今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#code

找到 166 篇相关文章

产品设计

Dual role of * in C

Prerequisites Let's create a variable. int myNum = 5 ; Now, myNum refers to the value 5 . However, we can get its memory address using the & operator like this: &myNum . Role 1: Creating pointers A pointer holds a memory address. int * pointerToMyNum = & myNum ; Role 2: Modifying values using a pointer In this case, * works as the dereference operator. * pointerToMyNum = 10 ; Now, if we print myNum , the output will be 10 . Understanding that they are different in each context makes things much easier ✨ Note Both int ptr and int ptr are functionally identical in C.

2026-07-15 原文 →
AI 资讯

The Bug That Kept Coming Back

The first sign something was wrong wasn't a crash. It was a pattern. blockly-platform was the first real thing I built with Claude Code end to end — a Blockly-based platform for university programming exercises, driven entirely through Claude Code's Telegram channel. No editor open, no repo checked out on my machine, just a chat thread. I'd describe what I wanted, Claude Code would build it on a box I never looked at directly, and I'd judge the result by clicking around the deployed app. On March 22nd, the home page came up empty. GET /api/exercises/published was returning 403. I said so in the chat; a few messages later, Claude Code said it was fixed — the endpoint hadn't been added to Spring Security's permitAll() list. I moved on, tried the category filter. Also empty, also 403, also missing from the same permitAll() list — same file, same class of fix, different line. Then the exercise detail page. Same story, third time, same day. Three days later, the like button stopped working — root cause, again: POST /api/exercises/*/like had never been whitelisted either. Four times, one file, one recurring gap. None of these were hard bugs. Each one, in isolation, is a one-line fix a competent engineer makes without thinking twice. What bothered me, once I noticed the pattern, was that I hadn't noticed it as it happened. I had no diff to scroll through, no file to glance at and think "wait, didn't we just fix this exact class of thing twice already?" I had a chat log and a live app to poke at. The fourth fix looked, from where I sat, exactly like the first: a message telling me it was resolved. That was the moment I started to suspect the problem wasn't the model. It was that nobody — not the model, not me — had anything to look at. Why chat-only vibe coding breaks down Here's what makes that pattern more interesting than "the AI made a mistake": every one of those four fixes was correct. Claude Code read the error, found the missing permitAll() entry, added it, and move

2026-07-15 原文 →
AI 资讯

Building LIA (Part 1 Implementation): Clean Architecture and Argon2id in a Real Fastify + Prisma Registration Flow

LIA is a hyperlocal employability platform I'm building for an isolated coastal district in Brazil — think fixed retail jobs, gigs, and a reputation layer, all matched by proximity instead of routed through a national job board. This post is about the implementation: the actual folder structure, the real RegisterUserUseCase, and the Argon2id decision — pulled straight from the repository, not reconstructed from memory. The Clean Architecture folder structure LIA's backend is organized in four layers, and the direction of dependency is non-negotiable: outer layers depend on inner layers, never the other way around. backend/src/ ├── domain/ │ ├── entities/ │ └── repositories/ # interfaces only ├── application/ │ ├── dto/ │ └── use-cases/ ├── infrastructure/ │ ├── database/ │ └── repositories/ # Prisma implementations ├── presentation/ │ ├── controllers/ │ └── routes/ └── shared/ └── errors/ Let's walk through the registration feature end to end, following that exact order. Domain — the entity and the repository contract The User entity is a plain interface. No decorators, no ORM annotations, no framework leaking in: typescript// domain/entities/user.ts export interface User { id: string; name: string; email: string; password: string; createdAt: Date; updatedAt: Date; } The repository is defined as a contract, not an implementation. The domain doesn't know — and doesn't care — whether it's backed by PostgreSQL, an in-memory map, or something else entirely: typescript// domain/repositories/user.repository.ts import { RegisterUserDTO } from '../../application/dto/register-user.dto.js'; export interface UserRepository { create(data: RegisterUserDTO): Promise<{ id: string; name: string; email: string; createdAt: Date; updatedAt: Date; }>; findByEmail(email: string): Promise<{ id: string; name: string; email: string; password: string; createdAt: Date; updatedAt: Date; } | null>; } Notice create() never returns the password hash. That's not an accident — it's the same "strip

