Show HN за 30 марта 2026 г.

I just had the best time learning about the REWE (German supermarket chain) API, how they use mTLS and what the workflows are. Also `mitmproxy2swagger`[1] is a great tool to create OpenAPI spec automatically.

And then 2026 feels like the perfect time writing Haskell. The code is handwritten, but whenever I got stuck with the build system or was just not getting the types right, I could fall back to ask AI to unblock me. It was never that smooth before.

Finally the best side projects are the ones you actually use and this one will be used for all my future grocery shopping.

[1]https://github.com/alufers/mitmproxy2swagger

I'm excited to introduce Zerobox, a cross-platform, single binary process sandboxing CLI written in Rust. It uses the sandboxing crates from the OpenAI Codex repo and adds additional functionalities like secret injection, SDK, etc.

Watch the demo: https://www.youtube.com/watch?v=wZiPm9BOPCg

Zerobox follows the same sandboxing policy as Deno which is deny by default. The only operation that the command can run is reading files, all writes and network I/O are blocked by default. No VMs, no Docker, no remote servers.

Want to block reads to /etc?

  zerobox --deny-read=/etc -- cat /etc/passwd

  cat: /etc/passwd: Operation not permitted

How it works:

Zerobox wraps any commands/programs, runs an MITM proxy and uses the native sandboxing solutions on each operating system (e.g BubbleWrap on Linux) to run the given process in a sandbox. The MITM proxy has two jobs: blocking network calls and injecting credentials at the network level.

Think of it this way, I want to inject "Bearer OPENAI_API_KEY" but I don't want my sandboxed command to know about it, Zerobox does that by replacing "OPENAI_API_KEY" with a placeholder, then replaces it when the actual outbound network call is made, see this example:

  zerobox --secret OPENAI_API_KEY=$OPENAI_API_KEY --secret-host OPENAI_API_KEY=api.openai.com -- bun agent.ts

Zerobox is different than other sandboxing solutions in the sense that it would allow you to easily sandbox any commands locally and it works the same on all platforms. I've been exploring different sandboxing solutions, including Firecracker VMs locally, and this is the closest I was able to get when it comes to sandboxing commands locally.

The next thing I'm exploring is `zerobox claude` or `zerobox openclaw` which would wrap the entire agent and preload the correct policy profiles.

I'd love to hear your feedback, especially if you are running AI Agents (e.g. OpenClaw), MCPs, AI Tools locally.

Hi HN - We've been working on Coasts (“containerized hosts”) to make it so you can run multiple localhost instances, and multiple docker-compose runtimes, across git worktrees on the same computer. Here’s a demo: https://www.youtube.com/watch?v=yRiySdGQZZA. There are also videos in our docs that give a good conceptual overview: https://coasts.dev/docs/learn-coasts-videos.

Agents can make code changes in different worktrees in isolation, but it's hard for them to test their changes without multiple localhost runtimes that are isolated and scoped to those worktrees as well. You can do it up to a point with port hacking tricks, but it becomes impractical when you have a complex docker-compose with many services and multiple volumes.

We started playing with Codex and Conductor in the beginning of this year and had to come up with a bunch of hacky workarounds to give the agents access to isolated runtimes. After bastardizing our own docker-compose setup, we came up with Coasts as a way for agents to have their own runtimes without having to change your original docker-compose.

A containerized host (from now on we’ll just say “coast” for short) is a representation of your project's runtime, like a devcontainer but without the IDE stuff—it’s just focused on the runtime. You create a Coastfile at your project root and usually point to your project's docker-compose from there. When you run `coast build` next to the Coastfile you will get a build (essentially a docker image) that can be used to spin up multiple Docker-in-Docker runtimes of your project.

Once you have a coast running, you can then do things like assign it to a worktree, with `coast assign dev-1 -w worktree-1`. The coast will then point at the worktree-1 root.

Under the hood the host project root and any external worktree directories are Docker-bind-mounted into the container at creation time but the /workspace dir, where we run the services of the coast from, is a separate Linux bind mount that we create inside the running container. When switching worktrees we basically just do umount -l /workspace, mount --bind <path_to_worktree_root>, mount --make-rshared /workspace inside of the running coast. The rshared flag sets up mount propagation so that when we remount /workspace, the change flows down to the inner Docker daemon's containers.

