May 31, 2026
Report summary
7 stories cleared the bar, led by Protecting against token theft, How we contain Claude across products, and Running Python ASGI apps in the browser via Pyodide + a service worker.
Worth attention
Vercel argues inference theft is now a high-margin attack: attackers wrap your AI endpoint in an OpenAI/Anthropic-compatible adapter and burn your model budget. Their recommendation: verify/gate every AI request (not just at login) and treat per-session checks as bypassable at scale; they describe using BotID deep analysis on each request.
Anthropic published a detailed containment write-up across claude.ai, Claude Code, and Cowork: human-in-the-loop approvals degrade (they cite ~93% approval rates), so they emphasize deterministic containment—process sandboxes/VMs, filesystem boundaries, and egress controls—to cap blast radius against user misuse, model misbehavior, and external attackers.
Simon Willison describes a pattern for running Python ASGI apps entirely in-browser using Pyodide + a service worker. The service worker intercepts same-origin requests (e.g. under /app/) and routes them through the ASGI interface, which avoids the earlier limitation where HTML was generated but <script> tags didn't execute.
The Website Specification is a platform-agnostic checklist of ‘what a good website does’ (SEO, accessibility, security headers, /.well-known, performance, privacy, resilience, i18n) with links back to primary standards. It also exposes the spec via a read-only MCP server and per-page Markdown (llms.txt / Accept: text/markdown) for agent consumption.
A Consumer Rights Wiki write-up claims Microsoft Office 2019 for Mac (perpetual license) will drop into view-only mode on July 13, 2026 when a license-validation certificate expires, with no fix for Office 2019 because it can’t reach the required build. Office 2021 / Microsoft 365 on supported macOS can avoid it by updating; Office 2019 users may be forced to switch apps or pay for subscription/new license.
Racket v9.2 is out with a set of language/runtime/Typed Racket correctness and compatibility changes (including match non-linear pattern behavior and Unicode 17.0).
AOMedia’s AV2 v1.0.0 specification and reference code are published (dated 28 May 2026) as the conformance reference for AV2 implementations.
Full digest
Title-only: Show HN: 500 years of Joseon court omens as an observability dashboard
Title-only: Show HN: Helios – what plug-in solar could generate for any address in Britain
Title-only: I accidentally discovered that ChatGPT was sending me users. Then I figured out why.
Title-only: Made my first sale.
Title-only: Hey guys... I would like to introduce...my first dollar 😭
Title-only: I just made my first sale!!! What is this feeling?!
Title-only: Made my first sale from my third ios app before 48 hours
Title-only: What's you opinion on this?
Title-only: Those with 100+ users, what SPECIFICALLY did you do to gather them?
Title-only: Vibe coding didn't kill developers. It killed the excuse for not validating.
Title-only: what saas idea to build man ?
Title-only: [Guidance Required] Achieve Initial sales
Title-only: Payment Gateway for my SAAS app
Title-only: How do you guys measure paid ads?
Title-only: How do you guys promote your SaaS
Title-only: How do I get more people to try my beta?
Title-only: Will you use this couples compatibility SaaS app?
Title-only: Day 16 of building in public
Title-only: Building MVP on Emergent/Lovable
Title-only: Bounces and conversions
Title-only: Looking for founders to test my product Sinter
Title-only: I think I've pivoted this project 20 times. Anyone else do this?
Title-only: Opus 4.8, thoughts?
Title-only: Journey from non-technical to technical-enough
Title-only: Using Product Hunt as one of my beta activation channels before launch, anyone done this? What actually worked?
Vercel argues inference theft is now a high-margin attack: attackers wrap your AI endpoint in an OpenAI/Anthropic-compatible adapter and burn your model budget. Their recommendation: verify/gate every AI request (not just at login) and treat per-session checks as bypassable at scale; they describe using BotID deep analysis on each request.
