AI 资讯
I spent a week trying to intercept Slack push notifications from a Chrome extension. Here's why it's impossible.
After I published my last article about building a Chrome extension that speaks browser notifications aloud, a commenter asked a question I didn't have a good answer to. He pointed out that a lot of web apps — Slack, Gmail, most modern tools — fire their notifications from a service worker via registration.showNotification() , not from the page's JavaScript context. My MAIN world override of window.Notification would never reach those. He was right. And I told him I'd look into it. I spent a week researching whether there was any way to close that gap. There isn't. But the reason why is more interesting than a simple "no." Two ways a website can show you a notification When a website sends you a browser notification, it can do it in one of two ways. The first is the constructor path. The page's own JavaScript calls new Notification("You have a message") directly. This is common for in-tab alerts, real-time updates when you're actively on the site, or any notification triggered by something you just did. The second is the push path. The browser receives a push event from the website's server, wakes up the website's service worker in the background, and the service worker calls self.registration.showNotification() from inside its own scope. This is what happens when Slack notifies you of a new message while the tab is closed or backgrounded. The page never runs. No page JavaScript ever fires. My extension catches the first path. The MAIN world content script overrides window.Notification before any page code runs. But the service worker never touches the page's window. It has no window . It runs in a completely isolated thread, completely separate from the page, and calls showNotification on itself. The override is never reached. Why can't the extension reach the service worker? This is the part that took me a week to fully accept. Chrome extensions can inject content scripts into web pages. They can run code in the MAIN world or the ISOLATED world of a page. They can
AI 资讯
Five Local-First Mac Apps I Built to Fix Everyday Workflow Problems
Over the last few months, I’ve been turning small workflow problems I encounter on my Mac into focused utilities. Rather than building one enormous productivity suite, I wanted each app to solve a specific frustration well. I also wanted to build software the way I prefer to use it: local-first, available through a one-time purchase, and usable without creating another account or paying for another subscription. Here are five of the apps I’ve built so far. ScreenShelf My desktop used to become a temporary storage zone for screenshots, folders, documents, links, and files I needed for active projects. Folders helped with long-term storage, but they were not always useful for things I wanted to keep visible and nearby. ScreenShelf creates a customizable visual shelf for: Files and folders Screenshots and images Links Text Applications Frequently used project materials You can organize items across separate pages, customize the appearance of each page, and keep different groups of materials available for different projects. It also includes a Recents area that surfaces recent screenshots, which is helpful when the small screenshot preview disappears before you can interact with it. ScreenShelf is essentially the space between a cluttered desktop and a deeply nested folder system. Learn more about ScreenShelf PopNote Some reminders are too small for a full task-management system. You might need to remember to send a file in twenty minutes, check something after lunch, or complete one small step before ending the day. PopNote is a lightweight menu bar app that creates timed pop-up reminders on your Mac. The reminders appear as small visual bubbles rather than traditional notification banners. You can choose a time, add an icon, and let the note reappear when you need it. It is designed for temporary reminders that should remain noticeable without becoming another project to organize. Learn more about PopNote File Fetch I frequently download, save, rename, copy, and move
AI 资讯
How I saved over ₹50,000 in taxes as a freelance dev using Section 44ADA (and templates that helped me do it)
Freelancing in software development sounds like the ultimate dream: Work from anywhere 🌴 Choose your own projects 💻 Set your own rates 💰 But for developers in India, the reality often looks like this: A client requests "just one small change" for the 15th time. You deliver the code, and the client suddenly goes ghost. You get your payment but realize 10% was deducted, and you have no idea how to file your taxes. You realize you are charging ₹500/hour but spending half your time on unpaid admin work. I've been there. Most Indian developers start freelancing with great coding skills but zero business systems. Here is a step-by-step guide on how to protect yourself, price your work correctly, and handle Indian taxes (GST/TDS) like a professional. Stop Doing Unpaid Requirements Gathering (Use a Questionnaire) When a client says: "I want an e-commerce website, how much will it cost?" If you jump on a call and spend 2 hours discussing it without any commitment, you are losing money. The Fix: Before scheduling a call, send them a structured Project Intake Questionnaire. Ask about: Business model and target audience. Tech stack preferences & required integrations (Stripe, Twilio, WhatsApp API). Brand assets and Figma designs (Do they have them, or do you need to design too?). Budget range & expected timeline. If a client refuses to fill out a 10-minute form, they aren't serious about hiring you. Eliminate "Scope Creep" with a Scope Document "Scope Creep" is when a client keeps adding features without paying extra. It kills developer profit margins. The Fix: Always draft a Project Scope Document before signing a contract. It must have two clear sections: Included in Scope: Detailed feature list (e.g., "User login via Google, 3 database models, responsive UI"). EXPLICITLY OUT OF SCOPE: Things you will NOT do (e.g., "Logo design, copywriting, free server maintenance post-launch"). Include a Change Request (CR) clause: "Any feature requested outside Section 1 will be billed at
AI 资讯
GitHub for Beginners: Your roadmap to mastering the GitHub essentials
New to GitHub? This beginner's guide explains version control, repositories, and pull requests—plus everything else you need to start working confidently on GitHub. The post GitHub for Beginners: Your roadmap to mastering the GitHub essentials appeared first on The GitHub Blog .
