今日已更新 156 条资讯 | 累计 20626 条内容
关于我们

标签:#r

找到 17293 篇相关文章

AI 资讯

DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget?

DeepSeek vs Qwen vs Kimi vs GLM: Which One Wins My Freelance Budget? Last Tuesday I spent two hours building a client dashboard that needed AI-powered text summarization. The client is a small e-commerce shop, they get maybe 500 product descriptions a week that need condensing into bullet points. Sounds simple, right? Except when I ran the numbers on my usual OpenAI setup, the bill was going to eat into my margin harder than I'd like. That's when I went down the rabbit hole of Chinese AI models. DeepSeek, Qwen, Kimi, GLM — I've been hearing about these for months from other devs in Discord, but I never actually committed to testing them because, honestly, who has the time? Well, apparently I do, because that Tuesday I decided to run all four head-to-head against my actual workload. Here's what happened. Why I Even Bothered (The Real Math) Before we get into the benchmarks and pricing tables, let me put this in perspective. My hourly rate as a freelance dev sits at $85. Every hour I spend wrestling with a subpar API that hallucinates or charges too much is an hour I'm not billing a client. The "free" model is never free — either it costs me time or it costs me money, and usually both. I was paying roughly $0.60 per 1M output tokens on GPT-4o for the summarization work. For 500 product descriptions, each averaging maybe 150 tokens output, that's about $0.045 per batch. Sounds tiny, right? But multiply that across multiple clients, and suddenly I'm watching $40-60 a month vanish into API costs that I can't really pass along without awkward pricing conversations. So I started shopping. And what I found genuinely surprised me. The Contenders at a Glance All four model families run through Global API's unified endpoint, which means I didn't have to maintain four different SDKs, four different auth setups, four different billing dashboards. Just swap the model name in the request and ship. For a one-person operation, that's huge. Here's the landscape I was working with: Di

2026-07-15 原文 →
AI 资讯

Where ACC Fits in the Agent Stack: Transport, Runtime Control, and Business Authority

Connecting an AI agent to a tool is becoming easier. Letting that agent operate a real business system responsibly is still a different problem. Imagine an existing commerce system with APIs for reading orders, changing inventory, creating refunds, and disabling staff accounts. OpenAPI can describe the endpoints. A tool protocol can make them discoverable. An agent framework can select an operation and generate arguments. But those pieces do not, by themselves, answer several business questions: Which operations may be exposed to an agent-facing surface? Which invocation must carry a trusted acting subject? Which operation is high consequence? When does an invocation express approval intent? Which calls need stronger audit handling? Which execution properties should a runtime know before it invokes the API? These questions sit between tool connectivity and final business authorization. That is the layer the Agent Capability Contract, or ACC, is designed to describe. Start with a concrete operation Consider this API operation: paths : /orders/{order_id}/refund : post : operationId : createRefund parameters : - in : path name : order_id required : true schema : type : string requestBody : required : true content : application/json : schema : type : object required : [ amount ] properties : amount : type : number minimum : 0 This is enough to describe how to call the operation. It is not enough to describe how an agent-facing system should treat it. ACC adds a small, machine-readable declaration next to the operation: x-agent-capability : version : 1 enabled : true scope : refund.create risk : level : high subject : required : true approval : required : true when : - param : amount op : " >" value : 1000 audit : sensitive : true execution : readonly : false idempotent : true timeout_ms : 10000 The declaration does not grant the refund. It tells a compatible runtime how the operation should be presented and governed before the business system receives the call. The miss

