今日已更新 63 条资讯 | 累计 20533 条内容
关于我们

标签:#tools

找到 645 篇相关文章

AI 资讯

public-apis: what 438k stars actually buy you, and what they don't

Repository: public-apis/public-apis What public-apis actually is public-apis is a community-curated directory of free and public APIs, maintained by contributors together with staff at APILayer. It is not a library, SDK, or gateway: there is no package to import and nothing to run in production. The repository is essentially one very large, structured README that catalogs APIs across roughly fifty categories, from Animals and Anime to Finance, Machine Learning, Security, and Weather. Each entry is a row in a table with five columns: the API, a short description, the authentication model ( apiKey , OAuth , or none), whether it serves over HTTPS, and whether it sets permissive CORS headers. That last detail is the part most engineers undervalue. Why engineers keep coming back to it The star count, now past 438,000, is less interesting than the metadata discipline. When you are prototyping and need a currency-exchange or geocoding endpoint, the Auth/HTTPS/CORS columns let you filter candidates before you ever open a browser tab. "No auth, HTTPS yes, CORS yes" tells you that you can call the endpoint directly from a front-end spike without standing up a proxy or registering for a key. For throwaway demos, hackathons, internal tools, and teaching material, that triage saves real time. The category index doubles as a map of what kinds of public data are actually available, which helps when you are scoping whether an idea is even feasible. How it is maintained Curation is manual and community-driven: changes arrive as pull requests against the README, governed by a contributing guide, with issues and PRs as the moderation surface. The project's primary language is Python, reflecting validation tooling that checks entries rather than any runtime you would consume. There is also a separate companion project that exposes the list itself as an API. The model is simple and has clearly scaled, but "manually curated" is both the strength and the weakness. Limitations worth statin

2026-06-01 原文 →
AI 资讯

Claude Code's workflow docs are a menu.

Here is what a real solo founder orders. $ git worktree list ~/app a1b2c3d [ main] ~/app-review e4f5g6h [ review-branch] ~/app-content i7j8k9l [ draft-post] Three checkouts. One machine. Each one runs its own Claude Code session that cannot touch the others. That is a normal workday for me. I run a one person shop. Content and code, same desk, same hour. Anthropic's common workflows page lists about a dozen recipes for everyday work, and the docs are strong. What they do not tell you is which recipes survive contact with a real workday and which ones stay theory. After running Claude Code as my whole operation, five workflows carry the load. Here is the honest split. https://code.claude.com/docs/en/common-workflows 1. Worktrees changed how I work The problem worktrees solve is collision. You ask Claude to fix a bug. While it edits, you want to keep building a feature. Same repo, two streams of edits, and now your working tree is a fight nobody wins. A git worktree is a second checkout of the same repo on its own branch. Claude runs inside it and never sees the other windows. claude --worktree feature-auth Real scenario from this week. The post you are reading was drafted in one worktree while a separate Claude session reviewed an open pull request in another. Neither touched the other's files. When the review finished I merged, came back to the draft, and never lost my place. If you take one workflow from the docs, take this one. The setup cost is close to nothing and parallel agents stop stepping on each other. 2. Subagents protect the one resource you cannot buy more of The model's working memory is your budget. Every file Claude reads to answer a question spends it. Ask "how does our auth refresh work" in a large repo and Claude reads a pile of files to answer. Those files now sit in the window for the rest of the session, crowding out the work you care about. Delegate that to a subagent. use a subagent to investigate how our auth system handles token refresh The

2026-05-31 原文 →
AI 资讯

Coding agents should not hold write credentials.

I have been thinking a lot about coding agents lately. Not really about whether they can write good code, because usually they can, sometimes they can't. That part is obvious. But the risk is shifting from wrong answers to wrong outcomes. The part that feels more important to me is this: should the agent actually own the write authority? We already don't trust humans without roles, limits, reviews, and accountability. Developers use PRs, pilots use checklists, bank clerks have transfer limits. Capable agents need the same structure, but machine-readable. Right now a lot of setups still look roughly like this: agent reads the repo agent decides what to change agent has a GitHub token agent creates commits, branches, or PRs I don't think this is the right default. The agent can reason. The agent can inspect files. The agent can propose changes. But the moment it can directly create external impact, the problem changes. It is no longer just: did the agent say something wrong? It becomes: did the agent create the wrong outcome? That is a much more expensive failure mode. Intent is not authority The pattern I like more is simple: agent reads directly agent proposes intent a boundary decides an adapter materializes only admitted work So the agent does not get the write credentials. It submits a structured intent instead, which could look like: { "operation" : "write" , "target" : { "repo" : "example/app" , "branch" : "main" , "path" : "docs/config/agent-policy.md" }, "source_state" : { "blob_sha" : "8f31c2..." }, "requested_effect_hash" : "sha256:..." } This is then not a command anymore, it is a suggestion, or an intent. The system still has to decide whether this proposed outcome should exist. That decision layer can check things like: is this actor allowed? is this repo allowed? is this path in scope? does the source state still match? is this operation allowed? was the same effect already created? should this become a reviewable PR? Only after that should there be an

