AI 资讯
OTP Verification in Playwright Without Regex
Every developer who has written a Playwright test for OTP verification has written this line: const otp = email . body . match ( / \b\d{6}\b / )?.[ 0 ]; It works. Until it doesn't. The email body changes format. The OTP appears inside an HTML table. The sending service wraps it in a <span> . Your regex matches a phone number instead of the code. The test fails intermittently and you spend an hour debugging something that has nothing to do with the feature you're testing. The regex problem OTP extraction via regex is brittle by nature. You're pattern-matching against a string that your email sending service controls — not you. Any time the template changes, your tests break. Here's what a typical OTP test looks like today: import { test , expect } from ' @playwright/test ' ; import { ZeroDrop } from ' zerodrop-client ' ; const mail = new ZeroDrop (); test ( ' user can verify OTP ' , async ({ page }) => { const inbox = mail . generateInbox (); // 1. Trigger OTP send await page . goto ( ' /login ' ); await page . fill ( ' [data-testid="email"] ' , inbox ); await page . click ( ' [data-testid="submit"] ' ); // 2. Wait for email const email = await mail . waitForLatest ( inbox , { timeout : 15000 }); // 3. Extract OTP — the fragile part const otp = email . body . match ( / \b\d{6}\b / )?.[ 0 ]; if ( ! otp ) throw new Error ( ' OTP not found in email body ' ); // 4. Enter OTP await page . fill ( ' [data-testid="otp"] ' , otp ); await page . click ( ' [data-testid="verify"] ' ); await expect ( page ). toHaveURL ( ' /dashboard ' ); }); The test works — but line 14 is carrying all the risk. Change the email template and the test breaks. Add a phone number to the footer and the regex matches the wrong number. Send a 4-digit OTP instead of 6 and you need to update the pattern. OTP extraction at the edge ZeroDrop extracts OTPs before they reach your test. The Cloudflare Worker that catches incoming emails runs a pattern match on the plain-text body and stores the result alongsi
AI 资讯
How to Check If an Online JSON Formatter Uploads Your Data
Most developers have done this at least once. You get a messy API response. You need to inspect a JWT. You have a webhook payload, a log object, or a config file that is hard to read. So you open a JSON formatter, paste the content, and move on. That habit is convenient. But it also deserves a second look. Not every JSON tool behaves the same way. Some tools process your input entirely in the browser. Some send content to a server. Some store snippets for sharing. Some extensions have permissions that are broader than you expect. The problem is not that every online formatter is unsafe. The problem is that you often do not know what happens after you paste. What you should avoid pasting blindly Before using any random online tool, be careful with: production JWTs API responses containing user data logs from real systems config files webhook payloads database URLs cloud keys internal endpoints tenant IDs error traces from production systems A JSON payload does not need to contain an obvious password to be sensitive. Sometimes the risky part is context: user IDs, internal URLs, tokens, customer data, or system structure. A quick DevTools check You can do a basic check with your browser’s DevTools. Open the JSON tool. Open DevTools. Go to the Network tab. Clear existing requests. Paste a harmless test JSON first. Run format, validate, diff, decode, or whatever action the tool provides. Watch the Network tab. Look for POST, PUT, fetch, XHR, or beacon requests after your input. Inspect request payloads if they exist. Check whether your pasted JSON appears in any request. Do this with harmless test data first. If the tool uploads the test JSON, do not paste production content into it. What to look for A few signs deserve attention: POST requests after you paste or click format request bodies containing your JSON share-link features that save snippets server-side validation APIs analytics events that include pasted content extension background requests that are not clearly
AI 资讯
How Do You Integrate Penetration Testing into CI/CD?
