🛠️ All DevTools
Last Updated: February 23, 2026 at 08:00 PM
Show HN: Shibuya – A High-Performance WAF in Rust with eBPF and ML Engine
Show HN (score: 8)[DevOps] Hi HN,

I’ve been working on Shibuya, a next-generation Web Application Firewall (WAF) built from the ground up in Rust.

I wanted to build a WAF that didn't just rely on legacy regex signatures but could understand intent and perform at line-rate using modern kernel features.

What makes Shibuya different:

Multi-Layer Pipeline: It integrates a high-performance proxy (built on Pingora) with rate limiting, bot detection, and threat intelligence.

eBPF Kernel Filtering: For volumetric attacks, Shibuya can drop malicious packets at the kernel level using XDP before they consume userspace resources.

Dual ML Engine: It uses an ONNX-based engine for anomaly detection and a Random Forest classifier to identify specific attack classes like SQLi, XSS, and RCE.

API & GraphQL Protection: Includes deep inspection for GraphQL (depth and complexity analysis) and OpenAPI schema validation.

WASM Extensibility: You can write and hot-load custom security logic using WebAssembly plugins.

Ashigaru Lab: The project includes a deliberately vulnerable lab environment with 6 different services and a "Red Team Bot" to test the WAF against 100+ simulated payloads.

The Dashboard: The dashboard is built with SvelteKit and offers real-time monitoring (ECharts), a "Panic Mode" for instant hardening, and a visual editor for the YAML configuration.

I'm looking for feedback on the architecture and the performance of the Rust-eBPF integration.
Show HN: BVisor – An Embedded Bash Sandbox, 2ms Boot, Written in Zig
Show HN (score: 10)[API/SDK] bVisor is an SDK and runtime for safely executing bash commands directly on your host machine. We built it on the belief that "sandbox" doesn't need to mean shipping off to remote sandbox products, or spinning up local VMs / containers. Sometimes, you just want to run that bash command locally.

bVisor boots a sandbox from user-space without special permissions, powered by seccomp user notifier. This allows us to intercept syscalls from guest processes and selectively virtualize them to block privilege escalation, isolate process visibility, and keep filesystem changes isolated per sandbox (copy-on-write). Sandboxes boot in 2ms, and can run arbitrary binaries at native speed (with minor overhead per syscall). This approach is heavily inspired by Google's gVisor.

As of today, bVisor supports most filesystem operations, basic file I/O, and can run complex binaries such as python interpreters. It is packaged as a Typescript SDK and installable via npm. There's much to still implement (such as outbound network access to support 'curl', shipping a python SDK, etc), but we wanted to share it here for feedback and anyone who'd be able to make use of the current featureset!
Show HN: PgDog – Scale Postgres without changing the app
Hacker News (score: 93)[Database] Hey HN! Lev and Justin here, authors of PgDog (https://pgdog.dev/), a connection pooler, load balancer and database sharder for PostgreSQL. If you build apps with a lot of traffic, you know the first thing to break is the database. We are solving this with a network proxy that works without requiring application code changes or database migrations.

Our post from last year: https://news.ycombinator.com/item?id=44099187

The most important update: we are in production. Sharding is used a lot, with direct-to-shard queries (one shard per query) working pretty much all the time. Cross-shard (or multi-database) queries are still a work in progress, but we are making headway.

Aggregate functions like count(), min(), max(), avg(), stddev() and variance() are working, without refactoring the app. PgDog calculates the aggregate in-transit, while transparently rewriting queries to fetch any missing info. For example, multi-database average calculation requires a total count of rows to calculate the original sum. PgDog will add count() to the query, if it’s not there already, and remove it from the rows sent to the app.

Sorting and grouping works, including DISTINCT, if the column(s) are referenced in the result. Over 10 data types are supported, like, timestamp(tz), all integers, varchar, etc.

