I am reading the Vibe Coding book.

On options (p.29)

I like this framing, which is also used by Gregor Hophe. Try out radical ideas and various implementations at low cost.

One recent example: I had to implement refresh-token-only dPoP support in IdentityServer. Since I (and my coding assistent) initially overlooked that using bearer tokens with dPoP refresh tokens is allowed in the main dPoP spec, I had a detour, with a full working implementation, around dPoP-RT.

When I re-read the dPoP spec and figured out there was a main-spec way, I threw away the old implementation and made a new one.

Both with heavy coding agent assistance; I mainly had to review the second solution and prune a few extras I did not need.

Without coding agents, the first solution would have required so much work that pivoting to the “right” solution would have been a much harder decision, had I figured it out as late as I did.

On senior-junior mentoring and the surgeon example (p.27)

Interesting look at what happened with senior-junior mentorship when surgical robots could fill the jobs juniors were usually required for. I, like the book authors, think this is going to happen in software development too.

While they (at least in this part of the book) focus on how great that is for the seniors (who are freed from communication tax and can move faster), this is going to create huge problems for the business when current seniors start retiring. Maybe coding agents will be ready to take over higher-level work (“taste”) reliably then - maybe not…

Not everyone want their workflows automated like many software developers do.

Software Brain (Decoder / The Verge)

The West Forgot How to Make Things

Ukraine taught us that peace does not last, so letting weapon-building skills atrophy during peace time has a cost.

Will the loss of operational knowledge in software development present similar challenges once the current generation of senior engineers retire (along with their pre-AI taste and implicit knowledge from building things manually)?

The West Forgot How to Make Things

Free models via NVIDIA Build

Copilot can run with BYO models, given they have an OpenAI-compatible endpoint. NVIDIA Build offers several larger open-weight models you can use for free.

From the models I have poked at, GLM-4.7 can code (set to retire soon though), but in practice I ended up running GLM-4.6 (aka BigPickle), which is currently free in OpenCode (and a lot faster). Still, having a rotating buffet of hosted models to experiment with is handy.

Reduced RAG

Interesting perspective: Frontload metadata extraction (potentially via LLM, e.g. sentiment analysis), capture it, query it deterministically, then feed results into the LLM for (nondeterministic but heavily grounded) synthesis.

Reduced RAG

Codegen as compiler

Interesting framing: instead of reviewing every line of generated code, build the surrounding apparatus so the output is constrained and verified, like we do with compilers.

I think that analogy is directionally useful, but only up to a point. Compilers are largely deterministic, or at least rules-based, whereas LLMs are not. So the “trust the process, not the artifact” idea is good, but the process probably needs to be much more defensive than the compiler metaphor suggests.

Codegen as Compiler

.NET agent skills

Nice to see the .NET team publishing a real skills, this is more solid than dnx ilspycmd. There is a dashboard, plugins, and concrete task coverage around things like MSBuild, NuGet, diagnostics and upgrades. Sometimes I worry about context pollution from too many skills though…

dotnet/skills

Coding is dead, but it still smells

Adam Tornhill argues that manual coding is shrinking, but software complexity is not, so the need for builders may well expand rather than contract. “After more than 30 years as a programmer, I no longer code manually. Sometime in October 2025 I went 100% agentic, and I’m not planning on going back.” - my journey has been similar. I worry about skill atrophy, but debugging gnarly issues deep in the code keeps me sharp (I hope!).

Coding Is Dead, but It Still Smells

Passkey sync, sharing and recovery

When I first read it, I thought they were using secure multiparty computation - Passkeys seem to be a great use case for that?

Pretext

This is one of those projects that makes the web feel a bit magical again - somebody looked at an annoying primitive and decided to rebuild it properly. I do not do a lot of frontend work, but I remember struggling with Masonry back in the day…

pretext

Chatbots: unsafe at any speed

Non-deterministic systems are hard to make 100% safe, but there are degrees of wrong :-)

Chatbots: Unsafe at Any Speed

More agent sandboxing: Docker Sandbox / sbx

More movement in coding agent sandboxing, which is good. Andrew Lock walks through running agents inside Docker’s sandbox / microVM setup so you can be a bit less terrified when enabling the more autonomous modes.

Running AI agents safely in a microVM using Docker Sandbox

Aspire as runtime for coding agents

This is a genuinely interesting direction: instead of feeding agents ever more markdown context, give them a runtime for the code that can actually manage processes, ports, env vars, logs and feedback loops.

Agentic Dev Aspirations

Building-block economy

Mitchell Hashimoto argues that the winning move is increasingly to build reusable building blocks rather than polished monolith products. That rings true in an agentic world where composition cost keeps dropping.

Building Block Economy

Cybersecurity in the age of instant software

Bruce Schneier sketching what security might look like once software becomes far more disposable and on-demand. Most people seem to agree that frontier models is a long-time benefit for the blue team, but short-term the red team must be having a field day

Cybersecurity in the Age of Instant Software

Quantization

Only skimmed this one, but quantization is an important concept if you want to run large open-weight at reasonable speed on consumer hardware (that much I do know). Some people claim that even “small” models like Qwen3.6-27B-UD-Q6 perform close to frontier-levels, and it would be interesting to try out at various levels of quantization

Quantization

Solid guide from someone who works at GitHub with practical advice on avoiding the most common pain points. Since NUKE is going out of maintenance, going back to “pure” GH Actions is on the table, and in any case some things are lightweight enough that it makes sense.

GitHub Actions: The Stuff Nobody Tells You

A Sufficiently Detailed Spec Is Code

Gabriel Gonzalez makes the case that sufficiently detailed specifications are, in practice, just code in disguise. The implication for agentic coding is that delegating to an agent does not remove the cognitive work - it moves it. Someone still has to think through the system carefully; now that person writes prompts / specs and establish context instead of code.

A Sufficiently Detailed Spec Is Code

Slop Creep

“Coding agents removed the circuit breaker.” - a clear risk with agentic development, they can keep going fast in bad code, where humans cannot.

The author calls it slop creep: individually reasonable decisions that collectively calcify a codebase.

