<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Gnani Rahul</title>
    <description>The latest articles on DEV Community by Gnani Rahul (@gnanirn).</description>
    <link>https://dev.to/gnanirn</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png</url>
      <title>DEV Community: Gnani Rahul</title>
      <link>https://dev.to/gnanirn</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/gnanirn"/>
    <language>en</language>
    <item>
      <title>[Boost]</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Thu, 11 Jun 2026 18:43:36 +0000</pubDate>
      <link>https://dev.to/gnanirn/-4enf</link>
      <guid>https://dev.to/gnanirn/-4enf</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i" class="crayons-story__hidden-navigation-link"&gt;Untrusted Code Execution: Why a Skill Allowlist Is the Floor&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;

          &lt;a href="/gnanirn" class="crayons-avatar  crayons-avatar--l  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" alt="gnanirn profile" class="crayons-avatar__image" width="96" height="96"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/gnanirn" class="crayons-story__secondary fw-medium m:hidden"&gt;
              Gnani Rahul
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                Gnani Rahul
                &lt;a href="/++"&gt;&lt;img alt="Subscriber" class="subscription-icon" src="https://assets.dev.to/assets/subscription-icon-805dfa7ac7dd660f07ed8d654877270825b07a92a03841aa99a1093bd00431b2.png" width="166" height="102"&gt;&lt;/a&gt;
              
              &lt;div id="story-author-preview-content-3868993" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/gnanirn" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" class="crayons-avatar__image" alt="" width="96" height="96"&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;Gnani Rahul&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

          &lt;/div&gt;
          &lt;a href="https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Jun 10&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i" id="article-link-3868993"&gt;
          Untrusted Code Execution: Why a Skill Allowlist Is the Floor
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/ai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;ai&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/security"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;security&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/opensource"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;opensource&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/supplychain"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;supplychain&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              

              &lt;span class="hidden s:inline"&gt;Add&amp;nbsp;Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            5 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
    </item>
    <item>
      <title>Untrusted Code Execution: Why a Skill Allowlist Is the Floor</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Wed, 10 Jun 2026 23:06:25 +0000</pubDate>
      <link>https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i</link>
      <guid>https://dev.to/gnanirn/untrusted-code-execution-why-a-skill-allowlist-is-the-floor-3c3i</guid>
      <description>&lt;p&gt;In early 2026, attackers uploaded over 1,100 malicious skills to ClawHub — the community skill registry for OpenClaw. Many of the skills masqueraded as trading bots, productivity utilities, or coding helpers. Several climbed into the top-downloaded list. One attacker, working under the handle &lt;code&gt;hightower6eu&lt;/code&gt;, uploaded dozens of nearly identical malicious skills in a single campaign. The Hacker News write-up named it &lt;strong&gt;ClawHavoc&lt;/strong&gt;. IBM cited it as the textbook case for the first of their six agent risks: &lt;strong&gt;untrusted code execution&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The interesting question isn't "how did this happen." It's "what would have to be true about a personal AI agent's architecture for ClawHavoc to be impossible — not improbable, but actually mechanically impossible?" That's where allowlists stop being enough.&lt;/p&gt;

&lt;h2&gt;
  
  
  The receipts
&lt;/h2&gt;

&lt;p&gt;OpenClaw's skill model is in the ballpark of every modern agent skill model — a manifest (&lt;code&gt;SOUL.md&lt;/code&gt; in OpenClaw's case, &lt;code&gt;SKILL.md&lt;/code&gt; in most others), some code or instruction body, and a marketplace to install from. The agent loads the skill, the skill becomes part of the agent's available capabilities, and the agent's prompts can now call into it. That's the design.&lt;/p&gt;

&lt;p&gt;The economics of that design are heavily in the attacker's favor. A skill takes minutes to publish. A malicious skill that does its job — install an info-stealer, exfiltrate &lt;code&gt;~/.ssh&lt;/code&gt;, drop a persistent agent on the host — does it on first run. By the time anyone reports it, it's been on hundreds of developer machines for hours.&lt;/p&gt;

&lt;p&gt;The defenses you typically reach for here are signing (publisher keys) and allowlists (only install from a curated set). Both help. Neither is sufficient on its own. Publisher keys can be stolen, especially for community skills with low publication barriers. Allowlists narrow the surface but don't change what an allowed skill is permitted to do once loaded. If your model is "trusted skills get full agent capabilities," then the day a trusted skill is compromised is the day the agent is compromised.&lt;/p&gt;

