Devlog tag
View All Tags
For over a decade, Drupal developers have relied on Drupal.ajax—a powerful but heavy abstraction layer over jQuery—to handle dynamic interactions. But with jQuery's slow sunset and the rise of "HTML-over-the-wire" paradigms, it's time for a change.
Enter the HTMX in Drupal Core initiative.
qodo-multi-agent-code-review-demo is a Python-based simulator that demonstrates the multi-agent architecture recently introduced by Qodo (formerly CodiumAI). It showcases how specialized AI agents—focused on security, performance, style, and bugs—can collaborate to provide high-precision code reviews.
The project implements a ReviewCoordinator that orchestrates multiple domain-specific agents. Each agent uses targeted heuristics (representing specialized training) to identify issues and suggest fixes. By separating concerns into distinct agents, the system achieves better precision and recall than a single general-purpose model, mirroring the architecture behind Qodo 2.0.
A technical takeaway: multi-agent systems thrive on structured communication. Using a unified Finding model allows the coordinator to aggregate and prioritize feedback seamlessly, ensuring that critical security vulnerabilities aren't buried under style suggestions.
With WordPress 7.0 Beta 1 set for February 19, 2026, the ecosystem is bracing for one of the most significant releases in recent years. This version isn't just a number bump; it represents the convergence of Gutenberg Phase 3 (Collaboration) and the first steps into Phase 4 (Multilingual). To help developers prepare, I've updated my wp-7-release-readiness CLI scanner to detect more than just PHP versions.
I've enhanced the tool to specifically target the upcoming core changes:
Beta 1 (Feb 19) is the "feature freeze" point. For developers, this is the time to start testing themes and plugins against the new core. The final release is expected in early April, giving us a tight 6-week window to ensure compatibility. Using a scanner like this allows for automated auditing across large multisite networks or agency portfolios before manually testing each site.
The plugin detection logic uses a simple but effective directory-based heuristic. By mapping known third-party solutions for multilingual and collaboration to their core-equivalent counterparts in 7.0, the tool provides a high-level "conflict risk" score. It's not just about what breaks; it's about what becomes native.
Inspired by Dries Buytaert's recent insights on AI-Driven Vulnerability Discovery, I built a tool to address one of the biggest challenges in modern open-source security: Triage at Machine Speed.
As AI makes it easier and cheaper to find potential vulnerabilities, open-source maintainers are facing an unprecedented flood of security reports. The bottleneck is no longer finding bugs, but evaluating and triaging them without burning out the human maintainers.
The recent security alert regarding Moltbook, an AI-only social platform, serves as a stark reminder that "vibe coding" — while incredibly productive — can lead to catastrophic security oversights if fundamental principles are ignored.
In early February 2026, cybersecurity firm Wiz identified critical flaws in Moltbook. The platform, which was built primarily using AI-assisted coding, suffered from basic misconfigurations that led to:
The creator admitted that much of the platform was "vibe coded" with AI, which likely contributed to the oversight of standard security measures like authentication layers and secret management.
AI is great at generating code that works, but it doesn't always generate code that is secure by default unless explicitly instructed and audited. When building AI integrations, especially in platforms like Drupal, it's easy to accidentally store API keys in configuration or expose environment files.
To help the Drupal community avoid similar pitfalls, I've built a small utility module: AI Security Vibe Check.
This module provides a Drush command and a service to audit your Drupal site for AI-related security risks:
.env or .git directories in your web root.drush ai:vibe-check to get a quick health report on your AI security "vibe."View Code
Building with AI is the future, but let's make sure our "vibes" include a healthy dose of security auditing.
Issue: Moltbook Security Alert
WordPress 7.0 is set to bring a significant architectural shift with the proposed merge of the WP AI Client into core. This initiative aims to provide a provider-agnostic foundation for AI capabilities within WordPress, allowing developers to build AI-powered features that work seamlessly across different models and services.
I spent some time reviewing the proposal and building a proof-of-concept (POC) to see how this architecture might look in practice.
