Show HN: External Threat Protection in GitHub Agentic Workflow
The post describes integrating the SafeDep MCP (Model Context Protocol) server with GitHub's agentic workflows, adding protection against external threats in developer pipelines.
Show HN: The Dot
The Dot is a political game, part of The Lowball.
Ask HN: Is there something like Google style guide for AI-only coded apps?
The Google style guides for C++/Java/Python are opinionated, hard-fought, and wise; they eliminate a large source of errors while minimizing harmful, unneeded inconsistencies. They picked a style that made great, realistic use of the best cognition available at the time.
The intent is still great, but now we should think about writing good general rules for building programs that are essentially all AI generated. What generic wisdom leads to flexible, auditable, composable and robust apps and systems?
Observability Theatre
This article explores 'observability theatre': organizations prioritizing the appearance of observability over genuine monitoring capability. It highlights the risks of that approach and argues for building real observability practices that yield meaningful insights and improve system reliability.
Google quantum-proofs HTTPS by squeezing 15kB of data into 700-byte space
Google is using advanced mathematical techniques, including lattice-based cryptography, to make HTTPS certificates more resistant to potential quantum computing attacks. This approach aims to future-proof internet security as quantum computing continues to develop.
Prior to attacks CIA assessed Khamenei could be replaced by IRGC hardliners
According to a CIA assessment made before the recent attacks, Iran's Supreme Leader Ayatollah Ali Khamenei could be replaced by 2026 by a hardline member of the Islamic Revolutionary Guard Corps.
Ask HN: How do we solve the bot flooding problem without destroying anonymity?
AI posts are becoming indistinguishable from human posts, and we can see it here on HN. The conventional response by website operators is to put in progressively tighter verification systems to distinguish bots and humans, but that eventually leads to the end of anonymity.
This is not an anti-AI rant. If a future AI agent truly has high quality posts and wants to use the site normally, that's fine. I'm talking about spam campaigns with hundreds of new accounts. We need new solutions to this problem.
I'll start by proposing a solution that could work for HN and similar forums. Feel free to iterate on it or propose your different ideas in the comments. Here goes:
For logged-in users, instead of ranking posts and comments on the server-side, the server only delivers a chronological feed + the current logged-in user's voting history.
Using the chronological feed as the base, each of your past votes changes the ranking of your feed by a tiny bit, and that's calculated client-side. You're more likely to see posts and comments from users you've upvoted in the past at the top.
In short, this means a new account will see a completely chronological feed, while an established account will see a feed modified by only their own past votes.
The public feed for non-logged-in users would still be ranked by the server. No changes there.
So each user gets a fully personalized bubble when logged in, except it's not a bubble because n=1. And it's really easy to break out of the bubble by logging out.
Spam bots can post and vote all they want, but they won't change the core userbase's experience much: a fresh bot account only ever sees the chronological feed and has no accumulated taste, so it can't surface its votes and replies into the conversations real users actually see.
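The proposal above can be sketched in a few lines. This is a hypothetical illustration of the client-side reranking idea; the function names, the feed shape, and the scoring rule (a small per-upvote bonus subtracted from chronological rank) are my own assumptions, not anything specified in the post.

```python
# Illustrative sketch of client-side feed reranking from a user's own votes.
# All names and the scoring rule here are assumptions, not the post's spec.
from collections import Counter

def rerank(chronological_feed, my_vote_history, boost=0.1):
    """Reorder a chronological feed using only this user's past upvotes.

    chronological_feed: list of dicts like {"id": ..., "author": ..., "age_rank": n}
    my_vote_history:    list of author names this user has upvoted before
    """
    # Taste accumulates: authors you've upvoted more often get a bigger boost.
    upvotes_per_author = Counter(my_vote_history)

    def score(post):
        # Lower is better: start from chronological position, subtract a
        # small bonus per past upvote of this post's author.
        return post["age_rank"] - boost * upvotes_per_author[post["author"]]

    return sorted(chronological_feed, key=score)

feed = [
    {"id": 1, "author": "alice", "age_rank": 0},
    {"id": 2, "author": "bob",   "age_rank": 1},
    {"id": 3, "author": "carol", "age_rank": 2},
]
# A user who has upvoted carol many times sees her post bubble up;
# a brand-new (or bot) account with no history sees pure chronology.
print([p["id"] for p in rerank(feed, ["carol"] * 25)])  # → [3, 1, 2]
print([p["id"] for p in rerank(feed, [])])              # → [1, 2, 3]
```

The server only ships the chronological feed plus the user's own vote history, so there is nothing site-wide for a bot farm to manipulate.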
Show HN: Building a Kotlin/Native build tool in Rust: Konvoy
Konvoy is an open-source build tool for Kotlin/Native projects, written in Rust.
Show HN: JamCrew – 868 tests, 91% coverage on a pre-revenue crew management SaaS
JamCrew is a pre-revenue crew-management SaaS; this Show HN focuses on its engineering rigor, with 868 tests and 91% code coverage.
Berkshire Hathaway 2025 Annual Report [pdf]
Roast My Code – AI that scores and roasts your codebase (open source)
Ask HN: What are you working on? (March 2026)
Show HN: Agentic Workflows – 56 Ready-to-use Templates
AI can slowly shift an organisation's core principles
The article discusses how AI can gradually shift an organization's core principles and values over time, a phenomenon known as 'value drift.' It highlights the importance of regularly monitoring and assessing an organization's alignment with its original principles to identify and address any unintended shifts early on.
Show HN: Gpu.fund – GPU rental prices across Vast.ai, RunPod, AWS, GCP and more
GPU.fund aggregates GPU rental prices across providers such as Vast.ai, RunPod, AWS, and GCP, letting users compare the cost of the same hardware across marketplaces and clouds.
Mount Mayhem at Netflix: Scaling Containers on Modern CPUs
The article discusses Netflix's efforts to scale container workloads on modern CPUs, including the challenges faced and the solutions implemented. It highlights the company's use of CPU pinning, NUMA awareness, and other techniques to optimize container performance and achieve high resource utilization.
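For context on one technique the summary names, here is a minimal sketch of CPU pinning on Linux using Python's standard library. It is a generic illustration, not Netflix's implementation, and `pin_to_cpu` is a hypothetical helper name.

```python
# Generic illustration of CPU pinning on Linux (not Netflix's actual code).
import os

def pin_to_cpu(cpu_index: int, pid: int = 0) -> set:
    """Pin a process (pid 0 = the calling process) to a single core and
    return the resulting affinity mask. Linux-only (sched_setaffinity)."""
    os.sched_setaffinity(pid, {cpu_index})
    return os.sched_getaffinity(pid)

if hasattr(os, "sched_setaffinity"):  # guard: not available on macOS/Windows
    original = os.sched_getaffinity(0)
    # e.g. keep a latency-sensitive container's threads on one cache domain
    mask = pin_to_cpu(min(original))
    print(mask)
    os.sched_setaffinity(0, original)  # restore the original mask
```

In container setups this is typically done via cgroup cpusets rather than per-process calls, but the underlying kernel mechanism is the same affinity mask.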
Show HN: Papercut – track ArXiv topics, get notified, skim with AI summaries
Hey HN, I follow a few research areas on arXiv but I never had a good routine for keeping up. I'd check when I remembered, fall behind, then try to catch up on a week's worth of papers at once.
I built Papercut so I don't have to think about it. You define the arXiv categories and topics you care about, and the app notifies you when new papers come in. You open it, scroll through a feed, and each paper has style chips for AI summaries - TL;DR, math breakdown, ELI5, methodology, a few others. Helps you decide quickly what's worth a full read. Runs on-device with Apple Foundation Models. No account, no login, no tracking.
iOS only for now, requires iOS 26 for on-device summarization.
https://apps.apple.com/in/app/papercut-research-distilled/id...
What does your arXiv setup look like? I feel like everyone has a different workflow and I'm curious what people here use.
Show HN: I built an open-source D&D app using Python and Llama 3.1
The article introduces a Dungeon Master's Copilot, a virtual assistant tool designed to help Dungeon Masters in Dungeons & Dragons games by providing features like character creation, encounter management, and lore lookup.
Show HN: On-device element inspector for React Native
The post introduces an on-device element inspector for React Native, a tool that lets developers inspect the structure and properties of components directly inside a running app, aiming to improve the debugging and development workflow.
Need Your Next Builder?
If you need a contract software engineer to build your platform, hit me up. Previously built software at companies like Rippling. 10+ YoE
Drop your email in the comments or write to devhire89@gmail.com.
Pluralistic: If you build it (and it works), Trump will come (and take it)
This article explores the concept of 'being hanged for a sheep as well as a lamb,' examining how small acts of resistance can lead to severe consequences, and how people may choose to take greater risks when the punishment is the same regardless of the scale of their actions.
AI Safety Farce
The article discusses the challenges and limitations of current AI safety research, arguing that it fails to address fundamental problems and that the field is being hijacked by corporate interests and the military-industrial complex.
Show HN: SkillFortify, Formal verification for AI agents (auto-discovers)
Hi HN,
I posted SkillFortify here a few days ago as a formal verification tool for 3 agent skill formats. Based on feedback, v0.3 now supports 22 agent frameworks and can scan your entire system with zero configuration.
The problem: In January 2026, the ClawHavoc campaign planted 1,200 malicious skills into agent marketplaces. CVE-2026-25253 was the first RCE in agent software. Researchers catalogued 6,000+ malicious agent tools. The industry responded with heuristic scanners — pattern matching, YARA rules, LLM-as-judge. One popular scanner states in its docs: "No findings does not mean no risk."
SkillFortify eliminates that caveat with formal verification.
What it does:
pip install skillfortify
skillfortify scan
That's it. No arguments, no config files, no paths. It auto-discovers every AI tool on your machine across 23+ IDE profiles:

[*] Auto-discovering AI tools on system...
[+] Found: Claude Code (12 skills)
[+] Found: Cursor (8 skills)
[+] Found: VS Code MCP (5 servers)
[+] Found: Windsurf (3 skills)
[*] Scanning 28 skills across 4 tools...
RESULTS
Critical: 2 skills with capability violations
High: 3 skills with excessive permissions
Clean: 23 skills passed all checks
22 supported frameworks: Claude Code, Cursor, VS Code, Windsurf, Gemini, OpenCode, Cline, Continue, Copilot, n8n, Roo, Trae, Kiro, Kode, Jules, Junie, Codex, SuperVS, Zencoder, CommandCode, Factory, Qoder — plus auto-discovery of unknown tools.

Why formal verification, not heuristics: Heuristic scanners check for known bad patterns. Novel attacks pass through. SkillFortify verifies what a skill CAN do against what it CLAIMS to do. Five mathematical theorems guarantee soundness — if it says safe, it provably cannot exceed declared capabilities.
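To make the capability-vs-claim idea concrete, here is a toy illustration of the general approach, not SkillFortify's actual formal model: over-approximate what a snippet can do by walking its AST, then compare that against its declared capabilities. The capability map and function names are my own simplifications.

```python
# Toy capability-vs-declaration check (illustrative only, not SkillFortify's
# formal model): walk every call site and over-approximate capabilities.
import ast

CAPABILITY_OF = {"open": "fs.read", "urlopen": "net.request", "system": "proc.exec"}

def observed_capabilities(source: str) -> set:
    """Over-approximate a skill's capabilities from its call sites."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # Handle both bare names (open) and attribute calls (os.system).
            name = getattr(node.func, "id", getattr(node.func, "attr", ""))
            if name in CAPABILITY_OF:
                caps.add(CAPABILITY_OF[name])
    return caps

def verify(source: str, declared: set) -> set:
    """Return capability violations: empty set means the code stays within
    its declared envelope (for this toy capability map)."""
    return observed_capabilities(source) - declared

# A "skill" that claims only file reads but shells out is flagged:
print(verify("import os\nos.system('ls')", {"fs.read"}))  # → {'proc.exec'}
```

The soundness property hinges on over-approximation: the analysis may flag capabilities the code never exercises at runtime, but it must never miss one, which is what lets "no findings" carry a guarantee instead of a caveat.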
Results on 540-skill benchmark (270 malicious, 270 benign):
- F1 = 96.95%
- Precision = 100% (zero false positives)
- Recall = 94.07%
- Speed: ~2.5ms per skill
9 CLI commands:
- scan — auto-discover + analyze all AI tools on your system
- verify — formally verify a single skill
- lock — generate skill-lock.json (like package-lock.json for agent skills)
- trust — compute graduated trust score (L0-L3, inspired by SLSA)
- sbom — generate CycloneDX 1.6 Agent Software Bill of Materials
- frameworks — list all 22 supported frameworks + detection status
- dashboard — generate standalone HTML security report (zero dependencies)
- registry-scan — scan MCP/PyPI/npm registries before installing
- verify --recursive — batch verify entire directory trees
1,818 tests. 22 parsers. 97 source modules. MIT licensed. Peer-reviewed paper on Zenodo.
GitHub: https://github.com/varun369/skillfortify
PyPI: https://pypi.org/project/skillfortify/
Paper: https://zenodo.org/records/18787663
Wiki: https://github.com/varun369/skillfortify/wiki
Landing page: https://www.superlocalmemory.com/skillfortify
Built this as part of my research on making AI agents reliable enough for production. The companion project AgentAssert (arXiv:2602.22302) handles behavioral contracts — SkillFortify handles the supply chain.
Happy to answer questions about the formal model, framework support, or auto-discovery.
What breaks when you vote on specific claims instead of whole posts?
For a software project I'm working on, I've been studying a pattern in online discussions that feel thoughtful yet inconclusive.
Most platforms let people react to containers (a post, a comment, a person). In practice, people often agree with part of a comment and reject another part. The UI forces a single gesture.
A different primitive: treat claims as first-class objects.
• You quote a specific sentence/claim.
• People register agreement/disagreement on that quote.
• A thread can accumulate a map of "high-agreement claims" and "contested claims."
I can see real upsides (less talking past each other, more legible convergence). I also see real risks (context collapse, pedantry, incentive gaming, brigading, rhetorical fragmentation).
I’m looking for experienced critiques—especially from people who’ve built forums, moderation tooling, ranking systems, or deliberation products.
What failure modes appear when you move voting granularity from the post level down to the claim level, and what design choices mitigate them?
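One possible shape for the claims-as-first-class-objects primitive, sketched in Python. The class, field names, and the agreement threshold are illustrative assumptions on my part, not a proposed spec.

```python
# Illustrative data model for claim-level voting; names and thresholds
# are assumptions, not the poster's design.
from dataclasses import dataclass

@dataclass
class Claim:
    quote: str             # the exact sentence being voted on
    parent_comment_id: int # keeps the surrounding context reachable
    agree: int = 0
    disagree: int = 0

    def vote(self, agrees: bool):
        if agrees:
            self.agree += 1
        else:
            self.disagree += 1

def partition(claims, threshold=0.8, min_votes=5):
    """Split a thread's claims into high-agreement vs contested,
    requiring a minimum vote count before calling anything settled."""
    high, contested = [], []
    for c in claims:
        total = c.agree + c.disagree
        if total >= min_votes and c.agree / total >= threshold:
            high.append(c)
        else:
            contested.append(c)
    return high, contested
```

Keeping `parent_comment_id` on every claim is one small mitigation for the context-collapse risk: the quoted sentence can always be expanded back into the comment it came from.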
Community-powered blocklist for removing slop from HN comments
The post presents a community-powered blocklist for Hacker News that hides comments from accounts the community has flagged for posting AI-generated slop, aiming to improve discussion quality.
What Hackers Consider Essential (1991)
essentials n. Things necessary to maintain a productive and secure hacking environment. "A jug of wine, a loaf of bread, a 20-megahertz 80386 box with 8 meg of core and a 300-megabyte disk supporting full UNIX with source and X windows and EMACS and UUCP via a 'blazer to a friendly Internet site, and thou."
Raymond, E.S. & Steele, G.L. (eds.), The Jargon File [1991] https://magic-cookie.co.uk/jargon/mit_jargon.htm#x817
Still Ours To Lose – almost all LLMs share one remarkable behavioral trait
The article argues that almost all current LLMs share one remarkable behavioral trait, and explores what that shared behavior implies, a situation the author frames as still ours to lose.
Textadept
Textadept is a lightweight and customizable text editor designed for programmers, featuring cross-platform compatibility, rapid scripting capabilities, and a variety of plugins and themes to enhance productivity and workflow.
Show HN: I built a desktop app combining Claude, GPT, Gemini with local Ollama
I built a desktop app (PyQt6, Windows) that orchestrates multiple AI models in a 3-phase pipeline:
Phase 1 – A cloud LLM (Claude/GPT/Gemini) decomposes the prompt into structured sub-tasks
Phase 2 – Local Ollama models process each sub-task (free, private, runs on your GPU)
Phase 3 – The cloud LLM integrates the results into a coherent final answer
The motivation: cloud APIs are great at reasoning and structure but cost money. Local Ollama models are free but sometimes inconsistent. The pipeline lets you use each where it's strongest.
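The three phases can be sketched roughly as follows. This is a hedged illustration of the described flow, assuming the cloud and local models are exposed as simple prompt-to-text callables; `pipeline` and its prompts are placeholders, not the app's actual code.

```python
# Rough sketch of the 3-phase cloud/local pipeline described above.
# The callables and prompt wording are placeholders, not the app's API.
import json

def pipeline(user_prompt, cloud_llm, local_llm):
    """cloud_llm / local_llm are callables: prompt -> completion text."""
    # Phase 1: the cloud model decomposes the prompt into sub-tasks.
    plan = json.loads(cloud_llm(
        "Split into sub-tasks; reply with a JSON list of strings:\n" + user_prompt))
    # Phase 2: each sub-task runs on the free, private local model.
    partials = [local_llm(task) for task in plan]
    # Phase 3: the cloud model integrates the partial answers.
    return cloud_llm(
        "Combine these partial answers into one coherent response:\n"
        + "\n---\n".join(partials))
```

Dependency-injecting the two model callables keeps the routing logic testable without API keys or a running Ollama instance.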
Also includes:
- FastAPI + React web UI (accessible from LAN/mobile)
- SQLite chat history
- ChromaDB-based RAG
- Discord webhook notifications
Stack: Python, PyQt6, FastAPI, React, Ollama, Anthropic/OpenAI/Google APIs. MIT license.
TrueSize: Compare Real Country and Region Sizes
The article discusses the TrueSize website, which allows users to visualize the true size and scale of countries and continents by overlaying them on a map of another region. The site aims to provide a more accurate perspective on the relative sizes of different geographic areas, challenging common misconceptions and distortions often present in traditional map projections.