WEBVTT NOTE The Rundown — nextbig.dev daily audio edition, 2026-03-31 1 00:00:00.000 --> 00:00:07.884 Hey everyone, welcome to Builder's Briefing for March thirty-first, twenty twenty-six. I'm Alex, joined as always by Sam, and we've got a packed show today — the MCP ecosystem is leveling up, Copilot apparently snuck an ad into a pull request, and Cloudflare's bot detection is reading your React state. Fun times. 2 00:00:07.884 --> 00:00:12.378 Yeah, that last one especially — I had to read it twice. But let's start with the big story because I think it's going to matter a lot for anyone building agentic stuff right now. 3 00:00:12.378 --> 00:00:20.062 So the hero story today is mcporter, dropped by steipete. The idea is dead simple but solves a real pain point: it wraps any MCP server so you can call its tools as plain TypeScript functions, or even package them as standalone CLI commands. No more fighting with transport layers and JSON-RPC boilerplate. 4 00:00:20.062 --> 00:00:27.268 Right, and what's wild is how obvious this feels in hindsight. Like, if you've been building agentic workflows where your orchestrator needs to call MCP tools programmatically — not through a chat interface — you've been writing a ton of glue code. This just collapses that entire layer. 5 00:00:27.268 --> 00:00:34.298 Exactly. And there's a companion tool called skillshare that's also trending, which syncs your tool configurations across Claude Code, Codex, and other AI CLIs. So you pair those two together and you've got a real story for standardizing how your whole team's agents access tools. 6 00:00:34.298 --> 00:00:41.780 I think this signals something bigger, honestly. MCP's next phase isn't about more servers — it's about better consumption patterns. You're going to see this ecosystem split into server authors on one side and a growing layer of adapters and SDKs on the other that just make the protocol invisible. 7 00:00:41.780 --> 00:00:46.049 Well said. The teams that treat MCP as plumbing rather than product surface are going to iterate the fastest. Alright, let's talk AI news — and this first one is a doozy. 8 00:00:46.049 --> 00:00:46.576 The Copilot ad thing? 9 00:00:46.576 --> 00:00:51.773 Yeah. A developer documented Copilot inserting what appears to be promotional content directly into a pull request. Like, actual ad copy in the diff. And nobody on the team caught it before it almost merged. 10 00:00:51.773 --> 00:00:58.025 That's terrifying if you're running any kind of AI-assisted code review or auto-merge pipeline. It's a really good reminder — treat AI-generated diffs with the same scrutiny you'd give a third-party dependency. Audit before merge, every single time. 11 00:00:58.025 --> 00:01:04.654 There's also a great piece making the rounds arguing that coding agents could make free software matter again. The logic is: when AI agents can fork, fix, and maintain open source projects at near-zero cost, the economics flip back hard in favor of open codebases. 12 00:01:04.654 --> 00:01:11.584 That's interesting because I've actually seen this starting to happen. If you're on the fence about open-sourcing something, factor in that agents dramatically lower the contribution barrier. Your open project might attract way more agent-driven maintenance than you'd expect. 13 00:01:11.584 --> 00:01:19.217 And then there's the Cognitive Dark Forest essay — arguing that AI-generated content is poisoning online discovery. Real thinkers are going quiet because the noise floor is just too high. If you're building content-heavy products, you should be thinking about provenance signals and trust indicators now. 14 00:01:19.217 --> 00:01:24.289 Yeah, that one hit home. It's getting genuinely harder to find real human insight, and it's only going to get worse. Okay, can we jump to the security section? Because the Cloudflare story blew my mind. 15 00:01:24.289 --> 00:01:30.917 Absolutely. So someone did a deep reverse-engineering of ChatGPT's Cloudflare Turnstile challenge, and it turns out it's inspecting React component state and DOM internals as part of bot detection. Like, it's reading your React state before you even type anything. 16 00:01:30.917 --> 00:01:37.923 This is a two-sided story. If you're building browser automation or scraping tools, fingerprint evasion just got way harder. But it's also a huge cautionary tale — if you're shipping React apps with sensitive client-side state, you need to assume third-party scripts can read it. 17 00:01:37.923 --> 00:01:45.556 Also in security, QuipNetwork released hashsigs-rs — a Rust implementation of hash-based post-quantum signature schemes. If you're building anything with long-lived cryptographic commitments, blockchain, document signing — worth evaluating before those NIST post-quantum migration deadlines start biting. 18 00:01:45.556 --> 00:01:47.162 Smart to get ahead of that one now rather than scrambling later. 19 00:01:47.162 --> 00:01:53.816 Quick dev tools roundup — C++ twenty-six is finalized. Herb Sutter's trip report from the London ISO meeting confirms it. Compiler support will land incrementally through twenty twenty-seven, and contracts are going to reshape how people write safety-critical code. 20 00:01:53.816 --> 00:02:01.575 And there's River, which is a fast background jobs library for Go backed by Postgres. If you're running Go services on Postgres and using Redis just for job queues, you can drop that dependency entirely. Postgres-native background jobs with transactional enqueue — one fewer piece of infrastructure to manage. 21 00:02:01.575 --> 00:02:09.007 Love that pattern. Also, chenglou — the person behind React Motion and Reason — released Pretext, a TypeScript library for precise multiline text measurement and layout. If you're building canvas editors or diagram tools and you've been hacking around measureText limitations, this one's for you. 22 00:02:09.007 --> 00:02:14.204 Oh, and Cherri! A programming language that compiles to Apple Shortcuts. Write real code, get an Apple Shortcut with version control and proper programming constructs. That's such a niche but brilliant idea. 23 00:02:14.204 --> 00:02:21.486 Alright, rapid-fire quick hits. Washington state banned noncompete agreements — great news whether you're hiring or leaving. CodingFont is a fun tournament-style game to pick your next coding font, link in the briefing. And Philly courts are banning all smart eyeglasses starting next week. 24 00:02:21.486 --> 00:02:25.628 Wait, Philly courts? Like, you can't wear your Ray-Ban Metas into a courthouse? I guess that makes sense for recording concerns, but that's a sign of things to come. 25 00:02:25.628 --> 00:02:28.641 Also, Waterfox is celebrating fifteen years of maintaining a Firefox fork, which — respect for that kind of persistence. 26 00:02:28.641 --> 00:02:36.977 So here's the takeaway for today. The MCP ecosystem is entering what I'd call the 'make it disappear' phase. Tools like mcporter and skillshare are abstracting away the protocol so developers just call functions and agents just use tools. If you're building with MCP servers, invest in typed wrappers and cross-tool config sync now. 27 00:02:36.977 --> 00:02:41.773 And separately, that Cloudflare React state inspection story is a genuine wake-up call. If you're shipping React apps with sensitive client state, assume it's not private. Harden accordingly. 28 00:02:41.773 --> 00:02:47.121 That's the show for today! Links to everything we mentioned are in the briefing. We'll be back tomorrow — in the meantime, go wrap your MCP servers and audit your client-side state. Thanks for listening, everyone. 29 00:02:47.121 --> 00:02:47.1000 See you next time — happy building!