🛠️ All DevTools

[Other] Compress tool outputs, logs, files, and RAG chunks before they reach the LLM. 60-95% fewer tokens, same answers. Library, proxy, MCP server.

[Other] Apple rejected my dictation app for using the accessibility API

[Testing] Show HN: NUA an agent that tests for product correctness We’ve been using background Claude loops a lot recently, and we would wake up to PRs that didn’t solve the problem we wanted, made on assumptions that were wrong. Furthermore, the tests that the agents wrote were usually tautological, and didn’t test for intent. We wanted an agent that took all the context a company has, and writes tests that check for product correctness as well.<p>For example, we work in reg tech, so bugs aren’t always technical. What we often see is things like insider trading alerts that should’ve fired that didn’t. We wanted an agent that turns laws and regulations into tests.<p>For now, users can upload PDF, MD, TXT, and DOCX files, but we’re planning integrations like Slack, Notion, Linear, and Zoom in the future.<p>We’re early on, so we would love to know what you all think!

[Other] OpenAI frontier models and Codex are now available on AWS

[Other] Alphabet announces $80B equity capital raise to expand AI infra and compute

[Other] Debug Project

[Other] Build a Basic AI Agent from Scratch: Tools

[Package Manager] Show HN: DepsGuard – one command to harden NPM/pnpm/yarn/bun/uv configs I kept seeing every npm&#x2F;pnpm&#x2F;yarn&#x2F;bun&#x2F;uv supply chain post end with the same advice (set a minimum release age, turn off install scripts), and while I know cooldowns are &quot;controversial&quot;, they do work. But even if you convince people that they should set cooldowns, it seems many don&#x27;t end up following through, not sure why, maybe because it means hand-editing five config files in five formats with five different time units, or perhaps the &quot;it won&#x27;t happen to me&quot; syndrome (or &quot;I&#x27;ll do it later, it seems complicated&quot; where it&#x27;s actually very simple). So I created a tool that checks what you have set and fixes it for you. I looked for an existing one first and couldn&#x27;t find it. It started as a small weekend project and turned into a small research project on the nuances of cooldowns across package managers. Not a proof of P vs NP, but a small convenience that can save you and your loved ones from the next supply chain attack. I&#x27;ve raised this in a couple of HN threads since (<a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=47878158">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=47878158</a> and <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=48156360">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=48156360</a>) but never actually did a Show HN for the tool itself.<p>If you know how to edit your ~&#x2F;.npmrc, which settings apply to npm vs pnpm, and which one wants minutes vs days vs seconds, you probably don&#x27;t need this. But if you vibe code and just want a one click fix (or you have a PhD in CS from Stanford, ex-FAANG, started 3 YC companies, now work at Anthropic, and still just want a one click fix), read on.<p>DepsGuard is a single Rust binary, no runtime deps, MIT. Run depsguard and it scans your user-level and repo-level configs, shows a table of what is and isn&#x27;t set, you pick what to change, hit d for the diff, and apply. It writes a timestamped backup first and depsguard restore rolls it back. depsguard scan is read-only if you just want the report.<p>The settings are the simple ones that work: min-release-age &#x2F; minimumReleaseAge (npm, pnpm, yarn, bun, and uv all name it differently and use days vs minutes vs seconds, which is half of why doing this by hand is annoying), ignore-scripts, and on newer pnpm block-exotic-subdeps, trust-policy: no-downgrade, and strict-dep-builds. It also handles Renovate and Dependabot cooldowns.<p>The whole thing is a bet on timing. The malicious @bitwarden&#x2F;cli 2026.4.0 was up ~19 hours and got 334 installs. axios was pulled in ~3h, ua-parser-js in hours, node-ipc in days. A 7-day gate means your installer never resolves any of those, they&#x27;re gone before the window even opens. It does nothing for the slow ones (event-stream sat 2+ months), and it&#x27;s not SCA, it won&#x27;t scan your existing lockfile for known CVEs, that&#x27;s a different layer.<p>Disclosure: I&#x27;m a co-founder and CTO at Arnica (a commercial appsec startup) and built this because putting the same recommendations on each blog post felt like yelling at the clouds. It&#x27;s free and MIT, no account, no telemetry. I&#x27;m also not the only one who had the idea (didn&#x27;t know at the time), cooldowns.dev does the cooldown part across more ecosystems with a shell helper and is worth a look. DepsGuard covers fewer ecosystems but adds the other settings and the diff&#x2F;backup&#x2F;restore flow.<p>If you want to try it: cargo install depsguard, or brew&#x2F;apt&#x2F;winget&#x2F;scoop, all in the README.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;arnica&#x2F;depsguard" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;arnica&#x2F;depsguard</a> (full settings table and FAQ at depsguard.com)<p>Is this an overkill that could have been a shell script? Probably yes (but I wanted windows support, why not).<p>Did it save someone from a supply chain attack? Also probably yes.<p>Do I know personally someone that without it wouldn&#x27;t have bothered changing their settings after repeatedly asking, but eventually did it when I gave them depsguard? Absolutely yes.

[Testing] Show HN: A desktop app for manual QA testing and evidence gathering

[Other] Malicious npm packages detected across Red Hat Cloud Services

[Other] Announcing Zstandard in Rust

[Other] Show HN: Postbase – 100% open source Alternative to Firebase and Supabase [video] Postbase – 100% Opensource Alternative to Firebase and Supabase

[Other] Using Git's rerere feature to escape recurring conflict hell

[Other] Rift: Better Alternative to Git Worktrees

[Other] Codex just found a "workaround" of not having sudo on my PC

[CLI Tool] Show HN: Ouijit, an open-source task and terminal manager for coding agents Hi HN, I’m working on Ouijit.<p>It’s a project and task-based terminal session manager that provides a few basic but useful tools for agent workflows:<p>- Terminal sessions in Ouijit have access to the ouijit CLI, and supported agents (Claude, Codex, Pi) can work with it out of the box to manage tasks and customize a personal development workflow<p>- Tasks live on a kanban board that supports hooks for task lifecycle events (eg. ‘Run this script when a task moves to ‘in progress’)<p>I’ve found this simple combination to be very expressive and flexible for adapting to changing workflows.<p>I made the V1 a couple months ago for fun, and have kept at it since a friend shared they had logged an 8 hour work session in it. Along the way I’ve baked in lots of what I believe are table-stakes for this type of tool, like task isolation via Git worktrees, agent working&#x2F;idle status with sound and notifications, diff&#x2F;markdown plan&#x2F;URL previews, and support for VM sandboxing using Lima.<p>It’s free and open source with no login or telemetry, so feedback is highly appreciated.<p>Github: <a href="https:&#x2F;&#x2F;github.com&#x2F;ouijit&#x2F;ouijit" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ouijit&#x2F;ouijit</a> Website: <a href="https:&#x2F;&#x2F;ouijit.com" rel="nofollow">https:&#x2F;&#x2F;ouijit.com</a>

[Other] Show HN: xxUTF – SIMD Unicode Normalization

[Other] Show HN: Atomic Editor – Obsidian-style live preview for CodeMirror 6

[Other] The open-source repo for docs.github.com

[Other] The Website Specification