AI 资讯
The SSE Fragmentation Catastrophe That Took Down CareerPilot AI (Smash Stories)
This is a submission for DEV's Summer Bug Smash: Smash Stories powered by Sentry . It was 11:14 PM. My friend DM'd me on Twitter: "Your app just hung for 30 seconds, spun indefinitely, and then completely died." I opened the browser DevTools console pointed at production and saw it — the screen flooded in red: GET https://careerpilot-ai.run.app/api/analyze-career net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK) The Server-Sent Events stream powering CareerPilot AI was systematically collapsing on Google Cloud Run. And I had no idea why. Locally on localhost:3000 , the agentic pipeline was a masterpiece. The multi-stage reasoning logs streamed gracefully — Step 1 flowed into Step 6, the final structured JSON payload arrived within seconds, the UI lit up with a complete personalized career roadmap. Beautiful. But once deployed behind Google's Front End (GFE) proxy, the pipeline was a graveyard of broken sockets. The Architecture Under Fire CareerPilot AI runs a six-stage agentic pipeline on every career analysis request. Instead of firing a single long-running prompt to Gemini and making the user stare at a blank screen for 20+ seconds, we designed a Server-Sent Events logging stream to broadcast real-time reasoning steps directly to the browser — giving the interface the feel of a live, active mentor thinking out loud. Once the final stage (Self-Evaluation & Constraint Validation) completed, the backend constructed a massive, nested 15KB JSON payload containing the personalized roadmap: skill weightings, role benchmarks, resource links, and a 30-day milestone calendar. Here was the delivery mechanism — and the landmine hiding inside it: // server.ts — The vulnerable streaming channel app . get ( " /api/analyze-career " , async ( req , res ) => { res . setHeader ( " Content-Type " , " text/event-stream " ); res . setHeader ( " Cache-Control " , " no-cache " ); res . setHeader ( " Connection " , " keep-alive " ); // Stream intermediate reasoning logs per step for ( let st
AI 资讯
DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget?
DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget? Last Tuesday I spent two hours building a client dashboard that needed AI-powered text summarization. The client is a small e-commerce shop, they get maybe 500 product descriptions a week that need condensing into bullet points. Sounds simple, right? Except when I ran the numbers on my usual OpenAI setup, the bill was going to eat into my margin harder than I'd like. That's when I went down the rabbit hole of Chinese AI models. DeepSeek, Qwen, Kimi, GLM — I've been hearing about these for months from other devs in Discord, but I never actually committed to testing them because, honestly, who has the time? Well, apparently I do, because that Tuesday I decided to run all four head-to-head against my actual workload. Here's what happened. Why I Even Bothered (The Real Math) Before we get into the benchmarks and pricing tables, let me put this in perspective. My hourly rate as a freelance dev sits at $85. Every hour I spend wrestling with a subpar API that hallucinates or charges too much is an hour I'm not billing a client. The "free" model is never free — either it costs me time or it costs me money, and usually both. I was paying roughly $0.60 per 1M output tokens on GPT-4o for the summarization work. For 500 product descriptions, each averaging maybe 150 tokens output, that's about $0.045 per batch. Sounds tiny, right? But multiply that across multiple clients, and suddenly I'm watching $40-60 a month vanish into API costs that I can't really pass along without awkward pricing conversations. So I started shopping. And what I found genuinely surprised me. The Contenders at a Glance All four model families run through Global API's unified endpoint, which means I didn't have to maintain four different SDKs, four different auth setups, four different billing dashboards. Just swap the model name in the request and ship. For a one-person operation, that's huge. Here's the landscape I was working with: Di
产品设计
Building Lynktern a digital SIWES logbook and internship management platform for Nigerian university students. Replacing the paper logbook with something students, supervisors, and companies can actually use. #buildinpublic
科技前沿
The Explosive Diarrhea Outbreak Is About to Get Much Bigger
Official case counts likely capture only a fraction of US cyclosporiasis infections, and the outbreak is likely to get worse before it gets better.