2026-07-15 原文 →
AI 资讯

The 8-item security checklist no one tells indie devs

I've reviewed the launch post-mortems of dozens of indie devs who got hacked after shipping their first SaaS. The common thread isn't bad code. It's a checklist no one handed them before they clicked publish. This is that checklist. Eight items. Each one has: a curl command you can run right now, why the bug matters in plain English, and a concrete fix in under ten lines of code. If you can check all eight green before you launch, you've eliminated the majority of the low-hanging-fruit attack surface on a typical Next.js + Supabase MVP. You're not done with security — but you've moved from "will definitely get popped on launch day" to "a real attacker will have to actually work for it." No sales call required. No consulting firm. Eight items in your terminal before launch. Item 1: Every API endpoint has an auth check How to check: # Test an endpoint without a cookie/token curl -s -o /dev/null -w "%{http_code}" https://your-app.com/api/your-endpoint # Should return 401. If it returns 200, the endpoint is public — intentional? Why it matters: API routes in Next.js are not automatically protected. If you forgot to add getServerSession (or your equivalent auth check) to a route handler, it's open to the internet. The route might not be linked in the UI, but it's reachable. Fix: // At the top of every API route handler const session = await getServerSession ( authOptions ) if ( ! session ) return new Response ( ' Unauthorized ' , { status : 401 }) Run this check for every file under src/app/api/ . Better yet: write a middleware that protects all /api/ routes by default and use an explicit { public: true } annotation for routes that should be unauthenticated. Item 2: Per-tenant data scoping (BOLA / IDOR) How to check: # Log in as user A, grab a resource ID from the response # Then change the cookie/token to user B's and request the same ID curl -s -H "Cookie: your-user-b-session" https://your-app.com/api/items/YOUR-USER-A-ITEM-ID # Should return 403 or 404. If it returns

2026-07-15 原文 →
开发者

You Don't Need Node.js to Learn Web Development

I see this every week. Someone decides to learn web development. They Google "how to start web development" and within 20 minutes they're installing Node.js, npm, VS Code, and five extensions they don't understand. They haven't written a single line of code yet. But they've already spent an hour configuring their "environment." Then they get stuck. Node version conflicts. npm permission errors. VS Code extensions that break their syntax highlighting. They think they're not smart enough for programming. They are. They just started with the wrong step. The Problem Learning web development has three core technologies: HTML, CSS, and JavaScript. That's it. Everything else — Node.js, npm, webpack, Vite, React — is extra. It's not the starting point. But most tutorials assume you already have Node.js installed. They say "open your terminal" and "run npm install." Beginners follow along, copy the commands, and have no idea what any of it means. Here's what actually happens: You install Node.js (200MB+) You install VS Code (another 300MB+) You install 5-10 extensions You create a project folder You open terminal and run npm init -y You run npm install live-server You run npx live-server You finally see your HTML page in a browser That's 8 steps before you write Hello World . The Solution You don't need any of that. Not yet. Here's what you actually need to learn HTML, CSS, and JavaScript: A browser (you already have one) A text editor (Notepad works) That's it Open Notepad. Write this: <!DOCTYPE html> <html> <head> <title> My First Page </title> </head> <body> <h1> Hello, World! </h1> <p> This is my first web page. </p> </body> </html> Save it as index.html. Double-click the file. It opens in your browser. You just built your first web page. No terminal. No npm. No Node.js. No configuration. When Should You Actually Learn Node.js? Node.js becomes useful when you need: Server-side code (backend development) Package management (npm packages) Build tools (webpack, Vite) Framew

2026-07-15 原文 →
AI 资讯

Microsoft said the patches would get bigger. I measured how much bigger.

On 9 July 2026 the head of Windows published a post about AI-powered vulnerability discovery. One line in it was a warning to customers: "As AI helps defenders discover more issues, customers will see a higher volume of security updates included in each security release." It does not say how much higher. The post runs about 1400 words and contains no numbers at all. Five days later Microsoft shipped the July package: 1150 CVEs. The number Microsoft would not put in the blog post is sitting in Microsoft's own API. The Security Update Guide publishes every monthly package as machine-readable CVRF, acknowledgments included, no key required. So I pulled twelve months of it and did the arithmetic. What the data says I sampled eight months before the ramp and four after it. Month CVEs Month CVEs 2024-07 454 2026-04 737 2025-01 343 2026-05 991 2025-04 374 2026-06 1281 2025-07 527 2026-07 1150 2025-10 427 2026-01 310 2026-02 169 2026-03 460 The eight pre-ramp months average 383 CVEs. July 2026 is 1150, so the package is 3,0 times the old normal. The baseline broke in April and peaked in June at 1281. April to July inclusive is 4159 CVEs. At the old rate that is 10,9 months of output, delivered in four. The number I am not going to use February 2026 had 169 CVEs. It is the lowest month in two years, less than half the baseline. Divide July by February and you get 6,8 times, which is a much better number for a headline. I am not using it, because choosing your denominator is how honest people produce dishonest numbers. February is an outlier, and the only reason to anchor to it is that it flatters the story. The real multiplier is 3,0. It does not need help. It is not noise The obvious objection is that volume without quality is just a bigger pile. If AI were generating low-value findings that got patched anyway, the severity distribution would sag. It did the opposite. Measure 2025-07 2026-07 CVEs 527 1150 CVSS median 6,5 7,5 CVSS mean 6,47 7,26 CVSS 7,0 and above 48,0 % 71,

