AI 资讯
Using PostAll's API to Automate Your Content Workflow: A Getting-Started Guide
I didn't set out to build a content API. I set out to stop copy-pasting. Every week, the same ritual: open a doc, stare at a blank page, write a headline, delete it, write it again. Multiply that by every client, every product page, every email drip campaign. I wasn't doing creative work — I was doing assembly-line work while pretending it was creative. PostAll started as a script I wrote to stop doing that. The API is what that script became after other developers asked if they could use it too. This guide walks you through integrating PostAll's API into your own workflow — authentication, the endpoints you'll actually use, real working code in both Python and Node.js, and the specific places things will break before they work. By the end, you'll have a functioning pipeline that generates formatted, CMS-ready content programmatically. What you'll build A script that takes a list of content briefs (keywords, tone, target length) and returns publish-ready content — with proper formatting, metadata, and error handling for the rate limits you'll hit in production. Here's the shape of what you're building: [ CSV of briefs ] → [ PostAll API ] → [ formatted content objects ] → [ your CMS / database ] The full working code for both languages is at the end of each section. I'll explain the interesting parts inline. Prerequisites A PostAll account with API access enabled (free tier works for this guide — rate limits noted below) Node.js 18+ or Python 3.10+ Basic familiarity with async/await in either language An HTTP client: axios or native fetch for Node, httpx for Python Step 1: Authentication PostAll uses API key authentication. Every request needs your key in the Authorization header. Get your key: Dashboard → Settings → API Keys → Generate New Key Store it as an environment variable. Never hardcode it. export PostAll_API_KEY = "postall_live_xxxxxxxxxxxxxxxxxxxx" Your key has two prefixes: postall_live_ for production, postall_test_ for the sandbox. The sandbox returns r
AI 资讯
"Supports custom code" means nothing. Here's the 3-level ruler that tells you if a low-code platform will lock you in.
Every low-code vendor says "we support customization." But supports is a weasel word — recoloring a button is customization, and rewriting a scheduling engine is also customization. What actually decides whether a platform locks you in is how far up its extensibility goes. Here's a ruler. The three levels of customization Level What you can do Most no-code A real dev framework L1 — Config Fields, forms, workflows, permissions, themes ✅ ✅ L2 — Extension Custom components, custom actions, external API calls, business rules ⚠️ limited ✅ L3 — Framework Modify/extend the core, custom engines, deep rewrites, source under control ❌ wall ✅ (when open/controllable) Where it stops is where your ceiling is. Plenty of no-code platforms are delightful at L1, then hit "can't do that" at L2/L3 — and you retreat to writing your own thing next to it. Now low-code is the burden. Why you get locked in Black-box SaaS — no source, so any extension point the vendor didn't expose is simply out of reach. Two sources of truth — your extension code and the platform's config live in different systems, so a platform upgrade breaks/voids your work. Crippled self-hosting — the on-prem edition quietly drops extension capabilities. Closed ecosystem — only their component marketplace; your stack can't get in. How model-driven + open source raises the ceiling One unified extension system — your extensions (custom fields/components/actions) and the platform itself are built on the same metadata. Extension isn't a bolt-on, it's a first-class citizen — upgrades don't wipe your customizations. Source under your control — open + self-hostable is what makes L3 framework-level extension actually possible: an extension point you can't reach, you can add. AI at the metadata layer — AI-generated extensions land in the same model, so they stay maintainable and evolvable. That's the road Oinone takes: 100% metadata-driven, front + back end open source, self-hostable — customization reaches L3. How to stress-tes
AI 资讯
How to AI Code: Your AI is editing your migration files
