AI 资讯
We built 126 browser tools with zero uploads. Here is what broke along the way
We are two friends building Pageonaut , a collection of 126 free browser tools (converters, calculators, PDF and image utilities, dev helpers). Early on we committed to one constraint: everything runs client-side . No file uploads, no accounts, no server-side processing. That one decision shaped the whole architecture, and it broke things in ways I did not expect. Here are the lessons, including the one where our server filled up with 419 GB of cache and took the site down twice. Why client-side only Every time I needed a quick converter, the top search results wanted me to upload my file to their server, create an account, or pay to remove a watermark. For work that a browser can trivially do locally. So the rule became: drop a file into one of our converters and it never leaves your device. You can watch the network tab while using it. This is great for privacy and trust, and it has a nice side effect: our server does almost nothing per user, so hosting stays cheap even if a tool gets popular. The cost: some tools are genuinely harder to build. PDF manipulation in the browser (we use client-side libraries instead of a server queue), image processing on the main thread without freezing the UI, and no "just call an API" escape hatch. When a tool truly needs the network (say, fetching a URL you give it), the page says so explicitly. Lesson 1: Unbounded URL params + ISR = a full disk This is the expensive one. We built shareable challenge pages: beat my score, try this color, that kind of thing. The URLs look like /tools/<slug>/challenge/<value> , where <value> is user-generated. With Next.js ISR, every unique URL that renders gets persisted to the filesystem cache. You can see where this is going. The value space is infinite. Bots found the pattern and started enumerating it. .next/server/app grew to 419 GB . The disk filled up, the site went down, and because we did not understand the root cause immediately, it happened a second time a few days later. The fix was tw
AI 资讯
Supracorona Login Gate: Simple Access Control for WordPress Sites
For internal websites, client portals, development environments, and WordPress projects that should not be publicly accessible. Not every private WordPress website needs a complete membership system. Sometimes there is no need to manage subscriptions, membership plans, payments, complex user roles, or dozens of content-access rules. Sometimes the requirement is much simpler: The website should only be accessible to logged-in users. That is the reason I created Supracorona Login Gate , a lightweight WordPress plugin that places a simple access gate in front of a website. When the plugin is enabled, logged-out visitors cannot browse protected site content. Instead, they are redirected to the standard WordPress login page or to a custom page selected by the site administrator. The plugin is now published on WordPress.org: Supracorona Login Gate The problem the plugin solves Many WordPress projects are not intended to be publicly accessible at every stage of their lifecycle. They may be: development or staging websites; internal company or organization websites; client portals; private knowledge bases; documentation websites intended only for team members; projects being prepared for launch; demo websites available only to selected users; websites temporarily closed during migration or reconstruction. WordPress provides privacy controls for individual posts, but that is not the same as restricting access to the entire website. Installing a full membership plugin is possible, but it is often far more than the project requires. Such systems may introduce additional database tables, large settings panels, custom profiles, login forms, subscription management, and complex rule engines that will never be used. Supracorona Login Gate has a much narrower responsibility. It is not intended to become a complete membership platform. It is intended to answer one clear question: Is the current visitor logged in? When the answer is yes, the website behaves normally. When the answer
AI 资讯
Helm 4 Migration Guide: What Breaks and How to Fix It Before EOL
Originally published on DevToolHub . Helm 4 shipped in November 2025. Eight months later, most teams are still running Helm 3 in production CI/CD because it works. But Helm 3's final feature release lands September 9, 2026, and security patches stop completely on February 10, 2027. This helm 4 migration is simpler than it looks. Your charts don't need rewriting — Helm 3 Chart API v2 charts are fully compatible with Helm 4. But the automation around Helm has four real breaking points that fail silently if you don't know where to look. [IMAGE: articles/images/2026-07-05-helm-4-migration-guide-featured.png | alt: "helm 4 migration flow from Helm 3 to Helm 4 upgrade path"] Why This Helm 4 Migration Matters Now The EOL timeline has three stages, and they matter differently based on your situation: September 9, 2026 — Final Helm 3 feature release (limited to Kubernetes client library updates only after this date) February 10, 2027 — All security patches stop If your organization runs regulated workloads with requirements around supported software, February 