Hanso Heartbeat Hanso Heartbeat
Cloudflare cut 1,100 jobs and called it "AI-first." Anthropic, xAI and SpaceX ended up in the same compute sentence. The EU pushed the hard part of the AI Act to 2027 and 2028. OpenAI's o1 beat triage doctors in a Harvard study. Chrome quietly shipped a 4 GB model to desktops.

Issue 19

8 May 2026

Hi there,

Browsers got fatter and org charts got thinner. Chrome quietly shipped a 4 GB model to desktops. Cloudflare cut 1,100 jobs and called it an "agentic AI era." More things keep getting pushed onto people before anyone decides they want them.

The non-AI stories were often the better ones this week.

Industry

1. Cloudflare cuts 20% of staff in an AI-first reorganisation

Cloudflare told employees it’s letting more than 1,100 people go. The framing: a move to an "agentic AI era." Internal AI use is up 600% in three months, employees running thousands of agent sessions a day. Q1 revenue: $639.8M, up 34% YoY. "AI-first" is now a reason for layoffs, not just a slogan.

How lightning works

Quanta's piece on lightning is the good kind of popular science. A question that felt settled until the instruments got better. The current picture: electric fields, runaway electrons, X-rays, gamma rays, antimatter flashes, hints of cosmic rays. Still no tidy "this is the moment lightning begins."

Lightning over ESO Headquarters

ESO / P. Horálek

Better sensors didn't shrink the mystery. They gave it a particle-physics subplot.

2. Anthropic, xAI and SpaceX end up in the same compute sentence

Anthropic announced a compute partnership with xAI on Colossus 1, picking up capacity to lift Claude limits for paying customers. Anthropic, xAI, SpaceX and Elon Musk in one procurement sentence – while Musk is still suing Sam Altman. Simon Willison’s notes on the deal flag the environmental footprint of the site.

3. The EU moves the hard part of the AI Act to 2027 and 2028

The European Parliament described the new provisional deal as simplification. The substance is a delay: 2 December 2027 for stand-alone high-risk systems, 2 August 2028 for high-risk systems embedded in products.

Marcus is already getting questions from German clients who treated 2026 as the binding date. Whether the act survives is one question. How much of its leverage survives the "simplification" is a different one.

Artificial Intelligence

4. AI slop is still a community problem, not just a content problem

Robin Moffatt’s piece on AI slop is one of the clearer accounts of what large-scale low-quality AI output does to a forum. The answers aren’t only wrong – they look polished enough to occupy the surface where the good answers used to live. That burns out the humans who did the slow work. Stack Overflow data underneath gives it a hard edge.

5. AI makes workplace theatre easier to perform

Appearing Productive in the Workplace describes the non-demo failure mode: work that looks like analysis, certainty, or coordination while skipping the understanding underneath. Not one lazy person with a chatbot. A workplace where fluent surface area is cheap, visible motion gets rewarded, and the person doing the slow work cleans up both.

The communist Apple II

Alexander Feldman's Friday archaeology note starts with Bulgarian Apple II clones and ends up at ISCAS benchmark circuits, missing context, and the academic problem of testing tools against artefacts whose original purpose has half-evaporated.

Pravetz 8 monitor and computer

DemieK07

The good kind of computer history. Not nostalgia, provenance. The machine, the benchmark, the lab, the political economy, the file format – all of it matters once "just run the test suite" turns into "what was this even meant to prove?"

6. OpenAI’s o1 does surprisingly well in a Harvard triage study

The Guardian covered a Harvard trial in which OpenAI’s o1 correctly diagnosed 67% of ER patients from triage notes, versus 50–55% by attending triage doctors. The setup matters more than the number: doctors were under real triage constraints, o1 was untimed and given clean notes. Useful as a second pair of eyes. Not the doctor-replacement story the headline reaches for.

7. Anthropic tries to make Claude’s internal states readable

Anthropic’s natural language autoencoders paper is the kind of interpretability work that rewards reading rather than skimming. They translate internal model activations into human-readable text, then feed those descriptions back into the model. Not a finished product. If we’re going to live with these systems, knowing what state they’re in matters more than the marketing around the output.

Infrastructure

8. DENIC’s DNSSEC outage took part of .de offline

DENIC had a DNSSEC validation incident on 4 May that broke resolution for a portion of .de domains on strict validators. Cloudflare, Google and Quad9 users saw resolution failures rather than NXDOMAIN – correct behaviour, deeply annoying failure mode. A key-rollover problem, per the registry’s note. A handful of our smaller German clients had calls about it the same morning.

Microsoft

9. VS Code tried to add Copilot to commit history by default

Microsoft merged PR #310226, enabling a default that added a Co-Authored-By: Copilot trailer to commits made through VS Code’s source-control panel – including commits where Copilot wasn’t used. The backlash was immediate. The rollback came quickly. A tool reaching for authorship metadata is not a neutral default.

10. Microsoft 365 Copilot gets real-time MCP connectors

Microsoft made federated Copilot connectors generally available. Copilot can now pull live data from external systems through MCP instead of only searching pre-indexed tenant content. First wave: Canva, HubSpot, Intercom, Linear, LSEG, Moody’s, Notion and others.

That moves the governance problem closer to the centre. Copilot becomes the interface through which people touch the SaaS estate – exactly the conversation Lars has been having with two Hanso clients before their Copilot rollout.