Slop Creep: Enshittification of Software

Agent Sandboxes

A few projects in the agent sandboxing space worth keeping an eye on. I have dabbled myself with a basic Docker container and WSL as a de-facto sandbox:

Contagent runs coding agents in a container so they operate narrowly on the current project path rather than the full home directory. A pragmatic middle ground between full autonomy and paranoia, probably better than what I am using now.

OpenSandbox from Alibaba is a more general-purpose sandbox platform with SDKs in most languages (including .NET) and support for Docker and Kubernetes runtimes.

devenv.sh is the nix-based developer environment tool. Not itself an agent sandbox, but nix’s reproducibility story is interesting for setting up the work environment.

“CEO Said A Thing!” Journalism

This captures a phenomenon that has annoyed me for a while. Once you have the name for it, you see it everywhere: a headline that is just a verbatim restatement of what some exec claimed, with zero context, correction, or pushback. The examples in the article are… illustrative.

CEO Said A Thing! Journalism

Encoding Team Standards for AI

Establishing context for agents is important for good results. Seniors do it implicitly (as discussed last month), but capturing at least some essentials in LLM-accessible docs (and the solution structure itself) can help. Right now I am eyeing a lot of architecture docs I have written in Confluence, considering how to get that into our repos as actionable coding agent guidance.

Encoding Team Standards for AI

Package Manager Cooldowns (Sadly Not NuGet Yet)

Most major package managers now support “dependency cooldowns” - only installing updated packages after they have been out in the wild for a few days, to give the community a chance to spot supply chain attacks. pnpm, Yarn, Bun, Deno, uv, pip and npm all have some variant of this now.

NuGet has an open issue but nothing shipped yet. Would be a welcome addition.

Duende Agent Skills and MCP Server

Duende have published both an agent skills library and an MCP server for their documentation. Since this is a large part of my dayjob, I am trialing it across a few projects.

Duende Agent Skills and MCP Server

Emdash - Agentic Development Environment

Emdash runs multiple coding agents in parallel, each isolated in its own git worktree, locally or over SSH. It supports 23 CLI agents and can take Linear, GitHub, or Jira tickets as direct input.

Like Minions from last month, Steve Yegges Gas Town / Gas City and Squad (too ambitious for me atm, but I would like to check out Beads) - I am still not convinced the agent orchestration works as well as people think it does (how do you measure it?), but the amount of innovation being done here is staggering, so I am sure some best practices and frameworks will emerge over time.

Emdash

Weblate

Open source, web-based continuous localization platform, in production use by 2500+ projects across 165 countries. Self-hostable or SaaS. Has a .NET-friendly REST API. Looks nice, might give it a try.

Rising Tides, Not Crashing Waves

This paper proposes a useful framing for thinking about AI automation: crashing waves (abrupt capability surges over specific tasks) vs. rising tides (broad, continuous improvement across many tasks). Based on evaluation of 3000+ tasks from the US DOL O*NET database, they find mostly rising tides.

The numbers are interesting: in mid-2024, AI could complete tasks taking humans ~3-4 hours at 50% success. By Q3 2025, that was up to 65%. The projection is 80-95% success on most text-related tasks by 2029. The rising-tide framing matters for how organizations should think about adaptation - it is not one big disruption you plan around, it is a continuous shift you have to keep tracking.

Rising Tides vs Crashing Waves (arXiv)

Azure Functions Test Framework

WebApplicationFactory-like integration testing for Azure Functions (dotnet-isolated). Supports HTTP triggers, timer/queue/ServiceBus/blob triggers, Durable Functions, and both direct gRPC and ASP.NET Core integration modes - all without opening TCP ports. Pre-1.0 but apparently fully functional for .NET 10 / Worker SDK 2.x.

Integration testing Azure Functions has historically been painful. This looks promising.

Azure Functions Test Framework

Beautiful Mermaid

An interactive Mermaid diagram playground from Craft, useful for making coding agents produce ASCII diagrams.

Mermaid Agent

Steph Ango’s Vault

The creator of Obsidian sharing his personal vault setup and the principles behind it. I agree with “file over app” BUT I have trouble escaping the siren song of OneNote. But if I ever want non-Microsoft agents to work with the data, Obsidian is a better option (could also be agent-only repository like Karpathy describes)

Steph Ango’s Vault

Cleaner Tests with IAsyncLifetime

Expression-bodied single-assertion test methods combined with XUnit’s IAsyncLifetime for async test setup. The result is tests that are concise and highly targeted - each test body is a single line, and the arrange/act is in InitializeAsync.

I like this pattern, and will try to adopt it (maybe it could be part of a coding agent skill?).

Cleaner Tests with IAsyncLifetime

The Verification Gap

Research from Chris Catalini et al. exploring the “verification gap” - the challenge that as AI-generated content becomes more sophisticated, the cost of verifying that content often exceeds the cost of producing it. The paper looks at this through an economic lens and the implications for trust, fraud, and institutional decision-making.

An alternative view to Steve Yegge and Gas Town - I have a hard time believing in his approach where you vibe everything without looking at it.

The Verification Gap (SSRN)

Friendship in Your Thirties Requires Deliberate Effort

This resonated: “The friends didn’t leave — the structure that held them in place did.” Robin Dunbar’s research on friendship decay is cited here: without regular face-to-face contact, a close friendship degrades by one relationship layer within six months. The article argues that the thirties loneliness epidemic is not about social media or introversion - it is a structural shift. School and early career provided proximity and regularity; adult life does not (beyond work).

The Loneliness Epidemic in Your Thirties

GitHub Copilot CLI Local Models

GitHub Copilot CLI now supports local models via OpenAI-compatible providers, so you can do development with the same harness without burning cloud tokens. qwen3.5:9b seems to run nicely with Ollama - it does make my old RTX 3060 with 12GB VRAM sweat though, and fast, it is not.

