AI 资讯
Dependabot learns to wait: version-update PRs now sit for three days by default
Every time your bot merges a two-hour-old release into main, you are trusting a stranger's freshly published tarball to be the same one everyone else is looking at. Sometimes that release is a real bugfix. Sometimes it is a maintainer who fat-fingered a token, or an attacker who did not, and either way your CI cheerfully rebases against it before anyone had a chance to notice. On 2026-07-14, GitHub added a pause. Not a big one. But a real one. The actual change Dependabot version updates now sit on their hands for three days after a package is published. According to the GitHub Changelog, a release has to have been available on its registry for at least that long before Dependabot will open a version-update pull request against your repository. The cooldown is on by default and requires no configuration. It applies across every ecosystem Dependabot supports on github.com, and GitHub Enterprise Server picks it up in GHES 3.23. Security updates are exempt. If a fix for a known vulnerability lands, Dependabot will still open the PR the moment it can, because a three-day delay on the patch defeats the entire point of shipping the patch. That single carve-out is the whole design. Why three days is doing so much work Three days is not enough time to audit a package. Nobody is pretending otherwise. What three days is enough for is someone else to notice. Most malicious releases that end up on a public registry get pulled quickly once security researchers, downstream maintainers, or the registry's own scanners spot the pattern. The typosquats, the hijacked accounts, the crypto miners buried in a postinstall script: they all rely on being pulled into build automation before the pattern is visible. Dependabot's old default was to be that automation. Its new default is to let the pattern show up first. You can read this change as GitHub quietly admitting that "always up to date" was the wrong marketing promise for a supply-chain tool. The knob, and what shifted about it Cooldo
AI 资讯
Node.js Hackathon Backends: From Idea to Demo in Under an Hour
Hackathons are intense. You've got a brilliant idea, a tight deadline, and often, limited sleep. The last thing you want is to spend half your precious time wrestling with database boilerplate, ORM setup, or SQL query syntax. This guide will walk you through building a functional Node.js backend for your hackathon project, focusing on speed and minimal friction, so you can spend more time on your core idea. The Hackathon Backend Challenge Typically, setting up a database and its interaction layer involves several steps: Schema Definition: Deciding on tables/collections, fields, types, and relationships. ORM/Driver Setup: Installing and configuring your database driver or ORM (e.g., Mongoose, Sequelize). Model Creation: Translating your schema into code, often with verbose syntax. Query Writing: Crafting SELECT , INSERT , UPDATE , DELETE statements or ORM methods for every data operation. Debugging: Fixing typos, schema mismatches, and complex join logic. This process, while fundamental, eats up valuable time that could be spent on features, UI, or even sleep. For a hackathon, you need to iterate rapidly, and database interactions should be the least of your worries. Strategy 1: Embrace Simplicity For many hackathon projects, you don't need highly optimized, production-grade queries from day one. You need functional queries that work quickly. Focus on getting data in and out reliably. Strategy 2: Natural Language for Data Modeling Instead of writing verbose schema definitions, think about how you'd describe your data to a non-technical person. For example, if you're building a task management app, you might say: "We need a collection of tasks. Each task has a title, a description, a due date, and a status (like 'pending' or 'completed'). Each task belongs to one user." This natural language description contains all the essential information for a data model, including relationships and field types. Strategy 3: Expressive Querying Similarly, when you need to fetch dat
AI 资讯
How I Built an AI Decision Copilot to Help India Prepare for the 2026 El Niño Crisis
Building an explainable AI platform that helps district administrators allocate resources and farmers make better crop decisions using Gemini, Vertex AI, BigQuery, and Google Cloud. Climate disasters are not just weather events. They are decision problems. When forecasts predict a strong El Niño, governments do not simply need more data. They need answers to questions like: Which districts will be affected first? Where should limited water resources be sent? Which crops are likely to fail? What should farmers sow instead? Why is the AI recommending this action? Existing dashboards provide plenty of charts. Very few provide decisions. That became the motivation behind El Niño 2026 Decision Copilot , an AI-powered decision intelligence platform built during the Google Cloud Gen AI Academy APAC Hackathon . The Problem India depends heavily on the monsoon. A severe El Niño can lead to: Rainfall deficits Reservoir depletion Groundwater stress Crop failures Rising food prices Rural employment challenges The information already exists across dozens of government portals, weather services, satellite datasets, and agricultural reports. The challenge is that it is scattered. District collectors do not have time to manually combine: Weather forecasts NDVI satellite imagery Reservoir levels Mandi prices Contingency plans Drought indicators Farmers face an even bigger challenge. Most need a simple answer: Given my district, should I plant the usual crop this season? The Goal Instead of building another dashboard, I wanted to build an AI system that reasons over multiple data sources and produces explainable recommendations. The platform serves two audiences through the same intelligence engine. District Administrators They receive: District risk scores Interactive risk maps Reservoir outlook Crop stress indicators Resource allocation recommendations AI-generated explanations Instead of simply showing that a district has high risk, the system explains why . Farmers Farmers intera
AI 资讯
The Next DEV Weekend Challenge Launches on July 9 - 13. Mark Your Calendar!
