6 Practical Technology Guides for Today: Passkeys, AI Coding Agents, MCP, Cloudflare Tunnel, Docker Compose Watch, and Dev Containers

Updated: June 5, 2026

This guide focuses on technology practices that individuals, developers, and small engineering teams can apply immediately: improving account security with passkeys, assigning work to AI coding agents safely, connecting external tools through MCP, sharing local applications with Cloudflare Tunnel, speeding up containerized development with Docker Compose Watch, and standardizing development environments with Dev Containers.

Image source: Christopher Gower, Unsplash. JPG image, not SVG.¹

Quick Summary

• To reduce phishing risk, enable passkeys for Google, Microsoft, Apple, GitHub, cloud, and payment-related accounts.
• To use AI coding agents effectively, assign small tasks, define acceptance criteria, require tests, and review every diff before merging.
• To give an AI agent access to external data or tools, configure MCP at repository scope and grant only the minimum permissions required.
• To demo a local app or test webhooks, use Cloudflare Quick Tunnel for short-lived experiments and managed tunnels for serious environments.
• To reduce container development friction, use Docker Compose Watch to sync or rebuild services when files change.
• To reduce “works on my machine” issues, use Dev Containers or GitHub Codespaces to standardize runtime, tools, extensions, and setup commands.

1. Enable Passkeys for High-Value Accounts

A passkey is a passwordless sign-in method that uses your device’s local unlock mechanism. Google describes passkeys as a simpler and more secure alternative to passwords, letting users sign in with a fingerprint, face scan, or device screen lock.² Apple supports passkeys for websites and apps and can sync them through iCloud Keychain across Apple devices.³ Microsoft documents native passkey management experiences in Windows 11 and support across supported Windows client versions.⁴

When to Use Passkeys

Enable passkeys on high-value accounts first: primary email, website administrator accounts, GitHub, cloud consoles, payment accounts, and major social accounts. In enterprise environments, Microsoft Entra treats passkeys/FIDO2 as phishing-resistant credentials based on WebAuthn in browsers and CTAP for authenticators.⁵

Practical Setup Steps

1. Enable device lock, PIN, or biometrics on your primary device. Passkeys depend on local user verification, so the device itself must be protected.
2. Open the security settings for the account. Use Google Account passkey settings, Microsoft Advanced Security Options, or Apple passkey prompts on supported websites and apps.
3. Create the passkey on a trusted personal device. Do not create passkeys on borrowed, shared, or public devices.
4. Keep at least one recovery method: recovery email, recovery phone, hardware security key, or recovery codes.
5. Sign out and sign back in to confirm that the passkey works. Test recovery on a second device or browser before removing older methods.

Security Notes

Do not remove passwords or fallback methods immediately after enabling a passkey. First verify sign-in, sync, and recovery behavior. For work accounts, organizational policy may restrict which passkey types are allowed. Microsoft Entra supports synced passkeys and device-bound passkeys depending on administrator configuration.⁶

2. Assign Work to GitHub Copilot Cloud Agent Without Losing Code Quality

GitHub Copilot cloud agent can research a repository, create a plan, make changes on a branch, write commit messages, push changes, and help prepare pull requests.⁷ The important part is not to assign vague requests such as “optimize the entire project.” Treat the agent like a fast junior collaborator: keep the task small, define measurable output, and require CI and code review.

Image source: Luca Bravo, Unsplash. JPG image, not SVG.⁸

A Good Task Template

Goal: Fix pagination on /admin/users.
Scope: Only edit the user list module. Do not change the database schema.
Relevant files to inspect first: src/admin/users/*, tests/admin/users/*.
Acceptance criteria:
- When page=1, the API returns the first 20 users.
- When page exceeds the total number of pages, the UI shows an empty-state message.
- Add or update relevant tests.
- Run npm test and include the result in the PR summary.
Constraints:
- Do not add a new package unless the reason is explained.
- Do not touch authentication logic.

Review Workflow

1. Create an issue or task with a clear goal, scope, and acceptance criteria.
2. Ask the agent to produce a plan before editing many files. If the plan is wrong, stop early before the PR becomes hard to review.
3. Assign one logical change per task. GitHub notes that Copilot can search code semantically, but specific context still reduces misalignment.⁹
4. Require tests, linting, typechecking, and builds where available.
5. Review the diff as if it came from a human contributor. Do not merge simply because an AI agent generated the PR.

Good Candidate Tasks

Good tasks include documentation updates, tests for well-defined cases, small bug fixes, local refactors, scoped renames, and input validation. Higher-risk tasks include security changes, database migrations, major performance work, and business-logic changes without tests.

