Hey everyone, thank you for joining us today. We have the webinar on SPEin the world, full of vibe, and we have our two guests, Adam and Michael, who've been working on PowerShell for quite a while. So so take it off, guys, let's see what you got.

Hey, thanks for having us. For those that don't know me, I'm Michael. I've been in the psych work community for, gosh, 13 years now. I think I think around 2013 and shortly after, I met Adam and started contributing to Sitecore PowerShell extensions. So happy to be here.

Yep, I'm Adam. I have been inside core community for a while as well, briefly at Sitecore. And yeah, also a also working on PowerShell and a few other things in the meantime. So thanks for having me Awesome. Well, I guess we'll kick off the slides. So you know, a couple weeks back, Akshay, you were asking about presenting, and to be honest, I came up with what I thought would be the silliest title, because by by coding is, is such? You say, there's a lot of back and forth on like, should we allow live coding? Should we not allow black coding? And so I'm hoping that this this presentation, there could be a little bit of debate on the subject. And so while I was being a little bit cheeky about the title, it also is very relevant in the cycle community, and I'm hoping to to hear what others in the community think about it, so so that we stay kind of on theme with site core PowerShell extensions, the presentation really coincides with work being done for site, core PowerShell extensions, 9.0 and I think one of the themes that you could say In SPE nine is, is that it's not creating a cage around, you know, the use of large language models like Claude and copilot and others, but rather it's it's steering. It's giving it a lane. It's steering it in a direction that I think is much more safe, but not necessarily secure, but more safe, as to what it will do and what you expect it to do, and the outcomes that you get. And I'm hoping that as we go through the presentation and we have our discussions about it, you'll start to really see that, to come together, and at any point, if there's a question, feel free to pose that. So I'd like to let me chip in, because this has been quite a discussion between us right over the past few days, what we call, you know, like guard railing versus security, right? And and, what is the, what is the when we guide the LLM versus what we call is going to be a security feature, and kind of, Michael will probably tell you more about where, where we landed, but it's we also thought that we will kind of surface this discussion a little bit here, because we came to a conclusion, but, but, yeah, it has been, it has been interesting trip for us as well.

Yeah, yeah, that's great. And I think the next slide we'll, we'll dive a little bit more into that discussion, the overall with the presentation we'll talk about, you know, the shift in, you know, by coding, but really just using AI to help accelerate the delivery of solutions. And in this particular case, we're using AI to help us discover, discover opportunities for improvement in SPE, help fix things that might have been time consuming, or just, you know, really, it was just never going to happen. And so we've, we've been able to solve challenges that have have existed for a while. Talk a little bit about how we have used AI to make working with SPEmore structured, I suppose you could say, and also with what is being introduced in 9.0 how AI can more. Reliably be used with psi core and in particular cycle partial extensions, but once again, not guaranteeing that it's safer or more secure, but make it more reliable when you're when you're trying to have these other systems talk to Sitecore a little bit about the MCP server work that's being done. I'm excited about that, and I think it's pretty neat just what what you can do with it. Also, there's a tutorial website that we can talk a little bit about, and then we'll talk a little bit more about SPEand AI, just overall in the presentation. So as Adam brought up, you know, let's talk about using Claude code, using copilot, Gemini, these other technologies in your normal software development cycle. What is your relationship with that today? Maybe Akshay or Cameron. Could you share kind of how have you been using that at your company? What are your thoughts on it?

So PowerShell, Sitecore, power I have to say this because I remember when I was in Poland, I was giving a presentation on PowerShell, and Adam pulled me to the side, and it's like, you have to enunciate PowerShell. Okay, so anyways, Sitecore PowerShell. I can't really think of anyone who doesn't use it on a day to day basis, if you're working on Sitecore, to be quite honest, right now, my primary thing that I'm working on is using a lot of remoting. That's where you get a lot of questions from me on, why can I do this on remoting? Why can't? Why doesn't it report status? Right now, it's a lot of DevOps with bamboo to automate quite a few things, and you can't automate a lot of things without using Sitecore PowerShell. So it's anything from creating packages, automatically exporting things, importing things, as well as running scripts during installation to during deployment, right? So if you're working with a multi team approach for one of the customers, each team for every month the deployment they have, each of them have different PowerShell scripts that they need to run. Each of them, each of the teams, have different item packages that need to be installed, rather than in person, manually doing it. We have processes in place where we use site core PowerShell remoting, remote into the container, then execute all of the packages, execute all of the PowerShell scripts and things like that. So that's what I've been mainly using it at this moment in time. But like to me, automation inside core without Sitecore PowerShell I've never heard of, and it's also really extremely useful in upgrades and rewrites, especially where you know you have a customer that's been on site call for a very, very long time, you need to move everything over to maybe it hadn't been architected Well, or the needs of the business have changed. So the architecture needs to now change. Maybe it's even moving across over to SX a for example, you need to do large content rework to fit the new structures and things. So SP is invaluable in that regard. Prior to using SP, I remember writing aspx pages to do these and it'd be long running processes and something would break, and, you know, be tedious to test it and deploy it and retest it. So SP has really, really, street had really streamlined those types of work. Even migrations actually from vibe coding and migrations are the big things these days. But I know I've spoken to you both before about migrating from like a WordPress site where everything a large, wholesome migration, and was using SP to actually do crawling of the target or website going through, scraping the HTML, looking at specific data, specific content on those fields, and then importing that into site call. So it's, it is the Swiss Army knife of the cycle, right? It's capable of doing a lot, a lot of lot of things. And I guess in the in the right hands, or the wrong hands, it can do a lot of damage as well.