&lt;p&gt;This is the gap IBM names. From the X-Force write-up: &lt;em&gt;"Many of the issues are tied to command execution, leaked plaintext API keys and credentials, which can be stolen by threat actors via indirect prompt injection, malicious skills, or unsecured endpoints."&lt;/em&gt; The malicious-skills vector and the credential-leakage vector are the same problem in two costumes — both are "code I shouldn't trust got to do things only trusted code should do."&lt;/p&gt;

&lt;h2&gt;
  
  
  The architecture lesson
&lt;/h2&gt;

&lt;p&gt;The instinct, when this kind of incident lands, is to lock down the marketplace. Vet uploads harder. Review the top-downloaded skills. Take down bad actors faster. All of that is right, and OpenClaw has done a lot of it.&lt;/p&gt;

&lt;p&gt;What it doesn't fix is the architectural shape: a skill, once installed, inherits the agent's authority. The agent has filesystem access? The skill has filesystem access. The agent has the Anthropic API key in its environment? The skill has the Anthropic API key. The agent can call &lt;code&gt;shell.run&lt;/code&gt;? The skill can call &lt;code&gt;shell.run&lt;/code&gt; with any arguments it likes.&lt;/p&gt;

&lt;p&gt;That shape is built into most agent stacks. You install a skill, and what you've actually done is granted that skill the union of every capability the agent already holds. The implicit trust boundary is "did this come from an allowlisted source," and once that check passes, no further gate runs. You don't get to express, "this skill should be able to do X but not Y" without changing the runtime.&lt;/p&gt;

&lt;p&gt;The deeper question is whether the agent should be enforcing capability at the &lt;strong&gt;skill-call boundary&lt;/strong&gt;, not at the &lt;strong&gt;install boundary&lt;/strong&gt;. The install boundary checks where the code came from. The call boundary checks whether &lt;em&gt;this specific call&lt;/em&gt; is one the user authorized this skill to make. The first is supply-chain hygiene. The second is least-privilege.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Ardur handles it
&lt;/h2&gt;

&lt;p&gt;In Ardur, a skill never inherits agent authority. Every tool call the skill makes — read a file, hit an HTTP endpoint, run a shell command, call a model — has to ride a &lt;strong&gt;cap-token&lt;/strong&gt; that the runtime checks before the call executes. The cap-token is Biscuit-formatted, Ed25519-signed, scoped to a specific verb on a specific resource, and attenuable so the skill can only narrow it, never widen it.&lt;/p&gt;

&lt;p&gt;Concretely: a skill that says it summarizes papers in &lt;code&gt;~/reading&lt;/code&gt; gets minted a cap-token at install time that reads, in effect, &lt;code&gt;file.read&lt;/code&gt; on &lt;code&gt;~/reading/**&lt;/code&gt; only. If that skill turns malicious and tries to read &lt;code&gt;~/.ssh/id_rsa&lt;/code&gt;, the cap-token check fails at the runtime boundary. The tool call returns Denied. The agent didn't have to be smart enough to refuse — the wire format refused.&lt;/p&gt;

&lt;p&gt;This sits inside the &lt;code&gt;FusedRuntime&lt;/code&gt; pipeline as the first stage of every turn. Cap-token check is stage one. Cedar policy (Allow / Deny / Indeterminate over a richer policy language) is stage two. Cost gate is stage three. If any of those fail, the turn short-circuits before the model is even called. No skill can sneak a tool call past those stages, because the stages run on every tool call, not on the skill at install time.&lt;/p&gt;

&lt;p&gt;The model identity matters here too. Cap-tokens derive their principal from the verified token, not from the caller's assertion. A malicious skill can claim to be a different skill, can claim to be the user, can claim to be the system. The runtime doesn't care — the principal is whichever signed party actually holds the unattenuated parent token, and that party is the one who installed the skill in the first place.&lt;/p&gt;

&lt;p&gt;The Cedar policy layer is what lets you express the rules that depend on context the cap-token alone can't carry. "This skill can make &lt;code&gt;http.fetch&lt;/code&gt; calls, but only between 9am and 5pm." "This skill can call the model, but only with &lt;code&gt;claude-haiku&lt;/code&gt;, not &lt;code&gt;claude-opus&lt;/code&gt;." Those policies are deny-by-default; an Indeterminate result is a Deny, which is the only safe interpretation when policy is uncertain.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivb5nyk8omszlvyt6bsq.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fivb5nyk8omszlvyt6bsq.jpeg" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;AI skill is code you didn't write running with permissions you wouldn't grant&lt;/p&gt;

