今日已更新 38 条资讯 | 累计 21257 条内容
关于我们

标签:#Web

找到 1741 篇相关文章

AI 资讯

Why I Stopped Using reset() and end() in PHP (And What I Use Now)

If you have been writing PHP for a year or two, you have almost certainly written something like this: $items = getFilteredOrders (); $first = reset ( $items ); $last = end ( $items ); It works. It runs. It looks fine in code review. And it contains a subtle bug waiting to happen. The problem with reset() and end() Both functions move PHP's internal array pointer as a side effect. PHP arrays have a hidden cursor that tracks "the current position" in the array. Functions like current() , next() , prev() , and each() depend on where that cursor sits. reset() moves it to the first element. end() moves it to the last. This is harmless in an isolated script. But in a real application, the same array often passes through multiple functions — and any function that relies on the cursor position after your call will get unexpected results. Here is a concrete example: function getFirstActiveOrder ( array $orders ): ?array { // Moves the pointer to the first element $first = reset ( $orders ); foreach ( $orders as $order ) { if ( $order [ 'status' ] === 'active' ) { return $order ; } } return null ; } At first glance this looks fine. But foreach in PHP actually resets the pointer to the beginning before iterating — so in this simple case you get lucky. The bug shows up in less obvious situations: when you call reset() inside a function that the caller is already iterating with current() / next() , or when you use end() to peek at the last item while a foreach is in progress on the same array reference. The deeper issue: reset() and end() return false on an empty array. But false might also be a legitimate value stored in your array: $flags = [ true , false , true ]; $last = end ( $flags ); // returns false — but is this "empty array" or "the value false"? You have to write: if ( $flags === [] || end ( $flags ) === false ) { ... } Which is already awkward. And it still mutates the pointer. The modern solution: array_key_first() and array_key_last() PHP 7.3 introduced two functi

2026-06-10 原文 →
AI 资讯

10 MCP Servers That Actually Improve Your Development Workflow in 2026

If you've been following the AI-assisted development space, you've heard about the Model Context Protocol (MCP). But let's be honest—most MCP server lists are either too abstract or filled with niche tools you'll never use. In 2026, the ecosystem has matured, and I've curated 10 MCP servers that deliver real, measurable improvements to your daily coding workflow. Each entry includes: What it does Why it's useful (with a concrete scenario) Example config (using the standard .mcp.json or claude_desktop_config.json ) Let's dive in. 1. GitHub MCP Server (by modelcontextprotocol) What it does: Full read/write access to GitHub repos—issues, PRs, code reviews, and releases. Why useful: Instead of switching between your IDE and GitHub, your AI assistant can create a PR, request a review, and merge after CI passes—all from a single prompt. Example config: { "mcpServers" : { "github" : { "command" : "npx" , "args" : [ "-y" , "@modelcontextprotocol/server-github" ], "env" : { "GITHUB_TOKEN" : "ghp_xxxxxxxxxxxxxxxxxxxx" } } } } Scenario: "Create a new branch, add a fix for issue #42, push, and open a draft PR with a description." 2. Filesystem MCP Server What it does: Read, write, search, and manipulate files and directories on your local machine. Why useful: Your AI can now scaffold an entire project structure, rename files in bulk, or refactor code across multiple files without manual intervention. Example config: { "mcpServers" : { "filesystem" : { "command" : "npx" , "args" : [ "-y" , "@modelcontextprotocol/server-filesystem" ], "env" : { "ALLOWED_DIRS" : "/home/user/projects" } } } } Scenario: "Create a Next.js project with this folder structure, add a components folder, and move all page files into a pages directory." 3. PostgreSQL MCP Server What it does: Connect to PostgreSQL databases, run queries, and return results. Why useful: Debugging SQL queries or exploring a production database becomes a conversation. You can ask "Show me the last 10 orders with user details" a

2026-06-10 原文 →
AI 资讯

I built 50+ developer tools that run entirely in your browser — here's why privacy matters and how I did it