Cross-shard writes, including schema changes (CREATE/DROP/ALTER), are now atomic and synchronized between all shards with two-phase commit. PgDog keeps track of the transaction state internally and will rollback the transaction if the first phase fails. You don’t need to monkeypatch your ORM to use this: PgDog will intercept the COMMIT statement and execute PREPARE TRANSACTION and COMMIT PREPARED instead.

Omnisharded tables, a.k.a replicated or mirrored (identical on all shards), support atomic reads and writes. That’s important because most databases can’t be completely sharded and will have some common data on all databases that has to be kept in-sync.

Multi-tuple inserts, e.g., INSERT INTO table_x VALUES ($1, $2), ($3, $4), are split by our query rewriter and distributed to their respective shards automatically. They are used by ORMs like Prisma, Sequelize, and others, so those now work without code changes too.

Sharding keys can be mutated. PgDog will intercept and rewrite the update statement into 3 queries, SELECT, INSERT, and DELETE, moving the row between shards. If you’re using Citus (for everyone else, Citus is a Postgres extension for sharding databases), this might be worth a look.

If you’re like us and prefer integers to UUIDs for your primary keys, we built a cross-shard unique sequence, directly inside PgDog. It uses the system clock (and a couple other inputs), can be called like a Postgres function, and will automatically inject values into queries, so ORMs like ActiveRecord will continue to work out of the box. It’s monotonically increasing, just like a real Postgres sequence, and can generate up to 4 million numbers per second with a range of 69.73 years, so no need to migrate to UUIDv7 just yet.

    INSERT INTO my_table (id, created_at) VALUES (pgdog.unique_id(), now());

Resharding is now built-in. We can move gigabytes of tables per second, by parallelizing logical replication streams across replicas. This is really cool! Last time we tried this at Instacart, it took over two weeks to move 10 TB between two machines. Now, we can do this in just a few hours, in big part thanks to the work of the core team that added support for logical replication slots to streaming replicas in Postgres 16.

Sharding hardly works without a good load balancer. PgDog can monitor replicas and move write traffic to a promoted primary during a failover. This works with managed Postgres, like RDS (incl. Aurora), Azure Pg, GCP Cloud SQL, etc., because it just polls each instance with “SELECT pg_is_in_recovery()”. Primary election is not supported yet, so if you’re self-hosting with Patroni, you should keep it around for now, but you don’t need to run HAProxy in front of the DBs anymore.

The load balancer is getting pretty smart and can handle edge cases like SELECT FOR UPDATE and CTEs with INSERT/UPDATE statements, but if you still prefer to handle your read/write separation in code, you can do that too with manual routing. This works by giving PgDog a hint at runtime: a connection parameter (-c pgdog.role=primary), SET statement, or a query comment. If you have multiple connection pools in your app, you can replace them with just one connection to PgDog instead. For multi-threaded Python/Ruby/Go apps, this helps by reducing memory usage, I/O and context switching overhead.

Speaking of connection pooling, PgDog can automatically rollback unfinished transactions and drain and re-sync partially sent queries, all in an effort to preserve connections to the database. If you’ve seen Postgres go to 100% CPU because of a connection storm caused by an application crash, this might be for you. Draining connections works by receiving and discarding rows from abandoned queries and sending the Sync message via the Postgres wire protocol, which clears the query context and returns the connection to a normal state.

PgDog is open source and welcomes contributions and feedback in any form. As always, all features are configurable and can be turned off/on, so should you choose to give it a try, you can do so at your own pace. Our docs (https://docs.pgdog.dev) should help too.

Thanks for reading and happy hacking!
siteboon/claudecodeui
GitHub Trending[Other] Use Claude Code, Cursor CLI or Codex on mobile and web with CloudCLI (aka Claude Code UI). CloudCLI is a free open source webui/GUI that helps you manage your Claude Code session and projects remotely
The JavaScript Oxidation Compiler
Hacker News (score: 195)[Other]
Aqua: A CLI message tool for AI agents
Hacker News (score: 56)[CLI Tool]
Show HN: A portfolio that re-architects its React DOM based on LLM intent
Show HN (score: 6)[Other] Hi HN,

Added a raw 45-second demo showing the DOM re-architecture in real-time: https://streamable.com/vw133i

I got tired of the "Context Problem" with static portfolios—Recruiters want a resume, Founders want a pitch deck, and Engineers want to see architecture.