Today I built the WP Playground AI Agent Skill, a set of tools and Blueprints designed to enable AI agents to interact with WordPress in a fast, ephemeral environment using WP Playground.
Testing WordPress plugins and themes usually requires a full local server setup (DDEV, LocalWP, etc.), which can be slow and heavy for an AI agent performing quick iterations. WP Playground runs WordPress in a WASM-based environment, allowing for near-instantaneous site launches directly in the terminal or browser.
By wrapping WP Playground CLI into a specialized skill, AI agents can now:
The project includes:
test-plugin.sh that automate the process of mounting and activating a local plugin in a Playground instance.This skill is now part of the VictorStack AI ecosystem, allowing our agents to perform high-fidelity WordPress testing with minimal overhead.
Google News and "Preferred Sources" are critical for publishers looking to maintain visibility in search and news feeds. Today, I'm reviewing and building a demonstration of a Google Preferred Source CTA Tool for WordPress.
This tool is a lightweight plugin designed to encourage users to follow a site on Google News and set it as a preferred source, effectively boosting the site's authority and reach.
When a user "follows" your publication on Google News, they are more likely to see your content in their "For You" feed and Discover. Setting a site as a "Preferred Source" (or just Following) is a strong signal to Google's algorithms that your content is valued by that specific user.
[google_preferred_source] to place the CTA anywhere in your layouts.The plugin follows WordPress coding standards (verified with PHPCS) and includes unit tests powered by Brain Monkey to ensure reliability without requiring a full WordPress database for testing.
public function render_shortcode() {
$options = get_option( $this->option_name );
$url = isset( $options['google_news_url'] ) ? $options['google_news_url'] : '#';
if ( empty( $url ) || '#' === $url ) {
return '';
}
// Render the CTA box...
}
Future iterations could include:
View Code
The release of Terminus 4.1.4 is a quiet reminder that while AI and flashy dashboards get the headlines, the command line is still where the real work of site reliability engineering happens.
I manage a fleet of sites on Pantheon. Clicking through a dashboard to clear caches or run updates for one site is fine; doing it for twenty is a waste of a morning.
I rely on Terminus to script these interactions. When a tool like this gets an update, it's not just a "nice to have"—it's a potential impact on my CI/CD pipelines and local automation scripts. Ignoring CLI updates is a recipe for waking up one day to an authentication error that breaks a deployment.
Terminus 4.1.4 is a maintenance release, but in the world of platform CLIs, "maintenance" often means "keeping the lights on."
These tools bridge the gap between my local terminal and the remote container infrastructure. A minor version bump often contains fixes for API changes on the platform side that aren't visible until your old version stops working.
# Updating Terminus (standard method)
curl -O https://github.com/pantheon-systems/terminus/releases/download/4.1.4/terminus.phar
chmod +x terminus.phar
sudo mv terminus.phar /usr/local/bin/terminus
# Check version
terminus --version
# In your CI config, pin versions or fetch latest carefully
- name: Install Terminus
run: |
curl -L https://github.com/pantheon-systems/terminus/releases/download/4.1.4/terminus.phar -o terminus
chmod +x terminus
./terminus auth:login --machine-token=${{ secrets.PANTHEON_MACHINE_TOKEN }}
Always pin your CLI versions in CI. Fetching latest is tempting, but if 4.1.5 introduces a breaking change or a new interactive prompt, your build will hang or fail silently.
No separate repo—this is a review of a tool release.
package.json or requirements.txt, your operational tools need version pinning in automated environments. I've been burned by auto-updating pipelines before.remote:drush or token handling that you've been working around with a hacky script.The problem: You have two collections of plain arrays or objects and you need to associate them relationally, but you are not working with Eloquent models. Laravel's Collection class is powerful, but it has no built-in way to express a one-to-many relationship between two arbitrary datasets.
laravel-collection-has-many is a small PHP library that registers a hasMany() macro on Laravel's Collection class. It lets you attach a related collection to a parent collection using foreign key and local key fields, exactly like Eloquent's eager loading, but for plain data. After calling $users->hasMany($posts, 'user_id', 'id', 'posts'), each user in the collection gains a posts property containing their matched items.
