Today on Hacker News felt like a reckoning with the question of guarantees — what it actually means to have rules, proofs, or licenses that hold when power is uneven. From cryptographic correctness to open source violations to geopolitical arm-twisting, the community kept circling back to the gap between rules on paper and rules in practice. A few cheerful maker projects provided relief.

---

The "IDE for the Agent Era" Is Getting Crowded

Superset (YC P26), launched today on HN, is a macOS desktop application for running multiple AI coding agents simultaneously. The core idea: rather than one AI assistant at your side, you orchestrate a "swarm" of them — Claude Code, OpenAI Codex, or any command-line-based tool — each running in its own isolated git worktree (a git feature that lets you check out multiple branches at once in separate folders, so agents don't step on each other). The app provides a built-in terminal, code review workflow, and editor handoff, all configured via a project config file. It's open source under the Elastic License 2.0 (source-available, meaning you can inspect and self-host it within restrictions), with a free tier and paid features — Linear project management integration, for instance, costs $20/month.

The discussion was lively but skeptical. The recurring question: is this actually a new category or just Cursor with extra tabs? yannoninator asked the existential one directly: "What happens if Cursor makes the exact same features as your product?" hermanschaaf pointed to Conductor and other tools "converging on the same general ideas," while jimmydoe observed that Zed, Orca, and various tmux-based setups all look "increasingly the same." The most grounding response came from micro23xd, a beta user who reported running "40–50 agent sessions over several repos simultaneously without any issues" — the real-world case the product needs to make. survirtual offered the sharpest strategic framing: current editors aim to make engineers 10x more productive, while agent orchestrators like Superset "aim at a different target than the engineer entirely" — suggesting the endpoint is autonomous development pipelines, not augmented developers. gchamonlive was unimpressed by the category altogether: "IDE for the agent era is just Linux... Kitty with oh-my-zsh, lazyvim and an agent."

---

When Rules Don't Have Teeth

Two separate stories today converged on the same uncomfortable theme: enforcement only works when you have leverage.

The first involves BambuStudio, the slicing software (the desktop app that converts 3D models into printer instructions) for Bambu Lab's popular 3D printers. The story, brought to light in a now-deleted tweet by Josef Prusa — founder of rival Prusa Research — alleges that Bambu Lab has been violating the AGPL license of PrusaSlicer since forking it. The AGPL (GNU Affero General Public License) requires anyone who distributes modified software to publish their source changes. Bambu Lab is a Chinese company that has become one of the fastest-growing 3D printer brands globally, and their printers ship with BambuStudio as the default software. The Software Freedom Conservancy, a nonprofit that enforces open source licenses, has since published a formal response to the violation.

The second story, from Dutch outlet DutchNews.nl, reports that US tech companies including Microsoft and Meta shared the names of Dutch civil servants and academics working on European tech regulation with a US Senate committee investigating "tech censorship." The named officials — from the Dutch competition authority and privacy watchdog, plus a disinformation researcher — now potentially face travel bans or US sanctions. Dutch digital economy minister Willemijn Aerdts called it "extremely worrying" and confronted the US ambassador. The bitter backdrop: 67% of some 16,500 Dutch government websites are linked to at least one American cloud service, the Dutch tax office is actively moving more infrastructure to Microsoft, and a major Dutch cloud provider used for government identity systems is on the verge of being sold to a US company. Stopping isn't an option, the government admitted.

Both stories drew the same diagnosis from commenters. On BambuStudio, isoprophlex was blunt: "It's a Chinese company. They don't give a single flying fuck. Nor do almost all consumers as long as the product is good." zipy124 identified the structural vulnerability: "Open source licenses are vulnerable, since defending them costs large amounts of money, and proving violations can be hard since by definition the products that break them are closed-source." amazingamazing concluded bleakly: "Open source for medium and small projects is dead if enforcement is a consideration." The Dutch story prompted parallel resignation. petcat noted the irony that the Dutch government is simultaneously protesting and deepening its Microsoft dependency. microtonal, identifying as Dutch, delivered a withering verdict on national political culture: "Two rules: (1) always choose the option that pleases the US the most; (2) always postpone solving issues to the latest possible moment." pjc50 drew the longer historical parallel: governments receive clear warnings that something costly is coming and defer preparation anyway, because you don't get political rewards for it.