2027 is your hard deadline. But waiting until then means doing this migration under pressure, after 14 months of Helm 4 fixes shipped without you tracking them. The better path: upgrade now, before September, so you're on supported software when new Kubernetes releases land and need updated client libraries. What Actually Broke: The Four Real Changes 1. Post-renderers require plugin registration In Helm 3, you could pass any executable directly to --post-renderer : helm install myapp ./chart --post-renderer ./scripts/mutate.sh Helm 4 drops this. Post-renderers must now be registered as named Helm plugins and referenced by plugin name: helm install myapp ./chart --post-renderer my-post-renderer If your pipeline calls --post-renderer ./path/to/script.sh , it fails on Helm 4. The error message doesn't say "plugin required," so this is easy to miss in a quick smoke test. To wrap an existing script as a plugin, create a plug
AI 资讯
A self-cleaning Product Hunt teaser banner in Blazor WASM — 100 lines, auto-hides after launch, GA4-tracked
I'm launching SmartTaxCalc.in on Product Hunt on Tuesday, 14 July 2026 . It's a 38-tool Blazor WebAssembly tax + finance calculator I've written about here before ( the SEO/schema saga , and dropping mobile LCP from 6-8s to under 2s ). The Product Hunt launch algorithm heavily rewards products that arrive with a real coming-soon follower base — day-of upvotes correlate strongly with pre-launch "Notify me" clicks. My PH page started with 1 follower . I had 9 days to get to 50+. The obvious answer: post on LinkedIn, ask friends, DM your network. All of that has ceilings (you can only ask a favor once). The non-obvious answer that has no ceiling: convert your own organic search traffic into PH followers automatically. This is the ~100 lines of Blazor code that does that, plus the design decisions I made along the way. It's also self-cleaning — after the launch date, the banner disappears with no manual work required. Steal the pattern for your own launch. The problem SmartTaxCalc gets modest but real organic traffic — mostly from Google Search Console impressions on tax-season queries. That traffic is the warmest possible audience for a PH launch (they already found the site, they're in the target demo). But how do you route them to a PH page without: Disrupting the tax content (they came for a tax calculator, not a marketing pitch) Cannibalizing the existing tax-season banner (which drives users to /tax-calendar/ — a real retention lever) Leaving code debt after 14 July (a dead PH banner still on the site in September) Losing the dismiss preference across page navigations (SPA reality — no page refresh) Those constraints ruled out a modal, a full-width interrupt, and a "hardcoded remove after launch" approach. The design Slim horizontal bar at the top of every page. Sits ABOVE the existing tax-season banner. PH-brand orange, different from the tax-season banner's yellow/red so both are visually distinguishable when stacked. Dismissible per-user via localStorage . Auto
开发者
I got tired of watching 40 Kalshi tabs, so I built a self-hosted signal monitor
I kept hearing about Kalshi. The commercials, the mentions, and then one morning CNN was talking about Kalshi prediction odds like they were a weather report. So I went and looked. And I had no idea what I was seeing. Kalshi is really hard to understand when you're new to it. You get markets, contracts, prices that are also probabilities, volume, movement, and none of it tells you what's actually worth paying attention to. I wanted something that would translate what I was looking at into something I could understand and, ideally, act on. That was the whole original goal: make the firehose legible. Then, of course, I kept adding to it, because once you can read the flow you start wanting an edge in it. Who doesn't. So Trade Hunter grew from a translation layer into a translation layer with detection on top. This is a writeup of what it became, why I made the design choices I made, and the parts I'm still not sure about. I'd rather you poke holes in it now than find the breakpoints the hard way. If you think a decision here is wrong, please let me know. The comments are the point of this post, not an afterthought. Where this came from Basically, I couldn't read Kalshi, and I wanted to. Trade Hunter is the original tool I built to fix that for myself, and it's the one I still run when I want a live view. So this isn't a polished sequel to anything. It's the thing I built because I wanted it to exist, flaws and design bets included, and I'd rather show you those directly. The core idea never changed even as I piled features on: watch live Kalshi WebSocket feeds and surface an unusual move while it's still moving, rather than reading about it after the fact, or on CNN the next morning. What it actually does Trade Hunter subscribes to live Kalshi feeds across every market you track. Multi-contract series like the Fed rate decisions or who will win Top Chef fan out automatically to all open contracts, so you point it at one thing and it watches the whole family. When some
科技前沿
Bentley teases the Torcal, its first electric vehicle
Bentley has confirmed that it will finally add an electric car to its exclusive lineup.