Modern software delivery pipelines can deploy code dozens or even hundreds of times per day. Traditional penetration testing models, where security teams perform assessments quarterly or before major releases, simply cannot keep pace. Attackers do not wait for the next security review. Every pull request, dependency update, infrastructure change, or container image introduces potential risk. Integrating penetration testing into CI/CD enables organizations to identify vulnerabilities before they reach production. The goal is not replacing human penetration testers. The goal is automating everything that can be automated so security experts can focus on complex attack paths and business logic flaws. Understanding Security Testing Layers in CI/CD Security testing is often misunderstood because multiple categories overlap. Testing Type Purpose SAST Analyze source code SCA Detect vulnerable dependencies DAST Test running applications IAST Runtime security analysis Penetration Testing Simulate attacker behavior Penetration testing combines elements of all these approaches. A mature CI/CD pipeline continuously performs automated penetration testing while reserving manual testing for sophisticated attack scenarios. Designing a Security-First CI/CD Architecture A security-centric pipeline typically looks like: Developer Commit ↓ Pre-Commit Security Checks ↓ Pull Request Validation ↓ Build Stage ↓ Container Security Scan ↓ Infrastructure Validation ↓ Deploy to Staging ↓ Automated Penetration Testing ↓ Security Gate ↓ Production Deployment Each stage eliminates vulnerabilities before they become more expensive to fix. Stage 1: Pre-Commit Security Controls The cheapest vulnerability is the one that never reaches Git. Secret Detection Install TruffleHog or Gitleaks before code reaches the repository. repos : - repo : https://github.com/gitleaks/gitleaks rev : v8.20.0 hooks : - id : gitleaks Developer installation: pip install pre-commit pre-commit install Now every commit is aut
AI 资讯
TipTap is not broken. Your expectations are.
Since the Umbraco 16 release, Umbraco ships only with the TipTap Rich Text Editor. This was unfortunately something that Umbraco was forced to do. TinyMce 7 has a license that is incompatible with the open source license of Umbraco and TinyMce 6 was going out of support. So an alternative had to be found. Umbraco did a pretty good job at abstracting the rich text data. In Umbraco 15 both TinyMCE and TipTap were still present and exchangeable because of this abstraction. And arguably, the way you can set up your toolbars for the TipTap editor is superior to TinyMCE. But still, a new Rich Text Editor is a big change that presents real challenges. These challenges are most obvious when looking at the Umbraco forum's tip-tap tag . Topics vary, but a few come up again and again: Additional HTML tags getting added to the markup, like a <p> tag inside a <li> The inability to add certain tags to TipTap, like <script> tags The inability to add styling to an element, for instance to create a link that looks like a button These are valid challenges, especially if you're upgrading from an existing TinyMCE setup. But this is also a good moment to ask two questions: Why do I want the same behaviour? And was the old behaviour actually any good to begin with? You don't have to migrate everything at once Before getting into that, it's worth knowing that TinyMCE is still available as a community package for Umbraco 16+. If you're in the middle of a project, dealing with a large codebase, or just not ready to rethink your Rich Text Editor setup right now, that's a valid escape hatch. Swap in the package, keep things running, and give yourself time to migrate properly. But "later" should still be on the roadmap. The package is community maintained, not an official Umbraco product, so there are no guarantees around long-term support or compatibility with future Umbraco versions. Relying on it indefinitely carries the same risk as the situation Umbraco just came out of with TinyMCE 6. So
开发者
Building Lightweight PHP Microservices with webrium/core — No Framework Bloat Required
Do you really need a full framework to handle a few API endpoints or webhooks? Laravel and Symfony are excellent tools — for large applications. But when you're building a focused microservice, a webhook receiver, or a lightweight REST API, bootstrapping a full-stack framework means carrying hundreds of files, a massive autoloader, and a dependency tree you'll never fully use. That's the problem webrium/core was built to solve: a minimalist, zero-dependency PHP micro-framework written entirely from scratch, designed to stay out of your way. Installation composer require webrium/core That's it. No configuration files to publish, no service providers to register. The Entry Point Every webrium application starts with the same three lines: <?php require_once __DIR__ . '/vendor/autoload.php' ; use Webrium\App ; use Webrium\Route ; App :: initialize ( __DIR__ ); // ... your routes here App :: run (); App::initialize() sets the root path and loads the global helper functions. App::run() initializes error handling and dispatches the current request through the router. Routing The router supports all standard HTTP methods. Route handlers can be closures, a Controller@method string, or an [Controller::class, 'method'] array. Basic routes: Route :: get ( '/status' , fn () => [ 'status' => 'alive' ]); Route :: post ( '/items' , fn () => [ 'created' => true ]); Route :: put ( '/items/{id}' , fn ( $id ) => [ 'updated' => $id ]); Route :: patch ( '/items/{id}' , fn ( $id ) => [ 'patched' => $id ]); Route :: delete ( '/items/{id}' , fn ( $id ) => [ 'deleted' => $id ]); Route handlers return an array — the framework automatically encodes it as JSON and sends the correct Content-Type header. Dynamic parameters: Route :: get ( '/users/{id}/posts/{postId}' , function ( $id , $postId ) { return [ 'user_id' => $id , 'post_id' => $postId , ]; }); Named routes: Route :: get ( '/users/{id}' , fn ( $id ) => [ 'id' => $id ]) -> name ( 'users.show' ); // Generate the URL elsewhere: $url = rout
AI 资讯
I Built an AI Tools Directory: Looking for Feedback and Feature Suggestions!