AI 资讯
Where ACC Fits in the Agent Stack: Transport, Runtime Control, and Business Authority
Connecting an AI agent to a tool is becoming easier. Letting that agent operate a real business system responsibly is still a different problem. Imagine an existing commerce system with APIs for reading orders, changing inventory, creating refunds, and disabling staff accounts. OpenAPI can describe the endpoints. A tool protocol can make them discoverable. An agent framework can select an operation and generate arguments. But those pieces do not, by themselves, answer several business questions: Which operations may be exposed to an agent-facing surface? Which invocation must carry a trusted acting subject? Which operation is high consequence? When does an invocation express approval intent? Which calls need stronger audit handling? Which execution properties should a runtime know before it invokes the API? These questions sit between tool connectivity and final business authorization. That is the layer the Agent Capability Contract, or ACC, is designed to describe. Start with a concrete operation Consider this API operation: paths : /orders/{order_id}/refund : post : operationId : createRefund parameters : - in : path name : order_id required : true schema : type : string requestBody : required : true content : application/json : schema : type : object required : [ amount ] properties : amount : type : number minimum : 0 This is enough to describe how to call the operation. It is not enough to describe how an agent-facing system should treat it. ACC adds a small, machine-readable declaration next to the operation: x-agent-capability : version : 1 enabled : true scope : refund.create risk : level : high subject : required : true approval : required : true when : - param : amount op : " >" value : 1000 audit : sensitive : true execution : readonly : false idempotent : true timeout_ms : 10000 The declaration does not grant the refund. It tells a compatible runtime how the operation should be presented and governed before the business system receives the call. The miss
AI 资讯
The 8-item security checklist no one tells indie devs
I've reviewed the launch post-mortems of dozens of indie devs who got hacked after shipping their first SaaS. The common thread isn't bad code. It's a checklist no one handed them before they clicked publish. This is that checklist. Eight items. Each one has: a curl command you can run right now, why the bug matters in plain English, and a concrete fix in under ten lines of code. If you can check all eight green before you launch, you've eliminated the majority of the low-hanging-fruit attack surface on a typical Next.js + Supabase MVP. You're not done with security — but you've moved from "will definitely get popped on launch day" to "a real attacker will have to actually work for it." No sales call required. No consulting firm. Eight items in your terminal before launch. Item 1: Every API endpoint has an auth check How to check: # Test an endpoint without a cookie/token curl -s -o /dev/null -w "%{http_code}" https://your-app.com/api/your-endpoint # Should return 401. If it returns 200, the endpoint is public — intentional? Why it matters: API routes in Next.js are not automatically protected. If you forgot to add getServerSession (or your equivalent auth check) to a route handler, it's open to the internet. The route might not be linked in the UI, but it's reachable. Fix: // At the top of every API route handler const session = await getServerSession ( authOptions ) if ( ! session ) return new Response ( ' Unauthorized ' , { status : 401 }) Run this check for every file under src/app/api/ . Better yet: write a middleware that protects all /api/ routes by default and use an explicit { public: true } annotation for routes that should be unauthenticated. Item 2: Per-tenant data scoping (BOLA / IDOR) How to check: # Log in as user A, grab a resource ID from the response # Then change the cookie/token to user B's and request the same ID curl -s -H "Cookie: your-user-b-session" https://your-app.com/api/items/YOUR-USER-A-ITEM-ID # Should return 403 or 404. If it returns
开发者
You Don't Need Node.js to Learn Web Development
I see this every week. Someone decides to learn web development. They Google "how to start web development" and within 20 minutes they're installing Node.js, npm, VS Code, and five extensions they don't understand. They haven't written a single line of code yet. But they've already spent an hour configuring their "environment." Then they get stuck. Node version conflicts. npm permission errors. VS Code extensions that break their syntax highlighting. They think they're not smart enough for programming. They are. They just started with the wrong step. The Problem Learning web development has three core technologies: HTML, CSS, and JavaScript. That's it. Everything else — Node.js, npm, webpack, Vite, React — is extra. It's not the starting point. But most tutorials assume you already have Node.js installed. They say "open your terminal" and "run npm install." Beginners follow along, copy the commands, and have no idea what any of it means. Here's what actually happens: You install Node.js (200MB+) You install VS Code (another 300MB+) You install 5-10 extensions You create a project folder You open terminal and run npm init -y You run npm install live-server You run npx live-server You finally see your HTML page in a browser That's 8 steps before you write Hello World . The Solution You don't need any of that. Not yet. Here's what you actually need to learn HTML, CSS, and JavaScript: A browser (you already have one) A text editor (Notepad works) That's it Open Notepad. Write this: <!DOCTYPE html> <html> <head> <title> My First Page </title> </head> <body> <h1> Hello, World! </h1> <p> This is my first web page. </p> </body> </html> Save it as index.html. Double-click the file. It opens in your browser. You just built your first web page. No terminal. No npm. No Node.js. No configuration. When Should You Actually Learn Node.js? Node.js becomes useful when you need: Server-side code (backend development) Package management (npm packages) Build tools (webpack, Vite) Framew
科技前沿
How To Watch the 2026 FIFA World Cup Semifinals: England vs Argentina
The end of the FIFA Men’s World Cup is nigh. Here’s how to watch the final games and the first ever World Cup halftime show.
