Please support this podcast by checking out our sponsors:

- Effortless AI design for presentations, websites, and more with Gamma - https://try.gamma.app/tad

- Invest Like the Pros with StockMVP - https://www.stock-mvp.com/?via=ron

- Discover the Future of AI Audio with ElevenLabs - https://try.elevenlabs.io/tad

Buy me a coffee: https://buymeacoffee.com/theautomateddaily

Today's topics:

CSS-only x86 computer demo - A surprising browser experiment: x86CSS emulates an 8086-class CPU using CSS rules, running GCC-produced 8086 machine code with JavaScript optional. Keywords: CSS-only emulator, 8086, Chromium, gcc-ia16, opcode coverage.

Firefox Sanitizer API vs XSS - Mozilla ships the standardized Sanitizer API in Firefox 148 to reduce cross-site scripting by making safe HTML insertion the default via setHTML(). Keywords: XSS, Sanitizer API, setHTML, CSP, Trusted Types.

Age verification vs privacy trap - An IEEE Spectrum piece argues strict underage social-media enforcement drives invasive identity checks, biometrics, and long-term data retention—creating an 'age-verification trap.' Keywords: age verification, privacy, biometrics, ID checks, data minimization.

ENVeil encrypted .env secrets - ENVeil is a Rust tool that keeps real secrets out of .env files by storing encrypted values under .enveil/ and injecting them at runtime with AES-256-GCM and Argon2id. Keywords: Rust, secrets management, .env, encryption, AI assistants.

Diode web circuit simulator - Diode pitches a full electronics workbench in the browser: draw schematics online, drop in common components, and simulate without local installs. Keywords: circuit design, schematic editor, browser simulation, 555 timer, LEDs.

turbopuffer object-storage job queue - turbopuffer rebuilt its indexing notification queue around a single object-storage file plus a stateless broker, cutting tail latency ~10× while keeping FIFO and at-least-once delivery. Keywords: distributed queue, object storage, CAS, group commit, heartbeats.

Coreboot on ThinkPad X270 - A developer ported Coreboot/Libreboot to a ThinkPad X270 fast—after SPI flashing adventures, a missing capacitor, and a tricky PCIe CLKREQ mapping that broke NVMe and Wi‑Fi. Keywords: coreboot, libreboot, SPI flash, RP2040, CLKREQ.

λProlog and ELPI in 2025 - The λProlog ecosystem remains active, with ELPI in OCaml (and Coq-ELPI) plus Teyjus and Makam, showcasing higher-order logic programming and HOAS. Keywords: λProlog, ELPI, higher-order unification, HOAS, Coq.

Missing Semester tools, Tao study - MIT’s Missing Semester IAP 2026 teaches practical dev tools—shell, editors, Git, debugging, packaging, and AI-augmented workflows—while a 1984 case study documents Terence Tao’s early learning patterns. Keywords: Missing Semester, developer tools, agentic coding, education, Terence Tao.

-https://www.withdiode.com/

-https://www.lix.polytechnique.fr/Labo/Dale.Miller/lProlog/

-https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/

-https://gwern.net/doc/iq/high/smpy/1984-clements.pdf

-https://turbopuffer.com/blog/object-storage-queue

-https://missing.csail.mit.edu/

-https://github.com/GreatScott/enveil

-https://dork.dev/posts/2026-02-20-ported-coreboot/

-https://lyra.horse/x86css/

-https://spectrum.ieee.org/age-verification

Let’s start with the most delightfully impractical engineering of the day: x86CSS. This is a working 8086-era x86 emulator—CPU, memory model, and a tiny “computer”—implemented primarily in CSS, running in the browser.

The demo’s punchline is that it executes a C program compiled with GCC into 8086 machine code. The author isn’t claiming it’s a good way to compute—quite the opposite. It’s an artistic technical flex, because if you’re writing logic in CSS anyway, you could just implement the program logic directly rather than emulate a CPU. But as a demonstration of what browsers can be coerced into doing, it’s fantastic.

