Show HN: Tripwire: A new anti evil maid defense
If you have heard of [Haven](https://github.com/guardianproject/haven), then Tripwire fills in the void for a robust anti evil maid solution after Haven went dormant.
The GitHub repo describes both the concept and the setup process in great detail. For a quick overview, read up to the demo video.
There is also a presentation of Tripwire available on the Counter Surveil podcast: https://www.youtube.com/watch?v=s-wPrOTm5qo
Show HN: tomcp.org – Turn any URL into an MCP server
Prepend tomcp.org/ to any URL to instantly turn it into an MCP server.
You can either chat directly with the page or add the config to Cursor/Claude to pipe the website/docs straight into your context.
Why MCP? Using MCP is better than raw scraping or copy-pasting because it converts the page into clean Markdown. This helps the AI understand the structure better and uses significantly fewer tokens.
How it works: It is a proxy that fetches the URL, removes ads and navigation, and exposes the clean content as a standard MCP Resource.
Repo: https://github.com/Ami3466/tomcp (Inspired by GitMCP, but for the general web)
Show HN: Autofix Bot – Hybrid static analysis and AI code review agent
Hi there, HN! We’re Jai and Sanket from DeepSource (YC W20), and today we’re launching Autofix Bot, a hybrid static analysis + AI agent purpose-built for in-the-loop use with AI coding agents.
AI coding agents have made code generation nearly free, and they’ve shifted the bottleneck to code review. Static-only analysis with a fixed set of checkers isn’t enough. LLM-only review has several limitations: non-deterministic across runs, low recall on security issues, expensive at scale, and a tendency to get ‘distracted’.
We spent the last 6 years building a deterministic, static-analysis-only code review product. Earlier this year, we started thinking about this problem from the ground up and realized that static analysis solves key blind spots of LLM-only reviews. Over the past six months, we built a new ‘hybrid’ agent loop that uses static analysis and frontier AI agents together to outperform both static-only and LLM-only tools in finding and fixing code quality and security issues. Today, we’re opening it up publicly.
Here’s how the hybrid architecture works:
- Static pass: 5,000+ deterministic checkers (code quality, security, performance) establish a high-precision baseline. A sub-agent suppresses context-specific false positives.
- AI review: The agent reviews code with static findings as anchors. Has access to AST, data-flow graphs, control-flow, import graphs as tools, not just grep and usual shell commands.
- Remediation: Sub-agents generate fixes. Static harness validates all edits before emitting a clean git patch.
Static solves key LLM problems: non-determinism across runs, low recall on security issues (LLMs get distracted by style), and cost (static narrowing reduces prompt size and tool calls).
On the OpenSSF CVE Benchmark [1] (200+ real JS/TS vulnerabilities), we hit 81.2% accuracy and 80.0% F1; vs Cursor Bugbot (74.5% accuracy, 77.42% F1), Claude Code (71.5% accuracy, 62.99% F1), CodeRabbit (59.4% accuracy, 36.19% F1), and Semgrep CE (56.9% accuracy, 38.26% F1). On secrets detection, 92.8% F1; vs Gitleaks (75.6%), detect-secrets (64.1%), and TruffleHog (41.2%). We use our open-source classification model for this. [2]
Full methodology and how we evaluated each tool: https://autofix.bot/benchmarks
You can use Autofix Bot interactively on any repository using our TUI, as a plugin in Claude Code, or with our MCP on any compatible AI client (like OpenAI Codex).[3] We’re specifically building for AI coding agent-first workflows, so you can ask your agent to run Autofix Bot on every checkpoint autonomously.
Give us a shot today: https://autofix.bot. We’d love to hear any feedback!
---
[1] https://github.com/ossf-cve-benchmark/ossf-cve-benchmark
[2] https://huggingface.co/deepsource/Narada-3.2-3B-v1
[3] https://autofix.bot/manual/#terminal-ui
Show HN: I'm building an open-source Amazon
I'm building an open source Amazon.
