AI 资讯
What a Vibe Coding Security Scanner Can (and Cannot) Tell You
AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans. A public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable. The useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?” Layer 1: the public deployment surface A passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect: HTTP security headers such as Content-Security-Policy and Strict-Transport-Security HTTPS behavior and redirect consistency Public JavaScript bundles for credential-shaped strings Public source maps that expose original source structure Common sensitive paths such as environment files or repository metadata Cookie attributes and other response-level deployment signals These checks are valuable because they test the deployed result, not the configuration you intended to ship. For example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token. The deployed surface is where those mistakes become observable. Layer 2: source-code review A public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response. This is where you can answer questions such as: Is authorization enforced on the server? Can a user change an object ID and read anothe
AI 资讯
I picked a coding agent off a leaderboard. It flopped on our codebase.
Last year my team had to pick a coding agent, and I volunteered to run the evaluation. I felt good about it. I pulled up the public benchmark scores, lined up the contenders, took the one at the top, and told everyone we had a winner. Then we actually pointed it at our repo. It did not blow up dramatically. It just kept being slightly wrong in ways that ate our time. It wrote diffs our reviewers would not approve. It renamed a function and broke three files it had never opened. The tests it ran passed, and the repo was still broken. I had confidently recommended a tool based on a number that turned out to say almost nothing about our situation. That was embarrassing enough that I went and figured out why. It took a few weeks of reading and a couple more bad calls before I landed on something that works. This is that, written plainly, and I hope it saves you the meeting where you have to walk your recommendation back. Why the benchmark score lied to me The score was not fake. It was just measuring somebody else's code. Once I looked properly, four gaps explained the whole thing: The agent might have already seen the answers. The problems in these public benchmarks are old. Models were very likely trained on the actual fixes used to grade them. So the score partly measures memory, not problem-solving. The setup is nothing like real work. A benchmark gives the agent a clean repo, one clear issue, and one command to run the tests. My engineers give it a half-open editor, a messy branch, a Slack thread, and a reviewer comment. Completely different job. Our codebase has its own habits. Our internal libraries, our wrappers, our test style, the imports we ban. No benchmark knows any of that, so an agent can write textbook-perfect code that our reviewers still reject on sight. The bar for passing is way lower. A benchmark passes a patch if the broken test now passes. My team passes a patch if it does that, and does not break unrelated tests, does not reformat the whole file,
AI 资讯
The Union‑Find Fellowship: Finding Your Tribe in Code
The Quest Begins (The "Why") I still remember the first time I stared at a LeetCode problem that asked me to count the number of islands in a grid. My initial instinct? Run a BFS/DFS from every unvisited land cell, mark everything reachable, and repeat. It worked, but each query felt like I was re‑exploring the same territory over and over again—like walking the same hallway in a dungeon every time I wanted to open a new door. Then a friend tossed me another problem: “Given a list of friendships, tell me if two people are in the same social circle.” Again, the naive solution was to rebuild the whole graph for every query. I felt like I was stuck in a grind‑fest, repeating the same low‑level work while the real challenge—understanding the structure of the connections—remain. That frustration sparked a question: Is there a way to remember what we’ve already discovered about connectivity, so future queries are instant? The answer, as many of you have guessed, lives in a humble but mighty data structure called Union‑Find (also known as Disjoint Set Union, DSU). The Revelation (The Insight) At its core, Union‑Find is about two simple ideas : Each element starts in its own set – think of every person as a lone adventurer. When we learn that two elements belong together, we merge their sets – we call that a union . The magic isn’t just in merging; it’s in how we find the representative (or “root”) of a set later on. If we naïvely walked up a chain of parents every time, we could end up with O(n) per find—still a grind. Two optimizations turn this into near‑constant time: Union by rank (or size) – always attach the smaller tree under the root of the larger one. This keeps the overall tree shallow, guaranteeing that the height never exceeds log n. Path compression – during a find operation, we make every node we pass point directly to the root. It’s like handing every traveler a map that instantly shows the shortest route to the campfire, so next time they don’t need to trek