Every week I open a new browser tab and search for something like "json formatter online" or "jwt decoder" or "regex tester". And every week I land on a site that: Shows me three ad banners before I can see the tool Requires me to create an account to "save" my work Is quietly uploading my payload to their server That last one bothers me most. Developers paste real things into these tools — JWT tokens with live user data, passwords they're about to deploy, private keys, internal API responses. Most people assume these tools are "just a webpage" and nothing is being sent anywhere. Often that's not true. So I built SnapTxt — a collection of 50+ developer utilities that run 100% client-side. No backend. No account. No tracking. Your data never leaves your browser. What's in it The toolkit covers the things I reach for most often: Data & text JSON formatter, validator, minifier, diff, tree explorer SQL formatter XML formatter YAML → JSON, CSV → JSON converters Base64 encode/decode, URL encoder, hash generator Auth & security JWT decoder & generator RSA key generator bcrypt generator x.509 certificate decoder Password generator Images Image compressor Image format converter Image to text (OCR via Tesseract.js) SVG to PNG, favicon generator, code-to-image Frontend / CSS Regex tester CSS gradient generator, box shadow generator Color converter Mermaid live editor HTML live editor, HTML to Markdown, HTML to JSX Cron expression builder And more — word counter, text diff, unix timestamp, lorem ipsum, QR code generator, markdown to PDF, and a collection of Australian and NZ business number validators. How it's built It's a Next.js app deployed as a fully static export to Firebase Hosting. There is no server. Every tool runs in the browser using: CodeMirror 6 for editor-style inputs Tesseract.js for OCR (runs a WASM binary in a web worker) Chrome's built-in Prompt API (Gemini Nano) for the AI explain features in JSON, SQL, and JWT tools — meaning even the AI inference is on-dev

2026-06-10 原文 →
AI 资讯

Chrome 149 finally lets you turn off its local AI model. That should be the default

Google pushed a 4GB local AI model to Chrome through silent updates and did not provide a disable switch until version 149. Users had to delete the file manually and it would be re-downloaded on restart. The reason this matters is not the storage. It is the consent. An AI model running in my browser is a category different from a calculator widget. It sends data to an inference engine, consumes power, generates heat, and runs code. Not having a clear off switch is not an oversight. It is a product philosophy about whether the user is in control. I do not think local AI is inherently bad. For real-time search suggestions or on-device content filtering it is useful. But the deployment model matters. If I install something, I should know what it does and how to turn it off. The update that installed the model was silent and the documentation was buried. The switch to disable it only appeared after sustained user complaints. The lesson is that capability is not what builds trust. The ability to turn it off is. submitted by /u/Fantastic-Place5501 [link] [留言]

2026-06-10 原文 →
AI 资讯

How to Transcribe a YouTube Video (Free, in Under a Minute)

Building a "paste a YouTube link, get a transcript" feature sounds trivial until you deploy it to a server. The moment your request comes from a datacenter IP instead of a residential one, YouTube responds with LOGIN_REQUIRED or quietly serves nothing. Here's how VidTranscriber handles it. The problem There are two ways to get text from a YouTube video: Existing captions — if the uploader (or YouTube's auto-caption) provides them, you can fetch the caption track directly. Fast, free, no transcription needed. Transcribe the audio — pull the audio stream and run it through a speech-to-text model (Whisper-family). Works for any video, but costs compute. Both start with talking to YouTube from your server — and that's where it breaks. YouTube aggressively gates datacenter traffic: the watch page and InnerTube API return LOGIN_REQUIRED , and naive audio fetching gets reCAPTCHA'd. The approach The fix is to separate where the request originates from where the work happens : A Cloudflare Worker handles the user request and orchestration. Caption/audio fetching is routed through a path whose egress isn't treated as a bot — so the LOGIN_REQUIRED wall doesn't trigger. Captions, when available, become the primary path (no transcription cost). Only when there are no usable captions do we fall back to downloading audio and running Whisper. Long jobs go onto a queue (Cloudflare Queues) so the request returns immediately and the transcript streams in as it completes. Why captions-first matters Most "transcript generator" traffic is for videos that already have captions — talks, tutorials, news. Serving those from the caption track is instant and free, which means the expensive Whisper path is reserved for the minority of videos that actually need it. That's the difference between a tool that's cheap to run and one that isn't. What's still hard IP reputation drifts — what works today can get throttled tomorrow, so the extraction path needs monitoring and fallbacks. Caption quality