Instead of building three sites, I hooked up my React frontend to Llama-3 (via Groq for <100ms latency). It analyzes natural language intent from the search bar and physically re-architects the Component Tree to prioritize the most relevant modules using Framer Motion.

The hardest part was stabilizing the Cumulative Layout Shift (CLS) during the DOM mutation, but decoupling the layout state from the content state solved it.

The Challenge: There is a global CSS override hidden in the search bar. If you guess the 1999 movie reference, it triggers a 1-bit terminal mode.

Happy to answer any questions on the Groq implementation or the layout engine!
NanoClaw moved from Apple Containers to Docker
Hacker News (score: 151)[Other]
Show HN: Local-First Linux MicroVMs for macOS
Hacker News (score: 187)[DevOps] Shuru is a lightweight sandbox that spins up Linux VMs on macOS using Apple's Virtualization.framework. Boots in about a second on Apple Silicon, and everything is ephemeral by default. There's a checkpoint system for when you do want to persist state, and sandboxes run without network access unless you explicitly allow it. Single Rust binary, no dependencies. Built it for sandboxing AI agent code execution, but it works well for anything where you need a disposable Linux environment.
Fresh File Explorer – VS Code extension for navigating recent work
Hacker News (score: 99)[Other]
Git's Magic Files
Hacker News (score: 167)[Other]
Show HN: TLA+ Workbench skill for coding agents (compat. with Vercel skills CLI)
Show HN (score: 40)[Other]
cloudflare/agents
GitHub Trending[DevOps] Build and deploy AI Agents on Cloudflare
stan-smith/FossFLOW
GitHub Trending[Other] Make beautiful isometric infrastructure diagrams
abhigyanpatwari/GitNexus
GitHub Trending[Other] GitNexus: The Zero-Server Code Intelligence Engine - GitNexus is a client-side knowledge graph creator that runs entirely in your browser. Drop in a GitHub repo or ZIP file, and get an interactive knowledge graph with a built-in Graph RAG Agent. Perfect for code exploration
Show HN: Script Snap – Extract code from videos
Show HN (score: 8)[Other] Hi HN, I'm lmw-lab, the builder behind Script Snap.

The Backstory: I built this out of pure frustration. A while ago, I was trying to figure out a specific configuration for a project, and the only good resource I could find was a 25-minute YouTube video. I had to scrub through endless "smash the like button" intros and sponsor reads just to find a single 5-line JSON payload.

I realized I didn't want an "AI summary" of the video; I just wanted the raw code hidden inside it.

What's different: There are dozens of "YouTube to Text" summarizers out there. Script Snap is different because it is explicitly designed as a technical extraction engine.

It doesn't give you bullet points about how the YouTuber feels. It scans the transcript and on-screen visuals to extract specifically:

Code snippets

Terminal commands

API payloads (JSON/YAML)

Security warnings (like flagging sketchy npm installs)

It strips out the "vibe" and outputs raw, formatted Markdown that you can copy straight into your IDE.

Full disclosure on the launch: Our payment processor (Stripe) flagged us on day one (banks seem to hate AI tools), so I've pivoted to a manual "Concierge Alpha" for onboarding. The extraction engine is fully operational, just doing things the hard way for now.

I'd love to hear your thoughts or harsh feedback on the extraction quality!
anthropics/claude-plugins-official
GitHub Trending[Other] Official, Anthropic-managed directory of high quality Claude Code Plugins.
blackboardsh/electrobun
GitHub Trending[Other] Build ultra fast, tiny, and cross-platform desktop apps with Typescript.
Don't create .gitkeep files, use .gitignore instead (2023)
Hacker News (score: 48)[Other]
Testing Super Mario Using a Behavior Model Autonomously
Hacker News (score: 22)[Testing]