开发者
Conditional Operator (`?:`) in Java
The conditional operator ( ?: ) — The Only Ternary Operator is one of the most useful operators in Java. It lets you write simple decision-making logic in a single line, making your code cleaner and more concise. It's also a favorite topic in Java interviews because of its syntax, nesting behavior, and type compatibility rules. In this article, you'll learn: What the conditional operator is Why it's called a ternary operator Syntax and working Nested conditional operators Difference between ?: and if-else Practical examples Interview questions Memory tricks What is the Conditional Operator? The conditional operator is represented by: ? : It is the only ternary operator in Java . A ternary operator takes three operands , unlike: Operator Type Number of Operands Example Unary 1 ++x , !flag , ~5 Binary 2 a + b , a > b , a && b Ternary 3 (a > b) ? a : b Syntax result = ( condition ) ? valueIfTrue : valueIfFalse ; How It Works condition │ Is it true? / \ Yes No │ │ valueIfTrue valueIfFalse │ │ └────── Result ──────┘ If the condition is true , Java returns the value before the colon ( : ). If the condition is false , Java returns the value after the colon ( : ). Example 1 int x = ( 10 > 20 ) ? 30 : 40 ; System . out . println ( x ); Output 40 Step-by-Step Evaluate the condition: 10 > 20 ↓ false Since the condition is false, Java selects the value after : . 40 Therefore, x = 40 Example 2: Finding the Maximum int a = 10 ; int b = 20 ; int max = ( a > b ) ? a : b ; System . out . println ( max ); Output 20 This is one of the most common uses of the conditional operator. Example 3: Even or Odd int number = 7 ; String result = ( number % 2 == 0 ) ? "Even" : "Odd" ; System . out . println ( result ); Output Odd Example 4: Absolute Value int x = - 5 ; int absolute = ( x < 0 ) ? - x : x ; System . out . println ( absolute ); Output 5 Nested Conditional Operators One of the biggest advantages of the conditional operator is that it can be nested . Example int x = ( 10 > 20 ) ? 30 :
AI 资讯
7 MongoDB Query Mistakes That Return the Wrong Results
MongoDB queries look simple. You type a field, give it a value, hit run, and you get your data back. But just because a query runs without throwing an error doesn't mean it worked right. Sometimes you get a blank screen. Sometimes you get way too many records. Other times, the data looks fine at first glance, but it doesn't actually match what you asked for. Most of these slip-ups happen for one basic reason: the query structure doesn't match the way the data actually sits in the database. To show you what we mean, we’ll use a clinic database with a collection called visits . Here is what a typical document looks like: JSON { "_id": "6871b6f9c3f1d1a4c2a10001", "status": "completed", "visitDate": "2026-07-01T09:30:00.000Z", "patient": { "name": "Anna Keller", "age": 34 }, "doctor": { "name": "Dr. James Carter", "specialty": "Cardiology" }, "symptoms": ["cough", "fever"], "prescriptions": [ { "name": "Ibuprofen", "active": false }, { "name": "Paracetamol", "active": true } ], "invoice": { "paid": true, "method": "card", "total": 250 } } You can run these examples right in the VisuaLeaf MongoDB Shell . Using visual tools makes a big difference because you can see exactly what MongoDB is returning in real time. 1. Forgetting the Curly Braces This is just a quick typo, but it breaks things right away. The Mistake: db . visits . find ( status : " completed " ) The Correct Query The find() tool always expects an object. Even if you are only looking for one specific thing, you still need to wrap that condition in curly braces {} . 2. Treating $or Like a Regular Object This one trips a lot of people up because the broken version looks like it should work. The Mistake: db.visits.find({ $or: { status: "completed", "invoice.paid": false } }) What is wrong: $or expects an array of conditions, but this query gives it one object. The error will usually be something like: MongoServerError: $or must be an array The Correct Query The first query is wrong because $or needs an array, n
产品设计
Hackers quickly prove that Neo Geo Doom ports are not "impossible"
Clever coding and graphical compromises get a classic game on more classic hardware.
