AI 资讯
Your AI Agent Doesn't Understand Your System
Everyone is asking whether AI can write code. That question is already answered. The more important question is: Can AI understand the system it is changing? The biggest limitation of AI coding tools isn't code generation. It's system understanding. That is no longer the interesting question. AI can already generate APIs, tests, database migrations, infrastructure files, and entire services. The better question is: Does your AI understand the system it is changing? For most engineering teams, the answer is no. And that is where many AI-assisted workflows quietly fail. The illusion of understanding Ask an AI assistant to: create a new endpoint add a background worker generate a service layer write a migration Most models will produce something that looks correct. The code compiles. The tests may even pass. But production systems are not collections of files. They are collections of relationships. The real questions are: Which service owns this capability? Which projects depend on it? Which runtime executes it? Which release gates are affected? Which verification steps must pass? What breaks if this change is wrong? These questions are rarely visible in source code. They exist in architecture, operational knowledge, deployment rules, contracts, and team conventions. That is why an AI agent can generate valid code and still make the wrong change. Bigger context windows won't solve this The common response is: Give the model more context. But more context is not the same as better context. A million tokens of source code still do not explicitly answer: What projects exist? Which commands are safe? What evidence is trusted? What is currently blocked? What is ready for release? The issue is not missing tokens. The issue is missing structure. The missing layer Most AI tools understand: files functions repositories Production systems require understanding: ownership architecture dependencies operational boundaries verification requirements change impact This is the gap betw
AI 资讯
88% of orgs hit an AI agent security incident — and half their agents run with no boundaries. That's an architecture problem.
A stat from 2026 that should stop you cold: 88% of organizations reported a confirmed or suspected AI agent security incident in the past year (92.7% in healthcare). And more than half of all agents run with no security oversight and no logging — naked. The problem isn't that the AI isn't smart enough. It's that almost nobody welded boundaries around it. And boundaries are exactly where rigor lives. The incident list: speed flooring it, boundaries naked The last couple of weeks of security signals line up scarily well: 88% of orgs reported confirmed/suspected AI agent incidents in the past year; healthcare 92.7% ; over half of agents have no security oversight or logging. Supply chain is the front door. A plugin-ecosystem supply-chain attack harvested agent credentials from 47 enterprise deployments ; attackers used them to reach customer data, financial records, and proprietary code — undetected for six months. A public skills marketplace at one point hosted 824 of 10,700 malicious "skills." Config is an attack surface. Check Point disclosed remote code execution in a popular coding agent via poisoned repository config files ; MCP (Model Context Protocol) is the connective tissue across nearly every incident this year — poisoned configs, malicious marketplace skills, unauthenticated exposed MCP servers. By early 2026, at least ten public incidents across six major AI coding tools were attributed to " agents acting with insufficient boundaries. " The industry's own summary: AI agent security in 2026 is a supply chain problem first, a prompt-injection problem second. And every one of these shares a single root cause — the agent can act, but there's no architectural boundary on what it can touch, change, or call. Why "naked" is inevitable: bolt-on boundaries always leak Why do half the agents run with no oversight? Because in the mainstream approach, boundaries are bolt-ons : an allow-list here, a gateway there, logs you read after the fact. The trouble: The tools an
产品设计
Acti
Agentic keyboard for mobile commands and search Discussion | Link
开发者
PDF API is live on Forgelab
We just shipped the Forgelab PDF API — a fast, affordable REST API for developers who need to handle PDF files without the hassle. What it does: Merge multiple PDFs into one Split PDFs by page ranges Compress PDFs to reduce file size Convert PDFs to images (PNG/JPEG) Pricing: Starts at $5/month for 100 calls/month. No hidden fees. Quick start: curl -X POST https://www.forgelab.africa/api/pdf/merge \ -H "X-API-Key: your_key" \ -F "files=@doc1.pdf" -F "files=@doc2.pdf" Sign up at forgelab.africa
AI 资讯
Diff Checker: a small tool that solves a specific problem