The main idea is that the agents can continue to work host-side but then run exec commands against a specific coast instance if they need to test runtime changes or access runtime logs. This makes it so that we are harness agnostic and create interoperability around any agent or agent harness that runs host-side.

Each coast comes with its own set of dynamic ports: you define the ports you wish to expose back to the host machine in the Coastfile. You're also able to "checkout" a coast. When you do that, socat binds the canonical ports of your coast (e.g. web 3000, db 5432) to the host machine. This is useful if you have hard coded ports in your project or need to do something like test webhooks.

In your Coastfile you point to all the locations on your host-machine where you store your worktrees for your project (e.g. ~/.codex/worktrees). When an agent runs `coast lookup` from a host-side worktree directory, it is able to find the name of the coast instance it is running on, so it can do things like call `coast exec dev-1 make tests`. If your agent needs to do things like test with Playwright it can so that host-side by using the dynamic port of your frontend.

You can also configure volume topologies, omit services and volumes that your agent doesn't need, as well as share certain services host-side so you don't add overhead to each coast instance. You can also do things like define strategies for how each service should behave after a worktree assignment change (e.g. none, hot, restart, rebuild). This helps you optimize switching worktrees so you don't have to do a whole docker-compose down and up cycle every time.

We'd love to answer any questions and get your feedback!

We have pegboards and plywood all over our apartment, and I had an idea to make a tiny pegboard for my kid, Oli. So I naturally cut the wood, drilled in the holes, sat down at the computer to open Fusion 360 and spend an hour or two drawing the pieces by hand.

Then I looked at the rough sketch Oli and I had made together, took a photo of it, pasted it into Codex, and gave it just two dimensions: the holes are 40mm apart and the pegs are 8mm wide.

To my surprise, 5 minutes later my 3D printer was heating up and printing the first set.

I ran it a few times to tune the dimensions for ideal fit, but I am posting the final result as a repository in case anyone else wants to print one, tweak it, or have fun with it too. I am already printing another one to hang on our front door instead of a wreath, so people visiting us have something fun and intriguing to play with while they knock.

This is also going onto my list of weird uses of AI from the last few months.

This post explains why a 2-row, 16-key keyboard structure is a natural fit for mobile environments and how it scales. It also explores the rationale behind key features of QWERTY mini Pro, including the integration of standard and wide layouts, fast switching, and efficient input.

I'm a CTO with a ~16-person engineering team. Last year I wanted real data on what was actually shipping, not guesswork or story point theater. So we built GitVelocity.

Every merged PR gets scored 0–100 by Claude across six dimensions: scope (0–20), architecture (0–20), implementation (0–20), risk (0–20), quality (0–15), perf/security (0–5). Six dimensions added up, then scaled by change size — a 10-line fix scores lower than a 500-line refactor even at the same complexity. Full formula at gitvelocity.dev/scoring-guide.

After scoring 50,000+ PRs across TypeScript, Python, Rust, Go, Java, Elixir, and more, some things surprised us:

Big PRs don't automatically score high. An 800-line migration with low complexity scores worse than a 200-line architectural change. Size gets you the full multiplier, but the base score still has to earn it.

You can't score well without tests. The quality dimension (0–15) won't give you points without test coverage. At similar experience levels, this was the clearest separator between engineers.

Juniors started outscoring some seniors. They adopted AI tools faster and took on harder problems. Once they could see their own scores, they aimed higher.

We score AI-generated code the same as human-written code. Code is code. An engineer who uses AI to ship more complex work faster is more productive, and their scores reflect that.

Scoring consistency was the hardest technical problem. Without reference examples anchoring each dimension, Claude's scores drifted 15+ points between runs. With 18 calibrated anchors (three per dimension at low/mid/high), we got it down to 2–4 points on the same PR.

The thing we didn't expect was behavioral. We call it the Fitbit effect — the tool doesn't make you ship better code, but seeing the score does. Engineers started referencing their own scores in 1:1s unprompted, because the numbers matched what they already felt about their work. A junior who shipped a tricky concurrency fix could point to a score that proved it wasn't "just a small PR."

We recently added team benchmarks (gitvelocity.dev/demo/benchmarks). Once you're scoring PRs, you can see how your team compares to others across the dataset — about 1,000 engineers on 60 teams so far. Headline's team ships faster than roughly 95% of them, which was nice to confirm but also made us wonder who the other 5% are. The competitive angle surprised us: teams that were skeptical about individual scores got genuinely curious once they could measure themselves against the field.