AI 资讯
The part of a PaaS you use most should have the least power — so I built Mooring
I have a folder on my laptop called side-projects . Most of them are Dockerized. Most of them will never see more than a handful of users. And for years, every one of them hit the same wall: getting the thing onto a cheap VPS without losing a weekend — and copy-pasting my own past mistakes forward every single time. Here's the opinion that eventually turned into a project: the part of a PaaS you touch most often should hold the least power over your server. Think of a deploy tool as two planes. There's a read plane — dashboards, logs, container health, the stuff you stare at — where you spend most of your time and which is your most exposed surface. And there's a write plane — deploy, restart, the actions that actually change the system — which is rare and should be gated. My frustration was that the thing I looked at all day and the thing that could rewrite my box tended to sit on the same pile of privilege. So I built Mooring to keep those two planes apart. It's an early, solo project, and this post is me showing it and asking for eyes on it. The mental model The whole thing, end to end: Install it as an unprivileged systemd service (not root). Connect a git repo. Write one mooring.yaml . Click Deploy. That's the loop. Everything below is what's underneath it. What it is Mooring is a small, security-first, self-hosted control plane for Docker — a tiny PaaS. You point it at a git repo, describe your app once, and it deploys and runs your containers on your own server. Same territory as Coolify, Dokku, CapRover, and Kamal — all genuinely good work. The difference I care about is the posture underneath. It ships as one static, CGO-free Go binary . It runs as an unprivileged systemd service — not root. State lives in SQLite (the pure-Go modernc driver). Every asset is embedded with go:embed , so there's no node_modules , no asset pipeline, nothing to build on the box. To be honest about the neighborhood: setting up a self-hosted PaaS, these tools tend to want broad ac
AI 资讯
I built a daily Linux documentation site
I built a daily Linux documentation site I created this site because I've noticed that Linux documentation is generally confusing. What is xybss? xybss is a simple site that publishes Linux documentation every day. No ads No tracking No JavaScript Just plain HTML docs I add at least one new command every day. Who is it for? Beginners learning Linux Anyone who needs a quick reference People who want simple, clean docs Current content Right now, the site covers basic commands like ls and rm. More commands are added daily. Check it out 👉 https://xybss.github.io Feedback is welcome
AI 资讯
A 20-year-old HCI paper, resurrected as a Chrome extension
I missed the tiny "x" on a browser tab again today. Meant to close it, switched to it instead. Aiming a one-pixel pointer at an eleven-pixel checkbox is basically microsurgery, and somewhere along the way we all just accepted that. Here's the strange part: HCI research solved this twenty years ago. It just never shipped. The paper In 2005, Grossman and Balakrishnan published The Bubble Cursor at CHI. The whole idea fits in one sentence: Make the cursor's hit area a dynamic circle that always contains exactly one target. That turns out to be the same thing as always selecting the target nearest to the pointer. Picture the screen divided into Voronoi cells, one per clickable thing, and the cursor picking the owner of whatever cell it's currently in. The clever part is what it refuses to do. Naive "gravity" cursors snap to every link on the way to the one you actually want, and they get stuck. The bubble cursor grabs exactly one target by definition. The moment a second target becomes nearer, it switches. So it stays calm on link-dense pages, and the paper showed significant speedups in controlled experiments. Twenty years later our cursors are still naked, so I built it as a Chrome extension. It's called MagPoint . The core is about 30 lines A content script collects clickable elements ( a[href] , button , input , ARIA roles and so on) and, every frame, picks the one with the smallest point-to-rectangle distance: function pointToRect ( x : number , y : number , r : DOMRect ): number { const dx = Math . max ( r . left - x , 0 , x - r . right ); const dy = Math . max ( r . top - y , 0 , y - r . bottom ); return Math . hypot ( dx , dy ); } Clicks that land in the empty space near a captured element get re-routed to it. Past a max radius of 120px the magnet lets go, and empty-space clicks behave like the normal web. It also stands down while you type or select text, because getting yanked toward a link mid-sentence would be infuriating. The rule that kept me sane: the vis