Run with ollama:

ollama run qwen3.5:9b-q4_K_M

then set up Copilot CLI provider (here with pwsh):

$env:COPILOT_PROVIDER_BASE_URL="http://localhost:11434/v1"

$env:COPILOT_MODEL="qwen3.5:9b-q4_K_M"

Then run Copilot CLI and listen for the fan spinning up ;-)

Using your own LLM models in GitHub Copilot CLI

Not found, but created - a .NET configuration provider for Doppler, something they seemingly intended on delivering 4 years ago, but never finished. It turned out somebody already did this but it was a fun little exercise in agentic coding, so I wrapped it up. Maybe you like Apache license better than MIT ;-)

In the sample, I also demonstrate a technique I have previously used with Azure Key Vault, where an entire JSON configuration object is loaded out of a single key. This allows easy transformation from appsettings.json to Doppler (and with Doppler the editing experience is okayish, unlike Key Vault where you more or less need custom tooling to pull it off)

It also gave me a chance to apply nuget trusted publishing

Michaelkc.Extensions.Configuration.Doppler

Michaelkc.Extensions.Configuration.Doppler package

A Language For Agents

Agents prefer strong typing, loose syntax. Python (significant whitespace) and dynamic languages in general are not ideal.

To the list I would add compiled languages where source is not available outright, but that can be somewhat mitigated with skills.

A Language For Agents

“Nordic” ANSI keyboards on laptops

My old Thinkpad is dying, and I am in the market for a new one. To my dismay, HP and Asus has started supplying the nordic market with ANSI-keyboard (one-row enter key vs the traditional two-row ISO variant), with nordic characters painted on.

This bums me out, as HP is making some really slick hardware at a good price point. But not going to retrain all that muscle memory. I guess Lenovo will get my business again…

EDIT 24/03: Picked up a Lenovo Yoga Aura 14” with Intel U7-258V and 32 GB ram for 5.500 DKR (~USD 850), by trading in an old¹ PC.

Minions

Price for best name for “semi-autonomous coding agents” goes to Stripe - I hope “Minions” will take as an industry standard. But what is up with that page background?

Minions: Stripe’s one-shot, end-to-end coding agents

Peli’s Agent Factory

Similar in spirit to Minions, but built on regular GitHub Actions / GitHub Copilot (or Codex/Claude/Gemini), the agent factory looks really interesting. I have started trialing some of the workflows on a non-critical repo.

Welcome to Peli’s Agent Factory

AI Benefits - But at What Cost?

I have dialed down my attempts to keep up with the latest LLM coding news, as drinking from the firehose is very tiresome. Still, being 95%+ of my Tech Feed on Linkedin and Twitter, a lot of stuff goes by, and I try to pick up the important stuff. But at this point, I would rather focus on actually using it for building real features, rather than chase the latest “Ralph Wiggum”-style hyperbole.

Anyway, this perspective on the actual costs of the AI infrastructure is interesting. You can only keep up turning $100 into $10 at scale for so long - but at this point I think it is hard to predict if the endgame is going to be price hikes, cheaper-per-token models (ideally runnable on consumer hardware) or AGI (unlikely but…)

AI Benefits - But at What Cost?

Two Beliefs About Coding Agents

“Most talented developers do not appreciate the impact of the intuitive knowledge they bring to their coding agent.”

I think this is accurate. When I see Uncle Bob, David Fowler and Kelly Sommers report great success with agentic coding, I am sure they are pouring tonnes of knowledge into their prompting. I do the same; over the last two days I had Copilot code up first an implementation of dPoP-RT then of dPoP with Bearer access tokens, both on top of Duende IdentityServer. If I had not been quite specific about what I wanted during planning, I am not sure the resulting implementations would have useful. Then again, I am sure that I could not deliver that as a potentially shippable feature in a day without LLM assistance.

Two Beliefs About Coding Agents

I am chewing through the course. Good tips, maybe you could distill it to a technical writing agent/reviewer?

Google Technical Writing

Azure Verified (Bicep) Modules

When I was last deep in Bicep, sharing module definitions was difficult (GitHub submodules…), and best practice guidance was non-existant. It seems things got a lot better, and there is now lots of “Azure Verified Modules” (AVM) to get you going on the right path, and it is possible to consume modules via URL reference (not sure how the supply chain attack story is though…)

Still not convinced that declarative languages are the way to go for resource definition, I think the Aspire/Azure CDK people are closer to the optimal solution. At any rate, I am 100% convinced you need a strategy for applying your infra definition code continuously (periodically, also when nothing changes), otherwise it will bit rot and you will be afraid to apply it when it matters.

Bicep AVM Quickstart Guide

Passkeys

Working with a passkey rollout plan, and I am digesting the tome linked below, to come up with personas and a scenario test plan.

When they work, passkeys are wonderful and secure. But I think the mental model is very difficult to grasp for the average user - which can quickly translate to support needs when things start going south.

Tour of WebAuthn

Azure Key Vault Emulator

Microsoft now supplies an Azure Service Bus emulator, but still no Key Vault emulator. This guy did the hard work, and that will come in handy with local-dev Aspire and not least using it in a TestContainer and the real-port hosting option for WebApplicationFactory in .NET 10.

Azure KeyVault Emulator

Evaluating LLM coding agent innovations

Pete Hodgson argues that the real issues in LLM coding is context management and bad design taste. He uses that to evaluate which of the flavor-of-the-month techniques (e.g. Ralph) and innovations to track closely

Assessing the Latest AI Coding Hotness

AGENTS.md docs index vs skills

Picking up on the above, context engineering is obviously super important. Especially when it comes to new versions of frameworks, on which the LLM is not properly trained. Vercel faced that issue with a new version of next.js, and ran experiments with Claude to see if skills were the right way to inject the appropriate context. It turns out coding agents do not call skills reliably, so a compressed index of the next.js markdown docs in AGENTS.md worked better.

AGENTS.md outperforms skills in our agent evals

Writing a good AGENTS.md

Also in that area, this article considers what to put in AGENTS.md, and reminds that at least Claude (and presumably also Copilot, OpenCode etc.) will often ignore it if it determines it is not relevant.

I really try to grok the principles people are uncovering, and am experimenting a lot.

Writing a good CLAUDE.md

Writing a great AGENTS.md

From good to great, Matt Nigh from GitHub chimes in with an analysis of 2,500 AGENTS.md files and concludes that it must cover 6 core areas:

I got the link from How to write a good spec for AI agents, but I was turned off by his misquoting of the lethal trifecta (AI slop?) - and who seriously uses GPT 4 for anything now?

