Today’s TechScan: Ads in PRs, Router DIY, and Europe’s Office Reboot
Today’s briefing highlights a developer-trust flashpoint as Copilot-inserted promotional copy appears in millions of PRs, practical hardware hacks that turn old PCs into routers amid policy pressure, and a European open-source push to replace major office suites. We also cover a privacy-minded Bitwarden agent vault integration for safer AI agents and a surprising Apple Silicon HiDPI cap affecting 4K external displays.
The modern tech stack has always been a little like city plumbing: mostly invisible, occasionally miraculous, and catastrophically annoying when someone decides it’s a great place to hang a billboard. That metaphor stopped being cute this week when developers noticed GitHub Copilot behaving less like a helpful autocomplete engine and more like a marketing channel with commit access. The flashpoint was almost comically mundane: a teammate used Copilot to fix a typo, and the resulting change didn’t just correct text—it rewrote part of a pull request description to include self-promotional copy for Copilot and Raycast. The developer who documented it framed it as an early warning sign that platforms, having spent lavishly in the subsidy era, are now learning to monetize wherever users’ attention is most captive: inside the workflow itself.
The larger scale is what turns “weird bug” into “trust crisis.” Reporting cited by Neowin claims over 1.5 million GitHub pull requests have had promotional “tips” injected by Copilot, plus thousands more on GitLab. Sometimes these appear as visible text; other times they’re tucked into hidden HTML comments labeled “START COPILOT CODING AGENT TIPS.” The examples include plugs for integrations and partner tools—Raycast, Slack/Teams hooks, and instructions for launching Copilot coding agent tasks from editors like VS Code and JetBrains. Even if the copy is framed as “tips,” it changes the social contract of code review: PR descriptions are supposed to reflect intent, context, and accountability, not serve as ad inventory. Once a collaboration artifact becomes a place where marketing can appear without explicit author intent, every future “helpful suggestion” gets viewed through a fog of suspicion.
This is less about whether any individual tip is harmless and more about consent and hygiene—two concepts developers obsess over precisely because they’re the difference between a stable system and a slow-motion incident. A pull request is part technical document, part workplace communication, part legal record (depending on the org). Injecting promotional material—especially via hidden comments—undermines the professional expectations teams bring to these artifacts. And it forces an uncomfortable question: if a tool can add marketing copy, what else can it alter in the name of “help”? This is how trust erodes: not with an outage, but with a pattern of small boundary violations that makes everyone second-guess what they’re seeing.
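A review-side check for the hidden comments described above, as an added example that is not code from GitHub, Copilot, or the reporting cited here. It lists every HTML comment that renders invisibly in a PR description and flags those carrying the "START COPILOT CODING AGENT TIPS" label; the sample description and the function names are constructed for illustration.

```python
import re

TIPS_MARKER = "START COPILOT CODING AGENT TIPS"  # label quoted in the article
FENCE = re.compile(r" {0,3}(`{3,}|~{3,})")
COMMENT = re.compile(r"<!--(.*?)(-->|\Z)", re.DOTALL)

# Constructed sample PR description, not taken from a real pull request.
SAMPLE_PR = (
    "Fix typo in README\n\n"
    "<!-- reviewer checklist: docs only -->\n"
    "~~~html\n<!-- START COPILOT CODING AGENT TIPS (quoted as code) -->\n~~~\n"
    "<!-- START COPILOT CODING AGENT TIPS\nTip: constructed promotional text.\n-->\n"
    "Closes the typo issue.\n"
)


def mask_fenced_code(body):
    """Blank fenced code (same length) so comments displayed as code are ignored."""
    out, fence = [], None
    for line in body.splitlines(keepends=True):
        m = FENCE.match(line)
        if fence is None and m:
            fence = m.group(1)[0]          # opening fence character
        elif fence and m and m.group(1)[0] == fence:
            fence = None                   # closing fence
        elif fence is None:
            out.append(line)               # ordinary line outside any fence
            continue
        out.append(re.sub(r"[^\n]", " ", line))
    return "".join(out)


def find_hidden_comments(body):
    """List HTML comments that render invisibly in a PR description."""
    found = []
    for m in COMMENT.finditer(mask_fenced_code(body)):
        text = body[m.start(1):m.end(1)].strip()
        found.append({"span": m.span(), "text": text, "terminated": m.group(2) == "-->",
                      "injected_tips": TIPS_MARKER in text.upper()})
    return found


def strip_injected_tips(body):
    """Delete closed comments carrying the marker; leave others for human review."""
    for f in reversed(find_hidden_comments(body)):
        if f["injected_tips"] and f["terminated"]:
            body = body[:f["span"][0]] + body[f["span"][1]:]
    return body
```

Unterminated comments are reported but never stripped, since removing them would delete everything to the end of the description.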
If that sounds bleak, today’s other stories offer a kind of counter-programming: practical, user-controlled computing that treats software as something you can inspect, bend, and own. Consider the humble home router, long treated as an opaque plastic appliance with firmware you’re not supposed to think about. A new guide argues that, with possible US policy moves that could restrict consumer router imports looming, it’s worth remembering a router is “just” a computer—one you can build from almost any spare Linux-capable machine. The author walks through turning everything from a Celeron mini-PC to an old ThinkPad into a WAN/LAN router, using familiar Linux components: hostapd for Wi‑Fi, dnsmasq for DHCP/DNS, and bridge-utils for LAN bridging, focusing on IPv4.
The appeal isn’t only cost savings, though reusing a mini-PC or laptop is undeniably cheaper than chasing whatever “gaming router” is trending. It’s about control and clarity. When your router is a Debian or Alpine box you assembled, you can reason about what it’s doing and why. And in a world where policy shocks can reshape hardware availability, the ability to repurpose what you already own starts to look like resilience rather than hobbyism. Even the guide’s premise—two Ethernet interfaces, or a USB‑Ethernet dongle—quietly challenges the consumer networking narrative that you need specialized gear to do basic networking well. Sometimes the best upgrade is simply swapping mystery firmware for tooling you can audit.
That same spirit—durable systems built with modest resources—shows up in an improbable corner of developer education. Webminal, a browser-based Linux terminal service, has been running since 2011 on a single CentOS server with 8GB RAM, serving roughly 500,000 users while weathering datacenter outages and traffic spikes. The founder rebuilt the site with a modern self-hosted UI and added a “Root Lab” that provides root-capable practice environments using User Mode Linux. There’s also an eBPF-powered live command ticker that has traced 28 million commands, a detail that feels like both a flex and a love letter to systems observability. The project’s history is a tour through pragmatic choices—browser IDEs (Theia/VS Code), Docker-over-LXC root environments, Asciinema screencasts, ttyrec-to-GIF publishing, and even a custom useradd to handle huge user counts—without succumbing to the modern reflex of “just add a cluster.”
From there it’s a short leap to another thread running through today’s briefing: sovereignty, not as a slogan, but as an architectural goal. Euro-Office is a new European-led open-source project backed by organizations including Nextcloud, Proton, EuroStack, Wiki, and Soverin, aiming to provide a web-based collaborative office editor positioned as an alternative to Google Docs and Microsoft Office. The key design choice is telling: it’s not trying to be a full suite or replace every cloud feature. Instead, Euro-Office will be a fork of OnlyOffice, supporting DOCX/XLSX/PPTX and OpenDocument, and designed to be pluggable into cloud storage, wikis, and project-management tools. In other words, it wants to be the collaborative editing layer you can integrate into systems you already run.
The organizers also cite concerns about OnlyOffice’s development governance and its Russian corporate ties amid sanctions, arguing that an auditable, sovereign alternative is necessary. That motivation lands differently when you pair it with a market reality check: Paul Kedrosky notes that the S&P 500’s year-to-date decline has been dominated by eight mega-cap stocks—Microsoft, Nvidia, Alphabet, Apple, Amazon, Meta, Tesla, and Oracle—accounting for about 85% of the index’s drop. Whatever you think of “digital sovereignty” as rhetoric, it’s increasingly hard to ignore the practical consequences of concentration. When a small handful of firms shape not only product roadmaps but also market mood and institutional risk appetite, governments and enterprises start looking for vendor-independent options that reduce exposure, even if they’re not as glossy.
Of course, sovereignty and self-hosting only matter if the security model is credible, especially as AI agents become more common in production workflows. One of the more pragmatic developments today comes from Bitwarden and an open-source gateway called OneCLI. Bitwarden has released an Agent Access SDK that enables human-approved, runtime credential access for AI agents, and OneCLI now integrates with it in a way that sidesteps the most obvious failure mode: letting an agent ever see the key it’s using. The pitch is elegantly boring: secrets are pulled only after an approval flow via Bitwarden CLI, and then OneCLI injects credentials into API requests at the network layer, so the agent never holds plaintext keys in memory. Alongside that, the gateway can apply rate limits, policy enforcement, and audit trails, and the integration is currently alpha.
This matters because so many agent deployments are currently held together by the digital equivalent of sticky notes: environment variables, long-lived tokens, and hope. The Bitwarden/OneCLI model implicitly accepts that prompt injection and accidental exfiltration aren’t edge cases; they’re expected hazards. So you design the system such that even a “clever” agent can’t leak what it never possessed. It’s not a silver bullet, but it’s a measurable improvement you can explain to auditors and incident responders, which is more than can be said for many flashy agent demos.
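The design property described above, modelled in-process as an added example; this is not Bitwarden's Agent Access SDK or OneCLI code, and it uses neither project's API. The class, the callbacks standing in for the approval flow and vault read, the Bearer scheme, the host names, and the response scrubbing are all assumptions made for illustration.

```python
import time

SECRET = "sk-constructed-0000"  # constructed sample value, not a real key


class ApprovalDenied(Exception):
    """The human approver rejected the request."""


class RateLimited(Exception):
    """The per-minute request budget is exhausted."""


class InjectingGateway:
    """Hypothetical gateway: reads the secret itself and never returns it."""

    def __init__(self, fetch_secret, approve, max_per_minute=2, clock=time.monotonic):
        self._fetch, self._approve = fetch_secret, approve  # vault read, approval flow
        self._max, self._clock = max_per_minute, clock
        self._sent = []  # timestamps of forwarded requests
        self.audit = []  # (agent, host, decision) tuples; never the secret

    def forward(self, agent_id, request, upstream):
        host, now = request["host"], self._clock()
        self._sent = [t for t in self._sent if now - t < 60]
        if len(self._sent) >= self._max:
            self.audit.append((agent_id, host, "rate_limited"))
            raise RateLimited(host)
        if not self._approve(agent_id, host):
            self.audit.append((agent_id, host, "denied"))
            raise ApprovalDenied(host)
        secret = self._fetch(host)  # read only after approval succeeds
        # Discard any Authorization header the agent set, then inject the real one.
        headers = {k: v for k, v in request.get("headers", {}).items()
                   if k.lower() != "authorization"}
        headers["Authorization"] = f"Bearer {secret}"
        self._sent.append(now)
        self.audit.append((agent_id, host, "forwarded"))
        reply = upstream({**request, "headers": headers})
        return reply.replace(secret, "[REDACTED]")  # assumption: scrub echoed secrets


def demo():
    """Run one approved request against a fake upstream that echoes the header."""
    seen = []
    upstream = lambda req: seen.append(req["headers"]["Authorization"]) or "echo " + seen[-1]
    gw = InjectingGateway(lambda host: SECRET, lambda agent, host: host == "api.example.test")
    reply = gw.forward("agent-1", {"host": "api.example.test"}, upstream)
    return reply, seen, gw.audit
```

The agent side only ever handles the request it built and the scrubbed reply, so a prompt-injected instruction to reveal the key has nothing to reveal.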
Trust, meanwhile, is getting stress-tested at every layer—from developer tools to government software. A TechScan review of federal Android apps paints a grim picture of permission sprawl and tracking: the White House app requests GPS, fingerprint access, storage changes, and draw-over-apps, and bundles trackers including Huawei Mobile Services; the FBI app embeds multiple trackers including Google AdMob; and other tools request extensive permissions. The same investigation flags issues like long retention for biometric data in certain contexts, warrantless location purchases from brokers, and GAO recommendations that have largely not been implemented. Whatever your politics, the pattern is familiar: institutions that talk tough about security often ship software that behaves like it’s optimized for data collection first and user trust second.
Even privacy advocacy can take unexpected forms. Cape hid a sweepstakes—offering a free trip to Switzerland—inside the plain-language version of its privacy policy, and a reader found it within two weeks. Cape says it ran the promotion with Proton to underline how rarely people read privacy policies, citing an FTC estimate that only 0.5% do. The stunt also nods at the wider industry problem: policies that bury data monetization clauses, and a backdrop that includes FCC fines for illegal location-data sales. It’s marketing, sure, but it’s marketing that proves a point by exploiting a real UX truth: most users click “agree” with the same attention they give to elevator music.
Hardware, too, is getting its own trust-and-control drama, just in a more pixel-dense form. A detailed report finds that Apple Silicon M4 and M5 Macs are intentionally capped in how they offer HiDPI modes on 4K external displays. On a 3840x2160 panel, the top HiDPI mode available is now 3360x1890 using an approximately 6720x3780 backing store, rather than the full 3840x2160 HiDPI mode that M2/M3 machines could produce. Testing that compared an M5 Max and M2 Max with identical DCP-reported capabilities suggests the hardware can do more—the M5 Max even lists native 8K@60Hz—but the AppleDisplayCrossbar driver enforces a ~1.75x backing-store cap, short of the 2.0x required for full 4K HiDPI. Attempts to bypass it via software overrides and EDID patching or flashing didn’t work, which points to a deliberate policy rather than an accidental regression.
The practical outcome is a frustrating trade-off: choose full 4K with a UI that looks blurrier than it should, or choose a reduced effective resolution to get sharp HiDPI. For users who bought new hardware expecting better external display handling, this is the opposite of the usual Silicon story. And it’s a reminder that “capable hardware” doesn’t guarantee “available capability” when the driver draws a line. The same day brings a small, charming counterpoint in the macOS ecosystem: Ghostmoon.app, a lightweight menu-bar utility that bundles a pile of system-level shortcuts—keep-awake toggles, mass-eject drives, switch audio devices, reset macOS databases, generate cryptographically secure passwords—offered as a free pre-release download with an optional paid unlock. It’s not a solution to Apple’s scaling cap, but it embodies a theme: power users will always build (and pay for) tools that give them back a little agency.
If you want a final dose of that agency, look at the long arc of browser forks. Waterfox just marked 15 years since its initial fork from Firefox, charting a path from a privacy-focused alternative into a niche browser known for legacy extension support and performance tweaks. Its history underlines why forks matter: they preserve user choice, keep older workflows alive, and sometimes nudge upstream projects simply by proving demand exists. In the same way Webminal refuses to die on 8GB of RAM, Waterfox’s persistence is a reminder that the internet is not only shaped by giants. It’s also shaped by stubborn, competent people who decide that if the mainstream won’t serve their needs, they’ll ship something that does.
The throughline today is simple: trust is becoming the scarce resource, and everyone is trying to spend it—platforms by monetizing workflows, institutions by collecting data, vendors by restricting capabilities—while users and developers are relearning old skills to reclaim control. Tomorrow’s winners won’t just be the products with the most features; they’ll be the ones that can prove, in concrete ways, that they deserve a place in the plumbing.
About the Author
yrzhe
AI Product Thinker & Builder. Curating and analyzing tech news at TechScan AI. Follow @yrzhe_top on X for daily tech insights and commentary.