Code reviews, configuration changes, and debugging sessions demand precise understanding of what changed between two versions of text. Manual comparison of large blocks of code or configuration files is error-prone, and version control diffs don’t always provide a quick, focused view for sharing or verifying changes outside a repository. What it is Diff Checker is a browser-based text comparison tool that performs line-by-line analysis of two text blocks and highlights differences with color-coded visual indicators. It processes text entirely in the browser—part of the 200+ free tools on DevTools—meaning no data is uploaded or stored, a privacy‑first design. The interface uses a split‑pane layout: original text on the left, modified text on the right. As you paste or type, the comparison engine recalculates the diff in real time, marking added, removed, and changed segments so differences are immediately clear. Several configuration options tailor the analysis. Toggling whitespace sensitivity ignores differences in indentation or blank lines, useful when comparing code from teams with different formatting conventions. Case sensitivity can be turned off for text where capitalization inconsistencies are irrelevant. A swap button reverses the comparison direction with a single click, handy when the assignment of “original” and “modified” is accidentally reversed. How to use it Paste the original text into the left panel and the modified version into the right panel. The diff view updates instantly, so you don’t need to press a button to see changes. For code, the process is straightforward. Drop a baseline function on the left: function calculateTotal ( items ) { let total = 0 ; for ( let item of items ) { total += item . price ; } return total ; } And the updated version on the right: function calculateTotal ( items , taxRate = 0 ) { let total = 0 ; for ( let item of items ) { total += item . price * ( 1 + taxRate ); } return Math . round ( total * 100 ) / 100 ; } The
AI 资讯
Lorem Ipsum Generator: a small tool that solves a specific problem
Placeholder text is necessary scaffolding in web development, but ubiquitous Lorem ipsum can lead to design monotony and disconnect from project context. Developers building mockups, prototypes, or content-heavy interfaces often need filler text that matches the tone of the target application without introducing distracting Latin. What it is The Lorem Ipsum Generator is a browser-based tool that produces placeholder text in multiple styles, moving beyond classical Latin pseudo-text. It offers distinct variants: traditional Lorem ipsum, Hipster Ipsum with artisanal terminology, Corporate Speak filled with business jargon, and Pirate Ipsum with nautical themes. Each style maintains readability while providing vocabulary that aligns with the spirit of a given project. The generator is part of DevTools, a privacy-first collection of 200+ free browser tools where all processing happens locally—no signup, no tracking. Developers can configure generation parameters to specify the number of paragraphs, total word count, and whether to start with the familiar “Lorem ipsum dolor sit amet” opening. The output is plain text ready for pasting into HTML, design files, or CMS entries. How to use it The interface is a straightforward form: select a text style from the dropdown, then set the number of paragraphs or words you need. The tool generates the text instantly and provides a one-click copy button. <!-- Example output structure when pasting into HTML --> <div class= "content-area" > <p> Leverage agile frameworks to provide a robust synopsis for high level overviews... </p> <p> Iterative approaches to corporate strategy foster collaborative thinking... </p> </div> For typical workflows, 1–3 paragraphs suffice for article previews or body content. Headlines work well with 5–15 words, while navigation elements often need only 2–5 words. The quick copy functionality streamlines populating multiple content areas. Different styles suit different contexts: Corporate Speak makes busi
AI 资讯
Sakana Fugu
One Model to Command Them All Discussion | Link
AI 资讯
Latitude
Fix what's breaking in your AI agent Discussion | Link
AI 资讯
How I Built a Developer Knowledge Base in Obsidian That I Actually Use
Every developer I know has the same problem: knowledge scattered across five places at once. Browser bookmarks they never re-read. Notion docs that become graveyards. Slack threads with critical context that disappear into the archive. README files that contradict each other. Stack Overflow answers bookmarked with zero recall of why. I tried most of the "second brain" setups and none of them stuck until I figured out why they kept failing: generic productivity systems are not built for how developers actually think and work. A developer's knowledge is fundamentally different from a writer's or a manager's. It is: Code-linked (a note about a library is useless without the actual code it explains) Decision-heavy (architecture decisions need context, rationale, and alternatives considered) Debugging-intensive (solutions to bugs need