How to write a great agents.md: Lessons from over 2,500 repositories

Oh-my-posh visual configurator

Nice, vibe-coded app for building out your terminal. I will give it a shot if I tire of the default Aliens theme, which I recently started applying to all my machines with the Oh-my-posh DSC provider. (my basic setup of Aliens can be DSC-applied with this file)

Introducing Oh My Posh Visual Configurator

WinGet (DSC) Configuration

Picking up on that, nice to see some docs on DSC / winget configure- that would have been nice 14 days ago when I sifted through it! Relationship between winget and DSC v2/v3 is still spotty (see comments), and there really need to be more non-imperative providers for dev stuff beyond “switch on dark mode”. Basically nothing seems to have happened on that front since the build video.

But with more eyeballs, maybe it will gain some traction?

WinGet Configuration: Set up your dev machine in one command

Context switching with AI agents

Nice treatise on how to handle the excessive context switching that arise from constantly waiting on (multiple) agent workstreams. The middle ground between “too slow to stare and wait, too fast to do meaningful work in the meantime” is a bad place, always has been (for builds, deploys, reviews etc. etc.)

The biggest obstacle for engineer productivity in 2026

Real-world apps (or: Medium clone built in … everything)

Interesting concept: Build the same app in different stacks. Great as a learning tool and to compare approaches

RealWorld Example Apps

Playwright CLI

Spent a bit of time with an open browser window to the left, Playwright CLI in a VSCode windows (with Grok Code Fast, so free model) to the right. It is fun to describe what to do and have the agent do it in realtime. It seems there is quite a pivot from MCP to CLI-based skills at the moment.

Playwright CLI

Addy Osmani’s LLM Coding Workflow

Addy Osmani’s LLM coding workflow closely mirrors my own approach. He emphasizes clear plans before coding, small iterative chunks, extensive context, human oversight with testing and frequent commits.

My LLM coding workflow going into 2026

The art of KPop Demon Hunters

Very nicely done, love the music and looking forward to the lego sets.

The art of KPop Demon Hunters

AI-assisted coding: Same game, different dice

The article presents a contrarian view arguing that most AI teams see only 0.8x-1.2x productivity gains (not the promised 10x), and that success comes from fundamental practices like TDD, modular design, and small iterative chunks. I think that is a bit pessimistic, especially for resource constrained teams that struggle to fill all roles, but good balance to all the hype.

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

Canonical logs and structured logging

Excellent summary of canonical logs and related concepts, though implementing this pattern in .NET is challenging since standard libraries default to traditional structured logging rather than canonical logs.

Logging Sucks Evlog - Event-based logging tool

Vibe coding paralysis and managing workstreams

Trying to do too much at once with AI tools can lead to cognitive overload and unfinished work; it’s important to track what you’re building and read the generated code to maintain confidence and keep your skills sharp.

Vibe coding paralysis: When infinite productivity breaks your brain (Francesco Bonacci on X)

Summarize.sh: Fast, Scriptable Summaries

Summarize.sh is great at summarizing YouTube videos (and other types of content). I got it working with Azure AI Foundry GPT-5-mini with a bit of tinkering.

Summarize.sh

Sundhedsdatabanken

Drill into Danish medicine consumption in PowerBI. The Danish government has been tracking this stuff for 40 years, it opens up a lot of interesting possibilities for science.

Sundhedsdatabanken

Google A2 vs Microsoft Agents SDK

Erik Meijer contrasts Google’s A2 for dynamic with Microsoft Adaptive Cards (which I had never head of). Agentic UI is surely something that will become important as semi-autonomous agents starts to gain traction.

Google introduces A2 for dynamic UIs Microsoft Adaptive Cards Erik Meijer’s post on X

HTTP’s evolution: forced by reality

Great overview of how HTTP changed over decades, each version adapting to new constraints like latency, mobile, and unreliable networks—never by design, always by necessity.

HTTP Over the Decades: A Story of Physics, Latency, and Grudging Adaptation

2025: LLMs, agents, and everything else

Massive roundup of LLM developments, trends, and tools from 2025—so much happened it’s hard to keep up, and the links alone show the scale of change.

Simon Willison’s 2025 LLM Year in Review

Grounded AI adoption: Mitchell Hashimoto’s journey

Interesting and grounded take on the journey to see value in agentic coding, without drinking all of the “Ralph Wiggum” kool-aid.

My AI Adoption Journey – Mitchell Hashimoto

Shannon - autonomous LLM pentester

Shannon is an LLM-powered, autonomous pentester. Have not tried it out, but would be interesting to see it work against Supercar Showdown

Shannon automated pentester

Brace for the f***ening

What if the Tech CEOs ends up being right and white collar work disappears quickly? The most likely case is that they are inflating expectations to keep investments flowing (into the bubble) but what if…?

Brace for the f***ening

Outcome engineering and the o16g Manifesto

I respect Charity Majors, so I am inclined to take this seriously weight on this, even though it seems a bit ahead of things as they are. I certainly think there are other blockers than pure cost in development still.

The o16g Manifesto

Large Language Models Will Never Be Intelligent, Expert Says

It is hard not to be confused, I am thinking “two movies, one screen” here.

Large Language Models Will Never Be Intelligent

Amp drops VSCode plugins for CLI

Amp is killing its VSCode and Cursor extensions, shifting focus to a pure CLI approach.

Amp announcement: The Coding Agent Is Dead

Local CI

Safia, like DHH, advocates for “local CI” as the future of validation, moving away from slow PR-based loops. I think it makes sense if you run that verification in containers, and have a mechanism to attest that it happened (to prevent sloppiness).

Safia on local CI

The AI Vampire: Who profits from 10x output?

If AI coding agents can deliver 10x productivity, what is the cost? And who will profit?

The AI Vampire: Steve Yegge on value capture and burnout

Software is far from dead

Steven Sinofsky argues that AI won’t kill software, but rather increase the demand for it by moving functionality up the stack and making domain expertise more critical.

Death of Software. Nah.

