🔥 lessweb / deepcode-cli - Deep Code 是专为 deepseek-v4 模型优化的终端 AI 编码助手,支持深度思考、推理强度控制以及 Ag
GitHub热门项目 | Deep Code 是专为 deepseek-v4 模型优化的终端 AI 编码助手,支持深度思考、推理强度控制以及 Agent Skills。 | Stars: 1,654 | 128 stars today | 语言: TypeScript
找到 1341 篇相关文章
GitHub热门项目 | Deep Code 是专为 deepseek-v4 模型优化的终端 AI 编码助手,支持深度思考、推理强度控制以及 Agent Skills。 | Stars: 1,654 | 128 stars today | 语言: TypeScript
GitHub热门项目 | OpenReel Video - Professional browser-based video editor. Open source CapCut alternative. 100% browser-based, no installation, no cloud uploads, no watermarks. | Stars: 3,802 | 82 stars today | 语言: TypeScript
GitHub热门项目 | All parts of Claude Code's system prompt, 27 builtin tool descriptions, sub agent prompts (Plan/Explore/Task), utility prompts (CLAUDE.md, compact, statusline, magic docs, WebFetch, Bash cmd, security review, agent creation). Updated for each Claude Code version. | Stars: 11,638 | 28 stars today | 语言: JavaScript
GitHub热门项目 | 🦸 AI 编程超能力 · 中文增强版 — superpowers(116k+ ⭐)完整汉化 + 6 个中国原创 skills,让 Claude Code / Copilot CLI / Hermes Agent / Cursor / Windsurf / Kiro / Gemini CLI 等 16 款 AI 编程工具真正会干活 | Stars: 6,504 | 66 stars today | 语言: JavaScript
GitHub热门项目 | An OSINT tool to search for accounts by username and email in social networks. | Stars: 6,806 | 53 stars today | 语言: Python
GitHub热门项目 | An AI-boost cross-platform multi-protocol fluent-design concurrent downloader built with Python & Qt. | Stars: 5,688 | 59 stars today | 语言: Python
GitHub热门项目 | Production-grade platform for building agentic IM bots - 生产级多平台智能机器人开发平台/ Agent、知识库编排、插件系统 / Bots for Discord / Slack / LINE / Telegram / WeChat(企业微信, 企微智能机器人, 公众号) / 飞书 / 钉钉 / QQ / Matrix e.g. Integrated with ChatGPT(GPT), DeepSeek, Dify, n8n, Langflow, Coze, Claude, Gemini, GLM, Ollama, SiliconFlow, Moonshot, openclaw / hermes agent, deerflow | Stars: 16,733 | 33 stars today | 语言: Python
GitHub热门项目 | A TTS that fits in your CPU (and pocket) | Stars: 5,746 | 510 stars today | 语言: Python
GitHub热门项目 | Repository for skills to assist AI coding agents with .NET and C# | Stars: 4,218 | 200 stars today | 语言: C#
GitHub热门项目 | Show usage stats for OpenAI Codex and Claude Code, without having to login. | Stars: 16,922 | 377 stars today | 语言: Swift
GitHub热门项目 | 💡 Download the complete source code of any website (including all assets). [ Javascripts, Stylesheets, Images ] using Node.js | Stars: 3,643 | 173 stars today | 语言: HTML
GitHub热门项目 | AI-powered job application framework built on Claude Code. Fork it, fill in your profile, and let Claude evaluate jobs, tailor CVs, write cover letters, and prepare you for interviews. | Stars: 8,581 | 2,402 stars today | 语言: TypeScript
I was implementing a feature where the session container would track a lastActivity timestamp, updated on every authenticated request. Standard stuff. I wrote it, tested it locally with curl, and noticed something odd: I kept getting a new Set-Cookie header value on every response. Not occasionally. On every single one. A week later I was sending a pull request to mezzio/mezzio-session-cache . The Setup: Two Backends, One Session Our system had a constraint: two backend applications, written in different languages, sharing a single user session. One was the main PHP/Mezzio app. The other was a service in a different stack that needed to read from, and update the lastActivity timestamp on, the same session container. There are a few ways to make polyglot session sharing work. We landed on a shared cache backend (Redis) with a well-defined session structure. Both apps could read and write through their own libraries, as long as they agreed on the storage format and the cookie name. The session ID was the contract. That contract is the part that quietly broke. A Missing Escape Hatch My first instinct was the usual list of suspects. Was something calling regenerateId() in a middleware I didn't know about? Was there a logout being triggered somehow? Was a misconfigured cache layer evicting and recreating sessions? After a bit of digging through the call stack, I ended up in the library itself. And there it was: CacheSessionPersistence was regenerating the session ID whenever the session data changed . Not on login. Not on privilege escalation. On every write . That's when the real question hit me: why on earth would a library do that by default? Reading Code Before Changing It When you find behavior that surprises you in someone else's code, the wrong move is to immediately label it broken. The right move is to assume the maintainers had a reason, and find out what it was. The reason, in this case, is session fixation . Session fixation is a class of attack where an atta