Every score is fully visible to the engineer who wrote the PR, with per-dimension breakdowns and reasoning. There's no hidden dashboard that management sees and engineers don't.

Free, BYOK (your Anthropic API key). We default to Sonnet 4.6, which scores nearly as well as Opus 4.6 at a fraction of the cost — but you can switch models if you want. Pennies per PR either way. No source code stored, diffs analyzed and discarded. Works with GitHub, GitLab, and Bitbucket.

Ask me anything about the scoring methodology, how we solved calibration, or what it was actually like rolling this out to a team.

I built a lightweight Neovim GUI client for macOS. The goal was something simple — just render Neovim in a proper macOS window with multi-window support, like MacVim did for Vim.

Features:

  - Metal GPU-accelerated rendering (falls back to CoreText)
  - Multi-window — each window is an independent Neovim process
  - Neovim's native tabline with Cmd+1-9
  - Full IME support for CJK input
  - Standard macOS shortcuts work out of the box (Cmd+C/V/X/Z/S/W)
  - CLI launcher with gvimdiff support
  - Uses your system-installed Neovim — no bundled binary

The whole thing was built in a single day with Claude Code as a pair programmer. The initial MVP took about 1.5 hours, then another 8-9 hours of iterative refinement to get it to a daily-drivable state. It was an interesting experience — I made all the design decisions and UI judgment calls, while the AI handled the implementation and codebase mechanics.

Still very early (v0.2), plenty of rough edges. Would love feedback from other Neovim users on macOS.

Hey HN, I've built a new feature to listen to blog posts. I also have an app, that's what I personally use to listen to audio while driving.

I would love to get some feedback on the UX and whether this is useful for you!

Hey HN, I'm Mo. I've been building Paseo, an open source environment for running Claude Code, Codex, and OpenCode across desktop, mobile, web, and CLI.

It started last September as a push-to-talk voice interface for Claude Code. I wanted to talk to an agent while going on walks. Then I wanted to see what it was doing. Then text it when I couldn't talk. Then review diffs, run multiple agents, and manage work across machines. After a lot of iteration, it turned into a broader environment.

The basic model is:

  - A daemon runs on your machine (MacBook, desktop, VPS, etc.).
  - Clients connect to it over WebSocket.
  - There's an optional built-in E2EE relay for easy remote/mobile access.

A few things I care about:

  - It works with the first-party agent CLIs, not by calling inference APIs directly or extracting OAuth tokens.
  - It's multi-provider instead of locking you to one model.
  - It supports local voice, git worktrees, split panes, terminals, and running agents across different hosts.
  - No forced account, no telemetry, no tracking.

The daemon is written in TypeScript. The app uses Expo for native mobile and web, and the desktop app is Electron. I actually started with Tauri and had to migrate due to platform specific problems. The relay is built on Cloudflare Durable Objects.

I use Paseo every day, but one thing I’m increasingly excited about is the CLI. It's turning into a primitive for more advanced orchestration, loops, and agent teams, which feels like a bigger direction than the app alone.

Repo: https://github.com/getpaseo/paseo Homepage: https://paseo.sh/ Discord: https://discord.gg/jz8T2uahpH

Happy to answer questions about the product, architecture, or where I think this is going.

I initially wrote axil to help inspect and run queries against syntax trees for my treesitter-based language server implementation (https://github.com/terror/just-lsp), and have been working toward making this into something more useable :)

A unified, high-performance data validation and serialization framework for Rust, inspired by Pydantic's ergonomics and powered by Serde.

I built a CLI tool to generate as much slop as possible

memv is an open-source Python library that gives AI agents persistent memory. Feed it conversations; it extracts knowledge.

The extraction mechanism is predict-calibrate (Nemori paper): given existing knowledge, it predicts what a new conversation should contain, then extracts only what the prediction missed.

v0.1.2 adds the production path: - PostgreSQL backend (pgvector for vectors, tsvector for text search, asyncpg pooling). Single db_url parameter — file path for SQLite, connection string for Postgres. - Embedding adapters: OpenAI, Voyage, Cohere, fastembed (local ONNX).