3. Prepare the Development Environment Before Giving Agents Complex Work

AI agents become more useful when they can build, test, and reproduce your project environment. GitHub provides guidance for configuring the development environment so Copilot cloud agent can pre-install tools and dependencies and validate changes more reliably.¹⁰

Environment Checklist

• Standard scripts exist in package.json, Makefile, justfile, or equivalent documentation: test, lint, typecheck, and build.
• Dependency installation is documented.
• .env.example exists and does not contain real secrets.
• The part of the codebase being changed has at least basic tests.
• Seed data or mocks are available if the feature requires a database or external API.
• Branch protection and CI requirements are enforced before merge.

Example Verification Commands

npm install
npm run lint
npm run typecheck
npm test
npm run build

For non-Node.js projects, replace the commands with the equivalent workflow. The key is to tell the agent exactly which commands prove that the change works. Avoid vague instructions such as “check carefully.”

4. Use MCP to Connect a Repository to External Tools and Data Carefully

Model Context Protocol (MCP) lets AI tools access external data sources or actions through a consistent interface. In GitHub Copilot, you can configure MCP servers for a repository so Copilot cloud agent and Copilot code review can access external tools and data sources.¹¹

When MCP Helps

MCP is useful when an agent needs to search internal documentation, read issue-tracker context, inspect API schemas, query design-system information, or run specialized analysis tools. The tradeoff is that MCP increases the amount of data an agent can see, so the permission model matters.

Implementation Principles

1. Add an MCP server only when there is a clear use case.
2. Grant the least privilege possible: read-only if write access is unnecessary; repository scope if organization scope is unnecessary.
3. Do not give agents access to production secrets.
4. Document what each MCP server is for, who owns it, and when its token expires.
5. Review audit logs if your organization supports them.

Repository Documentation Template

## MCP servers used by this repository

- docs-search: read-only access to internal engineering docs.
- issue-tracker: read-only access to project tickets for acceptance criteria.
- api-schema: read-only access to OpenAPI schema snapshots.

Rules:
- Agents must not create production changes directly.
- Agents must mention which MCP source was used in the PR summary.
- Maintainers must review all generated code before merge.

5. Share a Local App with Cloudflare Tunnel for Demos and Webhook Testing

Cloudflare Tunnel connects an origin server to Cloudflare’s network through cloudflared.¹² For quick experiments, Cloudflare Quick Tunnels can generate a random trycloudflare.com subdomain and proxy requests to a web server running on localhost.¹³ Cloudflare also documents wrangler tunnel quick-start <URL> for temporary tunnels, which is useful for demos, webhook testing, or sharing a local development server.¹⁴

Quick Localhost Example

If your app runs at http://localhost:3000, run:

wrangler tunnel quick-start http://localhost:3000

Or, with cloudflared:

cloudflared tunnel --url http://localhost:3000

The command returns a temporary URL. Use that URL for a demo or webhook endpoint during testing.

When Not to Use a Quick Tunnel

Do not use a temporary tunnel for production, admin panels with sensitive data, or APIs that write real data. For serious use, create a managed tunnel in the Cloudflare dashboard, attach a custom hostname, enable Access policies, and restrict who can reach the application.¹⁵

Safety Checklist

• Expose only the port you need.
• Do not connect the demo app to a production database.
• Do not run debug endpoints with real secrets in .env.
• Shut down the tunnel after use.
• Rotate webhook secrets after broad sharing.

6. Speed Up Containerized Development with Docker Compose Watch

Docker Compose Watch monitors file changes and automatically updates or previews running Compose services when code changes.¹⁶ The docker compose watch command watches the build context and rebuilds or refreshes containers when files are updated.¹⁷

Example compose.yaml

services:
  web:
    build: .
    command: npm run dev
    ports:
      - "3000:3000"
    develop:
      watch:
        - action: sync
          path: ./src
          target: /app/src
        - action: rebuild
          path: package.json

Then run:

docker compose watch

When to Use sync vs. rebuild

Use sync for frequently edited source paths such as src/, app/, pages/, and components/. Use rebuild for files that change the image or dependencies, such as package.json, pnpm-lock.yaml, Dockerfile, and requirements.txt. Separating these actions avoids full rebuilds after every small code edit.

7. Standardize Development with Dev Containers and GitHub Codespaces

A dev container is a Docker container configured to provide a full development environment.¹⁸ The Development Container Specification defines how to add metadata, tools, and configuration to containers so development environments are easy to create, use, and reproduce.¹⁹

Image source: Alexandre Debiève, Unsplash. JPG image, not SVG.²⁰

Example .devcontainer/devcontainer.json

{
  "name": "node-dev",
  "image": "mcr.microsoft.com/devcontainers/javascript-node:22",
  "features": {
    "ghcr.io/devcontainers/features/github-cli:1": {}
  },
  "postCreateCommand": "npm install",
  "customizations": {
    "vscode": {
      "extensions": [
        "dbaeumer.vscode-eslint",
        "esbenp.prettier-vscode"
      ]
    }
  }
}

Practical Benefits

• New contributors can open the project with a consistent environment.
• CI, Codespaces, and local development can share the same baseline.
• Version mismatches for Node, Python, Go, CLIs, and editor extensions become less common.
• AI coding agents are more likely to run validation commands correctly when the environment is reproducible.

