Luca Rossi argues that the right measure of AI effectiveness isn't lines of code but leverage — how much output you get per unit of human input. Teams progress through three stages: writing full specs for everything, then encoding knowledge into shared rules (like AGENTS.md), and finally building reusable modules that enforce correctness by design.

The security case for serverless just got stronger

AI agents can now scan an entire open-source codebase for exploitable vulnerabilities in hours.

Frontier models carry the complete library of known bug classes in their weights. So you can simply point an AI agent at a codebase and tell it to find zero-days.

This isn't theoretical.

Yan Cui highlights that AI agents can now find real zero-days in open-source codebases at scale, shrinking the patch window from weeks to hours. Serverless and managed services have a structural advantage because AWS patches the runtime for you. The practical takeaways: eliminate long-lived AWS keys everywhere, treat LLM API keys like credentials, and scan your repos for exposed secrets.

Do not use secrets in environment variables and here's how to do it better

Every Layer of Review Makes You 10x Slower

Each approval layer adds 10x wall clock time, and AI can't fix that. It only speeds up the first step. Drawing on Deming and the Toyota Production System, the argument is that review layers hide root causes rather than fixing them. The memorable line: "The job of a code reviewer isn't to review code — it's to figure out how to obsolete their review comment, that whole class of comment, forever."

The common thread across all four: the bottleneck isn't writing code, it's the systems around it. Whether it's review layers, security patching, or AI leverage, the answer is the same: engineer quality into the system itself through tests, automation, modules, and clear interfaces, rather than adding layers of inspection after the fact.

Claude Code cache chaos creates quota complaints

Anthropic changed the prompt cache TTL from 1 hour to 5 minutes in March. Long, high-context sessions hit quota limits much faster. Pro users report as few as 2 prompts per 5 hours. Leaving your machine for >1 hour = full cache miss on the 1M token context. They're considering reducing the default to 400K tokens.

Token consumption matters more than ever. The next two tools address this from both ends.

Caveman — Output Token Compression

Constrains LLM output to minimal-token structures. Strips pleasantries and padding, keeps code and technical content. Up to 87% output token reduction. Paper shows brevity constraints improve accuracy by 26pp.

RTK (Rust Token Killer) — Input Token Compression

Intercepts shell command outputs (git, ls, grep, test runners, docker, AWS CLI — 100+ commands) and compresses them before they reach the LLM context. 60-90% input token reduction, < 10ms overhead.

Works with: Claude Code, Copilot, Gemini CLI, Codex, Cursor, Windsurf, Cline.