今日已更新 386 条资讯 | 累计 20358 条内容
关于我们

标签:#c

找到 15961 篇相关文章

AI 资讯

The SSE Fragmentation Catastrophe That Took Down CareerPilot AI (Smash Stories)

This is a submission for DEV's Summer Bug Smash: Smash Stories powered by Sentry . It was 11:14 PM. My friend DM'd me on Twitter: "Your app just hung for 30 seconds, spun indefinitely, and then completely died." I opened the browser DevTools console pointed at production and saw it — the screen flooded in red: GET https://careerpilot-ai.run.app/api/analyze-career net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK) The Server-Sent Events stream powering CareerPilot AI was systematically collapsing on Google Cloud Run. And I had no idea why. Locally on localhost:3000 , the agentic pipeline was a masterpiece. The multi-stage reasoning logs streamed gracefully — Step 1 flowed into Step 6, the final structured JSON payload arrived within seconds, the UI lit up with a complete personalized career roadmap. Beautiful. But once deployed behind Google's Front End (GFE) proxy, the pipeline was a graveyard of broken sockets. The Architecture Under Fire CareerPilot AI runs a six-stage agentic pipeline on every career analysis request. Instead of firing a single long-running prompt to Gemini and making the user stare at a blank screen for 20+ seconds, we designed a Server-Sent Events logging stream to broadcast real-time reasoning steps directly to the browser — giving the interface the feel of a live, active mentor thinking out loud. Once the final stage (Self-Evaluation & Constraint Validation) completed, the backend constructed a massive, nested 15KB JSON payload containing the personalized roadmap: skill weightings, role benchmarks, resource links, and a 30-day milestone calendar. Here was the delivery mechanism — and the landmine hiding inside it: // server.ts — The vulnerable streaming channel app . get ( " /api/analyze-career " , async ( req , res ) => { res . setHeader ( " Content-Type " , " text/event-stream " ); res . setHeader ( " Cache-Control " , " no-cache " ); res . setHeader ( " Connection " , " keep-alive " ); // Stream intermediate reasoning logs per step for ( let st

2026-07-15 原文 →
AI 资讯

DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget?

DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget? Last Tuesday I spent two hours building a client dashboard that needed AI-powered text summarization. The client is a small e-commerce shop, they get maybe 500 product descriptions a week that need condensing into bullet points. Sounds simple, right? Except when I ran the numbers on my usual OpenAI setup, the bill was going to eat into my margin harder than I'd like. That's when I went down the rabbit hole of Chinese AI models. DeepSeek, Qwen, Kimi, GLM — I've been hearing about these for months from other devs in Discord, but I never actually committed to testing them because, honestly, who has the time? Well, apparently I do, because that Tuesday I decided to run all four head-to-head against my actual workload. Here's what happened. Why I Even Bothered (The Real Math) Before we get into the benchmarks and pricing tables, let me put this in perspective. My hourly rate as a freelance dev sits at $85. Every hour I spend wrestling with a subpar API that hallucinates or charges too much is an hour I'm not billing a client. The "free" model is never free — either it costs me time or it costs me money, and usually both. I was paying roughly $0.60 per 1M output tokens on GPT-4o for the summarization work. For 500 product descriptions, each averaging maybe 150 tokens output, that's about $0.045 per batch. Sounds tiny, right? But multiply that across multiple clients, and suddenly I'm watching $40-60 a month vanish into API costs that I can't really pass along without awkward pricing conversations. So I started shopping. And what I found genuinely surprised me. The Contenders at a Glance All four model families run through Global API's unified endpoint, which means I didn't have to maintain four different SDKs, four different auth setups, four different billing dashboards. Just swap the model name in the request and ship. For a one-person operation, that's huge. Here's the landscape I was working with: Di

2026-07-15 原文 →
AI 资讯

Where ACC Fits in the Agent Stack: Transport, Runtime Control, and Business Authority