So just jumping to the second question, you know, where do we draw the line from code, code that you've written, in this case, maybe these migrations and code that AI has written for you. You know, how do you how do you say, like, I'm going to only do these tasks and AI is going to do these other tasks for me. How do you draw that? Learning at your company and the projects you work on review. So the truth this is funny, because this is the talk I was trying to give on the user groups, right? The fact is that you can't stop people from using AI to generate code. The fact is that when AI generates code for you. So I want to do this. Here's the SP docs. SP has so many publicly available resources, example scripts that I can tell you right now with almost 100% certainty, people are generating scripts that they don't even check. This is what I want to do. Go generate the script. It generates a script. They paste it in SP, run it on their local works. Fine, great. They just use it now. The problem with that is it's not generating one or two lines of code. It's a few 100 lines of code to be like very conservative right now. Who's checking the 200 300 lines of code, no one, and I doubt even 5% of the population is and that's where the problem is. Right for us, it's mainly trying to make sure that there is a review process. And that's what we are trying to do, is to make sure the speed at which we are generating is increasing, the speed at which we are reviewing is not increasing to accommodate for that. So for us, it's mainly code reviews and human code reviews, not AI code reviews. It doesn't make sense and AI testing, yeah. So the for us, it's mainly trying to add those we're spending less time on generation. So then the time shift has to move into review, and that's what we're trying to do. Yeah, good points. So so as I was, you know, starting with SPEnine, and certainly leading into this presentation, I kept thinking about my experience having AI interact with my local site, core instance, and there were times where I go, man, there's no way I would do this in production, like there were. There's no way, based on the results I'm getting, that I would have any confidence that it's not going to create an outage. You know that I'm going to have to have to do a database restore, if I just let it free run. You know, free reign run all over the site, for instance. And so, you know, the theme of 9.0 is, well, how do I, how do I take advantage of the accelerating skills of AI? But how do I also make sure that I do those proper code reviews. And, you know, as Adam and I have have, you know, discussed over the last few days, there's been some some nice wins with the enhancements, and there's also been some challenges and just quality. Because you think, Oh, I'm so convinced that it did a really good job. And I, you know, I do my testing, and it, it looks really good, and then, and then you go, you know, what? If I had spent five more minutes, 10 more minutes, I would have caught this, you know, if I would have let it bake for a day and come back with fresh eyes, maybe I would have caught, you know, this particular problem. And now we're like, 800 commits later, wondering where, where was this change introduced? And so I'm, I'm excited about what we can do today and and so let's, let's keep going. So one thing I do at work is I talk about, you know, what would, what would AI look like working on a project, like, where, where would it fit really well, and where might it be sort of overreaching. And, you know, one thing that I also consider is a developer's role in the project, and how AI is helping that developer. And so for me, personally, I've, I've spent in the last few months less time trying to trying to be intentional about what I what I asked Claude to do, or what I asked Jim and I to do, and I spent a lot less time focused on, am I writing perfect C sharp, like, do I understand the syntax in this new version of.net better than I did before? Do I know these new JavaScript standards that have existed for 10 years, but I just never learned them, because I'm not very good at it, right? So now I've been able to really focus on, what's the intent, what's the feature that we want, and what can I do to make sure that that feature is built correctly? And I'm certainly not that great at it, but I'm getting better at it. And the the earlier I had mentioned about some features that we've been building for SPE one, if it. Particular, I think it's Adam. Tell me, is it like three or four years old? The the ISC output panel that's divided between the text area and the output pane. There was a feature request to make it vertical so you could take advantage of wide screens. And I think it got close. I think it just it sat in the in the backlog for so long that there's just really no likelihood that it was going to happen, probably by eight, 8.0 it just got closed. And so in this process, I started thinking, what are, what are challenges that we would have just never got to, that we would have closed that maybe now it's five minute conversation, some clear documentation on what the outcome should be, and then you could just make it happen. And so it's it's no surprise to me that there's a lot of excitement about using these tools. Just with the hackathon, there were some great tools that came out of that great submissions where AI was delivering something that no way you could have done that in 24 hours by hand, right? This is like impossible to imagine that someone could build this of this quality, this capability, in a 24 hour period, and now it's like, oh yeah, I actually expected more in the 24 hour window. Like, you, like, Why did you stop here? You should have had it create new videos and stuff. So it's, it's becoming standard for teams. It's standard for developers and and so we're not so we've addressed that. Like we're moving on. AIS is here with us forever, for the foreseeable future, at least, and and so now the challenge you know, as Akshay pointed out, where do we draw the line between I'm I'm the author and I'm the reviewer, and how much do I let AI create for me, and how much do I force someone to actually look at every line of code and to actually make edits and to test every single line and have break points and get into the details it's it's becoming more comfortable. I'm becoming more comfortable, unfortunately, to say, oh, you know, I'll let, I'll let AI go do this stuff for me. You know, How do y'all feel about that? How is, how has your experience been with it? And what guardrails Have you or maybe, what fence Have you lowered because you're becoming more comfortable with AI, yeah, how I'll chip in? Because I'm thinking, Yeah, I agree. AI is here to stay. It is and it will be here long after we're gone. But I still think, and I will, like I've been for the past few days, for Michael, I can hold grump, not in terms of not using AI, because I am losing a lot of sleep, implementing all the different things in different places, but it is because it's so fast, you cannot be more relaxed. You need to be more guarded. And I My understanding is that, and what I've seen in my projects is that AI will give you superpowers, or AI is the amplifier. If you are competent, you shoot lasers from your eyes, but if you blink, if you don't put the guard rails in place, if you are if you let slope slide, the bad patterns are much are multiplying at a much higher rate than the good patterns. So if anything, you have to be more strict, and you have to be much more guarded about your code, having excellence kind of baked in, create the rules, guide the agents. I am. I'm Yes, I agree the vertical split would never be implemented if we didn't have AI, because it effectively is a great teacher, but it's a great teacher that will every once in a while. To have a little too much, you know, to drink and and you basically, and you basically have to, you know, just make sure that it's not, that it's not breaking other things, right? So, it is all about like, if anything, we need to be much more guarded, because we basically have a horde of interns working for us. And it is, and it is great. They are all very enthusiastic, but they will be, but they will just take us to town if we don't, if we don't, just properly, have put the proper, you know, discipline in place, right? And I'm, I'm like, the amount of stuff that I am now capable to learn that I would not be learning before is incredible, like, if I need to learn anything, I will just, hey, this is a subject I want to know everything about. Here's my angle, and just write me a book special, specifically for me, right? And it, it is doing an incredible job. But you also have to be always saying, Hey, be factual. If you don't know, say you don't know if you, if you are, if you, if you state any facts. I want a link for everything, because otherwise you'll just, you know, like, if you if you're not doing it, it will, it is better and better. I mean, AI will never be as bad as it is. Now, every next version is going to be better, right? But it's still, you know, like many geniuses were ultimately went crazy, right? That that happens with with this tool as well. And there is one thing that you mentioned, oh, you know, like before, I would never learn AI on production like, even with those guardrails that we put, if I will hear anyone like saying that they just use this on their production server, we're going to have a different discussion, right? I'm just, you know, going to be using that pin, right? It's, it is, you know, there is a lot of things that I'm not regretting, that we've put very early on in SPE, like event handling or even, handler plugging or jump, you know, jumping into pipelines with PowerShell scripts. But you can very like you can be. You have to be very guarded, and you have to be, you have to use this kind of things very sparsely. And I, I am one of the biggest enthusiasts of AI in in and I'm just, we're using it quite a bit, also internally in the company, but process and discipline is the thing that will, that will give you the the superpowers, or will just because you get you into into A lot of trouble. So, you know, like, I've been giving Michael a lot of grief, because we've been like, discussing a lot of those features, and we kind of started with from the point of, you know, a lot of this, being like, Hey, this is security. And then we dismantled it in 15 minutes, right yesterday, that was fun, where basically with the with the even with the so Michael is going to be talking about the the language, the Constraint Language, which is incredible feature, and it gives you interesting features for from the point of, okay, I don't want the stuff to be, you know, immediately breakable, just don't treat it as security feature, is my thinking, and it's and. Of me rambling.