2026-07-15 原文 →
AI 资讯

Laptop Memory Leak Story

I found a slow, insidious memory leak in a Node.js API gateway caused by lingering event listeners; I fixed it by scoping emitters per request, enforcing cleanup in finally blocks, and adding leak‑aware tests and runtime safeguards—memory usage flattened and OOM restarts stopped. The Incident The gateway handled TLS termination, auth, and request fan‑out for many microservices. Over weeks its resident set size climbed in a staircase pattern until Kubernetes began OOM‑killing pods under load. The failure was gradual —light traffic ran for days, peak traffic crashed in hours—so it escaped casual monitoring. Investigation Heap snapshots and allocation profiles showed growing counts of small objects —closures, request metadata, and event listeners—rather than one giant allocation. Tracing revealed an internal event bus where request‑scoped listeners were attached but not always removed: an early‑exit authentication path returned before the cleanup function ran, leaving listeners that held references to request state. The GC saw those objects as live and never reclaimed them. The Fix (technical details) 1. Scoped emitters per request. Replace global emitters for request‑local concerns with a short‑lived EventEmitter created at request start. When the request ends, the emitter goes out of scope and the whole closure graph becomes collectible. 2. Guaranteed teardown via try/finally . Wrap the entire request pipeline so cleanup runs on success, error, or early return; the finally detaches any remaining listeners, clears timers, and releases caches. 3. Leak‑aware CI tests and runtime metrics. A harness simulated thousands of requests across code paths, captured heap snapshots, and asserted bounded object counts. Production metrics tracked listener counts and emitted alerts when thresholds were exceeded. 4. Operational safeguards. Added backpressure on accept queues, a soft memory threshold that disabled nonessential tracing, and rollout halting on excessive crash loops. Thes

2026-07-15 原文 →
AI 资讯

Every Commit in My Repo Gets Reviewed by a Second AI. Here's What Actually Changed.

My CLAUDE.md has one line near the bottom that I wrote months ago and mostly forgot about until I started actually paying attention to what it does: ## Important Note after your work done codex will review what you done. Terse, no punctuation, clearly typed in a hurry. But it's a real instruction that fires on every session in this repo: I finish a change, and a second model reviews it before I consider the work done. I added it half as an experiment. A few months in, it's changed how I work more than almost anything else in the setup, and not in the way I expected. I thought it would catch bugs. Mostly it doesn't, not directly. What it actually does is force a triage decision on every single piece of feedback, and getting that triage wrong is where all the pain lives. The three buckets Early on I treated every review comment the same way: read it, do it. That lasted about a week before I was silently making changes I didn't agree with because a second AI suggested them, and separately burning a stupid amount of time re-litigating comments that were just wrong or out of scope. What actually works is sorting every comment into one of three buckets before touching code: Fix it, no discussion. The comment is unambiguous, low-risk, and doesn't touch anything architecturally significant. Just do it and move on. Ask first. The comment is ambiguous, or it touches something that would require a real judgment call, or the "fix" would be a bigger refactor than the comment implies. Stop and get a human decision before acting. Skip silently. The comment is a duplicate of something already handled, or genuinely doesn't apply. Don't reply just to say "not doing this," don't leave a comment thread as evidence of having read it. Silence is the correct response to a non-issue. The failure mode I kept falling into before I had these buckets explicitly was collapsing 2 into 1: treating "ambiguous" as "just pick an interpretation and go." That's the actual source of review fatigue, not

2026-07-14 原文 →
AI 资讯

LeetCode 78. Subsets

Link https://leetcode.com/problems/subsets/description/ Problem Given an integer array nums of unique elements, return all possible subsets (the power set). The solution set must not contain duplicate subsets. Return the solution in any order. Example Example 1: Input: nums = [1,2,3] Output: [[],[1],[2],[1,2],[3],[1,3],[2,3],[1,2,3]] Example 2: Input: nums = [0] Output: [[],[0]] Solution First, create a variable subsets, initialized to [[]], as the return value. Loop through nums, and for each element, create new subsets by appending that element to each existing subset. Then, append these new subsets to subsets. Sample code class Solution : def subsets ( self , nums : List [ int ]) -> List [ List [ int ]]: """ 0: [[]] 1: [[]]+[1] -> [[], [1]] 2: [[],[1]] + [2],[1,2] -> [[], [1], [2], [1, 2]] 3: [[], [1], [2], [1, 2]] + [3], [1, 3], [2, 3], [1,2,3] -> [[], [1], [1, 2], [3], [1, 3], [2, 3], [1, 2, 3]] """ subsets = [[]] for num in nums : new_subsets = [ subset + [ num ] for subset in subsets ] subsets += new_subsets return subsets

