Building Stuff That Doesn't Leak Everyone's Data
Hello, I'm Maneshwar. I'm building git-lrc, a Micro AI code reviewer that runs on every commit. It is...
找到 3793 篇相关文章
Hello, I'm Maneshwar. I'm building git-lrc, a Micro AI code reviewer that runs on every commit. It is...
I want to talk about why philosophy is actually far more important than people think, especially when it comes to software engineering, systems design, and AI. When most people hear the word "philosophy," they roll their eyes. They think of abstract, circular arguments that don't matter in the real world. But true philosophy, good philosophy, is more like base mathematics. It is base physics. It is the raw understanding of the essence of a concept and how that translates into real-world action. If you don't understand the origin of a thing, you are left playing a game of perceptions. You will circle around a problem, coming up with endless rationalizations, but you will be completely unable to predict where it is going to go next. The origin of something is it fundamental nature. This origin is actually its bounding box. It dictates the absolute limits of its trajectory. Knowing this gives you predictive capability before you execute. It is the a priori knowledge that separates actual engineers from people who just copy-paste solutions. (When should and how should you copy paste, for example, 'it depends'.) The Gun Analogy and Inherent Limitations Imagine you are at a shooting range, and you point a gun downrange. As long as you point that gun in the general direction of the targets, it is not going to shoot directly behind you, or 90 degrees to the left. The inherent nature of the gun, and the velocity of the bullet, give it strict limitations. Because of those limitations, you can heavily rely on the fact that the bullet won't leave that bounding box. Therefore, shooting on a range is actually very safe. It only becomes unsafe when you turn the gun in a different direction. You have to understand that you cannot ask a tool to do more than its inherent nature allows. If you are firing an M16, it is not going to act like a guided missile and hit a target in another country hundreds of miles away. It does not have that capability. * Furthermore, a gun cannot read you
Last month, I had a problem with a popular mobile banking app in Southeast Asia. Nothing exotic. A transaction didn't go through, and my support ticket had been sitting untouched for two weeks. So I opened the app's chatbot. It greeted me warmly, asked how it could help, and then couldn't do a single useful thing. It couldn't look up my transaction. It couldn't check the status of my ticket. It couldn't tell me why my issue was unresolved. It could answer FAQ questions, and that was it. I called the hotline instead. Spent an hour navigating prompts, got bounced between menus, and every path ended the same way: "Please contact our chatbot or check your existing ticket." The system was built for deflection, not resolution. The ticket that nobody had touched for fourteen days. I gave up. And somewhere in that company's dashboard, my interaction counted as a successful AI chatbot deflection. The uncomfortable part: if you shipped a deflection-optimized bot this quarter, a customer somewhere is living this exact loop right now. Your dashboard is calling it a win. The Deflection Metric Everyone Loves (and Nobody Questions) Deflection rate measures the percentage of customer contacts handled without a human agent. It's cheap to track, easy to celebrate, and it maps directly to cost savings. Industry benchmarks citing McKinsey's 2026 service operations data put AI resolutions at $0.62 per ticket versus $7.40 for human agents. That's a 12x cost difference. Of course executives love this number. But deflection doesn't measure whether the customer's problem got solved. It measures whether the customer stopped asking. Those are very different things. This is Goodhart's Law applied to customer experience: when a measure becomes a target, it ceases to be a good measure. Deflection is cheap and easy to optimize. Resolution is hard and expensive to track. So companies optimize the proxy and stop looking at the goal. Gartner data, as reported by Forbes , confirms the gap: only 14% o
Over the past year, one concept has fundamentally changed how I think about AI applications. Not larger language models. Not better prompts. Not even AI agents. It's Model Context Protocol (MCP) . For a long time, most AI applications lived inside a closed environment. They could generate text, answer questions, or write code, but they couldn't easily interact with external systems. MCP changes that. It provides a standardized way for AI models to communicate with tools, databases, APIs, and applications. Instead of building custom integrations for every project, developers can expose capabilities through MCP servers. After experimenting with different workflows, these are five MCP servers that have had the biggest impact on how I build AI applications. 1. GitHub MCP Server If you're building software with AI, GitHub integration is one of the most valuable capabilities you can add. Imagine asking an AI assistant to: Read a repository Review pull requests Search issues Create commits Open new issues Inspect project structure Instead of manually copying files into ChatGPT, the AI can interact directly with your repository. For developers, this dramatically improves productivity. Typical workflow: Developer Request ↓ GitHub MCP Server ↓ Repository ↓ LLM ↓ Action or Response This is far more scalable than copying snippets of code into prompts. 2. Filesystem MCP Server Almost every AI workflow eventually needs access to local files. Examples include: Reading documentation Editing Markdown Creating reports Refactoring code Updating configuration files Without an MCP server, these tasks often require multiple manual steps. With a Filesystem MCP server, an AI application can safely interact with project directories. For example: Read: /docs/api.md Update: /src/routes.py Create: /reports/summary.md This makes AI assistants feel much more like development partners. 3. PostgreSQL MCP Server One limitation of traditional chatbots is that they don't know your data. Connecting an