Connecting an AI agent to a tool is becoming easier. Letting that agent operate a real business system responsibly is still a different problem. Imagine an existing commerce system with APIs for reading orders, changing inventory, creating refunds, and disabling staff accounts. OpenAPI can describe the endpoints. A tool protocol can make them discoverable. An agent framework can select an operation and generate arguments. But those pieces do not, by themselves, answer several business questions: Which operations may be exposed to an agent-facing surface? Which invocation must carry a trusted acting subject? Which operation is high consequence? When does an invocation express approval intent? Which calls need stronger audit handling? Which execution properties should a runtime know before it invokes the API? These questions sit between tool connectivity and final business authorization. That is the layer the Agent Capability Contract, or ACC, is designed to describe. Start with a concrete operation Consider this API operation: paths : /orders/{order_id}/refund : post : operationId : createRefund parameters : - in : path name : order_id required : true schema : type : string requestBody : required : true content : application/json : schema : type : object required : [ amount ] properties : amount : type : number minimum : 0 This is enough to describe how to call the operation. It is not enough to describe how an agent-facing system should treat it. ACC adds a small, machine-readable declaration next to the operation: x-agent-capability : version : 1 enabled : true scope : refund.create risk : level : high subject : required : true approval : required : true when : - param : amount op : " >" value : 1000 audit : sensitive : true execution : readonly : false idempotent : true timeout_ms : 10000 The declaration does not grant the refund. It tells a compatible runtime how the operation should be presented and governed before the business system receives the call. The miss

2026-07-15 原文 →
AI 资讯

The 8-item security checklist no one tells indie devs

I've reviewed the launch post-mortems of dozens of indie devs who got hacked after shipping their first SaaS. The common thread isn't bad code. It's a checklist no one handed them before they clicked publish. This is that checklist. Eight items. Each one has: a curl command you can run right now, why the bug matters in plain English, and a concrete fix in under ten lines of code. If you can check all eight green before you launch, you've eliminated the majority of the low-hanging-fruit attack surface on a typical Next.js + Supabase MVP. You're not done with security — but you've moved from "will definitely get popped on launch day" to "a real attacker will have to actually work for it." No sales call required. No consulting firm. Eight items in your terminal before launch. Item 1: Every API endpoint has an auth check How to check: # Test an endpoint without a cookie/token curl -s -o /dev/null -w "%{http_code}" https://your-app.com/api/your-endpoint # Should return 401. If it returns 200, the endpoint is public — intentional? Why it matters: API routes in Next.js are not automatically protected. If you forgot to add getServerSession (or your equivalent auth check) to a route handler, it's open to the internet. The route might not be linked in the UI, but it's reachable. Fix: // At the top of every API route handler const session = await getServerSession ( authOptions ) if ( ! session ) return new Response ( ' Unauthorized ' , { status : 401 }) Run this check for every file under src/app/api/ . Better yet: write a middleware that protects all /api/ routes by default and use an explicit { public: true } annotation for routes that should be unauthenticated. Item 2: Per-tenant data scoping (BOLA / IDOR) How to check: # Log in as user A, grab a resource ID from the response # Then change the cookie/token to user B's and request the same ID curl -s -H "Cookie: your-user-b-session" https://your-app.com/api/items/YOUR-USER-A-ITEM-ID # Should return 403 or 404. If it returns

2026-07-15 原文 →
开发者

You Don't Need Node.js to Learn Web Development

I see this every week. Someone decides to learn web development. They Google "how to start web development" and within 20 minutes they're installing Node.js, npm, VS Code, and five extensions they don't understand. They haven't written a single line of code yet. But they've already spent an hour configuring their "environment." Then they get stuck. Node version conflicts. npm permission errors. VS Code extensions that break their syntax highlighting. They think they're not smart enough for programming. They are. They just started with the wrong step. The Problem Learning web development has three core technologies: HTML, CSS, and JavaScript. That's it. Everything else — Node.js, npm, webpack, Vite, React — is extra. It's not the starting point. But most tutorials assume you already have Node.js installed. They say "open your terminal" and "run npm install." Beginners follow along, copy the commands, and have no idea what any of it means. Here's what actually happens: You install Node.js (200MB+) You install VS Code (another 300MB+) You install 5-10 extensions You create a project folder You open terminal and run npm init -y You run npm install live-server You run npx live-server You finally see your HTML page in a browser That's 8 steps before you write Hello World . The Solution You don't need any of that. Not yet. Here's what you actually need to learn HTML, CSS, and JavaScript: A browser (you already have one) A text editor (Notepad works) That's it Open Notepad. Write this: <!DOCTYPE html> <html> <head> <title> My First Page </title> </head> <body> <h1> Hello, World! </h1> <p> This is my first web page. </p> </body> </html> Save it as index.html. Double-click the file. It opens in your browser. You just built your first web page. No terminal. No npm. No Node.js. No configuration. When Should You Actually Learn Node.js? Node.js becomes useful when you need: Server-side code (backend development) Package management (npm packages) Build tools (webpack, Vite) Framew

2026-07-15 原文 →