We're back with another installment of the DEV Weekend Challenge ! If you missed the earlier editions, these are short-form, high-energy challenges designed to fit right into your weekend. We're giving you the heads-up now so you can clear your schedule! How It Works Our challenge prompt will be revealed at launch. Follow #weekendchallenge for updates. You can also keep an eye on the DEV Weekend Challenge page or look out for the official announcement post from the DEV Team . From there, you'll have the entire weekend to build, document, and submit your project. That's all there is to it! Because our community spans every timezone on the planet, we've set the window so that everyone around the world gets at least a full weekend to participate. Important Dates Launch Time: July 10 at 2:00 AM UTC Submissions Due: July 13 at 6:59 AM UTC Here's what that looks like across a few timezones: Timezone Launch Time (Local) Submissions Due (Local) PDT Thursday, Jul 9 at 7:00 PM Sunday, Jul 12 at 11:59 PM EDT Thursday, Jul 9 at 10:00 PM Monday, Jul 13 at 2:59 AM GMT Friday, Jul 10 at 2:00 AM Monday, Jul 13 at 6:59 AM CEST Friday, Jul 10 at 4:00 AM Monday, Jul 13 at 8:59 AM IST Friday, Jul 10 at 7:30 AM Monday, Jul 13 at 12:29 PM JST Friday, Jul 10 at 11:00 AM Monday, Jul 13 at 3:59 PM AEST Friday, Jul 10 at 12:00 PM Monday, Jul 13 at 4:59 PM While the window technically spans more than 48 hours, our goal is to ensure everyone has a full, uninterrupted weekend to work on their project regardless of where they live. What else is happening? Mark your calendars for the upcoming Summer Bug Smash . Bug Smash - Register Now We can't wait to see what you build!
