🛠️ All DevTools

[API/SDK] Show HN: Teaching AI agents to write better GraphQL We’ve been seeing more and more developers use AI coding agents directly in their GraphQL workflows. The problem is the agents tend to fall back to generic or outdated GraphQL patterns.<p>After correcting the same issues over and over, we ended up packaging the GraphQL best practices and conventions we actually want agents to follow as reusable “Skills,” and open-sourced them here: <a href="https:&#x2F;&#x2F;github.com&#x2F;apollographql&#x2F;skills" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;apollographql&#x2F;skills</a><p>Install with `npx skills add apollographql&#x2F;skills` and the agent starts producing named operations with variables, `[Post!]!` list patterns, and more consistent client-side behavior without having to restate those rules in every prompt.<p>We’re hopeful agents can now write GraphQL the way we&#x27;d write it ourselves. Try out the repo and let us know what you think.

[API/SDK] Show HN: Webhook Skills – Agent skills for webhook providers and best practices I built a collection of webhook skills because AI coding agents are surprisingly bad at webhook integrations. The generated code looks reasonable until you run it, then signature verification fails, raw body handling is wrong, or the middleware order breaks everything.<p>PostHog&#x27;s research on LLM code generation (<a href="https:&#x2F;&#x2F;posthog.com&#x2F;blog&#x2F;correct-llm-code-generation" rel="nofollow">https:&#x2F;&#x2F;posthog.com&#x2F;blog&#x2F;correct-llm-code-generation</a>) found that agents produce more reliable code when referencing known-working examples rather than reconstructing from training data. That&#x27;s the approach here.<p>`webhook-skills` is a collection of provider-specific webhook implementations and best practices guides built on the Agent Skills spec (agentskills.io):<p><pre><code> - Runnable examples (currently Express, Next.js, FastAPI, with more frameworks coming) - Signature verification with provider-specific gotchas documented - Best-practice patterns: idempotency, error handling, retry logic - 11 providers at launch (Stripe, Shopify, GitHub, OpenAI, Clerk, Paddle, others), expanding based on my needs or requests. </code></pre> Example:<p><pre><code> # list skills npx skills add hookdeck&#x2F;webhook-skills --list # install skills npx skills add hookdeck&#x2F;webhook-skills --skill stripe-webhooks --skill webhook-handler-patterns </code></pre> Works with Claude Code, Cursor, Copilot. The examples are useful even without an agent: minimal, tested handlers you can copy directly.<p>PRs welcome for new providers and frameworks. I also built an AI-powered generator that automatically creates new provider skills. Point it at webhook docs, and it researches the signature scheme, generates verification code for each framework, writes tests, and opens a PR.

[Monitoring/Observability] API turnstile Sentinel is a developer-first security monitoring platform for SaaS and APIs. It detects bots, fraud, and abnormal behavior in real time, giving actionable alerts before damage happens. Lightweight, easy to integrate, and affordable — unlike bloated enterprise SIEMs, Sentinel keeps your apps safe without the complexity.

[IDE/Editor] Leverage coding agents to tackle complex tasks autonomously Xcode 26.3 introduces support for agentic coding, a new way in Xcode for developers to build apps using coding agents such as Anthropic’s Claude Agent and OpenAI’s Codex. With agentic coding, Xcode can work with greater autonomy toward a developer’s goals — from breaking down tasks to making decisions based on the project architecture and using built-in tools.

[Other] Sandbox claude code, codex, or any TUI on macOS Multitui is a macOS app factory that generates individual terminal apps for TUI programs, with optional sandbox. Create dedicated native apps for claude code, codex, gemini, lazygit, harlequin, or any TUI.

[API/SDK] APIs for building AI chat and search Open-source RAG infrastructure that survives production workloads. Upload documents, query via API, get answers with sources. Hybrid search, multimodal, complex reasoning - all included. Model-agnostic. Used by 1,500+ teams in medical AI, legal tech, enterprise search.

[Other] Train code reading skills in a GeoGuessr-like game GitGuessr is a new unique game that drops you into a random location in a real GitHub repo where some lines of code are hidden. Your goal is to understand the codebase and fill in the missing code as quickly as possible. Play well-balanced games in Python, TypeScript, JavaScript (the top 3 languages on GitHub). Or create your own code maps for the community from your favorite languages or favorite repos.