Intro You’re using ChatGPT or Claude to speed up development. Good. Then suddenly: your migrations are broken. AI tools love editing files they shouldn’t touch , especially: SQL migration scripts EF Core migration files Schema snapshots This is dangerous. One wrong change can corrupt your database history. Recognize migration files EF Core migrations Typical structure: /Migrations/ 20240101120000_InitialCreate.cs 20240102130000_AddUsers.cs MyDbContextModelSnapshot.cs Example: public partial class AddUsers : Migration { protected override void Up ( MigrationBuilder migrationBuilder ) { migrationBuilder . CreateTable ( name : "Users" , columns : table => new { Id = table . Column < int >( nullable : false ) }); } } SQL migrations /db/migrations/ V001__init.sql V002__add_users.sql Example: CREATE TABLE Users ( Id INT PRIMARY KEY ); Key indicators Timestamp or version prefix Sequential naming Contains schema changes only Stored in a dedicated folder Understand the risk WRONG (AI rewriting history) AI might do this: // Modified existing migration (BAD) migrationBuilder . DropTable ( "Users" ); migrationBuilder . CreateTable ( "Customers" ); or: -- Edited old migration (BAD) ALTER TABLE Users RENAME TO Customers ; This breaks every environment except fresh ones. This is extremely dangerous if your AI does not recognize them. CORRECT (append-only) Always create a new migration : // New migration migrationBuilder . RenameTable ( name : "Users" , newName : "Customers" ); Step 3: Lock migration files from Claude AI editing Explicit blocking of editing We will create 2 new files. These files will instruct that CALUDE is not allowed to modify existing files. What we actually want to achieve is a way to keep appending the files. { "$schema": "https://json.schemastore.org/claude-code-settings.json", "hooks": { "PreToolUse": [ { "matcher": "Edit|Write|MultiEdit", "hooks": [ { "type": "command", "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/block-migration-edits.sh\"" } ] }
AI 资讯
I Wrote 50 Claude Code Prompts and Used Them for a Week -- Here's What Actually Works
Last week I did something dumb: I sat down and wrote 50 Claude Code prompts in one sitting. Halfway through I was sure most of them would never get used. But I finished, pushed them to GitHub, and made myself use them for an entire week -- no ad-hoc prompting allowed. The result surprised me. Some skills were life-changing. Others were useless. Here is the honest breakdown. The Methodology I categorized the 50 skills into 5 types: Analysis (12), Generation (14), Debugging (8), Planning (10), Maintenance (6). Rule: every time I hit a task, I must use a skill file or admit I did not have one. The 7 That Actually Saved Me Hours 1. Code Review Assistant (saved ~3h) This was the biggest surprise. I usually review PRs by gut feel -- scan the diff, look for obvious bugs, approve. The Code Review skill forced me to be systematic: On a 400-line PR it caught 2 security issues I would have missed. That alone justified the experiment. 2. Bug Investigator (saved ~2h) Instead of pasting errors and asking "why?", this skill forces you to provide: error message, file context, hypothesis. 3. Dependency Audit (saved ~1h) Scanned a 3-year old Node project. Found 2 CVEs, 8 unused devDependencies (21 MB). 4. Auto Commit Messages (saved ~30m) Saves 2 minutes per commit. Over 15 commits in a week that is 30 minutes. 5. Test Generator (saved ~2h) Generates 5-8 test cases per function in seconds. 6. Refactoring Planner (saved ~1h) Reads the function, identifies extraction candidates, outputs a dependency-ordered plan. 7. Performance Audit (saved ~30m) Found an unoptimized 3 MB hero image and a render-blocking script. The Ones I Never Touched About 8 out of 50 were "not this week" -- Database Migrations, API Documentation, CI/CD Pipeline. What I Learned The ROI is in the analysis skills. Code review, bug investigation, dependency audit -- these are high-judgment tasks where Claude thoroughness beats speed. Skills are habit, not technology. The hardest part was not writing the prompts -- it w
AI 资讯
Run Coding Agents on Local AI — Zero Cloud, Full Control
Coding agents — Codex CLI, Claude Code, Cursor, and Pi — are productivity multipliers. But they all assume you are happy sending your code to someone else's servers. For many of us that is a deal-breaker: proprietary codebases, client NDAs, compliance requirements, or just the principle of owning your own compute. This guide shows how to swap out every cloud API with a local Ollama server running qwen3-coder:30b . Same tools, same workflows, no data leaving your network. Why Run AI Locally? The case is simple: Zero data exfiltration. Your code never leaves your machine or LAN. No per-token cost. Run 10,000 completions or 10 — the electricity bill does not care. Works offline. Airplane mode, restricted network, flaky VPN — irrelevant. No rate limits. No 429s at 2 am when you are in flow. The honest tradeoff: frontier models (Claude Opus 4, GPT-5) still outperform local models on complex multi-step reasoning and very large context tasks. For the 80% of day-to-day coding work — autocomplete, refactors, test generation, documentation — a well-chosen local model is more than good enough. Hardware Requirements I run this on an Apple M4 Pro with 48 GB unified memory . Apple Silicon's unified memory architecture is exceptionally well-suited to LLM inference: the GPU and CPU share the same memory pool, so a 22 GB model fits comfortably alongside a full development environment. Minimum viable setup: RAM What fits 16 GB 7–8B parameter models (qwen3:8b, llama3.2:8b) 32 GB 14–20B models (qwen3:14b, gpt-oss:20b) 48 GB 30–35B models (qwen3-coder:30b, qwen3.6:35b) 64 GB+ 70B models (deepseek-r1:70b, llama3.3:70b) On Intel/AMD systems with discrete GPUs the math is different: VRAM is the bottleneck, and models that don't fit entirely in VRAM fall back to slow CPU offloading. Choosing a Model For 48 GB unified memory, these are the models worth knowing about: Model Size on disk Active params Strengths qwen3-coder:30b ~22 GB 3.3B (MoE) Coding, 256K context, HumanEval SOTA qwen3.6:35b