An updated version of GistPreview, which allows hosting single-file HTML pages on GitHub as gists. The author use them for storing Claude Code transcripts

GistHost

“Ralph Wiggum” agentic coding

As I understand it the core philosophy here is to come up with an implementation plan (like spec-driven), then convert it to individually implementable features and run the agent in a non-interactive, sequential loop to implement the plan.

The Ralph Wiggum part is the iteration with the same prompt on the same problem until a stop condition is met. The idea being that the agent will then build upon partial solutions in previous loops, and be able to run unattended for longer. This article explains it well.

Stop Chatting with AI. Start Loops (Ralph Driven Development)

Mitchell Hashimoto on “Feature Design”

Not a big fan of video content, but this one is gold. It walks through the crucial process of taking a step back when feature requests come in and:

• identify the underlying issue the requester hopes the feature will solve
• figure out how to address multiple such issues with a new feature that aligns with the product vision
• spec out the new feature using a “human–machine interface first” approach

Feature Design

textarea.my

A distraction-free, bare-bones text editor that saves content base64-encoded in the url

textarea.my

The Price of Intelligence - Three risks inherent in LLMs.

Supplementing the treatise on exfiltration risks in the lethal trifecta, this article discusses inherent issues in LLMs themselves, such as hallucination.

The Price of Intelligence

The Misconceptions About Vibe-Coding

Some good takes here, specifically that

• vibe coded apps are the new Excel (good for individual stuff, not so good when moving to multi-user, deployed apps)
• the people threatened the most by vibe coding are entrepeneurs with simple SaaS offerings, not developers
• developers stay relevant by moving up the complexity stack (architecture, review)
• vibe-coding’s ceiling is determined by your ability to validate the output

The Misconceptions About Vibe-Coding

AI rollout satire (& AI Underpants Gnomes)

Had a good laughh at this and it led me to this piece by Jeffrey Snover. That is a more serious treatise on how many companies adopt generative AI out of fear of “missing the boat”, with no clue how to derive value. That was how I felt when I saw the Gordon agent in Docker…

AI Underpants Gnomes: The Missing Step in Your Strategy

AI-native software engineering & the Ralph loop

Some hyperbole, but very interesting. I did dabble a bit with reverse engineering approaches (not products) to skills, with some success. I previously speculated that the outcome disparity people experience with agentic coding might be due to language choice and the models ability to work with your choice. Maybe it is time to trial work in alleged S-Tier languages like Typescript instead of F-Tier .NET ?

I am definitely going to watch the videos 1 2 and try out the workshop.

AI-native software engineering & the Ralph loop

mitmproxy

Spent a bit of time getting mitmproxy running today.

Basics:

• install with winget install 9NWNDLQMNZD7
• trust root cert via mitm.it
• capture trace for specific domain patterns
  • mitmproxy -p 9595 --allow-host .*mydomain1.com --allow-host .*mydomain2.org --no-show-ignored-hosts --store-streamed-bodies --save-stream-file ./capture.mitm
• configure Windows proxy to use http://localhost:9595
  • reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d http://localhost:9595 /f
• do what you want traced and stop mitmproxy
• disable Windows proxy
  • reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
• load up capture.mitm in mitmweb

WezTerm

While Windows Terminal is great, it is good to have competition in the space on Windows. Wezterm comes with interesting features I want to dig into.

Install with winget install wez.wezterm

WezTerm

Blazor Hot Reloading

I am shifting to UI adjustment work as we wrap up a project at work, and that led me to investigate the state of Blazor Hot Reloading. It is much, much better than when I looked last, and works even when not debugging. One gotcha is that “hot reload on save” is not enabled by default in VS 2026; you must press ALT-F10 to hot reload (or enable it in options).

Also I noticed that the browser refresh script injected is now an actual script file, which might mean that running with a CSP locally might finally be doable (it used to be direct script injection).

Write and debug running code with Hot Reload in Visual Studio

Resetting package.lock.json on git checkout

I was doing a lot of branch switching today, and got annoyed with Git complaining

git checkout main
error: Your local changes to the following files would be overwritten by checkout:
        src/DotNetProject1/packages.lock.json
        src/DotNetProject2/packages.lock.json
Please commit your changes or stash them before you switch branches.
Aborting

I want to regenerate lockfiles on build, to ensure that I build with the exact same transitive package versions on the build server as I developed locally. But the file contents are not important to me; when the branch is switched it should ignore any pending changes to the lockfiles lingering from the old branch. It will be regenerated as soon as I build anyway.

This co Git alias, courtesy of Copilot with some nudging, does the trick:

[alias]
  co = "!f() { set -e; CANDIDATES=$(git ls-files -m -o --exclude-standard --full-name -- \"**/packages.lock.json\" || true); if [ -z \"$CANDIDATES\" ]; then CANDIDATES=$(git ls-files --full-name -- \"**/packages.lock.json\" || true); fi; OLDIFS=\"$IFS\"; IFS=$(printf '\n'); for f in $CANDIDATES; do [ -z \"$f\" ] || { git restore --staged --worktree -- \"$f\" 2>/dev/null || true; git checkout -- \"$f\" 2>/dev/null || true; git clean -f -- \"$f\" 2>/dev/null || true; }; done; IFS=\"$OLDIFS\"; git checkout \"$@\"; }; f"

Add it to ~/..gitconfig.aliases (when using Phil Haack’s Git aliases)

It slows down the checkout process quite a bit though, but if that ends up annoying me I might make a separate alias for “fast” switching (or just use checkout).

Upscaling images - upscayl

I had to print some low-resolution images today, and experimented with putting them through AI upscaling. Upscayl runs locally (or you can pay for cloud), is free, open source (models possibly only open-weight?) and worked great for my use case. Only gotchas is that you must have an NVIDIA card for it to work, but most of my machines do…

Upscayl

AI personal assistants

Things are heating up with ClawdBot, which got a lot of hype this week. I am not personally ready to connect bleeding edge code and models with questionable safeguards to my critical workflows just yet, but I certainly see the allure of finally feeling close to realizing the “personal agent does stuff for me” vision. While other people work out the kinks, I am dabbling a bit with Goose, where things are somewhat less exposed and you are more in control of what is happening (like Copilot).