2026-07-14 原文 →
AI 资讯

--- title: Day 1: Starting My Web Dev Journey published: true description: Learning HTML from scratch ---

Hi everyone! I'm a tech enthusiast currently mastering web development and game development. I am building my foundation from scratch,learning on my phone with Sololearn and Mimo while writing my code completely on a tablet using an app called Acode . Why I'm Doing This I want to learn how to turn big ideas into reality, one line of code at a time. I'm starting with the absolute basics of the web: HTML. My First HTML Project Today, I built a multi-page setup right on my tablet. Here is the structure of my homepage ( index.html ): <!DOCTYPE html> <html lang= "en" > <head> <title> My First Blog Post </title> </head> <body> <h1> Day 1: Starting My Journey To Become A Web Developer </h1> <p> I officially started learning web development today! </p><h3> What I Learnt </h3><Some of the things I learnt today were: </ p ><ul><li> HTML code controls the structure of a webpage </li><li> HTML tags are used to add elements to a webpage </li><li> Elements like button and paragraph require container tags while elements like images and line break only require empty tags <li> Container tags consist of both opening and closing tags. </li><li> Some HTML tags known as Semantic tags </li></ul><h4> What I Built </h4><p> I started with my first project which is my portfolio website </p><h5> Looking Ahead </h5><p> Next I want to learn more on HTML and dive deeper to get a better understanding of HTML and later learn CSS and JavaScript to style and make my webpage more interactive <p> </body> </html> ``` What's Next? ​My next immediate goal is to learn more about HTML and to learn CSS so I can start styling these pages and making them look awesome. After that, I'll be diving into JavaScript and starting my first simple game development projects. ​I'm excited to document my progress here as I grow from a beginner into a software developer. If you have any tips for learning on a mobile device, let me know in the comments!

2026-07-14 原文 →
AI 资讯

I Built a Local AI Code Reviewer That Reads Your Entire Codebase (and PRs!) for Free

As developers, we all want AI to review our code. But sending proprietary, unreleased code to third-party cloud APIs (like OpenAI or Anthropic) isn't always an option—especially if you're working on client projects or under strict NDAs. I wanted an AI code reviewer that was 100% private , free , and actually understood the context of my entire project . So, I built one using Python and Ollama . Here’s a look at what it does and how you can use it! What it does It’s a CLI tool that uses local LLMs (like qwen2.5-coder or llama3 ) to review your code. No API keys, no subscriptions, and zero data leaves your machine. But I didn't want to just paste code snippets into a terminal. I wanted a tool that actually fits into a developer's workflow. Here is what it supports: 1. Review an Entire Codebase Just point it at your project folder. The app will recursively gather your files, automatically ignoring bulky folders like node_modules , .git , vendor , and .next , and give you a full architectural review. python3 app.py ./my-project/ 2. Review Pull Requests Automatically Want to review a PR? Just pass the GitHub PR URL. The tool auto-detects that it's a diff, fetches the changes, and switches into "PR Review Mode." Instead of looking at architecture, it zeroes in on the + lines to find bugs, edge cases, and missing tests introduced by the PR. python3 app.py https://github.com/facebook/react/pull/30000 (Working on a private repo? Just pipe it: gh pr diff 123 | python3 app.py ) 3. Pipe Anything Into It You can pipe individual files, diffs, or snippets straight from your terminal. cat src/main.py | python3 app.py 🛠️ How to run it yourself Install Ollama and pull a solid coding model: ollama pull qwen2.5-coder Clone the repo and install the requirements: pip install -r requirements.txt Run it! python3 app.py ./your-code 💡 The Magic Under the Hood The script dynamically switches its prompt based on what you feed it. If you give it a directory, it looks for separation of concerns

