Top stories

  1. Grok Build CLI whole-repo upload disabled server-side without comment The researcher who wire-captured xAI's Grok Build CLI v0.2.93 uploading entire repositories and .env secrets to the Google Cloud Storage bucket grok-code-session-traces retested within 24 hours and reported the storage channel now sends nothing, with the server returning traceuploadenabled: false and disablecodebaseupload: true. The change is a server-side flip, not a client update, and xAI published no statement as of 2026-07-14. A separate account claimed the CLI uploaded an entire home directory rather than only the working repository, widening the reported scope. That claim is a single unverified account.
  2. Codex encrypts sub-agent prompts and removes the local audit trail OpenAI's Codex CLI now encrypts the model-facing message payloads exchanged between agents in its MultiAgentV2 mode. A merged change (PR #26210, 2026-06-05) marks the spawnagent, sendmessage, and followuptask message text as encrypted, storing only encryptedcontent and leaving the local content field empty. A regression report (issue #28058, opened 2026-06-13) states this removes the human-readable subagent task and message text from local rollout history and parent-side audit and debug surfaces, so a user can no longer see what task a subagent was given. The change reached stable users in Codex 0.144.4, published 2026-07-14.
  3. Apple SpeechAnalyzer beats small Whisper models on device in a LibriSpeech benchmark A benchmark published 2026-07-13 ran Apple's SpeechAnalyzer API on an M2 Pro under macOS 26.5.1 against Whisper and the legacy SFSpeechRecognizer over 5,559 LibriSpeech utterances. SpeechAnalyzer reported 2.12% word error rate on clean speech and 4.56% on noisy speech, ahead of Whisper Small (3.74% and 7.95%) and the legacy API (9.02% and 16.25%), while running about 3x faster than Whisper Small per second of audio. The author notes larger Whisper models such as Large V3 Turbo still lead on accuracy, so the on-device engine is a speed-for-accuracy tradeoff.
  4. antirez argues developers should steer design, not review every line of AI code Salvatore Sanfilippo (antirez) published "Control the Ideas, Not the Code," arguing that reading thousands of lines of model-generated code daily is inefficient and that engineers should own architecture, data structures, and QA instead. He proposes replacing line-by-line review with a maintained DESIGN.md that states data structures and implementation strategy, and says he leans on strong models for error detection in Redis work rather than manual review. He cites implementing inference for DeepSeek v4 and GLM 5.2 in his DwarfStar project as evidence that subtle implementation errors are common.
  5. Cloudflare Precursor adds continuous behavioral bot detection between checkpoints Cloudflare announced Precursor on 2026-07-13, a session-scoped validation layer that injects JavaScript to collect mouse, keyboard, and pointer signals continuously and score human-versus-bot behavior between discrete checkpoints such as login, signup, and checkout. It is part of Bot Management and Turnstile, enabled from the dashboard, free during a beta rolling out now, with general availability planned later in 2026. Cloudflare states it captures timing and rhythm rather than keystroke content and persists signatures across page refreshes.

Conferences and events

  1. EuroPython 2026 is active this week EuroPython 2026 runs 2026-07-13 through 2026-07-19. Sessions cover CPython, typing, packaging, and the scientific Python stack.

Agentic coding

  1. Clawk runs coding agents in a disposable Linux VM Clawk is a Show HN tool that runs coding agents inside a disposable Linux VM instead of on the developer's machine, isolating file and network access from the host. It joins a run of agent-sandboxing projects surfacing this month.

Security

  1. CISA adds a 2008 Cisco IOS CSRF flaw to the KEV catalog CISA updated the Known Exploited Vulnerabilities catalog to version 2026.07.13 (count 1638), adding CVE-2008-4128, a cross-site request forgery in Cisco IOS first published in 2008, with a federal remediation due date of 2026-07-16. No other additions landed 2026-07-11 through 2026-07-14.