AI 资讯
Building an AI Short Video Generator: Why the Workflow Needs Skills, Not Just Prompts
Most AI short-form video demos skip the boring part. They show a finished TikTok, Reel, or YouTube Short. Maybe they show the prompt. Maybe they show the generated script or the final render. But the hard part is not making one video. The hard part is making the fifteenth video without the whole system turning into a pile of one-off scripts, half-remembered FFmpeg commands, broken captions, inconsistent hooks, and manual upload steps. That is where I think the conversation around AI video automation gets more interesting. Not: Can an AI generate a Short? But: What workflow does an AI agent need to generate Shorts repeatedly? I was looking at a Terminal Skills use case for building an AI short video generator, and the useful part is not the fantasy of "push one button, print infinite content." The useful part is the stack. The real job is a pipeline A short-form video generator sounds like one tool. In practice, it is a pipeline: topic research -> script -> voiceover -> footage or visual generation -> subtitles -> assembly -> platform formatting -> upload -> analytics Each step has different failure modes. Topic research can produce generic ideas. Scripts can be too long. Voice can drift from the brand. Footage can mismatch the narration. Subtitles can land under platform UI. FFmpeg can export a technically valid file that a platform still hates. Uploads can succeed in the API but fail the actual publishing workflow. If you try to solve all of that with one giant prompt, the agent has to keep too much operational knowledge in its head. That is fragile. The better pattern is to split the workflow into skills. What a skill gives the agent A skill is not just a code snippet. For this kind of workflow, a useful skill tells the agent: when to use this capability what inputs are expected what output should exist afterward what validation is required when to stop instead of pretending success That last point matters. For media automation, "the command ran" is not enough. Th
AI 资讯
Lessons from open-sourcing a CLI agent messaging layer (320 stars in a week)
About a week ago I open-sourced agmsg , a ~500-line bash + SQLite tool that lets CLI AI agents message each other directly. I built it for a dumb reason: I was tired of being the human copy-paste relay between Claude Code and Codex — selecting code in one terminal, pasting it into the other, carrying replies back, all day. I expected a few stars from friends and nothing else. Instead it went 5 → 320 in a week, picked up forks, derivative projects, and pull requests from people I've never met. That gap between what I expected and what happened is the interesting part, so here's the honest retrospective: the numbers, what worked, what flopped, and what genuinely surprised me. The numbers In about a week, with no budget and no audience to speak of: GitHub stars: 5 → 320 Forks: 0 → 15 3 derivative projects — someone ported the idea to shogi (agmsg-shogi), someone wrapped it as an MCP server (agmsg-mcp), someone rewrote it in Go (agmsg-go) Pull requests from outside contributors — support for Gemini CLI, Antigravity, and now GitHub Copilot CLI, plus a fix for role-isolation race conditions None of this came from one big spike. It came from a sequence of posts across channels, some of which worked and some of which completely didn't. What worked Leading with a video, not an explanation. The first post that got traction wasn't a description of the architecture — it was a 23-second clip of two Claude Code instances autonomously playing tic-tac-toe over agmsg, with no human input. People stop scrolling for a moving picture of agents doing something on their own. The text underneath could be short; the video did the work. A relatable problem, stated plainly. "I became a copy-paste relay between two AIs" landed because a lot of people are quietly doing exactly that right now. I didn't open with the technical design. I opened with the annoyance. The design was the payoff, not the hook. Using a long-form post as the landing pad. Timeline posts are good at reach and bad at depth.