Michael, back to you. Yeah, awesome. Thanks, Adam. Well, let's, let's jump into to what you were describing. Could be great. So Adam was mentioning about the constrained language mode. This is a feature of just standard PowerShell by default. PowerShell run space uses a full language mode. Essentially means you can do anything and everything that can be imported into that run space modules, modules in the sense of like a PowerShell module on the hard drive, any arbitrary script functions can be imported into the session. You could have like invoke expression, which is one of the dangerous commands that you often have. Antivirus type tools scan for where you run invoke expression and a base 64 encoded string, and it can contain whatever you want. And so a lot of these eight antivirus tools, they will look for signatures in these scripts and say, hey, you know what? There's this is probably a problem for our environment. So constrained language mode is what initially I was presenting as though, hey, this is a security feature, and it's, it's really, I think that that was a mistake on my part to just treat it like it was a security feature. It's really more of a guardrail, and I think Adam helped, helps kind of get me back back on track to say, look, if, if I'm going to give you a weapon, maybe we start off with a blunt or dull weapon first, not one that can cause serious damage up front. You know, are you going to give somebody a paintbrush or you're going to give them a spray gun, and if they're not skilled in a paintbrush, might not be skilled in a spray gun. And so what's the what will be the fallout if, if there's a mistake made? And so constrained language mode is a way to say, I only want commands like compiled commands to run, perhaps ones that I have included in an allow list so I don't trust anything. Then you explicitly trust things, as you say, hey, you know what write host is not a problem. Let me trust that, or format table, that's not a problem. Let me trust that. And so it's a way for you to opt in on the things that you do trust relative to whatever the problem is that you're trying to solve. In constrained language mode, you can use the core.net types like int, string, double, but you can't use some of the types, like creating a new SQL connection to a database, right? That's a that's not a core type that you get that's added on to the framework to allow you to interact with SQL Server Oracle or whatever, and so those are restricted by default. And so I sort of continued that theme of what are things that I can put in place that will knowing that someone will eventually do something wild and crazy with PowerShell remoting. What can I do to limit the problem that they created? And maybe they incrementally opt in on more and more capabilities until they're at a degree that they're comfortable. So you take constrained language mode, and then you add that to profiles. So I'm going to create a unrestricted profile that works just like I get today, with doing anything and everything. And then I'm going to create a read only profile. I'm going to create a content editor profile, and so maybe I only want to run, get item commands and filtering, you know, some real trivial things, because I'm going to use a system outside of site core to create reports, and I want to use the remoting API to to consume that data. Okay, well, so these profiles are a way that you can constrain take all your constrained language ideas and put it into something that's transferable from environment to environment. Now, trusted scripts, you know, Adam's got me second guessing even the word trusted. I'm I'm now, actually. Leaning towards maybe, like verified scripts, that might be a better, a better term to use for this. It's something that we have tested benign. Well, okay, so I work so, so a simple example would be SPEcomes with a function called convert to xlsx, right? It contains export xlsx, right? Excel document. Well, that's bundled in SPE. Someone trusts it to be run through remoting. So do we call it trusted. Maybe just verify that might be a more suitable name to say, Hey, we've we've tested this out, and we verified that it's suitable for remoting. So we're going to add it as a verified script comment and in the chat comment on LinkedIn if you've got some opinions about it, and we'll see what we get put together. So then the next thing is, well, today you get a couple different ways to authenticate username and password for still doing that. Shame on you. I want to, I want to remove that completely, but we need some backwards compatibility. Do you have a question?

