AI 资讯
Ship an AI agent without a kill switch and you are the incident
A finance bot kept issuing refunds in a loop because nobody built a way to stop it. Clean code. Sound logic. No off switch. A small bug became a long night. Here is the opinion most teams do not want to hear. Building the agent is the easy 80 percent. That off switch is the 20 percent that decides whether you can ship it at all. We celebrate the wrong milestone. Picture the demo where the agent books the meeting, writes the email, updates the record. That part is genuinely fun to build and genuinely easy now. Harder is the boring question nobody claps for. What happens when it is wrong, fast, and confident. An AI agent is not a chatbot. It takes actions in the real world. It spends money, deletes rows, messages real people, moves files. Wrong answers in a chat are annoying. A wrong action at machine speed is an incident with your name on it. So before features, I build the stop. One real kill switch is not a single button. Think of it as a small set of bounds that live from the first version. A spend ceiling, so a retry loop cannot drain the account A blast radius limit, so one task can never touch more than it should A human gate on anything irreversible, so the agent proposes and a person commits A global stop that halts everything in one move, with no redeploy None of that is glamorous. All of it is what lets you sleep at night. Teams skip this for a reason that feels rational in the moment. Bounds feel like negative work. They never show up in the demo. Your agent runs fine without them right up until the one time it does not, and that one time is the only time anyone remembers. Here is the reframe that changed how I build. Treat the stop as the feature that makes an agent shippable. Bolt it on at the end and you have already shipped a liability that happens to pass the demo. Honest about the trade-off. Bounds slow you down. You will watch the agent pause for an approval it could technically have skipped, and it will feel like friction. That friction is the pric
AI 资讯
CircleCI Introduces Chunk Sidecars to Bring CI Validation Directly Into AI Coding Workflows
CircleCI has launched Chunk Sidecars, a new capability designed to bring CI-style validation directly into an AI coding agent's inner development loop By Craig Risi
开发者
String Methods, Conditional Statements (if/elif/else), Loops (for, range())
🐍 Python for DevOps — Class 5 Notes Topic: String Methods, Conditional Statements ( if/elif/else ), Loops ( for , range() ) 📌 Key Concepts Overview Concept One-Line Definition String Methods Built-in functions to inspect and transform strings if / elif / else Execute code blocks based on conditions for loop Iterate over any iterable — string, list, range, dict range() Generate a sequence of numbers to loop over Nested if An if block inside another if block Nested for A for loop inside another for loop 🔤 Part 1 — String Methods (Continuation from Class 4) Checking String Case # islower() — True if ALL characters are lowercase ' devops ' . islower () # True ' Devops ' . islower () # False # isupper() — True if ALL characters are uppercase ' DEVOPS ' . isupper () # True ' Devops ' . isupper () # False # Practical: normalize before comparing env = input ( ' Enter environment: ' ) if env . lower () == ' production ' : print ( ' ⚠️ Deploying to PROD! ' ) Checking Digit / Numeric Strings Method Accepts Rejects DevOps Use isdecimal() 0-9 only decimals, superscripts Port validation isdigit() 0-9 + superscripts decimal points Version numbers isnumeric() 0-9 + superscripts + fractions decimal points Broadest check # Key difference — decimal point breaks all three ' 8080 ' . isdecimal () # True ' 8080 ' . isdigit () # True ' 8080 ' . isnumeric () # True ' 80.80 ' . isdecimal () # False — dot is not a digit ' 80.80 ' . isdigit () # False ' 80.80 ' . isnumeric () # False # DevOps use: validate user input before casting port_input = input ( ' Enter port: ' ) if port_input . isdecimal (): port = int ( port_input ) else : print ( ' ❌ Invalid port — must be a whole number ' ) replace() — Find and Replace in Strings # str.replace('old', 'new') ' Python ' . replace ( ' P ' , ' J ' ) # 'Jython' ' prod-server-01 ' . replace ( ' - ' , ' _ ' ) # 'prod_server_01' ' This is python class ' . replace ( ' i ' , ' a ' ) # 'Thas as python class' — ALL occurrences # DevOps: sanitize strings for us
AI 资讯
Windows Platform Security and the Race to Secure AI Agents