AI 资讯
AI Coding Agents in 2026: From Pair Programming to Autonomous Teams
AI Coding Agents in 2026: From Pair Programming to Autonomous Teams Slug: ai-coding-agents-2026-stack-comparison 1. The Three Categories That Actually Matter The 2024‑2025 hype cycle treated every AI coding tool as a single‑dimensional “best‑of‑list.” 2026 data shows that professional developers now average 2.4 tools per workflow (Stack Overflow Survey 2025). The real decision is architectural: Layer Goal Typical Agent Type Line‑level editing Speed, low latency Editor assistants Repo‑level planning Context depth, multi‑file changes Autonomous agents Enterprise governance Isolation, audit, CI/CD integration Platform agents Choosing a “one best tool” ignores the trade‑off between context window size (how many tokens the model can see) and execution speed (how fast the tool returns a suggestion). A narrow‑window editor assistant excels at instant autocomplete, while a wide‑window autonomous agent can rewrite an entire microservice in a single run. The three‑tier framework aligns the tool’s strengths with the architectural layer where they matter most. 2. Tier 1: Editor Assistants — Speed at the Line Level Tool Market Position Key Feature (2026) Pricing (per developer) Cursor $500 M+ ARR, fastest growth in Q1 2026 Parallel agents update git worktrees; 2‑second latency on 8‑core laptops $15 /mo (individual) – $120 /mo (team) GitHub Copilot 4.7 M paid subscriptions, 75 % YoY growth Agent Mode with multi‑agent workflows; deep VS Code integration $10 /mo (individual) – $100 /mo (enterprise) Windsurf 1.2 M active users, strong UI polish Real‑time code‑style enforcement; limited to 4‑file context Free tier up to 5 k lines, $30 /mo premium Tabnine Enterprise‑only after 2026 pivot Air‑gapped deployment; NVIDIA Nemotron 4‑bit models for on‑prem inference $200 /mo per seat (minimum 10 seats) When to choose each Cursor – prioritize raw typing speed and git‑aware suggestions. Ideal for startups that need rapid iteration without heavy IDE lock‑in. Copilot – best for teams already on
AI 资讯
I built a tool that gives Claude Code permanent memory of your codebase
The problem Every time I started a session with Claude Code I had to re-explain my entire project. What framework I use. How my folders are structured. What naming conventions I follow. What decisions I have already made. Every. Single. Session. It was slowing me down and I knew there had to be a better way. What I built I built stackbrief. One command scans your repo and opens a local visual dashboard showing your full codebase intelligence. npx stackbrief scan It opens a dashboard at localhost:3000 showing: Interactive code map of your architecture Dependency version comparison against npm Convention detection (naming, async patterns, error handling) Context health score MCP server so Claude Code pulls context automatically How it works stackbrief reads every file in your project and builds a structured understanding of it. It detects your framework, architecture pattern, modules, dependencies, and coding conventions. It then writes a CLAUDE.md file to your project and starts an MCP server on port 3001. Claude Code picks this up automatically before every session. No more explaining your project from scratch. AI chat that actually knows your code The dashboard has an Ask your codebase section. Unlike generic AI chat, this assistant has read every file in your project. Ask it about your own architecture and get answers specific to your code. Works with Ollama (free, fully local), Claude, OpenAI, or any OpenAI-compatible provider including Groq, Mistral, and local runners like LM Studio and AnythingLLM. Zero config, fully local No cloud. No telemetry. No account required. Everything runs on your machine. npx stackbrief scan That is it. The dashboard opens automatically. Try it GitHub: https://github.com/ragavtech/stackbrief Built with Node.js and TypeScript. Open source, MIT license. Would love to hear what you think.
