Vite just launched Void, a fullstack JavaScript framework and cloud platform that bundles together routing, SSR, auth, an ORM, and nearly everything you’d expect from a modern meta-framework — all built on top of Cloudflare’s infrastructure. Scott, Wes, and CJ dig into whether Void is the Rails moment JavaScript has been waiting for, or just shiny Cloudflare lock-in with a bow on it.

Show Notes

• 00:00 Welcome to Syntax!
  • The Announcement
• 00:27 Laravel or Rails for JavaScript?
• 01:38 What is this big announcement?
• 04:36 It’s just Vercel for Cloudflare?
• 07:09 Database options.
• 09:37 Brought to you by Sentry.io.
• 10:01 Type safety.
• 12:09 What about RPC?
• 15:41 Component Loaders over Page Loaders.
• 18:23 Baked in authentication via Better Auth.
• 22:57 Lock-in. Unapologetically Cloudflare
  • Evan’s X Post.
• 24:55 Is it lock-in?
• 32:40 Self-Cloudflare your own Void apps?

Hit us up on Socials!

Syntax: X Instagram Tiktok LinkedIn Threads

Wes: X Instagram Tiktok LinkedIn Threads

Scott: X Instagram Tiktok LinkedIn Threads

Randy: X Instagram YouTube Threads

Bhavin Shukla: When Protecting Your Agile Team Becomes the Barrier to Their Growth

Read the full Show Notes and search through the world's largest audio library on Agile and Scrum directly on the Scrum Master Toolbox Podcast website: http://bit.ly/SMTP_ShowNotes.

"The perception I had was safe space means insulation from creating that transparency. It was not about protecting the teams. It was actually about giving them the voice, giving them the platform." - Bhavin Shukla

Bhavin shares a story from early in his Scrum Master journey, working with two teams building a BI and regulatory platform in Australia. When he arrived, team morale was low — people buried in their screens, going for coffee alone, no healthy debates happening. His natural instinct kicked in: protect the team, help them gel, get the best out of them. But his coach asked a question that changed everything: "What's the balance between protecting the team and creating visibility and transparency?" Bhavin realized he'd been shielding the team from stakeholders, keeping ceremonies closed and conversations siloed. When the team opened up their reviews to stakeholders with clear expectations, something shifted. The backlog started changing based on real feedback, healthy tension built up, and the team started humming. The lesson was profound — creating a safe space doesn't mean insulating the team from reality. Psychological safety isn't the absence of difficult emotions; it's the freedom to have them without destructive patterns. By isolating the team, Bhavin had actually been undermining their trust and growth.

Self-reflection Question: Are you protecting your team in ways that might actually be preventing them from building the stakeholder relationships and transparency they need to grow?

[The Scrum Master Toolbox Podcast Recommends]

🔥In the ruthless world of fintech, success isn't just about innovation—it's about coaching!🔥

Angela thought she was just there to coach a team. But now, she's caught in the middle of a corporate espionage drama that could make or break the future of digital banking. Can she help the team regain their mojo and outwit their rivals, or will the competition crush their ambitions? As alliances shift and the pressure builds, one thing becomes clear: this isn't just about the product—it's about the people.

🚨 Will Angela's coaching be enough? Find out in Shift: From Product to People—the gripping story of high-stakes innovation and corporate intrigue.

Buy Now on Amazon

[The Scrum Master Toolbox Podcast Recommends]

About Bhavin Shukla

Bhavin joins us from Australia. Bhavin is driven by unlocking potential and helping people thrive in ambiguity through clarity, honesty, and discipline. He believes growth comes from truthful conversations, thoughtful experimentation, and learning from failure. Guided by ownership, confidence, kindness, and purpose, he focuses on what matters most to build meaningful progress for himself and others.

You can link with Bhavin Shukla on LinkedIn.

Meta just announced a 1:50 manager-to-employee ratio for their new AI engineering team, and Bob and Josh have opinions. They debate what management is actually for, whether AI can substitute for real leadership, and why they're more worried about who copies this experiment than whether Meta pulls it off.

• Reuters: Meta planning sweeping AI-related layoffs
• Meta creates new applied AI engineering division
• Meta’s new AI team has 50 engineers per boss. What could go wrong? | Fortune

Stay Connected and Informed with Our Newsletters

Josh Anderson's "Leadership Lighthouse"

Dive deeper into the world of Agile leadership and management with Josh Anderson's "Leadership Lighthouse." This bi-weekly newsletter offers insights, tips, and personal stories to help you navigate the complexities of leadership in today's fast-paced tech environment. Whether you're a new manager or a seasoned leader, you'll find valuable guidance and practical advice to enhance your leadership skills. Subscribe to "Leadership Lighthouse" for the latest articles and exclusive content right to your inbox.