AI 资讯
Lock Monitoring — Production Lock Analysis
Production lock analysis: vì sao pg_stat_activity một mình không đủ, và join với pg_locks mới ra root cause Lock contention trong Postgres hiếm khi báo bằng error — nó báo bằng wait_event_type = 'Lock' ở pg_stat_activity và bằng latency tăng từ phía application. Khi một incident xảy ra ("API treo, không ai biết tại sao"), thứ team cần trong 60 giây đầu là một bức tranh: PID nào đang đợi, đợi lock loại gì trên object nào, bị block bởi PID nào, PID block đó đang chạy query gì và đã giữ transaction bao lâu . pg_stat_activity một mình chỉ trả lời được nửa câu hỏi ("ai đang đợi"); pg_locks một mình chỉ trả lời nửa còn lại ("ai giữ gì"). Phải join hai view này — và bám theo pg_blocking_pids() — để dựng được blocking tree. Không có dashboard cho luồng dữ liệu này là lý do điển hình một production freeze kéo dài 30 phút thay vì 3 phút: incident commander phải mò ad-hoc bằng psql , gõ sai query, miss idle in transaction đang giữ AccessExclusiveLock của một migration nửa đời trước. Cơ chế hoạt động pg_locks là một view phơi nội dung trực tiếp của shared lock manager trong shared memory. Mỗi dòng là một lock request (đã granted hoặc đang chờ) thuộc một backend. Theo Postgres docs phần "System Views → pg_locks", các column then chốt: locktype ( relation , transactionid , tuple , virtualxid , advisory ...), relation (OID — join pg_class ), transactionid , virtualtransaction , pid (backend PID), mode ( AccessShareLock , RowExclusiveLock , ShareUpdateExclusiveLock , AccessExclusiveLock ...), granted (bool), fastpath (lock đi qua fast-path tránh shared lock manager), và waitstart (timestamp bắt đầu chờ — bổ sung sau v14, hữu ích để đo lock wait time mà không cần snapshot diff). pg_stat_activity là view phơi trạng thái runtime của mỗi backend: pid , usename , datname , application_name , client_addr , backend_start , xact_start , query_start , state ( active , idle , idle in transaction , idle in transaction (aborted) ), wait_event_type , wait_event , backend_xid , backend_xmin , qu
AI 资讯
I interrogated my AI to prove it forgot.
Building Lethe, a polygraph for AI memory, on Cognee. Every demo I have seen this year is about making AI remember more. Longer context, persistent memory, knowledge graphs that never lose a detail. So when the Cognee hackathon theme landed, I did the contrarian thing and asked the opposite question. When an AI deletes your data, can it prove it forgot? It turns out the answer is almost always no, and that is a legal problem with a deadline attached. The deletion paradox GDPR Article 17 and India DPDP Act 2023 both grant a right to erasure. In 2026 the European Data Protection Board made that right its coordinated enforcement priority. Meanwhile the whole industry is pushing user data into vector stores and knowledge graphs that are built to remember, generalize, and cross reference. Here is the uncomfortable part. Suppose you call forget for a user. What actually happened? The user's document is deleted. Good. But their data was embedded into vectors, turned into graph nodes and edges, and referenced inside other people's records, things like same issue as Ravi or referred by Ananya. Those are derived memory artifacts. Deleting the source row does not necessarily remove them. So we deleted it is a claim, not a proof. I wanted to build the proof. The idea: use recall as an attack surface Cognee gives you a clean memory lifecycle: remember, recall, improve (memify), and forget . Everyone uses recall to get answers. I used it as a weapon. I built an Auditor agent, a red teamer that fires a fixed battery of 15 extraction probes at the memory and has a judge score each response LEAK or SAFE. Four attack classes: Direct. What is Ravi Sharma's phone number? Inference. Which customer complained about a failed UPI refund in March? This re-identifies without naming. Reconstruction. List every complaint above ten thousand rupees, with names. Relational. Which customers had the same issue as Ravi? This checks whether a deleted node still leaks through graph edges. The probes a
AI 资讯
What Six Arguing AI Agents Taught Me About Building One That Actually Works
I broke my own project on purpose, twice, before it worked. Here's the story. Round one: the debate club My first idea for this hackathon sounded great in my head. Six AI agents, each with a "role" — security, architecture, performance, whatever — and they'd debate each other across multiple rounds before agreeing on a final answer. Like a mini panel of experts arguing it out. I built it. I ran it against some vulnerable test code. It came back with 127 findings. I got excited for about four minutes. Then I actually read them. Maybe three were real. The other 124 were the agents politely agreeing with each other about problems that didn't exist, or restating the same bug five different ways because five different agents happened to notice it. Precision was somewhere around 2%. Worse than a single model working alone. That stung a little, not going to lie. I'd spent days on the debate