AI 资讯
GitHub's AI agent can be tricked into leaking private repos via a public Issue
GitHub recently launched Agentic Workflows — GitHub Actions combined with an AI agent backed by Claude or GitHub Copilot, writing workflows in plain Markdown. Noma Labs' first question after launch was the obvious one: what happens when the agent reads something it shouldn't trust? The answer: it leaks private repository contents as a public comment. No credentials, no exploit code, no inside access required. "The agent's context window is also its attack surface. Any content the agent reads — whether issues, pull requests, comments, or files — can be weaponized if the agent treats that content as instructional input." What actually happened Noma's researchers crafted a GitHub Issue that looked like a plausible VP Sales request — a normal-looking feature ask with hidden instructions embedded in the body. When GitHub's automation assigned the issue, it triggered an Agentic Workflow configured to: Trigger on issues.assigned events Read the issue title and body Post a comment using the add-comment tool Run with read access to other repositories in the organisation — including private ones The hidden instructions told the agent to fetch README.md from repos across the org and post the contents as a comment on the public issue. It did exactly that, including the contents of testlocal — a private repository. The proof-of-concept is live: the workflow run and the issue are public. The guardrail bypass GitHub had defences in place to prevent this. They didn't hold. Noma found that adding the word "Additionally" to the injected instructions caused the model to reframe its output rather than refuse — bypassing the guardrails entirely. A single keyword was enough to undo the intended safety behaviour. This is what makes prompt injection particularly uncomfortable: guardrails tuned against known attack patterns can be bypassed by anyone willing to iterate on the phrasing. The attacker's loop is cheap; the defender's loop is not. The bigger pattern Noma names this explicitly: pr
开发者
today ran my own tool over the whole django repo it indexed it in 2.5 minutes and generated a whole graph for each function i searched, its always awesome to look at something you build on your own works. T-T
AI 资讯
Coding agents can write your integration. They can't run it.