开发者
Python Is So Slow. Can Julia Solve the Two-Language Problem?
By some benchmarks, Julia code can run 10X to 1,000X faster than Python—but there’s a reason it’s not a very popular programming language.
AI 资讯
What Happened When I Let Several AI Agents Loose in One Repo
Originally published at blog.whynext.app . Work with AI agents for a while and the ambition comes naturally. While one session fixes a bug, another can refactor, and a third can investigate an issue, right? You can spin up as many models as you like, so productivity should scale to match. That's how I started too. And within a week I learned that the real enemy of parallel agents isn't the models' skill. It's the working directory they share. HEAD is a global variable The cause fits in one sentence. When multiple sessions share a single git checkout, the current branch becomes everyone's global variable. Picture two people working on one computer at the same time and the absurdity is obvious, but that thought never occurred to me while spinning up agents. With one session per terminal tab, they look isolated from each other. But there is one filesystem, and one HEAD. The moment one session runs git checkout , the ground shifts under every other session. The incidents from that week fell into clear types. Branch hijacking. While session A was working on a topic branch, session B switched branches to do its own work. A committed without knowing, and the commit landed on top of B's branch. It happened in the other direction too: right as A was about to commit, the branch had been switched to develop, and only the hook that blocks direct commits to protected branches saved it. Without the hook, it would have gone straight in. Orphaned commits. Session B deleted session A's topic branch during a cleanup pass. A's commits became orphans belonging to no branch, and I dug through the reflog, found the commit hashes, and recovered them with cherry-pick. Lucky that it worked; if the reflog had expired or I hadn't found them, the work would have simply evaporated. Staging contamination. At the moment session A was creating a commit, a file deletion that session B had staged was sitting in the staging area alongside it. Committed as-is, B's deletion would have been folded into
开发者
Equality Operators (==, !=) in Java — Part 1
Equality operators are among the most frequently used operators in Java. They allow us to compare two values and determine whether they are equal or not. Unlike relational operators ( < , > , <= , >= ), equality operators work with all primitive data types , including boolean , and they can also compare object references . However, many beginners get confused about how == behaves with objects, strings, and null . These concepts are also some of the most frequently asked Java interview questions. Let's understand them with simple explanations and practical examples. What Are Equality Operators? Java provides two equality operators. Operator Description == Equal to != Not equal to Both operators always return a boolean value. Example System . out . println ( 10 == 10 ); System . out . println ( 20 != 10 ); System . out . println ( 5 == 8 ); Output true true false Rule 1: Equality Operators Work with All Primitive Types Unlike relational operators, equality operators can be applied to every primitive type , including boolean . Supported primitive types include: byte short int long float double char boolean Numeric Examples System . out . println ( 10 == 20 ); Output false System . out . println ( 'a' == 'b' ); Output false System . out . println ( 'a' == 97 ); Output true Explanation 'a' = 97 (Unicode) 97 == 97 ↓ true System . out . println ( 'a' == 97.0 ); Output true Even though one operand is a char and the other is a double , Java performs numeric promotion before comparison. Boolean Example System . out . println ( true == false ); Output false System . out . println ( false == false ); Output true Unlike relational operators, equality operators fully support boolean values. Equality Operators vs Relational Operators Many beginners confuse these operators. Expression Result true == false ✅ Valid true != false ✅ Valid true > false ❌ Compile-time error true < false ❌ Compile-time error Remember: Equality operators work with boolean . Relational operators do not. Rul
AI 资讯
GitHub Copilot CLI Gets Tabs and No-Config-File Tool Setup in Redesigned Terminal UI
GitHub has made the redesigned GitHub Copilot CLI terminal interface generally available. It adds a tabbed layout for sessions, gists, issues, and pull requests; an in-session, form-driven setup for MCP servers, skills, and plugins that avoids hand-editing config files; and a cleaner, theme-aware, more accessible UI with screen reader support. By Mark Silvester
AI 资讯
Podcast: Formal Methods for Every Engineer in an AI-Powered Future
