Friday, 19 June 2026

Cloudflare details AI-scale vulnerability harness; Switzerland ends nuclear moratorium; GitHub caps AI-generated pull request noise

Today's Lead

Engineering

Cloudflare Blog

Build Your Own Vulnerability Harness

Cloudflare details a two-stage AI-driven system for discovering and validating security vulnerabilities across large enterprise codebases, treating models as interchangeable components rather than fixed dependencies. The harness addresses the fundamental limits of generic coding agents — context exhaustion and information loss across runs — through persistent orchestration, dynamic threat modeling, and mandatory proof-of-concept validation against unmodified source code. A key empirical finding: across 128 repositories the pipeline filtered roughly 20,800 raw candidates down to 7,245 actionable findings, and the agents reached for a 'wishlist' tool 25,472 times while calling Semgrep exactly zero times — a reminder to watch what agents actually use rather than what you expect them to want. Practical guidance throughout: start with just recon, hunt, and validate stages before adding cross-repo tracing; keep each agent's context below 25% of the window; build for model volatility from day one. The Cloudflare security audit skill referenced in the post is being released publicly.

Read →

Engineering

Bluewin

Swiss Parliament Lifts Ban on New Nuclear Power Plants

Switzerland's National Council voted 100-98 to lift the decades-long ban on constructing new nuclear power plants, aligning with earlier approvals by the Federal Council and Council of States. The measure permits new reactor construction at the framework permit level but still faces a likely public referendum. The reversal ends the political consensus that had held since the 2011 Fukushima accident and reflects a broader European recalculation of energy infrastructure under decarbonization pressure and post-Ukraine energy security concerns.

Read →

Model Context Protocol Blog

Zero-Touch OAuth for MCP: Enterprise-Managed Authorization

Model Context Protocol now supports Enterprise-Managed Authorization (EMA), letting organizations centrally provision MCP server access through their existing identity provider rather than requiring individual OAuth consent flows for each user and server. The implementation uses Identity Assertion JWT Authorization Grants exchanged at the MCP server for access tokens, keeping policy decisions and audit trails inside the IdP while removing interactive consent screens entirely. For regulated enterprises deploying AI agents at scale, the key shift is governance: authorization moves from a per-user burden to a centrally auditable, policy-driven model that IT can configure and revoke without touching individual client configurations.

Read →

GitHub Blog

How Pull Request Limits Are Cutting Down the Noise

GitHub introduced persistent pull request limits that cap how many open PRs a user without write access can have in a repository — AI-generated PRs from Copilot and other agents count against the limit. The backdrop: GitHub's monthly PR volume has grown 3.6× over three years, from 25 million to 90 million, with the acceleration driven largely by AI coding tools lowering the cost of submitting a change to near zero while the human cost of reviewing one stayed constant. AutoGPT's lead noted the feature 'helped us want to review pull requests again.' GitHub plans follow-on work including PR archiving, issue limits, and cross-repository rate limiting to address contributors who spray low-quality PRs across many projects simultaneously.

Read →

That Privacy Guy

I Told Them Forced Consent Was Unlawful. Five Years Later It Cost Elkjøp €1.8M

Norway's data protection authority fined Elkjøp NOK 20 million (€1.8M) for requiring customers to accept marketing emails as a condition of store membership — a consent design privacy researcher Alexander Hanff flagged to the company's DPO in 2021 citing GDPR Articles 4(11), 5, and 6. Elkjøp maintained the practice for five years before the fine landed. The case establishes a clear precedent: when a user cannot refuse a request without losing something they were otherwise entitled to keep, the consent is not freely given regardless of what the interface labels it — the 'agree-or-lose-access' architecture is legally indefensible under GDPR.

Read →
Humanities

Aresluna

Show Your Hands Honor for the Strange Power They Bring You

Marcin Wichary traces over a century of keyboard and input device history to argue that software designers systematically underestimate what human hands can actually do. Fingers do not move one at a time — they pre-stage overlapping motor commands, which is why typists can be several keystrokes ahead of what appears on screen. This capability creates a set of non-negotiable interface obligations: feedback within milliseconds, spring-loaded modes that never trap state, instant undo, and a cursor that never freezes. The essay reads as a philosophy-of-design argument about care and obligation: when you build something people interact with through their hands, you inherit a responsibility to those hands.

Read →