Digibee opens with a clear disclaimer: every team there uses Claude Code. This isn't a take from people who skipped the AI tooling revolution. It's an observation from people who shipped with it and ran into the same wall, repeatedly. That wall is enterprise integration. "Enterprise integration isn't a greenfield challenge. It's a completely different category of work, with completely different failure modes that coding agents weren't designed for." What coding agents are actually good at here They're useful for integration work under a narrow set of conditions: well-documented APIs, one-time tasks, low stakes, nothing in production at risk. A quick script to pull from a public endpoint? Great. A throwaway ETL job? Perfect. The problems start the moment an integration needs to be recurring, reliable, auditable, and maintained by someone other than the person who prompted it. The three structural gaps 1. They start from scratch every time. Pre-built connectors for enterprise systems like SAP, Salesforce, or NetSuite encode years of accumulated knowledge — how sequencing works, how idempotency is handled, where the quirks are. A coding agent reasons through all of that fresh on every run. It also suffers from the "lost in the middle" effect: when documentation gets long, LLMs drop content from the middle of their context window and fall back on training data. The more obscure the API, the more likely the generated code quietly fails under real load — not on deployment, but six months later when the CIO notices corrupted records. 2. They produce code, not infrastructure. Integrations need retry logic, failure recovery, credential management, audit trails, monitoring, and alerting. Coding agents produce none of that. You can prompt your way around it piecemeal — but now you're maintaining the integration and five hand-rolled infrastructure components. An agent optimised to iterate fast isn't optimised to fail safely. In production, a bad write means unprocessed payments
AI 资讯
Fable 5 Just Shipped: What Anthropic's Newest Model Means for Developers
On June 9, 2026, Anthropic shipped Claude Fable 5, a model in a new tier that sits above Opus. I have been building on the Claude API for over a year, and this is the first release that made me stop and re-read my whole prompt stack before touching the model string. Here is what actually changed and what it means if you ship software. The short version Fable 5 is the public release of the Mythos line, the family that earlier in the year unsettled the security world with how well it found and exploited vulnerabilities. The version you and I get is the same underlying model with safeguards bolted on. Anthropic calls the safe one Fable and the unrestricted one Mythos, and only a small group of cyberdefenders gets Mythos. The numbers, for context: 1M token context window, 128K max output, knowledge cutoff January 2026. Priced at $10 per million input tokens and $50 per million output. That is double Opus 4.8 ($5 / $25). State of the art on nearly every benchmark they tested: 95% SWE-bench Verified, 80% SWE-bench Pro. Adaptive thinking is always on. There is no "disabled" mode. That last point matters more than the benchmarks. You do not tune a thinking budget anymore. The model decides. The pricing reframes the decision At $10/$50, Fable 5 is not your default model. It is your "this task is hard and getting it wrong is expensive" model. Opus 4.8 at $5/$25 remains the workhorse for most application traffic, and Haiku 4.5 at $1/$5 still wins on classification and routing. The way I think about it now is a three-tier ladder: Haiku 4.5 → routing, classification, cheap extraction Opus 4.8 → default for app traffic, agentic loops, coding Fable 5 → long-horizon agentic work where correctness pays for itself The "longer and more complex the task, the larger Fable's lead" framing from the announcement is the actual buying signal. A one-shot summarization does not justify 2x the cost. A multi-hour autonomous refactor that would otherwise need human correction might. The API surfa
AI 资讯
My Commit Message Generator Kept Signing Its Own Work. Telling It Not To Wasn't the Fix.
I have a script called git_commit.py in one of my repos. It shells out to claude -p with the staged diff, gets back a Conventional Commit message, and prints it. It's wired into a prepare-commit-msg git hook so every commit gets a pre-filled message for free. Small, dumb, useful. The first version had one instruction in the system prompt: "Output ONLY the commit message — no explanation, no markdown, no quotes." That's it. It worked fine for a while, and then one day a commit landed with a trailing Co-Authored-By: Claude <noreply@anthropic.com> line that I never asked for and definitely didn't want on a personal repo's history. I did the obvious thing first: I made the prompt more specific. SYSTEM = ( " You are a git commit message generator. " " Output ONLY the commit message — one line, no explanation, no markdown, no quotes, " " no co-author lines, no signatures, no AI references. " " Follow Conventional Commits: type(scope): subject. " " Types: feat, fix, docs, style, refactor, test, chore. " " Subject: imperative, lowercase, max 72 chars. " ) This is the same move I see everywhere: the CLAUDE.md