Subscribe here

Bob Galen's "Agile Moose"

Bob Galen's "Agile Moose" is a must-read for anyone interested in Agile practices, team dynamics, and personal growth within the tech industry. The newsletter features in-depth analysis, case studies, and actionable tips to help you excel in your Agile journey. Bob brings his extensive experience and thoughtful perspectives directly to you, covering everything from foundational Agile concepts to advanced techniques. Join a community of Agile enthusiasts and practitioners by subscribing to "Agile Moose."

Subscribe here

Do More Than Listen:

We publish video versions of every episode and post them on our YouTube page.

Help Us Spread The Word: 

Love our content? Help us out by sharing on social media, rating our podcast/episodes on iTunes, or by giving to our Patreon campaign. Every time you give, in any way, you empower our mission of helping as many agilists as possible. Thanks for sharing!

Microsoft’s AI strategy has, for the most part, been about using third-party large language models (LLMs). First this was mostly about using OpenAI’s GPT models, but more recently, this also included Anthropic’s Claude — and now Microsoft is using both of them in tandem to improve Copilot’s Researcher agent.

The Researcher agent, which Microsoft recommends for problems where deeper reasoning or problem solving across multiple sources is necessary, now includes an optional ‘critique’ feature. With this, GPT will write the draft, which Claude then reviews. As Microsoft notes in its announcement, this review will include checks for “accuracy, completeness, and citation integrity.”

In the future, Microsoft says, it may also give users the option to switch this flow around and have Claude write and GPT check.

Claude and GPT: Better together?

This workflow may feel a bit hacky at first, but it’s also not all that different from how developers sometimes use one model to write the code and another — from a different model family — to do the code review.

At least in Microsoft’s benchmark, this approach also shows some clear advantages. Using Perplexity’s deep research DRACO benchmark, Anthropic’s Claude Opus 4.6 scores 42.7 by itself and 50.4 within Perplexity’s Deep Research mode. Copliot’s Researcher with Critique turned on scores 57.4, higher than any of the individual models.

Sadly, we don’t have benchmarks for OpenAI’s GPT-5.4 yet, but chances are its score would be in the same range as Opus 4.6’s.

Another new feature for research with Copilot is the so-called ‘council.’ This allows users to compare how different models handle a query side-by-side.

Cowork is now in the M365 Frontier Program

Recently, Microsoft also announced that it would bring Anthropic’s Claude Cowork tool — essentially Claude Code for knowledge workers who need long-running agents who can complete multi-step workflows — to Copilot.

Imaginatively named Copilot Cowork, this feature is now available in the early-access Microsoft 365 Frontier program.

Microsoft’s advantage here is that many of its customers would be worried about using Cowork if they had to upload their data to Anthropic. But since these companies already use Microsoft 365 and the Copilot Cowork data stays within their control (Cowork runs in a sandboxed cloud environment), this now enables them to take advantage of these new tools.

“This isn’t about generating content or answers. It’s about taking real action – connecting steps, coordinating tasks, and following through across everyday workflows,” says Barton Warner, SVP of
Enterprise Technology at Capital Group. “Because Cowork operates on our enterprise data and within our security and risk boundaries, we can experiment, learn, and scale with confidence. That allows us to move faster and focus AI in places where it actually delivers value.”

Why is Microsoft doing this?

Having to bring in Anthropic to ship features like Cowork and Critique does say something about the position Microsoft finds itself in now: it is diversifying away from its early reliance on OpenAI, but in doing so, it is also deepening its relationship with yet another model provider. For customers paying premium prices for Copilot, one question on their minds is surely whether the value in using Microsoft’s services lies in the models it orchestrates or in the enterprise data and trust layer that makes those models useful in the first place.

Microsoft is clearly betting it’s the latter, while for Anthropic, this partnership is yet another step in its play to become the AI vendor for the enterprise.

When Microsoft first announced Cowork, its president of business applications and agents Charles Lamanna noted that “it is this multi-model advantage that makes Copilot different.” If Microsoft had its own frontier models, it would likely take a different approach, but as things stand, this is the best approach it can take.

The post Microsoft’s Copilot makes Anthropic’s Claude and OpenAI’s GPT team up appeared first on The New Stack.

As we're always wanting to keep ahead in the security game, I'm happy to announce that we now support Passkeys on Report URI! Let's take a quick look at what Passkeys are, why you should use them, and how we've implemented them.

Passkeys solve a big problem

Let's kick things off by stating the biggest benefit of Passkeys which is that they are phishing-resistant! That's right, if you're using Passkeys to protect your account, you no longer have to worry about falling victim to a phishing attack. This was the primary driver for us to add support at Report URI, to provide our customers with a strong authentication mechanism that will give them confidence they are protected against the pervasive threat of phishing attacks. On top of this tremendous benefit, I feel that they're also much more convenient to use too!

How do Passkeys work?

