# AI Agent Consolidation and Developer Tool Strategy

**Podcast:** The Changelog: Software Development, Open Source
**Published:** 2026-03-27

## Transcript

What's up, friends?
Adam here.
This is Change All News for the week of March 23rd, 2026.
Friends, I'm hot off an epic spring break.
You know, I've never taken a true spring break vacation.
Sure, I've done some things, but never an epic trip to South Florida that we did this year.
He was much needed time away with family, friends, and good sleep.
Sadly, while away, Chuck Norris passed away.
He was a high achieving person in life and someone worth emulating.
He has 10 principles to live by.
Here are two of my favorites.
Number one, I will forget the mistakes of the past and press on to greater achievements.
And number two, I will always remain loyal to my God, my family and friends, and my country.
Okay, let's get into the news.
This is a big one, y'all.
Astral, the company behind UV Rough and TY says it has entered into an agreement to join OpenAI as part of the Codex team.
And I think the reason why this hits so hard for me is that Astral is not some random AI startup getting aqua hired.
These are already some of the most important tools in modern Python development.
So the obvious first question is what happens to the tools?
Astral says the open source work continues after the deal closes, and that matters a lot because UV and Rough in particular are not side projects anymore.
These are foundational pieces of a lot of Python workflows right now.
If we zoom out, the bigger revelation is the center of gravity for developer tools keeps moving toward the coding agent stack.
Astral started out making Python development dramatically faster, and now the same team is heading into codecs.
That tells you where they think the highest leverage work is next.
And if you're a Python developer or honestly, any developer paying attention to tools, this is one of those moments worth clocking because it suggests the future is not just better linters, better package managers, better type checkers as separate things.
The future is those tools getting pulled closer and closer into the agent itself.
Light LLM compromised by supply chain attack.
Light LM1.82.8 was reported to include a malicious dot PTH file that could execute on Python startup and potentially steal secrets from machines that installed it.
Attackers published a fake light LM1.82.8 release directly to PyPy outside Light LLM's normal GitHub release flow.
The current explanation for how it got there is the real story.
Light LLM says a publishing token was exposed through an unpinned trivi security scan in CI.
This was not just one bad package upload, it was a supply chain chain reaction, compromised security tooling, stolen published credentials, then poisoned releases pushed straight to PyPy.
Light LM is not some random edge dependency though.
For a lot of teams, it sits right in the middle of their AI stack, writing model calls, living right next to API keys, cloud credentials, and internal config.
And the dot PTH file is a nasty delivery mechanism because it can execute when Python starts before anybody even imports the library.
So if you're out there and you installed the affected versions, treat this as an incident, not an upgrade bug.
Check where it ran, rotate anything exposed, and look at CI and developer machines first.
The takeaway is the AI middleware layer now belongs inside your real supply chain threat model.
Open code tops hacker news.
Open code blew up this week as the highest traction new coding agent launched on Hacker News.
Open code is an open source attempt to build the full coding agent surface area, terminal, IDE, desktop, multi-session workflows, LSP support with bring your own model flexibility.
The uncomfortable signal is in the timing.
Right before OpenCode hit number one on Hacker News, the project had to strip anthropic OAuth and Anthropic References after legal pressure.
And if you've been on X lately, you've likely heard about the Cloud Open Code drama.
This should tell us the open agent race is real, but it's still happening inside ecosystems controlled by model vendors.
So my read on this is that open code matters less because it's definitively the best agent today, and more because it shows where this market is going next.
The next fight is not just over model quality, it is over who owns the interface, the workflow, and the default home for coding with agents.
Rust has challenges, but here's how we can address them.
The Rust Project published a reality check.
This is not a Rust is doomed post.
It is not a victory lap either.
More like we talked to a bunch of people, and yes, the problems you already think Rust has are in fact the problems people keep running into.
The interesting part is the shape of those problems.
Compile times are still a thing, but they're not really blockers for most people.
The borrow checker is still brutal for beginners, but it bothers experts a lot less, which tells you some of that pain is onboarding pain, not necessarily evidence the language is broken.