11. Copilot Cowork keeps turning into an agent platform

Microsoft’s latest Copilot Cowork update adds plugins, mobile access for eligible Frontier users, and Agent 365 integration for observability, security and governance. Read past the word "agent" and what’s there is connectors, packaged skills, read/write surfaces, mobile hand-off, and a control plane for security teams.

Development

12. Mozilla used Claude Mythos Preview to harden Firefox

Mozilla’s behind-the-scenes write-up on hardening Firefox with Claude Mythos Preview is better than the usual vendor-AI success story. The model was scoped to specific code regions, fed crash dumps and fuzzing output, and used as a triage layer – not as the fix itself. Humans wrote and reviewed the patches. That’s the bar for this kind of work.

13. Stripe formatted 25 million lines of Ruby in one night

Stripe’s rubyfmt story earns its length. They formatted the entire Ruby codebase – 25 million lines – in one overnight run. Zero outages, zero rollbacks. Worth reading for the mechanics: diff tracking, semantic-equivalence checks, and the awkward corners of Ruby’s grammar that make formatters fail in unglamorous ways.

Before GitHub was the default

Armin Ronacher's Before GitHub is infrastructure memory. Trac, Subversion, mailing lists, self-hosted projects, fragmented identity, and the slow gravitational pull that made GitHub feel less like a site and more like the place open source happened.

The piece doesn't reach for a "GitHub bad" frame. It just remembers that defaults are historical accidents with network effects. Once a forge becomes the social layer, the CI layer, the issue tracker, the release surface and the reputation graph, leaving it stops being a technical migration and becomes a small act of archaeology.

14. Simon Willison’s take on vibe coding is the one worth reading

Simon Willison’s essay on vibe coding and agentic engineering is worth reading because it resists the lazy binary. The distinction turns on ownership: whether the human still owns the spec, tests, review and integration work, regardless of how much AI sat in the middle. The code is visible. The bottleneck is usually everything around it.

Information Security

15. Chrome silently ships a 4 GB AI model to desktop installs

The Privacy Guy documented Chrome’s silent Nano install. The stable channel downloads a roughly 4 GB Gemini Nano model into desktop installs via the standard update path. No user-facing consent prompt. No obvious opt-out in settings. 9to5Google followed up with Google’s explanation that the model is required for built-in AI features and downloaded once.

Google didn’t answer why machines that will never use the feature get it anyway.

Software for an audience of one

Geir Isene's A desktop made for one argues for making tools that fit one person exactly. No market segment, no onboarding funnel, no roadmap theatre. A window manager, editor, shell, file manager and desktop stack slowly bent around the person who has to use them.

A desktop made for one – laptop, lamp, plant and notebook

Geir Isene

Sounds self-indulgent until you remember how much good software began as a refusal to generalise too early. A tool for one person has one unfair advantage over most products: it can be clear about what it is for.

I have a small homelab corner that started exactly this way. The parts I built for myself have outlasted the parts I tried to make "proper."

16. Dirty Frag is the bad shape of a Linux LPE

Researchers disclosed Dirty Frag on oss-security this week. A Linux local privilege escalation with Copy Fail-like impact, a broken embargo, and no convenient mitigation beyond blocking the affected modules from loading until patches are out. Low-friction to weaponise, broad in reach, awkward to clean up – the slowest systems get hit hardest.

17. ShinyHunters extorts Instructure / Canvas

The Verge reported that Instructure, the parent of Canvas, was hit by ShinyHunters and is dealing with leaked student data and threats of a wider release. Canvas is the LMS for a large chunk of K-12 and higher-ed in the US. School systems are slow to rotate and easy to pressure.

Coming up

19–20 May: Google I/O 2026 returns to Shoreline and online. Gemini and Android are the obvious surfaces. The Chrome local-model install story above gives the announcements a less comfortable backdrop.

2–3 June: Microsoft Build 2026 in San Francisco and online. First major Microsoft developer event after the Microsoft / OpenAI restructure, so the Copilot framing should be more interesting than usual.

8–12 June: Apple WWDC26, online, keynote on 8 June. Apple’s AI and developer-tooling story under much less forgiving scrutiny than last year.

Big week. Let me know if any of it changed your read.

Cheers,
Julian

How this is made

Throughout the week I stumble across a mildly unreasonable number of interesting things, and I forward them instantly to the friend or colleague I think might care – sometimes to their delight, sometimes to their annoyance, and often with no context at all. Heartbeat is the attempt to do that a little better.

Every Friday a small agent I built, Honoka, looks through the places where those links tend to leak out: my private email, work email, Matrix, Mastodon, WhatsApp, Apple Messages, Signal, and the faint imprints on the platen of my Olympia typewriter (still not an API, tragically). It sorts, filters, groups and summarises the week, then hands me a draft.

Honoka is guided by a private corpus of things I have written over the last fifteen years, so it can get closer to how I sound in more-or-less official emails and public notes. I still take a pass by hand: remove things, change sentences, check links, argue with the judgement. Whether that is enough is, frankly, the experiment. Every issue has one item written entirely by hand. If you can reliably spot it, hit reply and judge.
Hanso Hanso
Hanso Pte Ltd · 1 Phillip Street #08-00, Singapore 048692
www.hanso.group