2026-06-10 原文 →
AI 资讯

Headless CMS Security: Why Decoupled Is Safer

📝 Originally published on unfoldcms.com — reposted here for the DEV community. (I work on UnfoldCMS.) A coupled CMS puts the admin login on the same hostname visitors reach. A headless CMS puts it on a different hostname behind auth. That single architectural difference is why headless CMS security is meaningfully better than traditional coupled-CMS security on most real-world dimensions — and it's also why the comparison gets oversimplified into "headless is more secure" when the truth is more interesting. This post is the architectural take on headless CMS security : why decoupled is safer on most dimensions, where it can be less safe if you don't handle API hygiene properly, and what the honest comparison looks like in 2026. TL;DR : headless wins on attack-surface reduction (admin off the public hostname, smaller plugin attack surface, API-first auth model) but loses on dimensions teams typically don't think about (exposed APIs without rate limits, JWT misuse, secrets in frontend code, draft preview tokens leaking). A well-built headless CMS is meaningfully more secure than a typical WordPress site; a poorly-configured headless CMS can be worse than a maintained WordPress site. The architecture biases toward safer; the implementation determines actual outcomes. The audience: technical decision-makers and security-conscious teams comparing CMS architectures with security as a deciding factor. If you're earlier in the architectural decision, see headless CMS vs traditional CMS: key differences . For the WordPress-specific security picture this post compares against, WordPress security problems in 2026 . The Attack Surface Difference The single biggest architectural difference between coupled and headless CMS security is where the admin lives . A traditional WordPress site puts the admin login at yourdomain.com/wp-admin . The same hostname your visitors reach. The same SSL cert. The same Cloudflare config. Every brute-force attempt, every credential-stuffing bot, ev

2026-06-10 原文 →
AI 资讯

WordPress Market Share Declining (2026 Data)

📝 Originally published on unfoldcms.com — reposted here for the DEV community. (I work on UnfoldCMS.) WordPress's market share among CMS-using websites dropped from 65.2% in 2023 to 60.2% by Q1 2026, contracting -2.9% year-over-year for the first time in over a decade. The platform that built the modern web is losing share to Wix, Squarespace, Shopify, and an emerging headless category — and the trend is steeper among newly-built sites than the headline number suggests. This post is the data-driven take on WordPress market share declining in 2026 — where the numbers actually come from, where the lost share is going, what age-cohort analysis reveals about the trajectory, and what the developer-signal data (Stack Overflow, GitHub) shows about who's still building on WordPress versus moving on. TL;DR : WordPress isn't collapsing — 60% market share is still dominant — but the lead has shrunk for the first time in 10 years, the cohort of new sites is breaking away faster than the overall number suggests, and the developer mindshare is leaving even faster than market share. The structural pressures (security, performance, plugin tax, modern stack expectations) all point the same direction. The audience: developers, agencies, and CTOs trying to read the WordPress market trend before committing to a multi-year platform decision. If you've been told "WordPress is sinking" or "WordPress is fine, market share gossip is overstated," this post puts numbers behind the actual movement. For the broader context on why WordPress is losing share, see why developers are leaving WordPress: 7 pain points and WordPress vs modern CMS: honest feature comparison . The Headline Numbers Three primary sources track CMS market share. They don't agree exactly, but they all show the same direction: W3Techs (the most-cited dataset, scans the top 10M websites): Metric 2023 Q1 2024 Q1 2025 Q1 2026 Change WordPress share among CMS-using sites 65.2% 64.1% 62.4% 60.2% -5 points in 3 years WordPress shar