[Other] Visualize Git commands instead of memorizing them. GitFlow Studio helps you understand Git by visualizing what commands actually do. Run real Git commands in a safe sandbox and instantly see how branches, merges, rebases, and resets change your commit history on a live graph, so you can learn Git without memorizing it.

[CLI Tool] Show HN: Ec – a terminal Git conflict resolver inspired by IntelliJ Hi HN, I built ec because my friends who are new to development kept getting stuck on Git conflicts.<p>Most TUI merge tools felt hard to use or non-intuitive for them. The only flow they found easy was the IntelliJ (JetBrains) conflict resolver, so I recreated that experience in the terminal.<p>ec is a terminal-native, 3-pane conflict resolver with a focused, step-by-step flow. If you try it and leave feedback, I would be really grateful. Thanks!<p>Repo: <a href="https:&#x2F;&#x2F;github.com&#x2F;chojs23&#x2F;ec" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;chojs23&#x2F;ec</a>

[CLI Tool] Show HN: Latchkey – inject credentials into agents' curl calls Hi HN,<p>At Imbue, we’ve been following the rapid developments in the agent landscape and noticed that the way agents interact with third-party services on users’ behalf often leaves a lot to be desired. Integrations are ad hoc, complicated, context-heavy, and either unfriendly to non-technical users or tied to a lock-in of some sort.<p>We‘re experimenting with a command-line tool, Latchkey, that could be used by local agents targeted at non-technical users while avoiding remote intermediaries. As far as we know, this is the only existing approach at the intersection of these two goals.<p>Core idea: Agents access APIs of third-party services by prepending ordinary `curl` calls with the `latchkey` command, like this:<p><pre><code> latchkey curl -X POST &#x27;https:&#x2F;&#x2F;slack.com&#x2F;api&#x2F;conversations.create&#x27; \ -H &#x27;Content-Type: application&#x2F;json&#x27; \ -d &#x27;{&quot;name&quot;:&quot;something-urgent&quot;}&#x27; </code></pre> Latchkey then transparently injects credentials into these calls, prompting the user to log in via a browser pop-up when needed. Browser automation is used to extract an API token from the browser session once logged in.<p>Benefits:<p>* A single skill to integrate with all services.<p>* Direct communication between the agent and the third-party service (no OAuth intermediary app needed).<p>* Agents usable by non-technical users.<p>* Secrets do not leak to logs or chat transcripts.<p>We believe this aligns with a vision of a decentralized future in which people don’t need to ask corporations for permission to use their own data. We imagine a lively ecosystem of local agents that people use freely, supported by a community helping each other keep these tools useful and functional.<p>We’re aware that this approach comes with some downsides, too, and would love your feedback.<p>P.S. Here’s also a link to Passepartout, a toy demo AI assistant app built using Latchkey: <a href="https:&#x2F;&#x2F;github.com&#x2F;imbue-ai&#x2F;passepartout" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;imbue-ai&#x2F;passepartout</a>

[Build/Deploy] Show HN: Emmtrix ONNX-to-C Code Generator for Edge AI Deployment Hi HN, we wanted to share our open source ONNX-to-C code generator. It translates ONNX models into C code for deployment on embedded systems. We developed it for use with emmtrix Code Vectorizer (<a href="https:&#x2F;&#x2F;www.emmtrix.com&#x2F;tools&#x2F;emmtrix-code-vectorizer" rel="nofollow">https:&#x2F;&#x2F;www.emmtrix.com&#x2F;tools&#x2F;emmtrix-code-vectorizer</a>) which optimizes the generated code for various embedded architectures. The ONNX-to-C code generator can however also be used standalone to generate plain C code. In contrast to many other tools, it makes deployment trivial since the generated code is fully standalone and no additional runtime is required.