2026-07-14 原文 →
AI 资讯

The Myth of the Post-Documentation Era

There is a growing sentiment in engineering circles right now that documentation is a relic of the past. The argument usually goes something like this: We’re living in the era of agent-driven development. If an AI agent can read the raw source code or parse an OpenAPI specification instantly, why waste human engineering hours writing prose? Code churns too fast anyway, and human-written docs are outdated the second they’re committed. It’s an attractive, black-and-white view of the world. It’s also completely wrong. Chasing strict determinism in your source of truth is a pipe dream. Code and specs tell a system how something works, but they are fundamentally incapable of explaining why it was built that way in the first place. The Intent Gap: Why Code Isn't Enough Even if you’re building entirely for a downstream consumer of AI agents, there is a massive, structural gap between a raw API specification and an operational reality. Agents are phenomenal at pattern matching and syntax execution, but they struggle with architectural philosophy and human intent. We still need words to contextualize the boundaries. A spec can define an endpoint, its parameters, and its payload. What it can't capture is the nuance of why a specific architectural trade-off was made, or the implicit historical context of a legacy edge case. Prose provides the guardrails for non-deterministic systems. Even if that prose is ultimately consumed by a machine rather than a human, the written word remains the highest-leverage way to transmit intent. The Danger of Slop Describing Slop This doesn't mean we need to return to the days of manually maintaining massive, static wiki pages. Automation has a massive role to play here. Cascading automation—where documentation is dynamically generated alongside code changes—is incredibly powerful. But there’s a trap here: slop describing slop is entirely useless. If we completely hand off documentation generation to unchecked LLMs, we end up with a feedback loo

2026-07-13 原文 →
AI 资讯

Git: The Fellowship of the Commit – Best Practices for Solo Devs and Teams

The Quest Begins (The "Why") I still remember the first time I tried to track down a bug that only showed up after midnight. I opened my terminal, typed git log , and was greeted by a wall of commits that read like a toddler’s grocery list: * 7a9c3f1 (HEAD -> main ) fix stuff * 4b2e8a1 update * f1d9c6b wip * 9e3b7d2 more changes * … I spent three hours chasing a regression that turned out to be a one‑line typo in a file I hadn’t touched in weeks. The commit messages gave me zero clues, and the diff was a tangled mess of unrelated changes. I felt like I was wandering through a dungeon without a map, hoping the next room would hold the answer. That night I realized the real monster wasn’t the bug—it was the way I was committing code. My commits were large, vague, and scattered , making every subsequent step (review, revert, bisect) a gamble. If I wanted to keep my sanity (and maybe even enjoy coding again), I needed a better system. The Revelation (The Insight) The turning point came when I read about Conventional Commits —a lightweight convention that gives each commit a clear type ( feat , fix , docs , refactor , test , chore , etc.) and a short, descriptive message. It sounded simple, but the impact was massive: Atomicity – each commit does one thing. Clarity – the message tells you why the change exists, not just what changed. Automation – tools can generate changelogs, version bumps, and even release notes straight from the log. Adopting this felt like discovering a hidden shortcut in a Zelda dungeon—suddenly the whole map made sense, and I could sprint to the boss room with confidence. Wielding the Power (Code & Examples) Before – The Chaos Imagine we’re building a tiny API for user profiles. Here’s what a typical day of committing looked like (messages only, but the diffs were just as messy): $ git log --oneline -5 7a9c3f1 ( HEAD -> main ) fix stuff 4b2e8a1 update profile handler f1d9c6b wip 9e3b7d2 added auth middleware c5d4e3f refactor utils If I needed to ro

2026-07-12 原文 →
AI 资讯

What is an API? An Explanation for Complete Beginners

Imagine you are sitting at a table in a restaurant. You have a menu in front of you with a list of delicious meals, and the kitchen is ready to cook them. However, there is a missing link. You are sitting in the dining room, and the chefs are tucked away in the back. You can't just walk into the kitchen and grab your food, and the chefs don't leave the stove to come take your order. To bridge the gap, you need a mediator. You need someone to take your order from the table, deliver it to the kitchen, and then bring the food back to you. That person is your waiter. In the digital world, an API (Application Programming Interface) is that waiter. The Plain English Definition An API stands for Application Programming Interface. Strip away the technical jargon, and an API is simply a software messenger that allows two different computer programs to talk to each other and share data. Think of it as a digital bridge. When you use an app on your phone, it doesn't contain all the data in the world inside its small download file. Instead, it uses an API to send a request over the internet to a massive server, which then sends the correct information back. The Restaurant Analogy: Side-by-Side To see how this works in real life, let’s map our restaurant experience directly to how technology works on your phone or computer: The Customer (You): This is the Client (your web browser, smartphone app, or computer). You are the one asking for information. The Menu : This is the API Documentation. It lists out exactly what items you are allowed to order and how you need to ask for them. The Waiter : This is the API. They take your request, run it over to the system, and bring you back the result. The Kitchen : This is the Server / Database. It holds all the raw data, processes the request, and prepares the final output. Where Do You See APIs in Real Life? You interact with dozens of APIs every single day without even realizing it. Here are a few common examples: "Log In with Google" or

