AI Coding News

May 7, 2026

Key Signals

  • Kiro launched Kiro Web, a browser-based agentic coding platform with collaborative and autonomous modes at app.kiro.dev. The tool supports multi-repo coordination in a single session, GitHub-native workflows with /kiro commands for issue assignment and PR feedback, steering files for team conventions, and isolated sandboxes per task. This positions AWS's Kiro as a direct competitor to GitHub Copilot Workspace and Cursor's cloud agents, with a particularly strong multi-repository story that addresses enterprise monorepo and microservice architectures. [1]

  • OpenAI's new WebSocket-based execution mode for the Responses API delivers up to 40% latency reduction for agentic coding workflows, with immediate adoption across major tools. By replacing repeated HTTP request-response cycles with persistent bidirectional connections, the protocol eliminates the network overhead that had become the dominant bottleneck as inference speeds improved. Vercel, Cline (39% improvement), Cursor (30% gains), and Codex have already integrated it, signaling that transport-layer optimizations are now as impactful as model improvements for real-world AI coding performance. [2]

  • Cursor shipped parallel plan execution via async subagents, in-editor PR review, and automatic PR splitting — compressing the plan-to-merge workflow into a single tool. The "Build in Parallel" feature identifies independent plan steps and runs them simultaneously, while the new PR review experience shows inline threads, commit history, and changes navigation. Combined with the ability to automatically split large changesets into logical PRs, this moves Cursor closer to end-to-end ownership of the development lifecycle. [3]

  • Mozilla revealed that its Claude Mythos-powered vulnerability pipeline found 271 Firefox bugs with "almost no false positives," fundamentally changing the economics of AI-assisted security auditing. The breakthrough came from pairing improved model capabilities with a custom agent harness that gives the model access to Firefox's build and fuzzing infrastructure to dynamically test hypotheses. Sample bugs include 15–20 year old latent issues, sandbox escapes, and IPC race conditions — categories notoriously resistant to traditional fuzzing. Over 100 contributors shipped 423 total security fixes in April 2026. [4][5]

  • GitHub Copilot CLI's Rubber Duck cross-model review agent expanded to pair GPT sessions with a Claude critic and Claude sessions with GPT-5.5, making second-opinion code review a bidirectional feature. This dual-model architecture catches architectural issues, subtle bugs, and cross-file conflicts that single-model sessions miss. The expansion reflects a broader industry trend toward multi-model orchestration where different model families complement each other's reasoning patterns. [6]

  • OpenAI Codex v0.129.0 shipped a major feature set including TUI Vim mode, redesigned session picker, workspace plugin sharing with access controls, lifecycle hooks browsable from /hooks, and experimental goals that persist across sessions. The release also bundled standalone bwrap for Linux sandboxing, vendored Bubblewrap 0.11.2 with security updates, and expanded analytics coverage. This positions Codex's Rust-native TUI as an increasingly complete development environment with IDE-like capabilities in the terminal. [7]

AI Coding News

  • Hands-on testing shows OpenAI Codex's new in-app browser, computer use, and PR review features make it "the strongest Claude Code rival yet" for real-world Python codebases. The in-app browser enabled a 3-minute bug fix by reading a GitHub issue directly and tracing the problem across three files, demonstrating that Codex understands both the task and the broader codebase context. Computer use works for GUI tasks but was intentionally restricted from terminal access for security reasons. PR review cited relevant documentation and flagged genuine test coverage gaps, though sandbox restrictions blocked full test suite execution. [8]

  • GitHub launched dependency scanning and secret scanning for its MCP Server, bringing security checks directly into AI-assisted coding environments. MCP-connected agents like Claude Code and Cursor can now query GitHub's advisory database through plain-English prompts to review packages for vulnerabilities before code is committed. The move follows incidents where AI coding agents autonomously discovered and misused over-permissioned credentials, highlighting the urgency of embedding security into the agent tooling layer itself rather than waiting for code review. [9]

  • Adam Wolff from Anthropic's Claude Code team revealed that 90% of Claude Code's production code is written by or with Claude, explaining how AI shifts the SDLC bottleneck from implementation to architectural decision-making. Three development "war stories" illustrated how testability and immutability enable rapid AI-assisted iteration, why the team pivoted from persistent to transient shell execution for parallel tool calls, and how they shipped and removed a feature in two weeks. The key insight: when coding costs drop to zero, the speed of learning becomes the only competitive advantage. [10]