In a new Windows Developer Blog post titled "Windows platform security for AI agents", Microsoft positions Windows as the trustworthy operating system for autonomous agents and introduces the Microsoft Execution Containers (MXC) SDK as the core of that strategy. The post argues that containment, identity and manageability must be built into the operating system. By Matt Saunders
AI 资讯
Exploring Lore: A Scalable Open Source Version Control System
What was released / announced Lore is an open source version control system designed with scalability in mind, allowing developers to efficiently manage large-scale projects. According to the official website, Lore aims to provide a more efficient and scalable alternative to traditional version control systems. This release is particularly exciting for developers and engineers working on complex projects that require robust version control. Why it matters As someone who works with large-scale AI infrastructure and cloud systems, I can attest to the importance of reliable version control. With Lore, developers can expect improved performance and reduced latency when managing massive codebases. This is especially crucial in environments where multiple teams collaborate on the same project, and version control becomes a bottleneck. I believe Lore has the potential to streamline development workflows and enhance overall productivity. How to use it To get started with Lore, you can begin by installing the command-line tool using the following command: pip install lore Once installed, you can initialize a new Lore repository using: lore init Lore also provides a REST API for integrating with other tools and services. For example, you can use the following Python code snippet to interact with the Lore API: import requests response = requests . get ( ' https://your-lore-instance.com/api/repo ' ) print ( response . json ()) You can explore more API endpoints and usage examples in the official Lore documentation. My take As an AI infrastructure engineer and DevOps architect, I'm excited about the potential of Lore to improve our development workflows. In my experience, traditional version control systems often struggle with large-scale projects, leading to performance issues and frustration. Lore's focus on scalability and performance could be a game-changer for teams working on complex AI and machine learning projects. I'm looking forward to exploring Lore further and integr
AI 资讯
Day 25 of 100 Days of ClickHouse: Mastering the ClickHouse HTTP API
ClickHouse HTTP API: A Complete Beginner's Guide Introduction When most people think about interacting with a database, they usually imagine connecting through a database client or application. However, ClickHouse also provides a simple and powerful HTTP API that allows you to query and manage your database using standard HTTP requests. The ClickHouse HTTP API provides a universal interface for communicating with your ClickHouse server. Since almost every programming language and automation tool supports HTTP, it becomes an excellent choice for integrations, monitoring, scripting, and lightweight applications. In this guide, you'll learn what the ClickHouse HTTP API is, why it's useful, and how to perform common database operations using simple HTTP requests. What Is the ClickHouse HTTP API? The ClickHouse HTTP API is a built-in interface that enables clients to communicate with a ClickHouse server using the HTTP protocol. Instead of connecting through the native TCP protocol, you simply send HTTP requests and receive responses in formats such as JSON, CSV, TSV, XML, or plain text. The HTTP interface is: Language agnostic Easy to integrate with web applications Firewall friendly Simple to test using tools like cURL, Postman, or a web browser Because of its simplicity, the HTTP API is widely used for automation, dashboards, data pipelines, and monitoring systems. Why Use the HTTP API? The ClickHouse HTTP API offers several advantages: No dedicated database driver is required. Works with virtually every programming language. Easy integration with REST-based applications. Supports multiple output formats. Ideal for automation and scripting. Perfect for cloud-native applications and microservices. Common Operations Using the HTTP API, you can: Execute SQL queries Insert data Create and modify tables Retrieve query results Export data in different formats Automate database operations Authentication Options ClickHouse supports multiple authentication methods when using th
AI 资讯
Putting a file in .gitignore does nothing if git already tracks it. I built a CLI to find the leftovers.
