Technology Strategy

SERA and the Case for Open-Source Coding Agents That Know Your Repo

If your team has tried Cursor, Copilot, or other AI coding tools and found them underwhelming on your codebase—wrong conventions, missing context, generic suggestions—you’re running into a fundamental limit: those models are trained and optimized for the average repo, not yours. In early 2026, AI2 (Allen Institute for AI) released SERA (Soft-Verified Efficient Repository Agents), an open-source family of coding agents built for something different: specialization to your repository through fine-tuning, at a cost that makes it realistic for more teams.

Cursor vs. Copilot in 2026: What Actually Matters for Your Team

By 2026 the AI coding tool war is a fixture of tech news. Cursor—the AI-native editor from a handful of MIT grads—has reached a $29.3B valuation and around $1B annualized revenue in under two years. GitHub Copilot has crossed 20 million users and sits inside most of the Fortune 100. The comparison pieces write themselves: Cursor vs. Copilot on features, price, workflow. But for teams that have adopted one or both and still don’t see clear performance benefits, the lesson from 2026 isn’t “pick the winning tool.” It’s that the tool is often the wrong place to look.

Prompt Injection Is Coming for Your Coding Agent

In early 2026, a critical vulnerability in Anthropic’s Claude Code made the rounds: CVE-2026-24887, which let an attacker bypass the user-approval prompt and execute arbitrary commands via prompt injection. Around the same time, researchers demonstrated prompt-injection-to-RCE chains in GitHub Actions—an external PR could trigger Claude Code in a workflow and, with a malicious payload in the PR title, achieve code execution with workflow privileges. Real incidents have shown agents exfiltrating SSH keys and credentials from hidden instructions in docs or comments. NIST has called prompt injection “generative AI’s greatest security flaw,” and it’s #1 on the OWASP LLM Top 10. If your team is rolling out AI coding assistants or agentic workflows, this isn’t theoretical. It’s the threat model you need to plan for.

OpenClaw in 2026: Security Reality Check and Where It Still Shines

OpenClaw (the project formerly known as Moltbot and Clawdbot) had a wild start to 2026: explosive growth, a rebrand after Anthropic’s trademark request, and adoption from Silicon Valley to major Chinese tech firms. By February it had sailed past 180,000 GitHub stars and drawn millions of visitors. Then the other shoe dropped. Security researchers disclosed critical issues—including CVE-2026-25253 and the ClawHavoc campaign, with hundreds of malicious skills and thousands of exposed instances. The gap between hype and reality became impossible to ignore.

GitHub Agentic Workflows Are Here: What They Change (and What They Don't)

In February 2026, GitHub launched Agentic Workflows in technical preview—automation that uses AI to run repository tasks from natural-language instructions instead of only static YAML. It’s part of a broader idea GitHub calls “Continuous AI”: the agentic evolution of continuous integration, where judgment-heavy work (triage, review, docs, CI debugging) can be handled by coding agents that understand context and intent.

If you’re weighing whether to try them, it helps to be clear on what they are, what they’re good for, and what stays the same.

OpenClaw for Teams That Gave Up on AI

Lots of teams have been here: you tried ChatGPT, Copilot, or a similar assistant. You used it for coding, planning, and support. After a few months, the verdict was “meh”—maybe a bit faster on small tasks, but no real step change, and enough wrong answers and extra verification that it didn’t feel worth the hype. So you dialed back, or gave up on “AI” as a productivity lever.

If that’s you, the next step isn’t to try harder with the same tools. It’s to try a different kind of tool: one built to do a few concrete jobs in your actual environment, with access to your systems and a clear way to see that it’s helping. OpenClaw (and tools like it) can be that next step—especially for teams that are struggling to see any performance benefits from AI in their software engineering workflows.

Your AI-Generated Codebase Is a Liability

If a quarter of Y Combinator startups have codebases that are over 95% AI-generated, we should probably talk about what that means when those companies get acquired, audited, or sued.

AI-generated code looks clean. It follows conventions. It passes linting. It often has reasonable test coverage. By most surface-level metrics, it appears to be high-quality software.

But underneath the polished exterior, AI-generated codebases carry risks that traditional codebases don’t. Security vulnerabilities that look correct. Intellectual property questions that don’t have clear answers. Structural problems that emerge only under stress. Dependency chains that nobody consciously chose.

