Docker microVM sandboxes, Argo CD multi-tenant security, AI evaluation in CI/CD
The guide shows how to enforce tenancy in Argo CD by combining AppProjects, RBAC, OIDC groups, and Kubernetes policies, providing a reliable pattern for generating projects with ApplicationSets instead of using the default project. Layered controls—from Git repo limits to sync windows—prevent cross‑team interference and keep deployments secure.
Braintrust’s review highlights how AI eval tools now integrate directly into CI/CD workflows, automatically running large‑scale model evaluations on each code change. Continuous validation catches regressions early, letting teams ship AI features with the same confidence as traditional software releases.
OpenClaw incorporated Gavriel Cohen’s NanoClaw code without attribution, exposing a serious provenance gap in AI‑driven coding agents. The incident underscores missing supply‑chain accountability and trust challenges for DevOps teams relying on autonomous AI tools.
Docker’s Sandboxes run AI coding agents inside isolated microVMs, giving each agent its own Docker daemon, filesystem and network. Admins can enforce uniform policies across machines, making the feature useful not just for AI agents but for any code that needs strong runtime isolation.
cloudopsworks/openrouter is a Terraform provider that lets teams manage OpenRouter API keys, workspaces, and guardrails through IaC. It simplifies shared‑account usage and enforces spending limits, making LLM traffic routing safer and more controllable.
At Build 2026 Microsoft released Scout, its first always‑on work agent built on the open‑source OpenClaw runtime, which is now free to use. The company is keeping its revenue focus on the surrounding control‑plane services—identity, policy, and audit logging—mirroring Android’s model of a free base with paid layers. This shift opens new options for DevOps teams deploying agentic workloads.
A 2026 guide surveys leading Kubernetes security solutions, highlighting runtime threat detection, policy-as-code enforcement, and CI/CD scanning. It compares open‑source options like Kyverno, Falco, and Trivy with commercial platforms such as AccuKnox that add zero‑trust automation and cloud‑posture management. The article helps teams choose tools that protect clusters beyond static image scans.