You added .env to .gitignore . You felt responsible. But three weeks later it's still in the repo, still pushed to GitHub, still in every clone — because adding a path to .gitignore does nothing to a file git already tracks. That's not a bug. It's documented behavior: .gitignore only stops untracked files from being added. Anything already committed keeps getting tracked, ignore rule or not. So the secrets, build artifacts, and 40 MB log files that were committed before someone wrote the rule just... stay. The fix is one command — git rm --cached — but only once someone notices . And nobody notices, because git status is clean and the file looks ignored. So I built gitslip : a zero-dependency CLI that finds every tracked file your own ignore rules say should be gone, and hands you the exact fix. $ npx gitslip 2 tracked files are ignored by your rules but still committed: config/secrets.env ↳ .gitignore:7 *.env logs/app.log ↳ .gitignore:2 *.log Fix — stop tracking them (keeps your local copy): git rm --cached -- config/secrets.env git rm --cached -- logs/app.log or let gitslip do it: gitslip --apply It tells you which rule caught each file ( .gitignore:7 *.env ), so there's no guessing. And --apply runs the git rm --cached for you — it only un-tracks, it never deletes your working copy. Why not just grep? You can grep your .gitignore patterns against git ls-files . But: A raw grep '\.env' can't tell a still-tracked leftover from a file that's correctly excluded, and it has no idea about !negation rules, build/ directory rules, nested .gitignore files, .git/info/exclude , or your global core.excludesFile . Reimplementing gitignore's matching semantics to get this right is exactly the kind of subtly-wrong code you don't want guarding your secrets. gitslip doesn't reimplement anything. It asks git. How it works (the fun part) Detection is a single git incantation: git ls-files -i -c --exclude-standard -c = tracked (cached), -i = ignored, --exclude-standard = use all the
AI 资讯
Securing AI-Generated Bash Scripts Before You Run Them
Bash is the easiest language for AI to write and the easiest language to get devastating output from. A 20-line script that "just cleans up old files" can recursively delete a home directory because the model assumed a variable would always be set. A "simple log shipper" can write your secrets to a remote server because the model used set -x for debugging and forgot to remove it. I have run AI-generated bash that I should not have. Most engineers I know have too. After enough close calls, there's a short checklist that catches the worst of it. This is that checklist. The five things to check before running any AI-generated bash 1. Does it start with a strict pragma? The first lines of any non-trivial bash script should be: #!/usr/bin/env bash set -euo pipefail IFS = $' \n\t ' What each does: set -e — exit on any command failure. Without this, a failure in line 5 doesn't stop the script from happily running lines 6-50. set -u — error on undefined variables. This is the one that saves you from rm -rf $UNDEFINED/ . set -o pipefail — propagate failures through pipes. Without it, failing-command | grep something succeeds because grep succeeds. IFS=$'\n\t' — sane field splitting. Defends against word-splitting bugs in filenames. If the AI-generated script doesn't have these, add them and re-read the script. You'll often discover bugs the pragma now flags. 2. Is every variable expansion quoted? # Wrong rm -rf $TARGET_DIR # Right rm -rf " $TARGET_DIR " The wrong version is what causes the "I deleted the root directory" stories. If $TARGET_DIR is empty or contains a space, the command becomes rm -rf (delete current directory) or rm -rf foo bar (delete two unintended things). Models default to the wrong version about half the time because the right version is harder to write in chat ("escape the quotes!") and the wrong version is what most blogs show. Fix: When reading AI bash, mentally check every $VAR for quotes. Add them if missing. This is the single biggest source of bas
AI 资讯
I built a CLI that generates .env files so I never read docs again
