Four Signals

Agentic insights for modern tech teams

BadHost Vulnerability Exposes AI Agents, Evaluators, and LLM Gateways
AI/ML / infoq.com

BadHost (CVE-2026-48710) is a high-severity authentication bypass in Starlette, affecting 325M weekly downloads, discovered by Secwest and X41 D-Sec during a vLLM audit. Attackers exploit malformed Host headers containing /, ?, or # to bypass path-based access controls, exposing AI agents, LLM gateways, and MCP servers often deployed without reverse-proxy protection. The vulnerability spans three layers—ASGI servers, Starlette, and middleware—and despite a moderate CVSS score of 6.5, researchers argue it should be critical due to downstream impact and poor patch adoption.

Why it matters

For an architect building AI agent orchestration and LLM infrastructure, this vulnerability directly threatens internal deployments of vLLM, MCP servers, and agent pipelines that rely on Starlette's URL parsing for auth decisions, especially when exposed without reverse-proxy hardening.

I Added a 71-Line Black Box to My Python Agent, Then Queried the $200 Crash With DuckDB
AI/ML / dev.to

A Python agent's retry loop projected $200 in costs, prompting a 71-line black box recorder that logs each turn as JSONL events with tool duration, secret sanitization, and unique run IDs. DuckDB queries the log to pinpoint failures like tool timeouts and guard stops, replacing guesswork with evidence.

A Trailing Slash Bypassed AWS API Gateway Authorization
Security / infoq.com

Security researcher Piyush Gupta demonstrated that a trailing slash on AWS HTTP API paths (e.g., /v1/accounts vs /v1/accounts/) bypassed Lambda authorizer authentication, returning 200 with full data instead of 401. The root cause was a path normalization mismatch between the route-matching and authorizer layers: the authorizer context was dropped, leaving userId undefined and defaulting to a system account. The fintech fixed it by switching to REST API and adding independent userId validation in every Lambda, while a Reddit comment noted that HTTP API development has been on hold for years, raising concerns about future fixes.

Local Mac Gemma 4 Deployment with MCP and Antigravity CLI
DevTools / dev.to

A step-by-step guide deploys Gemma 4 on an M3 MacBook Air via Ollama, using Python MCP tools and Antigravity CLI (successor to Gemini CLI) to build a local DevOps/SRE assistant. The setup requires Google Cloud authentication and leverages stdio transport for MCP communication, with FastMCP server and helper scripts (init.sh, set_env.sh) for environment management. It includes observability and performance testing capabilities.

The DIY platform trap that’s burning out engineering teams
General / thenewstack.io

Platform teams that build custom automation stacks often mistake complexity for progress, creating fragile layers of scripts and workflows that require indefinite maintenance. This DIY approach masks rather than eliminates complexity, leading to burnout as engineers become archaeologists of their own infrastructure. A true PaaS like Tanzu Platform integrates security, deployment, and resilience out of the box, avoiding the trap of bespoke automation that decays without constant attention.

Filter on Children, Sort by Parent: One-to-Many Compound Index Strategies in PostgreSQL
General / dev.to

MongoDB's multi-key indexes efficiently filter on a child field (e.g., child_value) and sort by a parent field (parent_value) in one-to-many relationships, but PostgreSQL lacks a direct equivalent. Workarounds include denormalizing into JSONB with GIN indexes (which don't preserve sort order) or using normalized tables with triggers and cascade foreign keys, then leveraging B-tree, GIN, or the RUM index extension for sorted pagination. The RUM index, a PostgreSQL extension, can combine GIN-like filtering with ordering, but requires careful design to maintain consistency.

Cloud / cncf.io

Dynamic configuration for cloud native Swift services

This article likely covers best practices for implementing dynamic configuration management in Swift services deployed on cloud native infrastructure, including Kubernetes ConfigMaps and containerized workloads. It probably also discusses integration with observability tools like Prometheus and OpenTelemetry to handle configuration changes without service restarts.

An OpenAI model solved a famous math problem that stumped humans for 80 years
AI/ML / arstechnica.com

OpenAI's AI disproved the Erdős unit distance conjecture, an 80-year-old open problem in discrete geometry. Fields Medalist Tim Gowers called it a milestone, and mathematician Daniel Litt deemed it the first exciting AI-produced result. The model combined existing techniques from multiple subfields, but human mathematicians later cleaned up and extended the proof, highlighting a complementary future where AIs handle broad knowledge and tedious work while humans contribute deeper thinking.

What Nobody Tells You About Running Hermes Agent Locally (M-Series Mac Edition)
AI/ML / dev.to

Running Hermes Agent locally on M-series Mac avoids API costs but demands careful setup—free tier Gemini APIs (5 req/min) fail on multi-step agentic tasks, while Ollama with models like qwen3:8b (~50 tok/s) or gemma3:12b (~30 tok/s) works well on 16GB machines. The agent's episodic memory and 40+ tools make it powerful, but you must run `hermes postinstall` for browser automation and choose local models to avoid rate limits.

I Let an AI Agent Hunt Open Source Bounties for 96 Hours — Here's the Brutal Truth About What Actually Works
AI/ML / dev.to

An autonomous AI agent (ZKA) using Hermes Agent and GitHub CLI ran for 96 hours, submitting 240+ PRs to open source bounties. After pivoting from broad bounty searches to targeting repos with proven merge histories, it achieved 72 merges and $500-800 in earnings. The experiment revealed that 90% of bounties are fake, and a Pareto distribution showed 7 repos accounted for all successful merges.