Hey developers! I have been working on a side project to help people discover the best AI tools in one place. It is a curated directory designed to be clean, fast, and user-friendly. You can check it out live here: GetNexusAI Tech Stack Used: Next.js / React Tailwind CSS Vercel for hosting Why I Built This: Finding the right AI tool among thousands of options can be overwhelming. I wanted to create a simple dashboard where users can easily filter and find exactly what they need without the clutter. I Need Your Help! Since I just launched it, I would love to get your honest feedback: How is the loading speed and UI/UX? What features should I add next (e.g., user reviews, bookmarking tools)? If you have built an AI tool, let me know so I can feature it! Check the website here: https://getnexusai.tech
AI 资讯
The most popular AI coding skills right now
Introduction It's crazy to me that some GitHub repos, that were just created in the last...
AI 资讯
Building a Chrome Extension to Make AI Use More Intentional
After posting several articles about the impact of AI on developers and sharing resources to help...
AI 资讯
Day 31 of learning MERN Stack
Hello Dev Community! 👋 It is officially Day 31 — stepping straight into my second month of documented full-stack engineering! Fresh off the 30-day milestone yesterday, I decided to keep the engineering momentum high by building a classic browser game: Rock, Paper, Scissors using HTML5, CSS3, and vanilla JavaScript. After mastering API integration yesterday, today was about refinement—handling dynamic score states, tracking user choices, and creating a clean automated opponent engine. 🛠️ The Core Logic Architecture To make the game interactive and clean, I divided the code structure into distinct logical components: 1. Capturing User Selection I assigned the choices (rock, paper, scissors) to clickable image/div nodes in the layout. Instead of writing repetitive lines, I used a forEach array loop to attach an addEventListener("click", ...) to each choice, pulling the user's explicit selection instantly via DOM attributes. 2. The Computer's Automated AI Brain Since a computer cannot pick words, I mapped out an array of strings: ["rock", "paper", "scissors"] . I then utilized JavaScript's math utility library to generate a randomized index number: javascript const genCompChoice = () => { const options = ["rock", "paper", "scissors"]; const randIdx = Math.floor(Math.random() * 3); return options[randIdx]; };
AI 资讯
Fable 5 or Feeble 5? Claude's New Safety Filters are Funny
Do you know Pulled Pork recipes and snakes games are being blocked by Claude Fable’s safety features? We will discuss this later in the article. Claude Fable 5 is the most capable AI model made till date, and it is generally ranked top by nearly every benchmark. The company Avidclan Technologies has a blog already covering the full Claude Fable 5 timeline from Project Glasswing to launch day, if you want to gather more information. But today in this blog we will be discussing about its safety classifiers, designed to stop bioweapon synthesis and cyberattacks, which are currently flagging... pulled pork. Fable 5 vs Mythos 5, what’s the difference in simple terms? Quick context: We can say that Fable 5 is the child of Claude Mythos 5. Now the question is, what is this Mythos 5? According to Anthropic, it is a system that is capable of finding software vulnerabilities that Anthropic restricts to vetted cyber-defence partners only. Anthropic bolted on two-stage classifiers monitoring four categories to release the public version, the four categories are cybersecurity, biology, chemistry, and model distillation, and this distilled model is Fable 5* ( This is what Anthropic says, not us) * This is what grabs attention: Fable 5 will not refuse flagged prompts. It will silently send your request to Claude Opus 4.8 (the previous flagship), which answers instead. You will get a notification, the conversation continues, and nobody hits a brick wall. Anthropic says “this triggers in less than 5% of sessions and that against 30 public jailbreaks on cyberattack planning, Fable 5 compiled exactly zero times.” On paper, it looks elegant, right? But in practice? Oh my god.. Can Claude Fable 5 give wrong answers? Yes, False Positive Every one of these is a documented, real example from the first two days: A Costco shopping list. A user asked for portion sizes for pulled pork sandwiches. Flagged as a biology/cybersecurity concern. Sheep RNA data. A researcher working with RNA sequenci