In other words, an open source decentralized marketplace. But like Carl Sagan said, to make an apple pie from scratch, you must first invent the universe.
So first I had to make open source management systems for every vertical. I'm launching the first one today, Openfront e-commerce, an open source Shopify alternative. Next will be Openfront restaurant, Openfront grocery, and Openfront gym.
And all of these Openfronts will connect to our decentralized marketplace, "the/marketplace", seamlessly. Once we launch other Openfronts, you'll be able to do everything from booking hotels to ordering groceries right from one place with no middle men. The marketplace simply connects to the Openfront just like its built-in storefront does.
Together, we can use open source to disrupt marketplaces and make sure sellers, in every vertical, are never beholden to them.
Marketplace: https://marketplace.openship.org
Openfront platforms: https://openship.org/openfront-ecommerce
Source code: https://github.com/openshiporg/openfront
Demo - Openfront: https://youtu.be/jz0ZZmtBHgo
Demo - Marketplace: https://youtu.be/LM6hRjZIDcs
Part 1 - https://news.ycombinator.com/item?id=32690410
Show HN: ESLint Plugin for styled-jsx
The eslint-plugin-styled-jsx is a linting tool that helps enforce best practices and consistency in the use of the styled-jsx library, a popular CSS-in-JS solution for React applications. This plugin provides a set of rules to ensure proper styling, naming conventions, and other style-related best practices are followed in the codebase.
Show HN: Sim – Apache-2.0 n8n alternative
Hey HN, Waleed here. We're building Sim (https://sim.ai/), an open-source visual editor to build agentic workflows. Repo here: https://github.com/simstudioai/sim/. Docs here: https://docs.sim.ai.
You can run Sim locally using Docker, with no execution limits or other restrictions.
We started building Sim almost a year ago after repeatedly troubleshooting why our agents failed in production. Code-first frameworks felt hard to debug because of implicit control flow, and workflow platforms added more overhead than they removed. We wanted granular control and easy observability without piecing everything together ourselves.
We launched Sim [1][2] as a drag-and-drop canvas around 6 months ago. Since then, we've added:
- 138 blocks: Slack, GitHub, Linear, Notion, Supabase, SSH, TTS, SFTP, MongoDB, S3, Pinecone, ...
- Tool calling with granular control: forced, auto
- Agent memory: conversation memory with sliding window support (by last n messages or tokens)
- Trace spans: detailed logging and observability for nested workflows and tool calling
- Native RAG: upload documents, we chunk, embed with pgvector, and expose vector search to agents
- Workflow deployment versioning with rollbacks
- MCP support, Human-in-the-loop block
- Copilot to build workflows using natural language (just shipped a new version that also acts as a superagent and can call into any of your connected services directly, not just build workflows)
Under the hood, the workflow is a DAG with concurrent execution by default. Nodes run as soon as their dependencies (upstream blocks) are satisfied. Loops (for, forEach, while, do-while) and parallel fan-out/join are also first-class primitives.
Agent blocks are pass-through to the provider. You pick your model (OpenAI, Anthropic, Gemini, Ollama, vLLM), and we pass through prompts, tools, and response format directly to the provider API. We normalize response shapes for block interoperability, but we're not adding layers that obscure what's happening.
We're currently working on our own MCP server and the ability to deploy workflows as MCP servers. Would love to hear your thoughts and where we should take it next :)
[1] https://news.ycombinator.com/item?id=43823096
[2] https://news.ycombinator.com/item?id=44052766
Show HN: Euporie-lite, Jupyter notebooks in terminal in the browser
I modified my terminal Jupyter client, euporie [1], to run using pyodide in the browser.
It's akin to JupyterLite, providing a temporary online Python notebook environment without the need to install any Python packages. It's potentially useful if you need to do a bit of quick interactive work in Python, but don't have the environment set up ready to do so.