A small detail that matters: there is a script tag on the site to provide a clock for better speed and stability, but the project also includes a JavaScript-less clock, and it still runs with scripts disabled. It’s mostly for Chromium-based browsers today; Firefox support is “in theory” but the demo doesn’t currently work there. It’s intentionally incomplete—some flags like CF and OF aren’t fully modeled—and the author’s method is pragmatic: compile the programs they want, then implement the instruction coverage required to run them. There’s even tooling so you can drop in your own 8086 binary and entry point, or compile C using gcc-ia16, then run it in this tiny memory map with custom I/O addresses.

Staying with browsers, but moving from novelty to real-world defense: Mozilla is shipping the standardized Sanitizer API in Firefox 148, positioning it as a default-safe way to fight cross-site scripting—still one of the most common and damaging web vulnerabilities.

The key idea is simple: developers keep inserting untrusted HTML into the DOM—often through user-generated content—and attackers smuggle in scriptable attributes or tags. Historically you either hand-roll sanitization or you try to lean on Content Security Policy. CSP can be powerful, and Mozilla has been in that game since 2009, but adoption is uneven because a strong CSP often means real architectural work and ongoing expert attention.

The Sanitizer API tries to close that gap by standardizing how “dangerous HTML” becomes “harmless HTML.” The headline feature is setHTML(), which bakes sanitization into the act of inserting HTML. Mozilla’s example is exactly the kind of thing that bites teams: an img tag with an onclick handler. With setHTML(), that gets stripped down to safe markup instead of silently turning into an exploit.

What makes it practical is migration: for lots of codebases, you can replace innerHTML assignments with setHTML() and immediately get a stronger baseline. And if the defaults are too strict—or not strict enough—you can configure allowed elements and attributes. Mozilla also points to a playground so teams can test policy choices. And for orgs that want to go further, the post calls out pairing Sanitizer with Trusted Types, so you can centralize which “HTML sinks” are allowed and block the risky ones.

From browser safety to platform policy, there’s an IEEE Spectrum argument that modern “keep kids off social media” enforcement is pushing the entire internet into an age-verification trap.

The author’s thesis is that minimum-age rules sound simple—13, 16, pick a number—but real enforcement forces platforms to collect more personal data, not less. Regulators don’t just ask you to check age; they expect you to prove you tried, which means logs, evidence, and retention. That pressure collides with privacy principles like data minimization and storage limitation.

Technically, the piece breaks the world into two approaches. One is identity-based verification: government IDs, digital identity systems, documents. That’s hard in places where teens don’t have IDs, and it creates a high-value stash of sensitive documents if platforms store it. The other is inference-based verification: guessing age from behavior, device signals, or biometrics—like facial age estimation from selfies.

In practice, platforms blend them: inference to flag accounts, then escalating to ID or credit-card checks when confidence is low. The article cites examples like Instagram’s video selfie prompts, TikTok scanning public videos to infer age, and Google or YouTube using behavioral signals with fallback requests for ID or payment instruments.

And the failure modes are messy. Adults get mislabeled as minors and locked out, while teens route around controls with borrowed IDs, new accounts, or VPNs. The author also claims some systems are being gamed at scale—Roblox is mentioned, including allegations of child-aged accounts being sold to predators for access to restricted areas. The big warning is that verification becomes recurring: new phone, behavior change, a model’s false positive—and suddenly you’re asked for more proof, more often, and that data tends to stick around.

Now, a very pragmatic response to a more immediate privacy risk—accidentally leaking secrets to AI coding tools—comes from a Rust utility called ENVeil.

The model here is: your project’s .env file should never contain plaintext secrets on disk. Instead, it contains symbolic references like DATABASE_URL=ev://database_url. The real secret values live in a per-project encrypted store under .enveil/, and you run your app through ENVeil so it can inject the resolved environment variables into the subprocess.

Mechanically, it’s careful about the common leak paths. You set secrets interactively—no passing them on the command line—so they don’t end up in shell history or process listings. When you run something like “enveil run -- ”, it prompts for a master password, derives a 256-bit key using Argon2id with a fairly chunky memory setting, then decrypts the store using AES-256-GCM.

The encrypted store is a binary blob with a random nonce and authenticated ciphertext; it generates a fresh nonce on every write, and any tampering causes authentication to fail. It also intentionally avoids commands like “get” or “export” that would print secrets to stdout—because stdout is exactly the kind of thing that gets captured in logs, terminals, and sometimes AI assistant context. It’s not pretending to solve every secrets problem, but for teams worried about accidental local exposure—especially with copilots watching—this is a tidy, opinionated design.