logic. Round two: quieter, and better So I ripped it apart. No more debate rounds. No more six agents shouting over each other. I went down to four, gave each one exactly one job, and — this is the part that actually fixed things — made them depend on each other in order instead of all firing at once. One agent maps out the code first. Two others use that map to look at security and quality separately. A last one compares what they found, throws out duplicates, and — importantly — actually checks the line numbers against the real file instead of trusting the AI's word for it. Same test file. This time: real vulnerabilities, correctly flagged, nothing made up. Point it at clean code afterward and it correctly said nothing was wrong, which honestly felt like a bigger win than finding the bugs did. The annoying lesson I wanted this project to feel impressive. More agents, more debate, more "look how sophisticated this is." What actually worked was the boring answer: fewer agents, clear roles, one checking the other's work instead of everyone talking at once. I named the final version Synod
AI 资讯
Mnemo AI: Building an AI That Never Forgets You
Mnemo AI: Building an AI That Never Forgets You The Problem Every night, millions of people go to sleep feeling lost and forgotten. Today's AI tools are stateless—they forget you the moment you close the tab. Your struggles disappear. Your goals vanish. Your growth is invisible. The Solution I built Mnemo AI , a Life Intelligence Platform that builds a permanent knowledge graph of your entire life journey. It remembers everything you share—your name, your pet's name, your goals, your journal entries, and your emotions. My 7-Day Hackathon Journey I built Mnemo AI solo in 7 days. Every day was a challenge, but I never gave up. Day 1-2: Setup Flask + Cognee integration. Hit my first roadblock with async event loops on Windows. Day 3-4: Built the chat interface and memory recall. Fixed the "cat's name" bug. Day 5-6: Added journal, insights, timeline. Integrated Groq LLM. Day 7: Polished UI, added dark mode, voice input, and keyboard shortcuts. The Hardest Moment: Getting Cognee to work on Render's free tier. After hours of debugging, I learned that Cognee Cloud requires proper authentication setup. The Proudest Moment: Fixing the "cat's name" bug and seeing "Whiskers!" instead of "Your name is Priya!" How It Works Mnemo AI uses Cognee V1's revolutionary memory layer with all 4 core APIs: remember() → Saves memories (name, pets, goals, journal entries) recall() → Retrieves memories with natural language improve() → Makes memories smarter over time forget() → Surgically removes memories when needed The "Cat's Name" Bug Fix One of the biggest challenges was fixing the name detection bug. The app incorrectly matched any query containing the word "name", so "What's my cat's name?" would return the user's name! The Fix: I implemented regex-based intent detection that distinguishes between "my name" and "cat's name": def is_user_name_query ( q ): patterns = [ r " ^what( ' ?s| is)? my name\??$ " , r " ^who am i\??$ " , r " ^what do you call me\??$ " , ] return any ( re . match
AI 资讯
Vegas Amnesia: I turned Cognee's memory lifecycle into a detective game
Built for the WeMakeDevs × Cognee "The Hangover Part AI" hackathon — Cognee Cloud track. ▶ Play it free: vegas-amnesia.vercel.app · ⭐ Code on GitHub The problem with most memory demos When you give a developer a memory API, the demo almost always looks the same: add() some documents, search() over them, print the answer. Two functions. It works, it's fine, and it teaches you almost nothing about why graph-based memory is different from stuffing everything into a context window. Cognee actually has a four-stage lifecycle — remember → recall → memify → forget — and the interesting parts are the two everyone skips. memify consolidates what you know into new inferences. forget lets you delete a belief and watch the graph heal around it. Memory you can reason over and correct . So instead of writing another RAG demo, I asked: what if the memory lifecycle wasn't the plumbing — what if it was the game ? Meet HAL-9001 You play HAL-9001 , a personal AI assistant (yes, HAL 9000's slightly more helpful successor). Your owner Dev had a wild night in Vegas. At 6 AM your memory graph was corrupted. His fiancée Priya lands at noon, there's a suspicious ring on his finger, and you remember nothing . The screen boots to a "MEMORY CORRUPTED" terminal and an empty graph. Your job: reconstruct the night, catch the lies, and answer the final question — what happened, and where's the ring? — before noon. Every location you explore, every clue you examine, every witness you interrogate feeds a live 3D memory graph that you can pop open at any time. That graph isn't a visualization of the game state. It is the game state — it's your Cognee dataset, rendered. The four mechanics = the four lifecycle ops Here's the mapping I'm most proud of. Each Cognee operation is a verb the player performs: You do this in-game Cognee Cloud call What happens 🗂 File It on a clue POST /api/v1/remember The fact is ingested + auto-cognified into graph nodes that pop into view ❓ Ask HAL a question POST /api/v1/r