# EnvForge BETA v1.1 ⚡ Structured .env scaffolding for modern applications. Generate, validate, and protect environment variables for 14+ services – without ever opening a docs page. Github repo [ https://github.com/Jos3456/envforge ] NPM version (https://img.shields.io/npm/v/envforge-dev) MIT License (https://img.shields.io/badge/License-MIT-yellow.svg) ## Installation bash npm install envforge-dev **Requirements:** Node.js 18 or later. --- **## Quick Start** bash # 1. Generate an .env file and choose your providers envforge init # 2. Fill in your actual credentials envforge fill # 3. Check everything is set correctly envforge validate ## All Commands ### Scaffolding Command What it does envforge init Create a new .env by selecting providers interactively envforge add <provider> Add variables from a specific provider to your existing .env envforge preset Generate a .env from a popular stack preset envforge example Create a safe‑to‑commit .env.example file envforge fill Interactively enter values (secret keys are masked) envforge list Show all built‑in and custom providers ### Guardrails Command What it does envforge validate Check that all required variables are filled in envforge scan Detect secret keys accidentally exposed in frontend code envforge hook install Install a pre‑commit hook that runs validate + scan ### Customisation Command What it does envforge provider add Create a custom provider template envforge registry update Download the latest providers from the community registry ## Built‑in Providers Category Providers Database Supabase, Neon, MongoDB Atlas Auth Clerk, Auth0, Firebase AI OpenAI, Anthropic (Claude) Payments Stripe Email Resend, SendGrid Storage Cloudinary, AWS S3 / Cloudflare R2 Other Vercel Missing a provider? Add your own with envforge provider add or contribute one to the community. ## Framework‑Aware Scanning Use --framework for smarter detection: # Next.js specific rules (app/ vs pages/, "use client") envforge scan --framework next Th
AI 资讯
I built Proofline because AI agents are getting too good at sounding finished
AI agents are getting very good at writing final reports. The problem is not only that they make mistakes. The problem is that sometimes they make mistakes with excellent presentation. Proofline is a 5-skill Markdown pack that catches fake-ready output before it turns into a release, handoff, public post, or "yeah, looks done". What Proofline does It is not trying to be another giant agent. It works as a review route after the agent produces a result: Reference Gap Ready Gate Reality QA Lean Pass Repair Report Compiler Each step asks an annoying but useful question: what is missing from the references, what was not checked, where did the agent pretend everything was fine, and what actually needs to be fixed? Who it is for Builders working with Codex-style agent chats, AI coding workflows, Markdown handoffs, and any process where "done" needs to mean more than a confident paragraph. Release: https://github.com/aisflows/proofline/releases/tag/v0.2.0-rc5
AI 资讯
WIP - Glossário DevOps #1
Texto com base no livro "Manual de DevOps" WIP significa "Work In Progress". É uma métrica essencial que representa a quantidade de trabalho iniciado, mas ainda não concluído. Na prática, ela ajuda a entender quantos tickets, tarefas, histórias ou demandas estão sendo executados simultaneamente pelo time. WIP Alto (Ruim) Time com 5 pessoas 20 histórias abertas Todos pegam várias tarefas ao mesmo tempo Dezenas de branches simultâneas Dezenas de PRs simultâneos WIP Baixo (Bom) Time com 5 pessoas Apenas 5 histórias abertas Cada pessoa trabalhando em uma tarefa por vez O time termina as tarefas antes de começar outras Menor Lead Time Essa métrica é essencial para uma boa estratégia de DevOps, além de ser um baita indicador para a saúde do projeto ou da companhia. Quanto maior o WIP: Maior troca de contexto Mais conflitos de merge Mais difícil rastrear e validar as entregas Maior "latência" no tempo de aprovação dos PRs Se seu time está começando muitas frentes e terminando poucas demandas, você está com um WIP alto, e isso afeta diretamente a qualidade das entregas e a qualidade de vida das pessoas. Sei que WIP aparece bastante nos princípios Lean, porém ainda não li o suficiente sobre o tema para me aprofundar nele.