AI 资讯
OpenAI Staffers Are Funding a Rival Super PAC to Take on Their Boss
OpenAI employees have donated more than $215,000 to a political effort opposing Leading the Future, a group backed by the company’s president, Greg Brockman.
开发者
America pays workers just 27% of what its wealth allows – the worst in the OECD
开发者
FreeBSD 16 Retires the Last GPL Code from Its Base System
AI 资讯
Why Are Japanese Retail Traders Shorting the US Dollar?
AI 资讯
Starlink’s V5 dish is now available — here’s how it compares
SpaceX's latest residential dish - the Starlink V5 - is now available in "select areas." It's notably smaller and lighter than the V4 dish with improved power efficiency. It'll be available in more places as SpaceX ramps up production to meet global demand. The company notes that Starlink V5 is not intended for in-motion use […]
AI 资讯
UK teens report sleep, wellbeing gains under social media restrictions, study
AI 资讯
Microsoft said the patches would get bigger. I measured how much bigger.
On 9 July 2026 the head of Windows published a post about AI-powered vulnerability discovery. One line in it was a warning to customers: "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release." It does not say how much higher. The post runs about 1400 words and contains no numbers at all. Five days later Microsoft shipped the July package: 1150 CVEs. The number Microsoft would not put in the blog post is sitting in Microsoft's own API. The Security Update Guide publishes every monthly package as machine-readable CVRF, acknowledgments included, no key required. So I pulled twelve months of it and did the arithmetic. What the data says I sampled eight months before the ramp and four after it. Month CVEs Month CVEs 2024-07 454 2026-04 737 2025-01 343 2026-05 991 2025-04 374 2026-06 1281 2025-07 527 2026-07 1150 2025-10 427 2026-01 310 2026-02 169 2026-03 460 The eight pre-ramp months average 383 CVEs. July 2026 is 1150, so the package is 3,0 times the old normal. The baseline broke in April and peaked in June at 1281. April to July inclusive is 4159 CVEs. At the old rate that is 10,9 months of output, delivered in four. The number I am not going to use February 2026 had 169 CVEs. It is the lowest month in two years, less than half the baseline. Divide July by February and you get 6,8 times, which is a much better number for a headline. I am not using it, because choosing your denominator is how honest people produce dishonest numbers. February is an outlier, and the only reason to anchor to it is that it flatters the story. The real multiplier is 3,0. It does not need help. It is not noise The obvious objection is that volume without quality is just a bigger pile. If AI were generating low-value findings that got patched anyway, the severity distribution would sag. It did the opposite. Measure 2025-07 2026-07 CVEs 527 1150 CVSS median 6,5 7,5 CVSS mean 6,47 7,26 CVSS 7,0 and above 48,0 % 71,
AI 资讯
Build Firebase AI Logic Application with Antigravity CLI and Stitch MCP Server [GDE]
Build Firebase AI Logic with Antigravity CLI Note: Google Cloud credits are provided for this project. In this blog post, I demonstrate how to use the Antigravity CLI (an agentic AI assistant integrating directly with development workflows via skills and servers) to build an image analysis demo using Angular, the Firebase Hybrid & On-device Inference Web SDK, and Gemini models. Users upload an image and use a Gemini model to analyze it to generate a few alternative texts, tags, recommendations, and CSS tips to enhance the image quality. When the demo is running in Chrome 148+, the Hybrid & On-device SDK leverages the Prompt API of the on-device Gemini Nano model to perform the image-to-text tasks, and the token usage is 0. When other browsers, such as Safari or Firefox, execute the same tasks, the SDK falls back to Cloud AI (Gemini 3.5 Flash model), which consumes tokens. Next, I describe how to install the skills in my Angular project and register the Angular and Stitch MCP servers in the Antigravity CLI to develop the infrastructure, services, and UI design of my demo. 1. Workflow This is my entire workflow from implementing features, generating UI screens, and mapping the screens to Angular components. 