the exact error message, environment, and what you tried) Time-sensitive (that API migration note is only relevant for a 3-month window) Here is the structure that actually worked. The Core Structure 00-Inbox/ 10-Projects/ 20-Areas/ - Language: Python/ - Stack: AWS/ - Domain: Auth/ 30-Resources/ - Libraries/ - Tools/ - Patterns/ 40-Archive/ The key insight: Resources are evergreen, Projects are temporary, Areas are ongoing responsibilities. A note about how JWT works lives in 30-Resources/Domain-Auth/ . A note about implementing JWT for the current sprint lives in 10-Projects/Sprint-42-Auth-Revamp/ . When the sprint is done, the project gets archived. The JWT fundamentals note stays forever. The Templates That Made It Click Architecture Decision Record (ADR) # ADR-042: Use Postgres over DynamoDB for user sessions Status: Accepted | Date: 2026-06-22 ## Context We need session storage that supports complex queries for the audit log feature. ## Decision Postgres with connection pooling via PgBouncer. ## Alternatives Considered - DynamoDB: rejected (query limitations for audit log requirements) - Redis: rejected (not durable enough for complian
AI 资讯
Sync and manage contacts across providers: Nylas Contacts API
Contacts are messier than they look. A user's real address book is spread across the people they've saved by hand, the people they've emailed often enough that the provider auto-collected them, and the colleagues in their company directory. Google exposes these through the People API; Microsoft through Graph; both model the data differently and split it across sources you have to query separately. The Nylas Contacts API unifies all of that behind one schema and one grant_id . You read saved contacts, auto-collected contacts, and directory contacts through the same endpoint, create and update entries that sync back to the provider, and organize them into groups. This post walks the contact surface from the HTTP API and the Nylas CLI , which mirrors every operation for terminal use. I work on the CLI, so the terminal commands below are the ones I run when I'm exploring an address book. The contact model and its three sources A contact in Nylas carries the fields you'd expect — given_name , surname , emails , phone_numbers , company_name , job_title , notes — plus richer ones like im_addresses , physical_addresses , and web_pages . The schema is the same across providers, so a Google contact and a Microsoft contact deserialize into one struct. The detail that trips people up is source . Every contact has one of three sources, and they mean very different things: address_book — contacts the user saved deliberately. This is the real address book. inbox — contacts the provider auto-collected because the user emailed them. These were never explicitly saved. domain — contacts from the organization's directory (coworkers). Knowing the source matters because "all contacts" usually isn't what you want. If you're building a contact picker, the inbox source can flood it with one-off recipients the user doesn't think of as contacts. Filter by source deliberately. See the Contacts API overview for the full data model. Before you begin You need a Nylas API key and a connected accou
AI 资讯
Record and transcribe meetings with the Nylas Notetaker API
Meeting notes are the feature everyone wants and nobody wants to build. The hard part isn't the summary — an LLM handles that. The hard part is getting into the meeting: a bot that joins Zoom, Google Meet, and Microsoft Teams, survives each platform's waiting room and admission flow, records cleanly, and produces a transcript you can feed downstream. Each provider has its own join mechanics, and none of them ships a tidy "record this meeting" API. The Nylas Notetaker API is that bot as a service. You point it at a meeting link, it joins on schedule, records, and generates a transcript, and you fetch the recording and transcript through one endpoint. This post walks the Notetaker surface from the HTTP API and the Nylas CLI , which mirrors the whole lifecycle for terminal use and quick testing. I work on the CLI, so the terminal commands below are exactly what I run when I'm testing a notetaker against a live meeting. Two ways to run a notetaker: grant-scoped or standalone Before any code, there's one architectural choice worth understanding, because it changes the endpoint you call. A grant-scoped notetaker is tied to a connected account and lives under /v3/grants/{grant_id}/notetakers . Use it when the bot acts on behalf of a specific user — it can read that user's calendar and join their meetings as them. A standalone notetaker has no grant at all and lives under /v3/notetakers . You hand it a raw meeting link and it joins, no connected account required. This is the one to reach for when you just have a URL and want a recording — a public webinar, a meeting on an account you haven't connected, or a system that deals in links rather than users. Same request body, same lifecycle, same media output; the only difference is whether there's a grant_id in the path. See the Notetaker overview for how both models fit together. Before you begin You need a Nylas API key. If you're using a grant-scoped notetaker you also need a connected account; for standalone, the API key al
