Today's TechScan: Agents, PQC in GnuPG, and a DIY PCB Revival

A funny thing happens when software stops being a passive tool and starts behaving like a junior colleague with a mouse: all the tidy assumptions we’ve baked into our systems—testing, observability, databases, even “who wrote this code?”—get dragged into the messy world of autonomy. Today’s most consequential thread isn’t a single product launch so much as a widening recognition that desktop-capable agents are forcing the ecosystem to grow up fast. The open-source community, in particular, is filling in the gaps with new scaffolding for safety, evaluation, and long-running “memory”—and at the same time, practitioners are waving a very practical warning sign: if you point these agents at production systems without rethinking your operational posture, your database (and your boss) may end up believing things that aren’t true.

One of the clearest signals of maturation is trycua’s newly released cua, pitched as an open-source infrastructure stack for building and evaluating “Computer-Use Agents” across macOS, Linux, and Windows. The key contribution isn’t that it makes agents click buttons—plenty of demos already do that—it’s that it bundles sandboxes, SDKs, and benchmarks meant to make UI-level agent behavior reproducible and comparable. That’s a direct attack on a persistent testing gap: API-only benchmarks are neat and deterministic, but the real world is a flaky dropdown menu, a modal dialog you didn’t anticipate, and three subtly different OS behaviors. By emphasizing safe execution via sandboxed environments alongside standardized evaluation, cua is basically saying: if we’re going to let models operate “real desktops,” we need a lab environment that looks like reality but can’t burn the building down.

That push toward agent infrastructure is mirrored by a burst of experimentation around memory—not “context window” marketing, but mechanisms for deciding what a long-running system should keep, reinforce, or forget. A Show HN project called “AI memory with biological decay” proposes using an Ebbinghaus-style forgetting curve where memories have decaying “strength,” recall reinforces items via spaced repetition, and unused entries are pruned. It also tries to patch semantic-search blind spots by layering a graph over a vector store. The author reports 52% Recall@5 on the LoCoMo dataset—nearly double stateless vector stores—and an 84% reduction in token waste, packaged as a local-first MCP server backed by DuckDB. In parallel, another project, Stash, takes a more structured approach: a self-hosted, single-binary persistent memory layer that stores episodes, facts, and working context in Postgres, with an MCP server included. Put together, these efforts hint at a shift from “prompting” to operationalizing continuity—and they also raise a thorny question: once agents can remember, what exactly are we obligated to measure about their behavior over time?

Because the uncomfortable truth is that autonomy doesn’t just stress test evaluation; it stress tests the plumbing underneath your company. Arpit Bhayani’s “Databases Were Not Designed for This” is a bracing reminder that four decades of database expectations—deterministic callers, intentional writes, brief connections, and human-monitored failures—don’t survive first contact with a non-deterministic agent that can “think” while holding a connection or decide that the best way to solve a task is to run a query you never imagined. His recommendations are refreshingly concrete: role-level statement timeouts and idle-in-transaction timeouts, write idempotency, defensive schema and permissioning, and monitoring tailored to agent behavior to prevent resource exhaustion, runaway transactions, and silent incorrect writes. The subtext is that traditional tuning and indexing aren’t enough if your client is an autonomous system that can generate unpredictable load patterns at machine speed. If you’re treating agents like slightly chatty users, you’re already behind.

Even when the database survives, the dashboards might not. A separate piece on Windsurf—specifically its VSCode-fork agent “Cascade”—takes aim at the product’s “% new code written by Windsurf” metric (PCW). In testing, the author saw PCW routinely report eye-watering numbers (85–98%), and argues the way it’s computed can overcount trivial suggestions, boilerplate, or minor edits, turning a managerial KPI into something closer to a funhouse mirror. The stakes here aren’t theoretical: enterprises may use these analytics for hiring, performance reviews, compliance narratives, or simple budget fights. If your org is leaning on “AI authorship” metrics without understanding their caveats, you may wind up optimizing for the number rather than the outcome—while accumulating technical debt that looks like progress on a slide.