Important Note

Do not put secrets in devcontainer.json. Use platform secret managers or .env.example files that contain placeholder values only. GitHub also documents Dev Container Features, which can add tools, runtimes, or libraries to a dev container configuration quickly.²¹

Quick Selection Table

SEO and GEO FAQ

Do passkeys fully replace passwords?

They can for many services, but you should not remove recovery methods too early. Keep recovery email, recovery phone, recovery codes, or a hardware security key for device-loss scenarios.

Can an AI coding agent merge code automatically?

It should not merge into the main branch without review. A safer workflow is for the agent to create a branch or PR, run tests, and let a human review the diff before merge.

Is Cloudflare Quick Tunnel suitable for production?

No. Quick Tunnel is best for short-lived demos and tests. Production should use managed tunnels, custom hostnames, Access policies, and monitoring.

How is Docker Compose Watch different from framework hot reload?

Framework hot reload usually runs inside the application. Compose Watch operates at the container layer and decides whether to sync files or rebuild containers. They can complement each other.

Are Dev Containers necessary if a project already uses Docker Compose?

Often, yes. Docker Compose describes application services. Dev Containers describe the developer workspace, editor extensions, tools, and setup commands. Many projects benefit from both.

Suggested Structured Data for CMS Use

{
  "@context": "https://schema.org",
  "@type": "TechArticle",
  "headline": "6 Practical Technology Guides for Today: Passkeys, AI Coding Agents, MCP, Cloudflare Tunnel, Docker Compose Watch, and Dev Containers",
  "datePublished": "2026-06-05",
  "dateModified": "2026-06-05",
  "inLanguage": "en",
  "about": [
    "Passkeys",
    "GitHub Copilot cloud agent",
    "Model Context Protocol",
    "Cloudflare Tunnel",
    "Docker Compose Watch",
    "Dev Containers"
  ]
}

Official Sources

Image Sources

Footnotes

1. Christopher Gower — “A MacBook with lines of code on its screen on a busy desk”, Unsplash: https://unsplash.com/photos/a-macbook-with-lines-of-code-on-its-screen-on-a-busy-desk-m_HRfLhgABo ↩

2. Google Account Help — “Sign in with a passkey instead of a password”: https://support.google.com/accounts/answer/13548313?hl=en ↩

3. Apple Support — “Use passkeys to sign in to websites and apps on iPhone”: https://support.apple.com/en-vn/guide/iphone/iphf538ea8d0/ios ↩

4. Microsoft Learn — “Support for Passkeys in Windows”: https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys/ ↩

5. Microsoft Learn — “Passkeys (FIDO2) authentication method in Microsoft Entra ID”: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passkeys-fido2 ↩

6. Microsoft Learn — “How to enable passkeys (FIDO2) in Microsoft Entra ID”: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-passkeys-fido2 ↩

7. GitHub Docs — “About GitHub Copilot cloud agent”: https://docs.github.com/copilot/concepts/agents/coding-agent/about-coding-agent ↩

8. Luca Bravo — “turned on gray laptop computer”, Unsplash: https://unsplash.com/photos/turned-on-gray-laptop-computer-XJXWbfSo2f0 ↩

9. GitHub Docs — “Best practices for using GitHub Copilot to work on tasks”: https://docs.github.com/copilot/how-tos/agents/copilot-coding-agent/best-practices-for-using-copilot-to-work-on-tasks ↩

10. GitHub Docs — “Configure the development environment”: https://docs.github.com/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-environment ↩

11. GitHub Docs — “Configure MCP servers for your repository”: https://docs.github.com/copilot/how-tos/copilot-on-github/customize-copilot/configure-mcp-servers ↩

12. Cloudflare Docs — “Set up your first tunnel”: https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/ ↩

13. Cloudflare Docs — “Quick Tunnels”: https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/ ↩

14. Cloudflare Docs — “Wrangler tunnel commands”: https://developers.cloudflare.com/workers/wrangler/commands/tunnel/ ↩

15. Cloudflare Docs — “Create a tunnel (dashboard)”: https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/ ↩

16. Docker Docs — “Use Compose Watch”: https://docs.docker.com/compose/how-tos/file-watch/ ↩

17. Docker Docs — “docker compose watch”: https://docs.docker.com/reference/cli/docker/compose/watch/ ↩

18. GitHub Docs — “Introduction to dev containers”: https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers ↩

19. Development Containers — “Development Container Specification”: https://devcontainers.github.io/implementors/spec/ ↩

20. Alexandre Debiève — “macro photography of black circuit board”, Unsplash: https://unsplash.com/photos/macro-photography-of-black-circuit-board-FO7JIlwjOtU ↩

21. GitHub Docs — “Adding features to a devcontainer.json file”: https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/configuring-dev-containers/adding-features-to-a-devcontainer-file ↩