Since actual jupyter kernels can't run in pyodide (they run as subprocesses and communicate over ZMQ), it uses an in-process Python kernel which runs on the same interpreter as the application itself.
Notebooks and files can be saved persistently to a local-storage based file system. It uses xterm.js as the terminal emulator (though I'm keen to test out ghostty-web).
[1] https://news.ycombinator.com/item?id=27091167
Show HN: Dbxlite – Query 100M+ rows in a browser tab, no install
What started as a Claude Code experiment turned into a browser-native SQL workbench I now use daily.
Runs DuckDB WASM entirely in your browser. No backend, no installation, no signup.
- Query local files (CSV, Parquet, Excel) – data never leaves your machine
- Handles 100M+ rows, 50GB+ files in a browser tab
- Full UI: Monaco editor, schema explorer, spreadsheet-style results grid
- Share SQL via URL – anyone can run your query instantly
- BigQuery connector built-in (Snowflake coming)
v0.2 – actively developing. Feedback welcome.
GitHub (MIT): https://github.com/hfmsio/dbxlite
Show HN: A zero-to-hero, spaced-repetition guide to WebGL2 and GLSL
This article provides a primer on WebGL2 and GLSL, covering topics such as shaders, GPU programming, and practical examples to help developers get started with creating advanced graphics in the browser.
Show HN: Epstein's emails reconstructed in a message-style UI (OCR and LLMs)
This project reconstructs the Epstein email records from the recent U.S. House Oversight Committee releases using only public-domain documents (23,124 image files + 2,800 OCR text files).
Most email pages contain only one real message, buried under layers of repeated headers/footers. I wanted to rebuild the conversations without all the surrounding noise.
I used an OCR + vision-LLM pipeline to extract individual messages from the email screenshots, normalize senders/recipients, rebuild timestamps, detect duplicates, and map threads. The output is a structured SQLite database that runs client-side via SQL.js (WebAssembly).
The repository includes the full extraction pipeline, data cleaning scripts, schema, limitations, and implementation notes. The interface is a lightweight PWA that displays the reconstructed messages in a phone-style UI, with links back to every original source image for verification.
Live demo: https://epsteinsphone.org
All source data is from the official public releases; no leaks or private material.
Happy to answer questions about the pipeline, LLM extraction, threading logic, or the PWA implementation.
Show HN: Local Privacy Firewall-blocks PII and secrets before ChatGPT sees them
OP here.
I built this because I recently caught myself almost pasting a block of logs containing AWS keys into Claude.
The Problem: I need the reasoning capabilities of cloud models (GPT/Claude/Gemini), but I can't trust myself not to accidentally leak PII or secrets.
The Solution: A Chrome extension that acts as a local middleware. It intercepts the prompt and runs a local BERT model (via a Python FastAPI backend) to scrub names, emails, and keys before the request leaves the browser.
A few notes up front (to set expectations clearly):
Everything runs 100% locally. Regex detection happens in the extension itself. Advanced detection (NER) uses a small transformer model running on localhost via FastAPI.
No data is ever sent to a server. You can verify this in the code + DevTools network panel.
This is an early prototype. There will be rough edges. I’m looking for feedback on UX, detection quality, and whether the local-agent approach makes sense.
Tech Stack:
- Manifest V3 Chrome Extension
- Python FastAPI (Localhost)
- HuggingFace dslim/bert-base-NER
Roadmap / Request for Feedback: Right now, the Python backend adds some friction. I received feedback on Reddit yesterday suggesting I port the inference to transformer.js to run entirely in-browser via WASM.
I decided to ship v1 with the Python backend for stability, but I'm actively looking into the ONNX/WASM route for v2 to remove the local server dependency. If anyone has experience running NER models via transformer.js in a Service Worker, I’d love to hear about the performance vs native Python.
Repo is MIT licensed.
Very open to ideas, suggestions, or alternative approaches.