This is part of my work with 01MVP on OpenNomos — a project that helps founders validate ideas before building. The $0 Launch I once spent three months building a product. It had everything: authentication, payments, a polished UI, dark mode. I was proud of it. Launch day: 27 visitors. Zero signups. I had spent 90 days building and precisely zero days asking anyone if they wanted what I was building. I was solving a problem that existed only in my head. The Hardest Lesson The product wasn't bad. The code was fine. The UI was clean. The problem was that I never validated the core assumption: does anyone actually have this problem, and would they pay to solve it? This is the most common failure mode in indie hacking. You build something you think is cool, polish it to perfection, and launch to silence. The code was never the bottleneck. The validation was. What I Do Differently Now Talk to 10 people before writing code. Not surveys. Not landing page analytics. Actual conversations. "Would you use this? Would you pay for it? Why or why not?" Build a mockup, not a product. A Figma prototype or even a Google Form that simulates the core workflow is enough to test willingness to engage. Charge from day one. Free users will tell you nice things. Paying users will tell you the truth. If nobody will pay, the idea isn't ready. Kill fast. Most ideas fail. The goal isn't to make every idea succeed — it's to fail the bad ones quickly so you can find the good ones. Why This Matters More in 2026 In 2016, building a product was hard. You needed to know how to code, set up servers, handle deployments. The barrier to building kept bad ideas from being built. In 2026, Cursor writes your code, v0 generates your UI, and Replit deploys it. The barrier to building has collapsed to near zero. But here's the problem: AI can help you build anything. It cannot help you figure out what's worth building. The result is a flood of well-built products that nobody wants. The bottleneck shifted from
Disclosure: I write about projects in the OpenNomos ecosystem, including Swipe Cleaner. The Problem With Photo Cleaners Most photo cleaning apps have a dirty secret: your photos leave your device. They get uploaded to some server for "AI processing," "cloud analysis," or just because the developer didn't think about it. Swipe Cleaner takes the opposite approach. Everything happens on your iPhone. Not a single pixel leaves your device. Let me break down why that matters, and how it actually works under the hood. The Architecture Swipe Cleaner is built on three principles: 1. On-device processing, always. Image analysis, duplicate detection, and similarity matching all run locally using Apple's Core ML and Vision frameworks. No cloud roundtrips, no server costs, no privacy policy loopholes. 2. Tinder-style UX for decisions. You don't manage a grid of thumbnails and checkboxes. You swipe. Right to keep, left to delete. This isn't just a UI gimmick — it's a deliberate choice to reduce decision fatigue. When you have 3,000 photos to clean, you need flow, not friction. 3. Sandboxed storage access. The app requests permission for exactly what it needs. It doesn't ask for your entire photo library if you only want to clean screenshots. This is iOS privacy-by-design done right. Why On-Device Matters Now We're in a weird moment. AI capabilities are exploding, which means the temptation to "send it to the cloud for better results" is stronger than ever. But at the same time, Apple is pushing hard in the opposite direction — Private Cloud Compute, on-device ML, differential privacy. Swipe Cleaner aligns with where the platform is going, not where the industry has been. The Technical Trade-offs Local-first isn't free. Here's what you give up: Model size constraints. You can't run a 70B parameter vision model on an iPhone. The models need to be small, optimized, and ruthlessly efficient. No cross-device sync. Your cleaning decisions stay on one device. No cloud means no sync. For
The open-source ecosystem is converging on a hard question: when a commit is written with AI assistance, how do we know — and how do we enforce the disclosure policy? Python's discourse, Linux kernel's Assisted-by trailer, Fedora's AI policy, Apache's disclosure guidelines — every major project is grappling with this. But until now, there has been no tool at the CI level to enforce whatever policy a project chooses. Commit Check v2.11.0 introduces AI Attribution Governance — a new feature that detects known AI tool signatures in commit messages and lets projects decide whether to forbid them outright. To our knowledge, no existing tool enforces this kind of policy at the CI level. The industry need The conversation around AI disclosure is no longer theoretical: The Linux kernel standardized on the Assisted-by: trailer format — but deliberately stopped short of CI enforcement. As Sasha Levin noted at the Maintainers Summit, the kernel sets the convention, not the gate. The Python community is actively discussing whether Claude Code usage should be documented VS Code issue #313962 proposes replacing Co-authored-by with Assisted-by for AI agents Fedora requires AI disclosure (recommends the Assisted-by trailer). QEMU and Gentoo go further and forbid AI-generated contributions entirely. Each community defines its own policy — but none provides a neutral enforcement layer. That is the gap Commit Check fills. Configuration: a single toggle Commit Check keeps it simple. One configuration value, three ways to set it. TOML ( cchk.toml ): [commit] ai_attribution = "forbid" CLI: commit-check --message --ai-attribution = forbid Environment variable: CCHK_AI_ATTRIBUTION = forbid commit-check --message Two modes: Mode Behavior "ignore" No validation (default, backward compatible) "forbid" Rejects any commit containing known AI tool signatures There is no require mode in this release — only ignore and forbid . The reason is pragmatic: requiring an Assisted-by or similar trailer is
Hit a perfect 7-day streak this week, splitting my time between a massive aesthetic pivot in my...