2026-06-10 原文 →
AI 资讯

🤖 Your AI Agent Is Failing in Prod — You Just Don't Know It Yet

The demo is impressive. ✅ The demo works in your environment, with your data, with you watching. ✅ Production? Silent failures. Cost overruns. Wrong tool calls. Stuck loops. No fallback. ❌ Agents in 2026: The Real Problem Here is the thing most people are not talking about when they ship AI agents: A demo agent and a production agent are completely different things. A demo is: "watch this work once." A production agent is: "what happens when it is wrong, stuck, expensive, over-permissioned, or called 10,000 times by real users?" That second question is what separates a cool technical proof-of-concept from something a business can actually rely on. Demos are not systems. 1️⃣ The 7 Things That Break in Prod In every agent hardening sprint I run, the same failures show up: Failure Mode What It Costs No logging You have no idea what the agent did or why No eval set You cannot measure quality or catch regressions Unlimited tool access Agent calls tools it should never touch No retry logic Transient failures become permanent failures No memory rules Context leaks between sessions or inflates cost No fallback path Agent loops or crashes instead of escalating No cost checks 1 misconfigured prompt → $400 API bill overnight If your agent is in production with 3 or more of those missing — you are one bad prompt away from a very expensive incident. 2️⃣ The Production Hardening Checklist Before you call an agent production-ready, run through this: Eval set exists — at least 20 test cases covering happy path + edge cases Structured logging — every tool call, every input, every output, every error — logged and searchable Retry logic — transient API failures handled gracefully, not crashed Tool limits — agent cannot call tools outside its defined scope Memory rules — what carries over between sessions, what gets cleared, how context is compressed Fallback paths — when the agent gets stuck or uncertain, it has an exit: escalate to human, return partial result, surface an error Cost

2026-06-10 原文 →
AI 资讯

⚡ Proof Compounds. Claims Decay. — Why Delivery Is Your Next Marketing Asset

Here is the move most technical service providers miss: Every project you deliver quietly dies inside a private folder. Every project you deliver with receipts becomes a trust asset that sells the next sprint without you lifting a finger. The Insight Almost No One Acts On Delivery is not the end of marketing. Delivery is where the next marketing asset is born. The before/after screenshot. The launch-readiness report excerpt. The workflow map. The metric improvement. The buyer quote. All of that is proof. And proof is the compound interest of service work. Claims decay. Proof compounds. 1️⃣ What Proof Actually Looks Like This is the proof asset menu. Every sprint should produce at least 1 item from this list: Before/after screenshot — the most shareable format Launch-readiness report excerpt — shows rigor and standard Workflow map — visual, specific, credibility-dense Dashboard screenshot — metrics that moved Test checklist — shows what was verified, not just what was built Client quote — even 1 sentence is worth 1,000 words of claims Metric improvement — "response time dropped from 24 hours to 4 minutes" Public teardown — anonymous version of the diagnosis Case study — structured story: context → pain → fix → result One-minute walkthrough video — screen-recorded, narrated, personal You do not need all of them. You need 1 per sprint. 2️⃣ The Case Study Structure That Sells A case study is not a trophy. It is a reusable trust asset. Use this structure every time: 1️⃣ Context — who had the problem? (anonymized if needed) 2️⃣ Pain — what was it costing them? 3️⃣ Hidden cause — what was really broken underneath? 4️⃣ Fix — what did you change, specifically? 5️⃣ Result — what improved? With a number. 6️⃣ Proof — what artifact backs it up? 7️⃣ Lesson — what should similar buyers do next? That is 7 steps. The whole thing can fit in a LinkedIn post or a page section. And here is the thing most people are not talking about: a case study with a specific number outperforms 10 po