&lt;h2&gt;
  
  
  Where we're honest
&lt;/h2&gt;

&lt;p&gt;I'd be misleading if I claimed Ardur's skill model is bulletproof. It isn't, in two specific places.&lt;/p&gt;

&lt;p&gt;First, the cap-token model only protects against a malicious skill &lt;em&gt;executing&lt;/em&gt; the wrong tool call. It does not protect against a malicious skill &lt;em&gt;contributing prompt content&lt;/em&gt; that hijacks the agent's reasoning. That's the indirect prompt injection class, which is the next piece in this series and lives in the &lt;code&gt;injection-defense&lt;/code&gt; crate, not the cap-token crate.&lt;/p&gt;

&lt;p&gt;Second, Ardur's two open durability tickets — &lt;strong&gt;ARD-17&lt;/strong&gt; (single-phase journal commit) and &lt;strong&gt;ARD-19&lt;/strong&gt; (recall not yet wired to hybrid memory) — mean a poisoned skill that takes a single bad action right before a crash could orphan its receipt. We track both in &lt;code&gt;RUN.md&lt;/code&gt;. They're the reason we still call Ardur dev fidelity.&lt;/p&gt;

&lt;p&gt;The class of problem ClawHavoc is — "an allowlisted skill gets to do anything the agent could do" — isn't a class Ardur is vulnerable to, because the agent itself doesn't have that authority lying around to inherit. The agent has cap-tokens. The skill has narrower cap-tokens. Nothing has "all the things."&lt;/p&gt;

&lt;h2&gt;
  
  
  The takeaway
&lt;/h2&gt;

&lt;p&gt;If you're running a personal AI agent and your model of skill security is "install from the official registry," you're depending on the registry's vetting pipeline being faster than attacker iteration. ClawHavoc says the attacker iteration is the part that's hard to slow down.&lt;/p&gt;

&lt;p&gt;The shift worth making is from supply-chain hygiene (which you should still do) to least-privilege at the call boundary (which you also have to do). The first asks where the code came from. The second asks what the code is allowed to do once it's running. The second is the floor. The first is what you do on top of the floor.&lt;/p&gt;

&lt;p&gt;If your stack can't answer "what cap-token did this tool call ride on?" — that's the gap.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>opensource</category>
      <category>supplychain</category>
    </item>
    <item>
      <title>I started working on Ardur-Agent(https://github.com/ArdurAI/ardur-agent) and Ardur (https://github.com/ArdurAI/ardur) as side projects, just make my d life easier, for my work, my research and upskilling. Sharing some insights from them.</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Tue, 09 Jun 2026 23:37:13 +0000</pubDate>
      <link>https://dev.to/gnanirn/i-started-working-on-ardur-agenthttpsgithubcomarduraiardur-agent-and-ardur-1a9f</link>
      <guid>https://dev.to/gnanirn/i-started-working-on-ardur-agenthttpsgithubcomarduraiardur-agent-and-ardur-1a9f</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c" class="crayons-story__hidden-navigation-link"&gt;The 6 Risks IBM Named About OpenClaw&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;

          &lt;a href="/gnanirn" class="crayons-avatar  crayons-avatar--l  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" alt="gnanirn profile" class="crayons-avatar__image" width="96" height="96"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/gnanirn" class="crayons-story__secondary fw-medium m:hidden"&gt;
              Gnani Rahul
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                Gnani Rahul
                &lt;a href="/++"&gt;&lt;img alt="Subscriber" class="subscription-icon" src="https://assets.dev.to/assets/subscription-icon-805dfa7ac7dd660f07ed8d654877270825b07a92a03841aa99a1093bd00431b2.png" width="166" height="102"&gt;&lt;/a&gt;
              
              &lt;div id="story-author-preview-content-3859737" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/gnanirn" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" class="crayons-avatar__image" alt="" width="96" height="96"&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;Gnani Rahul&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

          &lt;/div&gt;
          &lt;a href="https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;Jun 9&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c" id="article-link-3859737"&gt;
          The 6 Risks IBM Named About OpenClaw
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              

              &lt;span class="hidden s:inline"&gt;Add&amp;nbsp;Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            4 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success crayons-icon c-btn__icon"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;