Adam, are you I wanted to are you guilty? No, what I wanted to say, because I've been like, we've been having this metaphor effectively still on the previous subject, like you're, imagine you're living in a castle, and you have your gates closed, and no one can get in. And effectively, that's where that those are the gates that we have, right? We cannot let your scripts in. We cannot let you in. We need to be. We need to be effectively the at the entrances, right? And then, when we're talking about those language restrictions, is just basically like putting logs on your cupboard in your house, right? Okay, so you shouldn't be going there, and this is my private thing, and I locked that door, right? But if you let a thug in your house, they are not going to respect that, right? You are living in a castle for a reason, right? And that's effectively I would like you to think he's just going to smash that cupboard. So would you say that that SPE remoting when enabled is like letting the drawbridge down to get into the castle in some of the changes that I'm describing is effectively slowing down or limiting, to some extent, what can pass across the drawbridge. Would you say it like that? I would say that your security measure is you have a VPN. You have you have a proper you know, security protected, you know the endpoint, protected with the password behind the you know, behind proper guardrails that may not be necessarily native to Sitecore, right, once you're in, limiting anything in is just this is this is not going to happen, right? And everyone is now talking about the mythos, and even the guardrails that we have right now may not be enough, the outside guardrails right with it just basically crushing every system it encounters. Right the new the new entropic model, now thinking that whatever between the two of us we build is going to be secure, we would have to be very naive right to think that, right? So all everything that you did before you still have to do that and more and more whenever methods goes public and will be available to the bad people as well as the good ones, right?

So, yeah, yeah, excellent points. Thank you. Yeah, so So to piggyback on that in SPE, 8.0 you get. It a shared secret. And I can't remember what version that came in, but you know, my goal was, I'd like to stop using a username and password connecting to remoting. And so today, that option is still there, but that's really not the right way to do that. And so the shared secret was a way to to say, hey, why don't we do it just a little bit different, something that is is configured and but it still doesn't feel that secure, and it served its purpose. So item based API keys, feels like the next evolution site core has this in other services that are already there today. And so what I want to be able to do is to say, hey, I want to give you a key and then shut it down when you're not using it, and I want to give you a key and give you even less access, and then shut it down when I'm ready to shut it down. Right? Maybe, maybe this endpoint doesn't need to be communicated with, 24/7, then maybe we have a scheduled task that in a five minute window, it unlocks it or enables IT and disables it, right? So there's there's more options in the configured shared secret is deployed with the application, and the only way to change that is, in essence, to redeploy something. So the item based API key, to me, felt like just the natural progression, as I said. And so what I've been able to do is associate a key with a an account to impersonate. So today, if you logged into remoting, you would, unfortunately consider using the admin account, when the better approach would be to use some purpose built account with limited access, you know, maybe with limited access in the content tree. And so you use the site course security model to help kind of scope, what it can it can talk to. So assuming you did that, and also, hey, I want to limit how how chatty you are with psych or with a cycle power show endpoint, we're going to do some throttling. And I found so far that this is this has been good. Because, as one can imagine, if you decided that you're going to let ai do all of that communication for you, then we've got to have some way to limit that right now. It's, it's a free for all. If you, if you can authenticate with promoting, then you can do what you got to do. And so let's create some guardrails around that. Any comments about that?