OpenClaw for Engineering Teams: Beyond Chatbots

I wrote recently about using OpenClaw (formerly Moltbot) as an automated SDR for sales outreach. That post focused on a business use case, but since then I’ve been exploring what OpenClaw can do for engineering teams specifically—and the results have been more interesting than I expected.

OpenClaw has evolved significantly since its early days. With 173,000+ GitHub stars and a rebrand from Moltbot in late January 2026, it’s moved from a novelty to a genuine platform for local-first AI agents. The key differentiator from tools like ChatGPT or Claude isn’t the AI model—it’s the deep access to your local systems and the skill-based architecture that lets you build custom workflows.

Lessons from a Year of AI Tool Experiments: What Actually Worked

Over the past year, I’ve been experimenting extensively with AI tools—trying to understand what they’re actually good for, where they fall short, and how to use them effectively. I’ve written about several of these experiments: the meeting scheduling failures, the presentation generation disappointments, and most recently, setting up Moltbot as an SDR.

Looking back at all these experiments, patterns emerge. Some things consistently worked. Others consistently didn’t. And a few things surprised me in both directions.

GitHub Copilot Agent Mode: First Impressions and Practical Limits

GitHub Copilot’s agent mode represents a significant shift in how AI coding assistants work. Instead of just suggesting completions as you type, agent mode can iterate on its own code, catch and fix errors automatically, suggest terminal commands, and even analyze runtime errors to propose fixes.

This isn’t AI-assisted coding anymore. It’s AI-directed coding, where you’re less of a writer and more of an orchestrator. After spending time with this new capability, I have thoughts on what it delivers, where it falls short, and how to use it effectively.

Transforming Sales Outreach: Using Moltbot as Your AI-Powered SDR

If you’ve been following the AI space lately, you’ve probably heard about Moltbot (also known as OpenClaw)—the open-source AI assistant that skyrocketed to 69,000 GitHub stars in just one month. While most people are using it for personal productivity tasks, there’s a more intriguing use case worth exploring: setting up Moltbot as an automated Sales Development Representative (SDR) for companies.

This post explores how this approach could work, including the setup process, the potential benefits, and yes, the limitations you need to understand before diving in.

Why Netlify?

When it comes to hosting for static sites like this one, that uses Hugo, there are a few options out there now. It used to be that the default answer was to use GitHub Pages and Jekyll to host your site. There weren’t many well publicized alternatives out there that allowed you to host it all for free. Add in CloudFlare in front of GitHub Pages, and you had a well protected site that would be able to weather most issues, and be performant for most users.

When Should I Use Magento 2 Helpers?

One of the objects that developers familiar with Magento 1 will instantly recognize are helpers. When working with Magento 1, helpers proved to be a special type of object that looked similar in invocation to a singleton, but in reality it was more of a lazy way to share functionality between multiple locations. The main benefit to using a helper in Magento 1 is that it made it easier to access the __ function for translations and it was directly accessible from the template files .phtml. I’m sure many of you can relate to accessing a helper with the familiar Mage::helper('modulename');.

The Magento 2 Learning Curve

The learning curve for various products and platforms tends to vary greatly depending on the complexity of the system you are learning. For example, people that understand how to use the internet and communicate online via email or Facebook are generally able to figure out how to work with Twitter without much of an issue. On the other hand, when you are looking at the learning curve for designing airplanes that are able to carry people, it should be much more difficult to understand how to start as compared to starting to use Twitter. (Yes, I know there are people out that think learning to use Twitter is exceedingly difficult, and make paper airplanes all day long.)

The Best Way to Learn Magento 2

The very best way that I have found to figure out how to develop with Magento 2 is to write unit tests for a module. It not only requires you to figure out how to work with phpunit, but to also look at the existing codebase for examples of how the Magento 2 team works with the same objects and handles the same kinds of tasks. Once I wrote a full set of unit tests for my first Magento 2 module, I felt that I had a much better grasp of the workings of Magento 2 than I did before I started writing the unit tests.

Magento 2, Docker, and macOS don't mix

I was excited when the Docker team launched their better-integrated solution for running Docker containers on OS X this past summer. It allowed our team to switch from using full Vagrant/Virtual Box based virtual machines for local development to a much lighter-weight solution. Compared to the Vagrant setup, Magento 1 seemed to run a bit faster and require fewer resources when running in Docker.

However, when trying to setup a similar environment with Magento 2, the performance numbers didn’t quite line up when using a macOS host. I’m sure a little background as to the system setup would make things a bit more clear.