2026-06-10 原文 →
AI 资讯

🧠 The Million-Dollar Math Is Boring — And That's the Point

A million dollars is emotional as a dream. As math, it is boring. And that is exactly why most people never get close. Break It Down Here is the thing: $1M/year is not one big bet. It is a machine. And machines are built from boring, repeatable components. 20 clients at $50,000? That is $1M. 100 clients at $10,000? That is $1M. 12 retainers at $4,000/month? That is $576k — plus 4 sprints at $10,000 each gets you to $616k. The question is not whether the number is possible. The question is which machine can realistically produce it — from where you actually stand today. 1️⃣ The Practical Ladder Here is how the staged path actually works for an AI service business: Stage What You Are Doing Why It Matters Stage 1 Sell fixed-scope sprints Creates cash and proof Stage 2 Turn repeated sprint work into templates, SOPs, automations Reduces delivery time, increases margin Stage 3 Sell retainers around highest-demand system Predictable monthly cash Stage 4 Productize repeated workflow into software or toolkit Scalable without more hours Stage 5 Scale the thing the market already proved it wants Compound the machine Notice what is missing from Stage 1. There is no SaaS. No product. No cold paid traffic. No team. Just skill, packaged cleanly, sold to people with money and a painful problem. That is the fastest path — not the most glamorous one. 2️⃣ The Proof-of-Force Line The first mission is not $1M. The first mission is $10k/month — reliably, from sprint work. Here is what that actually looks like: 2 × $1,500 teardown/audit packages = $3,000 2 × $3,500 implementation sprints = $7,000 2 × $5,000 launch/GTM sprints = $10,000 3 × $2,000 retainers = $6,000/month That is not the finish line. It is the proof-of-force line. It proves the machine works. It funds the next iteration. It creates the case studies that make the next sprint easier to sell. Then you go from $10k/month to $25k. Then $50k. Then you make the productization decision from a position of demand — not hope. 3️⃣ The

2026-06-10 原文 →
AI 资讯

📊 Distribution Is the Moat — And Most Technical Founders Have None

Products are easier to build. Workflows are easier to automate. Content is easier to generate. But trust is not easier. Attention is not easier. Buyer memory is not easier. The Hard Truth Here is the thing most people are not talking about in 2026: The bottleneck is no longer the product. The bottleneck is whether the right buyer has seen your diagnosis 3 times in 2 weeks. Because that is how trust is built. Not with one perfect post. With repeated, useful presence in the right feed. Distribution is the moat. 1️⃣ Why "Staying Active" Is the Wrong Goal Most founders post to stay active. That is not a content strategy. That is anxiety dressed up as marketing. Every post should do one of 3 things: Make the buyer understand a pain they already have Make the buyer trust your diagnosis of that pain Move the buyer closer to a conversation A post about your tech stack? Probably none of those. A post that says "Your AI app is not launch-ready until auth, payments, logging, and rollback are boring" — that does all 3. 2️⃣ The Five Content Pillars That Build Pipeline Here is the system I use. 5 pillars. Everything maps to one of them: Pillar What It Signals Launch risk Why AI-built products break before production GTM systems How founders turn expertise into pipeline Workflow automation How businesses leak time and revenue Proof and case studies What changed before/after — with receipts Founder operating lessons The discipline behind building for money Every post I write maps to one of these. Not because it is tidy. Because each pillar speaks directly to a buyer who has a specific pain — and positions me as the operator who sees it clearly. 3️⃣ The Daily Format That Creates Pipeline This is the actual weekly posting structure that works: Monday — mistake post: a painful thing technical founders do wrong Tuesday — teardown post: a real example dissected publicly Wednesday — checklist: the 10-item audit your buyer needs Thursday — before/after: what changed after a sprint, with s