&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://github.com/ArdurAI/ardur-agent" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fopengraph.githubassets.com%2Fe4c419a411899d9b4c72b160b63417eed9909f65ad644e1f1f08cc5139ba420d%2FArdurAI%2Fardur-agent" height="600" class="m-0" width="1200"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://github.com/ArdurAI/ardur-agent" rel="noopener noreferrer" class="c-link"&gt;
            GitHub - ArdurAI/ardur-agent: Ardur — open-source personal AI agent. Lives in your terminal and across your messaging channels. Multi-provider LLM access, tool use, memory, plugins, with cap-token security, receipt-chain transparency, and cost-tuple awareness built in. · GitHub
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Ardur — open-source personal AI agent. Lives in your terminal and across your messaging channels. Multi-provider LLM access, tool use, memory, plugins, with cap-token security, receipt-chain transp...
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.githubassets.com%2Ffavicons%2Ffavicon.svg" width="32" height="32"&gt;
          github.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;
&lt;br&gt;
&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://github.com/ArdurAI/ardur" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fopengraph.githubassets.com%2Fd0bb0a7d6b1b1e5bbaa103964eb0c928925c3b0eb75999a75b5fafc8c3d9b040%2FArdurAI%2Fardur" height="600" class="m-0" width="1200"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://github.com/ArdurAI/ardur" rel="noopener noreferrer" class="c-link"&gt;
            GitHub - ArdurAI/ardur: Open-source runtime governance for AI agents — prove what your agents do, not just what they say. · GitHub
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            Open-source runtime governance for AI agents — prove what your agents do, not just what they say. - ArdurAI/ardur
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.githubassets.com%2Ffavicons%2Ffavicon.svg" width="32" height="32"&gt;
          github.com
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


</description>
      <category>agents</category>
      <category>ai</category>
      <category>showdev</category>
      <category>sideprojects</category>
    </item>
    <item>
      <title>The 6 Risks IBM Named About OpenClaw</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Tue, 09 Jun 2026 19:08:24 +0000</pubDate>
      <link>https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c</link>
      <guid>https://dev.to/gnanirn/the-6-risks-ibm-named-about-openclaw-195c</guid>
      <description>&lt;p&gt;In April 2026, IBM's X-Force team published &lt;em&gt;What OpenClaw reveals about agentic AI security risks&lt;/em&gt; — a write-up enumerating the security failures of the fastest-growing open-source AI agent in history. By mid-year, IBM Distinguished Engineer Jeff Crume had extended that into a six-part breakdown on IBM Technology's YouTube channel and a parallel mapping to the OWASP Top 10 for Agentic Applications 2026.&lt;/p&gt;

&lt;p&gt;The list is not theoretical. Each of the six risks IBM named is anchored to documented incidents — CVE chains, real malware campaigns, real exploit videos. If you're running OpenClaw, Hermes Agent, or any personal AI agent that sits on your laptop with credentials and tool access, you've probably read at least one of those advisories with that mild sinking feeling.&lt;/p&gt;

&lt;p&gt;This piece is the index post for a six-article series — one per risk — that walks through what each risk actually means in code, where the documented failures landed, and how Ardur's substrate handles the same class of failure. The TL;DR: every one of these is a property of the protocol, not a feature you turn on.&lt;/p&gt;

&lt;h2&gt;
  
  
  The six risks, in IBM's language
&lt;/h2&gt;

&lt;p&gt;IBM's enumeration, paraphrased from the X-Force write-up and Crume's video:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Untrusted code execution&lt;/strong&gt; — third-party skills run on your machine; a poisoned skill executes whatever it wants.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Indirect prompt injection&lt;/strong&gt; — the agent reads attacker-controlled text from an email, a web page, an MCP response. The text contains instructions. The agent follows them.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Persistent memory poisoning&lt;/strong&gt; — the attacker alters the files the agent re-reads on every boot. Behavior drifts. The drift looks like the agent.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credential exposure and reuse&lt;/strong&gt; — API keys, OAuth tokens, and bot secrets end up inlined in prompts or leaked through tool output.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Autonomous action risk&lt;/strong&gt; — runaway loops, accidental data exfiltration, unbounded model spend.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Host and workspace compromise&lt;/strong&gt; — the agent process gets RCE, and the agent's identity becomes the attacker's identity on your machine.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;IBM's parallel framing — the &lt;strong&gt;"lethal trifecta"&lt;/strong&gt; — is worth keeping in mind throughout the series: a single agent that has &lt;em&gt;deep access to private local data&lt;/em&gt;, &lt;em&gt;interacts with untrusted external content&lt;/em&gt;, and &lt;em&gt;can communicate outward&lt;/em&gt; is the most dangerous combination in the model.&lt;/p&gt;