We're upgrading Crawlberg to a new version: Crawlberg v1.0.0. It builds on the previous kreuzcrawl. It declares the public API frozen under the new project name. All technical features below shipped in v0.3.0 (2026-06-23); v1.0.0 is a stability declaration and rename, not a new feature release. The four production-facing changes most likely to require operational action: Package and env var rename - every artifact identifier has changed; see the migration table. SSRF defense is now on by default - internal crawl targets (localhost, RFC 1918, cloud metadata) will fail without CRAWLBERG_ALLOW_PRIVATE_NETWORK=1 . CrawlError::WafBlocked is now a struct variant - exhaustive match arms will not compile until updated. max_retries semantics changed - off-by-one fixed; max_retries=3 now produces exactly 3 retries. Precompiled binaries cover Linux (x86_64/aarch64), macOS (ARM64 and x86_64), and Windows x64. Homebrew bottles and Docker images on GHCR are also available. What Is Crawlberg? Crawlberg is a web crawling engine written primarily in Rust that exposes a single consistent API across 14 language runtimes. It handles HTTP transport, JavaScript rendering, robots.txt compliance, per-domain rate limiting, SSRF safety, and structured extraction. Extension points ( Frontier , RateLimiter , CrawlStore , EventEmitter , ContentFilter , WafClassifier , ProxyProvider ) are injectable traits; wire in your own frontier, storage backend, or proxy pool without forking the engine. A single scrape() call returns text, metadata, links, images, assets, JSON-LD, Open Graph tags, hreflang, favicons, headings, response headers, and clean HTML→Markdown. When a site requires JavaScript, the optional headless browser tier handles it transparently. v1.0.0 promotes v1.0.0-rc.2 and freezes the public API under the new project name. The features described in the sections below represent the platform that 1.0.0 declares stable; they shipped in v0.3.0. What v1.0.0 Declares Stable These capabilities
I spend a lot of time in the AI space -- reading papers, building things, talking to engineers who are actually shipping. And there is a gap between what the demos show and what production systems actually look like that nobody is being fully honest about. So here is my honest take on where things actually are. The Problem With How We Talk About AI Agents Everyone is calling everything an "agent" right now. A function that calls a tool? Agent. A chatbot with memory? Agent. A script with a loop? Agent. This dilution is not just semantic. It is causing real engineering mistakes. When you do not have a precise definition for what you are building, you end up over-engineering simple pipelines and under-engineering genuinely complex ones. I have seen teams spend weeks adding "agentic" orchestration to workflows that would have been fine as a single well-structured prompt. Here is the definition I keep coming back to: an agent is a system that has an objective, not just an instruction. It decides what to do next. It handles failure. It knows when it is done. Everything else is just a fancy function call. 🟢 If your system needs a human to tell it each step, it is not an agent. It is a chat interface. 🔵 If your system can recover from a failed tool call and try a different approach, you are getting somewhere. ✅ If your system can decompose a goal into subtasks and delegate them, that is the real thing. What Is Actually Happening in Production Right Now The honest picture from teams I follow and talk to: Most real agent deployments are narrow. They do one thing well. Customer support triage. Document extraction. Code review on a specific codebase. They are not general-purpose reasoning engines. They are purpose-built pipelines with some intelligence in the decision layer. The teams getting good results are not chasing the latest model release. They are obsessing over: ☑️ Tool design -- what can the agent actually call, and how clean is the interface ☑️ Failure handling -- wh
Key takeaways Summarizing conversation history can reduce costs by up to 60%. Implementing an effective summarization algorithm is key to efficiency. Balancing detail and brevity in summaries is crucial for context. Optimized context windows lead to faster response times and lower latency. The problem Startups leveraging large language models (LLMs) often face significant costs associated with managing context windows during conversations. Each token processed incurs a cost, and as conversations grow, replaying entire histories can lead to runaway expenses. Founders and engineers encounter this issue particularly during customer support interactions or chatbots, where lengthy dialogues require constant context retention, drastically inflating operational costs. What we found Our research indicates that instead of replaying the entire conversation history, summarizing the dialogue can maintain context while drastically reducing token usage. By distilling key points and intents into a concise summary, we can effectively minimize the number of tokens processed, leading to major cost savings without sacrificing the quality of interaction. This non-obvious insight repositions how we approach conversation management in LLMs. How to implement it Start by selecting a summarization algorithm suitable for your use case. Techniques like extractive summarization (e.g., using TextRank) can identify and retain essential sentences from conversations, while abstractive methods (e.g., fine-tuning a transformer model) rephrase the content. Next, integrate this summarization step into your workflow: after each interaction, generate a summary that captures the main points. Ensure that the summary is stored and utilized as context for subsequent interactions, replacing the need for the entire conversation history. Monitor token usage before and after implementation to quantify cost savings. How this makes life easier By summarizing conversation history, startups can see a reduction in c
When the enemy is too strong to attack directly, attack what they hold dear. They will come to you...