AI 资讯
Stop polling: real-time email and calendar webhooks with Nylas
If your integration polls Nylas every minute to check for new email, you're doing too much work and still getting stale data. Polling is a tax: you burn rate limit on requests that mostly return nothing, and a message that arrives at 12:00:05 doesn't reach your app until the next poll. Webhooks flip that around. Nylas pushes a notification to your endpoint the moment something happens — a message arrives, an event changes, a contact is created — and your app reacts in real time. This post walks the webhook surface from both sides: the HTTP API that registers and manages webhooks, and the Nylas CLI , which has genuinely useful tooling for the part everyone gets stuck on — verifying signatures and testing webhooks against local code. I work on the CLI, so the terminal commands below are the ones I run when I'm wiring up a webhook receiver. Triggers and destinations A webhook has two halves: the trigger types it listens for and the destination URL it pushes to. Trigger types are dotted event names like message.created , event.updated , and contact.created , grouped into categories — grant, message, thread, event, contact, calendar, folder, and notetaker. You subscribe one destination to as many triggers as you want. The CLI lists every available trigger so you don't have to guess the names: # All trigger types nylas webhook triggers # Only message-related triggers nylas webhook triggers --category message Webhooks are application-scoped, not grant-scoped: one webhook registered on your application receives notifications for every connected account, identified by the grant_id in each payload. See the notifications overview for the full event model. Before you begin You need a Nylas API key — webhook management is admin-level, so it uses the application's API key rather than a grant. You also need an HTTPS endpoint reachable from the public internet to receive the notifications. The CLI gets the key set up: nylas init # create an account, generate an API key For local de
AI 资讯
One calendar API for Google, Microsoft, and beyond: Nylas Calendar
Scheduling features look simple until you build them. Google Calendar speaks its own REST API with events.insert ; Microsoft 365 wants Graph and POST /me/calendar/events ; Apple and a long tail of providers expect CalDAV. The moment your app needs to read a user's events, drop a meeting on their calendar, or check whether three people are free at 2pm, you're staring down three integrations that disagree on field names, time formats, and recurrence rules. The Nylas Calendar API gives you one interface over all of them. Connect a user's account once, get a grant_id , and read calendars, manage events, send RSVPs, and compute free/busy with the same request shape whether the backing provider is Google or Microsoft. This post walks the calendar surface from both sides: the HTTP API your backend calls, and the Nylas CLI for testing the same operations in a terminal. I work on the CLI, so the terminal snippets below are the commands I actually run when I'm poking at a calendar. Calendars, events, and the calendar_id A connected account has one or more calendars , and every event belongs to exactly one of them. Most operations take a calendar_id , and the special value primary resolves to the account's default calendar — so you don't need to look up an ID to act on the main calendar. One exception: iCloud doesn't support primary , so for iCloud accounts you pass a real calendar ID from nylas calendar list . An event carries a title , a when object holding its start and end times, a list of participants , an optional location , and flags like busy . That schema is identical across providers, which is the whole point: you read a Google event and a Microsoft event into the same struct. See the Calendar API overview for how calendars, events, and availability fit together. Before you begin You need a Nylas API key and a connected account with calendar scopes. The CLI gets you there in two commands: nylas init # create an account, generate an API key nylas auth login # connect
AI 资讯
Give your AI agent its own inbox: Nylas Agent Accounts via API and CLI
