February 2026 Developer Roundup: Security Assumptions Broke, AI Still Overpromises

import TOCInline from ' @theme /TOCInline'; February 2026 feels like the month where the industry admitted two things at once: security assumptions were wrong, and "AI everywhere" still does not mean "useful everywhere." The signal is in practical changes, not launch videos. TL;DR — 30 second version Google API keys that were "safe" for Maps now unlock billable Gemini operations -- key governance is broken overnight Drupal had 9 security advisories (SA-CONTRIB-2026-011 through 019) -- update everything tldraw moved tests to closed source because tests encode product behavior = strategic IP AI tooling (Claude Code remote, Open WebUI, WebMCP for Drupal) keeps advancing, but product fit still lags capability PHP 8.4 patch, Node.js 24 LTS and 25 Current updates, WebGPU Chrome 146 improvements mindmap root((Feb 2026 Signals)) Security Google API key scope changes Drupal SA-CONTRIB batch 011-019 PHP 8.4 patch release AI and Tooling Claude Code Remote Control Open WebUI + Docker Model Runner