Show HN: Jottings; Anti-social microblog for your thoughts
I built Jottings because I was tired of my own thoughts getting trapped inside algorithmic feeds where I had to perform. There was a huge mental load before posting something on X or Instagram.
Every time I wanted to share something small or unfinished, I opened Twitter and lost 20 minutes to the timeline. Writing a blog post felt too heavy for those smaller, quick thoughts. I just wanted a place to write something down quickly and hit publish.
Jottings is that place. It gives you a clean microblog on a domain you own. Posts show up in simple chronological order. No likes. No followers. No feed trying to decide what matters.
What Jottings is:
- A microblogging platform that builds fully static microblog sites
- A free subdomain (you.jottings.me) or connect your own domain on PRO plans
- Markdown, tags, RSS feed, links with preview, and image uploads
- An optional AI writing helper when you are stuck or lazy to fix grammar
- Optimized for SEO and AI search friendly
- Analytics for your sites
What it is not:
- Not a social network
- Not an engagement funnel
- Not trying to keep you on the site
- Not a replacement for long-form blogging, though you can use it that way
How it works: Each Jot publish triggers a static site rebuild. The site is stored in Cloudflare R2 and served directly at the edge. Custom domains go through Cloudflare SSL for SaaS. I built it to be boring, reliable (barring Cloudflare's latest issues), and cheap to run.
Pricing: Free tier for a subdomain, text posts, and a lot more. USD5 per month for custom domains, images, full Markdown, and the writing helper. I priced it to be an easy yes.
Limitations:
- No comments (on purpose)
- No native apps yet (iOS is coming)
- The writing helper is helpful but not magic
- I am a solo founder, so features move at human speed
I use Jottings regularly to document what I build. It has been the lowest-friction way I have found to publish anything publicly.
Demo of Jottings site for product updates: https://jottings.jottings.me/
Demo of my personal Jottings site: https://jottings.vishalvshekkar.com (with custom subdomain)
I would love feedback from this community. What would make this better or more useful for you?
Check it out here: https://jottings.me (2 min set up)
Feel free to write to me at vishal@vishalvshekkar.com
— Vishal
Show HN: Open-source, offline voice typing and live captions for Android
I recently tried the desktop app Handy (handy.computer) and found it working quite well, so I decided to port the concept to Android.
Since I use GrapheneOS, I was also missing the "Live Caption" feature from stock Android, so I implemented that too. It runs entirely offline, no data leaves the device.
Show HN: 360css CSS library inspired by the xbox360 dashboard
Thought this small project I did would be fitting to post now as there's been more CSS related posts recently.
Show HN: Wirebrowser – A JavaScript debugger with breakpoint-driven heap search
Hi HN!
I'm building a JavaScript debugger called Wirebrowser. It combines network inspection, request rewriting, heap snapshots, and live object search.
The main experimental feature is BDHS (Breakpoint-Driven Heap Search): it hooks into the JavaScript debugger and automatically captures a heap snapshot at every pause and performs a targeted search for the value or structure of interest. This reveals the moment a value appears in memory and the user-land function responsible for creating it.
Another interesting feature is the Live Object Search: it inspects runtime objects (not just snapshots), supports regex and object similarity, and lets you patch objects directly at runtime.
Whitepaper: https://fcavallarin.github.io/wirebrowser/BDHS-Origin-Trace
Feedback very welcome, especially on whether BDHS would help your debugging workflow.