AI 资讯
Why git pull --rebase should probably be your default
Most developers run git pull dozens of times a week without thinking about it. And most of the time, it works. Then one day you open a PR and the reviewer says "can you clean up the merge commits?" You look at your branch and see three "Merge branch 'main' into feature/login" commits scattered through history. The feature itself is 5 commits. The log is a mess. That mess comes from one decision: using git pull instead of git pull --rebase . Here's what's actually happening, and why the rebase variant produces cleaner history for teams. The setup: diverged history You're working on feature/login . You commit two changes locally ( X , Y ). Meanwhile, your teammate pushes two commits to main ( C , D ). Your branch and main have now diverged . Neither is a strict superset of the other. Git needs to reconcile them when you pull. Shared history: A → B Your local: A → B → X → Y (you added X, Y) Remote main: A → B → C → D (teammate added C, D) Git has two strategies for this reconciliation. Strategy 1: git pull (merge) A plain git pull creates a merge commit that joins your local history with the remote. Your commits and the remote's commits both appear in the log, connected by a merge node. The git log reads: M Merge branch 'main' into feature/login D fix: timeout on slow connections Y feat: client-side validation C chore: upgrade eslint X feat: login form B (shared) A (shared) This is honest history — it records exactly what happened: parallel development that was joined at a specific point. But it's also noisy history — the merge commit has no meaningful changes, and the log interleaves commits that weren't conceptually related. Strategy 2: git pull --rebase With --rebase , Git takes a different approach. It: Temporarily sets aside your local commits ( X , Y ) Fast-forwards your branch to the tip of the remote ( D ) Replays your commits on top, one by one, creating new commits ( X' , Y' ) The git log reads: Y' feat: client-side validation X' feat: login form D fix: timeo
AI 资讯
Opentofu vs pulumi, which one survives a 200-account landing zone
IaC tools built for single-team deployments fail structurally at 200 accounts because the failure modes are architectural, not configurational. Why 200 Accounts Is Where IaC Tools Break IaC tools built for single-team deployments fail structurally at 200 accounts because the failure modes are architectural, not configurational. Scale Threshold State Management Provider Auth Overhead Execution Time Impact ~10 accounts One backend bucket, one workspace; quirks are routable Not a meaningful bottleneck Sequential plan/apply is manageable ~50 accounts Sequential execution still viable; blast radius contained Per-account latency exists but tolerable Below threshold where parallelism is required 200+ accounts 200 separate plan operations per shared-module refactor 3-sec per-account auth × 200 = 10 min added per plan cycle Sequential Terraform applies measured at 4.1 hours end-to-end A 10-account environment forgives sloppy state management. One backend bucket, one workspace convention, one pipeline. Engineers learn the tool's quirks and route around them. At 200 accounts, those same quirks compound. Why the threshold is 200 State lock contention, cross-account provider authentication chains, and module resolution latency stack on top of each other. The result is not slower deploys. It is non-deterministic deploys, which is operationally worse. The specific threshold matters. Below roughly 50 accounts, most teams run plan and apply sequentially without parallelism because the blast radius of a runaway apply is contained. Above 200 accounts, sequential execution becomes untenable. We measured a 200-account org where sequential Terraform applies across all accounts took 4.1 hours end-to-end. That latency made emergency remediation impossible inside a standard incident window. Three compounding failure modes State file proliferation. Each account carries its own state file, and each state file is a consistency boundary. At 200 accounts, a single refactor touching a shared modu
AI 资讯
Day 21 : Time-Series Data in ClickHouse®