AI 资讯
Docker Security Best Practices for Beginners
Docker is a game-changer for developers—making it easier to package, ship, and run applications. But with great power comes great responsibility. Whether you're running containers in development or production, security should never be an afterthought . In this post, I'll walk you through beginner-friendly Docker security practices that will help you build safer containers from the start. No enterprise jargon—just practical, actionable tips. Why Care About Docker Security? Containers may feel isolated, but they share the host OS kernel. This means: A compromised container could lead to host compromise. Vulnerabilities in container images can be exploited. Misconfigured containers can unintentionally expose sensitive data or ports. Docker Security Best Practices for Beginners This post is a follow-up to my previous article, Docker Like a Pro: Essential Commands and Tips , where we explored fundamental Docker commands and tips. Building upon that foundation, this guide focuses on essential security practices to help you build safer containers from the start. Docker has revolutionized the way developers build, ship, and run applications. However, with great power comes great responsibility. Whether you're running containers in development or production, security should never be an afterthought. In this post, I'll walk you through beginner-friendly Docker security practices that will help you build safer containers from the start. No enterprise jargon—just practical, actionable tips. Why Care About Docker Security? Containers may feel isolated, but they share the host OS kernel. This means: A compromised container could lead to host compromise. Vulnerabilities in container images can be exploited. Misconfigured containers can unintentionally expose sensitive data or ports. 1. Use Official Images When Possible Start by pulling images from Docker Hub’s verified publishers or official repositories. Use this: docker pull node:18 Not this (could be outdated or malicious): doc
AI 资讯
Making "files never leave your browser" verifiable with DevTools and CSP
"Files never leave your browser" is becoming standard copy for PDF tools, image editors, and document converters. But a trust claim and a verifiable fact are different things. Here's how to turn "zero upload" into something any user can audit in about two minutes, and how to enforce it at the browser level so it isn't just a promise. Step 1: Read the Network panel Open DevTools → Network, enable "Disable cache", reload. While processing a file, filter by "Fetch/XHR" and "Doc". A genuinely client-side tool should show only HTML/CSS/JS/WASM asset loads — no POST requests, no GETs carrying file content in query parameters. The non-obvious trap: third-party analytics, Google Fonts, and CDNs all show up as outbound requests. If you claim zero uploads, those count too. The honest move is to self-host fonts and scripts and drop analytics entirely, so the request list is genuinely short enough to eyeball. The Network panel is the human-readable check. The next part is what actually makes it hold. Step 2: Enforce egress with CSP connect-src This is the piece people get backwards, so it's worth stating precisely. CSP's connect-src is an egress allowlist the browser enforces before the request is sent . A fetch /XHR to an origin that isn't on the list is blocked by the browser and never leaves the machine. You'll see it fail in the console as a CSP violation, with no entry in the Network tab going out to that origin. This includes no-cors requests. no-cors is sometimes assumed to be an escape hatch, but it isn't one for this purpose. All no-cors does is let you issue a cross-origin request while making the response opaque (you can't read the body). It does not bypass connect-src : if the target origin isn't in your connect-src allowlist, the no-cors request is blocked exactly the same way — it never goes out. So you can't smuggle a file out to a third party with no-cors under a tight CSP. That's what makes CSP the actual proof, not just documentation. Tighten connect-src to 's