[Other] Xcode 26.3 – Developers can leverage coding agents directly in Xcode

[Monitoring/Observability] Show HN: PII-Shield – Log Sanitization Sidecar with JSON Integrity (Go, Entropy) What PII-Shield does: It&#x27;s a K8s sidecar (or CLI tool) that pipes application logs, detects secrets using Shannon entropy (catching unknown keys like &quot;sk-live-...&quot; without predefined patterns), and redacts them deterministically using HMAC.<p>Why deterministic? So that &quot;pass123&quot; always hashes to the same &quot;[HIDDEN:a1b2c]&quot;, allowing QA&#x2F;Devs to correlate errors without seeing the raw data.<p>Key features: 1. JSON Integrity: It parses JSON, sanitizes values, and rebuilds it. It guarantees valid JSON output for your SIEM (ELK&#x2F;Datadog). 2. Entropy Detection: Uses context-aware entropy analysis to catch high-randomness strings. 3. Fail-Open: Designed as a transparent pipe wrapper to preserve app uptime.<p>The project is open-source (Apache 2.0).<p>Repo: <a href="https:&#x2F;&#x2F;github.com&#x2F;aragossa&#x2F;pii-shield" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;aragossa&#x2F;pii-shield</a> Docs: <a href="https:&#x2F;&#x2F;pii-shield.gitbook.io&#x2F;docs&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pii-shield.gitbook.io&#x2F;docs&#x2F;</a><p>I&#x27;d love your feedback on the entropy&#x2F;threshold logic!

[Other] Tadpole – A modular and extensible DSL built for web scraping

[Other] Show HN: C discrete event SIM w stackful coroutines runs 45x faster than SimPy Hi all,<p>I have built <i>Cimba</i>, a multithreaded discrete event simulation library in C.<p>Cimba uses POSIX pthread multithreading for parallel execution of multiple simulation trials, while coroutines provide concurrency inside each simulated trial universe. The simulated processes are based on asymmetric stackful coroutines with the context switching hand-coded in assembly.<p>The stackful coroutines make it natural to express agentic behavior by conceptually placing oneself &quot;inside&quot; that process and describing what it does. A process can run in an infinite loop or just act as a one-shot customer passing through the system, yielding and resuming execution from any level of its call stack, acting both as an active agent and a passive object as needed. This is inspired by my own experience programming in Simula67, many moons ago, where I found the coroutines more important than the deservedly famous object-orientation.<p>Cimba turned out to run <i>really</i> fast. In a simple benchmark, 100 trials of an M&#x2F;M&#x2F;1 queue run for one million time units each, it ran <i>45 times faster</i> than an equivalent model built in SimPy + Python multiprocessing. The running time was <i>reduced by 97.8 %</i> vs the SimPy model. Cimba even processed more simulated events per second <i>on a single CPU core</i> than SimPy could do on all 64 cores.<p>The speed is not only due to the efficient coroutines. Other parts are also designed for speed, such as a hash-heap event queue (binary heap plus Fibonacci hash map), fast random number generators and distributions, memory pools for frequently used object types, and so on.<p>The initial implementation supports the AMD64&#x2F;x86-64 architecture for Linux and Windows. I plan to target Apple Silicon next, then probably ARM.<p>I believe this may interest the HN community. I would appreciate your views on both the API and the code. Any thoughts on future target architectures to consider?<p>Docs: <a href="https:&#x2F;&#x2F;cimba.readthedocs.io&#x2F;en&#x2F;latest&#x2F;" rel="nofollow">https:&#x2F;&#x2F;cimba.readthedocs.io&#x2F;en&#x2F;latest&#x2F;</a><p>Repo: <a href="https:&#x2F;&#x2F;github.com&#x2F;ambonvik&#x2F;cimba" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;ambonvik&#x2F;cimba</a>

[DevOps] Show HN: LUML – an open source (Apache 2.0) MLOps/LLMOps platform Hi HN,<p>We built LUML (<a href="https:&#x2F;&#x2F;github.com&#x2F;luml-ai&#x2F;luml" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;luml-ai&#x2F;luml</a>), an open-source (Apache 2.0) MLOps&#x2F;LLMOps platform that covers experiments, registry, LLM tracing, deployments and so on.<p>It separates the control plane from your data and compute. Artifacts are self-contained. Each model artifact includes all metadata (including the experiment snapshots, dependencies, etc.), and it stays in your storage (S3-compatible or Azure).<p>File transfers go directly between your machine and storage, and execution happens on compute nodes you host and connect to LUML.<p>We’d love you to try the platform and share your feedback!