&lt;p&gt;OpenClaw hits the trifecta. Hermes Agent hits the trifecta. Most production agents hit the trifecta. The question is what the substrate does about it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why a substrate
&lt;/h2&gt;

&lt;p&gt;The instinct, when a security incident lands, is to ship a patch. The OpenClaw team has shipped 535+ patches; their GitHub Security Advisories tab is the fastest-growing advisory feed of any agent project in 2026. None of those patches are wrong. The point of the substrate argument is that you don't get out of the lethal trifecta by patching faster — you get out by making each of the six risks expensive to express in the first place.&lt;/p&gt;

&lt;p&gt;Ardur's bet is that the six risks are properties of the wire format. If a cap-token has to ride every action, untrusted code execution can't take an action that wasn't pre-authorized. If a receipt chain links every action, persistent memory poisoning leaves visible drift. If a cost-tuple gates every model call, autonomous action risk is bounded by a dollar number that's checked on the way in, not after the bill arrives.&lt;/p&gt;

&lt;p&gt;The substrate isn't a security product. It's the protocol the agent talks before it talks to anything else.&lt;/p&gt;

&lt;h2&gt;
  
  
  The series
&lt;/h2&gt;

&lt;p&gt;Each article in the series is independent — read whichever maps to the risk you're worried about right now — but they build on each other:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Untrusted code execution: why a skill allowlist is the floor, not the ceiling&lt;/strong&gt; — what cap-tokens actually gate, and how Cedar policy enforces it&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Indirect prompt injection: when your agent reads an attacker's email&lt;/strong&gt; — the injection-defense crate, what it scans, what it can't catch&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Persistent memory poisoning: when your AI's notes become the attack surface&lt;/strong&gt; — bi-temporal memory and the receipt chain as a poisoning audit&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Credentials don't belong in prompts: scoped cap-tokens vs. raw API keys&lt;/strong&gt; — Biscuit, Ed25519, attenuation, revocation&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Autonomous action risk: putting a hard dollar ceiling on your agent&lt;/strong&gt; — cost-tuples, the four-stage gate, ceiling-check and refund&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Host &amp;amp; workspace compromise: why your AI shouldn't have root&lt;/strong&gt; — OS isolation, &lt;code&gt;shell.run&lt;/code&gt; allowlist, &lt;code&gt;http.fetch&lt;/code&gt; SSRF defense&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're already running an agent and don't want to read all six, the highest-yield piece is probably the persistent-memory one. It's the risk that quietly degrades over time without anyone noticing — the worst kind.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7k54b3cpgc6fxa2y3xap.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7k54b3cpgc6fxa2y3xap.png" alt=" " width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What this series isn't
&lt;/h2&gt;

&lt;p&gt;It's not a hit-piece on OpenClaw. Peter Steinberger and the OpenClaw team have shipped one of the most impactful open-source projects of the decade, the patch cadence is genuinely fast, and the velocity is what created the surface area for these advisories in the first place. Velocity is a virtue.&lt;/p&gt;

&lt;p&gt;It's also not a claim that Ardur is bulletproof. We have two open durability tickets — &lt;strong&gt;ARD-17&lt;/strong&gt; (the journal-append / receipt-sign commit is still single-phase, so a crash in the window can orphan a receipt) and &lt;strong&gt;ARD-19&lt;/strong&gt; (the runtime's recall side does not yet call the hybrid memory surface). Both are tracked in &lt;code&gt;RUN.md&lt;/code&gt;. Until they land, we describe Ardur as &lt;em&gt;dev fidelity, not turnkey production&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;What this series is: a walk through six real risks, six real incidents, and six pieces of the Ardur substrate that handle each class. Read whichever maps to what's on fire for you. If the substrate argument lands, the GitHub repo and the operator runbook are where the receipts actually live.&lt;/p&gt;

&lt;p&gt;The thing about a wire-format security model is that it's boring to ship and fast to verify. That's the move.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>If anyone has tried the new Claude Security feature(beta released yesterday/today), what are your thoughts?