Let’s pivot to tools that put serious capability into the browser on purpose: Diode is pitching itself as an online electronics workbench.

The landing page is straightforward: create schematics directly on the web, drag in components from a palette—resistors, capacitors, NPN and PNP transistors, LEDs, tactile switches, even a 555 timer—and wire them up. Then simulate right there in the browser, with no local setup.

The message is basically “bring your workshop to the web.” There’s a clear call to sign up for free, so it sounds like a free tier or at least a free entry path, and navigation points to Explore plus the usual sign-in and sign-up. The page also hints at “Featured Projects,” although the content wasn’t visible in the scraped text—likely dynamically loaded. The big value proposition is frictionless experimentation: if you’re teaching, prototyping, or just sketching an idea, the browser becomes your lab bench.

On the infrastructure side, turbopuffer shared a detailed post about replacing an internal indexing job queue—and the design is a nice reminder that sometimes the simplest primitives win, as long as you respect their limits.

Context first: this queue is not on the write path. Data lands in the write-ahead log, and the queue is just the notification and scheduling layer that tells indexing nodes to build or update search indexes asynchronously.

The old design was sharded across indexing nodes, which sounds scalable until you hit the classic problem: one slow node can block all jobs assigned to it even if other nodes are sitting idle. The new design centers on a single queue file in object storage, plus a stateless broker. They aim for FIFO execution, at-least-once delivery, and they report about a 10× reduction in tail latency—meaning jobs spend far less time waiting around.

The write mechanics are surprisingly approachable. Start with a queue.json that’s overwritten each time, but protect updates with compare-and-set conditional writes, giving you atomicity and strong consistency without locks. Pushers append jobs; workers claim the first unclaimed job by marking it in-progress. If the CAS fails due to contention, retry.

Then reality hits: object storage overwrites can take ~200 milliseconds, and some services impose limits like one request per second per object. So they add group commit—buffering many requests in memory and flushing them together—to raise throughput. Contention still becomes painful with many clients, so the broker becomes the only component talking to object storage, running one group-commit loop for everybody, and acknowledging requests only after they’re durably committed.

High availability is handled with a pragmatic, slightly spicy strategy: if requests take too long, clients can start a new broker. The active broker’s address is stored inside the queue file itself, and CAS prevents corruption even if two brokers overlap briefly. For worker failures, per-job heartbeats are written through the broker; if a heartbeat goes stale, another worker can reclaim the job. It’s a queue built out of one durable file and stateless processes—simple to reason about, easy to operate, and apparently a lot faster where it matters.

For the hardware-and-firmware crowd, there’s a fast-moving story: a developer ported Coreboot and Libreboot to a ThinkPad X270 with a Kaby Lake platform, in under a week from deciding to do it.

The workflow starts the way it should: dump the stock BIOS as a safety net, then extract the regions you actually need for a working image—Intel Management Engine bits for generating deguard deltas, the GbE region for Ethernet, and the Intel Flash Descriptor so the final image has the correct layout. They used an RP2040-zero running pico-serprog with flashprog, connected via a SOIC-8 clip, to dump and flash the SPI ROM.

And then, real life: they knocked a capacitor off the board, lost it, and had to identify the missing part using the silkscreen label—PJ304—and schematics. It turned out to be a 10 microfarad 0603 capacitor rated at 6.3 volts. They replaced it… and it kept falling off during repeated reflashes, which is exactly the kind of detail you only appreciate after you’ve been hunched over a board for hours.

On the software side, they validated the dump by inspecting strings and using ifdtool to confirm and extract regions, then followed deguard’s docs and even contributed a commit—pointing out that a patched Intel ME, not necessarily a vulnerable one, can still be used to produce the needed deltas.

They initially based the X270 work off the existing X280 variant, adjusting GPIO and board specifics—no Thunderbolt on the X270, and it has a SODIMM slot instead of soldered RAM. They got as far as SeaBIOS and GRUB payloads, but NVMe boot failed and both NVMe and Wi‑Fi vanished from lspci, pointing to a PCIe configuration issue.