Other things it does: - Bi-temporal validity: event time (when was the fact true) + transaction time (when did we learn it), following Graphiti's model. - Hybrid retrieval: vector similarity + BM25 merged with Reciprocal Rank Fusion. - Episode segmentation: groups messages before extraction. - Contradiction handling: new facts invalidate old ones, with full audit trail.

Procedural memory (agents learning from past runs) is next, deferred until there's usage data.

Hi HN,

I built SEARCH WIZARD — a tool that lets you search your computer using natural language.

Traditional file search only works if you remember the filename.

But most of the time we remember things like:

"the screenshot where I was in a meeting" "the PDF about transformers" "notes about machine learning"

Smart Search indexes your files and lets you search by meaning instead of filename.

Currently supports: - Images - Videos - Audio - Documents

Example query: "old photo where a man is looking at a monitor"

The system retrieves the correct file instantly.

Everything runs locally except embeddings.

I'm looking for feedback on: - indexing approaches - privacy concerns - features you'd want in a tool like this

GitHub: https://github.com/deepanmpc/SMART-SEARCH

Demo: https://deepanmpc.github.io/SMART-SEARCH/

I wanted to learn game theory optimal poker, but the existing tools were kind of clunky and unintuitive for semi-beginners like me. I wanted an app where I could play poker against an opponent that’s grounded with GTO frequencies, and get feedback instantly in order to learn an intuition to hand strengths and optimal actions in any scenario (also the GTO frequencies so that I could learn to rotate styles to stay unreadable). So I ran a solver and solved thousands of game trees from flop to river with preset stacks, that can be matched to the current stacks in the game, to get as accurate frequencies as possible. Thanks for checking it out! Feel free to give feedback from the app settings, my contact details are also in my bio.

  https://gameplan.poker

DOM rendering has been the main performance bottleneck for the web apps for years. I added 2 NEW JS APIs to Chromium so DOM rendering is no longer the bottleneck.

Here's how it works:

1- You can rasterize any divs, (literaly, precisely)

2- You can freeze/lock rasterization of some divs (contain: x, but stronger)

https://github.com/yeargun/chromium5/pull/1

only 355 LOC change, 2 hours(compilation), composer2

Lots of dom nodes you have?

1- Rasterize the complex, heavy dom, and <img src="" /> it

3- Detach the dom node from the body.

4- Keep going

It's figma like performance, but HTML.

===

You might ask, why hasn't such a capability existed for the web since day 1? The answer is security.

But I always questioned that. I always thinked that such capabilities must be available permission based, somehow. Just like native apps. (I know there are lots of illiterate users that can not understand the consequences. So basically, some apps could get registered/verified by Chrome/Mozzilla/respectable other browser people, for having such capabilities)

That being said, I don't have enough time & resources to invest my time for this project right now. But it's trivial trivial with humongous benefits. My goal is to light a spark on some people to either fund the project, or pr into this project.

This is how Electron apps and the web should evolve—more powerful JavaScript APIs, with permission based extra security primitives.

Again, if you think you can't write C/C++ thats a shame. Go and edit the source code yourself, for your projects' needs, if you are tryhard enough.

I'm wishing some things to change for web.

I am also experimenting with these new APIs and features in my own document/pdf/pptx editor -> https://eddocu.com

--

Argun Sayilgan Building your next favorite document editor, Eddocu (seeks alpha testers)

Any feedback, thoughts and knowledge share is welcomed.

Yesterday I started writting this proof of concept, LLM detector, that takes advantage of the fact that LLMs depend on training data.

I am posting it here to get feedback and to validate the idea before I dedicate more time on it.

Blog: https://gokuljs.com/blogs/retrieval-from-first-principles

Modalyze manages multiple draggable, resizable, stackable modal windows while preserving React context. Place <Modalyze> beneath your context providers and any modals created there inherit that context naturally. They're portaled up to a root instance for reliable stacking.

Would appreciate any feedback.

CLI that gives your AI tools memory between sessions.

Runs locally as an MCP server, works with 11 tools.

    npm install -g memoir-cli
                                                                                           

https://github.com/camgitt/memoir

Hey HN. I'm Teo, I've spent 10+ years doing application security assessments and training dev teams. The same vulnerabilities kept coming back, so I built something to fix that.