Weird Errors Running Magento 2 Unit Tests

One of the great promises with the release of Magento 2 was that the core codebase would ship with unit tests built in so that you could have some way to be able to tell if you did something to break the site long before you ever pushed your code to production. In reality, though, since you should never directly edit the core files, instead only override their functionality, as a Magento 2 developer, there is little that you should be able to do that will cause the shipped tests to fail. Instead, the testing framework for unit tests makes it much easier for the extension developers and customizers to be able to unit test their custom code to ensure that the code does exactly what they expect it to.

Magento 2.1.3 Upgrade Static Files Not Loading

Magento just released an update to the latest version of their ecommerce platform to up the version from 2.1.2 to 2.1.3. There are a few differences between the versions, and one of those differences relates to the handling of the static files and what method is used to bust the cache of browsers to ensure users get the latest code whenever changes are deployed. Unfortunately, this upgrade by default breaks sites that aren’t aware of the changes needed to make this work properly.

Don't Use MongoDB For The Wrong Things

The early phases of a greenfield project always seem to conjure up grand ideas of how to use the hottest new technologies to accomplish your goals. Many times, these grandiose plans give way to a more level-headed design discussion where more realistic technologies are adopted. However, there are a few times where the developer with the idea to use the hottest new technology is the one in charge, and ends up getting his way.

Verify Magento User Access to Admin Functionality

When working with Magento, there will inevitably come a time where you need to manually check to see if the currently logged-in user has access to a specific piece of functionality as defined in the ACL settings. Personally, I have come across this situation more often when creating my own custom modules and their custom permissions, but they can be used to check the permissions of any module.

As is so often the case, Alan Storm has documented the exact solution for this scenario. Lets say that your ACL configuration is setup as it is below…

Never Explicitly Trust Software Because It Is Open-Source

One of the major ideas behind open source projects is that allowing anyone that wants to view the source code of a project to be able to do so should make bugs and security weaknesses easy to find. While this did not work so well with OpenSSL and its various bugs that have been exposed recently, I do have an example where it worked extremely well.

Magento is an eCommerce platform that has two separate editions. One is a completely open-source and free as in beer Community edition. The other is a somewhat expensive Enterprise Edition. There is a large community of Magento developers that create extentions, or addons, for these two editions of Magento.

Authenticate Magento Admin Users

Magento’s admin interface allows you to do the vast majority of everything that you would ever want to do to manage your eCommerce website. However, there are times when the rigidity of the framework makes it difficult for developers to appropriately customize a layout.

One of the things that we have done to combat these limitations is to create a new administration section of the website specifically for the use of developers and other advanced administrators of the site. In order to do this as seamlessly as possible, one of the requirements was to enable current admin users to use the same authenticated session across the standard Magento admin and our new custom admin systems.

The Amazing Magento Configuration

At the heart of every piece of PHP in Magento is the XML configuration files that tell core Magento code where to find functions and what to do with them. It seems to be the biggest hurdle that most developers face when they begin developing with Magento.

When going through a bit of code recently, I discovered something in the configuration that looks like it should have never worked, but amazingly enough, has worked without issue the entire time it has been in place. Let’s see if you spot the bit of strangeness.

Magento's preDispatch Observer

One of the decisions that always seems to arise when adding functionality to a Magento website is what the best strategy is for doing so. Should you override the controller or function, edit it in place, or use an observer to listen for a particular event to occur.

It just so happens that if you want to make sure that you have some sort of validation logic that runs before a particular controller action is executed, the easiest way to implement it is via a preDispatch observer. The other aspect of preDispatch controllers is that they can be configured to listen only for preDispatch events from a particular module, or they can listen for preDispatch events from every module, allowing you to add some password expiration policies to the adminhtml side of your website, for example.

5 Ways to Keep Your Nude Pictures Secure

With the recent revelation that there was a massive release of naked or revealing photographs of many female celebrities, it seems to be an important time to remind people how to make sure private photos and other information don’t get shared all around the internet without your permission. As a result, here are my top 5 ways to keep your nude pictures secure.

1. Don’t Take Nude Selfies - Yes, the best and easiest way to keep your naked selfies out of the sight for the public viewers on the internet is to never take a naked selfie in the first place. Just don’t do it.