AI 资讯
I Scanned My PC for AI Agents — Found 457 of Them
After using Claude Code, Codex, and Pi Agent for months, I wondered: how many AI agents are on my machine? I built a scanner. Here's what it found: Framework Active Archived Claude Code 192 191 Codex CLI 37 0 Pi Agent 8 sub-agents 12 scripts MCP Servers 8 - Total 448+ The Waste Duplicate calls : Same prompt → 3 agents (8-18% waste) Overqualified models : Simple tasks on expensive models (15-25% waste) Cache fragmentation : No shared prompt cache (12-20% waste) Zombie agents : Archived still indexed (2-8% waste) → 30-50% of AI API spend is wasted. The Fix AMA — Agent Management Agent bash pip install ama-core && ama scan && ama start Scans all agents across frameworks Smart routing (simple task → cheap model) Lifecycle management Local dashboard at localhost:8765 Free calculator: ama-agent-store.vercel.app/calculator MIT licensed. Feedback welcome!
AI 资讯
How I Rebuilt My Entire User Feedback Workflow with FeedLog (And Why I Ditched Canny)
Six months into running my SaaS, my "feedback system" was three browser tabs, a starred Gmail folder, and a sticky note on my monitor that said "check Discord." That was the whole system. It held together until the day I found a three-paragraph email from a paying user — a genuinely detailed feature request with a real use case — sitting unread for 24 days. His last line was: "Happy to pay more if you can support this." I replied the same afternoon I found it. His reply: "Switched last week, thanks anyway." That was the moment I stopped treating feedback management as a nice-to-have. Why the usual fixes didn't fix anything I tried the obvious things first. I want to document them because I see a lot of people cycling through the same failed solutions. Notion database 🪦 Built a beautiful one. Color-coded tags, priority columns, status tracking. It lasted 11 days before nobody — including me — was maintaining it. The friction of "open Notion, find the right database, fill in six fields" is invisible when you're designing the system and fatal when you're in the middle of a support conversation. Airtable form 🪦 Better entry point, still disconnected from where users actually were when they had feedback. Nobody bookmarks your Airtable form. They DM you on Discord and you think "I'll add that later" and you don't. Canny — this one actually worked, for a while I genuinely liked Canny. Clean interface, users could upvote requests, I could see what was popular. It felt like a real system. Then our user count grew and the pricing tier jumped. I was looking at $99/month for a feedback board for a product still finding its footing. That's not a moral judgment on Canny — it's a fair product — but for a bootstrapped indie dev, it started feeling like a tax on momentum. The deeper problem with all three solutions was the same: they were inboxes, not loops. User submits → enters the void → user never knows if anyone saw it → user assumes nobody did → trust erodes → churn. I had bui
AI 资讯
Claude Code's workflow docs are a menu.
Here is what a real solo founder orders. $ git worktree list ~/app a1b2c3d [ main] ~/app-review e4f5g6h [ review-branch] ~/app-content i7j8k9l [ draft-post] Three checkouts. One machine. Each one runs its own Claude Code session that cannot touch the others. That is a normal workday for me. I run a one person shop. Content and code, same desk, same hour. Anthropic's common workflows page lists about a dozen recipes for everyday work, and the docs are strong. What they do not tell you is which recipes survive contact with a real workday and which ones stay theory. After running Claude Code as my whole operation, five workflows carry the load. Here is the honest split. https://code.claude.com/docs/en/common-workflows 1. Worktrees changed how I work The problem worktrees solve is collision. You ask Claude to fix a bug. While it edits, you want to keep building a feature. Same repo, two streams of edits, and now your working tree is a fight nobody wins. A git worktree is a second checkout of the same repo on its own branch. Claude runs inside it and never sees the other windows. claude --worktree feature-auth Real scenario from this week. The post you are reading was drafted in one worktree while a separate Claude session reviewed an open pull request in another. Neither touched the other's files. When the review finished I merged, came back to the draft, and never lost my place. If you take one workflow from the docs, take this one. The setup cost is close to nothing and parallel agents stop stepping on each other. 2. Subagents protect the one resource you cannot buy more of The model's working memory is your budget. Every file Claude reads to answer a question spends it. Ask "how does our auth refresh work" in a large repo and Claude reads a pile of files to answer. Those files now sit in the window for the rest of the session, crowding out the work you care about. Delegate that to a subagent. use a subagent to investigate how our auth system handles token refresh The
AI 资讯
Coding agents should not hold write credentials.