Time-series data is one of the most common types of data generated by modern applications. Every log entry, API request, metric, transaction, sensor reading, or user interaction is recorded with a timestamp, making time the primary dimension for analysis. As organizations collect billions of these records, efficiently storing and querying them becomes increasingly challenging. This is where ClickHouse® excels. Although ClickHouse is not a dedicated time-series database, its columnar storage architecture, vectorized query execution, high compression ratios, and massively parallel processing make it an excellent choice for time-series analytics at scale. It is capable of ingesting large volumes of data while delivering analytical queries in milliseconds. The article begins by explaining the fundamentals of time-series data and highlighting common real-world use cases such as application monitoring, IoT sensor data, financial market analysis, server metrics, user activity tracking, and business analytics. These workloads typically involve continuous data ingestion, time-based filtering, aggregations, and trend analysis. One of ClickHouse's biggest strengths is its optimization for analytical workloads. Since data is stored column-wise rather than row-wise, only the required columns are read during query execution. Combined with compression and vectorized processing, this significantly reduces I/O and improves query performance over massive datasets. The article also demonstrates how to create an optimized table for time-series workloads using the MergeTree engine. Proper partitioning by month and ordering data by dimensions and timestamps help ClickHouse prune unnecessary partitions and efficiently locate relevant data during queries. Several practical SQL examples are covered, including: Filtering records within a specific time range Aggregating metrics by hour, day, week, or month Calculating averages, sums, minimums, and maximums Grouping events over time Working wi
AI 资讯
Use the Telegram Bot API in OpenClaw via Cloudflare WARP (1.1.1.1)
You run a Telegram bot through OpenClaw on your own Linux server. One day it goes quiet. The bot can't send or receive. But the server itself is fine — SSH works, apt works, other sites load. The reason: your server can't reach api.telegram.org . Some networks block or throttle it, so every call times out while everything else is fine. The clean fix: route only OpenClaw's Telegram traffic through Cloudflare WARP (1.1.1.1) . Everything else on the box stays direct and fast — including your SSH login. Here is the full setup, step by step. First, confirm it's a Telegram-only problem curl --max-time 8 https://api.telegram.org/ # hangs / times out curl --max-time 8 https://www.google.com/ # works instantly If Telegram times out but other sites are quick, this guide is for you. How it works We chain three small tools: OpenClaw ──▶ iptables ──▶ redsocks ──▶ WARP (SOCKS5) ──▶ Cloudflare ──▶ api.telegram.org WARP gives us a local proxy that exits through Cloudflare's network (which can reach Telegram). redsocks turns normal connections into proxy connections (so the app needs no proxy support — OpenClaw has none). iptables picks only OpenClaw's Telegram traffic and sends it to redsocks. The trick is in that last step. We match by the app's user and Telegram's IP ranges, so nothing else is touched. Step 1: Install WARP in proxy mode # Add Cloudflare's package repo curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \ | gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] \ https://pkg.cloudflareclient.com/ $( lsb_release -cs ) main" \ > /etc/apt/sources.list.d/cloudflare-client.list apt-get update && apt-get install -y cloudflare-warp # Sign up (free) and switch to proxy mode warp-cli --accept-tos registration new warp-cli --accept-tos mode proxy # opens a SOCKS5 proxy on 127.0.0.1:40000 warp-cli --accept-tos connect Now check that WARP can reach Telegram: curl --socks5-
AI 资讯
Fire-and-forget AI engineering: letting agents ship a production app unsupervised
"An AI agent just built a production landing page, with GDPR audit logs and encryption baked in. I wasn't even at my desk." That is not a lucky one-shot. It is a repeatable workflow. Piotr Karwatka recorded a full tutorial showing how to go from idea to a production-ready app on Open Mercato - the AI-Engineering Foundation Framework for CRM/ERP - with no babysitting and no ping-pong prompting. This is the technical version: what the loop actually looks like, why it doesn't fall apart, and which patterns you can lift into your own stack. The problem with conversational coding The default AI coding loop is single-threaded and human-bound: prompt -> generate -> you spot a bug -> correct -> re-prompt -> repeat It holds for snippets. It collapses the moment the task touches real architecture - multi-tenancy, RBAC, event flow, encryption, audit logging. Corrections pile up in the context window, the agent loses the thread, and you are back to typing. You are the bottleneck, sitting in the inner loop. The