#Anthropic #GlassWing #Claude #Opus4.7 #mythos</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Tue, 05 May 2026 01:54:19 +0000</pubDate>
      <link>https://dev.to/gnanirn/if-anyone-has-tried-the-new-claude-security-featurebeta-released-yesterdaytoday-what-are-your-1aj1</link>
      <guid>https://dev.to/gnanirn/if-anyone-has-tried-the-new-claude-security-featurebeta-released-yesterdaytoday-what-are-your-1aj1</guid>
      <description></description>
      <category>ai</category>
      <category>claude</category>
      <category>discuss</category>
      <category>security</category>
    </item>
    <item>
      <title>For my first post on DEV, I am creating this recurring series on "DevOps Is Not Ending." In short this is my story said with different characters and experiences of my team and my friends in the same space.
"Love Feedback"</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Tue, 05 May 2026 01:42:12 +0000</pubDate>
      <link>https://dev.to/gnanirn/for-my-first-post-on-dev-i-am-creating-this-recurring-series-on-devops-is-not-ending-in-short-hb5</link>
      <guid>https://dev.to/gnanirn/for-my-first-post-on-dev-i-am-creating-this-recurring-series-on-devops-is-not-ending-in-short-hb5</guid>
      <description>&lt;div class="ltag__link--embedded"&gt;
  &lt;div class="crayons-story "&gt;
  &lt;a href="https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f" class="crayons-story__hidden-navigation-link"&gt;"DevOps Is Not Ending. The Production Surface Changed."&lt;/a&gt;


  &lt;div class="crayons-story__body crayons-story__body-full_post"&gt;
    &lt;div class="crayons-story__top"&gt;
      &lt;div class="crayons-story__meta"&gt;
        &lt;div class="crayons-story__author-pic"&gt;

          &lt;a href="/gnanirn" class="crayons-avatar  crayons-avatar--l  "&gt;
            &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" alt="gnanirn profile" class="crayons-avatar__image" width="96" height="96"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;div&gt;
            &lt;a href="/gnanirn" class="crayons-story__secondary fw-medium m:hidden"&gt;
              Gnani Rahul
            &lt;/a&gt;
            &lt;div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"&gt;
              
                Gnani Rahul
                &lt;a href="/++"&gt;&lt;img alt="Subscriber" class="subscription-icon" src="https://assets.dev.to/assets/subscription-icon-805dfa7ac7dd660f07ed8d654877270825b07a92a03841aa99a1093bd00431b2.png" width="166" height="102"&gt;&lt;/a&gt;
              
              &lt;div id="story-author-preview-content-3605614" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"&gt;
                &lt;div class="gap-4 grid"&gt;
                  &lt;div class="-mt-4"&gt;
                    &lt;a href="/gnanirn" class="flex"&gt;
                      &lt;span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"&gt;
                        &lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3905448%2F9f1e5814-5873-48b5-9818-398122329fb5.png" class="crayons-avatar__image" alt="" width="96" height="96"&gt;
                      &lt;/span&gt;
                      &lt;span class="crayons-link crayons-subtitle-2 mt-5"&gt;Gnani Rahul&lt;/span&gt;
                    &lt;/a&gt;
                  &lt;/div&gt;
                  &lt;div class="print-hidden"&gt;
                    
                      Follow
                    
                  &lt;/div&gt;
                  &lt;div class="author-preview-metadata-container"&gt;&lt;/div&gt;
                &lt;/div&gt;
              &lt;/div&gt;
            &lt;/div&gt;

          &lt;/div&gt;
          &lt;a href="https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f" class="crayons-story__tertiary fs-xs"&gt;&lt;time&gt;May 4&lt;/time&gt;&lt;span class="time-ago-indicator-initial-placeholder"&gt;&lt;/span&gt;&lt;/a&gt;
        &lt;/div&gt;
      &lt;/div&gt;

    &lt;/div&gt;

    &lt;div class="crayons-story__indention"&gt;
      &lt;h2 class="crayons-story__title crayons-story__title-full_post"&gt;
        &lt;a href="https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f" id="article-link-3605614"&gt;
          "DevOps Is Not Ending. The Production Surface Changed."
        &lt;/a&gt;
      &lt;/h2&gt;
        &lt;div class="crayons-story__tags"&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/devops"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;devops&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/ai"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;ai&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/kubernetes"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;kubernetes&lt;/a&gt;
            &lt;a class="crayons-tag  crayons-tag--monochrome " href="/t/mlops"&gt;&lt;span class="crayons-tag__prefix"&gt;#&lt;/span&gt;mlops&lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="crayons-story__bottom"&gt;
        &lt;div class="crayons-story__details"&gt;
            &lt;a href="https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"&gt;
              

