# Tech Study — 2026-06-11

> Daily scan of programming, AI/ML, DevOps, open source, and security developments.
> Focus: relevance to a self-hosted full-stack developer running Coolify + Supabase + Forgejo + Evolution API on Ubuntu.

---

## 1. 🤖 Microsoft Build 2026: Seven In-House MAI Models + Frontier Tuning

**What:** Microsoft shipped seven in-house AI models at Build 2026 under the "MAI" family — spanning reasoning (MAI-Thinking-1: 35B active / ~1T total sparse MoE, 256K context, matches Claude Opus 4.6 on SWE-Bench Pro), code (MAI-Code-1-Flash: 5B, ~51% SWE-Bench Pro, Haiku-class cost), image, transcription, and voice. Available on Foundry, Copilot, OpenRouter, Fireworks, and Baseten. Key differentiator: **Frontier Tuning** — private RL environments that let orgs train MAI models on real workflow traces (Excel-tuned MAI matches GPT-5.4 at ~10× efficiency in Microsoft tests).

**Why it matters:** Microsoft is aggressively reducing dependency on OpenAI. If you're on Azure/Copilot, MAI is becoming the default. For self-hosters, the models are available on OpenRouter — meaning you can route to them from your own tooling. Frontier Tuning is a pattern worth watching for teams with proprietary workflows.

**Source:** https://mer.vin/2026/06/ai-engineering-roundup-june-2026-nemotron-gemma-mai-m3-bedrock-codex-and-agent-security

**Action item:** None immediate. Watch for MAI models appearing on OpenRouter for potential use in local AI workflows.

---

## 2. 🧠 Open-Source AI Models: MiniMax M3, NVIDIA Cosmos 3, Zyphra ZAYA1-8B

**What:** Three notable open-weight model releases:

- **MiniMax M3** — First open-weight model combining frontier SWE capabilities (59.0% SWE-Bench Pro, beating GPT-5.5 and Gemini 3.1 Pro) with 1M-token context window and native multimodal computer use. Built on MiniMax Sparse Attention (MSA) architecture. Open weights.
- **NVIDIA Cosmos 3** — Open foundation model for physical AI using Mixture-of-Transformers (reasoning + expert generation). Optimized for robotic policy development and synthetic data generation. #1 on RoboArena, PAI-Bench, RoboLab. Super/Nano variants available.
- **Zyphra ZAYA1-8B** — Apache 2.0, sparse routing (8B total, 760M active per token), trained from scratch on AMD Instinct hardware — proving you don't need NVIDIA for efficient model training.

**Why it matters:** The open-weight ecosystem is producing models competitive with frontier proprietary ones. MiniMax M3's 1M context + computer use is particularly relevant for AI agent builders. ZAYA1-8B on AMD hardware breaks the NVIDIA training monopoly.

**Source:** https://www.devflokers.com/blog/open-source-ai-roundup-june-2026

**Action item:** Evaluate MiniMax M3 for local agent workloads if you're building AI-powered tools. The open-weight license means you can self-host.

---

## 3. 🔐 Supabase June 2026 Update: Passkeys, ChatGPT App, AI Agent Plugin, Multigres

**What:** Supabase shipped several major features:

- **Passkey Sign-in for Auth** — Biometric/passwordless auth (Face ID, Touch ID, Windows Hello) via WebAuthn. Phishing-resistant. In beta for all projects.
- **Supabase is now an official ChatGPT app** — 29 tools for SQL execution, schema changes, branching, edge function deployment, and live logs directly from ChatGPT.
- **Supabase Plugin for AI Coding Agents** — Bundles Supabase MCP server + agent skills. Supports Claude Code, Cursor, Codex, Gemini CLI. One install, full Supabase workflow.
- **Multigres 0.1 alpha** — Open-source "operating system for Postgres" with sharding, connection pooling, automatic failover, backup orchestration. Coming to Supabase.
- **$500M Series F at $10B valuation** — Led by GIC.
- **New API key model** — `publishable` keys (low-privilege) + revocable `secret` keys replacing long-lived JWT anon/service_role keys. Legacy keys being removed late 2026.

**Why it matters:** Directly impacts our Supabase deployment. The AI Coding Agent plugin is immediately useful — install it once and your agents get full Supabase capabilities. The new API key model is a security improvement but **legacy keys are being removed in late 2026** — we need to migrate. Passkeys are a nice UX upgrade for user-facing apps.

**Source:** https://releasebot.io/updates/supabase

**Action items:**

- [ ] Install Supabase AI Coding Agent plugin for Claude Code/Cursor workflows
- [ ] Plan migration from legacy JWT API keys to new publishable/secret key model before late 2026
- [ ] Evaluate Multigres when it hits Supabase for potential performance improvements
- [ ] Consider enabling Passkey auth for user-facing applications

---

## 4. 🐳 Docker Desktop 4.76.0 Security Update + Engine v29.5.2

**What:** Docker published a security advisory (June 5, 2026) for CVE-2026-8936 — uncontrolled recursion in the grpcfuse kernel module allowing local DoS. Affects Docker Desktop 4.0.0–4.75.0. Patch available in 4.76.0+. Also: Docker Engine v29.5.2, Buildx v0.34.0, time namespacing support for ECI protected containers, and various bug fixes.

**Why it matters:** The CVE is low severity (local access only, DoS), but our Docker Engine should be kept current. We're running Docker on Ubuntu server (not Desktop), so the Desktop-specific CVE doesn't directly apply, but Engine updates do.

**Source:** https://www.cybersecurity-help.cz/vdb/SB2026060517

**Action item:** Check current Docker Engine version (`docker version`) and update to latest if behind. Our Coolify-managed Docker should handle this, but verify.

---

## 5. 📦 npm Supply Chain Security: Lessons from Recent Attacks

**What:** Supabase's June release notes highlighted ongoing npm supply-chain attacks. Key recommendations:

- Pin dependency versions and use lockfiles
- Set 7-day quarantine on new package versions (`minimumReleaseAge` in pnpm, `min-release-age` in npm)
- Block lifecycle scripts by default (`ignore-scripts=true`)
- Block non-registry transitive refs
- Use Socket.dev, npq, or Snyk as second-line defense
- Rotate all credentials (AWS, GCP, K8s, Vault, GitHub, npm, SSH, Supabase service-role keys) if you ever installed a compromised package

**Why it matters:** Our Next.js app and any Node.js services are in the npm ecosystem. Supply chain attacks are increasing in frequency and sophistication.

**Source:** https://releases.sh/supabase/releases

**Action items:**

- [ ] Audit our Next.js project for npm supply chain hygiene
- [ ] Set `minimumReleaseAge` or `min-release-age` in package manager config
- [ ] Enable `ignore-scripts=true` where not already set
- [ ] Pin package manager version in `package.json`

---

## 6. ☸️ Cloud Native Weekly: 69 Releases This Week (Cilium, Crossplane, KEDA, Rook, Backstage)

**What:** The CNCF ecosystem had 69 releases and 159 news items in the week of June 8-14, 2026. Notable projects with updates: Cilium, Crossplane, KEDA, Rook, Backstage. Previous weeks saw updates to Dapr, Linkerd2, OpenCost, Kubescape, and others.

**Why it matters:** While we're not running Kubernetes (using Docker Compose via Coolify), these tools represent the broader ecosystem direction. KEDA (event-driven autoscaling) and Backstage (developer portal) are particularly relevant if we ever scale to K8s.

**Source:** https://lwcn.dev/newsletter/2026-week-24/

**Action item:** None immediate. Bookmark for future reference if we migrate to Kubernetes.

---

## 7. 🦀 Zig 0.16.0 Released (April 2026) — Still Pre-1.0

**What:** Zig 0.16.0 shipped with 8 months of work from 244 contributors across 1183 commits. Key feature: "I/O as an Interface" — a new abstraction for I/O operations. Also includes compiler, build system, linker, fuzzer, and toolchain improvements. Still at 0.x — no 1.0 stable release date announced.

**Why it matters:** Zig continues to mature as a C replacement with no dependencies, excellent cross-compilation, and growing ecosystem. Not yet at 1.0, but the pace of development is strong. Worth watching for systems programming projects.

**Source:** https://lwn.net/Articles/1067634

**Action item:** None immediate. Revisit when Zig hits 1.0 for potential use in performance-critical services.

---

## Summary of Action Items

| Priority | Item | Deadline |
|----------|------|----------|
| 🔴 High | Migrate Supabase legacy API keys to new model | Before late 2026 |
| 🔴 High | Audit npm supply chain hygiene in Next.js project | This week |
| 🟡 Medium | Update Docker Engine to latest version | This week |
| 🟡 Medium | Install Supabase AI Coding Agent plugin | When next using Claude Code/Cursor |
| 🟢 Low | Evaluate MiniMax M3 for local AI workloads | When building AI features |
| 🟢 Low | Consider Passkey auth for user-facing apps | Next auth update |
| 🟢 Low | Watch Zig 1.0 release | Ongoing |

---

*Generated by Morpheus — Daily Tech Study cron job*
*Next scan: 2026-06-12*
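
The npm hygiene audit from item 5, sketched as a Node.js function that checks the lockfile, `ignore-scripts`, release-age quarantine, `packageManager` pin, exact dependency versions, and non-registry sources in `package-lock.json`. This is an added example, not code from the scan or from any project it cites; `auditProject`, the constructed sample project, the public-registry URL, and the placement of `minimumReleaseAge` in `pnpm-workspace.yaml` are assumptions.

```javascript
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // exact version, no ^ ~ ranges or tags
const REGISTRY = "https://registry.npmjs.org/"; // assumption: public registry only

// files maps file name -> file content; returns a list of findings (empty = clean).
function auditProject(files) {
  const findings = [];
  const pkg = JSON.parse(files["package.json"] || "{}");
  const npmrc = (files[".npmrc"] || "").split(/\r?\n/);
  const hasKey = (key, val) =>
    npmrc.some((line) => {
      const [k, v = ""] = line.split("=").map((s) => s.trim());
      return k === key && (val === undefined || v === val);
    });

  const locks = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"];
  if (!locks.some((f) => f in files)) findings.push("no lockfile present");
  if (!hasKey("ignore-scripts", "true")) findings.push("ignore-scripts=true not set in .npmrc");
  // Assumption: pnpm reads minimumReleaseAge from pnpm-workspace.yaml.
  const pnpmAge = /^minimumReleaseAge:\s*\d+/m.test(files["pnpm-workspace.yaml"] || "");
  if (!hasKey("min-release-age") && !pnpmAge) findings.push("no release-age quarantine configured");
  if (!/^[a-z]+@\d+\.\d+\.\d+/.test(pkg.packageManager || ""))
    findings.push("packageManager not pinned to an exact version");

  for (const field of ["dependencies", "devDependencies"])
    for (const [name, range] of Object.entries(pkg[field] || {}))
      if (!EXACT.test(range)) findings.push(`${field}: ${name}@${range} is not pinned`);

  // Transitive sources: each "resolved" URL in package-lock.json should be a registry tarball.
  const lock = JSON.parse(files["package-lock.json"] || "{}");
  for (const [loc, meta] of Object.entries(lock.packages || {}))
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY))
      findings.push(`non-registry source: ${loc} -> ${meta.resolved}`);
  return findings;
}

// Constructed sample project (illustrative values, not from the scan).
const SAMPLE = {
  "package.json": JSON.stringify({
    packageManager: "pnpm",
    dependencies: { next: "^15.0.0", react: "19.0.0" },
  }),
  ".npmrc": "ignore-scripts=true\n",
  "package-lock.json": JSON.stringify({ packages: {
    "": {},
    "node_modules/react": { resolved: "https://registry.npmjs.org/react/-/react-19.0.0.tgz" },
    "node_modules/left-helper": { resolved: "git+ssh://git@git.example/acme/left-helper.git#0000000" },
  } }),
};
console.log(auditProject(SAMPLE).join("\n"));
```

Projects that install from a private registry or mirror should set `REGISTRY` to that origin before relying on the non-registry check.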