2026-06-10 原文 →
AI 资讯

⚡ Your AI Demo Is Not a Product — Here's the Checklist That Proves It

The demo worked perfectly. ✅ Production? First real users. 50% failure rate. ❌ The Gap Nobody Warns You About I see this pattern every week — a founder launches, pushes traffic, and watches their app fall apart in real conditions. Not because the core idea was wrong. Because "it works on my machine" is not a launch-readiness standard. AI-built apps in 2026 ship fast. That is the superpower. But fast shipping without hardening means you are presenting a demo as a product — and real users will find every crack within 48 hours. 1️⃣ What "Launch-Ready" Actually Means Launch-ready is not "the feature works." Launch-ready is when auth, payments, logging, analytics, database permissions, and rollback are boring — because they have already been thought through and tested. Here is the difference: Demo State Launch-Ready State Auth works for happy path Auth handles edge cases, token expiry, role conflicts Payments go through in test mode Webhooks confirmed, retries handled, failures logged Console.log for debugging Structured logging with alerts on errors No analytics Core events tracked from day 1 Manual deploy Automated deploy + rollback path exists No onboarding flow User activation measured from first session If your app is in column one — you are not ready. 2️⃣ The Launch-Readiness Checklist Copy this. Run it before you push traffic. Authentication and authorization — roles, permissions, token handling, session expiry Environment variables — nothing sensitive exposed, prod secrets separate from dev Database permissions — row-level security, no open-read tables, no admin keys in frontend Payment webhooks — test confirmed, failure logged, retry logic exists Error logging — uncaught exceptions surfaced somewhere you will actually see them Analytics events — signup, activation, key action, churn signal — all firing Rate limits — LLM calls protected, API routes guarded Backups and rollback — you have a path back if something breaks Onboarding flow — first session gets the use

2026-06-10 原文 →
开发者

Has anyone seen this happen in Google Search Console?

I launched a content site about 2.5 months ago. Current stats: • ~250 pages published • ~196 pages indexed by Google • Pages are receiving organic traffic from Google, Bing, Reddit, HN, and social media • Brand searches are starting to appear on page 1 The strange part: Google Search Console still shows my sitemap as: "Couldn't fetch" with 0 discovered pages. Yet the sitemap URL loads fine in a browser, robots.txt references it correctly, and Google has clearly discovered and indexed hundreds of pages. At the same time, I noticed indexed pages dropped from ~238 to ~196, while "Crawled – currently not indexed" increased. I'm trying to figure out whether: Search Console is simply showing stale sitemap data Google is finding URLs through internal links and ignoring the sitemap This is a normal quality-filtering phase for a young site Or it's an early warning sign that Google isn't happy with the content Would love to hear from anyone who has experienced the combination of: • Sitemap = "Couldn't fetch" • Hundreds of pages indexed anyway • Growing "Crawled – currently not indexed" counts What happened next? submitted by /u/kamscruz [link] [留言]

2026-06-10 原文 →
AI 资讯

I get millions of users but barely make money

I own an unblocked games website that I started roughly 2 years ago at https://boredom arcade.xyz and it's reached over 75000 daily active users. I run ads with Google adsense, but since the website has so many mirror domains I struggle to make the money that I should. I have looked into other advertising networks that allow for mirror domains such as adsterra but they offer low quality ads which isn't what I want. Does anyone know how I could make more money from my website? It currently only pulls in about 250 ish a month from the few domains I have monetized on adsense. submitted by /u/Recent-Background-61 [link] [留言]

2026-06-10 原文 →
AI 资讯

What is Redis? The In-Memory Data Store That Makes Your App Faster

🎬 This article is a companion to my YouTube video. Watch it here: Introduction In this video we are going to talk about Redis — what it is, what it does, and why it is an important part of my back-end stack. What is Redis? Redis is a free, open-source, in-memory data store. Unlike PostgreSQL which stores data on disk, Redis stores data entirely in memory — in RAM. This makes it extremely fast. Redis can handle millions of operations per second with sub-millisecond response times. Redis is most commonly used as a cache, a session store, a message broker, and a real-time data store. What is Caching? When your application queries a database, that query takes time — it reads from disk, processes the query, and returns the result. If the same query is made thousands of times per second, you are hitting the database thousands of times unnecessarily. Caching solves this by storing the result of a query in memory. The first request hits the database and the result is stored in Redis. Every subsequent request gets the result from Redis — which is in memory and therefore much faster — instead of hitting the database again. Think of it like a shortcut. Instead of driving the long route to the database every time, you take the shortcut through Redis. What Does Redis Do? Caching Store frequently accessed data in memory for fast retrieval. Database query results, API responses, computed values — anything that is expensive to compute and accessed frequently is a good candidate for caching. Session Storage Store user session data in Redis instead of the database. Since sessions are read on every request, having them in memory is significantly faster than a database lookup. Rate Limiting Track how many requests a user or IP address has made in a given time window. Redis's atomic increment operations make it perfect for implementing rate limiting. Message Queues and Pub/Sub Redis supports publish/subscribe messaging and message queues. Applications can publish messages to a channel a