In this podcast Shane Hastie, Lead Editor for Culture & Methods spoke to Gabriela Moreira about making formal methods accessible through the Quint specification language, how AI is dramatically lowering the barrier to entry for formal specification and model-based testing, and why defining correct system behaviour remains essential human work in an AI-driven world. By Gabriela Moreira
AI 资讯
Why I Choose Lovable for Building Full-Stack Applications with AI
Why I Choose Lovable for Building Full-Stack Applications with AI Over the last year, AI-assisted software development has evolved from generating code snippets to building complete web applications. We've all seen tools like Cursor, Claude Code, GitHub Copilot, Replit Agent, Bolt, and many others enter the market. Each has its strengths, but after experimenting with several of them, I keep coming back to Lovable whenever I want to build a new web application from scratch. This isn't a sponsored post—it's simply the workflow that has worked well for me. If you're interested in trying Lovable, you can use my referral link below. Disclosure: new users receive additional signup credits, and I receive referral credits if you sign up through it. Referral: https://lovable.dev/invite/AQ02SOZ Why Lovable Stands Out Most AI coding assistants help you write code. Lovable helps you build an application. Instead of focusing on individual functions or files, it takes a higher-level approach where you describe what you want, and it generates a complete full-stack application that you can continue refining. A typical workflow looks like this: Idea │ ▼ Describe the application │ ▼ Lovable generates • Frontend • Backend • Database • Authentication • API integration │ ▼ Preview instantly │ ▼ Connect GitHub │ ▼ Iterate and Deploy Unlike traditional no-code platforms, you're not locked into a proprietary editor. Lovable supports GitHub synchronization, native Supabase integration for authentication and PostgreSQL-backed data, and deployment options ranging from Lovable-hosted apps to your own infrastructure. Why I Keep Choosing Lovable After building several side projects, these are the reasons I continue to use it. 1. Rapid idea-to-production workflow The biggest productivity gain isn't AI-generated code. It's reducing the number of decisions needed before users can interact with your application. Instead of spending hours creating project structure, authentication, routing, database
产品设计
Figma acquires team behind a vibe-coding app
The Y Combinator-backed company started a vibe-coding platform and later built an agent-creation product.
AI 资讯
Claude Cowork expands to mobile and web
With this update, users can start a task from their desk, get status updates on their phone, and pick up the finished output later — even if their laptop is closed.
AI 资讯
Cursor AI Review 2026: The AI-Native Code Editor
Cursor is the first AI code editor I have used that feels less like an autocomplete plugin and more like a place to steer work. It does not write perfect software. It changes the rhythm: ask for a scoped change, review the diff, then tighten it by hand. This Cursor AI review is based on day-to-day developer tasks: reading unfamiliar code, editing React components, moving logic between files, writing tests, and asking the editor to explain errors from the terminal. The short version is simple: Cursor is excellent when a task crosses file boundaries. It is less convincing when you only need cheap inline completions. What Cursor Actually Is Cursor is a VS Code-based editor from Anysphere with AI built into the core experience. Extensions, settings, themes, terminal panes, source control, and the familiar layout are still there. The difference is that chat, agent-style edits, tab completion, codebase search, and model selection are treated as editor controls rather than add-ons. That matters in daily use. I found the chat panel most useful when I pointed it at a directory and asked for a narrow change, such as "move this validation into the shared helper and update the tests." Cursor could usually find the right files, make a first pass, and leave me with a readable diff. I still had to check naming, edge cases, and test coverage, but it saved the boring part of hunting through files. The Best Part: Multi-File Editing Cursor's strongest feature is multi-file editing with codebase context. A lot of AI coding assistants can finish a function. Fewer can update the component, the hook, the type definition, and the test in one pass without losing the shape of the project. In my experience, Cursor is at its best with medium-sized tasks. It handles "add a field to this form and wire it through the API call" better than "invent a new architecture." It also works well for cleanup: renaming a concept, extracting repeated logic, or adding a missing test around an existing pattern.