Show HN: GPULlama3.java Llama Compiled to PTX/OpenCL Now Integrated in Quarkus
wget https://github.com/beehive-lab/TornadoVM/releases/download/v...
unzip tornadovm-2.1.0-opencl-linux-amd64.zip
# Replace <path-to-sdk> manually with the absolute path of the extracted folder
export TORNADO_SDK="<path-to-sdk>/tornadovm-2.1.0-opencl"
export PATH=$TORNADO_SDK/bin:$PATH
tornado --devices
tornado --version
# Navigate to the project directory
cd GPULlama3.java
# Source the project-specific environment paths -> this will ensure the
source set_paths
# Build the project using Maven (skip tests for faster build)
# mvn clean package -DskipTests or just make
make
# Run the model (make sure you have downloaded the model file first - see below)
./llama-tornado --gpu --verbose-init --opencl --model beehive-llama-3.2-1b-instruct-fp16.gguf --prompt "tell me a joke"
Show HN: Gemini Pro 3 imagines the HN front page 10 years from now
The article discusses the future of news consumption in 2035, predicting a shift towards more personalized, interactive, and immersive news experiences driven by advancements in technology and user preferences.
Show HN: Workmux – Parallel development in tmux with Git worktrees
WorkMux is an open-source tool that allows developers to manage multiple development environments and projects simultaneously, providing a unified workspace and streamlining the development workflow.
Show HN: An endless scrolling word search game
I built a procedurally generated word-search game where the puzzle never ends - as you scroll, the grid expands infinitely and new words appear. It’s designed to be quick to pick up, satisfying to play, and a little addictive.
The core game works without an account using the pre-defined games, but signing up allows you to generate games using any topic you can think of.
I’d love feedback on gameplay, performance, and whether the endless format feels engaging over time. If you try it, I’d really appreciate any bug reports or suggestions.
Thanks in advance!
Show HN: Dssrf – A safe‑by‑construction SSRF defense library for Node.js
I built dssrf, a safe-by-construction SSRF defense library for Node.js apps.
Most existing SSRF libraries rely on blacklists or regex checks, which are easy to bypass. dssrf takes a different approach based on normalization, DNS resolution, redirect validation, and IP classification.
Key features:
- URL normalization RFC compliant
- DNS resolution + IP classification
- Redirect chain validation
- IPv4/IPv6 safety
- Rebinding detection
- Protocol restrictions
- TypeScript types included
The goal is to eliminate entire classes of classic SSRF vulnerabilities and their bypasses rather than patching individual payloads.
GitHub: https://github.com/HackingRepo/dssrf-js
npm: https://www.npmjs.com/package/dssrf
I love feedback, edge cases, and contributions from the community.
Show HN: A 2-row, 16-key keyboard designed for smartphones
Mobile keyboards today are almost entirely based on the 26-key, 3-row QWERTY layout. Here’s a new 2-row, 16-key alternative designed specifically for smartphones.
Show HN: Gotui – a modern Go terminal dashboard library
I’ve been working on gotui, a modern fork of the unmaintained termui, rebuilt on top of tcell for TrueColor, mouse support, and proper resize handling. It keeps the simple termui-style API, but adds a bunch of new widgets (charts, gauges, world map, etc.), nicer visuals (collapsed borders, rounded corners), and input components for building real dashboards and tools. Under the hood the renderer’s been reworked for much better performance, and I’d love feedback on what’s missing for you to use it in production.
Show HN: Automated license plate reader coverage in the USA
Built this over the last few days, based on a Rust codebase that parses the latest ALPR reports from OpenStreetMaps, calculates navigation statistics from every tagged residential building to nearby amenities, and tests each route for intersection with those ALPR cameras (Flock being the most widespread).
These have gotten more controversial in recent months, due to their indiscriminate large scale data collection, with 404 Media publishing many original pieces (https://www.404media.co/tag/flock/) about their adoption and (ab)use across the country. I wanted to use open source datasets to track the rapid expansion, especially per-county, as this data can be crucial for 'deflock' movements to petition counties and city governments to ban and remove them.
In some counties, the tracking becomes so widespread that most people can't go anywhere without being photographed. This includes possibly sensitive areas, like places of worship and medical facilities.
The argument for their legality rests upon the notion that these cameras are equivalent to 'mere observation', but the enormous scope and data sharing agreements in place to share and access millions of records without warrants blur the lines of the Fourth Amendment.