workflow in the tutorial moves you to the outer loop : you review a finished, tested PR instead of every keystroke. goal -> agent: branch + implement + test + open PR -> you: review PR The reason this is even possible on Open Mercato is that the hard architectural decisions are already encoded as conventions, specs and agent-readable skills ( AGENTS.md , task routing, spec skills). The agent is not inventing how RBAC or GDPR logging should work - it reads the foundation and follows it. 1. Fire-and-forget: the autonomous PR loop The execution agent owns the full unit of work: 1. git checkout -b feat/lead-capture-landing 2. implement against framework conventions 3. run the test suite (Playwright integration tests included) 4. open a structured PR: what changed, why, how it was verified You are no longer correcting tokens. The deliverable is a reviewable artifact. In the tutorial the output is concrete: a live site capturing leads straight into the Open Mercato CRM, with GD
AI 资讯
The Hidden Linux Routing Issue That Broke My Deployment
The deployment should have taken a few minutes. The application was running, DNS was configured correctly, and the domain was already pointing to the server's public IP. Caddy was configured as a reverse proxy and was listening on ports 80 and 443. Every item on my deployment checklist appeared healthy. Yet every Let's Encrypt validation attempt kept failing. The error looked simple enough: authorization failed timeout during connect likely firewall problem At first, I believed it. I checked DNS resolution, verified firewall rules, confirmed that Caddy was listening on the expected ports, and made sure the application itself was reachable. Every check came back clean. That was the first clue that the problem might not be where the logs were pointing. The Obvious Things The first assumption was DNS. I verified that the domain resolved to the correct public IP. dig +short my-domain.com Everything looked correct. Next came the firewall. sudo ufw status Ports 80 and 443 were open. There were no unexpected deny rules, and nothing suggested inbound traffic was being blocked. Then I checked whether Caddy was actually listening. sudo ss -tulpn | grep -E ':80|:443' Again, everything looked normal. The application itself was healthy too. curl http://localhost:3001 returned a valid response. At this point I had checked most of the things engineers typically check when certificate validation fails. DNS looked good, the firewall looked good, the reverse proxy was healthy, and the application was running. Yet the validation errors continued. The Part That Sent Me In The Wrong Direction The error messages kept mentioning connectivity problems and possible firewall issues. That wording influenced my thinking more than it should have. I spent time investigating firewall rules, reverse proxy configuration, TLS settings, and domain configuration. Every new hypothesis felt reasonable, but none of them explained why local tests consistently succeeded while external validation continued
AI 资讯
Comment orchestrer un double déploiement automatique sur Vercel & GitHub Pages avec GitHub Actions
Introduction Dans le cadre de mon apprentissage des pratiques DevOps modernes, j’ai conçu et implémenté un pipeline CI/CD (Continuous Integration / Continuous Deployment) capable de déployer automatiquement une application web frontend sur deux environnements de production distincts : Vercel et GitHub Pages . Cette mission constitue une application concrète des concepts fondamentaux du DevOps, notamment l’automatisation des processus, la réduction des interventions manuelles et la mise en place d’une chaîne de livraison logicielle fiable et reproductible. Tableau comparatif des plateformes Dans ce projet, le déploiement sur les deux plateformes n’est pas un doublon mais une démarche pédagogique et technique délibérée permettant de tester la flexibilité de l'orchestrateur. Voici comment elles se comparent : Critère GitHub Pages Vercel Hébergement Statique uniquement Statique + SSR + Serverless Domaine gratuit username.github.io projet.vercel.app CI/CD intégré Via GitHub Actions Natif + GitHub Actions Performance Bonne Excellente (Edge Network) Previews PR Non Oui (automatique) Gratuit Oui (illimité) Oui (avec limites) Cas d’usage Portfolios, docs Apps React/Next.js, SaaS ⚠️ Le problème du double déploiement : Laisser Vercel en mode automatique génère un conflit critique avec GitHub Actions. Pour éviter que deux builds s'exécutent en parallèle, j'ai désactivé le déploiement natif de Vercel en ajoutant un fichier vercel.json à la racine contenant "git": { "deploymentEnabled": false } . Le pipeline complet — deploy.yml Voici le code source du fichier de configuration de l'orchestrateur GitHub Actions ( .github/workflows/deploy.yml ). Ce script gère séquentiellement l'installation, le build et la publication vers nos deux cibles : name : CI/CD -- Deploy to Vercel & GitHub Pages # Declenchement : uniquement sur push vers main on : push : branches : - main jobs : build-and-deploy : runs-on : ubuntu-latest permissions : contents : write steps : # Etape 1 : Recuperer le code