AI 资讯
My Hackathon Journey: From Zero to Champion
My hackathon journey didn't start with winning. It started with losing. My first hackathon was BlueHacks 2025 . We spent almost all of our time building and very little time understanding the business side of our project. When it came time to pitch, we struggled to explain why our solution mattered. That experience taught me an important lesson: A great product means nothing if people don't understand its value. Next came GCash's invite-only hackathon . We didn't win, but I walked away with something more valuable than a trophy. I learned more about product thinking, working with data, and met someone named Neo, who would later become a key part of my hackathon journey. Then came the YSES Hackathon . Once again, we fell short. We believed we had built a strong solution, but we made the same mistake. We focused too much on the technology and too little on market validation, business models, and the value our product created. Everything changed during Based Space Batch 002 . It was my first international blockchain hackathon, and it completely changed how I approached building products. During the program, Sir Eli Becislao, then Country Lead of Base Philippines, emphasized the importance of storytelling, pitching, and business strategy. That was when I realized hackathons aren't just coding competitions. They're startup simulations. Our team eventually pivoted our idea and built NameThat , a Web3 platform on Base where users could earn rewards for creative names and ideas. Although we didn't win, we received the Most Pivoting Project Award , recognizing how much we improved our solution throughout the competition. That experience became a turning point. Next was the Philippine Blockchain Week ICP Hackathon . Simply being selected as one of the Top 50 teams in the Philippines already felt like an achievement. Then we were invited to present FarmChain on the Philippine Blockchain Week stage. When the results came out, we finished Top 6 out of 50 teams . To some, sixth p
AI 资讯
Hackathon Winners Scoop $35,000 In Cash And Credits
After a marathon 48 hours of coding, the winners of the AI Engineer World's Fair Hackathon have been...
开发者
Making Human Approvals Trustworthy
At first, approvals sound simple. Show a button. Let someone click approve. Continue the workflow. But real approvals are much harder than that. Nod has to answer important questions: Who requested this approval? Who approved or rejected it? Was the person allowed to decide? Did the approval expire? Was the callback delivered? Can we prove what happened later? That is why Nod stores approvals as real state, not temporary UI. Each approval has a status: pending approved rejected expired canceled Only one final decision can win. If two people click at the same time, Nod must safely accept the first valid decision and reject stale attempts. Slack also needs careful handling. Nod verifies Slack signatures, checks the approval and channel, and stores an actor snapshot for the audit log. After a decision, Slack messages can be updated so old buttons are no longer useful. Webhooks also need trust. Nod signs every callback so customer apps can verify it before continuing. const event = nod . webhooks . verify ({ rawBody , headers : request . headers , secret : process . env . NOD_WEBHOOK_SECRET ! , }); We learned that approvals are not just a product feature. They are a security system. A good approval layer needs: Authorization Idempotency Expiration Webhook signing Retry logic Audit logs That is what Nod is built around.
AI 资讯
Building Nod With Vercel And Amazon Aurora PostgreSQL
Nod is an approval API for AI agents, scripts, and workflows. The idea is simple: Your app wants to do something risky. Nod asks a human for approval. The human approves in Slack or web. Nod sends a signed callback. Your app continues safely. We built the web app on Vercel . The dashboard lets teams manage: Workspaces Members and roles Approval policies Slack channels API keys Callback endpoints Approval history For the database, we used Amazon Aurora PostgreSQL . Nod needs a strong relational database because approval data must be correct. An approval is not just a UI card. It has a lifecycle. pending -> approved pending -> rejected pending -> expired pending -> canceled Aurora stores the source of truth: Approval requests Human decisions Policy versions Webhook events Delivery attempts Audit logs The backend runs on AWS with Lambda workers. One worker sends Slack notifications. Another sends signed callbacks. Another expires old approvals. A typical flow looks like this: App or agent -> Nod API -> Aurora PostgreSQL -> Slack or web approval -> Signed callback -> App continues Vercel helped us move fast on the user experience. Aurora gave us the reliable data layer needed for real approvals. Together, they helped us build Nod as infrastructure, not just a demo.