Well, I mean, I The biggest benefit of it that I can see is kind of what, what what was, what I always like and always say, you can do a lot of that without redeploying. Because when you, when you do something with config files. Well, you know that this is not going to be taken well by your site, for instance, right? And it will have to wake up again. So that is, that is probably one of my favorite aspects of it. Yeah. Another mind. Adam, Have you guys played around with this with Sitecore? Ai instances, how does that? Like, do you have any info on how people are using it, or, like, how? Yeah, so this SP nine has not been deployed to a Sitecore. AI instance, as of yet, perhaps, you know, the great people at your company can help, help us figure out how we can get access to to an instance to really test but it's a great question, and I think that's going to be the question every year, is, what is SPEs role within the site core AI ecosystem, and how does SPE need to evolve to provide similar or better capabilities, but in a world where it's a SaaS offering? Now one one example of something I tried the other day was I created a custom app, and the app actually was a full screen of another website I had hosted, and it was essentially a mock PowerShell engine with text editor capability. And auto completion and everything, all within the browser and disconnected from site core. And I'll speak a little bit about that later. I think that could potentially be where we go in the future is similar capabilities, just deploy differently, not, you know, not necessarily.net, code deployed to a.net application, but a maybe a JavaScript based web service that does the same thing, and you still get the PowerShell scripting language just in a sandbox, and the access that it has, you can have more granular control over it, right? So I, I think just naturally we'll, we'll move in that direction. And so I think on our next webinar, we'll, we'll maybe share more about that.

This is an interesting this is an interesting challenge, because on one side, yeah, we know that we should be taking more out of the site core process, right? If we want to move to the in an extreme cloud direction on the other side, you also mentioned that you don't know anyone who is not using it. So this is like a weird dichotomy right on those fronts. So, you know, I'm of two minds. Personally, I will see there has been different pivots in different in different points for like, like, five years ago, I was worried about, you know, Will anybody be using SBE? And here we are presenting SBE, so it's, it's both comforting knowing that it's still around, and I think a true testament to to the quality, I think that is being delivered with SBE, but it's still a trusted brand, if you would. It's still a product that the community says, hey, it's necessary, regardless of you know where you're at in your implementation. So I think with obviously, with AI, we talked about it earlier. If you get a lot of hallucinations, you can run the same prompt twice, you'll end up with two different results. This is a good thing with SP is it's very repeatable. You've tested something, you repeat. You've run it 10 times, it's going to run exactly the same. So when you when it's used in conjunction with AI, you can use AI to generate the SP scripts to then run within your various environments, right? And you can test it in a lower environment and not have to run those scripts in a production environment. And of course, the other benefit is, it is you get savings in AI costs because you're not running unnecessary tokens, well, so the excellent segue cameras. So this is by no means production ready, and by no means permission for someone to say, Michael gave me the green light to go test this out in production, but I wanted to at least talk about the challenge that you're describing here, where I want AI to go do things for me, but I also want to be conscious, conscious of how much it's doing, because there's an expense to that, both in time the tokens have an expense, especially if you're on a on the API usage, you're paying high rate, you know, much more than like a subscription. So some of the ideas that I've had, and I'd love to hear what the community thinks about this, is, you've had a recent Inc server published to the community, which was like, felt more like an exhaustive list of all the commands that could be run in SBE. And I thought, Well, why don't we treat it more like what you get today with remoting? Remoting, the doors open or the doors closed, the doors open, you do whatever you want to do, and you shut the door. And so it's really the MCP server for SPEshould consider that in in sort of whatever feature development that's going to take place. And so as I was, you know, testing out, you know, have a, I go run a report, and then it would make up all sorts of stuff. It would create scripts that like commands that didn't exist, syntax that was invalid. It would have it, have you. Yeah, well, the biggest issue was they would actually make up commands that don't exist, and it's like, well, this doesn't even run. And it says, like, 10 minutes later, I just, like, sort of give it up on it creating a report. And so I thought, well, what could I do to make that a better experience? And so I started building a little MCP server for that. And along the way, I said, You know what? A lot of these capabilities should just exist in SPEremoting. So for example, I wanted to constrain the language. Well that first showed up in the MCP server. I was like, Well, that just sounds like everybody should have this. So then I moved it into the remoting. And then the MCP server has no knowledge about which constrained language is being used, or is it full language. It doesn't know which profile is being used. Why don't I just make that available in SPEremotely, and then let the Inc server have access to that. And so it just just sort of incrementally happened where I had an idea, I tried it out and said, you know, everybody should get this, and I do it again. And I was like, oh, everyone else should get that, too. And so in my my latest test, I can tell the plot agent, hey, go, go find items in Sitecore, and it will test the connection, validate the version of Sitecore. If there's errors, it will report back errors, because the errors come back from Sitecore with enough detail that it has sort of the ability to make decisions on what to do next. And so, you know, maybe to where you're headed with this commerce is, I'm I was focusing on what can SPE rebooting do and the MCP server do to make the whole system work well together and not be frustrating to a user and to not do things that are unacceptable. So for example, if if I'm only allowing an agent to connect with a restricted profile, then I have less concern that it's going to delete a bunch of items it's it's not out of the realm of possibility, but I'm much more concerned about the quality of the output, and less concerned about it hallucinating and then deleting items or creating a function that can then go delete items, right? So there's, there's just sort of a lot of back and forth. It's like, well, could it do this? Shouldn't do this. And so along the way, I learned a lot about how to make SPE better just on its own, and then how to make it usable more so than it has been to date. What are your thoughts on that? Adam, you think I'm full of BS, of course. Oh, no, no, absolutely. I don't think, no. I think this is that's all good. I'm thinking how I, I may be using it in in the future, that will probably be, probably be restricted to lower environments, like my local environment, and maybe, you know, up to staging, where I would say, Okay, here's site, core, you know, find me like, make me an audit of the solution. Are there, you know, too many versions? Are there too many children or or I want to create this report, understand the templates of that so that I can, you know, get the reports locally right so effectively, like, empower the AI to let me be better, To help me create the remoting scripts, because it then knows about my instance, right, yeah, just don't dare touching anything, but you can learn about my instance, right?