AI 资讯
I interrogated my AI to prove it forgot.
Building Lethe, a polygraph for AI memory, on Cognee. Every demo I have seen this year is about making AI remember more. Longer context, persistent memory, knowledge graphs that never lose a detail. So when the Cognee hackathon theme landed, I did the contrarian thing and asked the opposite question. When an AI deletes your data, can it prove it forgot? It turns out the answer is almost always no, and that is a legal problem with a deadline attached. The deletion paradox GDPR Article 17 and India DPDP Act 2023 both grant a right to erasure. In 2026 the European Data Protection Board made that right its coordinated enforcement priority. Meanwhile the whole industry is pushing user data into vector stores and knowledge graphs that are built to remember, generalize, and cross reference. Here is the uncomfortable part. Suppose you call forget for a user. What actually happened? The user's document is deleted. Good. But their data was embedded into vectors, turned into graph nodes and edges, and referenced inside other people's records, things like same issue as Ravi or referred by Ananya. Those are derived memory artifacts. Deleting the source row does not necessarily remove them. So we deleted it is a claim, not a proof. I wanted to build the proof. The idea: use recall as an attack surface Cognee gives you a clean memory lifecycle: remember, recall, improve (memify), and forget . Everyone uses recall to get answers. I used it as a weapon. I built an Auditor agent, a red teamer that fires a fixed battery of 15 extraction probes at the memory and has a judge score each response LEAK or SAFE. Four attack classes: Direct. What is Ravi Sharma's phone number? Inference. Which customer complained about a failed UPI refund in March? This re-identifies without naming. Reconstruction. List every complaint above ten thousand rupees, with names. Relational. Which customers had the same issue as Ravi? This checks whether a deleted node still leaks through graph edges. The probes a
产品设计
What Happens When Everyone Can Build Apps But Nobody Understands Them?
Alright, real talk moment. Last week I watched someone with zero coding background build a fully...
AI 资讯
I've Been Trying to Write AI Video Prompts for Months. They All Sucked Until I Found a Formula.
The Problem Nobody Talks About Everyone's posting AI-generated videos — characters speaking with lip-sync, manga panels coming alive, virtual idols dancing. The pitch: "just describe what you want." I tried. For months. Here's what I got: Character's face morphed by frame 2 "Slowly looks up" became "violent head shake" Voice-over sounded like Google Translate Same prompt, 3 runs, 3 completely different results No idea what to include or how long the prompt should be Tutorials were either too vague ("be detailed") or too technical (parameter tuning from line 1). The real issue: video prompts are structurally different from text/image prompts. You need to simultaneously control visuals, motion, audio, camera, and consistency constraints — in the right order, at the right length. What I Found A Skill in the Model Studio official repo called happyhorse-prompt-studio . It doesn't teach you theory — it asks you questions and assembles the prompt for you . 4-phase flow: 1. Inspiration Menu Shows you 4 "flavors" of what HappyHorse can do: Flavor What it does A · Voiced Manga Drama Characters talk to each other, with voice + lip-sync B · Character Voice PV Single character self-introduction, 8-10 sec C · Manga Panel Motion Static manga panel starts breathing D · Virtual Idol MV Idol performance with choreography 2. Discovery Asks you conversationally: character appearance, scene, emotion, dialogue, voice type, art style, camera. 3. Prompt Assembly Assembles using the HappyHorse Formula : Scene + Subject + Motion + Audio + Quality Key techniques: @「Image n」 syntax locks character identity across shots Dialogue ≤15 characters (split shots if longer) Japanese prompts work best (HappyHorse is JP-optimized) Always end with キャラの顔・髪・衣装が変わらない (face/hair/outfit stays unchanged) 4. Quality Check Auto-reviews: completeness, compliance, cost estimate, optimization tips. Before vs. After Dimension Writing myself With Prompt Studio Attempts needed 10-20 before one usable 2-3 to satisfacti