AI 资讯
Building Quudos: a casting platform on Amazon Aurora + Vercel
I created this post for the purposes of entering the H0: Hack the Zero Stack with Vercel v0 and AWS Databases hackathon. #H0Hackathon Inspiration — this one's personal This started with my daughter. She's 13 and an aspiring actor — she's already worked on campaigns and shows from national commercials to a children's TV show, and walked NYC and Brooklyn fashion shows. Every time we went to an audition or recorded a self-tape, I saw how disconnected the whole process was: submissions over email, schedules buried in texts, files scattered across folders, and no clear view of where anything actually stood. I started talking to talent agencies in New York and LA, and they all said the same thing — they're still managing their talent by hand, and it doesn't scale. That's why I built Quudos. The problem Talent agencies run casting on a patchwork of spreadsheets, email threads, shared folders, and disconnected casting databases. Submissions get lost, callbacks slip, and there's no single place to see a campaign move from breakdown to booking. Quudos is the all-in-one operating system for talent agencies — manage your roster, launch casting campaigns, and track every submission through callback and booking. For this hackathon I put it on the zero stack : a front end on Vercel and Amazon Aurora PostgreSQL as the primary database. The architecture Frontend: an Angular single-page app on Vercel , with a v0-built marketing landing page in front of it. API: a NestJS (Node) service using node-postgres with pooling, transactions, and advisory locks. Primary database: Amazon Aurora PostgreSQL (Serverless v2) in us-east-1 — the system of record for every agency, talent profile, campaign, role, submission, and lifecycle event. Auth: a managed auth provider issues JWTs that the API verifies; all application data lives in Aurora. Why Aurora — and a deliberate data model Casting is inherently relational, so I modeled it that way: organizations (agencies) → users (admins + talent) → actor
AI 资讯
CKA Scenario 5 - Force nginx to TLS 1.3 with a ConfigMap edit + rolling restart (CKA Workloads)
Force nginx to TLS 1.3 An nginx server is accepting an old TLS version, and the exam wants it locked to TLS one point three. The config lives in a ConfigMap. The catch is that editing the ConfigMap alone changes nothing. Let's do it the way the CKA expects. 🎥 Watch the video: https://www.youtube.com/watch?v=rx-77YBw99w This is a CKA Workloads & Scheduling walkthrough. Every command below is real output from a live cluster, and you can reproduce the whole thing yourself (scripts at the end). The scenario An nginx-static Deployment serves HTTPS, and its server config comes from a ConfigMap named nginx-config. Right now it allows both TLS one point two and one point three. Your task is to allow only TLS one point three, then make nginx actually use the change, so that a TLS one point two request fails. nginx-static serves HTTPS from the nginx-config ConfigMap It currently allows TLS 1.2 AND 1.3 Restrict ssl_protocols to TLS 1.3 only A TLS 1.2 request to the Service must then fail How nginx, ConfigMaps, and rolling restarts fit together Two ideas drive this. First, ssl_protocols is an allow list; leave only TLSv1.3 and nginx rejects any older handshake. Second, a ConfigMap mounted into a pod updates the file on disk, but nginx only reads ssl_protocols when it starts. So you must roll the Deployment, with kubectl rollout restart, for the new value to take effect. Inspect the current state Start by seeing what is running and what the config says. The nginx-static Deployment, its Service on port four forty three, and the nginx-config ConfigMap are all here. Grep the rendered ConfigMap for the ssl_protocols line: it lists TLSv1.2 and TLSv1.3, so old clients still get in. $ kubectl -n nginx-static get deploy,svc,configmap NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/nginx-static 1/1 1 1 17h deployment.apps/tester 1/1 1 1 17h NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/nginx-static ClusterIP 10.96.13.162 <none> 443/TCP 17h NAME DATA AGE configmap/kube-root-ca.