2026-07-11 原文 →
AI 资讯

Planting a Future Breaking Change Today: A launchd Timer Job That Deletes Itself When Done

This is a follow-up to my earlier post, " Automating a config migration with a one-shot launchd job ." Some breaking changes come with a known expiration date, and you can prepare for them long before they land. This time the external event was the end-of-life of Fable 5 (2026-07-07), and I'll walk through how I designed a launchd job you set up today, that fires only on the target day, and that removes itself once it's done. The whole thing started with the thought, "manually fixing this on the shutdown day is going to be annoying." But I also didn't want to run a script every morning that needlessly rewrites JSON. What I landed on was a three-part set: a date gate, a jq rewrite with a backup, and self-unload. The problem: on the day I learn about a deprecation, I want to plant a job that "only runs on the target day" Right now, ~/.claude/settings.json looks like this: { "model" : "claude-fable-5[1m]" , ... } The moment I learned Fable 5 would end on 2026-07-07, creating a calendar reminder to manually rewrite this "model" felt too flimsy — I'll forget. On the other hand, making "a daemon that checks the date every time it boots" is overkill. What I wanted was a job I could set once and leave alone, that runs when the day arrives, and then disappears. launchd can fire at a specified time via StartCalendarInterval . But you can't express "just once at 9:00 on 7/7"; you need a combination of recurring and date-fixed slots. Specifying multiple slots and absorbing the redundancy with idempotency is the standard trick on macOS launchd. The implementation: the three-part set Here's the full ~/.claude/scripts/model-transition-0707.sh (comments omitted). #!/bin/bash set -uo pipefail SETTINGS = " $HOME /.claude/settings.json" LOG = " $HOME /.claude/logs/model-transition.log" PLIST = " $HOME /Library/LaunchAgents/com.shun.model-transition-0707.plist" log () { echo "[ $( date '+%F %T' ) ] $* " >> " $LOG " ; } # ① 日付ゲート if [ " $( date +%Y%m%d ) " -lt 20260707 ] ; then log "ski

2026-07-11 原文 →
AI 资讯

n8n review: I automated 12 saas.pet workflows with it in 6 months

n8n is the open-source workflow automation tool that competes with Zapier and Make. I have been running it for saas.pet's content pipeline for 6 months. Here is my honest take on self-hosting n8n versus paying Zapier, and whether it is worth the hassle. What n8n does that Zapier cannot n8n is an open-source workflow automation platform with 400+ built-in integrations. You connect nodes on a visual canvas: when X happens in one app, do Y in another. The killer difference from Zapier: you control where it runs. Self-host on a $5/month VPS or run on n8n Cloud at $20/month. No per-task pricing, no 'you hit your zap limit' emails. For high-volume workflows, the cost difference is dramatic. I run n8n on the same $6/month HK server that hosts my proxy. 12 workflows handle saas.pet's entire content pipeline: daily data fetch from GitHub Trending API, transform JSON, write to data files, trigger build, push to git, notify me on Telegram. The same workflows on Zapier would cost $73.50/month (Professional plan with 2,000 tasks). On n8n, $6/month for the server plus $0 for the software. The self-hosting overhead is real—updates, SSL certs, monitoring—but for 12+ active workflows, the savings are $800+/year. If you only have 2-3 simple zaps, stay on Zapier's free tier. If you have 5+ workflows with volume, n8n pays for the hosting in month 1. My 6-month setup for saas.pet I run n8n in Docker on the HK server. The initial setup: install Docker, pull n8n image, configure nginx reverse proxy, set up SSL via Certbot. That took about 2 hours the first time. Now I can deploy n8n in 15 minutes on a fresh server. The 12 workflows: (1) Daily GitHub trending fetch via saas.pet/api/trending, (2) data transform to unified JSON, (3) write to data/YYYY-MM-DD.json, (4) trigger build-ci.mjs, (5) git add + commit + push, (6) Telegram notification with commit SHA, (7) weekly sitemap health check, (8) monthly backup of reviews/ JSONs to S3, (9) uptime ping every 15 minutes, (10) DNS health check,

