AI 资讯
The 8-item security checklist no one tells indie devs
I've reviewed the launch post-mortems of dozens of indie devs who got hacked after shipping their first SaaS. The common thread isn't bad code. It's a checklist no one handed them before they clicked publish. This is that checklist. Eight items. Each one has: a curl command you can run right now, why the bug matters in plain English, and a concrete fix in under ten lines of code. If you can check all eight green before you launch, you've eliminated the majority of the low-hanging-fruit attack surface on a typical Next.js + Supabase MVP. You're not done with security — but you've moved from "will definitely get popped on launch day" to "a real attacker will have to actually work for it." No sales call required. No consulting firm. Eight items in your terminal before launch. Item 1: Every API endpoint has an auth check How to check: # Test an endpoint without a cookie/token curl -s -o /dev/null -w "%{http_code}" https://your-app.com/api/your-endpoint # Should return 401. If it returns 200, the endpoint is public — intentional? Why it matters: API routes in Next.js are not automatically protected. If you forgot to add getServerSession (or your equivalent auth check) to a route handler, it's open to the internet. The route might not be linked in the UI, but it's reachable. Fix: // At the top of every API route handler const session = await getServerSession ( authOptions ) if ( ! session ) return new Response ( ' Unauthorized ' , { status : 401 }) Run this check for every file under src/app/api/ . Better yet: write a middleware that protects all /api/ routes by default and use an explicit { public: true } annotation for routes that should be unauthenticated. Item 2: Per-tenant data scoping (BOLA / IDOR) How to check: # Log in as user A, grab a resource ID from the response # Then change the cookie/token to user B's and request the same ID curl -s -H "Cookie: your-user-b-session" https://your-app.com/api/items/YOUR-USER-A-ITEM-ID # Should return 403 or 404. If it returns
开源项目
SpaceX is gearing up for Starship's 13th test flight later this week
This flight will put Starship under higher pressure and test out new Starlink satellites in orbit.
AI 资讯
AI News Roundup: Grok 4.5 Hits Tesla, Perplexity's Orchestrator Beats Opus, and Meta Undercuts Pricing
Five stories moved the AI-coding world today. None are about a single model winning forever — they are about the ground shifting under who runs the agents and who pays for them. Musk puts Grok 4.5 to work at Tesla and SpaceX Tesla and SpaceX have been told to trial Grok 4.5 . The signal is not the benchmark — it is that a frontier model is being pointed at real engineering and ops inside hardware companies. When a model moves from a chatbot to a mandate inside a manufacturing and launch pipeline, the feedback loop gets brutally honest fast. Perplexity's orchestrator beats Opus on a benchmark Perplexity added Grok 4.5 to its orchestrator and reports beating Opus on the WANDR benchmark. Orchestrators are the quiet winners of this cycle: instead of one model doing everything, a router picks per-subtask. A smaller-or-cheaper mix outperforming a single flagship on a targeted benchmark is the trend to watch — it is how teams cut cost without giving up quality on the hard parts. Meta launches Muse Spark 1.1 at 25% of competitor pricing Meta shipped Muse Spark 1.1 through an API priced at roughly a quarter of what competitors charge. Price is a feature. At 25% of the field, an API becomes the default fallback router for cost-sensitive agents even if it is not the best at everything. Expect orchestrators to slot it in for the boring 80%. ByteDance rolls out Seedream 5.0 Pro ByteDance pushed Seedream 5.0 Pro across multiple platforms. Image generation keeps consolidating into a few vendor-backed models with wide distribution — relevant to coding agents the moment they need to generate UI mockups or assets inline. Cursor builds an "Office Agent" to challenge Anthropic Cursor is building a Sand AI office agent aimed at Anthropic's turf. The coding-agent wars are expanding from "writes code" to "runs the surrounding workflow" — email, docs, tickets. That is the same expansion the open-source side is feeling: oh-my-pi's model hub and OpenClaw's session fleet are both bets that th
AI 资讯
Planting a Future Breaking Change Today: A launchd Timer Job That Deletes Itself When Done
This is a follow-up to my earlier post, " Automating a config migration with a one-shot launchd job ." Some breaking changes come with a known expiration date, and you can prepare for them long before they land. This time the external event was the end-of-life of Fable 5 (2026-07-07), and I'll walk through how I designed a launchd job you set up today, that fires only on the target day, and that removes itself once it's done. The whole thing started with the thought, "manually fixing this on the shutdown day is going to be annoying." But I also didn't want to run a script every morning that needlessly rewrites JSON. What I landed on was a three-part set: a date gate, a jq rewrite with a backup, and self-unload. The problem: on the day I learn about a deprecation, I want to plant a job that "only runs on the target day" Right now, ~/.claude/settings.json looks like this: { "model" : "claude-fable-5[1m]" , ... } The moment I learned Fable 5 would end on 2026-07-07, creating a calendar reminder to manually rewrite this "model" felt too flimsy — I'll forget. On the other hand, making "a daemon that checks the date every time it boots" is overkill. What I wanted was a job I could set once and leave alone, that runs when the day arrives, and then disappears. launchd can fire at a specified time via StartCalendarInterval . But you can't express "just once at 9:00 on 7/7"; you need a combination of recurring and date-fixed slots. Specifying multiple slots and absorbing the redundancy with idempotency is the standard trick on macOS launchd. The implementation: the three-part set Here's the full ~/.claude/scripts/model-transition-0707.sh (comments omitted). #!/bin/bash set -uo pipefail SETTINGS = " $HOME /.claude/settings.json" LOG = " $HOME /.claude/logs/model-transition.log" PLIST = " $HOME /Library/LaunchAgents/com.shun.model-transition-0707.plist" log () { echo "[ $( date '+%F %T' ) ] $* " >> " $LOG " ; } # ① 日付ゲート if [ " $( date +%Y%m%d ) " -lt 20260707 ] ; then log "ski
科技前沿
China recovered its first reusable rocket and showed a new way to do it
"Clearly, they admire the work that's being done by SpaceX and are trying to replicate it."