AI 资讯
Scaling Terraform Infrastructure Beyond a Single Team
When a single engineer manages all the Terraform in an organisation, everything is simple. One repo, one state, one pipeline, one set of credentials. There's no coordination overhead because there's no one to coordinate with. That stops working the moment a second team needs to deploy infrastructure. And by the time you have three or four teams — networking, platform, application, security — the single-team model is actively slowing everyone down. This guide covers what breaks, how teams typically work around it, and how to set up a structure where each team owns their slice of infrastructure independently. What breaks State lock contention Terraform's state locking is per-state. When the networking team is running terraform plan , the application team's pipeline is blocked — even though they're changing completely unrelated resources. The more teams share a state, the more time everyone spends waiting. Blast radius A junior engineer deploying a new application service shouldn't be able to accidentally destroy the VPC. But if application resources and networking resources share a state, a single misconfigured terraform apply can touch anything. Code review catches some of this. Not all of it. Credential sprawl A shared pipeline needs credentials for everything — the networking team's Azure subscription, the application team's AWS account, the security team's DNS provider. Every team's secrets end up in one CI environment, accessible to anyone who can trigger a run. This fails most compliance audits. Approval bottlenecks In many organisations, one person or a small group gatekeeps all infrastructure changes. Every PR needs their review. Every apply needs their approval. The gatekeeper becomes a bottleneck not because they're slow, but because they're a single point of serialisation for all infrastructure work. Backend access as implicit access control Terraform has no built-in concept of per-team or per-workspace permissions. All workspaces in a backend share the sam
AI 资讯
Managing Terraform Across Multiple Cloud Providers
Most organisations don't live in a single cloud. You might run compute in AWS, DNS in Cloudflare, identity in Azure AD, and logging in GCP. Terraform handles each provider fine on its own, but the moment you need to coordinate across providers the tooling fights you. This guide walks through the common pain points of multi-cloud Terraform setups and the approaches teams use to cope — then shows how Snap CD makes cross-cloud dependency management a solved problem. Where it gets difficult Credential sprawl Each cloud provider has its own authentication mechanism. AWS uses IAM roles and access keys. Azure uses service principals and managed identities. GCP uses service accounts and workload identity federation. A single Terraform state that spans providers needs credentials for all of them — which means your CI runner or developer workstation holds keys to everything. That's a security problem. A compromised CI pipeline with AWS and Azure credentials exposes both clouds simultaneously. And it's an operational problem — rotating credentials means updating every pipeline that touches that state. This problem compounds at scale: Terraform couples provider processes tightly to credentials , so managing hundreds of accounts across clouds means spawning thousands of provider processes, which quickly becomes unmanageable. Provider version conflicts Terraform providers are versioned independently. Upgrading the AWS provider to fix a bug in aws_eks_cluster shouldn't require you to also test a new version of the Azure provider. But when they share a state, a terraform init -upgrade pulls new versions for everything, and a regression in one provider blocks all deployments. Terraform also lacks built-in support for instantiating multiple providers with a loop and passing providers to modules in for_each , making multi-cloud configurations especially verbose and repetitive. Blast radius across clouds A misconfigured terraform apply in a single-cloud state damages resources in one c
AI 资讯
Bentley Torcal EV: Price, Specs, Availability
The 300-mile Torcal arrives in September, but considering what's come before with Ferrari, Porsche and Mercedes, has the company timed its EV entry right?
科技前沿
The Czinger 21C might be the wildest car we drive all year
This hybrid V8 has organic-looking 3D-printed components and shatters lap records.
AI 资讯
Sony Bravia 7 Mark II: Midrange but Priced High (2026)
This midrange mini RGB LED television has a high-end price but doesn’t match the brightness and contrast of more advanced models.
AI 资讯
Agentic payments: your AI agent can pay - but can it get paid?
