
Four Signals

Agentic insights for modern tech teams

Security / dev.to

Same NestJS Prompt. Claude Got 6 Security Errors. Gemini Got 2. Here's What Both Got Wrong.

Claude Sonnet 4.6 generated 6 security errors (no guards, exposed fields, debug endpoint) while Gemini 2.5 Flash produced 2 errors (both missing rate limiting) for the same NestJS users service prompt. Both omitted rate limiting on login, but Gemini's output included class-level guards and @Exclude() on password, showing toolchain choice affects default security posture.

Why it matters

As AI-generated code becomes part of your SDLC, the toolchain you use (Anthropic vs Google) directly impacts the security baseline of your NestJS services, requiring proactive auditing even for simple scaffolding.

AI/ML / techcrunch.com

Coders are refusing to work without AI — and that could come back to bite them

Developers now refuse to work without AI, as METR found in 2026 when it couldn't replicate a productivity study because participants wouldn't code manually. Yet AI-generated code introduces 1.7x more problems than human code (CodeRabbit) and increases maintenance costs, per James Shore and Singapore Management University. Tokenmaxxing—using token count as a productivity proxy—has backfired, with Amazon shutting its Kirorank leaderboard and Uber exhausting its 2026 AI budget in four months without measurable gains.

AI/ML / thenewstack.io

Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent.

Anthropic's Opus 4.8 boosts intelligence and introduces dynamic workflows that can spawn hundreds of parallel subagents, each consuming tokens at standard rates, making cost control urgent. A viral test showed Opus 4.8 at max effort used 16.5M tokens ($17.26) on a task GPT-5.5 handled with 5.9M ($5.57). The new effort control lets engineers cap thinking, but token discipline—choosing the right model and token budget—is now the critical skill to avoid budget blowouts.

AI/ML / dev.to

One AGENTS.md for Every Coding Agent: Auto-Derive CLAUDE.md, GEMINI.md & Copilot Instructions

AI coding agents like Claude, Gemini, Copilot, and Aider each expect their own instruction file, leading to fragmentation and drift. @mongez/agent-kit derives all per-agent files (CLAUDE.md, .gemini/GEMINI.md, etc.) from a single AGENTS.md and syncs skills from npm packages into each agent's skills directory, even flattening nested folders that Claude Code cannot read natively. A postinstall hook keeps everything in sync automatically.

General / dev.to

Math.random() Is Not Random Enough. I Found It Building API Keys in a 44K-Star Repo.

Cal.com's 44K-star open-source scheduling platform used Math.random() to generate API keys, but V8's xorshift128+ PRNG is deterministic — tools like v8_rand_buster recover internal state from 3–4 consecutive outputs, allowing attackers to predict future keys. The article recommends crypto.randomBytes or similar CSPRNG and an ESLint rule (eslint-plugin-node-s) to catch this insecure pattern.

Languages / dev.to

Building Image Compression in Rust with libvips Real Benchmarks, Real Tradeoffs

Building image compression in Rust with libvips 8.15.1 and Axum, the author found WebP at Q=80 saves only 42.5% vs JPEG's 41.3% on complex photographic content, contradicting marketing claims. mozjpeg offers 10-15% better compression but requires compiling libvips from source, adding operational complexity not justified when libjpeg at Q=80 already covers 90% of use cases. PNG quantization via imagequant (same engine as TinyPNG) achieves up to 36% savings with minimal perceptual loss.

AI/ML / infoq.com

How Meta Rebuilt Data Ingestion for Petabyte-Scale Reliability

Meta migrated its petabyte-scale MySQL social graph data ingestion platform to a centralized, self-managed warehouse service, replacing fragmented pipelines. The team achieved zero downtime using reverse shadowing, continuous checksum monitoring, and staged migrations (shadow, reverse shadow, cleanup) with automated validation and rollback controls. The new architecture relies on change data capture (CDC) with full dumps and delta tables, minimizing expensive full snapshots for recovery.

AI/ML / arstechnica.com

Startup offers free home cleaning—if it can record it all for robot training

German startup MicroAGI is offering free NYC home cleaning through its Shift app, sending cleaners with cameras to capture first-person video for training embodied AI robots. The company claims on-device ML anonymizes faces and identifiers before cloud upload, but lacks data removal guarantees. The promotion also recruits paid operators at $20/hour; MicroAGI has already paid over $5M to 10,000 operators in Q1 2026.

AI/ML / dev.to

I Added a Human Veto to My PM Agent — Here's What Broke First

The author added a human approval step to a PM agent that posts Jira status to Slack, but found that after three weeks they were rubber-stamping approvals, defeating the purpose. The fix required adding friction—mandatory comments instead of emoji reactions—and implementing a severity classifier to gate only irreversible actions. The article also highlights lessons on escalation hooks and distinguishing irreversible from annoying-to-undo actions, inspired by Microsoft Conductor's designed-in human-in-the-loop pattern.

AI/ML / liquid.ai

Liquid AI reveals 8B-A1B MoE trained on 38T

Liquid AI released LFM2.5-8B-A1B, an edge MoE model trained on 38T tokens with a 128K context window and reasoning-only chain-of-thought, featuring a doubled 128K vocabulary for non-Latin scripts and targeted RL to mitigate doom loops and hallucinations. Available on Hugging Face, it targets reliable tool calling on consumer hardware, building on the predecessor's 12T training and 32K context.