开源项目
Payloads used to dictate the terms of launch. That's finally changing.
"The Starship Pez dispenser demonstrates very smart industrial design and scale."
AI 资讯
MVP vs MLP
The MVP was a great idea that got misused. "Minimum viable product" was meant to be the smallest experiment that tests a hypothesis. In practice it became an excuse to ship something broken and call it strategy. The minimum lovable product — MLP — is the correction: the smallest release that people actually want to use, not just tolerate. Knowing which one you need is a scoping decision, not a philosophy. The difference in one line An MVP asks will they use it at all? An MLP asks will they love the part we built? The MVP tests demand with the roughest possible artifact. The MLP narrows scope but polishes what remains until it's genuinely good. Both are about doing less. They disagree on where the "less" goes — fewer features versus rougher features. Why the bar has risen When users had few alternatives, a rough MVP could win on novelty. Today almost every category is crowded, and people judge a new product against the polished tools they already use. A janky first impression doesn't read as "early" — it reads as "not for me," and they don't come back. In a saturated market, lovability is the viability test. When an MVP is still right Ship a true MVP when the core question is demand, not quality: You're genuinely unsure anyone wants this at all. The audience is early adopters who tolerate rough edges for access. You can learn what you need from a small, forgiving group. Speed to a signal matters more than the strength of the signal. Here, spending weeks polishing something nobody wants is the expensive mistake. When to reach for an MLP Choose an MLP when demand is fairly clear but the market is competitive: Users have real alternatives and will compare you to them. Your differentiation is the experience — feel, speed, design. First impressions are hard to reverse. Word of mouth depends on delight, not just function. Scope narrow, finish deep The trap with "lovable" is treating it as license to add features. It's the opposite. Pick fewer things and finish them complet
科技前沿
ULA's last six Atlas Vs can't launch anything besides Boeing's Starliner
Amazon says it has enough satellites in orbit to begin initial broadband service at mid-latitudes later this year.
产品设计
Katalyst's satellite rescue mission is now in pursuit of NASA's Swift
It will take several weeks for the Link spacecraft to rendezvous with NASA's Swift observatory.
产品设计
Katalyst's satellite rescue mission is now in pursuit of NASA's Swift
It will take several weeks for the Link spacecraft to rendezvous with NASA's Swift observatory.
开发者
A US military exercise in space got underway with barely anyone noticing
The Space Force wants to cut the time to field new satellites from years to weeks, days, or hours.
AI 资讯
Eidetic Works Pro is live: persistent memory for your AI agents, $29/mo
I just shipped Pro tier for Eidetic Works . Here's what's in it, who I built it for, and why I'm shipping three tiers ($29 / $99 / $299) instead of a single plan. What problem does this actually solve? You're running Claude Code. You have two or three sessions open across different parts of the codebase. Session 2 doesn't know what Session 1 decided. You end up re-explaining the same architecture decisions to the same model you already talked to yesterday. This is the context-drift problem. It doesn't come from the model being bad. It comes from each session starting with no memory of what came before. nucleus_ask — the MCP tool at the center of Pro — lets any agent call into your shared engram store and pull context that persists across sessions, across tools, and across machines. What's in Pro Managed R2 sync. Your engrams live in SQLite on your machine. Pro backs them to a Cloudflare R2 bucket with zero config. Your keys, your bucket — I'm not storing your AI history on my infrastructure. nucleus_ask recall. The MCP primitive your agents use to query the shared store. One call, structured results. Wire it into your MCP config once and every session gets recall. Customer dashboard. Sync health, engram counts, last-seen surfaces. Not glamorous. Just the visibility you need to confirm it's working. Email support. Direct line. Not a help-center chatbot. 60-second restore. New machine. One command. Full engram history back, including decisions from six months ago that your codebase assumes you remember. Three tiers Pro $29/mo — single seat. Managed sync, recall MCP, dashboard, email support. Pro+ $99/mo — 3 seats. Same features, team-shared engram store. Team $299/mo — 10 seats. Same features at team scale. Priority support. All three live at eidetic.works/pricing right now. Stripe checkout, monthly billing, cancel anytime. Who I built it for Devs running Claude Code seriously. If you use it daily, you're accumulating context that the next session can't access. That's
科技前沿
A Chinese rocket breaks apart dangerously close to the Starlink constellation
The rocket's breakup likely generated 100 to 150 new pieces of space junk.
开发者
Safety officials finally have a good idea of what a big rocket explosion can do
Overpressure from the Blue Origin blast shattered windows at a hangar about a mile away from the pad.
产品设计
In a surprise launch, China debuts another big rocket designed for reusability
There are sound engineering reasons to use the same approach SpaceX uses with the Falcon 9.
AI 资讯
Unastella, a South Korean rocket startup that launched from home, raises $24M
The Seoul-based rocket startup is developing its own launch vehicles and engines.