   #rant #security

   Read More

Hackers Exploiting Gullible Magento Site Administrators

Nexcess recently released a report of a Recent Exploit using Fake Magento Extensions was able to skim credit card information from affected Magento websites. While it seems that some of the stores were breached by correctly guessing simple admin usernames and passwords, others seemed to be the result of site administrators installing Magento Extensions that included backdoors that gave the hackers remote access to the website. Once the backdoor was installed, the hackers went on to modify core Magento files, ensuring that when a credit card order was placed, the credit card information would be saved to a text file that was hidden with an image file name extension .jpg, .gif, .bmp and saved in the /media directory, allowing the hackers, and anyone else on the internet to download the credit card information.

Orphaned Attribute Data in Magento

Its always entertaining to look at the source of an application that originates from outside your organization. It frequently highlights ways of using technology I was not familiar with beforehand, and sometimes leaves me shaking my head in disgust. I initially started looking at a relatively new third-party module thinking that I would find some sort of major bug that was causing the issues the site was experiencing, but was surprised to find that was not the case.

Unintended Consequences with Magento Observers on Sales Orders

Anyone that uses Magento to place orders will be hard-pressed to consider this process a speedy one. While it takes a while to process the order under the best of circumstances, there are a few things that you can do that actually make it worse.

One of those things that can make it worse is creating an observer that runs in the middle of the saving of the order processes that is always slow-running, or continues to get slower over time as the data that the Magento site grows. While the observer may run well at first, over time as the data grows, some random symptoms may show up, including database deadlocks and even some missing sales orders.

Magento Version 2, is it just Microsoft Windows Longhorn AKA Vista?

Magento version 2 was first introduced in 2010. It is now almost halfway through 2014, and the public has not seen any alpha or beta release of Magento version 2 as of yet. The new version of Magento promised to replace PrototypeJS and Scriptaculus with jQuery as well as reorganize the database schema to remove the slow EAV tables and migrate to a bit of a flatter table structure. However, it seems that the latest updates on the direction for Magento 2 show that the database schema will not be changed much after all.

Magento appending __SID to URLs

When trying to fully optimize a Magento website to run as fast as possible, I tend to opt for turning on all of the caching options in Magento, and then put the Varnish caching server in front of the web server with the Turpentine plugin. However, when you do this with some configurations, you start seeing the __SID query string parameter added to the end of the site’s url. Unfortunately, when the Turpentine plugin sees the __SID query string in the URL, it means that this page request will bypass the cache and load it directly from the server, slowing things down.

Magento Adminhtml and Relative Links to Static Resources

Relative links in URLs allow you to only specify the path to an resource that is in the same or subfolder of the current folder. Lets say the current page you are on is http://example.com/test/ and you want to reference an image at http://example.com/test/image.jpg. You could put the full http://example.com/test/image.jpg in the src attribute of the img tag, or you could use just image.jpg instead. This works well when you are not sure what the directory path is the parent directory of your code. However, it can cause some issues when your code is moved to another location, but some resources are not moved, such as image.jpg.

Saving Products in Magento Deletes Tier Pricing

Magento’s framework makes many things simple to accomplish when working with the products and categories of your eCommerce website. However, I have found one scenario that doesn’t exactly work as expected.

Tier Pricing in Magento

Magento allows you to setup custom pricing levels based upon the quantity purchased. You set the minimum quantity purchased to enable the lower price when the part is added to the customer’s cart. You could see where losing the tiered pricing for an entire catalog of products would be a big deal for a site.

Creating a Best-Sellers Category with Magento

Magento allows you to organize products in categories, and a single product can be a member of quite a few separate categories. As a result, you can create a category that is specifically for your top selling products. You could manually keep track of which products sell the best, either by number of sales completed, or by the actual quantity of each product that were sold. If you want to spend all your time managing this category, then this is the way to go. However, there is a much easier way to manage the products in the category.

Login Problems with Magento and Varnish

When you have a Magento website configured to use Varnish as a caching frontend, there are certain scenarios where you may have some problems logging-in to the frontend of the website. It poses some unique problems that are not frequently seen on a typical website. This issue typically manifests itself to the end user by visiting the login page, entering the correct credential, submitting the form, and then the page reloads the login page again instead of redirecting to the My Account page or whatever page is specified in the configuration.

Magento FrontName Naming and SSL/HTTPS

One of the things that has always been an issue for sites that are based on Magento is that they are slow. Well, to be fair, sites using Magento Enterprise Edition that take advantage of the built-in full-page caching functionality seem to have decent page load times. One way to take care of this slow load time issue is to utilize a third-party full-page caching solution such as what Varnish provides.