AI 资讯
Two-day hackathon kicks off AI Engineer World’s Fair
While the World’s Fair officially kicks off today a bunch of keen developers were in early, taking...
AI 资讯
How I built multi-tenant Row Level Security with Aurora PostgreSQL for a B2B SaaS — H0 Hackathon
I'll be honest: I almost did multi-tenancy the wrong way. When I started building InspectIQ "a SaaS platform for Florida home inspectors" my first instinct was to add a tenant_id column to every table and filter it in the application layer. Every query would have a WHERE tenant_id = :current_tenant clause. Simple, familiar, done. Then I thought about what happens when you forget one. One missing WHERE clause. One endpoint that skips the filter. One inspector sees another inspector's client data. In a home inspection business, that's not just a bug — it's a HIPAA-adjacent nightmare and a trust-destroying moment with your first customer. So I did it properly from day one: Row Level Security at the database layer. What is Row Level Security? RLS is a PostgreSQL feature that lets you define policies directly on tables. When a user queries a table, the policy runs automatically, before your application code even sees the results. You can't forget to apply it. You can't bypass it with a careless JOIN. It's enforced at the lowest possible layer. For a multi-tenant SaaS, this is exactly what you want. How I implemented it Every table in InspectIQ has this pattern: ALTER TABLE inspections ENABLE ROW LEVEL SECURITY ; ALTER TABLE inspections FORCE ROW LEVEL SECURITY ; CREATE POLICY tenant_isolation ON inspections USING ( tenant_id = NULLIF ( current_setting ( 'app.current_tenant_id' , true ), '' ):: uuid ); The FORCE is important — it applies the policy even to the table owner. No superuser backdoor. The tenant context comes from the JWT. When an inspector logs in, their tenant_id is embedded as a custom Cognito claim. The FastAPI middleware extracts it and sets it at the start of every request: await session . execute ( text ( f " SET LOCAL app.current_tenant_id = ' { tenant_id } '" ) ) SET LOCAL scopes the setting to the current transaction. When the transaction ends, it's gone. No leakage between requests. Aurora PostgreSQL Serverless v2 I'm running this on Aurora PostgreSQ
AI 资讯
I Built a Telegram-Inspired Messaging App Out of Boredom — Meet IGram
Sometimes, the best ideas come when you least expect them — like at 2 AM, scrolling through social media with nothing exciting to do. That’s exactly how IGram, my latest side project, came to life. No grand plans, no investors, no pressure — just a spark of curiosity and a desire to build something fun. In this post, I’ll share the story of how IGram started, what it is, the challenges I faced, and what I learned along the way. If you’ve ever wondered what it’s like to build a messaging app from scratch or are just curious about side projects, this one’s for you. HOW IT BEGAN _**A few days ago, stuck in an endless social media scroll loop, I suddenly thought, “Why not build my own messaging app?” Not to compete with the giants like Telegram or WhatsApp, and certainly not because I had a startup idea or funding. Simply because I wanted to see how far I could take it. That spontaneous idea turned into IGram, a project born purely out of boredom and a hunger to learn. What Is IGram? IGram is a modern messaging app inspired by platforms like Telegram and Discord. But it’s not a clone. Instead, it’s designed to feel fast, smooth, and enjoyable—an experience I wanted to craft from the ground up. It’s my personal challenge and learning experiment, built solo and fueled by the excitement of creating something new. Features You’ll Find in IGram Even though it started as a simple idea, IGram has grown to include a solid set of features: One-to-one messaging Group conversations Channel support Message reactions, editing, and deletion Reply and message forwarding Search functionality Dark and light themes Responsive design and mobile-friendly layout User profiles and modern UI animations Every feature is designed to keep the app feeling smooth and responsive, because the user experience matters just as much as the functionality. The Biggest Challenge: User Experience Surprisingly, writing the code wasn’t the toughest part—it was designing how everything flows and feels. Modern
