morpheus-brain/research/tech-study/2026-06-11.md
2026-06-11 02:03:29 +00:00

# Tech Study — 2026-06-11
> Daily scan of programming, AI/ML, DevOps, open source, and security developments.
> Focus: relevance to a self-hosted full-stack developer running Coolify + Supabase + Forgejo + Evolution API on Ubuntu.
---
## 1. 🤖 Microsoft Build 2026: Seven In-House MAI Models + Frontier Tuning
**What:** Microsoft shipped seven in-house AI models at Build 2026 under the "MAI" family — spanning reasoning (MAI-Thinking-1: 35B active / ~1T total sparse MoE, 256K context, matches Claude Opus 4.6 on SWE-Bench Pro), code (MAI-Code-1-Flash: 5B, ~51% SWE-Bench Pro, Haiku-class cost), image, transcription, and voice. Available on Foundry, Copilot, OpenRouter, Fireworks, and Baseten. Key differentiator: **Frontier Tuning** — private RL environments that let orgs train MAI models on real workflow traces (Excel-tuned MAI matches GPT-5.4 at ~10× efficiency in Microsoft tests).
**Why it matters:** Microsoft is aggressively reducing dependency on OpenAI. If you're on Azure/Copilot, MAI is becoming the default. For self-hosters, the models are available on OpenRouter — meaning you can route to them from your own tooling. Frontier Tuning is a pattern worth watching for teams with proprietary workflows.
**Source:** https://mer.vin/2026/06/ai-engineering-roundup-june-2026-nemotron-gemma-mai-m3-bedrock-codex-and-agent-security
**Action item:** None immediate. Watch for MAI models appearing on OpenRouter for potential use in local AI workflows.
---
## 2. 🧠 Open-Source AI Models: MiniMax M3, NVIDIA Cosmos 3, Zyphra ZAYA1-8B
**What:** Three notable open-weight model releases:
- **MiniMax M3** — First open-weight model combining frontier SWE capabilities (59.0% SWE-Bench Pro, beating GPT-5.5 and Gemini 3.1 Pro) with 1M-token context window and native multimodal computer use. Built on MiniMax Sparse Attention (MSA) architecture. Open weights.
- **NVIDIA Cosmos 3** — Open foundation model for physical AI using Mixture-of-Transformers (reasoning + expert generation). Optimized for robotic policy development and synthetic data generation. #1 on RoboArena, PAI-Bench, RoboLab. Super/Nano variants available.
- **Zyphra ZAYA1-8B** — Apache 2.0, sparse routing (8B total, 760M active per token), trained from scratch on AMD Instinct hardware — proving you don't need NVIDIA for efficient model training.
**Why it matters:** The open-weight ecosystem is producing models competitive with frontier proprietary ones. MiniMax M3's 1M context + computer use is particularly relevant for AI agent builders. ZAYA1-8B on AMD hardware breaks the NVIDIA training monopoly.
**Source:** https://www.devflokers.com/blog/open-source-ai-roundup-june-2026
**Action item:** Evaluate MiniMax M3 for local agent workloads if you're building AI-powered tools. The open-weight license means you can self-host.
---
## 3. 🔐 Supabase June 2026 Update: Passkeys, ChatGPT App, AI Agent Plugin, Multigres
**What:** Supabase shipped several major features:
- **Passkey Sign-in for Auth** — Biometric/passwordless auth (Face ID, Touch ID, Windows Hello) via WebAuthn. Phishing-resistant. In beta for all projects.
- **Supabase is now an official ChatGPT app** — 29 tools for SQL execution, schema changes, branching, edge function deployment, and live logs directly from ChatGPT.
- **Supabase Plugin for AI Coding Agents** — Bundles Supabase MCP server + agent skills. Supports Claude Code, Cursor, Codex, Gemini CLI. One install, full Supabase workflow.
- **Multigres 0.1 alpha** — Open-source "operating system for Postgres" with sharding, connection pooling, automatic failover, backup orchestration. Coming to Supabase.
- **$500M Series F at $10B valuation** — Led by GIC.
- **New API key model** — `publishable` keys (low-privilege) + revocable `secret` keys replacing long-lived JWT anon/service_role keys. Legacy keys being removed late 2026.
**Why it matters:** Directly impacts our Supabase deployment. The AI Coding Agent plugin is immediately useful — install it once and your agents get full Supabase capabilities. The new API key model is a security improvement but **legacy keys are being removed in late 2026** — we need to migrate. Passkeys are a nice UX upgrade for user-facing apps.
**Source:** https://releasebot.io/updates/supabase
**Action items:**
- [ ] Install Supabase AI Coding Agent plugin for Claude Code/Cursor workflows
- [ ] Plan migration from legacy JWT API keys to new publishable/secret key model before late 2026
- [ ] Evaluate Multigres when it hits Supabase for potential performance improvements
- [ ] Consider enabling Passkey auth for user-facing applications
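
An inventory of where legacy keys still live is the first step of the migration planned above. This added example (not code from the digest or from Supabase) decodes JWT-shaped values in env-file text and reports those whose `role` claim is `anon` or `service_role`; the variable names and tokens in the sample are constructed.

```javascript
// Added example, not from the source page: flag legacy Supabase JWT API keys in env-file text.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodeClaims(jwt) {
  try {
    return JSON.parse(Buffer.from(jwt.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null; // looked like a JWT but the payload is not JSON
  }
}

function findLegacyKeys(envText, now = Date.now()) {
  const findings = [];
  envText.split(/\r?\n/).forEach((line, i) => {
    for (const token of line.match(JWT_RE) || []) {
      const claims = decodeClaims(token);
      // Only the two legacy key roles are of interest; other JWTs are ignored.
      if (!claims || !["anon", "service_role"].includes(claims.role)) continue;
      const variable = line.split("=")[0].trim();
      findings.push({
        line: i + 1,
        variable,
        role: claims.role,
        // Whole years until the exp claim; null when the token carries none.
        yearsLeft: claims.exp ? Math.floor((claims.exp * 1000 - now) / 31557600000) : null,
        // Next.js inlines NEXT_PUBLIC_* values into the browser bundle.
        browserExposed: variable.startsWith("NEXT_PUBLIC_"),
      });
    }
  });
  return findings;
}

// Constructed, unsigned sample tokens and variable names (not real credentials).
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const sampleJwt = (role) =>
  `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", role, exp: 2000000000 })}.sig`;
const SAMPLE_ENV = [
  `NEXT_PUBLIC_SUPABASE_ANON_KEY=${sampleJwt("anon")}`,
  `NEXT_PUBLIC_SUPABASE_SERVICE_KEY=${sampleJwt("service_role")}`,
  "SUPABASE_URL=https://project.example",
].join("\n");
console.log(findLegacyKeys(SAMPLE_ENV));
```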
---
## 4. 🐳 Docker Desktop 4.76.0 Security Update + Engine v29.5.2
**What:** Docker published a security advisory (June 5, 2026) for CVE-2026-8936 — uncontrolled recursion in the grpcfuse kernel module allowing local DoS. Affects Docker Desktop 4.0.0 through 4.75.0. Patch available in 4.76.0+. Also: Docker Engine v29.5.2, Buildx v0.34.0, time namespacing support for ECI protected containers, and various bug fixes.
**Why it matters:** The CVE is low severity (local access only, DoS), but our Docker Engine should be kept current. We're running Docker on Ubuntu server (not Desktop), so the Desktop-specific CVE doesn't directly apply, but Engine updates do.
**Source:** https://www.cybersecurity-help.cz/vdb/SB2026060517
**Action item:** Check current Docker Engine version (`docker version`) and update to latest if behind. Our Coolify-managed Docker should handle this, but verify.
---
## 5. 📦 npm Supply Chain Security: Lessons from Recent Attacks
**What:** Supabase's June release notes highlighted ongoing npm supply-chain attacks. Key recommendations:
- Pin dependency versions and use lockfiles
- Set 7-day quarantine on new package versions (`minimumReleaseAge` in pnpm, `min-release-age` in npm)
- Block lifecycle scripts by default (`ignore-scripts=true`)
- Block non-registry transitive refs
- Use Socket.dev, npq, or Snyk as second-line defense
- Rotate all credentials (AWS, GCP, K8s, Vault, GitHub, npm, SSH, Supabase service-role keys) if you ever installed a compromised package
**Why it matters:** Our Next.js app and any Node.js services are in the npm ecosystem. Supply chain attacks are increasing in frequency and sophistication.
**Source:** https://releases.sh/supabase/releases
**Action items:**
- [ ] Audit our Next.js project for npm supply chain hygiene
- [ ] Set `minimumReleaseAge` or `min-release-age` in package manager config
- [ ] Enable `ignore-scripts=true` where not already set
- [ ] Pin package manager version in `package.json`
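
One way to run the audit listed above, as an added example rather than code from the digest or from Supabase: it checks the text of `package.json`, `.npmrc` and `package-lock.json` against the recommendations in this section. It assumes a lockfile with the v2/v3 `packages` map, the public npm registry URL, and that `min-release-age` counts days; the sample projects are constructed.

```javascript
// Added example, not from the source page: audit package.json, .npmrc and package-lock.json text.
function auditNpmHygiene({ packageJson, npmrc = "", lockfile = null }, registry = "https://registry.npmjs.org/") {
  const issues = [];
  const pkg = JSON.parse(packageJson);
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // 1.2.3 or 1.2.3-rc.1
  // Anything that is not an exact version is a range or a non-registry ref.
  for (const field of ["dependencies", "devDependencies"])
    for (const [name, spec] of Object.entries(pkg[field] || {}))
      if (!exact.test(spec)) issues.push(`unpinned:${name}@${spec}`);
  // The package manager itself should be pinned through the "packageManager" field.
  if (!/^(npm|pnpm|yarn)@\d+\.\d+\.\d+/.test(pkg.packageManager || "")) {
    issues.push("package-manager-not-pinned");
  }
  // .npmrc is key=value lines; '#' and ';' start comments.
  const rc = {};
  for (const raw of npmrc.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (eq > 0 && !/^[#;]/.test(line)) rc[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  if (rc["ignore-scripts"] !== "true") issues.push("lifecycle-scripts-enabled");
  // Assumption: min-release-age counts days; 7 is the quarantine this section names.
  if (!(Number(rc["min-release-age"]) >= 7)) issues.push("no-release-quarantine");
  // Lockfile v2/v3 "packages" map: every resolved URL must point at the registry.
  if (!lockfile) return issues.concat("missing-lockfile");
  for (const [path, entry] of Object.entries(JSON.parse(lockfile).packages || {})) {
    if (path === "" || entry.link || entry.inBundle) continue; // root, workspace link, bundled
    if (!String(entry.resolved || "").startsWith(registry)) issues.push(`non-registry:${path}`);
  }
  return issues;
}

// Constructed sample projects; package names, versions and URLs are illustrative.
const tarball = (n, v) => `https://registry.npmjs.org/${n}/-/${n}-${v}.tgz`;
const WEAK_PROJECT = {
  packageJson: JSON.stringify({ dependencies: { next: "^15.0.0", "left-pad": "1.3.0" } }),
  npmrc: "# no hardening set\n",
  lockfile: JSON.stringify({ lockfileVersion: 3, packages: {
    "": { name: "app" },
    "node_modules/left-pad": { version: "1.3.0", resolved: tarball("left-pad", "1.3.0") },
    "node_modules/transitive-x": { version: "0.0.1", resolved: "git+ssh://git@git.example/x.git#0000000" },
  } }),
};
const HARDENED_PROJECT = {
  packageJson: JSON.stringify({ packageManager: "npm@11.10.0", dependencies: { "left-pad": "1.3.0" } }),
  npmrc: "ignore-scripts=true\nmin-release-age=7\n",
  lockfile: JSON.stringify({ lockfileVersion: 3, packages: {
    "node_modules/left-pad": { version: "1.3.0", resolved: tarball("left-pad", "1.3.0") } } }),
};
console.log(auditNpmHygiene(WEAK_PROJECT), auditNpmHygiene(HARDENED_PROJECT));
```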
---
## 6. ☸️ Cloud Native Weekly: 69 Releases This Week (Cilium, Crossplane, KEDA, Rook, Backstage)
**What:** The CNCF ecosystem had 69 releases and 159 news items in the week of June 8-14, 2026. Notable projects with updates: Cilium, Crossplane, KEDA, Rook, Backstage. Previous weeks saw updates to Dapr, Linkerd2, OpenCost, Kubescape, and others.
**Why it matters:** While we're not running Kubernetes (using Docker Compose via Coolify), these tools represent the broader ecosystem direction. KEDA (event-driven autoscaling) and Backstage (developer portal) are particularly relevant if we ever scale to K8s.
**Source:** https://lwcn.dev/newsletter/2026-week-24/
**Action item:** None immediate. Bookmark for future reference if we migrate to Kubernetes.
---
## 7. 🦀 Zig 0.16.0 Released (April 2026) — Still Pre-1.0
**What:** Zig 0.16.0 shipped with 8 months of work from 244 contributors across 1183 commits. Key feature: "I/O as an Interface" — a new abstraction for I/O operations. Also includes compiler, build system, linker, fuzzer, and toolchain improvements. Still at 0.x — no 1.0 stable release date announced.
**Why it matters:** Zig continues to mature as a C replacement with no dependencies, excellent cross-compilation, and growing ecosystem. Not yet at 1.0, but the pace of development is strong. Worth watching for systems programming projects.
**Source:** https://lwn.net/Articles/1067634
**Action item:** None immediate. Revisit when Zig hits 1.0 for potential use in performance-critical services.
---
## Summary of Action Items
| Priority | Item | Deadline |
|----------|------|----------|
| 🔴 High | Migrate Supabase legacy API keys to new model | Before late 2026 |
| 🔴 High | Audit npm supply chain hygiene in Next.js project | This week |
| 🟡 Medium | Update Docker Engine to latest version | This week |
| 🟡 Medium | Install Supabase AI Coding Agent plugin | When next using Claude Code/Cursor |
| 🟢 Low | Evaluate MiniMax M3 for local AI workloads | When building AI features |
| 🟢 Low | Consider Passkey auth for user-facing apps | Next auth update |
| 🟢 Low | Watch Zig 1.0 release | Ongoing |
---
*Generated by Morpheus — Daily Tech Study cron job*
*Next scan: 2026-06-12*