Show HN: A minimum viable Markov gibberish generator in 32 lines of Python
The article introduces MVS, a minimal version control system designed for simplicity and ease of use. It provides a basic set of commands for managing local repositories and sharing changes with others, without the complexity of more feature-rich version control systems.
Show HN: Marmot v2.20 – A distributed SQLite server with MySQL wire compatibility
Marmot hits a major milestone. I've been solo pushing (with the help of AI) to really mature out the system, and yesterday I hit the first milestone where the MySQL API is stable enough to make WordPress install and work flawlessly. The system is now in a place where you can spin off a cluster, and then spin off as many replicas as you want to scale out. I wanted to build something that is actually hard with AI, and it's been a long and tough journey trying various AI tools, and a huge amount of learning. I will follow up with a blog post, but since I have all the scripts to help you guys spin up a cluster and examples, I wanted to put it out there so that you guys can poke holes and help me improve it.
Source is available at: https://github.com/maxpert/marmot/
Most fun part is a Wordpress running in cluster: https://github.com/maxpert/marmot/tree/master/examples/wordp...
Each one of these Wordpress instances is talking to its own "MySQL" but under the hood replication is being done and stored over SQLite DB.
Show HN: AlgoDrill – Interactive drills to stop forgetting LeetCode patterns
I built AlgoDrill because I kept grinding LeetCode, thinking I knew the pattern, and then completely blanking when I had to implement it from scratch a few weeks later.
AlgoDrill turns NeetCode 150 and more into pattern-based drills: you rebuild the solution line by line with active recall, get first principles editorials that explain why each step exists, and everything is tagged by patterns like sliding window, two pointers, and DP so you can hammer the ones you keep forgetting. The goal is simple: turn familiar patterns into code you can write quickly and confidently in a real interview.
https://algodrill.io
Would love feedback on whether this drill-style approach feels like a real upgrade over just solving problems once, and what’s most confusing or missing when you first land on the site.
Show HN: I built a system for active note-taking in regular meetings like 1-1s
Hey HN! Like most here, regular meetings have always been a big part of my work.
Over the years I've learned the value of active note taking in these meetings. Meaning: not minutes, not transcriptions or AI summaries, but me using my brain to actively pull out the key points in short form bullet-like notes, as the meeting is going on, as I'm talking and listening (and probably typing with one hand). This could be agenda points to cover, any interesting sidebars raised, insights gotten to in a discussion, actions agreed to (and a way to track whether they got done next time!).
It's both useful just to track what's going on in all these different meetings week to week (at one point I was doing about a dozen 1-1s per week, and it just becomes impossible to hold it in RAM) but also really valuable over time when you can look back and see the full history of a particular meeting, what was discussed when, how themes and structure are changing, are the meetings effective, etc.
Anyway, I've tried a bunch of different tools for taking these notes over the years. All the obvious ones you've probably used too. And I've always just been not quite satisfied with the experience. They work, obviously (it's just text-based notes at the end of the day) but nothing is first-class for this use case.
So, I decided to build the tool I've always felt I want to use, specifically for regular 1-1s and other types of regular meetings. I've been using it myself and with friends for a while already now, and I think it's got to that point where I actually prefer to reach for it over other general purpose note taking tools now, and I want to share it more widely.
There's a free tier so you can use it right away, in fact without even signing up.
If you've also been wanting a better system to manage your notes for regular meetings, give it a go and let me know what you think!
Show HN: I want to democratise Bloomberg Terminal
Aulico provides a platform for creating and managing virtual workspaces, allowing users to customize their digital work environment and collaborate with team members remotely.
Show HN: Search the lyrics of 500 HÖR Berlin techno sets
The article discusses the author's experience with getting a job at a technology company called 'Hor'. It provides insights into the company's culture, hiring process, and the challenges the author faced during the interview and onboarding stages.