2026-05-30 原文 →
AI 资讯

Coding agents keep losing context between tools, so I built a local-first handoff CLI

The problem I often switch between Codex, OpenCode, Cline, Claude Desktop, scripts, and terminals. The annoying part is not starting a new tool. The annoying part is explaining the same workspace state again: what changed what is still pending what should not be touched what tests passed what the next agent should read before editing What I built AgentContextBus (acb) is a local-first CLI for handing off workspace context between coding agents. It saves a local handoff packet, then lets the next agent read it through: paste-ready prompts brief prompts a local dashboard JSON output explicit MCP tools First run npx @xiaoshuo1988/acb verify first-run For Chinese output: npx @xiaoshuo1988/acb verify first-run --lang zh-CN A normal handoff From the agent that has context: acb handoff --from codex --summary "Ready for the next agent" --git From the receiving side: acb receive --latest After the receiving agent summarizes the packet: acb ack --latest --by opencode What ACB intentionally does not do no hidden prompt injection no traffic interception no third-party client config mutation no cloud sync no background daemon Why local-first I want the user to be able to inspect the packet store, copy text manually, and decide exactly when context crosses from one agent to another. What I want feedback on Is the handoff packet concept clear? Is verify first-run enough to understand the tool? Is receive --latest the right receiving-side command? Which client path needs the most work? Would you trust this workflow in a real project? Repo: https://github.com/xiaoshuo1988130/acb Feedback discussion: https://github.com/xiaoshuo1988130/acb/discussions/1

2026-05-30 原文 →
AI 资讯

OpenAI Codex vs Google Antigravity: Architecture, Workflow, and Key Differences

AI coding tools are no longer just autocomplete engines. For the last few years, developers used AI mainly to write faster: generate a function, explain an error, complete boilerplate, or suggest a code snippet. That was useful, but the human developer still controlled almost every step. Now the shift is toward agentic software development. Tools like OpenAI Codex and Google Antigravity are not only helping developers write code. They are starting to inspect repositories, understand tasks, edit files, run commands, verify outputs, and return work for human review. But Codex and Antigravity are not the same kind of product. They represent two different architectures for the future of software development. Codex: Delegated Engineering Agent OpenAI Codex is best understood as a delegated software engineering agent. The developer gives it a scoped task: fix a bug, review a pull request, write tests, refactor a module, or implement a defined feature. Codex then works through the codebase, makes changes, runs checks where possible, and returns a result that the developer can review. Its natural workflow is close to how software teams already work: Task → Repository Context → Code Changes → Tests/Checks → Pull Request or Reviewable Output This makes Codex useful for structured engineering work. It fits naturally into GitHub-style workflows, pull requests, code reviews, tests, and CI/CD practices. In simple terms, Codex feels like assigning work to an AI engineer. Antigravity: Agent-Orchestration Environment Google Antigravity takes a different approach. It is better understood as an agent-first development environment. Instead of focusing only on one delegated task, Antigravity is designed around supervising agents inside the development workspace. Agents can operate across the editor, terminal, browser, and artifacts. They can help plan, build, verify, and explain the work. Its workflow looks more like this: Goal → Agent Orchestration → Workspace Execution → Browser Verif

2026-05-30 原文 →
AI 资讯

Every tutorial tells you to add .env to .gitignore. That's not enough.