              &lt;span class="hidden s:inline"&gt;Add&amp;nbsp;Comment&lt;/span&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div class="crayons-story__save"&gt;
          &lt;small class="crayons-story__tertiary fs-xs mr-2"&gt;
            4 min read
          &lt;/small&gt;
            
              &lt;span class="bm-initial"&gt;
                

              &lt;/span&gt;
              &lt;span class="bm-success"&gt;
                

              &lt;/span&gt;
            
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;/div&gt;


</description>
      <category>career</category>
      <category>devops</category>
      <category>discuss</category>
    </item>
    <item>
      <title>"DevOps Is Not Ending. The Production Surface Changed."</title>
      <dc:creator>Gnani Rahul</dc:creator>
      <pubDate>Mon, 04 May 2026 15:00:00 +0000</pubDate>
      <link>https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f</link>
      <guid>https://dev.to/gnanirn/devops-is-not-ending-the-production-surface-changed-381f</guid>
      <description>&lt;h2&gt;
  
  
  "AI is not replacing DevOps. It is widening the production surface DevOps teams have to operate: models, prompts, evals, GPU capacity, tool permissions, and rollback paths."
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Ram&lt;/strong&gt; is new to DevOps, but not new to the tools changing it.&lt;/p&gt;

&lt;p&gt;He is comfortable with coding assistants, agent demos, GitHub workflows, cloud consoles, and AI-powered operations tools. If a model can explain a failed pipeline, generate Kubernetes YAML, or draft a Terraform module, Ram wants to try it.&lt;/p&gt;

&lt;p&gt;That curiosity is useful.&lt;/p&gt;

&lt;p&gt;It is also risky if nobody reviews it with production discipline.&lt;/p&gt;

&lt;p&gt;That is where Siya comes in.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Siya&lt;/strong&gt; has been through enough incidents to distrust clean demos. She likes useful automation, but she asks the questions that decide whether something survives production:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What changed?&lt;/li&gt;
&lt;li&gt;Who approved it?&lt;/li&gt;
&lt;li&gt;Can we roll it back?&lt;/li&gt;
&lt;li&gt;What is the blast radius?&lt;/li&gt;
&lt;li&gt;How much does it cost when traffic doubles?&lt;/li&gt;
&lt;li&gt;What happens when the tool is wrong?&lt;/li&gt;
&lt;li&gt;Ram’s question is: can AI make DevOps faster?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Siya’s question is: can we operate AI-assisted DevOps safely?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;That is the theme of this series.&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;DevOps is not ending. The production surface is changing.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcriwge15j9cg65fk3393.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcriwge15j9cg65fk3393.png" alt="CI/CD is not Enough" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  &lt;strong&gt;The part of DevOps that will shrink, Some DevOps work will absolutely get smaller.&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Copying YAML from one repo to another. Writing the first draft of a CI workflow. Explaining a common Kubernetes error. Summarizing logs. Turning a runbook into a checklist.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;AI is already useful for that work.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;If someone’s entire value is typing commands without understanding the system, that is a fragile place to be. Ram sees that. He is not trying to protect busywork.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;But that was never the best version of DevOps.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;*&lt;em&gt;The serious part of DevOps was always judgment under production constraints: *&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What changed?&lt;/li&gt;
&lt;li&gt;What is the blast radius?&lt;/li&gt;
&lt;li&gt;Can we roll back?&lt;/li&gt;
&lt;li&gt;Is this secure?&lt;/li&gt;
&lt;li&gt;Why did cost jump?&lt;/li&gt;
&lt;li&gt;What does the dashboard not show?&lt;/li&gt;
&lt;li&gt;Should this automation be allowed to act?&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;AI does not remove those questions. It adds more of them.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The production surface got bigger
&lt;/h2&gt;

&lt;p&gt;A normal service has failure modes we know how to name: latency, error rate, saturation, bad deploy, expired certificate, broken dependency, runaway logs, surprise cloud bill.&lt;/p&gt;

&lt;p&gt;An AI system can fail while looking healthy.&lt;/p&gt;