Everyone is building rails for AI agents to spend money. Google's AP2 gives agents payment mandates. Coinbase's x402 pattern turns HTTP 402 into machine-to-machine micropayments. Agent wallets are everywhere. But watch what agents actually do all day in 2026: they build products. A Lovable app in an evening. A SaaS in Cursor over a weekend. And every one of those products eventually needs the thing no spending protocol covers — accepting money. The wall every agent hits Here's a session I've watched a hundred times: ➜ ~ claude "finish my app" ✓ scaffold — Next.js + Tailwind ✓ UI — components & design system ✓ UX — onboarding flow polished ✓ auth — Google sign-in wired ✓ database — schema + migrations ✓ deploy — production live ▸ application is almost ready… ✗ missing: payments And then the agent — which just shipped a full product in one session — tells you: "To accept payments you need a merchant account. Traditional PSP onboarding requires a compliance review — expect to wait at least a week for approval." An app built in an evening, waiting 7 days for permission to charge £1. That's not risk management. That's a workflow designed when software took months to ship, and nobody went back to fix it. Your other options aren't better: no company? The classic path detours through Stripe Atlas ($500) and an IRS EIN wait that stretches to weeks for non-US founders — before you can even apply . Software's bottleneck has moved — from writing code to accepting payments. What "agent-native" means on the merchant side The spending side got protocols. The earning side needs four properties: 1. Machine-readable everything. Docs an agent consumes in one pass — llms.txt , agents-first API references. The integrating developer is increasingly not a human. 2. Provisioning tools, not just management tools. Stripe's MCP server can operate an account you already have — customers, refunds, invoices. The agent-native question is one level deeper: create the account. 3. Progressive KYB. G
AI 资讯
You Can't Review an Agent. You Can Review a Plan.
A harness for AI-era Terraform. I'm building one. For a while now I've been developing a harness for infrastructure-as-code as a private SDK and compiler — the layer that sits between whoever proposes a change (a person, an agent, CI) and whatever actually reaches production. This post isn't the tool. It's the thinking underneath it, and the few pieces I've become most convinced by while building it. (Notes from inside the work — where I've landed so far, not advice.) The problem that sent me down this road is easy to state and easy to underrate. A version of it happened recently. An agent fixed some Terraform; the PR read clean — tidy diff, sensible resource names, a plan output that looked exactly like what I'd asked for. It got approved. And then, at apply time, a different plan ran than the one that was reviewed: apply had re-planned against state that moved in between, and the diff that touched production wasn't quite the diff anyone had read. Nothing broke, that time. But that near-miss is the whole reason the harness exists. Because the danger was never "the agent writes bad HCL." Agents write perfectly good HCL; I let them. The danger is the distance between the plan a human reviewed and the plan that actually runs — and once agents are the ones proposing changes at volume, that distance is the thing I most want to nail shut. Where I've landed for now (and expect to keep revising): What AI-era IaC needs isn't AI that can apply . It's a structure where every change — human or agent — is evaluated at the same boundary , and only a reviewed plan ships. The unit of trust isn't the agent. It's a specific, reviewed plan , bound byte for byte. You can't review an agent. You can only review a plan. Instructions to an agent can be broken. A CI gate can't be talked out of it. Put guidance in the prompt; put the guarantee in the gate. Terraform/OpenTofu don't go away. You wrap them in a harness; you don't replace them. Your repo has non-human authors now For years IaC
AI 资讯
How I Cut Our AI API Bill by 95% — The Engineering Playbook
How I Cut Our AI API Bill by 95% — The Engineering Playbook When our finance lead forwarded me the AWS bill for March, I almost choked on my coffee. We were a team of nine engineers shipping AI features, and somehow we'd burned through enough on inference to cover two salaries. The worst part? I hadn't even noticed because the charges were scattered across OpenAI, Anthropic, and a couple of side experiments. That's the moment I decided to actually treat LLM spending like a real infrastructure problem instead of a credit card swipe. What follows is the playbook I wish I'd had on day one. These aren't theoretical tips — they're the exact moves I made across three products to get our run-rate down to roughly 5% of where it started, without shipping worse software. The Harsh Truth About Model Defaults Here's the dirty secret nobody tells you in the LLM hype cycle: most teams default to the most famous model for every single call. GPT-4o for everything. Claude Sonnet for everything. Then they wonder why their "simple AI feature" costs them a kidney. The model selection decision is