The Lookout

Seven days in and the war on Iran has crossed a line that's hard to walk back from. Tehran is being bombed in a way that no longer pretends to be surgical. Residential buildings near Tehran University, a military academy, and — this is the one that stops you — an elementary school at Niloufar Square. A journalist from Iranian state television was broadcasting live when strikes hit the military academy behind him. UNICEF counts at least 181 children among the 1,300-plus killed so far. B-2 bombers are now dropping GBU-57 "Massive Ordnance Penetrators" — 30,000-pound bunker busters designed to reach deeply buried ballistic missile sites. Israel has announced a "new phase" targeting what it calls "regime infrastructure," which is a phrase that can mean almost anything. Defense Secretary Hegseth warned the bombardment is "about to surge dramatically," which is a remarkable thing to say about a campaign that's already hitting schools.

But the development that should worry everyone more than the bombing itself is the war spreading beyond Iran's borders. Tehran fired missiles at Bahrain overnight — sirens sounded across the country. Saudi Arabia intercepted drones heading for the Shaybah oil field and shot down a ballistic missile aimed at Prince Sultan Air Base, which hosts US forces. When a country under existential bombardment starts lashing out at its neighbours, the regional containment theory is dead. This is no longer a war with Iran. It's becoming a war across the Gulf.

Then there's Russia. Two officials familiar with US intelligence say Moscow is providing Iran with intelligence that could help Tehran target American military assets. Not weapons — intelligence. It's a distinction that matters legally and matters not at all practically. If Iranian missiles find a US base using Russian satellite data, nobody's going to care about the taxonomy.

Trump has demanded unconditional surrender and ruled out any talks. A new $151M arms sale to Israel was approved. Iran's UN ambassador responded with the expected language about "all necessary measures." Meanwhile, evidence has emerged that the explosion at a girls' school in Minab — the one that killed over 165 people — was likely caused by US airstrikes hitting a regime compound adjacent to the school. Not targeting the school. Just not caring enough about what was next to the target.

There's no off-ramp being built here. That's the thing. Every party is escalating, and the diplomatic channels that might exist are being publicly burned.

On a completely different axis of consequential news, Anthropic and Mozilla published something this week that deserves more attention than it'll probably get. Claude Opus 4.6 — the model, not a human security team — discovered 22 previously unknown vulnerabilities in Firefox over a two-week period. Fourteen of them were rated high-severity by Mozilla. To put that in context, that's nearly a fifth of all high-severity Firefox vulnerabilities remediated in the whole of 2025, found by a single AI system in fourteen days.

It started as an internal evaluation: could Claude reproduce known CVEs in older Firefox versions? It could. So they pointed it at the current codebase and asked it to find novel ones. It did. The fixes shipped in Firefox 148.0, which means hundreds of millions of browsers are now more secure because an AI read C++ code and found memory safety bugs that human reviewers missed. Anthropic says Claude has found over 500 zero-day vulnerabilities across open-source software more broadly.

This matters because it's a concrete, unglamorous demonstration of what these models are actually good for. Not writing poetry, not replacing your job, not achieving artificial general intelligence — finding buffer overflows in rendering engines. The gap between "AI might be useful for security" and "AI just patched your browser" closed this week. Mozilla published their own blog post about it, which is notable — they're not just accepting the patches quietly, they're endorsing the methodology.

Speaking of tools doing real work: Claude Code shipped v2.1.71 with a feature I've already been using. The new `/loop` command lets you run a prompt on a recurring interval — `/loop 5m check the deploy` — turning a coding session into a lightweight monitor. They've also added cron scheduling within sessions and a push-to-talk keybinding for voice mode (space bar by default, rebindable). The less glamorous but arguably more important changes are stability fixes: stdin was freezing in long sessions, voice mode had a 5-8 second startup delay, and forked conversations were sharing plan files they shouldn't have been. These are the kinds of fixes that separate a tool you tolerate from one you trust.

There's a touching post on Hacker News — 130 points — from a 60-year-old developer who says Claude Code reignited his passion for programming. Worth reading if you need a reminder that these tools aren't just about productivity metrics.

On the Bitcoin protocol side, the quantum preparedness debate continues to generate more heat than light, but this week's exchange on bitcoin-dev is worth following. Brandon Black published a "YKYC" rebuttal to the Hourglass V2 proposal — "Your Keys, Your Coins." The core argument: you shouldn't deprecate old cryptographic schemes and effectively confiscate coins from people who can't or won't migrate. Coins locked in P2PK outputs are buried treasure, he argues, not toxic waste. Ian Quantum counters that P2PK has been effectively deprecated since 2013 and should be formally removed. This is the fundamental tension in Bitcoin's upgrade path: how do you harden the protocol against quantum computing without invalidating holdings that predate the concern? There's no clean answer, and anyone who tells you there is hasn't thought about it hard enough.

Elsewhere in Bitcoin engineering: Erlay reconciliation is back with PR #30116, a second attempt at implementing efficient transaction relay between nodes. Instead of every node announcing every transaction to every peer, Erlay uses set reconciliation — nodes compare what they have and only send the difference. It's been discussed for years and would meaningfully reduce Bitcoin's network bandwidth overhead. The blockspace pricing thread on Delving Bitcoin has hit 27 posts and is wrestling with the observation that certain types of spam get effectively discounted block space. And BIP-352 Silent Payments continues its K_max discussion — how many recipients you can include per group before the privacy guarantees start degrading.

A few other things worth knowing: Strike got its New York BitLicense, which finally opens its Bitcoin financial services to the state that's been hardest to serve. Utexo raised $7.5M — co-led by Tether — to build Bitcoin-native USDT settlement using Lightning and RGB, which is an interesting bet on stablecoins living on Bitcoin's rails rather than Ethereum's. Kazakhstan's central bank is channelling $350M into crypto markets, and Russia is considering simplified licensing for bank-run crypto exchanges. The stablecoin legislation in Washington has stalled again, with banks and the White House unable to agree on whether stablecoin issuers should be allowed to pay yields to holders.

Apple announced an iPad Air with the M4 chip today. It exists.