Async is still messy in the way Rust Async has been messy for a while.
Except in this post, they are pretty explicit, but there are actual next steps they think can help.
And then you get to the ecosystem story, which is maybe the most important one.
A healthy crate ecosystem is Rust's largest strength.
But people do not always know which crates to trust, which ones are effectively standard, or whether the thing that they need exists yet in their domain.
In worlds like embedded, GUI, and safety critical work, that maturity gap gets a lot more obvious.
I applaud this post because the intent behind it is awesome.
I use Rust daily.
Sure, Rust can be improved, but this shows the project is listening and it shows they have clear pain points to smooth out where there's friction.
And now time for some sponsor news.
Well, friends, I'm here with Michael Greenwich, founder and CEO of Work OS.
Michael, if you didn't know, CLIs are back.
They're all the rage.
And a major problem I personally have with my CLIs is authorization, authentication.
What do you say about Work OS and auth for CLI?
Long live the CLI.
We've had a resurgence of it, which I am so thrilled about.
We have actually have supported CLI auth for many years at Work OS.
This is something called the device grant flow.
It lets you have that really smooth experience where from your CLI app you're building, you can link out to the browser and have the user authenticate through whatever system they have in your app and then bounce back into the browser.
So nobody is pasting their credentials or their secrets into the shell itself.
Kind of zero knowledge, zero trust way of building OAuth authorization.
It works great for existing CLIs.
It also works super great if you're building a CLI specifically for agents, which is kind of all the rage now as people are expanding upon that.
So WorkOS we think is the fastest way to do it.
And you can actually do it without migrating your entire user base.
You can just layer on the CLI auth.
Because WorkOS is so modular, you can just add that in front.
We have people doing this for MCP as well, where they just use Work OS for the MCP authentication gateway and not for the primary identity stack.
So it's totally possible today.
And I think WorkOS is the fastest way to ship auth in your CLI app you're building.
Well, friends, go to workOS.com, try it today.
Again, work OS.com.
Learning to code by building TurboTax.
Ryan Leasey got annoyed enough with TurboTax and the larger tax filing mess that he used AI coding tools to build a free open source alternative and then put it in the public so tax professionals and quote actual programmers end quote can inspect it.
The question is not whether AI can spit out code anymore.
We are past that.
The better question is whether these tools are good enough to help somebody take a real run at expensive, boring, incumbent software that normal people actually depend on.
Tax software is a great test because it is high stakes, full of edge cases, and usually not something you could fake your way through with a polished demo.
Ryan is not asking for your trust.
He's doing the exact opposite.
He's saying, hey, here's the app I made.
It is open source.
Vet it.
If you're a pro, if you're a programmer, vet it please.
This isn't about a journalist suddenly becoming a 10x software tax engineer.
It is whether or not AI lowers the cost enough for we the people to build credible public interest software in markets that used to belong entirely to incumbents.
Why I forked HTTP X.
This is one of those open source stories that sounds niche until you realize how much code quietly depends on it.
HTTPX is a very popular HTT client, and Michael Bajan has now forked it into HTTP XYZ.
And the reason is there hasn't been a release of HTTX since November 2024.
Fixes were sitting around unreleased and upstream trust has been eroding.
Now the real story is not just that somebody got frustrated and made a fork.
The issue is project maintenance risk eventually turns into dependency risk.
In this case, the fork author points to hidden issues, discussions being turned off, years of talk about a future 1.0, and a growing sense that a widely used package did not have a stable maintenance path anymore.
HTTPX is not some obscure utility.
It sits underneath a lot of Python software in even high profile packages like OpenAIs and Anthropic's Python SDKs, they've already begun guarding against a future 1.0 release.
The fork's pitch is the interesting part.
It is not a rewrite.
Not novelty, just a maintainer story they can trust.
Alright, that's it for the news this week.
Thank you for tuning in.
We'll see you back here next week, of course.
Changelob.news.
If you haven't subscribed, do so now and tell a friend.
I've got some amazing shows recorded in the can being produced.
It is amazing.
I can't wait to release them.
Things are getting stacked up over here, and it's so exciting.
Alright, that's it for this week's news.
We'll see you next week.