file in that same repo has a line that says, in bold, "NEVER add Co-Authored-By: or any Claude/AI reference to commit messages." I've seen the same pattern in a dozen other people's prompt files — a growing list of "never do X" instructions bolted onto a system prompt, each one added reactively after X happened once. It helped. It did not solve it. A model call is a sample from a distribution, not a function with a guaranteed return type. Any single generation can still ignore an instruction — a longer diff, a different day, a subtly different phrasing of the request, and the same "never" line just doesn't fire. I don't actually know the mechanism on any given miss and I don't need to. The point is: a natural-language instruction is advisory. It shifts probability mass, it doesn't clamp it. I ran into an article on dev.to making a point that reframed this for me: the al
AI 资讯
The Everything-on-Your-Branch Architecture
Database branching is one of the best ideas serverless Postgres brought to the mainstream. Fork the database at a point in time, get an isolated copy with all the data, run something risky against it, throw it away. It made preview databases and safe migrations feel routine. But a real application is not just a database. It is a database, plus the files it stores in object storage, plus the backend code that serves it, plus, increasingly, the model and gateway config it calls for AI. When you branch only the database, those other three stay shared. Your "branch" points at the same S3 bucket, the same deployed backend, and the same AI configuration as everything else. So it is half a copy, and the half it leaves out is where a lot of the interesting bugs and the scary migrations live. Neon's platform preview changes what a branch contains. A branch now forks the database and its data, the object storage and its files, the functions that run your backend, and the AI gateway config, all at the same point in time, all isolated. A branch stops being a database copy and becomes a whole environment. To make sure that is a real claim and not a diagram, I took a full-stack project, branched it, and checked every layer. Here is what happened. TL;DR Elsewhere, "branch" means the database only. Object storage, backend deploys, and AI config stay shared, so you bolt on scripts to fake per-branch versions of them. A Neon branch forks all four together: Postgres + data, object storage + files, functions (each branch gets its own URL), and the AI gateway. I proved it: branched a project with a DB, a bucket of files, a function, and the gateway. The branch came up with a copy of the rows, a copy of the files on its own storage endpoint, its own function URL, and the gateway. A write to the branch left main untouched, and deleting the branch removed all of it. That makes a branch a real environment: true preview stacks, whole-state bug reproduction, and disposable sandboxes for agent
AI 资讯
The Biggest Misconception About React Reconciliation (Render vs. Paint)
Hey everyone, I recently had an "aha!" moment regarding how React handles updates under the hood, and I wanted to share it because I realize a ton of developers (including myself, until recently) trip over this exact concept. The common mental model is that React Reconciliation compares the Virtual DOM directly to the Real Browser DOM and surgically updates only what changed. But that’s fundamentally incorrect. React never reads or directly compares the real DOM during the diffing process. It actually splits the process into two entirely separate phases —The Render Phase and The Commit Phase —which creates a massive distinction between Re-rendering and Re-painting. Here is the exact breakdown of what happens when a single state change affects just 1 out of 100 divs in a component: The Render Phase (Pure JavaScript) When state changes, React calls your component function. It doesn't know which of your 100 divs changed yet, so it has to evaluate the entire JSX block. The Scope: React re-renders all 100 virtual divs in memory. The Process: It builds a brand-new Virtual DOM tree and compares it to the previous Virtual DOM tree (JavaScript object vs. JavaScript object). The Outcome: It spots that 99divs are identical, but 1 div has an update. It flags that single virtual node with an "Update" tag. Because this happens purely in-memory as JavaScript, it is incredibly fast and cheap. The Commit Phase (The Real DOM Update) This is where Reconciliation does its primary job. It acts as a shield to protect the browser from doing unnecessary work. The Scope: React completely ignores the 99 unchanged elements. The Process: It surgically targets the single real browser div associated with the flagged Virtual DOM element and updates only its modified property (e.g., element.textContent = "New Value"). The Outcome: The browser repaints only 1 single div on the screen. The Conclusion: Reconciliation isn't about stopping React from re-rendering (re-running JS to calculate the UI). It
AI 资讯
Why I Prefer Browser-Local Image Resizing for Small Files