This comes up more often than you'd think. API responses, CSV imports, cached datasets, cross-service joins — any time you're working with structured data outside of the ORM, you end up writing the same nested loop to group children under parents. This macro replaces that boilerplate with a single, readable call. It handles both arrays and objects, auto-wraps results in collections, and the key names are fully customizable.
The implementation uses O(n+m) grouping instead of naive nested iteration. It indexes the child collection by foreign key in one pass, then iterates the parent collection and attaches matches by lookup. This is the same strategy Eloquent uses internally for eager loading — groupBy the foreign key first, then assign. If you ever need to optimize a manual join in collection-land, this pattern is worth stealing. View Code
Gemini Ollama CLI Bridge is a Python CLI tool that chains a local Ollama model with Google's Gemini CLI into a two-stage code analysis pipeline. You point it at your codebase, it runs a first pass entirely on your machine via Ollama, and then optionally forwards the results to Gemini for a second opinion. Output lands as Markdown so it slots straight into docs or review workflows.
The main draw is the offline-first design. Most AI code-review tools require sending your source to a remote API. This bridge flips the default: the local Ollama pass handles the bulk of the work—scanning for bugs, security issues, or performance concerns—without any code leaving your machine. The Gemini refinement step is entirely opt-in, which makes it practical for proprietary codebases or air-gapped environments where you still want LLM-assisted review.
The architecture is straightforward but worth noting. Ollama exposes a local HTTP API (default localhost:11434), and the bridge talks to it directly. For the Gemini leg, instead of using a REST client, it pipes the analysis through Gemini's CLI via stdin. This means you get the flexibility of custom Gemini commands and arguments without managing API keys or SDK versions for that stage—just a working gemini binary on your PATH. It also supports file-level include/exclude patterns so you can target specific directories or skip generated code.
WordPress settings pages have been stuck in the register_setting / add_settings_field era for over a decade. The @wordpress/dataviews package ships a DataForm component that replaces all of that boilerplate with a declarative, React-driven interface — and almost nobody is using it yet. I built wp-dataform-settings-page-demo to show how.
Drupal AI Content Impact Analyzer is a module that uses AI to evaluate how content changes ripple through a Drupal site before they go live. It inspects entity references, views dependencies, menu links, and block placements to surface which pages, layouts, and downstream content will be affected when you edit, unpublish, or delete a node. Instead of discovering broken references after the fact, editors get a clear impact report at authoring time.
Large Drupal sites accumulate dense webs of content relationships. A single node might feed into multiple views, appear as a referenced teaser on landing pages, and anchor a menu subtree. Removing or restructuring it without understanding those connections creates silent breakage that only surfaces when a visitor hits a 404 or an empty listing. I built this analyzer to close that feedback gap by combining Drupal's entity API with an LLM layer that scores the severity of each downstream effect and suggests mitigation steps. View Code
Technical takeaway: the key design choice is separating the structural graph walk from the AI scoring pass. The first phase is pure Drupal — querying entity reference fields, views configurations, and menu link content plugins to build a dependency graph. The second phase sends that graph, not raw content, to the LLM for impact classification. This keeps token usage low, makes the structural analysis deterministic and testable, and lets the AI focus on the judgment call: how critical is this dependency, and what should the editor do about it.
Drupal DDoS Resilience Toolkit is a set of tools and configurations designed to harden Drupal sites against distributed denial-of-service attacks. It packages rate-limiting rules, request filtering, and monitoring hooks into a reusable toolkit that can be dropped into an existing Drupal deployment. The goal is to give site operators a practical starting point instead of scrambling during an incident.