2026-07-11 原文 →
开发者

Two Sum and the use of Dictionary (Easy) | LeetCode Practice #1

Two Sum Given an array of integers nums and an integer target , return indices of the two numbers such that they add up to target . (You may assume that each input would have exactly one solution, and you may not use the same element twice. You can return the answer in any order.) Python ####Double FOR Loops (Runtime: 2100ms, Memory: 13.3MB) #DECLARE nums: ARRAY of INTEGER #DECLARE target: INTEGER class Solution : def twoSum ( self , nums , target ): Length = len ( nums ) for i in range ( Length - 1 ): for j in range (( i + 1 ), Length ): if nums [ i ] + nums [ j ] == target : return i , j return None ####Hashing Algorithm (Runtime: 0ms, Memory: 12.9MB) #DECLARE nums: ARRAY of INTEGER #DECLARE target: INTEGER class Solution : def twoSum ( self , nums , target ): Seen = {} for i , Value in enumerate ( nums ): if ( target - Value ) in Seen : return Seen [ target - Value ], i Seen [ Value ] = i return None

2026-07-10 原文 →
AI 资讯

Adding real payments to a Base44 app (3 insertion points, tested)

Disclosure up front: I'm Oded, co-founder of UniPaaS, the FCA-authorised Payment Institution (No. 929994) behind paas.build - so this is a vendor writing about his own product. That said, the three Base44 mechanics below are documented Base44 surfaces, and they work with any external payments API, not just ours. The wall Tell Base44 "add payments" and it installs Stripe or Base44 Payments (powered by Wix), plus Tranzila/Max for Israel. Both main options are solid if you qualify: Stripe is excellent infrastructure with first-class docs, and the Wix-powered option is native to the platform. The fine print is where builders hit a wall: Stripe live mode needs verified business and banking information before you can take a real payment. Base44 Payments requires "a business and bank account based in one of the supported countries" (their docs). The top payments request on Base44's own feedback board is "a way to setup other payment providers other than Stripe" - precisely because not every country is supported. Base44 webhooks only fire while someone is actively using your app, so 3am subscription renewals, retries and dunning silently don't run. If you have a registered company in a supported country and mostly sell one-off purchases, use the built-in Stripe path. It's the smoothest. The rest of this post is for everyone else. Base44 gives you three documented ways to wire in an external provider. I tested all three with paas.build. Here's each, and when it fits. Insertion point 1: custom MCP connection (build-time) In Base44: Settings → Account → MCP connections → Add custom MCP . Name: paas.build Server URL: https://paas.build/sse Auth: API key (your paas.build key) That's the legacy SSE endpoint Base44's form takes; streamable HTTP lives at https://paas.build/mcp for agents that support it. Base44's AI treats MCP connections as tools it can call when your request needs external data or actions. So in the editor chat you can say "use paas.build to create a live merchan

2026-07-10 原文 →
开发者

Introducing OrBit: A Local-First Workspace Synchronization Engine for Developers

As developers , we often face challenges keeping our workspaces perfectly synchronized across devices and collaborators. Whether it’s dealing with slow cloud sync, merge conflicts, or latency issues, these problems can disrupt our workflow and productivity. That’s why I’m excited to introduce OrBit , a local-first workspace synchronization engine designed to keep your development environments in sync with sub-millisecond latency — all while supporting offline work and peer-to-peer collaboration. What is OrBit ? OrBit is built around a multi-layered architecture that combines the power of Rust, Tauri, and VS Code to deliver a seamless synchronization experience: Rust-based local watcher daemon: Monitors file system changes with kernel-level events for ultra-low latency. Tauri-based native desktop dashboard: Provides a lightweight, secure, and cross-platform interface to manage your sync settings. VS Code extension: Integrates directly with your editor for smooth, real-time syncing of your code workspace. Unlike traditional cloud-based sync solutions, OrBit uses peer-to-peer connections and Conflict-free Replicated Data Types (CRDTs) to ensure your workspaces stay consistent even during network partitions or offline periods. Key Features Real-time sync with sub-millisecond latency: Changes propagate instantly across your devices. Offline support: Work uninterrupted without internet, with automatic merging when reconnected. Conflict resolution: CRDTs handle concurrent edits gracefully, preventing data loss. Native desktop and editor integration: Manage sync easily via the desktop app and VS Code extension. Peer-to-peer architecture: No heavy cloud servers required, enhancing privacy and speed. Why OrBit ? OrBit is designed for developers who demand speed, reliability, and seamless collaboration. It eliminates the frustration of slow syncs and merge conflicts, letting you focus on coding. Whether you’re working solo across multiple devices or collaborating with a team,