2. Skills I installed the grill-with-docs , angular , and firebase skills in my project for the following reasons: grill-with-docs: Conduct a rigid Q&A session to generate a specification for a feature, refactor, or critical fix. AI is responsible for performing thorough analysis, and putting in more efforts to generate code to achieve the task. domain-modeling: The skill is referenced in the SKILL.md of the grill-with-docs skill, so a copy of it is required. code-review: Spawn two sub-agents to review changes to detect code smells and verify that the changes align with the specification. angular: Provide the best practices of modern Angular architecture, such as using signals and signal forms. firebase: Provide the skills for Firebase AI Logic, Firebase Remote, et
AI 资讯
Hetzner was cheaper at every size I tested and I still chose managed Postgres
Twelve pricing tabs open. Neon, Hetzner, Supabase, Prisma, Scaleway, OVH. My database is half a gigabyte. I was comparing ten-terabyte price curves. At some point this week I typed the words "I am super lost here" about my own infrastructure. I advise companies on this exact class of decision. That sentence still came out of my hands. If you have ever spent an evening deep in provider pricing pages for a workload that fits on a USB stick from 2009, this one is for you. All numbers below come from the live pricing pages as of July 2026. Rates move, so verify before you commit. Three fears, all pointed at the wrong layers I went in worried about getting attacked, running out of space, and being locked in. All three dissolved under ten minutes of honest reading. DDoS lands on the website edge, not the database. My site already sits behind Cloudflare and Vercel, and a database is never publicly exposed. Only the app talks to it. Whichever provider I picked, that attack surface stayed identical. Here is the shape of the stack, and where each fear lives. MANAGED (what I run today) visitors ──> Cloudflare edge ──> Vercel app ──> managed Postgres [DDoS absorbed] [stateless] [never public, app-only access, provider patches, provider backups, provider on-call] SELF-HOSTED (the alternative I priced) visitors ──> Cloudflare edge ──> Vercel app ──> Hetzner CAX11 [DDoS absorbed] [stateless] [Postgres :5432 firewalled to app, SSH hardened, fail2ban + auto- patching = MINE] │ pg_dump every 6h ▼ encrypted ────> Cloudflare R2 [off-site copies] Same edge, same app, same attack surface. Everything in the right-hand box is what changes owners. Storage was a rounding error. My data is 0.5 GB. Even the cheapest self-hosted box includes 40 GB, eighty times headroom before the first extra cent. Lock-in was a phantom too. Managed Postgres is still stock Postgres. Exiting means a dump, a restore, and one connection string change in the deployment environment. Minutes of cutover, no rewrite an
AI 资讯
LingoBridge-AI: Simplifying Complex Medical Reports for Rural Patients
Body: Hi everyone! 👋 I am excited to share my latest project, LingoBridge-AI, which I have been building to solve a critical problem in rural healthcare. The Problem 🩺 In many rural areas, patients receive medical reports that are complex and filled with technical jargon. Due to this, they often struggle to understand their own health conditions, which leads to confusion and delayed medical care. The Solution: LingoBridge-AI 💡 I developed LingoBridge-AI, an AI-powered tool designed to: Simplify complex medical reports into easy-to-understand language. Translate information into local languages to ensure better accessibility for patients. Bridge the gap between healthcare providers and patients who have limited medical literacy. Tech Stack 🛠️ Built using Python and AI frameworks. Focuses on accuracy, simplicity, and user-friendly output. Check it out! 💻 You can view the source code and documentation here: 👉 [ https://github.com/cherukuriLakshmi/LingoBridge-AI ] I am still working on improving this, and I would love to get some feedback from this amazing community! If you have any suggestions on how to improve the AI or the user experience, please let me know in the comments below. Thanks for your support! Tags (Add these at the bottom): ai #healthtech #opensource #python #beginners