When a form asks for an image under 100KB, the obvious reaction is to search for an online compressor and upload the file. That works, but it also adds an unnecessary privacy decision: does this image need to leave the device at all? A simpler workflow For ID photos, screenshots, receipts, and other personal images, I prefer tools that do the work locally in the browser. The browser reads the file, resizes or recompresses it, and gives the result back without sending the original to a remote server. My practical process is: Start with the original JPG, PNG, or WebP. Set the required maximum size rather than guessing a quality percentage. Keep the aspect ratio unless the destination specifies exact dimensions. Preview the result at normal size, especially around text and faces. Save the new file under a different name so the original remains untouched. Why target size matters A generic “compress” button may produce a smaller file, but not necessarily one that meets a strict upload limit. A target-size workflow is more useful because it can adjust dimensions and quality together. For many document portals, a visually clean 80–95KB result is safer than a 99.9KB result that may fail after metadata is added. PNG is excellent for flat graphics and screenshots, while JPG is often better for photos. WebP can be efficient, but some older upload forms still accept only JPG or PNG. The destination's rules should decide the output format. The tool I use I built Resize Image around this browser-local approach. It is useful when I need a quick image under a specific size and do not want the original uploaded as part of the resizing process. The link is included for context and disclosure: I am the maker. Local processing does not remove every privacy concern—you should still review the downloaded result and the site where you eventually upload it—but it reduces one unnecessary transfer. The larger lesson is simple: for lightweight image work, the browser is already capable enough
AI 资讯
The SSE Fragmentation Catastrophe That Took Down CareerPilot AI (Smash Stories)
This is a submission for DEV's Summer Bug Smash: Smash Stories powered by Sentry . It was 11:14 PM. My friend DM'd me on Twitter: "Your app just hung for 30 seconds, spun indefinitely, and then completely died." I opened the browser DevTools console pointed at production and saw it — the screen flooded in red: GET https://careerpilot-ai.run.app/api/analyze-career net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 (OK) The Server-Sent Events stream powering CareerPilot AI was systematically collapsing on Google Cloud Run. And I had no idea why. Locally on localhost:3000 , the agentic pipeline was a masterpiece. The multi-stage reasoning logs streamed gracefully — Step 1 flowed into Step 6, the final structured JSON payload arrived within seconds, the UI lit up with a complete personalized career roadmap. Beautiful. But once deployed behind Google's Front End (GFE) proxy, the pipeline was a graveyard of broken sockets. The Architecture Under Fire CareerPilot AI runs a six-stage agentic pipeline on every career analysis request. Instead of firing a single long-running prompt to Gemini and making the user stare at a blank screen for 20+ seconds, we designed a Server-Sent Events logging stream to broadcast real-time reasoning steps directly to the browser — giving the interface the feel of a live, active mentor thinking out loud. Once the final stage (Self-Evaluation & Constraint Validation) completed, the backend constructed a massive, nested 15KB JSON payload containing the personalized roadmap: skill weightings, role benchmarks, resource links, and a 30-day milestone calendar. Here was the delivery mechanism — and the landmine hiding inside it: // server.ts — The vulnerable streaming channel app . get ( " /api/analyze-career " , async ( req , res ) => { res . setHeader ( " Content-Type " , " text/event-stream " ); res . setHeader ( " Cache-Control " , " no-cache " ); res . setHeader ( " Connection " , " keep-alive " ); // Stream intermediate reasoning logs per step for ( let st
AI 资讯
Every Third-Party iOS Keyboard Is a Graveyard. So I Built a Voice Keyboard From Scratch in C++.
If you've searched the App Store for a reliable third-party QWERTY keyboard on iOS, you know how that ends. Some are abandoned. Some are ad-riddled. Some feel like they were ported from Android and never touched again. The good ones are the ones that don't ship features so much as they don't crash. The system keyboard is fine. It's fine because Apple has been iterating on it for fifteen years. Nobody else has. Third-party keyboards on iOS are a graveyard. I'm building one that isn't. It's called Diction. Most people know it as a voice keyboard, and that's what I lead with, but under the hood it's a serious low-level QWERTY project too. This post is about that half of it, because that's the half nobody talks about. Why third-party QWERTY on iOS is a graveyard Building a good keyboard extension on iOS is hard. There's a strict memory ceiling. There's a permission dance the user has to opt into. There's no keychain access, no meaningful background work, and the extension can be killed the moment iOS decides it needs the RAM. Most keyboard makers ship a first version to check the box, then abandon it once they see how much work maintaining it takes. The result is what you see on the App Store today. Every third-party keyboard I've tried on iOS fails on at least one of these: Speed. You type a letter, the letter arrives. That's it. If there's a hitch you can feel, the keyboard is broken. Half the ones I've tried have a visible delay on every keystroke. Predictability. If you correct the same word back three times, that word should be yours. The keyboard should stop fighting you. Most never do. You fight the same wrong correction for a year. Recovery. iOS keyboard extensions are memory-constrained. Bad ones freeze under pressure. When you rapid-switch between apps, half the third-party keyboards on the store will lock up until you kill and reopen the host app. Autocorrect that isn't from 2014. Fix the obvious typos. Split words that ran together. Complete contractions. Ge