开发者
Stop Rewriting UI Components for Every Project
Ever started a new project and found yourself rebuilding the same modal, dropdown, toast notification, tabs, and switches for the 20th time? I got tired of that. So I built UltraHTML , a lightweight UI library that gives you modern components with simple HTML and JavaScript, no framework required. Getting Started Include the CSS and JS files: <link rel= "stylesheet" href= "dist/ultra.css" > <script src= "dist/ultra.js" ></script> Initialize UltraHTML: Ultra . init (); Done. Buttons UltraHTML includes two button styles out of the box: ultra-button — a clean, modern button. ultra-button-wave — adds a wave/ripple-style interaction effect. Basic button: <button class= "ultra-button" > Simple Button </button> Wave button: <button class= "ultra-button ultra-button-wave" > Wave Button </button> Buttons use UltraHTML's default green theme, but because they're standard HTML elements, you can easily customize them with CSS. For example, here's a red button that displays a popup message: <button onclick= "Ultra.popupmsg('Hello from UltraHTML!')" class= "ultra-button ultra-button-wave" style= "background-color: red" > Show Popup </button> You can create buttons that match your site's branding without learning a separate theming system: <button class= "ultra-button" style= "background-color: #3b82f6;" > Blue Button </button> <button class= "ultra-button ultra-button-wave" style= "background-color: #f59e0b;" > Orange Button </button> <button class= "ultra-button ultra-button-wave" style= "background-color: #ef4444;" > Red Button </button> UltraHTML handles the styling and interactions while still giving you full control over how your buttons look. Modal Example Need to display important information? <script> window . addEventListener ( " load " , () => { Ultra . init (); Ultra . modal ({ head : " Important " , text : " You need to reset your password " , buttonText : " Reset " , buttonAction : ( modal ) => { console . log ( " Going to reset page... " ); modal . remove (); } }); }
AI 资讯
I scraped Chrome Web Store reviews to find abandoned extensions that still have 100k+ users
I've shipped 4 Chrome extensions and 2 VS Code extensions. The advice that always sounds smart — "find a popular extension the dev abandoned, rebuild it better" — is miserable in practice. You open the Web Store, see 100k users and a 4.4 rating, think you found gold, then burn a weekend reading reviews only to realize half the complaints are unfixable traps (sync died, login broke, backend gone). So I built a small pipeline to do the boring part automatically. The method Scrape public Chrome Web Store metadata — users, rating, last-updated date. Filter: 20k–300k users, 18+ months without an update, rating 3.3–4.4 (good enough to prove demand, bad enough to prove pain). Pull up to 50 recent reviews per candidate via public CWS data. Score each one: score = log10(users)10 + months_stale0.5 + feature_request_count2 - trap_count1.5 The key part is trap_count — I subtract points for complaints about sync/login/server issues, because those are unfixable without inheriting someone else's dead backend. High "demand" with high trap count is a mirage. One example Extension Manager — 100k users, 4.4★, last updated ~25 months ago. Looks healthy until you read the 1–2★ reviews: "The site-specific rules feature simply does not work… the core feature advertised is broken." "It won't save any changes made… extensions are re-enabled automatically." A user even posted an RCE report: the dev parses JSON with a Function(str)() fallback — executing arbitrary code from untrusted input. That's not "build a clone." That's "fix the rules engine, kill the eval, add local backup, ship something 100k people already want." The counterintuitive part The highest-scoring extension in my list (200k users, abandoned ~4 years) is actually the worst business opportunity — it's a simple toggle utility whose users will never pay, and the original asks for camera/mic permissions (adware-grade). Raw download counts would put it at the top of your build list. Revenue potential buries it. That gap between "
开发者
There Is No Perfect Solution in Software Development: Every Decision is a Tradeoff
Most bad decisions in software engineering aren't made because the engineer chose wrong between two...