Most "AI email" demos point a model at a human's inbox over OAuth. That's fine until you want the agent to be a participant — to have its own address that people reply to, that calendars invite, and that builds its own sender reputation. Pointing at someone's personal inbox doesn't give you that. Nylas Agent Accounts take the other approach: a real name@yourdomain.com mailbox and calendar that the agent owns end to end. It sends, receives, hosts events, and RSVPs — and to anyone on the other side it's indistinguishable from a human-operated account. It went GA in June 2026. The part I like as an SRE: it's not a new API surface. An Agent Account is just another Nylas grant . It gets a grant_id that works with every endpoint you already use — Messages, Drafts, Threads, Folders, Attachments, Calendars, Events, Webhooks. Nothing new to learn on the data plane. This walkthrough provisions one two ways (CLI and raw API), then sends, receives, RSVPs, and adds guardrails. What you get When you create an Agent Account, Nylas provisions a real mailbox on a domain you've registered (or a Nylas *.nylas.email trial domain). Each account comes with: An email address that sends and receives like any other mailbox Six system folders ( inbox , sent , drafts , trash , junk , archive ), plus any custom ones you create A primary calendar that hosts events and RSVPs over standard iCalendar/ICS A grant_id for all the existing Nylas endpoints Before you begin You need two things: A Nylas API key. The fastest path is the CLI — nylas init creates an account and generates a key in one command. A domain. Either a Nylas-provided *.nylas.email trial subdomain (good for testing in minutes) or your own custom domain with MX + TXT records. Register it under Organization Settings → Domains. Why your own domain? It's what makes the agent a real first-class sender instead of a shared relay address — people reply to it, calendars invite it, and its mail authenticates as coming from you. A new domain b
AI 资讯
What to Put in Your CLAUDE.md (and What to Leave Out)
A great CLAUDE.md is not the longest one. It is the one where every line changes what Claude does. The whole skill is knowing what belongs in it — and, just as importantly, what does not. The sections that earn their place Start with a one or two line project description and your stack, with version numbers. Claude infers a lot from your code, but it will not guess that you are on Next.js 15 instead of 14, or which ORM you chose. Then a directory map — not every file, just the top-level layout with a note on what each part holds. After that: the build and test commands, the conventions a formatter does not enforce, and critically, the things not to touch. # Project: Acme Dashboard Next.js 15 (App Router), TypeScript, Drizzle ORM, Vitest. ## Structure src/app/ # routes and pages src/lib/ # shared utilities, db client db/migrations/ # generated - never hand-edit ## Commands Build: npm run build Test: npm run test ## Conventions - API routes return { data, error } - never throw to client - Server components by default ## Do not touch - db/migrations/ is generated. Never edit by hand. Every line in that file would cause a mistake if removed. That is the bar. What to leave out This is where most files go wrong. Two kinds of content waste your budget: Personality instructions. "Act as a senior engineer," "think step by step," "be thorough." These feel productive but change nothing — Claude already does them. General advice that does not prevent a specific mistake is pure noise. Rules a tool already enforces. If you have a formatter or linter, do not restate what it enforces. Wire it into a hook instead, and keep CLAUDE.md for what tools cannot enforce. The one-line test For every line, ask: "If I remove this, will Claude make a mistake?" If yes, keep it. If no, delete it. This single question, applied ruthlessly, is the difference between a file Claude follows and one it ignores. A bloated file buries the rules that matter in noise, so Claude cannot tell which line is the
AI 资讯
What Is CLAUDE.md? A Practical Guide to Configuring Claude Code
If you use Claude Code, there is one file that quietly shapes every session: CLAUDE.md. Most developers either do not have one or have one that works against them. Here is what it actually is, in plain terms. The file Claude reads every session CLAUDE.md is a markdown file that Claude Code reads at the start of every conversation. Think of it as your project's constitution — the source of truth for how your specific repository works. Because Claude reads it every time, you stop re-explaining your stack, your conventions, and your commands on every task. Why it exists Without a CLAUDE.md, every session starts cold. Claude can read your code, but it cannot infer the things that live outside the code: that you are on Next.js 15 and not 14, that a directory is generated and must never be edited, that your team has a particular commit style. You end up explaining these again and again, slightly differently each time, so the output drifts. CLAUDE.md captures that knowledge once, somewhere Claude always sees it. Where it lives, and how to start Put CLAUDE.md in the root of your project. You do not have to write it from a blank page — the /init command analyses your codebase and generates a starter, detecting your build tools, test framework, and existing patterns: $ claude > /init Treat the result as a foundation, not a finished product. The real value comes from refining it as you learn what Claude gets wrong without guidance. What belongs in it A good CLAUDE.md is short and specific: A one-line stack description, with versions — Claude will not guess Next.js 15 over 14 A directory map — the top-level layout and what each part holds The build and test commands The conventions a newcomer could not infer from the code A "do not touch" section — generated files, migrations, protected paths Here is a compact example: # Project: Acme Dashboard Next.js 15 (App Router), TypeScript, Drizzle ORM, Vitest. ## Structure src/app/ # routes and pages db/migrations/ # generated - never h