EDIT: How a Single Email Turned My ClawdBot Into a Data Leak and From Clawdbot to Moltbot: How a C&D, Crypto Scammers, and 10 Seconds of Chaos Took Down the Internet’s Hottest AI Project . Making a chat/email-accessible personal agent with the right balance between safety and usability is hard. Reading the article, I wonder who dumps money they cannot afford to loose into new crypto-coins like that? I do not feel sorry for them.

Scott Adams

Scott Adams found out if the world really is a simulation as he often speculated. This obituary mirrors my feelings on the matter well. If you can overlook the post-Trump years and subsequent horrible political views (and that is hard), his books and writings contain many valueable life-lessons, like Systems over goals. I will always remember old Dilbert fondly.

Andreas Backhaus - My journey with Scott Adams

I am heavily invested in NUKE build, however its author has been having a bad time with nasty community engagement.

I hope he will consider taking it commercial, as the product brings a lot of value.

That did, however, prompt me to consider alternatives. The core issue is the well known difficulty of developing and testing GitHub Action workflows locally, which leads to a long stream of error correcting commits when you work with CI.

NUKE mostly solves this, by capturing the build script in strongly-typed, imperative .NET/C# (no more YAML debugging), and allows you to easily run the pipeline locally. Dagger offers an alternative solution for the same problem; here an underlying execution engine is used to orchestrate functions written in Go/Typescript (or untyped alternatives) that chain together.

It allows you to take input (e.g. code in repo) to output (e.g. versioned deployment artifact, such as a container image) and can potentially also be used for code-based CD of those artifacts.

I made a small spike of building a basic .NET solution (with heavy aid from Copilot)

In principle, this sounds great, but lack of .NET support and lack of Microsoft engagement in the Daggerverse for common tasks curbs my enthusiasm a bit. Staying with NUKE for now, but keeping an eye on Dagger.

CI/CD with Dagger and Azure

Fizzy - a fresh take on Kanban

The BaseCamp folks made a Kanban board / task tracker, free for up to 1000 cards. Also the code is open source (like they did with Campfire), which I would think is really valueable for upcoming Ruby programmers. At least I always wished for access to commercially-viable codebases to learn from early in my career, but that was unfortunately not commonly available for .NET in the early 2000s…

Fizzy

How to write a great agents.md

Nice, actionable guidance.

How to write a great agents.md: Lessons from over 2,500 repositories

The Engineers Who Can’t Use AI Agents Don’t Have a Tools Problem

Postulates that to use AI (coding) agents efficiently, you have to be able to

• understand what you are building
• externalize that understanding in writing

That is defintely true, but not the whole picture (as in: more is needed, context, experience etc.). It made me think of Kent Becks 90% of My Skills Are Now Worth $0…but the other 10% are worth 1000x

EDIT: See also Adam Tornhills take I tend to delete 80% of the generated code. The remaining 20% I refactor

The Engineers Who Can’t Use AI Agents Don’t Have a Tools Problem

EDIT: And another take: 90 percent

Azure CDK progress

Previously-mentioned Azure CDK seem to be maturing nicely. They are not pushing it very hard, so I guess the intended usage is more via the higher-level deployment story of Aspire?

Azure CDK

Using SPIFFE as an OAuth client credential

I have not worked with SPIFFE (or mTLS for that matter), only the somewhat-related managed identities inside Azure and GitHub OIDC. But eliminating secrets is great for security, so nice to see traction on standardizing this stuff. Perhaps Azure PaaS platform managed identities can offer SPIFFE capabilities in the future for federating passwordless workload identities?

SPIFFE client auth

Adapting open source practices in the wrong context

Great quote, which I fully agree with:

Open source practices are the MOST wasteful way to deliver software. They exist to manage the fact that there is no trust and there are no shared incentives. When used in an enterprise, they are are wasteful and even dangerous.

I once encountered a team that had adopted Git Flow for what was basically a web-based SaaS. Predictably, this ran completely off the rails in zero-value overhead. They were able to adapt their processes to a better place afterwards, but reckless implementation of open source practices in the wrong context (just like implementing FAANG architecture in the wrong context) remains a danger.

I also like the Contrast best practices between OS and enterprise list.

Bryan Finster on LinkedIn

Mistral Vibe CLI & Devstral Small 2

Nice to see European AI is still there.

I have not tried Devstral Small 2 (or Qwen 3 coder flash for that matter), but a laptop-runnable coding model have a lot of appeal. My experiments with OpenCode/Cline and Grok Code Fast has not been very successful, but not sure if that is mostly the model or the agent…maybe time to give the small models a shot.

It has been many years since I have been able to code efficiently offline; in the old days it was Google, these days it is the coding agent.

For work (with GitHub Copilot), nothing I have tried beat Claude Sonnet 4.5 and Claude Opus 4.5. Although I did read that Gemini had an edge on large, legacy codebases.

Devstral2 & Mistral Vibe CLI

Same Model, Different Results: Why Coding Agents Aren’t Interchangeable

Nice overview of some of the tricks Claude Code use to steer the behaviour of the underlying LLM, and reflections on what makes different agents work differently on top of the same model.

Why Coding Agents Aren’t Interchangeable

Vibe Engineering JustHTML

Great account of vibe engineering in action. I am building an application currently, not a library, but I have similar experience. The process shines when you can guide the agent with key design choices, then it can fill out the blanks.

How I wrote JustHTML using coding agents

How I Built a Production App with Claude Code

Interesting observations from Josh Anderson - that agent coding collapse with huge context is a message I have heard before, however I recently say someone report that Gemini 3 Pro works well when things get large. It is in preview in GitHub Copilot now, but did not work very well in my (extremely limited, 2-3 prompts) testing today (on a small solution).

How I Built a Production App with Claude Code

GitHub Actions Has a Package Manager, and It Might Be the Worst

On the atrocious security posture of GitHub Actions. To mitigate, I try to stick to GitHub/Microsoft provided actions (in the hope that they know what they are doing) + NUKE + a few, carefully reviewed, forked and SHA-pinned actions.