Yeah, yeah, yeah. Good points, Adam, just, just to touch on that. So one of the one of the neat things with the MCP server is it will have access to which API key you give it. So if I go create an item API key, then I can go give it, and if I no longer trust the MCP server or whichever system that I can just go shut the key down. So So it's sort of started to come together in building this and in. The MCP server, you can give it templates that it uses for certain functionality. So you say, hey, I want to write a report. We'll go look at these templates for reports to get an idea of how it's structured and what commands are available to it. I want to use the Content Search API. Well, here are some examples baked into the MCP server. How how those queries look. Okay. Well now when you go test it, it's not having to discover all of it from the beginning, but then there are tools built into it that say, Go, get me all the commands, and it will go run, essentially a report of all the commands that are available in SBE. So then it can then discover those things. And so the MCP server is really the, I'd say, a guided tutorial for the LLM to understand how to communicate with a brand new solution, as you were saying, Adam like it's not going to know the templates, but it does know the commands, and it can discover the content tree. And so through that process, you could get somewhere better than if you just let it guess and it won't hallucinate the commands potentially. Won't hallucinate the commands that are not available, or fields that are not not there, in my instance, because it can, it can check anything, right? It's basically like an, yeah, an inspection tool for the for the LLM, and, you know, one of the Anton, I think, had asked the question about, essentially the remoting today, you get two versions. You either get an XML response or you get a raw response. And I thought, well, maybe a different format would be worth exploring. And it turns out that JSON response is about two and a half times faster than the XML response and only slightly slower than the raw response. And I thought, Okay, well, that would be useful. And so then I thought, Well, what else could be improved? Oh, well, the logging. Maybe the logging should be structured to an extent that Splunk could read it. Maybe the error messages should be formatted in a way that the LLM can kind of understand what's happening, understands that there's an exception and the details present, but you know, maybe I don't want everyone to see that detail, so why don't I give a way to toggle off that detail so that I can see that an error occurred, but I don't actually get the stack trace right. So, so the more I learn about what could be done, the more I learned about one what I shouldn't do, and alternate ways to which I could approach a problem. Because if I had the idea and I didn't have AI to help me, man, I'd be committed. I'd be committed to that way, and I'd be, like, three weeks into it, and now in an evening, I can try four or five different options and go, You know what, I didn't like any of that. Throw it away and just be okay with that, and then start over tomorrow. And so it's, it's really been a it's been a treat doing this, you know, adding in a rate limiter. Well, spes never had a rate limiter, but doesn't that seem like a feature that should just exist? So, so then I added that, and then it just kept going. And so, as much as I'm sure I'm annoying Adam with all these issues it commits, I think at the end of the day, we're going to land on something that's going to be pretty awesome, better than what we've had so far.