AI 资讯
Why Claude Code Ignores Your CLAUDE.md (And How to Fix It)
You wrote a detailed CLAUDE.md, and Claude Code still gets things wrong — wrong convention, touches files it should not, ignores rules you clearly wrote down. The cause is almost never that the rules are missing. It is that they are buried. The over-specified file problem CLAUDE.md loads into Claude's context every single session, and performance degrades as that context fills. When the file grows too long, something counterintuitive happens: Claude starts ignoring parts of it. The important rules get lost in the noise, and the genuinely critical instructions sit too deep to reliably influence output. A bloated file does not just waste tokens. It actively makes Claude less reliable, because it cannot tell which of your hundred lines is the one that matters. The trap of good intentions It always starts reasonably: "let me put everything relevant in here." But relevant is a low bar. The file grows until it is impossible to scan, full of duplication, and so noisy that the truly important rules carry no weight. More content felt like more control. It was the opposite. The fix: prune ruthlessly Run every line through one question: "If I remove this, will Claude make a mistake?" If the answer is no, the line is noise — delete it. And if something only matters in a specific situation rather than always, it does not belong in the always-loaded file at all. That is what skills and subdirectory CLAUDE.md files are for — they load on demand, only when relevant. Let Claude fetch what it needs Instead of embedding everything, tell Claude how to pull context when it needs it. Rather than pasting an entire API guide into the file: # Wasteful - embeds the whole file every session: @docs/api-guide.md # Better - Claude reads it only when relevant: For Stripe integration work, read docs/stripe-guide.md The second form costs almost nothing until the moment it is needed. The result A pruned CLAUDE.md is often a third of the length and many times more effective. The rules that matter are
AI 资讯
I Fixed the "AI Commit Messages" Problem in 20 Lines of Python
You've probably seen that trending post — "I Asked AI to Write My Commit Messages and It Was Embarrassing." Same. But instead of accepting embarrassing output, I fixed it. Here's the thing: the problem isn't AI writing commit messages. The problem is how you ask it. One clear system prompt + the actual diff = surprisingly good results. The Setup No new packages. No API key. If you have Claude Code , you're already set. #!/usr/bin/env python3 import subprocess SYSTEM = ( " You are a git commit message generator. " " Output ONLY the commit message — no explanation, no markdown, no quotes. " " Follow Conventional Commits: type(scope): subject. " " Types: feat, fix, docs, style, refactor, test, chore. " " Subject: imperative, lowercase, max 72 chars. " ) diff = subprocess . check_output ([ " git " , " diff " , " --staged " ], text = True ) if not diff . strip (): print ( " Nothing staged. Run `git add` first. " ) raise SystemExit ( 1 ) msg = subprocess . check_output ( [ " claude " , " -p " , SYSTEM + " \n\n " + diff ], text = True , ). strip () print ( msg ) That's it. 20 lines. Uses the claude CLI under the hood — no API key, no config, just your existing Claude Code OAuth session. Why It Works The system prompt does the heavy lifting. Three constraints: Output ONLY the commit message — no preamble, no explanation Follow Conventional Commits — feat , fix , chore , etc. max 72 chars — keeps it readable in git log The diff is the context. You're not asking "write a commit message". You're asking "given these exact changes, what happened?" That's a much more answerable question. Usage # No setup needed if you have Claude Code. Just: git add . python /path/to/git_commit.py # → feat(server): add AI commit message generator via Claude CLI Or wire it into a git alias: git config --global alias.ai '!python /path/to/git_commit.py' # git ai The Results Before: update stuff fix bug WIP added the thing After: feat(api): add generate_commit_message tool to MCP server fix(auth): ha
产品设计
Animdock Motion Templates in the Browser
Create trend motions in your browser! Discussion | Link
产品设计
Notchkin
A notes app that lives in your MacBook's notch. Discussion | Link