&lt;p&gt;The pod is running. The API returns 200. The GPU is busy. The dashboard is green.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The answer is still wrong.&lt;br&gt;
Or unsafe.&lt;br&gt;
Or too expensive.&lt;br&gt;
Or produced through a tool path nobody approved.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;em&gt;That is a DevOps-shaped problem. It touches release control, observability, security, identity, cost, rollback, and incident response.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The artifact is no longer just a container image. It might include:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;code&lt;/li&gt;
&lt;li&gt;model version&lt;/li&gt;
&lt;li&gt;prompt version&lt;/li&gt;
&lt;li&gt;retrieval index&lt;/li&gt;
&lt;li&gt;evaluation results&lt;/li&gt;
&lt;li&gt;tool permissions&lt;/li&gt;
&lt;li&gt;provider routing&lt;/li&gt;
&lt;li&gt;runtime configuration&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;If those pieces can change behavior, they belong in the operating model.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Kubernetes and GitOps still matter
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;CNCF’s 2025 survey says Kubernetes is already a major production foundation for AI workloads. That tracks with what platform teams are seeing: AI workloads still need scheduling, isolation, rollout control, policy, networking, observability, and cost boundaries.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;The details are changing.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Dynamic Resource Allocation&lt;/em&gt; matters because accelerators are not normal CPU requests.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Kueue&lt;/em&gt; matters because AI and batch workloads need fair queueing.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;AI Gateway&lt;/em&gt; work matters because inference traffic is not ordinary web traffic.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;KServe&lt;/em&gt; and &lt;em&gt;llm-d&lt;/em&gt; matter because model serving is becoming a distributed systems problem.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;GitOps&lt;/em&gt; also becomes more important, not less.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;For AI systems, desired state has to include more than YAML. It has to answer:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;which model moved?&lt;/li&gt;
&lt;li&gt;which prompt changed?&lt;/li&gt;
&lt;li&gt;which evaluation passed?&lt;/li&gt;
&lt;li&gt;which tool permissions changed?&lt;/li&gt;
&lt;li&gt;which rollback path exists?&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Siya’s point to Ram was not “stop experimenting.”&lt;br&gt;
It was: turn the experiment into an operating model.&lt;br&gt;
That is the calmer path.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What I would try first
&lt;/h2&gt;

&lt;p&gt;I would start with read-only DevOps assistance:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;summarize a failed CI job&lt;/li&gt;
&lt;li&gt;explain Kubernetes events&lt;/li&gt;
&lt;li&gt;draft a runbook from existing alerts&lt;/li&gt;
&lt;li&gt;review a Helm chart for obvious mistakes&lt;/li&gt;
&lt;li&gt;compare a Terraform plan against a policy checklist&lt;/li&gt;
&lt;li&gt;build an incident timeline from logs and commits&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Then I would learn the production concepts that are becoming unavoidable:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Kubernetes scheduling and GPU capacity&lt;/li&gt;
&lt;li&gt;GitOps with Argo CD or Flux&lt;/li&gt;
&lt;li&gt;Helm packaging and rollback&lt;/li&gt;
&lt;li&gt;MLOps basics: model registry, evaluation, inference&lt;/li&gt;
&lt;li&gt;AI observability: traces, tokens, tool calls, cost, quality&lt;/li&gt;
&lt;li&gt;agent security: identity, permissions, audit trails&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;I would not begin by giving an agent production write access.&lt;/em&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Read-only first. Sandbox writes second. Production writes only with narrow permissions, approval, receipts, and rollback.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Ops note: if your current platform cannot explain a normal deploy, it will not explain an AI deploy.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The career signal
&lt;/h2&gt;

&lt;p&gt;This series will talk about careers, but it is not only career advice.&lt;/p&gt;

&lt;p&gt;The larger story is how DevOps itself is changing.&lt;/p&gt;

&lt;p&gt;DevOps absorbed cloud. It absorbed containers. It absorbed Kubernetes. It absorbed infrastructure as code, GitOps, DevSecOps, platform engineering, observability, and FinOps.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Now it is absorbing AI.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ram’s instinct is right:&lt;/strong&gt; DevOps teams should test these tools early.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Siya’s answer is the one I trust:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Someone still has to make these systems deployable, observable, secure, reversible, and affordable.&lt;/p&gt;

&lt;p&gt;That work is not disappearing.&lt;/p&gt;

&lt;p&gt;It is getting harder.&lt;/p&gt;

&lt;p&gt;And if DevOps has always been about making change safer, then AI is not the end of DevOps.&lt;/p&gt;

&lt;p&gt;It is the next test.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>ai</category>
      <category>kubernetes</category>
      <category>mlops</category>
    </item>
  </channel>
</rss>