According to ChartMogul's 2026 analysis of 200 B2B software products, the median free-to-paid...
There is a habit that wastes more time than anything else when using Claude. Save this :) Writing the same instructions over and over again. Every session, you re-explain your role. You re-describe your writing style. You re-state your formatting preferences. You re-paste your company context. You re-specify what you want the output to look like. Then you do it again tomorrow. And the day after that. And the day after that. Over a month, you waste hours on instructions you have already written. Not new thinking. Not new requests. Just the same setup, repeated endlessly. Claude Projects and Skills fix this completely. Projects let you save context once and have it applied to every conversation automatically. Skills let you save entire workflows as reusable commands that you can trigger with a single sentence. Together, they turn Claude from "a tool you use from scratch every time" into "a system that already knows everything and just needs your specific request." Here is how to set them up from zero. What Are Claude Projects A Claude Project is a container for conversations that share the same context. When you create a Project, you upload knowledge files and write a system prompt. Every conversation inside that Project automatically has access to those files and follows those instructions. No re-explaining. No re-pasting. No re-describing. The context is always there. Example: you create a Project called "Content Marketing." You upload your brand guidelines, your editorial calendar, your top-performing articles, and your audience personas. You write a system prompt: "You are my content strategist. You know our brand voice, our audience, and our content strategy. Every piece of content should match our guidelines and target our defined personas." Now every conversation in that Project - brainstorming headlines, drafting articles, analyzing competitors - starts with full context. Claude already knows your voice, your audience, and your standards. One setup. Unlimited
Two things happened this month and they tell you everything about where AI is actually going. Coinbase quietly cut its AI bill nearly in half. Open models, smarter routing, better caching. No drama. A finance footnote that happens to be a glimpse of the future. And Dario Amodei published another essay. Not a tweet. An essay. The kind of sprawling, twenty-thousand-word civilizational scripture he keeps handing down from the mount. This one is called "Policy on the AI Exponential," and the gist is that AI is about to hand humanity "almost unimaginable power," that our institutions are too immature to hold it, and that therefore the government should be able to test, gate, and block frontier models before mere mortals get hurt. One of these is a price cut. The other is a prophecy. I want to talk about the prophecy. The robes Let me be fair before I am not. Dario is not a dumb man and he is not a fraud. He runs one of the best labs in the world. The safety concerns are not all imaginary. Misuse is real. I am not the guy arguing that anyone should be able to download a bioweapon recipe for a laugh. If that is the bar, sure, regulate it. Nobody serious disagrees. But watch the move he keeps making. Every few months the prophet descends with a new text. The stakes are always civilizational. The language is always biblical. "Unimaginable power." A "decent possibility" of "significant enduring job loss." Disruption that will be "unusually painful." Humanity handed a force it is not mature enough to wield. He is not describing a product roadmap. He is describing a flood. And conveniently, he is also selling the ark. That is the part that should make you tilt your head. Read the actual proposal Strip the poetry off "Policy on the AI Exponential" and here is the machinery underneath. Mandatory third-party testing for any model above a compute threshold. Authorized evaluators. Security standards. Incident reporting. Government authority to block or reverse a deployment that fail
Your CI catches the npm vulnerability. Your developer is already three branches away and one standup behind. The package is installed, the lockfile regenerated, the import wired into a service, and the human who made that decision did it on a Tuesday afternoon with a tab open to Stack Overflow. Now the scanner is yelling. From the terminal, that is not security. That is grief counseling. That is the frame Sonu Kapoor lays out in a DevOps.com essay this week, and the engineering bones of it are correct. A scanner is not a gate. It is a status check. Kapoor's argument is about feedback loops. A developer installs, codes, commits, pushes. Only then does CI run. By the time the finding surfaces, the decision to add the package, and the context for why, has evaporated. So has the lockfile churn that caused it. What