Against that backdrop of slippery agency and slippery measurement, it’s oddly grounding to see a venerable security toolchain making a crisp, concrete upgrade. GnuPG 2.5.19 has landed with Kyber—specifically ML-KEM/FIPS-203—bringing post-quantum encryption support into the mainline OpenPGP implementation. That’s significant not because post-quantum cryptography is new in research circles, but because GnuPG sits in the daily workflow layer for developers and organizations: key management, encrypted communication, signing, and the gritty operational stuff that “real security” is made of. When a tool that foundational adopts Kyber, it’s a marker that PQC is moving from future-proofing talk to deployable defaults, at least for those already living in the GPG ecosystem.

The release notes also underline that “deployable” depends on boring details. Alongside Kyber, GnuPG 2.5.19 continues 64-bit Windows improvements, adds new gpg and gpgsm options (including OCB symmetric mode, session-hash display, and cipher-mode in --cipher-algo), improves smartcard pinentry behavior, and introduces a new dirmngr keyserver keyword. There’s also a dense stack of bug fixes: key refresh edge cases, PKCS#12 import quirks, GCM and certificate handling, RSA signature padding, and gpgtar directory checks. The practical takeaway is that if the ecosystem is going to take PQC seriously, it can’t arrive as a fragile science project. It has to ship with the kind of operational sanding and patchwork that keeps encryption tools from becoming the next helpdesk wildfire—especially with 2.4 approaching end-of-life and teams looking for drop-in paths forward.

If you want a reminder that the weakest link in security is often process rather than math, today’s registrar horror story is hard to beat. An account tied to a 27-year organizational domain was reportedly transferred out of GoDaddy without proper documentation after an “Internal User” initiated an account recovery and completed a transfer within minutes. The fallout was brutally mundane: DNS was reset to defaults during the move, knocking websites and email offline for days, affecting twenty chapters that relied on subdomains. The organization says the account had dual two-factor authentication and GoDaddy’s Full Domain Privacy and Protection enabled—yet they still ended up in a slow-motion outage, with support giving inconsistent instructions and limited transparency about where the domain went or how recovery would proceed.

This is the kind of incident that makes even seasoned operators re-audit their threat models, because it spotlights a single point of failure that doesn’t live in your cloud provider or your codebase—it lives in the administrative machinery of the internet. Registrar access, account recovery workflows, and internal controls can become the real perimeter. The operational lesson isn’t just “use 2FA” (they did) but “treat domain custody like critical infrastructure,” with tighter internal processes, explicit registrar controls where possible, and organizational readiness for the unpleasant truth that support channels can be slow and inconsistent precisely when the incident is most existential.

On a very different axis of “infrastructure,” makers are also revisiting assumptions—this time about the physical substrate of computing. Mz* Baltazar’s Lab published a hands-on clay PCB tutorial that treats electronics not as a sealed global supply chain artifact but as something that can be locally sourced, materially experimental, and explicitly ethical. Their project uses recovered ATmega328P microcontroller chips from broken Arduino boards and a 3D-printed stamp to imprint circuit tracks into clay, accounting for roughly 5% shrinkage and targeting about 1.2 mm track depth. They explore porcelain and low-energy firing techniques, including open wood-fire methods inspired by ceramicist Heinz Lackinger, framing the work as an alternative to conventional PCBs tied to conflict minerals and high-energy manufacturing.

The point isn’t that clay PCBs are about to replace conventional fabrication for high-density electronics; the point is the conversation it forces. By demonstrating a path toward recyclable, locally sourced, repair-oriented hardware experiments, the project reframes “sustainability” away from corporate pledge decks and toward hands-on tradeoffs: energy input, material sourcing, reuse of components, and the idea that electronics can be culturally and geographically situated. Even if most readers never stamp a circuit into porcelain, the tutorial is a reminder that innovation isn’t only about smaller nodes and faster fabs—it can also be about different values baked into the object itself.