GitHub Actions Has a Package Manager, and It Might Be the Worst

MCP 2025-11-25 spec

Digging through it today, I understand the basics of MCP but need to know more about the details. MCP is everywhere right now, and the potential (and potential risk) is huge.

MCP 2025-11-25

Pydoll - Evasion-first browser automation

TIL there are alternatives to Playwright/Selenium browser automation that actively try to evade detection. Evil-ish, reminds me of the AI companies ignoring robots.txt.

Pydoll

I like [Team Topologies] as a shared language for talking and thinking about how teams work. Part of that is talking about what is not working, and how to improve, which this article touches upon.

When the Shapes Don’t Fit

Generate GitHub Copilot instructions

Good little tip from Burke Holland: GitHub Copilot in VSCode can auto-generate .github/copilot-instructions.md via canned meta-instructions and a review of your codebase. A simple step to take, barring more heavyweight, emerging practices like memory and stuff like Repomix.

Your AI assistant might be guessing more than helping

Hitting fresh GitHub bugs

I was working on a fork of a custom Windows taskbar (to create a transparent zone other windows cannot maximize into, for use when I auto-hide the Windows taskbar to save my OLED screen from burn-in) and happened upon this bug. It is pretty specific, in that it occurs

• if your repo was created 2025-11-25 (writing this on the 26th)
• if your repo is trying to create a release with GITHUB_TOKEN

Bug Report: Publishing a release via GitHub actions fails for repos created on 2025-11-25

Not a fan of video content, but I know this sentiment exactly. A 15 minute meeting at 13:00 can ruin an entire day of deep work. It goes back to the difference between makers schedule and managers schedule - meetings cost makers more. Funny enough, I reflected on my experience today, and 2 x 5 minute interruptions in person in the office was significantly less disuptive than a chat message “do you have 15 minutes for a quick call”. Food for thought.

When I politely decline scheduling a ‘quick call’

The Architect Elevator

Participated in the workshop, great stuff. Gregor has seen it all, and can challenge your thinking like few others. I come away energized and with lots of food for thought, in the areas of political capital and how to spend it, ways to expand the solution space and how to be high level with depth - to name but a few. I had a blast, colleagues were not quite as enthusiastic though (too many anecdotes for their taste), so YMMV. If you are a fan of the books, definitely go.

Azure Dev Summit

Microsoft returned to Europe with a developer conference, and it was a great one. Portugal is lovely (first time there), and there was loads of great content. Standout sessions were

• Filip W’s session on patterns for Small Language Models (and fine tuning them)
• Safia Abdalla’s mini-workshop on re-implementing ASP.NET Core Minimal API (the framework) from scratch (2 hours!)
• Bart De Smet’s session on implementing a C# feature in the Roslyn compiler (1 hour!)

and a great workshop (with demo of Sustineo) about the new (LLM) Agents framework and LLM agents in general by Seth Juarez

GH-500 ESI Training

Triple-up on training, I did the GH-500 workshop virtually with a Microsoft trainer today. Strange pacing in the material, some of it very basic, some of the stuff around CodeQL very deep and difficult to grasp in a few overloaded slides, but the trainer did his best to make it work. And I walked away with a better idea of how MS virtual training works.

The labs were somewhat broken (e.g. “do not introduce the synthetic bug in main but make a branch and a PR” … “fix the bug you introduced in main”), but I found it interesting that they were automated with GitHub Actions, that analyzed your progress and updated the lab instructions based on this.

I previously did the MS Learn test exam for GH-500, and it seems way too easy compared to something like AZ-204. Not sure if this reflects the actual exam, but maybe I should give it a shot…

Paperless-ngx

I have long considered scanning my old physical documents to PDF. Paperless-ngx offers a web interface for ingestion/OCR/tagging of scanned documents (and other document types), and might be a useful part of that.

Paperless-ngx

The Doom loop

Not as in “Knee-deep in the dead”, but as in what happens when you try to get frontier models to solve problems for which their training data was insufficient. E.g. non-tool assisted multiplication, representing unusual imagery like “a wine glass filled to the brink” or esoteric application code. Fortunately (?) there is a lot of boilerplate involved in development still…

The Doom loop

Net Promoter Score

NPS is getting more and more traction, but I cannot help but wonder if cultural bias or survey fatigue is setting up organizations for disappointment and false conclusions…

Macrodata Refinement Keycaps (from Severance)

Finished watching Severance today, and I found out you can get a set of matching Macrodata Refinement-style keycaps. I like the retro style, but they are expensive, and I use blank keycaps…

Cline + Grok Code Fast 1

I am vibe coding an new version of my PhoneShare app, that I use to capture and LLM summarize links from social media (which mostly happens on LinkedIn these days after Twitter imploded).

The app started out from a oneshot with M365 Copilot + GPT-5 which sorta worked, but I had little luck when I tried to follow up with GitHub Copilot, Senatus and the free GPT-1 / GPT-5-Mini models (my Premium model requests are provided by work, so I do not want to use that for hobby projects). It seemed to be stuck in “the Doom loop”. So I was looking for alternatives.

After a quick look at market leader Cursor, which I considered subscribing to, I found Cline, specifically the terminal coding agent. And it turns out that currently, usage with grok-code-fast-1 is completely free (even though Elon went crazy, I do not mind spending his money on tokens) The results were pretty good - it picked up on the Senatus plan, found the failing tests GPT-5 had created and, given appropriate number of “fix the tests” inputs, it did. Since the new architecture is a complete split of a static web app Front End with configureable backend, I might publish the repo when I am done. But I guess I should look at the actual code first :-)

ORAS - use container registries for non-container-image artifacts

As part of my thinking on how to replace Octopus with GitHub flows, there is a need to store binaries with metadata (and perhaps other artifacts like SBOM) between the build and release stages (as per Build Binaries Only Once)

Some workloads naturally use container images for this, but since I use .NET and Azure App Service a lot, simple zip deployment is often all that is needed. I have seen examples of using GitHub Releases for this purpose, and while it works, I would really like to store binaries in a single place (like the Octopus feeds), with the ability to apply my own retention policies and access control, separate of source access.