AI 资讯
The Bug That Kept Coming Back
The first sign something was wrong wasn't a crash. It was a pattern. blockly-platform was the first real thing I built with Claude Code end to end — a Blockly-based platform for university programming exercises, driven entirely through Claude Code's Telegram channel. No editor open, no repo checked out on my machine, just a chat thread. I'd describe what I wanted, Claude Code would build it on a box I never looked at directly, and I'd judge the result by clicking around the deployed app. On March 22nd, the home page came up empty. GET /api/exercises/published was returning 403. I said so in the chat; a few messages later, Claude Code said it was fixed — the endpoint hadn't been added to Spring Security's permitAll() list. I moved on, tried the category filter. Also empty, also 403, also missing from the same permitAll() list — same file, same class of fix, different line. Then the exercise detail page. Same story, third time, same day. Three days later, the like button stopped working — root cause, again: POST /api/exercises/*/like had never been whitelisted either. Four times, one file, one recurring gap. None of these were hard bugs. Each one, in isolation, is a one-line fix a competent engineer makes without thinking twice. What bothered me, once I noticed the pattern, was that I hadn't noticed it as it happened. I had no diff to scroll through, no file to glance at and think "wait, didn't we just fix this exact class of thing twice already?" I had a chat log and a live app to poke at. The fourth fix looked, from where I sat, exactly like the first: a message telling me it was resolved. That was the moment I started to suspect the problem wasn't the model. It was that nobody — not the model, not me — had anything to look at. Why chat-only vibe coding breaks down Here's what makes that pattern more interesting than "the AI made a mistake": every one of those four fixes was correct. Claude Code read the error, found the missing permitAll() entry, added it, and move
AI 资讯
Is Being Full-Stack Really Necessary in the Age of AI?
In an AI-powered reporting project, the backend API response time suddenly jumped to 8 seconds; I couldn't find a solution by examining only the frontend code to isolate the issue. This experience highlighted how the lack of a full-stack developer, who can see API, data layer, and model integration simultaneously, can slow down a project. Below, I will analyze step-by-step whether being full-stack is truly necessary in the age of AI. Why is Being Full-Stack Necessary in the Age of AI? The primary benefit of being full-stack is enabling a single developer to have end-to-end control of AI systems. This is because training a model, saving it to a vector database, and serving it via a REST API all occur at different layers; each of these layers might require a separate area of expertise. However, a full-stack developer, by being able to see the entire process from the data collection script ( python collect_data.py ) to the model service ( uvicorn app:app --host 0.0.0.0 ), can catch integration errors faster. Let's illustrate this advantage with a concrete example: within a project, I automated model retraining using a systemd timer and saw “Active: active (waiting)” in the systemctl status model-retrain.timer output; however, the API layer's GET /predict response was still returning the old model. Identifying the issue was only possible by simultaneously examining the timer configuration and the API code; without switching between separate teams. Summary: Full-stack proficiency provides the ability to detect and resolve potential incompatibilities within the complex data-model-service chain of AI projects at a single point. How Do Full-Stack Skills Contribute to AI Projects? A full-stack developer keeps all steps, from data preprocessing ( pandas script) to the model service ( FastAPI endpoint), within a single codebase. This simplifies version control and the CI/CD workflow. For example, when I define a postgres service, a redis cache, and an api service within docker