2026-07-10 原文 →
AI 资讯

RLS recursion infinite loop: why I gave up policies and bet everything on a JWT custom claims hook

Episode 1/4 — 3 incidents, one root: default GRANTs open more than you think — [CANONICAL URL EPISODE 1: fill in after push] Episode 2/4 — await mutation() lies when nobody opens the { error } envelope — [CANONICAL URL EPISODE 2: fill in after push] The morning Françoise sees zero rows, again It's a Tuesday in April 2026. I've just added the agent_readonly role to the authenticated membership — a one-liner, meant to share a GRANT for a reporting job. First SELECT on cours , Sentry receives infinite recursion detected in policy for relation "user_roles" , code 42P17 . From the office next door, Françoise is already on the phone with the Maisons-Laffitte branch: "So they can't see anything over there — is that normal?" Foreman tone, not really a question. I read the error on my screen. The difference from episode 1: this time Postgres is talking. What came out of Sentry was no longer a silent empty set — it was an explicit error. That difference saved me two days. When Postgres shouts, you listen. The trap is that what it says isn't where you're looking. I won't pretend this is obscure. A policy on user_roles that queries user_roles to decide who can read user_roles is a loop. You avoid it, you work around it with SECURITY DEFINER , you move on. The problem: my user_roles policy didn't reference user_roles . I had already cleaned it up three weeks earlier. The recursion was coming from somewhere else. The diagnostic that targets the wrong object First reflex: re-read the user_roles policy. It's clean, reads auth.email() , never calls itself. Second reflex: disable policies one by one to find the culprit. Wrong angle. -- supabase/migrations/20260420_admin_write_cours_v1.sql -- "Admin write cours" policy — original version that loops CREATE POLICY "Admin write cours" ON public . cours FOR ALL TO authenticated USING ( EXISTS ( SELECT 1 FROM public . user_roles WHERE email = auth . email () AND role IN ( 'admin' , 'super_admin' ) ) ); The recursion doesn't come from a fau

2026-07-09 原文 →
AI 资讯

The PostgREST query that silently ORDER BY ctid: a Supabase week, distilled

The fourth call of the week Catherine calls from the Maisons-Laffitte site on a Tuesday afternoon in early May. "It's broken, but it's a quick fix." That's her line — I know it, and she's usually right. She describes it in three sentences: the newsletter export for the enrolled-students segment comes back with ninety-two names, the planning view shows ninety-two active courses, but the counter page shows eighty-nine. Three enrolled students missing. She'd checked the database directly — they're all there. "Why three steps for that?" She's not asking for my benefit. She's asking for herself. Except this time, hanging up, I realize it's the fourth time this week I've hung up thinking the same thing. Four Supabase incidents, four fixes, four closed tickets. And not a single exception raised by the database. I reopen the three previous ones and lay all four side by side on screen. This isn't four bugs. It's one failure mode, declinated four times. The first three Episode 1 was about the default GRANT s Supabase places on functions and policies. A SQL function created without an explicit REVOKE inherits anon access that nobody wrote in the migration, and that nobody caught in review because the diff doesn't show it. The function works. It's just callable from outside. [CANONICAL URL EPISODE 1: to fill in after publication of #48 — "3 Supabase security incidents, one shared root cause: SECURITY DEFINER inherits EXECUTE TO PUBLIC"] Episode 2, an ON DELETE SET NULL cascade coupled with a CHECK NOT NULL on the target column. The parent DELETE attempts the SET NULL , the CHECK rejects it, and the transaction surfaces an error we read as a deletion failure — while it actually masks a consistency assumption we'd held for three months. The query fails loudly, which is more charitable than the other three cases, but the diagnosis heads in the wrong direction because nobody had declared that the two constraints lived in tension. [CANONICAL URL EPISODE 2: to fill in after publicati

2026-07-09 原文 →