where I recovered the majority of my budget. When you look at it rationally, the gap between the flagship tier and the cheap-tier models is absurd for tasks that don't require frontier reasoning. This is the matrix I landed on, and it still governs our routing today: Task What I Used To Use What I Use Now Cost Cut Simple chat GPT-4o ($10/M out) DeepSeek V4 Flash ($0.25/M) 97.5% Classification GPT-4o-mini ($0.60/M) Qwen3-8B ($0.01/M) 98.3% Code generation GPT-4o ($10/M) DeepSeek Coder ($0.25/M) 97.5% Summarization GPT-4o ($10/M) Qwen3-32B ($0.28/M) 97.2% Translation GPT-4o ($10/M) Qwen-MT-Turbo ($0.30/M) 97% I want you to really sit with the classification row. Qwen3-8B at $0.01 per million output tokens. That's sixty times cheaper than GPT-4o-mini. For a binary sentiment classifier, the accuracy difference in my benchmarks was under 1.5 percentage points. The ROI math isn't even close. The code
AI 资讯
Self-Hosting Like a Pro, Part 1: Hardening a Fresh Ubuntu VPS
This is the first article in a four-part series where I document how I turned a 10€/month VPS into a production-grade platform hosting my portfolio, a university group webapplication and a SaaS product, all isolated from each other with Kubernetes. In this part, we take a fresh Ubuntu server and lock it down properly before installing anything else. Why bother with hardening? The moment your VPS gets a public IP address, it starts receiving attacks. Not "might receive", it starts . Within minutes, automated bots will probe port 22, try root:root , admin:admin123 and thousands of other credential combinations. If you skip this step and jump straight to deploying your apps, you are building on sand. The good news: an hour of work is enough to eliminate the vast majority of these threats. Here is what we will set up: A non-root user with sudo privileges SSH key authentication, with passwords and root login disabled UFW as a simple, effective firewall Fail2ban to ban brute-force attackers automatically Automatic security updates What you need A fresh VPS running Ubuntu 24.04 LTS or newer. I use a Hostinger KVM 2 (2 vCPU, 8 GB RAM, 100 GB NVMe), but any provider works: Hetzner, DigitalOcean, OVH, Contabo. The root password or SSH key your provider gave you. A terminal on your local machine (macOS, Linux, or WSL on Windows). Throughout this tutorial, replace YOUR_SERVER_IP with your server's IP address and deploy with the username you want to use. Step 1: First login and system update Connect as root for the first and last time: ssh root@YOUR_SERVER_IP Update everything before touching anything else: apt update && apt upgrade -y apt autoremove -y If a kernel update was installed, reboot now: reboot Wait a minute, then reconnect. Step 2: Create a non-root user Working as root is like driving without a seatbelt: fine until it isn't. One mistyped rm -rf and the party is over. Create a dedicated user: adduser deploy Choose a strong password (you will still need it for sudo ,
AI 资讯
What I Learned After Building AI Systems Across Multiple Brands
One of the biggest misconceptions about AI is that every project is unique. At first glance, it certainly feels that way. One project is a chatbot. Another is an AI-powered search system. Another automates documentation. Another generates code. But after building AI systems across multiple brands and initiatives, I started noticing something surprising. The technology changes. The business domain changes. The users change. The underlying principles rarely do. Here are some of the biggest lessons I've learned. 1. AI Doesn't Fix Broken Systems Many teams believe AI will solve operational problems. In reality, AI usually exposes them. If documentation is inconsistent, AI becomes inconsistent. If data is outdated, AI produces outdated answers. If workflows are unclear, automation becomes unreliable. One of the biggest lessons I've learned is this: AI amplifies the quality of your existing systems. It rarely compensates for poor foundations. That's why I spend far more time understanding processes than choosing models. 2. Simplicity Beats Complexity Every new AI framework looks exciting. Agents. Memory. Planning. Reflection. Tool calling. Multi-agent orchestration. I've experimented with many of these approaches, but one principle keeps proving itself. The simplest solution that solves the problem is usually the best solution. A straightforward workflow is often easier to: Build Test Maintain Scale Explain Complexity should be introduced only when it delivers clear value. 3. Prompt Libraries Are More Valuable Than Individual Prompts When I first started using AI, I wrote prompts from scratch. Eventually I realized I was solving the same problems repeatedly. Now I build prompt libraries. Instead of creating new prompts every day, I improve existing ones. This creates consistency across projects. If you're interested in how I manage this, I recently shared the system I use to organize more than 10,000 prompts across different projects. The shift from individual prompts to
产品设计
What Happens When Everyone Can Build Apps But Nobody Understands Them?
Alright, real talk moment. Last week I watched someone with zero coding background build a fully...