AI 资讯
Picking a Phone Verification Method: SMS, Flash Call, Phone Call, and Data Verification
When your app needs to confirm that a user actually owns the phone number they gave you, the pattern looks the same from the outside: send something to the device, user usually confirms it. Under that surface, there are four distinct approaches using phone and carrier networks, each with different security characteristics, user experiences, and requirements. The right one depends on your context. If you want the implementation side, the Sinch Verification API is a good starting point. I've covered the code in detail in Phone-Based User Verification in TypeScript and Python . The four methods Method Delivery User action Requires mobile data SMS OTP Text message Read and type a numeric code (auto-fill possible on Android) No Flash Call Missed call (caller ID is the code) None (Android SDK) / Enter caller ID (iOS, web) No Phone Call Verification Inbound phone call Listen and type a numeric code No Data Verification Carrier network check None Yes The differences matter more than they appear in that table. SMS OTP The default choice for most apps. It works on any phone, any network, over Wi-Fi or cellular. Your users already know what to do with a six-digit code. Delivery is global, the integration is straightforward, and it pairs with any backend. On Android, the SMS Retriever API makes auto-fill possible: the mobile SDK can read the incoming message and fill the code without user input, if your app implements it. Most apps don't, so users typically still read and type the code manually. The trade-off is that a code the user can read is a code that can be relayed, whether by accident or by a phishing page. For most consumer flows that's an acceptable trade. For account recovery or financial transactions, you may want to weigh methods where no code changes hands at all. Flash Call A call is placed to the user's number and immediately disconnected. The incoming caller ID is the verification code. On Android, the mobile SDK can intercept the caller ID automatically, comple
AI 资讯
Build a Private AI App Platform with Dify and Ollama
Build custom AI apps - chatbots, RAG pipelines, and agents - entirely on your own hardware with Dify and Ollama. No monthly fees, no data leaving your network. What You Need A GPU with 12GB+ VRAM (RTX 3060 12GB or better) Docker + Docker Compose 2.24.0+ About 20 minutes Architecture Component Role Dify Visual app builder, RAG engine, agent framework, API layer Ollama Serves local models via OpenAI-compatible API Qwen3 14B Default model - strong general chat, fits 12GB at Q4 Setup Step 1: Start Ollama docker run -d --gpus all -p 11434:11434 --name ollama \ -v ollama:/root/.ollama \ ollama/ollama Pull your default model: docker exec ollama ollama pull qwen3:14b Step 2: Start Dify git clone https://github.com/langgenius/dify.git cd dify/docker cp .env.example .env docker compose up -d Step 3: Connect Ollama to Dify Open http://localhost/install and create your admin account Go to Settings > Model Provider Click Ollama and fill in: Model Name: qwen3:14b Base URL: http://host.docker.internal:11434 (Docker Desktop) or http://YOUR_IP:11434 (Linux) Click Save Build Your First App Chatbot Studio > Create Application > Chatbot. Select your model, add a system prompt, publish. Your chatbot gets a public URL and API endpoint. RAG Pipeline Knowledge > Create Knowledge. Upload documents, choose chunking strategy, create an app that uses this knowledge base. Now your chatbot answers from your documents. Agent Studio > Create Application > Agent. Add tools (web search, code interpreter), give it a goal, Dify orchestrates the tool calls. Cost vs Cloud Local Dify Cloud + OpenAI Monthly $0 $59-599 + API usage Hardware ~$300 once $0 Data privacy Stays on your machine Sent to cloud AI calls Unlimited, free Per-token billing After about 5 months the GPU has paid for itself versus a mid-tier Dify Cloud plan. Full guide with detailed troubleshooting and alternatives: https://everylocalai.com/stack/dify-ollama-local-app-builder
AI 资讯
Stop Writing Boilerplate API Responses: Meet BaR-js
We've all been there: you’re building an endpoint, and for the hundredth time, you’re typing out res.status(200).json({ success: true, data: ... }) . It feels repetitive, and honestly, it’s a recipe for inconsistency across your API. I wanted to fix that, so I built BaR-js . What is it? BaR (Builder a Response) is a lightweight, framework-agnostic TypeScript library designed to help you serve API responses like a pro—almost like a bartender mixing a drink. It strips away the JSON clutter and ensures every response you send follows a consistent, production-ready schema. Why use it? Consistency: Every endpoint speaks the same language. Fluent API: You can use a chainable syntax like res.builder.as.ok(data) instead of manually crafting objects every time. Traceability: It automatically handles request_id and timestamps, making debugging so much easier. Type Safety: Built with strict TypeScript, so you get great IntelliSense support. It’s this simple: import express from ' express ' ; import { BarExpressAdapter } from " @vorlaxen-labs/bar-js " ; const app = express (); // 1. Configure the adapter const bar = new BarExpressAdapter ({ environment : ' production ' , logger : console , }); // 2. Register it as middleware // This injects `res.builder` and `req.bar` into every route! app . use ( bar . handler ()); // Now you can use it in any route app . get ( ' /user ' , ( req , res ) => { return res . builder . as . ok ({ name : ' John ' }). build (); }); Why "BaR"? I like the idea that "your code is a work of art, and your responses are its signature." The clearer your response schema, the more professional and valuable your API feels to whoever is consuming it. The project is still fresh, and I’d love to hear what you think. If you’re looking to clean up your API layer, give it a spin! Feedback, issues, or PRs are more than welcome. Check it out on GitHub: https://github.com/vorlaxen-labs/bar-js Grab it from NPM: https://www.npmjs.com/package/@vorlaxen-labs/bar-js Cheers!