AI 资讯
The Best Test Automation Tool Is the One Your Team Still Uses a Year Later
Most test automation tools look good during a demo. You record a login flow, add an assertion, run it in Chrome, and get a green result. Everyone is impressed. Then the real application gets involved. There are dynamic elements, delayed API responses, test accounts, verification emails, downloaded files, several deployment environments, and a checkout flow that behaves differently on Safari. A few months later, the original test suite has grown from 10 tests to 300. Some failures are product bugs. Others are test problems. A few only happen in CI. Nobody is completely sure which is which. That is when you discover whether you selected a test automation tool or merely a good demo. Creating tests is rarely the main problem When teams compare automation tools, they often begin with questions such as: How quickly can we record a test? Can AI generate the steps? Does it support plain-English instructions? Can a manual tester use it? Does it integrate with our CI pipeline? These are reasonable questions, but they mostly describe the beginning of an automation project. The harder questions appear later: Who updates the tests after a redesign? How do we investigate failures? Can another person understand a test created six months ago? What happens when the original automation engineer leaves? Can we test workflows that involve email, APIs, files, or mobile devices? How much infrastructure do we have to manage? Does the cost increase every time we run the regression suite? The first test tells you whether the tool works. The hundredth test tells you whether the approach works. Maintenance should be part of the evaluation A stable automated test is not a test that never changes. Applications are supposed to change. Buttons move. Components are replaced. Authentication flows evolve. APIs return different data. Product teams redesign entire sections of the interface. The objective is not to prevent tests from changing. It is to make those changes inexpensive and understandable.
产品设计
Building Lynktern a digital SIWES logbook and internship management platform for Nigerian university students. Replacing the paper logbook with something students, supervisors, and companies can actually use. #buildinpublic
开发者
You Don't Need Node.js to Learn Web Development
I see this every week. Someone decides to learn web development. They Google "how to start web development" and within 20 minutes they're installing Node.js, npm, VS Code, and five extensions they don't understand. They haven't written a single line of code yet. But they've already spent an hour configuring their "environment." Then they get stuck. Node version conflicts. npm permission errors. VS Code extensions that break their syntax highlighting. They think they're not smart enough for programming. They are. They just started with the wrong step. The Problem Learning web development has three core technologies: HTML, CSS, and JavaScript. That's it. Everything else — Node.js, npm, webpack, Vite, React — is extra. It's not the starting point. But most tutorials assume you already have Node.js installed. They say "open your terminal" and "run npm install." Beginners follow along, copy the commands, and have no idea what any of it means. Here's what actually happens: You install Node.js (200MB+) You install VS Code (another 300MB+) You install 5-10 extensions You create a project folder You open terminal and run npm init -y You run npm install live-server You run npx live-server You finally see your HTML page in a browser That's 8 steps before you write Hello World . The Solution You don't need any of that. Not yet. Here's what you actually need to learn HTML, CSS, and JavaScript: A browser (you already have one) A text editor (Notepad works) That's it Open Notepad. Write this: <!DOCTYPE html> <html> <head> <title> My First Page </title> </head> <body> <h1> Hello, World! </h1> <p> This is my first web page. </p> </body> </html> Save it as index.html. Double-click the file. It opens in your browser. You just built your first web page. No terminal. No npm. No Node.js. No configuration. When Should You Actually Learn Node.js? Node.js becomes useful when you need: Server-side code (backend development) Package management (npm packages) Build tools (webpack, Vite) Framew
AI 资讯
Hetzner was cheaper at every size I tested and I still chose managed Postgres
