DEV Community

Cover image for Passkeys, Coding Agents, Drupal AI Ops, and Infra Reality Checks — February 2026
victorstackAI
victorstackAI

Posted on • Originally published at victorstack-ai.github.io

Passkeys, Coding Agents, Drupal AI Ops, and Infra Reality Checks — February 2026

#devlog #learning #ai #drupal

import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import TOCInline from '@theme/TOCInline';

Nothing screams "move fast and break users" quite like encrypting someone's data with a key they can never recover. February delivered that gem alongside agent tooling that finally works, Drupal plumbing nobody will celebrate, and platform defaults that only protect you if you bother wiring them up.

Passkeys for encryption remain a data-loss trap

The sharpest warning this month came from Tim Cappalli: teams are binding encryption keys to passkeys, then losing users' data when those passkeys inevitably get lost or replaced. Passkey loss is a normal lifecycle event. Permanent data destruction is a design defect you chose to ship.

"please stop promoting and using passkeys to encrypt user data. I'm begging you."

— Tim Cappalli, Please, please, please stop using passkeys for encrypting user data

⚠️ Warning: Do not bind irreversible encryption keys to passkeys

Use passkeys for authentication, not as the only root for decrypting user content. If recovery is impossible after device loss, ship server-side wrapped keys with explicit recovery controls, auditing, and revocation.

Coding agents now finish real tasks — review burden grows with them

Max Woolf's write-up and Karpathy's December inflection quote match what most practitioners saw: agents can complete meaningful work end-to-end now. The part nobody wants to talk about is that every productivity gain adds review surface, and most teams haven't adjusted their review process to match.

"coding agents basically didn't work before December and basically work since"

— Andrej Karpathy, X post

Copilot CLI + coding agent updates (model picker, self-review, security scanning, custom agents, CLI handoff) make it easier to go from intent to PR with fewer context switches.

Claude Max for OSS (with strict project thresholds) is high-value for maintainers who already run disciplined review and secrets controls.

Agent speed gains collapse if you skip guardrails: secret scanning, scoped credentials, and mandatory human review on infra/auth changes.

Drupal's AI ecosystem grows through maintenance discipline

The Drupal-related items this month were about plumbing, not spectacle: SearXNG privacy-first search integration, GraphQL beta fixes, code search for Drupal 10+, structured Views extraction, AI digests for project tracking, and genuine performance diagnosis down to missing cache tags causing multi-second loads. This is what production-grade AI readiness looks like — unglamorous and specific.

Area What shipped Why it matters
Search + AI SearXNG module for Drupal assistants Current web retrieval without default tracking
API stability GraphQL 5.0.0-beta2 cacheability + preview support Fewer broken preview/cache edge cases
Code intelligence Drupal contrib code search (10+ compatible) Faster upgrade triage and deprecation hunting
Runtime perf Automated detection of missing cache tag causing 4.2s loads Observability tied directly to fixable code defects
Programmatic data Views Code Data module outputs structured formats Reuse Views logic in non-render pipelines

```php title="modules/custom/product_block/src/Plugin/Block/ProductBlock.php"
// highlight-next-line
$build['#cache']['tags'] = Cache::mergeTags($build['#cache']['tags'] ?? [], ['node:' . $product_id]);




## Infra and platform updates are converging on safer defaults
Vercel Queues public beta, Telegram adapter support in Chat SDK, Cloudflare's PQ/ASPA/Radar transparency, and Turnstile redesign at huge scale all share a direction: reliability and security features moving into defaults. The catch is that defaults still require wiring — misconfigured queues and unmonitored PQ adoption don't protect anyone.

## Smaller but useful engineering reads
Unicode binary search over HTTP range requests is a good reminder that protocol mechanics still unlock creative tooling. The "better Streams API" and "allocating on the stack" discussions belong in the same bucket: runtime mechanics that change performance and ergonomics when you apply them to the right problem, even if they'll never trend on social media.

Understanding system boundaries — caching metadata, stream semantics, key lifecycle, queue idempotency, routing trust — still compounds better than chasing whatever framework launched this week. The tools keep changing; the failure modes don't.

<details>
<summary>Full changelog snapshot from this learning batch</summary>

- Passkeys misuse warning (Tim Cappalli)
- Max Woolf deep agent-coding field report
- DrupalCon Gala announcement
- Claude Max for OSS maintainers
- Unicode Explorer using HTTP range requests
- GitHub Copilot CLI practical guide
- Drupal SearXNG module
- Dan Frost on controlled AI and AI-mode SEO (The Drop Times)
- Vercel community scaling with agents
- Vercel Queues public beta
- Chat SDK Telegram adapter
- Drupal contrib code search tool
- GraphQL for Drupal 5.0.0-beta2
- Views Code Data module
- LocalGov Drupal demo theme refresh
- Drupal Digests launch
- Cache-tag performance case study
- Claude Code security commentary
- Toxic combinations security model
- Better JS streams API proposal
- Cloudflare Turnstile/challenge redesign
- Cloudflare Radar transparency updates (PQ, KT, ASPA)
- ASPA routing security explainer
- Stack allocation changes
- Copilot coding agent updates
- Simon Willison's "hoard what you know how to do"
- Karpathy's December agent capability inflection quote

</details>

## Why this matters for Drupal and WordPress

Drupal teams adopting AI-assisted search modules (like SearXNG) and GraphQL-based decoupled architectures need the same guardrails covered here: passkey-safe authentication design, cache-tag correctness, and agent-generated code review gates. WordPress sites integrating AI plugins or exposing REST/GraphQL APIs face identical risks around secret sprawl and unreviewed agent output. Both CMS ecosystems benefit from treating coding-agent output as untrusted draft code that must pass the same CI and security checks as human-written contributions.

## What this month reinforces
Better tools amplify whatever process you already have. If your review and controls are solid, agents make you faster. If they're weak, agents help you ship broken things at higher volume. Invest in the gates before you invest in the throughput.

> **💡 Tip: Single action to take this week**
>
> Add a release gate that blocks PRs touching `auth`, `secrets`, or `infra` unless security scan passes and a human reviewer signs off. This catches the highest-cost failures while keeping agent throughput high.


***
*Looking for an Architect who doesn't just write code, but builds the AI systems that multiply your team's output? View my enterprise CMS case studies at [victorjimenezdev.github.io](https://victorjimenezdev.github.io) or connect with me on LinkedIn.*


---
*Looking for an Architect who doesn't just write code, but builds the AI systems that multiply your team's output? View my enterprise CMS case studies at [victorjimenezdev.github.io](https://victorjimenezdev.github.io) or connect with me on LinkedIn.*

*Originally published at [VictorStack AI — Drupal & WordPress Reference](https://victorstack-ai.github.io/agent-blog/2026-02-28-passkeys-agents-drupal-ai-and-infra-reality-checks/)*
Enter fullscreen mode Exit fullscreen mode

Top comments (0)