AI 资讯
Prompt Caching in LLMs: The Hidden Optimization Saving Millions of GPU Hours
Hello, I'm Shrijith Venkatramana. I'm building git-lrc, an AI code reviewer that runs on every commit. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product. Every developer eventually discovers the same frustrating pattern. Your application sends a 20,000-token prompt to an LLM. The first request takes 2 seconds. The next request contains the exact same 20,000 tokens plus a tiny user message at the end. And somehow the model processes the entire thing again. At least, that's what many developers assume. Modern LLM systems have a trick called prompt caching that can dramatically reduce latency and cost by reusing work from previous requests. But unlike traditional application caches, prompt caching isn't storing generated text. It's storing something much deeper inside the model. To understand how prompt caching works, we need to follow a prompt all the way through the transformer itself. The Expensive Part of Processing a Prompt When a prompt enters a transformer model, it isn't immediately generating text. First, the model must process every input token through every layer of the network. Imagine a prompt like: System: You are a helpful coding assistant. Project Documentation: [20,000 tokens of documentation] User: How does authentication work? Before generating a single output token, the model performs: Tokenization Embedding lookup Multi-head attention Feed-forward networks Layer normalization ...across dozens or even hundreds of transformer layers. For a large model, this preprocessing is often more expensive than generating a short answer. If another user asks: System: You are a helpful coding assistant. Project Documentation: [Same 20,000 tokens] User: Explain the database schema. Most of the prompt is identical. Without caching, the model would recompute everything from scratch. Prompt caching exists to avoid that waste. The Key Insight: Cache Internal Transformer State, Not Text A common misconception
开发者
Word Scrambling as a Learning Mechanic: Tools, Theory, and Classroom Applications
Word scrambling is a deceptively simple mechanic. Rearrange the letters of a word, ask someone to restore the original — that's the entire game loop. But underneath that simplicity is a cognitive process that language researchers find genuinely interesting, and that developers building educational tools keep returning to. The Cognitive Mechanics of Unscrambling When a learner attempts to unscramble a word, they're engaging several parallel cognitive processes: pattern recognition (matching letter combinations to phonemes they know), memory retrieval (searching their lexical database), and hypothesis testing (trying a mental arrangement before committing). It's a lightweight version of the same cognitive work that makes retrieval practice so effective in spaced repetition systems. For language learners specifically, this is high-value low-stakes practice. The scrambled form gives enough context to confirm the answer upon success — no ambiguity like a multiple-choice distractor — while requiring genuine active recall. Implementation Considerations for Developers If you're building a word scramble feature into an educational app, a few things matter: Avoiding anagram collisions: "SILENT" → "LISTEN" is a classic example. Your scrambling algorithm needs to detect valid English words in the output and regenerate if it creates a different real word. A dictionary API lookup on the scrambled result handles this. Difficulty calibration: Longer words and words with repeated letters (like "BALLOON") are objectively harder to unscramble. A good difficulty curve starts with 4–5 letter words and increases length progressively. First/last letter anchoring: Keeping the first and last letters in position is a widely used technique to reduce cognitive load. It's psychologically effective — people anchor on word edges more than the interior. Using Existing Tools vs. Building Your Own For most educational content creators and teachers (non-developers), building their own tool isn't feas