Security history offers another kind of reframing: not “what’s next,” but “how long has this been possible?” SentinelOne researchers disclosed fast16, a stealthy cyberweapon compiled in 2005 that silently corrupted scientific and engineering simulations and remained undetected for 21 years, predating Stuxnet by five years. Analysts Vitaly Kamluk and Juan Andrés Guerrero-Saade traced it through a 2016 VirusTotal upload (svcmgmt.exe) embedding a Lua 5.0 VM, encrypted bytecode, a network-mapping DLL, and a kernel driver fast16.sys, targeting single-core-era Windows systems. Fast16 spreads via network shares, installs as a service, exfiltrates dial-up/VPN connection details, and injects payloads that manipulate calculations—an unnerving reminder that sabotage doesn’t always look like an explosion; sometimes it looks like a subtly wrong answer.

The timeline shift matters because it suggests sophisticated, modular cyber sabotage techniques—Lua scripting, stealthy persistence, reconnaissance, and calculation manipulation—were in play well before the world fixated on Stuxnet as the origin story. For defenders of critical infrastructure, research environments, or any system where simulation integrity matters, the warning is sharp: long-lived targeted tooling can distort outputs quietly, and detection can lag not by days but by decades. In an era where we increasingly rely on computational outputs—engineering models, scientific simulations, even automated decision systems—the integrity of “the calculation” is part of the security perimeter.

Meanwhile, the open-source baseline continues to quietly define expectations for cross-platform reliability and extensibility. Projects like curl and Home Assistant Core remain the kind of foundational tooling that everything else leans on, often invisibly, setting norms for portability and ecosystem integration simply by existing and being depended upon. Alongside those staples, today’s repo zeitgeist also includes a push toward minimal-dependency, performance-minded infrastructure: shimmy positions itself as a Python-free Rust inference server that’s OpenAI-API compatible, supporting GGUF and SafeTensors with hot model swapping and auto-discovery in a single binary; cap pitches a privacy-first, self-hosted CAPTCHA for the modern web. The connective tissue here is developer appetite for stacks that are easier to deploy, easier to audit, and less entangled with heavyweight runtime assumptions—an echo, in infrastructure form, of the “local-first” instinct showing up in agent memory systems.

Even sports offered a tech-flavored jolt this weekend. Kenya’s Sebastian Sawe ran 1:59:30 at the London Marathon on 26 April 2026, becoming the first athlete to go sub-two hours in a competitive, record-eligible race—beating the previous world record of 2:00:35 set in 2023 by the late Kelvin Kiptum, and going faster than Eliud Kipchoge’s famous 2019 sub-two run that wasn’t record-eligible due to controlled conditions. Sawe hit halfway in 1:00:29 and then accelerated to a 59:01 second half; Yomif Kejelcha also went under two hours at 1:59:41. Discussion around the feat quickly gravitated to two familiar levers of modern performance: nutrition protocols and shoes. Hacker News commenters cited Maurten’s account of researchers spending 32 days embedded with Sawe’s team across six trips to “train the gut” to tolerate roughly 90–120 grams of carbohydrates per hour using hydrogel products, and highlighted Adidas Adizero shoes described as weighing about 96 grams with new foam and carbon-plate designs. The cultural shift is the point: the narrative is moving from “you need a bespoke, expensive moonshot project” to “the barrier is falling in real races as techniques diffuse.”

Pull these threads together and a pattern emerges: whether it’s agents clicking around a desktop, PQC landing in a daily crypto tool, a domain slipping away through opaque registrar process, a clay PCB challenging the material assumptions of electronics, or a 2005 cyberweapon rewriting the history of sabotage, the theme is operational reality catching up with technical possibility. The next few months will likely be defined less by flashy demos and more by the slow construction of guardrails: reproducible agent benchmarks, defensive database configurations, honest metrics, more deployable cryptography, and a renewed focus on the brittle chokepoints—administrative and infrastructural—where failures cascade. If the future is autonomous, quantum-resistant, and increasingly DIY, it will also have to be measurably reliable, or it won’t be trusted for long.