started as "is this package safe?" becomes "fix this in a different sprint." The scanner did its job. The fix is now a project. He backs it with a small case study from the NestJS repo: a scan of package-lock.json returned 1,626 resolved packages and 25 vulnerabilities. Of those, 12 were directly fixable. Thirteen were transitive, buried in upstream graphs, waiting on someone else's release. In a pipeline-first workflow, every dependency hop is a separate commit and a separate run. (Multiply by the number of services your team owns. Then by your runner-minutes budget. Send me the bill.) The arithmetic gets ugly quickly. A single lockfile with more than fifteen hundred resolved packages is not exotic for a working Node app, it is the default. The chance that the first time anyone looks at that graph is during a pipeline run, after the merge intent is already in the reviewer's queue, is the structural bug. Where the essay is right, and where it gets too tidy Concede the obvious. CI is not the problem. CI is fine. It runs uniformly, it cannot be skipped, and it is the right place to fail a build when an OSV record drops mid-week against a dependency that was clea
In the world of wearable health technology, the holy grail has always been moving intelligence from the cloud to the edge. Waiting for a cloud server to analyze your heart rhythm is not just a latency issue—it's a privacy and battery life concern. Today, we are diving deep into TinyML , Edge AI , and ECG signal processing to build a real-time abnormality detector. By leveraging TensorFlow Lite for Microcontrollers and the versatile ESP32 , we can process raw electrocardiogram (ECG) data locally. This approach ensures low-latency detection of arrhythmias while keeping sensitive medical data on-device. If you've been looking to bridge the gap between high-level deep learning and low-level embedded systems, you're in the right place! The Architecture: From Raw Signal to Insight 🏗️ The pipeline involves capturing a high-frequency analog signal, cleaning it, and feeding it into a quantized Convolutional Neural Network (CNN). Here is how the data flows through our ESP32: graph TD A[Raw ECG Signal/Sensor] -->|ADC Sampling| B(Preprocessing: Bandpass Filter) B --> C{Buffer Management} C -->|Windowed Segment| D[TFLite Micro Inference Engine] D --> E{CNN Model Classification} E -->|Normal| F[Log: Sinus Rhythm] E -->|Abnormal| G[Trigger Alert: Arrhythmia] G -->|Bluetooth/Wi-Fi| H[Mobile Dashboard] Prerequisites 🛠️ To follow this advanced guide, you'll need: Hardware : ESP32 (DevKit V1 or similar). Sensor : AD8232 ECG Module (or simulated ECG data). Software : Arduino IDE or PlatformIO. Frameworks : TensorFlow Lite for Microcontrollers (TFLM), EloquentTinyML (optional wrapper), or the standard C++ TFLM library. Step 1: Model Training & Quantization 🧠 Before we touch the C++ code, we need a model. Typically, we use the MIT-BIH Arrhythmia Database to train a 1D-CNN. The crucial step is Post-Training Quantization . Since the ESP32 doesn't have a dedicated NPU, we convert our 32-bit float model into an 8-bit integer (INT8) model. This reduces the size by 4x and speeds up inference s
So this weekend I spent $200 solving a $2 problem. Not because I was careless. Not because the system was broken in the old way. It happened because the tool was powerful, fast, confident, and wrong for just long enough. That is the strange thing about AI systems. They do not always fail loudly. A cloud server goes down, an alert fires, a dashboard turns red, someone opens an incident bridge, and the team knows what kind of movie they are in. AI failure is softer. The answer looks useful. The workflow keeps moving. The agent tries another path. The model explains itself beautifully. The bill keeps climbing. With cloud reliability, we learned how to survive machines failing. We built retries, failover, backups, autoscaling, health checks, runbooks, and incident reviews. The cloud taught us that infrastructure is never perfect, so systems must be designed to bend without breaking. AI is teaching us something different. The machine may be running perfectly and still produce the wrong result. The API may be healthy, the latency may be fine, the token stream may complete, and the business outcome may still be bad. That is why AI Site Reliability is going to become its own serious discipline. It will not be enough to ask, “Is the model available?” We will have to ask, “Is the model still useful?” “Is it drifting?” “Is it spending too much?” “Is it using the right tools?” “Is it looping?” “Is it making the same mistake with more confidence?” “Is a human needed before this continues?” In the cloud world, uptime was the king metric. In the AI world, usefulness will matter just as much. A model that is always available but often wrong is not reliable. An agent that finishes every task but spends 100 times more than needed is not reliable. A chatbot that gives answers with perfect grammar but poor judgment is not reliable. The next generation of reliability engineering will care about cost, correctness, context, and control. Cost matters because AI turns thinking into metered