2026-06-10 原文 →
AI 资讯

How to Use the TypeScript Compiler (tsc) to Compile Your Code

TLDR tsc is the TypeScript compiler. It turns your .ts files into .js files that Node.js and browsers can run. Install it with npm install -g typescript . Run tsc to compile your whole project. Run tsc --watch to auto-compile on every file save. Run tsc --noEmit to check for errors without creating any files. What is the TypeScript Compiler? The TypeScript compiler is a tool called tsc . It reads your TypeScript files and turns them into JavaScript files. Your browser and Node.js cannot run TypeScript directly. They only understand JavaScript. So tsc acts as the bridge between what you write and what actually runs. Think of tsc like a spell checker for your code. It finds problems before your code ever runs. Then it produces clean JavaScript output for you. How to Install the TypeScript Compiler You install tsc using npm. There are two ways to do this. Option 1: Global Install (runs anywhere on your computer) npm install -g typescript After install, check it works: tsc --version You will see something like Version 6.0.3 . Option 2: Local Install (recommended for teams) npm install --save-dev typescript Then run it using npx : npx tsc --version Which one should you use? Use a local install for project work. This makes sure everyone on your team uses the same TypeScript version. Use a global install only for quick personal experiments. How to Compile a Single TypeScript File The simplest way to use tsc is to pass it a single file. Create a file called hello.ts : const message : string = " Hello, TypeScript! " ; console . log ( message ); Now compile it: tsc hello.ts This creates a new file called hello.js in the same folder: var message = " Hello, TypeScript! " ; console . log ( message ); Notice that TypeScript removed the : string type annotation. The output is plain JavaScript that Node.js can run. Run the output file: node hello.js # Hello, TypeScript! Important: When you pass a file directly to tsc , it ignores your tsconfig.json . It uses its own default setting

2026-06-10 原文 →
AI 资讯

I just gave AI agents write access to Shopify stores. Here's everything standing between them and disaster.

Last week I shipped something that would have sounded reckless two years ago: an MCP server that lets an AI agent write to a merchant's live Shopify store. Create discount codes. Build customer segments. Draft WhatsApp campaigns against real order data. Read-only agent integrations are everywhere now, and they're fine — but a read-only agent is just a chatbot wearing a dashboard. The useful version is the one that does the thing . The dangerous version is also the one that does the thing. A hallucinated SELECT is a wrong answer; a hallucinated discount code is free product going out the door. So before turning writes on, I sat down and listed every way an agent could hurt a store. Then I built one guardrail per failure mode. Here's the list — it's short, and I think it generalizes to any agent surface that touches business data. 1. Read-only by default. Writes are a per-token opt-in. The lazy design is one API key that can do everything the app can do. Instead, every agent token starts read-only — list customers, inspect segments, read campaign stats. Write capability is a separate flag the merchant flips per token: { "token" : "fav_mcp_…" , "scopes" : [ "read" ], // default "writeEnabled" : false // explicit opt-in , per token } This sounds obvious. It is obvious. It's also the single most-skipped step I see in agent integrations, because it's friction during development. Build the friction in anyway — "the agent could read everything but couldn't have sent that" is a sentence you really want available to you later. 2. Caps live in the tool schema, not the prompt. Early on I had a system prompt that said something like "never create discounts above 30%." You can guess how durable that is. Prompts are suggestions; schemas are physics. So the caps moved into the tool's input validation itself — the shape of it: // create_discount — validated server-side, not prompt-side { percentage : z . number (). min ( 1 ). max ( 100 ), // hard ceiling, enforced in the service exp

2026-06-10 原文 →