I have been thinking a lot about coding agents lately. Not really about whether they can write good code, because usually they can, sometimes they can't. That part is obvious. But the risk is shifting from wrong answers to wrong outcomes. The part that feels more important to me is this: should the agent actually own the write authority? We already don't trust humans without roles, limits, reviews, and accountability. Developers use PRs, pilots use checklists, bank clerks have transfer limits. Capable agents need the same structure, but machine-readable. Right now a lot of setups still look roughly like this: agent reads the repo agent decides what to change agent has a GitHub token agent creates commits, branches, or PRs I don't think this is the right default. The agent can reason. The agent can inspect files. The agent can propose changes. But the moment it can directly create external impact, the problem changes. It is no longer just: did the agent say something wrong? It becomes: did the agent create the wrong outcome? That is a much more expensive failure mode. Intent is not authority The pattern I like more is simple: agent reads directly agent proposes intent a boundary decides an adapter materializes only admitted work So the agent does not get the write credentials. It submits a structured intent instead, which could look like: { "operation" : "write" , "target" : { "repo" : "example/app" , "branch" : "main" , "path" : "docs/config/agent-policy.md" }, "source_state" : { "blob_sha" : "8f31c2..." }, "requested_effect_hash" : "sha256:..." } This is then not a command anymore, it is a suggestion, or an intent. The system still has to decide whether this proposed outcome should exist. That decision layer can check things like: is this actor allowed? is this repo allowed? is this path in scope? does the source state still match? is this operation allowed? was the same effect already created? should this become a reviewable PR? Only after that should there be an
AI 资讯
Coding agents keep losing context between tools, so I built a local-first handoff CLI
The problem I often switch between Codex, OpenCode, Cline, Claude Desktop, scripts, and terminals. The annoying part is not starting a new tool. The annoying part is explaining the same workspace state again: what changed what is still pending what should not be touched what tests passed what the next agent should read before editing What I built AgentContextBus (acb) is a local-first CLI for handing off workspace context between coding agents. It saves a local handoff packet, then lets the next agent read it through: paste-ready prompts brief prompts a local dashboard JSON output explicit MCP tools First run npx @xiaoshuo1988/acb verify first-run For Chinese output: npx @xiaoshuo1988/acb verify first-run --lang zh-CN A normal handoff From the agent that has context: acb handoff --from codex --summary "Ready for the next agent" --git From the receiving side: acb receive --latest After the receiving agent summarizes the packet: acb ack --latest --by opencode What ACB intentionally does not do no hidden prompt injection no traffic interception no third-party client config mutation no cloud sync no background daemon Why local-first I want the user to be able to inspect the packet store, copy text manually, and decide exactly when context crosses from one agent to another. What I want feedback on Is the handoff packet concept clear? Is verify first-run enough to understand the tool? Is receive --latest the right receiving-side command? Which client path needs the most work? Would you trust this workflow in a real project? Repo: https://github.com/xiaoshuo1988130/acb Feedback discussion: https://github.com/xiaoshuo1988130/acb/discussions/1
AI 资讯
OpenAI Codex vs Google Antigravity: Architecture, Workflow, and Key Differences