Outages

  1. GitHub Actions run startup failures on 2026-07-13 GitHub reported degraded availability on 2026-07-13 with Actions run startup failures and Pages affected, resolved by 13:53 UTC with a root-cause analysis promised. All systems returned to operational.
  2. Cloudflare R2 regional errors recur on 2026-07-14 Cloudflare logged repeated R2 object-storage error incidents on 2026-07-14. An EU-region incident ran 03:46 to 04:36 UTC, about 50 minutes, and resolved. A new incident, elevated R2 errors in the WEUR region, was identified from 15:23 UTC and remained ongoing as of this run. A separate incident, elevated errors on AI Search item PUT requests from 04:01 UTC, also remained under investigation. A Gateway CSV list-update issue ran 11:55 to 12:52 UTC and resolved. All are logged as minor impact.
  3. GitHub Codespaces degradation on 2026-07-14 GitHub reported degraded Codespaces performance on 2026-07-14 from 08:21 UTC, mitigated by 09:51 UTC and resolved at 09:56 UTC, with a root-cause analysis promised. Impact was limited to Codespaces.
  4. OpenAI ChatGPT feature errors on 2026-07-13 OpenAI reported two short ChatGPT incidents on 2026-07-13, elevated errors creating sites from 12:59 and elevated errors uploading, deleting, and navigating files in the Library from 14:35. Both fully recovered the same day. The API was not reported affected.

Developer tools

  1. The experimental git history command lands atomic fixup, reword, and split A 2026-07-13 write-up by Lalit Maganti describes the experimental git history command, which the post attributes to Git 2.54 and 2.55, with three subcommands: fixup edits an older commit and rebases all descendant branches, reword changes a past commit message and rebuilds dependents, and split breaks one commit into two through a hunk-by-hunk prompt. All three are atomic and refuse any operation that would risk a conflict, avoiding half-rebased repository states.

Languages and runtimes

  1. Kotlin 2.4.10 ships compiler and Gradle-tooling bug fixes JetBrains published Kotlin 2.4.10 on 2026-07-14, a patch release on the 2.4 line. It fixes K2 and JVM compiler issues (a reified type-inference regression, an annotation-argument crash on nested Java const values), a Compose Compiler stability-inference regression, a Kotlin/Native klib binding error, and several Gradle, JS, and scripting build problems, and adds kotlinr to the distribution. No language changes and no security fixes are listed.

Apple platforms

  1. Shipping Mac and iOS apps from the command line without opening Xcode A 2026-07-11 post by Scott Willsey describes building, signing, notarizing, and installing Mac and iOS apps entirely through command-line tools that ship inside Xcode.app without launching the IDE. The workflow uses XcodeGen to generate the project from a project.yml, xcodebuild to archive and Developer ID sign, xcrun notarytool and xcrun stapler to notarize and staple, and devicectl to deploy to a device, all driven by one release.sh script with signing keys kept in the login keychain. The author frames the fully headless, scriptable pipeline as suited to AI coding agents.

Engineering posts

  1. A predicted-unlikely branch quadruples an encoding loop by breaking a data dependency A 2026-07-12 post by purplesyringa shows a serial encoding loop dropping from 320 to 80 microseconds after wrapping a table lookup in a branch the CPU predicts as unlikely, with a volatile cast to stop the compiler removing it. The original loop was latency-bound because each iteration depended on the previous value. The added branch lets the processor speculate ahead, converting the loop from latency-bound to throughput-bound.
  2. Go-style channels and worker pools built on pthreads in C A 2026-07-10 post by Anton Zhiyanov implements Go's concurrency primitives in C for Solod, a strict Go subset that compiles to plain C with no runtime or garbage collector. Channels use a mutex-guarded ring buffer when buffered and a rendezvous copy when unbuffered, and a fixed worker pool consumes a bounded queue. The pool benchmark lands within 1.1x of Go on realistic 40 microsecond tasks, while unbuffered channels run about 23x slower because of kernel wakeup costs.

Hacker News

  1. Zig creator's rebuttal to the Bun Rust rewrite dominates discussion A commentary by Ray Myers reached the top of Hacker News with 1431 points, arguing that Bun's Zig-to-Rust rewrite was framed as an AI success story more than a technical necessity and siding with Zig creator Andrew Kelley's earlier rebuttal that the reliability gains came from engineering discipline rather than the language change. The piece cites Bun's roughly weekly memory-bug fixes and its unused Zig safety tooling, contrasting with TigerBeetle's TigerStyle discipline.

Reddit and social pulse

  1. Practitioners debate AI-approved pull requests A widely upvoted r/SoftwareEngineering post described a team letting an AI approve pull requests and the guardrails they added to make it safe. It runs alongside the antirez essay and the Bun rewrite debate as this week's recurring theme of how much control to hand code-writing and code-reviewing agents. Reddit coverage this run was degraded, so this is a single sampled signal.