2026-07-15 原文 →
AI 资讯

Build Firebase AI Logic Application with Antigravity CLI and Stitch MCP Server [GDE]

Build Firebase AI Logic with Antigravity CLI Note: Google Cloud credits are provided for this project. In this blog post, I demonstrate how to use the Antigravity CLI (an agentic AI assistant integrating directly with development workflows via skills and servers) to build an image analysis demo using Angular, the Firebase Hybrid & On-device Inference Web SDK, and Gemini models. Users upload an image and use a Gemini model to analyze it to generate a few alternative texts, tags, recommendations, and CSS tips to enhance the image quality. When the demo is running in Chrome 148+, the Hybrid & On-device SDK leverages the Prompt API of the on-device Gemini Nano model to perform the image-to-text tasks, and the token usage is 0. When other browsers, such as Safari or Firefox, execute the same tasks, the SDK falls back to Cloud AI (Gemini 3.5 Flash model), which consumes tokens. Next, I describe how to install the skills in my Angular project and register the Angular and Stitch MCP servers in the Antigravity CLI to develop the infrastructure, services, and UI design of my demo. 1. Workflow This is my entire workflow from implementing features, generating UI screens, and mapping the screens to Angular components. 2. Skills I installed the grill-with-docs , angular , and firebase skills in my project for the following reasons: grill-with-docs: Conduct a rigid Q&A session to generate a specification for a feature, refactor, or critical fix. AI is responsible for performing thorough analysis, and putting in more efforts to generate code to achieve the task. domain-modeling: The skill is referenced in the SKILL.md of the grill-with-docs skill, so a copy of it is required. code-review: Spawn two sub-agents to review changes to detect code smells and verify that the changes align with the specification. angular: Provide the best practices of modern Angular architecture, such as using signals and signal forms. firebase: Provide the skills for Firebase AI Logic, Firebase Remote, et

2026-07-15 原文 →
AI 资讯

Hetzner was cheaper at every size I tested and I still chose managed Postgres

Twelve pricing tabs open. Neon, Hetzner, Supabase, Prisma, Scaleway, OVH. My database is half a gigabyte. I was comparing ten-terabyte price curves. At some point this week I typed the words "I am super lost here" about my own infrastructure. I advise companies on this exact class of decision. That sentence still came out of my hands. If you have ever spent an evening deep in provider pricing pages for a workload that fits on a USB stick from 2009, this one is for you. All numbers below come from the live pricing pages as of July 2026. Rates move, so verify before you commit. Three fears, all pointed at the wrong layers I went in worried about getting attacked, running out of space, and being locked in. All three dissolved under ten minutes of honest reading. DDoS lands on the website edge, not the database. My site already sits behind Cloudflare and Vercel, and a database is never publicly exposed. Only the app talks to it. Whichever provider I picked, that attack surface stayed identical. Here is the shape of the stack, and where each fear lives. MANAGED (what I run today) visitors ──> Cloudflare edge ──> Vercel app ──> managed Postgres [DDoS absorbed] [stateless] [never public, app-only access, provider patches, provider backups, provider on-call] SELF-HOSTED (the alternative I priced) visitors ──> Cloudflare edge ──> Vercel app ──> Hetzner CAX11 [DDoS absorbed] [stateless] [Postgres :5432 firewalled to app, SSH hardened, fail2ban + auto- patching = MINE] │ pg_dump every 6h ▼ encrypted ────> Cloudflare R2 [off-site copies] Same edge, same app, same attack surface. Everything in the right-hand box is what changes owners. Storage was a rounding error. My data is 0.5 GB. Even the cheapest self-hosted box includes 40 GB, eighty times headroom before the first extra cent. Lock-in was a phantom too. Managed Postgres is still stock Postgres. Exiting means a dump, a restore, and one connection string change in the deployment environment. Minutes of cutover, no rewrite an

2026-07-15 原文 →