With help from the Libreboot IRC channel—and Leah Rowe iterating on diagnostic ROMs—they eventually traced it to CLKREQ mapping: the X280’s CLKREQ4 was unused, but the X270’s WLAN wiring needed a different CLKREQ assignment, and shifting that mapping fixed the cascade of missing devices. After rebuilding, it booted cleanly into a fully encrypted Guix System installation, with logs available via cbmem. Upstreaming is in progress via Gerrit links, and they’re even considering an ath9k USB path toward linux-libre.

In programming languages and formal methods, λProlog popped up—one of those technologies that keeps resurfacing because it solves a particular kind of problem extremely well: meta-programming with binding and higher-order structure.

λProlog is grounded in higher-order intuitionistic logic based on Church’s simple theory of types. In plain terms, that gives it a strong foundation for modularity, abstract data types, higher-order programming, and representing languages with bound variables cleanly—via what’s called lambda-tree syntax. Historically, it’s also known as the first language to directly support higher-order abstract syntax, or HOAS.

The ecosystem today includes a few notable implementations. ELPI is the current flagship for many people: an embeddable λProlog interpreter in OCaml, with a recent release—version 3.4.5—dated December 11, 2025, and described in an LPAR paper. ELPI also plugs into Coq through Coq-ELPI, which means you can execute λProlog programs inside the Coq environment—useful if you’re building tooling around proof developments or writing sophisticated Coq extensions.

There’s also Teyjus from Gopalan Nadathur’s group, with features like separate compilation and runtime type support, and Makam, a metalanguage refining λProlog, also implemented in OCaml. If you want to learn it properly, the page points to the book “Programming with Higher-Order Logic,” plus tutorials and course notes. And for reasoning about these kinds of specifications, Abella is highlighted—an interactive theorem prover that supports λ-tree syntax and the ∇ quantifier for nominal variables, using a two-level logic approach.

We’ll close with learning and craft—two different lenses on how people actually get good.

First, MIT’s “The Missing Semester of Your CS Education” ran as an IAP 2026 course, aimed at the tool skills that most students end up teaching themselves: shell fluency, editors, debugging and profiling, version control beyond the basics, packaging and shipping code, and code quality.

What’s new in the 2026 framing is that it doesn’t treat AI as a separate topic. Instead, it weaves AI-enabled workflows into each lecture—reflecting how day-to-day engineering is changing, whether you’re using autocomplete, chat-based assistants, or more agentic coding tools. The materials are broadly accessible—videos on YouTube, discussion through the OSSU Discord, and plenty of community translations.

And then there’s a fascinating historical counterpoint: M.A. Clements’ 1984 paper documenting Terence Tao’s early mathematical development, based on assessments when Tao was seven and eight in Adelaide.

The details are striking not because they’re mythic, but because they’re measured. Perfect scores on standardized operations tests well above typical Year 12 norms, rapid solutions to Krutetskii-style mental problems, fluent use of advanced algebraic language—including group concepts—and even sketching polynomial graphs and turning points using differentiation, despite not having formally learned calculus at school.

The paper emphasizes environment as well as ability: a mother with math and physics training who guided more than she drilled, plus Tao’s own intense curiosity—reading advanced texts for hours and teaching himself BASIC on a Commodore, writing math programs around age six. It’s also candid about the schooling trade-offs—mixing primary school with high-school classes, concerns about boredom versus emotional readiness, and early-university planning.

Put next to Missing Semester, it’s an interesting reminder: the tools and the talent matter, but so does the workflow—how you practice, how you explore, and how quickly you can turn curiosity into feedback.

Subscribe to edition specific feeds:

- Space news

* Apple Podcast English

* Spotify English

* RSS English Spanish French

- Top news

* Apple Podcast English Spanish French

* Spotify English Spanish French

* RSS English Spanish French

- Tech news

* Apple Podcast English Spanish French

* Spotify English Spanish Spanish

* RSS English Spanish French

- Hacker news

* Apple Podcast English Spanish French

* Spotify English Spanish French

* RSS English Spanish French

- AI news

* Apple Podcast English Spanish French

* Spotify English Spanish French

* RSS English Spanish French

Visit our website at https://theautomateddaily.com/

Send feedback to [email protected]

Youtube

LinkedIn

X (Twitter)