AppSec.fi is an interactive platform where developers learn application security hands-on, matched to their actual stack (languages, cloud provider, CI/CD). Exercises include real attacks, real defense, AI-evaluated code reviews, and simulated environments. Everything runs in the browser.

We're launching a 2-week free trial starting tomorrow (April 1st). Today is the last day to sign up as an early adopter, which gets you 50% off permanently if you continue.

https://appsec.fi/en/

Happy to answer any questions about the platform or AppSec training in general.

My background is in filmmaking and content creation — I later built a TikTok influencer agency in the US: 200+ brands, 3M+ creators, 1B+ impressions. What I kept seeing was the same gap: brands knew what to sell, creators knew how to film, but nobody was bridging them with real content strategy. Most campaigns failed before they started because the strategy wasn't there.

That's the problem we built Ace Influence to solve.

You describe your product in one conversation. The agent builds your content strategy — not just scripts, but who should deliver them: it generates shot-by-shot scripts tailored to your product and audience, maps them to the right creator niches, finds and validates matching creators, handles outreach, and tracks everything through delivery.

The point isn't to be another discovery tool. It's to replace the judgment that makes influencer marketing actually work — the kind agencies charge for and most small brands can't access.

We have paying customers and 100% retention so far. Still early. Looking for B2C small brands running — or wanting to run — influencer campaigns who are willing to tell us what's broken.

Live at aceinfluence.ai.

HI I am Dhanush, I have an Hard tech infra to be future protocol ,that's all basically I am poor 17M self taught(by piracy) solo guy I made multiplayer 3d games and now I used Burp Suite on random to understand Communications to services when using a service from a company named "B"(an AI using company for neural phase locking) (they are multi-million ARR company premium only model with trials)I saw some problems here they are

Technical Findings:(All actions are for educational/reporting purposes only and none used for personal benefit or piracy)

1) their account management system is completely flawed I can use anything with '@' and '.' other peoples mails, non-existing mails ,temp mails AND also I can delete an account and recreate with same credentials to get another set of trials

2) they store data using service like braze its API is shown out I thought its real one well it might be just SDK Key I didn't brag much about its access as it might be illegal cuz they don't have any formal bug bounty program neither they hired me to do this so I stand on limit and moved on but they could have used "Identifier field level encryption" feature on braze so even with certificates proxy can't know personal details about user

3) they use bulk production of tokenized links and there are multiple flaws there 3.1)its bulk so I get 40 usable links to download their proprietary IP and they might have thousands of song ,with just basic python automation one can get 800 songs (verified truth) 3.2)those links are said to be used for 3 months with single authorization and those files are full unencrypted hosted audio files 3.3)the main link didn't support third party downloads like IDM catchers but the flaw is it exposes the link which can be tracked down and download with another simple Python automation (verified)

4) and final problem is UI of premium can be just toggled so basically their whole product is exposed to me cuz I didn't sit and watch an audio streaming platform if a bad actor hosted their IP somewhere it could be dangerous these are all my views and inferences

I am neither professional(but I followed all principles and cleaned all codes, files and shown proof via sha-256 alone) at this and they don't have any option in Hacker One or any firms to contact so I attempted 50 times, for more like 3-4 maybe even 5 months time span I guess literally all social media even those who freelanced for that business or random strangers who followed CEO(his personal mail even) no one responded finally I got an response from an official employee I explained this problem and waited for more than lot of time and just for this I got linked In premium trial and told him and its been more than 2 months after him responding itself still they didn't fix anything and lately he didn't even respond for two weeks just for certificate of endorsement or some kind of pedigree where I am self taught by piracy I have nothing to prove neither rich to create some I just asked for a certificate still un-responded but before that I asked Him can I make technical write-up and he said feel free to do what you want now I took 2 weeks to reflect and here is My write Up

at least I feel having a validation(you would know its value when you have none) for putting this work on a decade old AMD a4 Radeon r4 govt distributed entry level laptop and I am resourceful ,persistent and technically capable yet I lost YC whereas those with pedigree like "---- IDE" (the worlds first BRAINROT IDE)(just an webview extension pre-installed to IDE fork with bookmarks of brainrot websites) got In so help me get validated to build something future needs

my project is basically a Virtual File System with build in compression for future world models and 6g networks If anyone wants to ask or help anyway do In comments that would be helpful