AI 资讯
Mailboxes as Cattle: Ephemeral Email Infrastructure
When was the last time you deleted an email account on purpose? For most teams the answer is never, and that tells you something. We treat mailboxes the way we treated servers in 2008: hand-built, carefully named, kept alive indefinitely because recreating one is painful. They're pets. Meanwhile every other piece of our infrastructure — compute, queues, databases — became cattle: numbered, provisioned by code, destroyed without sentiment when the job ends. Email is finally catching up. With Nylas Agent Accounts (in beta), a mailbox is created with one call and destroyed with another, and that symmetry is the whole point. The full lifecycle in two commands Provisioning, from the CLI: nylas agent account create signup-agent@agents.yourdomain.com Or via POST /v3/connect/custom with "provider": "nylas" — no OAuth, no refresh token, just an address on a domain you've registered. Teardown is equally unceremonious: nylas agent account delete signup-agent@agents.yourdomain.com --yes (The API equivalent is a DELETE on the grant.) The signup automation recipe treats this as a loop: provision a fresh inbox, point a third-party signup form at it, catch the verification email through a message.created webhook, follow the confirmation link, delete the grant. No human inbox involved at any step, and nothing left behind. The middle of that loop is about twenty lines of webhook handler, and the recipe's version filters hard before acting — right grant, right sender, right URL shape: const { grant_id , id : messageId , from } = event . data . object ; if ( grant_id !== AGENT_GRANT_ID ) return ; const sender = from [ 0 ]?. email ?? "" ; if ( ! sender . endsWith ( " @saas-you-care-about.example.com " )) return ; const match = /https: \/\/ saas-you-care-about \. example \. com \/ confirm \? token= [^ " \s < ] +/ . exec ( message . body , ); if ( match ) await fetch ( match [ 0 ]); Nylas fires message.created within a second or two of mail arriving, so the whole signup round-trip typical
AI 资讯
The $0 Bug That Cost Us $1,800 in API Calls
Last quarter our OpenAI bill went from $620 to $2,480 in 23 days. No new features shipped. No traffic spike. Zero error alerts. Deployment logs were clean. Just a number climbing in silence while five engineers stared at dashboards that gave us totals and nothing else. This is what we found. And why "cost monitoring" is completely the wrong mental model. The dashboard that answers the wrong question First thing I did was open the OpenAI usage dashboard. It showed me a total. A graph going up. A model breakdown. I knew we spent $2,480. I still had no idea which feature spent it, which service triggered it, or which user was responsible. The dashboard was answering "how much" while we were desperately asking "what caused it." Those are completely different questions. Almost every cost tool on the market only answers the first one. That distinction matters more than most engineering teams realise until they are staring at a bill like ours. Three features, zero visibility We had three features hitting GPT-4o: A document summariser, triggered manually by users An inline suggestion engine, triggered on keystrokes A batch report generator, triggered on export Any one of them could be the problem. Or all three. Or one specific tenant hammering one endpoint in a loop nobody noticed. Without attribution at the feature, service, and user level, we were just guessing. So I did what most engineers do: optimised the feature that felt most expensive. Added caching to the one that ran most often. Two weeks later the bill was still climbing. Guessing at cost problems without attribution data is exactly like debugging a performance issue without a profiler. You move things around and hope. 48 hours of real data A teammate dropped CostReveal in our Slack. I set it up that evening. The Node.js SDK wraps your existing provider calls. You instrument each one with a feature name, service context, and user or tenant ID. That is the entire integration for the base case: import { CostReveal