---

Cryptography You Can Actually Prove

Apple's Security Engineering blog published a detailed technical post on how they formally verified the quantum-secure cryptography implementations inside corecrypto — the foundational cryptographic library running on over 2.5 billion active Apple devices. The algorithms in question are ML-KEM and ML-DSA (standardized by NIST as FIPS 203 and 204), designed to resist attacks from future quantum computers that could break today's widely-used encryption. Formal verification, unlike testing, means using mathematical proof tools to demonstrate code is provably correct — not just that it passes test cases. Apple is publishing both the implementations and the verification proofs for independent review. During this process, the tooling actually caught a real implementation bug in an early ML-DSA build that testing would likely have missed entirely.

The discussion was small but technically precise. H0-LawJik explained exactly why formal verification matters here: the bug caught was the kind of "missing-step" error that "looks correct because the next line is correct" — tests wouldn't catch it unless someone rolled exactly the right rare inputs. AlotOfReading praised the SAW (Software Analysis Workbench) and Cryptol tooling as "amazingly easy to use compared to other formal methods tools." FiloSottile raised a pointed transparency concern: Apple disclosed that they found a bug but didn't describe what it was, making independent assessment harder. throwaway85825 tempered the enthusiasm with a broader critique: Apple's security posture isn't uniformly rigorous — parser security remains a known weak point where "they know it's insecure and offer lockdown mode instead of fixing it."

---

Builder Energy: A Punny Shell and a Node-Based Canvas

Two lighter projects rounded out the day. Rubish is a Unix shell written entirely in Ruby, where shell syntax is compiled to Ruby code before execution. It claims full bash compatibility — existing bash scripts should run unmodified — while adding deep Ruby integration: mix shell commands with Ruby expressions, use iterators to process command output line by line, and define functions with Ruby's native `def...end` syntax. A practical standout is `lazy_load`, which defers slow initializations like `rbenv init` or `nvm` to a background thread, keeping startup instant. The name is, yes, a deliberate pun on "rubi-sh."

ArcBrush is a free native desktop app (Windows, macOS, Linux) for node-based 2D image editing — where every operation is a visual node you wire together, and nothing is permanently baked in. The production pitch: define a 9-color palette, wire it into an Export Batch node, and 9 correctly-recolored PNG files appear automatically. It ships with 79 nodes and targets game artists doing repetitive variant work.

Rubish drew warm reception. Alifatisk noticed Claude is listed as a contributor, sighed, then admitted the code "looked quite thorough and well thought out" — genuinely unsure whether it's "vibe coded or LLM assisted." kieckerjan appreciated that unlike most language-showcasing projects, Rubish actually earns the integration: the language is the point, not a curiosity. ArcBrush attracted more skepticism — viraptor flagged that the app appeared suspiciously quickly after a similar project, Plasma Studio, was announced, suggesting it may have been "vibe-code-front-run as a paid offering." That accusation, even if unproven, captures a real anxiety in the maker community right now about AI-assisted concept cloning at speed.

---

Three of today's themes quietly rhyme. The enforcement gap in open source licensing, the power gap that let US companies expose European regulators, and Apple's insistence on proven cryptographic correctness are all variations on the same question: what does it mean to have a guarantee in software? Rules without enforcement are suggestions. Tests without proof are hopes. Apple's corecrypto work offers the rare counter-example — mathematics as the one thing that doesn't depend on leverage.

TL;DR - The "agent orchestration IDE" category is real and growing, but increasingly hard to differentiate from existing tools like Cursor adding the same features. - Open source licenses and EU tech regulations are both revealing their limits when the violating party has more leverage than the enforcing one. - Apple published formal mathematical proofs of quantum-secure cryptography correctness — a rare example of software guarantees that don't rely on trust or test coverage. - The maker community shipped a punny Ruby shell and a node-based image editor, with the recurring question of how much AI-generated code is actually in the mix.