Title-only: v16.3.0-canary.36
Title-only: Quoting Karen Kwok for Reuters Breakingviews
Anthropic published a detailed containment write-up across claude.ai, Claude Code, and Cowork: human-in-the-loop approvals degrade (they cite ~93% approval rates), so they emphasize deterministic containment—process sandboxes/VMs, filesystem boundaries, and egress controls—to cap blast radius against user misuse, model misbehavior, and external attackers.
Simon Willison describes a pattern for running Python ASGI apps entirely in-browser using Pyodide + a service worker. The service worker intercepts same-origin requests (e.g. under /app/) and routes them through the ASGI interface, which avoids the earlier limitation where HTML was generated but <script> tags didn't execute.
Title-only: I Am Retiring from Tech to Live Offline
Title-only: Quoting Daniel Jalkut
The Website Specification is a platform-agnostic checklist of ‘what a good website does’ (SEO, accessibility, security headers, /.well-known, performance, privacy, resilience, i18n) with links back to primary standards. It also exposes the spec via a read-only MCP server and per-page Markdown (llms.txt / Accept: text/markdown) for agent consumption.
Title-only: Domain expertise has always been the real moat
Title-only: A Gentle Introduction to Lattice-Based Cryptography [pdf]
Title-only: Shantell Sans (2023)
Title-only: I found a seashell in the middle of the desert
AOMedia’s AV2 v1.0.0 specification and reference code are published (dated 28 May 2026) as the conformance reference for AV2 implementations.
A Consumer Rights Wiki write-up claims Microsoft Office 2019 for Mac (perpetual license) will drop into view-only mode on July 13, 2026 when a license-validation certificate expires, with no fix for Office 2019 because it can’t reach the required build. Office 2021 / Microsoft 365 on supported macOS can avoid it by updating; Office 2019 users may be forced to switch apps or pay for subscription/new license.
Racket v9.2 is out with a set of language/runtime/Typed Racket correctness and compatibility changes (including match non-linear pattern behavior and Unicode 17.0).
Original markdown
# Nightly Librarian — Newsletter draft Run: b6ee59f1-37a6-4e3f-9cd7-c700e8011674 Started: 2026-05-31T11:03:32.075Z Completed: 2026-05-31T11:07:37.212Z ## Worth attention - **Protecting against token theft** https://vercel.com/blog/protecting-against-token-theft Vercel argues inference theft is now a high-margin attack: attackers wrap your AI endpoint in an OpenAI/Anthropic-compatible adapter and burn your model budget. Their recommendation: verify/gate every AI request (not just at login) and treat per-session checks as bypassable at scale; they describe using BotID deep analysis on each request. - **How we contain Claude across products** https://simonwillison.net/2026/May/30/how-we-contain-claude/#atom-everything Anthropic published a detailed containment write-up across claude.ai, Claude Code, and Cowork: human-in-the-loop approvals degrade (they cite ~93% approval rates), so they emphasize deterministic containment—process sandboxes/VMs, filesystem boundaries, and egress controls—to cap blast radius against user misuse, model misbehavior, and external attackers. - **Running Python ASGI apps in the browser via Pyodide + a service worker** https://simonwillison.net/2026/May/30/pyodide-asgi-browser/#atom-everything Simon Willison describes a pattern for running Python ASGI apps entirely in-browser using Pyodide + a service worker. The service worker intercepts same-origin requests (e.g. under /app/) and routes them through the ASGI interface, which avoids the earlier limitation where HTML was generated but <script> tags didn't execute. - **The Website Specification** https://specification.website/ The Website Specification is a platform-agnostic checklist of ‘what a good website does’ (SEO, accessibility, security headers, /.well-known, performance, privacy, resilience, i18n) with links back to primary standards. It also exposes the spec via a read-only MCP server and per-page Markdown (llms.txt / Accept: text/markdown) for agent consumption. - **Microsoft Office 2019 and 2021 for Mac view-only conversion** https://consumerrights.wiki/w/Microsoft_Office_2019_and_2021_for_Mac_view-only_conversion_(2026) A Consumer Rights Wiki write-up claims Microsoft Office 2019 for Mac (perpetual license) will drop into view-only mode on July 13, 2026 when a license-validation certificate expires, with no fix for Office 2019 because it can’t reach the required build. Office 2021 / Microsoft 365 on supported macOS can avoid it by updating; Office 2019 users may be forced to switch apps or pay for subscription/new license. - **Racket v9.2** https://blog.racket-lang.org/2026/05/racket-v9-2.html Racket v9.2 is out with a set of language/runtime/Typed Racket correctness and compatibility changes (including match non-linear pattern behavior and Unicode 17.0). - **The AV2 Video Standard Has Released (Final v1.0 Specification)** https://av2.aomedia.org AOMedia’s AV2 v1.0.0 specification and reference code are published (dated 28 May 2026) as the conformance reference for AV2 implementations. ## Full digest - [R] [hn-show] Show HN: 500 years of Joseon court omens as an observability dashboard — https://ajin.im/is/building/omen.ops/ — Title-only: Show HN: 500 years of Joseon court omens as an observability dashboard - [R] [hn-show] Show HN: Helios – what plug-in solar could generate for any address in Britain — https://helios.southlondonscientific.com/ — Title-only: Show HN: Helios – what plug-in solar could generate for any address in Britain - [R] [reddit-saas] I accidentally discovered that ChatGPT was sending me users. Then I figured out why. — https://www.reddit.com/r/SaaS/comments/1tsam1y/i_accidentally_discovered_that_chatgpt_was/ — Title-only: I accidentally discovered that ChatGPT was sending me users. Then I figured out why. - [R] [reddit-saas] Made my first sale. — https://www.reddit.com/r/SaaS/comments/1tsi2nl/made_my_first_sale/ — Title-only: Made my first sale. - [R] [reddit-saas] Hey guys... I would like to introduce...my first dollar 😭 — https://www.reddit.com/r/SaaS/comments/1tsnql0/hey_guys_i_would_like_to_introducemy_first_dollar/ — Title-only: Hey guys... I would like to introduce...my first dollar 😭 - [R] [reddit-saas] I just made my first sale!!! What is this feeling?! — https://www.reddit.com/r/SaaS/comments/1tsng25/i_just_made_my_first_sale_what_is_this_feeling/ — Title-only: I just made my first sale!!! What is this feeling?! - [R] [reddit-saas] Made my first sale from my third ios app before 48 hours — https://www.reddit.com/r/SaaS/comments/1tslikh/made_my_first_sale_from_my_third_ios_app_before/ — Title-only: Made my first sale from my third ios app before 48 hours - [R] [reddit-saas] What's you opinion on this? — https://www.reddit.com/r/SaaS/comments/1tslcig/whats_you_opinion_on_this/ — Title-only: What's you opinion on this? - [R] [reddit-saas] Those with 100+ users, what SPECIFICALLY did you do to gather them? — https://www.reddit.com/r/SaaS/comments/1ts6gxh/those_with_100_users_what_specifically_did_you_do/ — Title-only: Those with 100+ users, what SPECIFICALLY did you do to gather them? - [R] [reddit-saas] Vibe coding didn't kill developers. It killed the excuse for not validating. — https://www.reddit.com/r/SaaS/comments/1tsjzz6/vibe_coding_didnt_kill_developers_it_killed_the/ — Title-only: Vibe coding didn't kill developers. It killed the excuse for not