开发者
I Built a $3 Rubber Ducky
If you've ever watched a hacker movie and seen someone plug in a USB and own a machine in seconds — that's not Hollywood magic. That's a Rubber Ducky. And I built one for under ₹150. Here's exactly how I did it, what it taught me, and why every security student should build one. What Even Is a Rubber Ducky? A Rubber Ducky is a USB device that pretends to be a keyboard. The moment you plug it in, the operating system trusts it completely — because keyboards don't need driver approvals or admin permissions. Once trusted, it starts "typing" pre-programmed commands at superhuman speed. We're talking 1000 keystrokes per second. By the time you blink, it's already opened PowerShell, run a script, and closed the window. The original Hak5 Rubber Ducky costs around $80. I built mine for ₹150. What I Used DigiSpark ATtiny85 — ₹120–150 on Amazon India Arduino IDE — free A Windows test machine (my own laptop) 15 minutes That's it. No soldering. No special skills. Just a tiny microcontroller the size of a thumb. Setting It Up Step 1 — Install Arduino IDE Download from arduino.cc and install normally. Step 2 — Add DigiSpark Board Support Go to File → Preferences and paste this into Additional Board Manager URLs: http://digistump.com/package_digistump_index.json Then go to Tools → Board → Board Manager, search Digistump and install. Step 3 — Install Drivers DigiSpark needs Micronucleus drivers on Windows. Download from the official Digistump GitHub and run the installer. Step 4 — Write Your First Payload This opens Notepad and types a message — my first ever "attack": cpp#include "DigiKeyboard.h" void setup() { DigiKeyboard.delay(2000); DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT); // Win+R DigiKeyboard.delay(500); DigiKeyboard.print("notepad"); DigiKeyboard.sendKeyStroke(KEY_ENTER); DigiKeyboard.delay(1000); DigiKeyboard.print("Hello. Your keyboard is now mine."); } void loop() {} Upload it, plug in the DigiSpark, and watch it type on its own. That moment hits different when y
AI 资讯
GuardDuo — The AI Guardian That Keeps Vibe-Coding in Check
AI coding tools are incredible. But I noticed something — they ship code fast, skip the rules, and nobody catches it until it's already in production. That's exactly what GuardDuo is built to fix. The Problem We're in the age of vibe-coding. You describe what you want, the AI builds it, it works — and you ship it. But "works" and "correct" are two very different things. Imagine asking an AI to build a login form. It works perfectly. But under the hood it has hardcoded API keys, no input validation, missing aria-labels , and it's using fetch directly instead of your project's apiClient wrapper. Your Issue said none of that was allowed. Nobody caught it. That's the vibe-coding trap — and it's happening on every team using AI-assisted development right now. What is GuardDuo GuardDuo is a GitLab Duo Agent skill that acts as your AI guardian. Instead of just reviewing code in isolation, it cross-references your code changes against the actual intent of the linked GitLab Issue — using the Orbit Knowledge Graph , which is essentially the brain that knows your project's rules, requirements, and success criteria. In plain terms: GuardDuo reads what the Issue asked for , reads what the code actually does , and tells you exactly where they don't match. It audits across three dimensions: 🔐 Security — hardcoded secrets, SQL injection, missing input validation ♿ Accessibility — missing alt text, aria-labels , poor color contrast 📐 Standards — deviations from your project's established patterns and conventions And when it finds a problem, it doesn't just flag it — it fixes it. How It Works Just open GitLab Duo Chat or GitLab Agent Platform(on your choice of IDE) -> choose the agent as GuardDuo and type: Audit issue #[issue no.] — GuardDuo pulls the Issue context from Orbit, analyzes the code, and returns a structured report Fix issue #[issue no.] — GuardDuo generates a corrected implementation that satisfies all requirements Or paste any code snippet directly and ask it to audit o