Michael, have you been using the issue tracker from GitHub to actually feed AI like what you're trying to achieve, and is that where you've been? I've seen a lot. I've seen a lot of these pop up, obviously, within the Slack channel. I've seen a lot of detail within those. I know a lot of them are from yourself, but, yeah, that's a that's a great question. So while initially working on non SPE things like I built a little file sharing websites that's like a command line tool that hosts a web server. And then I built a little self signed certificate creation tool. I started to realize that if I didn't tell Claude to persist to a. File, then I would lose kind of all the work, and it would have to research it again. And so that I kept having to say, hey, go write a file in case I have to start over. And so that it progressed to, why don't I create a skill, which is basically a markdown file that says, here's my workflow to make sure that I hit all these checkpoints so I don't miss something. And so it includes like, creating a plan, proposing one to three options, writing failing tests, you know, TDD, make the implementation and then run the test and and so I just kept going and going. I thought, well, I should stop creating these files, because Adam's not going to have the file. And if Adam wanted to contribute to it, then I should have it shared with him. But do I want to commit all of these temporary markdown files? No, that. It's not really the good place for that. So I started to have I installed the GitHub CLI tool, and now Claude can go query issues. It can comment on issues. It can do all sorts of stuff. And I use that to keep track of the progress. If I decide I want to do something different, it will go edit the issue with new information. And so now I'm better utilizing GitHub to centralize documentation on what the feature is, why it's needed, what decisions were made, and any potential impacts to other features, if there was a if, maybe I, I created a template, and then later on and decided to change the name Claude, can go figure out which issue that was and link them together, right? And so it's really helped me to organize, perhaps, to by detriment, it creates lots of issues. And so I have to. So something I tried yesterday was be an adversarial reviewer of these changes. So it's like I have this idea. Go. Give me these options. Now, give me assume that it's all wrong, that it's all going to break. Give me options at how to make this better, poke holes in it. And so then I have that produce a sorted list, and I tell it to merge things together, and I approve those things. And once I settle on my work list, go create issues with all the documentation associated, and then be sure to, you know, comment that this should be revised when the work begins. You know, like, more in depth research. And so if that, I think, has really helped, and I I'm confident that when I do this at work, I will leverage sort of similar skill, you know, having to update Jira, having to update confluence, or whatever tools that you're using, those are painful to use. Why not have aI go do it better than you, and then you don't have a project manager saying, Have you move your ticket through the queue? That answer the question, I think, I think it did, yeah, yeah. Adam was just asking me about, like, commits today. I think that's the next problem to solve. Is, what is the optimal commit history to have? You know, do you squash it all into one commit? You break it out and related changes, even if it's for the same feature, you know, like, what is that optimal thing? And I think we'll eventually get to that, and then we'll have a, you know, smooth running machine. One last thing is the SPE tutorials. So there is a new website, tutorials, dot Sitecore, powershell.com, it is 100% browser based environment where you can go through. What I've always wanted to give the community is a tutorial on using SPErunning commands. It includes a visual builder, which is actually, I think pretty slick, you just click on command names and fill out parameters, and then you could run it in there. I did add a way to connect it to a running site, core instance that's not fully fleshed out yet, but I knew Adam was gonna love that feature, no so, so I'll probably remove it just, just so gray hair.

No, no, I That's good. Let's, let's, let's explore that. Yeah, well, at any rate, it was fun building and it. And so I hope that the community enjoys using it. It's it's really a safe place to go try stuff and not be dependent on a site core instance. And when you feel proficient in running commands and things like that, then you can switch into SPE proper and have a good sense of what, what's supposed to happen. You get similar formatting. You get, you know, auto completion. You get all those cool things I may be coming, you know, across, like, like an old grump, and just, you know, like, like, squash and Michael and all of that, but it's basically like, I've over over years, you know, the product management and all of that. I kind of realized the there is, and I kind of read this statistic somewhere that creating a feature is around 11% of its lifetime cost, the rest is in documentation, maintenance, support, you know, potential security problems that you that you can have with it, and everything around that, right? And if we're going to be creating features as fast as we can, by definition, we have no chance surviving this, right? So that's why I'm kind of sometimes coming across, as, you know, like, oh, I keep saying, you do a lot of things, but, but it's, but it's basically okay. Like, it's easy to add something. Let's add, you know, this new way of doing this whole thing, but then this new way, you know, because we have, like, three ways. And then let's add this new way, because it's going to be better, and it's going to replace the three ways. No, now you have four ways, right? And, you know, and this is potentially my, my kind of why I am, like, why we can never remove anything, because effectively, then it's a, it's a breaking change. It's, it's potentially huge problem, and at some point the well psycho may say, just for not upgrading it any longer, because you guys have broken all of this stuff, right? So we need to be we need to be mindful that, like, if everyone is like you're saying, using it, then we're potentially breaking everyone right? This is something that we we need to be very mindful of. And it's, it's, it's all about. You know that upgrading Sitecore is interesting challenge every time on its own, and we don't want to be part of it. We've, we, yes, we like what I what I'm kind of what I have experienced because we have upgraded side core from 10.2 to 10.4 and we had all kinds of API's just behaving in a slightly different way, or doing, you know, or just having switched to from one thing to another, and the one stable thing was all of our scripts just worked the same. This was something that I was just that I will not and it's basically that's why we can never remove anything, right? And this is why we we we need to be very intentional in in maintaining and and be ruthless about saying no to optional stuff that can be potentially, you know, released as an add on or a module to the module.