validating. - [R] [reddit-saas] what saas idea to build man ? — https://www.reddit.com/r/SaaS/comments/1tsn6tl/what_saas_idea_to_build_man/ — Title-only: what saas idea to build man ? - [R] [reddit-saas] [Guidance Required] Achieve Initial sales — https://www.reddit.com/r/SaaS/comments/1tsn06o/guidance_required_achieve_initial_sales/ — Title-only: [Guidance Required] Achieve Initial sales - [R] [reddit-saas] Payment Gateway for my SAAS app — https://www.reddit.com/r/SaaS/comments/1tsmnf5/payment_gateway_for_my_saas_app/ — Title-only: Payment Gateway for my SAAS app - [R] [reddit-saas] How do you guys measure paid ads? — https://www.reddit.com/r/SaaS/comments/1tslkd3/how_do_you_guys_measure_paid_ads/ — Title-only: How do you guys measure paid ads? - [R] [reddit-saas] How do you guys promote your SaaS — https://www.reddit.com/r/SaaS/comments/1tsdwhq/how_do_you_guys_promote_your_saas/ — Title-only: How do you guys promote your SaaS - [R] [reddit-saas] How do I get more people to try my beta? — https://www.reddit.com/r/SaaS/comments/1tsbp5y/how_do_i_get_more_people_to_try_my_beta/ — Title-only: How do I get more people to try my beta? - [R] [reddit-saas] Will you use this couples compatibility SaaS app? — https://www.reddit.com/r/SaaS/comments/1tsoboj/will_you_use_this_couples_compatibility_saas_app/ — Title-only: Will you use this couples compatibility SaaS app? - [R] [reddit-saas] Day 16 of building in public — https://www.reddit.com/r/SaaS/comments/1tso4lt/day_16_of_building_in_public/ — Title-only: Day 16 of building in public - [R] [reddit-saas] Building MVP on Emergent/Lovable — https://www.reddit.com/r/SaaS/comments/1tso2zy/building_mvp_on_emergentlovable/ — Title-only: Building MVP on Emergent/Lovable - [R] [reddit-saas] Bounces and conversions — https://www.reddit.com/r/SaaS/comments/1tso2se/bounces_and_conversions/ — Title-only: Bounces and conversions - [R] [reddit-saas] Looking for founders to test my product Sinter — https://www.reddit.com/r/SaaS/comments/1tsnj9p/looking_for_founders_to_test_my_product_sinter/ — Title-only: Looking for founders to test my product Sinter - [R] [reddit-saas] I think I've pivoted this project 20 times. Anyone else do this? — https://www.reddit.com/r/SaaS/comments/1tsndj1/i_think_ive_pivoted_this_project_20_times_anyone/ — Title-only: I think I've pivoted this project 20 times. Anyone else do this? - [R] [reddit-saas] Opus 4.8, thoughts? — https://www.reddit.com/r/SaaS/comments/1tsn64z/opus_48_thoughts/ — Title-only: Opus 4.8, thoughts? - [R] [reddit-saas] Journey from non-technical to technical-enough — https://www.reddit.com/r/SaaS/comments/1tsicab/journey_from_nontechnical_to_technicalenough/ — Title-only: Journey from non-technical to technical-enough - [R] [reddit-saas] Using Product Hunt as one of my beta activation channels before launch, anyone done this? What actually worked? — https://www.reddit.com/r/SaaS/comments/1tsmrsf/using_product_hunt_as_one_of_my_beta_activation/ — Title-only: Using Product Hunt as one of my beta activation channels before launch, anyone done this? What actually worked? - [P] [vercel-changelog] Protecting against token theft — https://vercel.com/blog/protecting-against-token-theft — Vercel argues inference theft is now a high-margin attack: attackers wrap your AI endpoint in an OpenAI/Anthropic-compatible adapter and burn your model budget. Their recommendation: verify/gate every AI request (not just at login) and treat per-session checks as bypassable at scale; they describe using BotID deep analysis on each request. - [R] [gh-nextjs] v16.3.0-canary.36 — https://github.com/vercel/next.js/releases/tag/v16.3.0-canary.36 — Title-only: v16.3.0-canary.36 - [R] [simon-willison] Quoting Karen Kwok for Reuters Breakingviews — https://simonwillison.net/2026/May/31/anthropic-run-rate/#atom-everything — Title-only: Quoting Karen Kwok for Reuters Breakingviews - [P] [simon-willison] How we contain Claude across products — https://simonwillison.net/2026/May/30/how-we-contain-claude/#atom-everything — Anthropic published a detailed containment write-up across claude.ai, Claude Code, and Cowork: human-in-the-loop approvals degrade (they cite ~93% approval rates), so they emphasize deterministic containment—process sandboxes/VMs, filesystem boundaries, and egress controls—to cap blast radius against user misuse, model misbehavior, and external attackers. - [P] [simon-willison] Running Python ASGI apps in the browser via Pyodide + a service worker — https://simonwillison.net/2026/May/30/pyodide-asgi-browser/#atom-everything — Simon Willison describes a pattern for running Python ASGI apps entirely in-browser using Pyodide + a service worker. The service worker intercepts same-origin requests (e.g. under /app/) and routes them through the ASGI interface, which avoids the earlier limitation where HTML was generated but <script> tags didn't execute. - [R] [simon-willison] I Am Retiring from Tech to Live Offline — https://simonwillison.net/2026/May/30/retiring-from-tech-to-live-offline/#atom-everything — Title-only: I Am Retiring from Tech to Live Offline - [R] [simon-willison] Quoting Daniel Jalkut — https://simonwillison.net/2026/May/30/daniel-jalkut/#atom-everything — Title-only: Quoting Daniel Jalkut - [P] [hn-top] The Website Specification — https://specification.website/ — The Website Specification is a platform-agnostic checklist of ‘what a good website does’ (SEO, accessibility, security headers, /.well-known, performance, privacy, resilience, i18n) with links back to primary standards. It also exposes the spec via a read-only MCP server and per-page Markdown (llms.txt / Accept: text/markdown) for agent consumption. - [R] [hn-top] Domain expertise has always been the real moat — https://www.brethorsting.com/blog/2026/05/domain-expertise-has-always-been-the-real-moat/ — Title-only: Domain expertise has always been the real moat - [R] [hn-top] A Gentle Introduction to Lattice-Based Cryptography [pdf] — https://cryptography101.ca/wp-content/uploads/lattice-based-cryptography.pdf — Title-only: A Gentle Introduction to Lattice-Based Cryptography [pdf] - [R] [hn-top] Shantell Sans (2023) — https://shantellsans.com/process — Title-only: Shantell Sans (2023) - [R] [hn-top] I found a seashell in the middle of the desert — https://github.com/Hawzen/I-found-a-seashell-in-the-middle-of-the-desert#i-found-a-seashell-in-the-middle-of-the-desert — Title-only: I found a seashell in the middle of the desert - [M] [hn-top] The AV2 Video Standard Has Released (Final v1.0 Specification) — https://av2.aomedia.org — AOMedia’s AV2 v1.0.0 specification and reference code are published (dated 28 May 2026) as the conformance reference for AV2 implementations. - [P] [hn-top] Microsoft Office 2019 and 2021 for Mac view-only conversion — https://consumerrights.wiki/w/Microsoft_Office_2019_and_2021_for_Mac_view-only_conversion_(2026) — A Consumer Rights Wiki write-up claims Microsoft Office 2019 for Mac (perpetual license) will drop into view-only mode on July 13, 2026 when a license-validation certificate expires, with no fix for Office 2019 because it can’t reach the required build. Office 2021 / Microsoft 365 on supported macOS can avoid it by updating; Office 2019 users may be forced to switch apps or pay for subscription/new license. - [M] [hn-top] Racket v9.2 — https://blog.racket-lang.org/2026/05/racket-v9-2.html — Racket v9.2 is out with a set of language/runtime/Typed Racket correctness and compatibility changes (including match non-linear pattern behavior and Unicode 17.0).