AI coding tools are no longer just autocomplete engines. For the last few years, developers used AI mainly to write faster: generate a function, explain an error, complete boilerplate, or suggest a code snippet. That was useful, but the human developer still controlled almost every step. Now the shift is toward agentic software development. Tools like OpenAI Codex and Google Antigravity are not only helping developers write code. They are starting to inspect repositories, understand tasks, edit files, run commands, verify outputs, and return work for human review. But Codex and Antigravity are not the same kind of product. They represent two different architectures for the future of software development. Codex: Delegated Engineering Agent OpenAI Codex is best understood as a delegated software engineering agent. The developer gives it a scoped task: fix a bug, review a pull request, write tests, refactor a module, or implement a defined feature. Codex then works through the codebase, makes changes, runs checks where possible, and returns a result that the developer can review. Its natural workflow is close to how software teams already work: Task → Repository Context → Code Changes → Tests/Checks → Pull Request or Reviewable Output This makes Codex useful for structured engineering work. It fits naturally into GitHub-style workflows, pull requests, code reviews, tests, and CI/CD practices. In simple terms, Codex feels like assigning work to an AI engineer. Antigravity: Agent-Orchestration Environment Google Antigravity takes a different approach. It is better understood as an agent-first development environment. Instead of focusing only on one delegated task, Antigravity is designed around supervising agents inside the development workspace. Agents can operate across the editor, terminal, browser, and artifacts. They can help plan, build, verify, and explain the work. Its workflow looks more like this: Goal → Agent Orchestration → Workspace Execution → Browser Verif
AI 资讯
Every tutorial tells you to add .env to .gitignore. That's not enough.
Here's something nobody talks about. .gitignore doesn't encrypt your secrets. It just hides them from git. They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever. So I built dotlock — an encrypted .env vault with a terminal UI, written in Go. Before and after Before dotlock DATABASE_URL = postgres://localhost/myapp # plaintext, readable by anything STRIPE_KEY = sk_live_abc123 # one grep away from anyone After dotlock # .dotlock file on disk — looks like this: [ encrypted binary — unreadable without your private key] How it works under 10 seconds cd my-project dotlock set DATABASE_URL # prompts for value, input is masked dotloc # opens the terminal UI Secrets are encrypted with age — X25519 key agreement and ChaCha20-Poly1305 authenticated encryption. The same primitives serious security engineers use. No master password. No cloud. No telemetry. 100% offline. What it looks like Two panels — profiles on the left, secrets on the right. Values are masked by default. Press v to reveal for 30 seconds, then it hides itself automatically. Switch between dev , staging , and prod profiles. Run a diff before deploying to catch missing variables before they break your app. The interesting technical bit The hardest part wasn't the encryption — filippo.io/age makes that straightforward. It was the TUI. BubbleTea uses the Elm architecture — Model, Update, View. Everything is a message. A keypress is a message. A timer firing is a message. Your Update function receives messages and returns a new model. The 30-second auto-hide on secret reveal works like this — no time.Sleep , no goroutines: type secretReveal struct { key string value [] byte expire time . Time // Now() + 30 seconds } On every render, check if time.Now() is past the expiry. If it is, zero the bytes and clear the display. Simple once you understand the model but it took
AI 资讯
Your JWT decoder might be leaking your tokens. Here's how to check.
