§ I · The Curated Ten
moves worth your morning
01 · Acquisition
The Information · May 12
Anthropic is buying the SDK layer.
Anthropic is in advanced talks to acquire Stainless for at least $300M — the same company that already auto-generates the official SDKs for OpenAI, Google, and Anthropic itself. If it closes, Anthropic owns the connective tissue between every major frontier lab and its developers.
This is the fourth bolt-on in six months after Bun (December), Vercept (computer-use), and Coefficient Bio. The pattern: stop renting the layer where your customers integrate you.
Read the report →
$300M+
02 · Codex Goes Where The Cookies Live
May 7 · 4M WAUs
> codex install --target chrome_
OpenAI shipped Codex for Chrome on May 7. The agent now operates inside your already-authenticated browser session — LinkedIn, Salesforce, Gmail, internal admin tools — without you ever exposing API keys or screen-scraping a remote VM.
Reported growth: 4M weekly active users, up 8× since January. The strategic read: after launching desktop Computer Use, OpenAI saw that nearly every real workflow ended up in the browser. So they moved the agent into the surface where signed-in state lives, instead of trying to virtualize around it.
For senior engineers: the risk surface just changed. An agent running in your logged-in Chrome can write to any tab it can read. Treat it like a junior with prod credentials.
Read the docs →
Cyber Race
03 · Security
Dataconomy · May 12
OpenAI launches Daybreak — a direct shot at Anthropic's Project Glasswing.
OpenAI's new Daybreak initiative — powered by GPT-5.5-Cyber and Codex Security — wants to fold defensive cyber into the build pipeline and collapse triage from hours to minutes. Launch partners include Cloudflare, Cisco, CrowdStrike, Palo Alto Networks, Oracle, and Akamai.
The framing is a deliberate counter to Anthropic's Project Glasswing, which used unreleased Claude Mythos to find and patch 271 vulnerabilities in Firefox. Mythos itself reportedly leaked into "preview access" via a third-party vendor — the kind of supply-chain story that vendors are now both selling defense against and creating.
Read more →
04 · Hardware
blog.google · May 12
Google scraps "Chromebook" — renames the whole line for Gemini.
Announced at the I/O pre-show: Googlebook, a premium laptop line running an Android-based desktop OS with Gemini integrated at the system level. Headline feature is "Magic Pointer," which lets Gemini act on whatever you're pointing at — a system-level agent rather than an app.
Acer, ASUS, Dell, HP, and Lenovo all signed on for the fall launch. The strategic read mirrors Codex-in-Chrome: AI is moving below the application layer into the OS itself. ChromeOS as a brand is over.
Read the announcement →
5 OEMs signed · ASUS · Acer · Dell · HP · Lenovo
05 · Copilot Reads Your Live Terminal
VS Code v1.116–v1.119
> copilot --tail $TTY --tab $CHROME_
Quietly, in the April-to-May VS Code releases, GitHub Copilot agents picked up two new abilities: read/write access to any foreground terminal — including running REPLs and interactive scripts — and live browser tab context that lets the agent read the page, click, and validate changes in real time.
Also new: BYO-key for Business/Enterprise (OpenRouter, Foundry, Google, Anthropic, OpenAI), org-level "Agents" secrets, and admin-distributed Copilot CLI plugins. The center of gravity has moved from autocomplete to multi-tool agent inside the editor.
Read the changelog →
06 · IDE Wars
Cursor 3 · April
Cursor ships Composer 2 — its own model, 200+ tok/s, cloud-to-local handoff.
Cursor 3 shipped in April with a dedicated Agents Window, a new visual "Design Mode," and Composer 2, Cursor's first-party frontier coding model serving at 200+ tokens/sec. Cloud agents can now hand work back to the local editor mid-task.
Per JetBrains' January survey, Copilot still leads workplace adoption (29%), but Cursor is now tied with Claude Code at 18%, with Windsurf at 8%. The frontier-vs-foundation game has bled into the editor: every IDE either owns its own model or pays rent on one.
Read the comparison →
07 · Platform Engineering
stripe.com/blog · March 2
Stripe argues AI agents should write Terraform — not call the API directly.
Stripe's engineering blog lays out a case worth reading even if you don't run Stripe: when you let an AI agent configure infrastructure, the safest interface isn't the live API — it's the IaC layer. Terraform's plan/apply split gives you a diff to review before anything mutates state, version-controlled history, and a predictable rollback story. Direct API calls give you none of that.
The piece pairs with their earlier post on building eval environments for agentic Stripe integrations: instead of trusting a model to call the right endpoint, you bench it against a synthetic merchant and grade the diff. The whole posture is "agents are powerful — wrap them in the safest reviewable surface you already have."
Read on stripe.com →
08 · Runtimes
supabase.com/changelog · May
Supabase ships @supabase/server — one auth SDK for every edge runtime.
New package handles auth verification, client setup, request context, and CORS across Edge Functions, Vercel Functions, Cloudflare Workers, Deno, Bun, and Hono. The pitch: stop rewriting the same five middleware files per runtime.
Also in May: the Data API gets per-table and per-function toggles for PostgREST/GraphQL exposure (a real least-privilege win), Wrappers v0.6.0 adds OpenAPI and Clerk CRUD, and the Stripe Marketplace integration is GA.
Read the May update →
09 · Calendar
apple.com · WWDC June 8
Apple's response window opens June 8.
WWDC 2026 runs June 8–12. Apple's developer page now leads with "new tools, frameworks, and revised foundation model APIs" for on-device intelligence and "system integrations" — language that hasn't been there in prior years.
The Developer app already pushed a "Liquid Glass" UI refresh, widely read as an iOS 27 tell. Leaks point to macOS 27 with two more design changes still under wraps. The substantive question for senior engineers: will Apple finally give third parties access to the on-device model? Currently they're the only major platform without a real developer surface for their own LLM.
Read the schedule →
10 · Mobile
CNBC · May 12
Google races Gemini into Android — to beat Apple's June reset.
CNBC reports Google is moving up Gemini's Android-OS integration timeline specifically to land before WWDC. The internal framing: "AI reboot of the OS" is now a platform war, not a feature comparison, and whoever ships first defines the default behavior users learn.
Combined with Googlebook above, the strategy is no longer "AI as feature in app" — it's "AI as the runtime." Apple's keynote four weeks out is now the most-watched product event of 2026.
Read on CNBC →
§ II · Hacker News · top 5 / 24h
what the front page filed overnight
Front Page.
ranked by HN · fetched 06:55 CET
01
Deterministic Fully-Static Whole-Binary Translation Without Heuristics
204 points ● 49 comments ● arxiv.org
An arXiv paper proposing a binary-translation pipeline that drops the usual mix of heuristics and dynamic recompilation in favor of a fully deterministic, static-only transform of the entire binary. Useful if you've ever debugged a QEMU mis-translation and wished the answer didn't depend on which path the dynamic translator happened to discover. Comment thread digs into recoverable jump tables and indirect branches.
02
Restore full BambuNetwork support for Bambu Lab printers
462 points ● 201 comments ● github.com
An OrcaSlicer fork from the new "FULU Foundation" that re-enables full network printing against Bambu hardware after Bambu Lab moved features into proprietary firmware. The thread reads as a real-time case study in what happens when a hardware vendor walls off a community-driven slicer — fork, reimplement, organize a foundation around it, repeat.
03
Googlebook
800 points ● 1,311 comments ● googlebook.google
The HN take on the announcement covered above: Chromebook is gone, replaced by a Gemini-native Android-desktop laptop line with five OEM partners. The thread is overwhelmingly skeptical — comments revolve around whether "Magic Pointer" is a genuinely new affordance or another Bixby-tier marketing button, and whether shipping a desktop OS over Android is finally the right call after twelve years of false starts.
04
Needle: Gemini tool-calling distilled into a 26M model
486 points ● 154 comments ● github.com
Cactus Compute distilled Gemini-3.1-Flash-Lite's function-calling behavior into a 26M-parameter "Simple Attention Network" — MLPs removed entirely, leaning on the tools list as external memory. Pretrained on 200B tokens across 16 TPU v6e in 27 hours, post-trained on 2B synthetic tool-call tokens in 45 minutes. On Cactus, 6000 toks/sec prefill, 1200 decode. MIT, weights on HF — the on-device agent dream just got plausible.
05
SecurityBaseline.eu — auditing 3,000 EU gov sites
168 points ● 78 comments ● internetcleanup.foundation
A new public dashboard from the Internet Cleanup Foundation: 3,000 European governmental sites set tracking cookies without consent, 1,070 exposed phpMyAdmin instances on 3,529 domains, and 99% of inbound government email lacks modern encryption. France leads on exposed phpMyAdmin (513), Slovakia on illegal trackers. The Foundation notified ministries three months ahead so the numbers reflect post-warning state — which makes them worse, not better.
§ III · Architecture in the Wild
one piece worth the coffee
Cloudflare Engineering · Esteban Carisimo & Antonio Vicente · May 12, 2026
When "idle" isn't idle: how a 2017 Linux kernel optimization became a QUIC death spiral.
Cloudflare's post-mortem describes a bug that lived in quiche — their userspace QUIC stack — for years before anyone noticed, then revealed itself only under a very specific combination: real packet loss, a connection that had already exited slow-start, and a congestion window collapsed to its minimum of two packets. The trigger came from a 2017 Linux kernel CUBIC patch that fixed an unrelated problem (cwnd inflation across application idle gaps) by shifting the epoch forward by the idle duration. When the fix was ported into quiche, a subtle bug travelled with it: at minimum cwnd, every two-packet send drained bytes_in_flight to zero, which the next send-decision misread as "the application has been idle" — for a full RTT. The epoch then advanced into the future, locking the connection into a permanent recovery state where CUBIC, by design, refuses to grow.
"999 state transitions oscillating between recovery and congestion avoidance every ~14ms — cwnd locked at minimum despite zero packet loss."
The diagnostic detail is the part worth studying. Carisimo and Vicente reproduced it with a synthetic scenario — 30% random loss for two seconds, 10MB HTTP/3 download, 10-second timeout — and watched a 61% failure rate emerge from what looked like routine recovery behavior. The fix is three lines: track last_ack_time alongside last_sent_time, then compute the idle delta from max(last_ack_time, last_sent_time). After the patch the same scenario passes 100%, with cwnd climbing the expected CUBIC curve and downloads finishing in 4–5 seconds instead of timing out.
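The idle-gap misread and the fix described above, as an added Rust example that is not quiche's or Cloudflare's code: a simplified model that holds the window at two packets and compares the two ways of computing the idle delta. The names Cubic, IdleBasis and elapsed_in_epoch, the 14 ms RTT and the 1200-byte packet size are assumptions made for the illustration; in this model the epoch merely keeps pace with the clock, which is already enough to stop the growth curve from advancing.

```rust
// Simplified model of the idle-gap epoch shift; constructed, not quiche code.
// All times are milliseconds on a virtual clock.
#[derive(Clone, Copy)]
enum IdleBasis { LastSentOnly, MaxOfAckAndSent }

struct Cubic {
    epoch_start: u64,
    last_sent_time: u64,
    last_ack_time: u64,
    bytes_in_flight: usize,
    basis: IdleBasis,
}

impl Cubic {
    fn on_packet_sent(&mut self, now: u64, bytes: usize) {
        if self.bytes_in_flight == 0 {
            // An empty pipe is read as application idle: shift the epoch by the gap.
            let since = match self.basis {
                IdleBasis::LastSentOnly => self.last_sent_time,
                IdleBasis::MaxOfAckAndSent => self.last_ack_time.max(self.last_sent_time),
            };
            self.epoch_start += now.saturating_sub(since);
        }
        self.last_sent_time = now;
        self.bytes_in_flight += bytes;
    }

    fn on_ack(&mut self, now: u64, bytes: usize) {
        self.last_ack_time = now;
        self.bytes_in_flight -= bytes;
    }
}

/// Runs `rounds` RTTs at a two-packet window and returns how many milliseconds
/// the controller believes have elapsed since its epoch began.
fn elapsed_in_epoch(basis: IdleBasis, rounds: u64, rtt_ms: u64) -> u64 {
    let mss = 1200; // constructed packet size in bytes
    let mut cc = Cubic { epoch_start: 0, last_sent_time: 0, last_ack_time: 0, bytes_in_flight: 0, basis };
    let mut now = 0;
    for _ in 0..rounds {
        cc.on_packet_sent(now, mss); // first packet: pipe is empty here
        cc.on_packet_sent(now, mss); // second packet fills the two-packet window
        now += rtt_ms; // both ACKs arrive one RTT later and drain the pipe
        cc.on_ack(now, mss);
        cc.on_ack(now, mss);
    }
    now - cc.epoch_start
}

fn main() {
    println!("last_sent only: {} ms", elapsed_in_epoch(IdleBasis::LastSentOnly, 100, 14));
    println!("max(ack, sent): {} ms", elapsed_in_epoch(IdleBasis::MaxOfAckAndSent, 100, 14));
}
```

With the idle delta taken from last_sent_time alone, 100 round trips leave the epoch only one RTT old; taking it from max(last_ack_time, last_sent_time) lets the full 1400 ms accrue.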
What makes this a senior-engineer read is how it inverts the usual postmortem shape: there is no shipped product outage, no rollback, no incident commander. It's a deep instrumentation story about a latent kernel-port hazard in a protocol stack that handles a large fraction of the world's HTTPS traffic. The lesson is the small one — kernel optimizations carry assumptions ("recovery start time is set during ACK processing") that get silently broken when you port them — and the large one: at the edges of a control-loop algorithm, your invariants live in implicit timestamps, and you only find out which ones during a 30%-loss test you should have been running all along.
Read on blog.cloudflare.com →