I got laid off in March 2026. The day HR handed me the 30-day notice, I had a small panic attack, then opened my laptop and started building things. Here's the deal: I had 30 days before severance ran out, and I wanted to see how much I could ship with AI tools before the money (and motivation) ran dry. I gave myself a single rule — every project gets a 7-day deadline, otherwise I kill it. I built 6 things. One has real users. One broke in production. Two I never opened again. This is what happened, in the order I built them. 1. AI Buddy (Chrome sidebar) — shipped, 15 users A Chrome extension that puts an AI assistant in a sidebar. Select text on any page, hit a keyboard shortcut, it goes to the AI, reply shows up without you leaving the page. Works with GPT-4, Claude, Gemini, DeepSeek. No login, no credit card. Time: 11 days (April 1–11). Status: Live on Chrome Web Store. 15 real users as of June 28, 2026. Rating 4.2. What I used AI for: 90% of the code (500 lines of JavaScript, written in Cursor). The README, the Chrome Web Store description, the marketing tweets — all AI-drafted, then I rewrote the parts that sounded like AI. What went wrong: The first version had a Stripe integration. AI wrote 90% of the webhook signature verification. I had to rewrite it from scratch. Also the model-picker UI went through 5 revisions because AI kept proposing what looked right but didn't work. → Chrome Web Store 2. Weekly report generator — personal use only Every Friday at 4pm, a script grabs my git commits, Slack messages, and Linear ticket changes, throws them at GPT-4, and asks for a "manager-readable" weekly report. I review, tweak, send. Time: 2 days. ~200 lines of Python. Status: Running for 11 weeks. Has 1 user. Me. Cost is $0.12/week. What I used AI for: The prompt. It's surprisingly tricky to get GPT-4 to write a weekly report that doesn't sound like a robot. The single most useful line: "if you don't have data, write 'no progress this week' — don't make things up." T
you've felt it. you type a prompt, hit send, and the response starts streaming in under a second....
The latest update to hermes-memory-installer introduces a focused set of features that directly address production-level concerns: observability, storage management, security, fault tolerance, and performance introspection. If you maintain a message-processing pipeline or job queue, these are the components that often decide whether your system survives peak loads or security audits without manual heroics. Let's break down each addition and how you can integrate them into your workflow. System Metrics Exposing runtime health is no longer an afterthought. The new metrics module taps into the core processing loop and emits standard Prometheus-formatted data: message throughput (count and rate), latency percentiles, queue depths, and goroutine or thread pool utilization. This isn't a simple "up/down" gauge—you get histograms for processing duration and derived metrics like consumer lag. For example, if you run multiple worker instances, you can now directly compare their processing speeds via a Grafana dashboard. The endpoint is configurable, so you can keep it behind a reverse proxy or internal load balancer. Memory pressure triggers a separate gauge for heap usage per queue, which helps with capacity planning before it becomes a midnight incident. Auto-Archive Without auto-archive, old messages accumulate in memory or primary storage, driving up costs and slowing down scans. This feature moves processed or expired messages to a cheaper tier (S3, GCS, or local file system) based on age or queue size. The archive process is a background task that runs on a cron-like schedule; you can define how many messages to retain per queue before archiving kicks in. The compression is transparent—gzip by default, but you can switch to snappy or zstd. A key detail: archived messages retain their metadata and can be restored if needed, though the replay path skips them automatically unless explicitly requested. This is useful for audit trails or multi-region cold replicas. Token Rot
Like most developers, I have a set of tools I use every day. Most of them work great, and I don't...
Abstract Executing autonomous AI agent payloads in Google Workspace via the Apps Script...
China's Zhipu AI (Z.ai) released its open-weight GLM-5.2, and some researchers have claimed that it matches Mythos in certain bug-finding and cybersecurity scenarios. While GLM lags behind models from Anthropic and OpenAI in other, more general tasks, it seems that China has dramatically reduced the gap in the capabilities between its models and those of […]