Most developers paste production JWTs into online decoders without thinking. Here's a 10-second DevTools check to see if your token is actually leaving your machine. A coworker was debugging an auth bug last month. Standard workflow: copy the JWT from the failing request, paste it into an online decoder, read the payload. I've done it a thousand times. You probably have too. Except the token he pasted belonged to a real customer. And the decoder he used is owned by an identity company that's had its share of security incidents. Nothing bad happened. Probably. But it made me think about something I'd never actually checked: when you paste a JWT into an online decoder, where does that token go? What a JWT actually contains Quick reminder of why this matters. A JWT isn't encrypted — it's just Base64URL-encoded. Anyone who has the token can read everything in it: header.payload.signature The payload routinely contains: User ID, email, and role Session identifiers Token expiry ( exp ) and issue time ( iat ) Sometimes — against best practice — far more And here's the part people forget: a valid, unexpired JWT is a live credential. If it hasn't expired, whoever holds it can often impersonate the user. Pasting it into a random website is functionally similar to pasting a password. The 10-second check Most online JWT decoders claim to be "secure" and "client-side." Some are. Some aren't. You don't have to trust the claim — you can verify it yourself in 10 seconds: Open the decoder in your browser Open DevTools → Network tab Clear the network log Paste a JWT and decode it Watch the Network tab If any request fires when you decode — your token left your machine. A truly client-side decoder fires zero network requests during decoding. The JavaScript does everything locally; nothing is sent anywhere. Try this on whatever decoder you currently use. You might be surprised. Why most "online" tools send data It's usually not malicious. Building decoding logic on the server is someti
AI 资讯
I built a 9-agent AI dev team in a Claude Code plugin — here's what happened
The moment I realized AI coding assistants were broken I was building a side project — a simple task manager app. I opened Claude Code, typed: "Add user authentication with email and password login" …and hit enter. Twenty minutes later, I had code. A lot of code. Authentication logic, routes, middleware, even some basic tests. But there was a problem. The frontend (me, on a different day) had assumed a different API shape. The tests only covered the happy path. There was no architecture decision to reference — I just picked JWT because it felt right. And the docker-compose.yml ? It didn't exist yet. I had AI-generated code, but no real software development workflow. What was actually missing Good software isn't just code. Before you write a single line, you need: A spec that everyone (including future-you) agrees on An architecture decision that explains the why Backend and frontend designed to talk to each other Tests that prove things actually work A code review that catches security holes before they ship A deployment config that someone can actually run Normally, a team handles all of this. A PM writes the spec. An architect proposes options. Engineers implement and review each other's work. A DevOps person sets up CI/CD. What if AI could fill all those roles? Building the pipeline I built claude-dev-pipeline — a Claude Code plugin that orchestrates a team of specialized AI agents, each with a specific job. airwaves778899 / claude-dev-pipeline 7-agent full-stack development pipeline plugin for Claude Code — PM → Architect → Backend → Frontend → QA → Reviewer → DevOps claude-dev-pipeline A Claude Code plugin that orchestrates 7 specialized AI agents to take your feature request all the way from requirements analysis to production deployment — with a human-in-the-loop checkpoint at every phase. 中文說明 Why? Writing a feature involves more than just code. You need: A clear spec that everyone agrees on An architecture decision before you write a single line Backend and
AI 资讯
You Don't Have to Learn Hermes From Scratch — I Brought My Existing Skills In
This is a submission for the Hermes Agent Challenge : Write About Hermes Agent I Didn't Start With Hermes Six months ago I started building a set of agent skills and personas for how I build software. Not generic prompts — opinionated role files. A /backend-architect that owns schema and recommendation logic. A /test-engineer that writes Vitest coverage and flags weak acceptance criteria. A /project-manager that maintains planning docs and closes iterations cleanly. These roles have evolved across multiple projects. They have layering rules, discovery checklists, inheritance from a base engineering discipline file. They produce consistent, reviewable work because they're scoped — the backend architect doesn't touch test files, the test engineer doesn't redesign the schema, each persona has a defined mandate and exits cleanly. When I heard about Hermes Agent, my first instinct wasn't "let me learn a new system." It was: can I run my existing system inside this? The answer is yes. That's what this article is about — what it looks like to bring a mature workflow into Hermes, what you gain, where it breaks down, and what I'd do differently. What Hermes Is (and Isn't) to Someone Who Already Has a Workflow Hermes is an LLM-agnostic orchestration layer. It has its own skill system, its own soul.md concept for persistent agent identity, built-in cron scheduling and MCP management. All of that is real and useful. But it's also a runtime. If you have skills that work, you can bring them in. I installed a local Hermes instance — few clicks, straightforward setup — and ran it inside VSCode's integrated terminal pointed at my existing persona files. No migration. No rewrite. My /backend-architect runs in Hermes the same way it runs in Claude Code. Before settling on this, I'd tried a couple of other paths — a VPS instance with a Telegram interface for ideation, and attempting to build through a browser-based terminal. The VPS was fine for sketching ideas. The browser terminal ma
AI 资讯
If Microsoft and Uber can't afford AI coding, what chance do the rest of us have?
Two stories landed in the same news cycle. Microsoft cancelled most internal Claude Code licenses....