[Other] Show HN: GitHub Browser Plugin for AI Contribution Blame in Pull Requests

[DevOps] Show HN: Sandboxing untrusted code using WebAssembly Hi everyone,<p>I built a runtime to isolate untrusted code using wasm sandboxes.<p>Basically, it protects your host system from problems that untrusted code can cause. We’ve had a great discussion about sandboxing in Python lately that elaborates a bit more on the problem [1]. In TypeScript, wasm integration is even more natural thanks to the close proximity between both ecosystems.<p>The core is built in Rust. On top of that, I use WASI 0.2 via wasmtime and the component model, along with custom SDKs that keep things as idiomatic as possible.<p>For example, in Python we have a simple decorator:<p><pre><code> from capsule import task @task( name=&quot;analyze_data&quot;, compute=&quot;MEDIUM&quot;, ram=&quot;512mb&quot;, allowed_files=[&quot;.&#x2F;authorized-folder&#x2F;&quot;], timeout=&quot;30s&quot;, max_retries=1 ) def analyze_data(dataset: list) -&gt; dict: &quot;&quot;&quot;Process data in an isolated, resource-controlled environment.&quot;&quot;&quot; # Your code runs safely in a Wasm sandbox return {&quot;processed&quot;: len(dataset), &quot;status&quot;: &quot;complete&quot;} </code></pre> And in TypeScript we have a wrapper:<p><pre><code> import { task } from &quot;@capsule-run&#x2F;sdk&quot; export const analyze = task({ name: &quot;analyzeData&quot;, compute: &quot;MEDIUM&quot;, ram: &quot;512mb&quot;, allowedFiles: [&quot;.&#x2F;authorized-folder&#x2F;&quot;], timeout: 30000, maxRetries: 1 }, (dataset: number[]) =&gt; { return {processed: dataset.length, status: &quot;complete&quot;} }); </code></pre> You can set CPU (with compute), memory, filesystem access, and retries to keep precise control over your tasks.<p>It&#x27;s still quite early, but I&#x27;d love feedback. I’ll be around to answer questions.<p>GitHub: <a href="https:&#x2F;&#x2F;github.com&#x2F;mavdol&#x2F;capsule" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;mavdol&#x2F;capsule</a><p>[1] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=46500510">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=46500510</a>

[Other] Show HN: Inverting Agent Model (App as Clients, Chat as Server and Reflection) Hello HN. I’d like to start by saying that I am a developer who started this research project to challenge myself. I know standard protocols like MCP exist, but I wanted to explore a different path and have some fun creating a communication layer tailored specifically for desktop applications.<p>The project is designed to handle communication between desktop apps in an agentic manner, so the focus is strictly on this IPC layer (forget about HTTP API calls).<p>At the heart of RAIL (Remote Agent Invocation Layer) are two fundamental concepts. The names might sound scary, but remember this is a research project:<p>Memory Logic Injection + Reflection Paradigm shift: The Chat is the Server, and the Apps are the Clients.<p>Why this approach? The idea was to avoid creating huge wrappers or API endpoints just to call internal methods. Instead, the agent application passes its own instance to the SDK (e.g., RailEngine.Ignite(this)).<p>Here is the flow that I find fascinating:<p>-The App passes its instance to the RailEngine library running inside its own process.<p>-The Chat (Orchestrator) receives the manifest of available methods.The Model decides what to do and sends the command back via Named Pipe.<p>-The Trigger: The RailEngine inside the App receives the command and uses Reflection on the held instance to directly perform the .Invoke().<p>Essentially, I am injecting the &quot;Agent Logic&quot; directly into the application memory space via the SDK, allowing the Chat to pull the trigger on local methods remotely.<p>A note on the Repo: The GitHub repository has become large. The core focus is RailEngine and RailOrchestrator. You will find other connectors (C++, Python) that are frankly &quot;trash code&quot; or incomplete experiments. I forced RTTR in C++ to achieve reflection, but I&#x27;m not convinced by it. Please skip those; they aren&#x27;t relevant to the architectural discussion.<p>I’d love to focus the discussion on memory-managed languages (like C#&#x2F;.NET) and ask you:<p>-Architecture: Does this inverted architecture (Apps &quot;dialing home&quot; via IPC) make sense for local agents compared to the standard Server&#x2F;API model?<p>-Performance: Regarding the use of Reflection for every call—would it be worth implementing a mechanism to cache methods as Delegates at startup? Or is the optimization irrelevant considering the latency of the LLM itself?<p>-Security: Since we are effectively bypassing the API layer, what would be a hypothetical security layer to prevent malicious use? (e.g., a capability manifest signed by the user?)<p>I would love to hear architectural comparisons and critiques.

[Other] Show HN: difi – A Git diff TUI with Neovim integration (written in Go)