We just open-sourced Synapse , a governed control plane for software composition analysis, recon, evidence, and reporting. It is built for people who have to scan a dependency tree, prove what they found, and hand over a report that holds up. Site: https://synapse.kkloudtarus.net/ Code: https://github.com/KKloudTarus/synapse-ce (Apache-2.0) Why we built it The usual workflow is fragmented. One tool for the SBOM, another for vulnerabilities, a spreadsheet for licenses, a folder of screenshots for evidence, and a report you assemble by hand. Nothing is reproducible, and when a client asks "how do you know this is real," the answer lives in someone's memory. Adding an LLM that writes your findings only makes that worse. We wanted the opposite: fast, but provable. What it is Synapse runs the assessment lifecycle behind one control plane, in Go, clean architecture. A few ideas hold it together: Deterministic-first. Scanning, matching, license classification, and reporting are pure, reproducible Go. There is no model in the report path. Scope-gated execution. Every engagement carries a scope and an authorization window, enforced server-side before any tool runs. Tools run via argument arrays, never a shell string. Tamper-evident evidence. Every artifact is hash-chained and append-only. A broken chain blocks the report. Bounded automation. The optional AI layer only ever proposes. A distinct verifier or a human confirms. The agent can never confirm its own claim. What it does today: SBOM across 15+ ecosystems, multi-source vulnerability detection with risk-based prioritization (KEV, then EPSS, then CVSS), license compliance, reachability, and deterministic reports in CycloneDX, SPDX, SARIF, and OpenVEX. Try it git clone https://github.com/KKloudTarus/synapse-ce.git cd synapse-ce docker compose -f deploy/docker-compose.full.yml up --build # open http://localhost:5173 Or gate CI on real risk: ./bin/synapse-cli scan . --fail-on high . We are looking for contributors Synapse i
Four years of optimizing React and Next.js projects taught me one thing: unoptimized images are everywhere, and nobody wants to fix them. Every project has the same pattern. Heavy PNG and JPG files are sitting inside /public , there is no consistent image pipeline, and some of those files have no business being that large in a production codebase. This is especially common in small and mid-sized projects. There is no CDN transformation layer or dedicated asset pipeline. Images get added while the product is moving quickly, and the cleanup becomes a task for “later.” Later, of course, never comes. Then, at 1am, while refactoring an extremely vibe-coded Next.js project, I found myself doing the cleanup manually again. Find an image. Upload it to an online compressor. Hit the free limit. Open another tool. Convert a few more. Download everything. Replace the original files. Hunt through the codebase for every import and src path. Hope I did not miss one. And I finally thought: I am a developer. Why am I doing this by hand? So I built pixcrush . npx pixcrush . One command to convert the images, compress them, and update their matching code references automatically. “But doesn’t Next.js already optimize images?” Yes, and if your application uses next/image consistently, you should absolutely take advantage of it. The Next.js <Image> component can resize images for different devices, lazy-load them, and serve modern formats such as WebP. Files inside /public can be referenced from the root URL, while statically imported images also give Next.js access to their intrinsic dimensions. The official Next.js image documentation explains these runtime optimizations in detail. But that solves a different layer of the problem. I wanted to clean up the source assets themselves: Replace heavy PNG and JPG files with smaller WebP files when conversion is worthwhile. Update existing imports and string-based image paths across the repository. Identify images that are no longer reference
I built SeamStress. It's a code reviewer with one rule: it only reports what it can prove against your actual code, quoting the exact lines. If it can't prove it, the finding gets demoted to a judgment call. Not presented as fact. That rule is enforced by one small piece of code: the verification gate. It decides whether a finding may be shown as verified_real. Every other part of the tool can be wrong and the damage is bounded. If the gate is wrong, the tool shows you a confident claim it never earned, with a proof label on it, and it renders as success. Silently. So before making the repo public, I ran the tool on the gate. Same pipeline it runs on anyone's code: three blind critics, then synthesis, then per finding verification. Eight model calls. It found two critical defects in its own foundation. Defect one: verified with no evidence behind it The status authority looked like this: const result = verifications . find (( v ) => v . findingId === finding . id ); return result ? result . status : " unverified " ; It trusted the verdict on a finding ID match. It never looked at the evidence. And the schema allowed an empty evidence array and an empty quoted code string. So a result shaped like {status: "verified_real", evidence: []} validated cleanly and certified a finding as proven. The report renderer would put that finding in the headline, under copy promising the exact lines quoted as proof, with nothing attached. The evidence block suppressed the display of the missing proof. It did not remove the finding from the verified set. The fix lives at the authority, not just the schema: if ( ! result ) return " unverified " ; const hasRealEvidence = result . evidence . some (( e ) => e . quotedCode . trim (). length > 0 ); return hasRealEvidence ? result . status : " unverified " ; A verdict is honored only when at least one non empty quote backs it. Checking at the authority also catches the whitespace quote variant that a naive schema minimum would miss. Fixed in