DDoS mitigation for CMS-backed sites is often an afterthought until traffic spikes expose weaknesses. Drupal's bootstrap is heavier than a static page, which makes unchecked request floods particularly damaging. This toolkit addresses that by providing layered defenses: upstream filtering rules (for reverse proxies or CDN edge), application-level throttling, and visibility into anomalous traffic patterns so you can act before the site goes down. View Code
Technical takeaway: effective DDoS resilience is not a single firewall rule. It requires defense in depth across the stack. Filtering at the edge is fast but coarse; application-layer throttling is precise but expensive per request. Combining both layers, and adding observability to detect shifts in traffic shape, is what turns a toolkit from a checkbox into something that actually holds up under pressure.
opus-4-6-harness is a lightweight Python toolkit for experimenting with two of Claude Opus 4.6's most interesting capabilities: Adaptive Thinking and the Compaction API. It exposes an OpusModel class for generating responses with optional multi-step reasoning traces, and a CompactionManager for intelligently compressing prompt data to fit within context windows. If you have been looking for a clean way to prototype around these features without wiring up a full application, this is a solid starting point.
Context window management is one of the least glamorous but most important problems in agentic workflows. Once your conversation history grows beyond a few thousand tokens, you either truncate blindly or build your own summarization layer. The CompactionManager in this harness lets you specify a target compression ratio and handles the reduction for you, which is exactly the kind of utility that saves hours of boilerplate. On the other side, Adaptive Thinking gives you visibility into the model's reasoning steps before the final answer — useful for debugging agent chains or understanding why a model chose a particular path.
The project is structured as a standard pip-installable package with no heavy dependencies, which makes it easy to drop into an existing pipeline. The key design decision is separating the model interface (OpusModel) from the context management layer (CompactionManager) — this means you can use compaction independently, for example to pre-process prompts before sending them to any model, not just Opus 4.6. That kind of composability is what turns a demo into a real tool.
The honeymoon phase of "generate everything with AI" is officially over, as major platforms like WordPress and Cloudflare are now forced to build guardrails against the resulting tide of low-quality "slop."
While I didn't push a new repo for this specific analysis, the shift in industry standards directly affects how I build my own agent workflows. The "slop" problem isn't just about bad blog posts; it's about the erosion of trust in both content and code. WordPress's new guidelines and the Cloudflare Matrix debate highlight a critical technical debt: if you can't verify or maintain what you generate, you shouldn't publish it.
The industry is moving toward a "Human-in-the-Loop" (HITL) requirement. WordPress is now explicitly targeting mass-produced, low-value content, while the Cloudflare community is debating whether AI-generated code for complex systems (like Matrix homeservers) is a feature or a liability.
The technical fix isn't to ban AI, but to implement scoring and verification pipelines.
When building content generators, we need to shift from "is this grammatically correct?" to "does this add value?".
Using AI to generate complex infrastructure code (like a Matrix homeserver) without a deep understanding of the output is a security risk. The Cloudflare debate proves that "it runs" is no longer the bar—"it is maintainable" is.
No separate repo—this is a review of external guidelines and industry shifts that are reshaping my development roadmap.
The AI model landscape just shifted again with the simultaneous drop of Opus 4.6 and Codex 5.3, and for once, the "System Card" is more interesting than the marketing splash page.
The AI landscape just shifted again with the release of Opus 4.6 and GPT-5.3-Codex. For those of us building autonomous agents, this isn't just a version bump—it's a potential recalibration of our "Architect vs. Coder" architectures.
I recently worked on the drupal-smartbees-workflow-moderation project, which aims to extend the standard Drupal content moderation capabilities. This module provides a structured approach to managing content states and transitions, specifically tailored for teams needing more granular control over their editorial pipeline.
Managing large-scale Drupal sites often requires a robust moderation system to prevent unauthorized publishing and ensure consistent content quality. This project simplifies the setup of complex workflows by providing pre-configured states and roles, making it easier for site administrators to implement a "Smartbees" style editorial flow without starting from scratch.
One key technical takeaway from this project is how it leverages Drupal's Core Content Moderation API to define custom transition logic. By hooking into the state change events, I was able to implement automated checks and notifications that trigger during specific transitions, ensuring that no content moves forward without meeting the necessary criteria.
For the full implementation details, visit the repository: View Code
The Drupal AI module is getting granular with a new 'Focal Point' operation type and fixing critical streaming consistency issues in the API Explorer.