  • Simplex uses ChatGPT Enterprise and Codex to reduce software design, build, and testing time while scaling AI-driven development workflows across the organization. The case study demonstrates enterprise adoption of Codex as a productivity multiplier beyond individual coding assistance, extending into team-scale workflow automation. [11]

Feature Update

  • GitHub Copilot CLI v1.0.44-0/1/2 released with rubber-duck sub-agent model visibility, quota display fixes for Free users, and shell alias support in ! commands. The timeline now shows the resolved model for rubber-duck sub-agents (e.g., "Rubber-duck(claude-opus-4.7)"), tool permissions granted in autopilot mode are preserved after /clear, Ctrl+C no longer hangs during permission prompts, and invalid URL entries in settings.json are skipped with a warning instead of crashing. A new optional prerelease argument for copilot update lets users fetch the latest prerelease build. [12]

  • Claude Code v2.1.133 added worktree.baseRef setting, effort level exposure to hooks via $CLAUDE_EFFORT, and fixed parallel sessions credential race conditions. The worktree.baseRef setting controls whether worktrees branch from origin/ or local HEAD, and custom sandbox.bwrapPath/sandbox.socatPath managed settings allow specifying binary locations on Linux/WSL. Critical fixes address parallel sessions dead-ending at 401 after refresh-token races, HTTP_PROXY not being respected for MCP OAuth flows, and Remote Control stop/interrupt not fully canceling CLI sessions. [13]

  • Cursor released PR Review, Build Plan in Parallel, and Split PRs on May 7. The new Reviews tab shows inline threads and PR comments, the Commits tab provides focused history, and the Changes tab includes a file tree picker. "Build in Parallel" uses async subagents to execute independent plan steps simultaneously while maintaining ordering for dependent steps. The split-into-PRs quick action identifies logical slices from chat context and proposes a split plan. Skills can now be pinned as quick-action pills. [3]

  • OpenAI Codex v0.129.0 delivered Vim editing mode, plugin workspace sharing, and hooks lifecycle management. The TUI composer now supports modal Vim editing with /vim command, default-mode config, and Vim-specific keymap contexts. Plugin management gained workspace sharing, share access controls, source filtering, marketplace removal/upgrades, and remote bundle sync. Linux sandbox reliability improved across older bwrap versions, symlink-protected paths, and shared /tmp setups, while Windows sandbox handling was enhanced for named pipes, ConPTY teardown, and PowerShell-wrapped allow rules. [7]

  • Gemini CLI v0.42.0-nightly (May 7) fixed JSON output for non-interactive mode, added shell command safety evals, and resolved an A2A server race condition. Additional fixes address invalid custom plans directory handling, sandbox container name randomization, async context management hysteresis, and silent OAuth hangs on headless Linux. The MCP list UX was improved for untrusted folders, and core tools were migrated to a native ToolDisplay property. [14]

  • OpenCode v1.14.41 restored formatter output handling, enabled session warping with uncommitted file changes, and moved the desktop server to a utility process. ACP clients now restore the last model, mode, and effort when loading sessions. The companion v1.14.40 release added .well-known/opencode remote config support, automatic retry of server_is_overloaded API errors, and fixed numerous issues including CORS headers, web terminal CSP, and Cloudflare AI Gateway provider options. [15][16]

  • Kiro added Claude Opus 4.7 with Adaptive Thinking for Pro, Pro+, and Power subscribers in both IDE and CLI. Adaptive thinking automatically adjusts reasoning depth based on task complexity — spending more time on harder problems and responding quickly to simpler ones. Users need IDE 0.11.133+ and CLI 2.2.0+ for best performance and efficiency. [17]

  • GitHub deprecated Claude Sonnet 4 across all Copilot experiences on May 6, recommending Claude Sonnet 4.6 as the replacement. The deprecation affects Copilot Chat, inline edits, ask and agent modes, and code completions. Enterprise administrators may need to enable access to alternative models through model policies in Copilot settings. [18]