Twelve pricing tabs open. Neon, Hetzner, Supabase, Prisma, Scaleway, OVH. My database is half a gigabyte. I was comparing ten-terabyte price curves. At some point this week I typed the words "I am super lost here" about my own infrastructure. I advise companies on this exact class of decision. That sentence still came out of my hands. If you have ever spent an evening deep in provider pricing pages for a workload that fits on a USB stick from 2009, this one is for you. All numbers below come from the live pricing pages as of July 2026. Rates move, so verify before you commit. Three fears, all pointed at the wrong layers I went in worried about getting attacked, running out of space, and being locked in. All three dissolved under ten minutes of honest reading. DDoS lands on the website edge, not the database. My site already sits behind Cloudflare and Vercel, and a database is never publicly exposed. Only the app talks to it. Whichever provider I picked, that attack surface stayed identical. Here is the shape of the stack, and where each fear lives. MANAGED (what I run today) visitors ──> Cloudflare edge ──> Vercel app ──> managed Postgres [DDoS absorbed] [stateless] [never public, app-only access, provider patches, provider backups, provider on-call] SELF-HOSTED (the alternative I priced) visitors ──> Cloudflare edge ──> Vercel app ──> Hetzner CAX11 [DDoS absorbed] [stateless] [Postgres :5432 firewalled to app, SSH hardened, fail2ban + auto- patching = MINE] │ pg_dump every 6h ▼ encrypted ────> Cloudflare R2 [off-site copies] Same edge, same app, same attack surface. Everything in the right-hand box is what changes owners. Storage was a rounding error. My data is 0.5 GB. Even the cheapest self-hosted box includes 40 GB, eighty times headroom before the first extra cent. Lock-in was a phantom too. Managed Postgres is still stock Postgres. Exiting means a dump, a restore, and one connection string change in the deployment environment. Minutes of cutover, no rewrite an
AI 资讯
LingoBridge-AI: Simplifying Complex Medical Reports for Rural Patients
Body: Hi everyone! 👋 I am excited to share my latest project, LingoBridge-AI, which I have been building to solve a critical problem in rural healthcare. The Problem 🩺 In many rural areas, patients receive medical reports that are complex and filled with technical jargon. Due to this, they often struggle to understand their own health conditions, which leads to confusion and delayed medical care. The Solution: LingoBridge-AI 💡 I developed LingoBridge-AI, an AI-powered tool designed to: Simplify complex medical reports into easy-to-understand language. Translate information into local languages to ensure better accessibility for patients. Bridge the gap between healthcare providers and patients who have limited medical literacy. Tech Stack 🛠️ Built using Python and AI frameworks. Focuses on accuracy, simplicity, and user-friendly output. Check it out! 💻 You can view the source code and documentation here: 👉 [ https://github.com/cherukuriLakshmi/LingoBridge-AI ] I am still working on improving this, and I would love to get some feedback from this amazing community! If you have any suggestions on how to improve the AI or the user experience, please let me know in the comments below. Thanks for your support! Tags (Add these at the bottom): ai #healthtech #opensource #python #beginners
AI 资讯
What a Vibe Coding Security Scanner Can (and Cannot) Tell You
AI-assisted builders can take an idea from prompt to production in a weekend. That speed is useful, but it also compresses the part of the process where someone normally reviews deployment settings, browser-visible secrets, authorization boundaries, and recovery plans. A public security scanner is a good first pass for that problem. It is also easy to misunderstand. A clean public scan does not mean an application is secure, and a warning does not always mean a vulnerability is exploitable. The useful question is not “Did the scanner pass my app?” It is “What evidence could this scanner actually observe?” Layer 1: the public deployment surface A passive scanner can request the same resources that a normal visitor can reach. Depending on its scope, it may inspect: HTTP security headers such as Content-Security-Policy and Strict-Transport-Security HTTPS behavior and redirect consistency Public JavaScript bundles for credential-shaped strings Public source maps that expose original source structure Common sensitive paths such as environment files or repository metadata Cookie attributes and other response-level deployment signals These checks are valuable because they test the deployed result, not the configuration you intended to ship. For example, a repository may contain a CSP configuration while the CDN response does not. A source map may be disabled in one build configuration but still appear in production. A key may be stored safely on the server in most code paths while one client bundle accidentally contains a privileged token. The deployed surface is where those mistakes become observable. Layer 2: source-code review A public URL cannot reveal every control behind an application. Source review or SAST can inspect code paths, configuration, data flow, and dangerous implementation patterns that never appear in a normal response. This is where you can answer questions such as: Is authorization enforced on the server? Can a user change an object ID and read anothe