Here's something nobody talks about. .gitignore doesn't encrypt your secrets. It just hides them from git. They're still sitting on your laptop as plaintext. Every tool you install can read them. Every script that runs can read them. One accidental commit and your database password is public on GitHub forever. So I built dotlock — an encrypted .env vault with a terminal UI, written in Go. Before and after Before dotlock DATABASE_URL = postgres://localhost/myapp # plaintext, readable by anything STRIPE_KEY = sk_live_abc123 # one grep away from anyone After dotlock # .dotlock file on disk — looks like this: [ encrypted binary — unreadable without your private key] How it works under 10 seconds cd my-project dotlock set DATABASE_URL # prompts for value, input is masked dotloc # opens the terminal UI Secrets are encrypted with age — X25519 key agreement and ChaCha20-Poly1305 authenticated encryption. The same primitives serious security engineers use. No master password. No cloud. No telemetry. 100% offline. What it looks like Two panels — profiles on the left, secrets on the right. Values are masked by default. Press v to reveal for 30 seconds, then it hides itself automatically. Switch between dev , staging , and prod profiles. Run a diff before deploying to catch missing variables before they break your app. The interesting technical bit The hardest part wasn't the encryption — filippo.io/age makes that straightforward. It was the TUI. BubbleTea uses the Elm architecture — Model, Update, View. Everything is a message. A keypress is a message. A timer firing is a message. Your Update function receives messages and returns a new model. The 30-second auto-hide on secret reveal works like this — no time.Sleep , no goroutines: type secretReveal struct { key string value [] byte expire time . Time // Now() + 30 seconds } On every render, check if time.Now() is past the expiry. If it is, zero the bytes and clear the display. Simple once you understand the model but it took

2026-05-30 原文 →
AI 资讯

Your JWT decoder might be leaking your tokens. Here's how to check.

Most developers paste production JWTs into online decoders without thinking. Here's a 10-second DevTools check to see if your token is actually leaving your machine. A coworker was debugging an auth bug last month. Standard workflow: copy the JWT from the failing request, paste it into an online decoder, read the payload. I've done it a thousand times. You probably have too. Except the token he pasted belonged to a real customer. And the decoder he used is owned by an identity company that's had its share of security incidents. Nothing bad happened. Probably. But it made me think about something I'd never actually checked: when you paste a JWT into an online decoder, where does that token go? What a JWT actually contains Quick reminder of why this matters. A JWT isn't encrypted — it's just Base64URL-encoded. Anyone who has the token can read everything in it: header.payload.signature The payload routinely contains: User ID, email, and role Session identifiers Token expiry ( exp ) and issue time ( iat ) Sometimes — against best practice — far more And here's the part people forget: a valid, unexpired JWT is a live credential. If it hasn't expired, whoever holds it can often impersonate the user. Pasting it into a random website is functionally similar to pasting a password. The 10-second check Most online JWT decoders claim to be "secure" and "client-side." Some are. Some aren't. You don't have to trust the claim — you can verify it yourself in 10 seconds: Open the decoder in your browser Open DevTools → Network tab Clear the network log Paste a JWT and decode it Watch the Network tab If any request fires when you decode — your token left your machine. A truly client-side decoder fires zero network requests during decoding. The JavaScript does everything locally; nothing is sent anywhere. Try this on whatever decoder you currently use. You might be surprised. Why most "online" tools send data It's usually not malicious. Building decoding logic on the server is someti

2026-05-30 原文 →
AI 资讯

I built a 9-agent AI dev team in a Claude Code plugin — here's what happened

The moment I realized AI coding assistants were broken I was building a side project — a simple task manager app. I opened Claude Code, typed: "Add user authentication with email and password login" …and hit enter. Twenty minutes later, I had code. A lot of code. Authentication logic, routes, middleware, even some basic tests. But there was a problem. The frontend (me, on a different day) had assumed a different API shape. The tests only covered the happy path. There was no architecture decision to reference — I just picked JWT because it felt right. And the docker-compose.yml ? It didn't exist yet. I had AI-generated code, but no real software development workflow. What was actually missing Good software isn't just code. Before you write a single line, you need: A spec that everyone (including future-you) agrees on An architecture decision that explains the why Backend and frontend designed to talk to each other Tests that prove things actually work A code review that catches security holes before they ship A deployment config that someone can actually run Normally, a team handles all of this. A PM writes the spec. An architect proposes options. Engineers implement and review each other's work. A DevOps person sets up CI/CD. What if AI could fill all those roles? Building the pipeline I built claude-dev-pipeline — a Claude Code plugin that orchestrates a team of specialized AI agents, each with a specific job. airwaves778899 / claude-dev-pipeline 7-agent full-stack development pipeline plugin for Claude Code — PM → Architect → Backend → Frontend → QA → Reviewer → DevOps claude-dev-pipeline A Claude Code plugin that orchestrates 7 specialized AI agents to take your feature request all the way from requirements analysis to production deployment — with a human-in-the-loop checkpoint at every phase. 中文說明 Why? Writing a feature involves more than just code. You need: A clear spec that everyone agrees on An architecture decision before you write a single line Backend and

2026-05-29 原文 →