That lead me to ORAS which offers the ability to store arbitrary files as versioned container registry repositories. You install it with

winget install oras

then authenticate with

oras login <container registry url>

push the file(s) with something like

oras push <container registry url>/my-application:1.1.1001 --artifact-type application/zip --annotation "org.opencontainers.image.title=My Deployment artifacts" --annotation "..." MyApplication.1.1.1001.zip

and can then download it where you need to deploy it with

oras pull <container registry url>/my-application:1.1.1001

I have only scratched the surface here, but it looks very promising.

Yet another password generator

I use a lot of passwords still, and while there are plenty of generators out there, I figured that making one myself could be a fun vibe coding exercise. I had Copilot / Sonnet create the code, and M365 Copilot security review it, to arrive at the final solution. It is deliberately kept simple, ~450 lines of unminified Javascript, and all additional resources used (Pico CSS and some custom styles) are also kept unminified for easy review. In addition, a CSP policy prevents loading anything off-origin just in case.

(yet another) Secure Password Generator

Unregistry - skip the container registry

More to my taste than the ephemeral registry I wrote about previously is Unregistry, where you make the daemon on the remote end where you want your image to end up host a registry you can push the (missing layers of the) container image to. I do not have a use case right now, but one to look into next time I am dabbling with containers at home (via David Fowler)

Unregistry

MCP as generic, non-agent plugins

Another lens to view MCP as “USB-C for APIs”, a universal interface, allowing your non-agentic apps to piggyback on the huge amount of functionality being exposed as MCP servers. Some of the comments predicts impending collapse, when the MCP server vendors sour on the value proposition for them in exposing their functionality and data this way.

MCP: An (Accidentally) Universal Plugin System

Stripe rediscovers that strong typing is great, unfortunately their code base is in Ruby so they have to write a type checker themselves :P

I do like the approach of gradual rollout though, and the architectural-constraints-as-code approach is something I also use on complex projects (usually NetArchTest but I am not sure it is maintained anymore?)

Refactoring Stubborn, Legacy Codebases

Mackie’s Pizza

If you live in Aarhus, you probably remember Mackie’s Pizza. It turns out one of the people who made pizza there now has a food truck

Mackie’s Pizza

TUnit

Another contender in the NUnit/MSTest/XUnit space. Since I maintain code in both .NET Framework Classic and .NET 8+, a framework that can work in both is appealing. Not sure how Playwright integration looks atm, but one to watch.

Converting an xUnit test project to TUnit

Decision tree for app authentication

One of the greatest features of public cloud is the ability to simply not have any passwords to steal, i.e. managed identities. While I have previously been bitten by the fact that Azure Managed Identities do not have a SLA (and they started running slowly), I still promote and use them heavily.

Workload identity federation is also great if your platform supports it. Certs are a bit of a pain, but still better than rotating client secrets…

Decision tree for app authentication

AutoHideMouseCursor

I have purchased an OLED screen, and of course I now have burn-in anxiety. So I have switched everything to dark mode, and am looking for tools to remove static elements from the screen. AutoHideMouseCursor is an older but no-nonsense tool that will hide the mouse cursor after N seconds

AutoHideMouseCursor

TranslucentTB

Also in the “burn-in prevention” category, this tool allows control of the task bar. Install with

winget install 9pf4kz2vn4w9

TranslucentTB

Rooting every Entra tenant

Insane vulnerability. I remember early Azure and the ACS, and have gone many rounds with SAML-based actor tokens - never without signatures though! I guess it all still exists behind the scenes.

Really shows why security infra legacy and bridging is not just a maintenance burden - it is also a ripe opportunity for holes and unintended access paths to creep in.

One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens

Azure RG Janitor

Nice little example of using Spectre.Console and the dotnet 10 features around scripting C#. I like TUIs almost as much as my favorite iconoclast DHH does.

cleanup-rg.cs

Aikido Safe Chain

NPM Supply chain security is a huge issue, this tool looks like an easy way to at least stop some of the malicious stuff being pushed again and again.

Aikido Safe Chain

CloudKitchens Study on GenAI DevEx

A nice point-of-view on pratical usage of AI coding agents. I have not tried Cursor, but I find it interesting that they rate Copilot highly - need to look into that, as my use so far has not left me impressed.

Study on GenAI DevEx

From CQRS and back - Netflix Tudum

Reading the article, I also question if this is not a case of too many resources leading to extreme over-engineering. I would think cloud services like CosmosDB (of which I am sure there is an alternative in AWS where Netflix lives) could handle the scale with read-your-writes, and even if it cannot, I would imagine ample opportunity to leverage output caching before reaching for dedicated read models with Kafka in between.

I guess the takeaway is like Kelly writes: “Consistency at scale is easier than ever.”. Many architectural patterns exists to handle extreme scale, which in itself is a shrinking concept as cloud services, networks and even on-prem hardware gets more and more powerful.

Netflix revamps Tudum with RAW Hollow (via the brilliant Kelly Sommers)

AZ-204

Passed the exam this month. I found the Whizlabs material and practice tests quite nice for preparation, and reasonably priced, so a completely unbiased recommendation from here. Together with Microsoft Learn (which can be used during the exam but beware), that was what I needed to pass.

Liberating structures & Open Practice Library

I do not have a use case right now, but these team practices seem like a nice catalog to get inspiration from, if you need to run team sessions or tighten up some internal processes.

Liberating structures Open Practice Library via Gregor Hophe - looking forward to attending his workshop next week!

Vibe coding a “me-ware” tool - wslcd

I was annoyed that I could not cd to Windows paths (like C:\foo\bar) copied from Total Commander to the inside of WSL (which mounts them under /mnt/<drive letter>). Copilot had little trouble conjuring up wslcd. I have not even looked at the code (beyond basic “is it deleting my drive” review), and it seems to be working well.

A fun exercise, and “my” first, actually useful Golang project. Perhaps long term using zoxide or even Mark Russinovich’ new jcd would be a better option, but for now this tool solves exactly what annoyed me.

Azure Front Door Gateway Timeout issues

We have been troubleshooting an incident with Azure Front Door, which seems to have lingered for a while. I hope Microsoft will eventually produce a more robust solution of the root causes than retries…