Instead of relying on a secret piece of information like a password, Passkeys work by relying on cryptography and are surprisingly simple under the hood. Your device will create a cryptographic key pair that will be used for authentication when you need to login to the website. The registration process for a Passkey looks like this:

 User               Browser / OS              Website / Server            
 |                      |                           |
 | 1. "Create Passkey"  |                           |
 |--------------------->|                           |
 |                      | 2. Request registration   |
 |                      |-------------------------->|
 |                      |                           |
 |                      | 3. Send challenge         |
 |                      |<--------------------------|
 |                      |                           | 
 |                      | 4. Create new key pair    |
 |                      |    - save private key     |
 |                      |      on device            | 
 |                      |                           |
 |                      | 5. Send public key + attestation
 |                      |-------------------------->|
 |                      |                           | 7. Store public key
 |                      |                           |    with user account
 |                      | 8. Registration complete  |
 |                      |<--------------------------|
 | 9. "Registration Complete"                       |
 |<---------------------|                           |
 |                      |                           |

You initiate the Passkey registration process in the browser and you will be prompted by your device or password manager to create a Passkey. You device will create the cryptographic key pair, sign the challenge provided by the website, and then return the signed challenge along with your public key, which is stored against your account. The private key is kept securely on your device. Now that Passkey registration is complete, you can then use your Passkey for authentication.

User               Browser / OS              Website / Server
 |                      |                           |
 | 1. "Sign in with passkey"                        |
 |--------------------->|                           |
 |                      | 2. Request authentication |
 |                      |-------------------------->|
 |                      |                           | 
 |                      | 3. Send challenge         |
 |                      |<--------------------------|
 |                      |                           |
 |                      | 4. Biometrics / PIN       |
 |                      | 5. Sign with private key  |
 |                      | 6. Return signed challenge|
 |                      |-------------------------->|
 |                      |                           | 7. Verify signature
 |                      |                           |    using public key
 |                      | 8. Authentication successful
 |                      |<--------------------------| 
 | 9. "Signed in!"      |                           |
 |<---------------------|                           |

When logging in to a website where you have registered a Passkey, you will usually have to initiate the process to sign in with your Passkey. In the background, your device will then start the authentication process and receive the challenge that needs to be signed with your private key. To do that, your device will ask for something like FaceID, TouchID, or similar on your device to authenticate you. Once you have authenticated to your device, it will sign the challenge with your private key and return it to the website. The website can then check it is definitely you by verifying that signature using your public key that it previously received, and then you're logged in! This is such a nice experience and has so little friction for the user, especially when you consider how strong this mechanism is.

How are they phishing-resistant?

When your device creates a Passkey, it doesn't just create and store the keys used, it also stores some important metadata too. The relevant part of that metadata that gives us phishing resistance is the Relying Part ID, or rpId. When you go to Report URI and register a Passkey on our website, the rpId will be saved with the Passkey on your device as report-uri.com and your device can then enforce that your new Passkey is only ever used on this domain or its subdomains. This means that if you end up on a phishing site that looks like Report URI, but isn't actually report-uri.com, the Passkey simply will not work. Take these examples that might make for convincing phishing pages:

https://report-url.com               <-- nope
https://report-uri.secure-login.com  <-- nope
https://report-uri.xyz               <-- nope

The only way that your device will now use the Passkey to log you in is if you're on a valid website where the Passkey is allowed to be used, effectively neutralising the threat of phishing!

How are they being used on Report URI?

There are two ways that you can use Passkeys on your website and they offer slightly different benefits.

1. You can use Passkeys to replace passwords altogether, so they become your primary authentication mechanism.
2. You can use Passkeys as a 2FA mechanism alongside your existing username/password authentication.

At Report URI we've opted for option #2 and now offer Passkeys as a 2FA option alongside our existing TOTP 2FA offering. Passkeys make for an incredibly strong second-factor and our primary goal was to achieve the phishing resistance that Passkeys offer. Looking at option #1 is also a valid approach and there are other benefits too, mainly being able to get rid of passwords from your database and protect against password based attacks. Given our extensive measures to protect user passwords, it was less of a concern for us to move to using Passkeys as our primary authentication mechanism and instead we chose to introduce them as a 2FA mechanism. If you're interested in our approach to securing user passwords, you can read my blog post that goes in to detail, but here is a summary:

1. We use the Pwned Passwords API to prevent the use of passwords that have previously been leaked.
2. We use zxcvbn to ensure the use of strong passwords when registering an account or changing password.
3. We provide extensive support for password managers using attributes on HTML form elements.
4. We store hashed passwords using bcrypt (work factor 10 + 128bit salt) so they are resistant to cracking.

Passkeys are now available on the Settings page in your account and we strongly recommend that you go and enable them!

In the coming week, I will also be publishing two more blog posts. One of them is the full details of the external engagement to have our Passkeys implementation audited. We engaged a penetration testing company to come in and do a full test of our implementation to make absolutely sure it was rock solid. The blog post will contain the full, unredacted report with details of all findings. The second blog post will be the announcement of our whitepaper on Passkeys and the new security considerations they bring if you're planning to use them on your site. Make sure you're subscribed for notifications so you know when they go live!