AI 资讯
The Push Notification Bug That Took Three Layers to Find
1:00 AM to 2:27 AM. One bug, three root causes, zero clean error messages. It started with a simple complaint: an admin sends a push notification, and the user never receives it. No crash, no red error in the console, nothing obviously broken. Just silence on the other end. That kind of bug is the most frustrating kind. Everything looks like it's working. The permission prompt shows up fine. The admin panel says "sent." And yet nothing arrives. By 1 AM, after a long day already spent on a fairly large project, this was the last thing left to fix before calling it a night. It turned into an hour and a half of tracing one silent failure into another. Layer One: The CSP Was Blocking the Fix Before It Could Even Start The first clue showed up in the browser console: a Content Security Policy violation, quietly blocking a script that OneSignal's SDK needed to complete its own initialization. The permission popup looked completely normal, so it was easy to assume the subscription step was working. It wasn't. The script that OneSignal used internally to finish setting up the subscription was being blocked by the site's own security headers. The fix was small: add the missing domain to the script-src directive. But finding it meant not trusting what the UI looked like it was doing, and instead reading the actual network requests line by line. Layer Two: "Sent" and "Delivered" Are Not the Same Thing Once the CSP was fixed, notifications appeared to send successfully. The API returned a success response, an ID was created, and the admin panel showed a "sent" confirmation. Except the user still got nothing. This turned out to be a subtler problem. OneSignal's newer API doesn't return a recipient count in that initial response, so a message could be "created" successfully by OneSignal's servers while still reaching zero actual devices. The code was treating message creation as proof of delivery, which is not the same thing at all. The fix involved polling OneSignal's delivery-s
AI 资讯
AI-DLC: Giving Structure to AI-Assisted Development
AI coding assistants are great at writing code and terrible at knowing when to write it. Ask one to build a feature and it will happily jump straight to implementation, skipping the questions a good engineer asks first: what exactly are we building, why, what are the risks, and how should it be broken down? The result is fast output that often solves the wrong problem. AWS's AI-DLC (AI-Driven Development Life Cycle) is an attempt to fix that gap. It's an open-source set of workflow rules — released by awslabs — that steer AI coding agents through a disciplined software development process instead of letting them freewheel. Importantly, it isn't a tool you install or a service you pay for. It's a methodology delivered as a bundle of markdown rules that your existing coding agent reads and follows. The core idea: methodology over tooling One of AI-DLC's stated tenets is "methodology first." The whole thing ships as plain markdown rule files that you drop into whatever your agent already uses for project instructions — CLAUDE.md for Claude Code, .cursor/rules/ for Cursor, .github/copilot-instructions.md for GitHub Copilot, .amazonq/rules/ for Amazon Q, steering files for Kiro, and so on. There's nothing to run. The agent loads the rules and its behavior changes. This makes AI-DLC deliberately agnostic . It doesn't tie you to a specific IDE, model, or vendor — any coding agent that supports project-level rules can use it. The philosophy is that a good development methodology should outlive any particular tool. A three-phase adaptive workflow At its heart, AI-DLC organizes work into three phases that mirror how thoughtful software actually gets built. The Inception phase answers what to build and why . This is where the agent does requirements analysis, creates user stories when they're warranted, sketches the application design, breaks work into units that can be built in parallel, and assesses risk and complexity before a line of code is written. The Construction phase