Yeah, yeah. What comment? Adam, you had asked if we had 600 commands, what it's actually 151 commands that are compiled in the library, 13 remoting commands, and 167 functions within items. So it really comes out to about half of that 331 approximately. So I got a little excited about the count.

Let's say AI hallucinated that. Yeah, it did, actually. But when I saw it, it's like, oh, 600 Okay, great, I'm good to go. And then you asked about it. I was like, All right, well, let me go. Let me go. Do a. Audit, and so I tallied up everything. Yeah, so I I'm excited where we're headed, and I think Adam's been good to help keep me grounded in in the things that I think, oh, this would be a great idea, but it's like, well, you know, if I think about it, it might not have been that great of an idea. There was a issue that you pointed out earlier, Adam, so I had an idea of restricting remoting to prevent it from accessing a certain path, like when it makes sense for a remote script to not be able to see part of a tree. And so then, in a couple minutes, Adam's like, we'll try this. And so we kept trying it. I was like, oh, okay, you can, because of the site core API, you can traverse the tree like the SPE restrictions aren't blocking site, course, API, and so the only way that you could have gotten close to it working is if the account that was being impersonated had less access right, which would require someone to be in Sitecore to do that. But if I had an unrestricted account, go create an account, then, like, you see what I'm saying, like, so you could just sort of keep talking about it. Eventually you get to, well, okay, then it's not really a security feature that's even worthwhile having. So I removed it because it wasn't going to it was going to give a false sense of security. And in five minutes, Adam picked it apart. Think about people who get paid to go pick it apart. They're going to find even more problems. Yeah, it's lucky you, you asked Adam and not AI, because I would have told you it was a great idea, right? Yeah, yeah, yeah. PowerShell has this like interesting feature called it's basically, it allows you to chain, like you can execute a property on an object, and then you can, you can do that same property. So you can, if you do an item and then you do dot children. It will return the children, but then you can do again dot children, and for every child, it will execute children on the child. So we said, Okay, let's go into the parent of what you cannot do and say, Let's do children, the children, the children, the children. Dot security key? Yep, we got the keys. That's why I'm saying, like, if you're led the thug into your castle, just, it doesn't matter what you do them. It doesn't matter, yeah, it's wheels off at that point. Yeah. Yeah. Well, Michael, did you have any other slides? Oh, no, that's it nice.

Alright, so I've been meaning to say this to you guys. I think I've probably said it when I when we're in person, but it takes a lot to have a community module and keep it up to date and field as many questions as you guys do. So thank you for that, for being patient. I know what we see publicly is only percentage of the things that you feel. So it's the GitHub questions, it's the ones on Slack, God knows where else, right? And then you have people like me reaching out to you guys personally, asking, Hey, by the way, what about this? Because, you know, obviously I looked at everything before I come. But so just wanted to say thank you. Is there anything from a community perspective that we could be doing a better job, rather than just being consumers of what you guys built, but also try to contribute in any way. Right? Coding isn't the only way to contribute, but if you guys can think of ways the community can help you guys contribute a little bit. Yeah, I've got an idea, and I gave Adam some time to think. So for me, it's always been someone either proposing a feature, like they had an idea that I just never thought of, or Adam never thought of that would be really beneficial. So I like those, and someone identifying a bug or some, you know, typo in the documentation. I always find that to be very helpful, because it it's it's easy for you to notice it and just move on. It's another thing to say I care enough about the community in this module to go tell whoever's maintaining it that I. I discovered this thing. You might want to fix it. I appreciate that the most use it, love it. Talk about it. It's like, that's why I've been doing it. I'm just, I love the conversations about this. For me, this is the most, the most important thing, all of the all of the people are around it. And I ever get, I never get tired hearing about, you know, people using it. This is just Yeah. For me, this is the core of why I'm doing it. And yes, I mean, report, whatever you, whatever you, your your whatever you think would be useful. Because we can, we may not think about it right. We've just yesterday, I've added the fact the terminal view, which I'm using SP daily. So I wanted to have the terminal to be able to just in the bottom part of the ISC, just write a one off command, like in regular ISC in window, right like now writing this for us as a days of day of work, whereas before, it would be a week of, you know, really pulling our heads, you know, or our Hair apart, right, like today, just today, I've added the variable inspector. Variable inspector, basically, which you had a tooltip, and now you have, like, a full view, so the execution time have completely collapsed ideas, which is ideas are, are great, and we're definitely not like I said. I'm the the I'm probably the one who will say no more than Michael, because I have to, you know, yeah, I'm just, I'm just afraid, but, yeah, we will be able to deliver much more, much faster, get a better experience because of the vibes. Couldn't have said any better. Adam, nice. Thank you so much for your time, guys. This was very helpful. I don't see any questions in YouTube or LinkedIn. So thanks again for your time. I know it's precious, so we appreciate that. Hope you guys have a good rest of your day. Thanks. Thank you guys. Bye.