Show HN: A Prompt-Injection Firewall for AI Agents and RAG Pipelines https://ift.tt/r6h0gHe

Show HN: A Prompt-Injection Firewall for AI Agents and RAG Pipelines We built SafeBrowse — an open-source prompt-injection firewall for AI systems. Instead of relying on better prompts, SafeBrowse enforces a hard security boundary between untrusted web content and LLMs. It blocks hidden instructions, policy violations, and poisoned data before the AI ever sees it. Features: • Prompt injection detection (50+ patterns) • Policy engine (login/payment blocking) • Fail-closed by design • Audit logs & request IDs • Python SDK (sync + async) • RAG sanitization PyPI: pip install safebrowse Looking for feedback from AI infra, security, and agent builders. January 1, 2026 at 02:31AM

Show HN: A web-based lighting controller built because my old became a brick https://ift.tt/n4ZTrcd

Show HN: A web-based lighting controller built because my old became a brick I’m a student and I built this because my old lightning controller (DMX) became a brick after the vendor’s control software was deprecated in 2025. My focus was entirely on developing a robust backend architecture to guarantee maximum performance. Everything is released under GPLv3. The current frontend is just a "vibecoded" dashboard made with plain HTML and JavaScript to keep rendering latency as low as possible. In earlier versions Svelte was used. Svelte added too much complexity for an initial mvp. Video: https://ift.tt/gly5x4j Repo: https://ift.tt/VIx6L4P Technical Details: The system uses a distributed architecture where a FastAPI server manages the state in a Redis. State changes are pushed via WebSockets to Raspberry Pi gateways, which then independently maintain the constant 44Hz binary stream to the lights. This "push model" saves massive amounts of bandwidth and ensures low latency. In a stress test, I processed 10 universes (5,120 channels) at 44Hz with zero packet loss (simulated). An OTP-based pairing makes the setup extremely simple (plug-and-play). I’m looking forward to your feedback on the architecture and the Redis approach! Happy New Year! https://ift.tt/VIx6L4P December 31, 2025 at 10:16PM

Show HN: Fleet / Event manager for Star Citizen MMO https://ift.tt/cmBWhFX

Show HN: Fleet / Event manager for Star Citizen MMO I built an open-source org management platform for Star Citizen, a space MMO where player orgs can have 50K+ members managing fleets worth millions. https://scorg.org The problem: SC's official tools won't launch until 2026, but players need to coordinate now - track 100+ ship fleets, schedule ops across timezones, manage alliances, and monitor voice activity during battles. Interesting challenges solved: 1. Multi-org data isolation - Users join multiple orgs, so every query needs scoping. 2. Canvas + Firebase Storage CORS - Couldn't export fleet layouts as PNG. Solution: fetch images as blobs, convert to base64 data URLs, then draw to canvas. No CORS config needed. 3. Discord bot - Built 4 microservices (VoiceActivityTracker, EventNotifier, ChannelManager, RoleSync) sharing Firebase state. Auto-creates channels for ops, cleans up when done. Features: role-based access, event calendar with RSVP, LFG matchmaking, drag-and-drop fleet builder, economy tools, alliance system, analytics dashboard, mobile-responsive. ~15 pages, fully functional. Custom military-inspired UI (monospace, gold accents). January 1, 2026 at 12:48AM

Show HN: A dynamic key-value IP allowlist for Nginx https://ift.tt/NCLqQXr

Show HN: A dynamic key-value IP allowlist for Nginx I am currently working on a larger project that needs a short-lived HTTP "auth" based on a separate, out-of-band authentication process. Since every allowed IP only needs to be allowed for a few minutes at a time on specific server names, I created this project to solve that. It should work with any Redis-compatible database. For the docker-compose example, I used valkey. This is mostly useful if you have multiple domains that you want to control access to. If you want to allow 1.1.1.1 to mywebsite.com and securesite.com, and 2.2.2.2 to securesite.com and anothersite.org for certain TTLs, you just need to set hash keys in your Redis-compatible database of choice like: 1.1.1.1: - mywebsite.com: 1 (30 sec TTL) - securesite.com: 1 (15 sec TTL) 2.2.2.2: - securesite.com: 1 (3600 sec TTL) - anothersite.org: 1 (never expires) Since you can use any Redis-compatible database as the backend, per-entry TTLs are encouraged. An in-process cache can also be used, but is not enabled unless you pass --enable-l1-cache to kvauth. That makes successful auth_requests a lot faster since the program is not reaching out to the key/value database on every request. I didn't do any hardcore profiling on this but did enable the chi logger middleware to see how long requests generally took: kvauth-1 | 2025/12/30 21:32:28 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:42038 - 401 0B in 300.462µs # disallowed request nginx-1 | 192.168.65.1 - - [30/Dec/2025:21:32:28 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.7.1" kvauth-1 | 2025/12/30 21:32:37 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:40160 - 401 0B in 226.189µs # disallowed request nginx-1 | 192.168.65.1 - - [30/Dec/2025:21:32:37 +0000] "GET / HTTP/1.1" 401 179 "-" "curl/8.7.1" # IP added to redis allowlist kvauth-1 | 2025/12/30 21:34:02 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:54032 - 200 0B in 290.648µs # allowed, but had to reach out to valkey kvauth-1 | 2025/12/30 21:34:02 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:54044 - 200 0B in 4.041µs nginx-1 | 192.168.65.1 - - [30/Dec/2025:21:34:02 +0000] "GET / HTTP/1.1" 200 111 "-" "curl/8.7.1" kvauth-1 | 2025/12/30 21:34:06 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:51494 - 200 0B in 6.617µs # allowed, used cache kvauth-1 | 2025/12/30 21:34:06 "GET http://127.0.0.1:8888/kvauth HTTP/1.0" from 127.0.0.1:51496 - 200 0B in 3.313µs nginx-1 | 192.168.65.1 - - [30/Dec/2025:21:34:06 +0000] "GET / HTTP/1.1" 200 111 "-" "curl/8.7.1 IP allowlisting isn't true authentication, and any production implementation of this project should use it as just a piece of the auth flow. This was made to solve the very specific problem of a dynamic IP allow list for NGINX. https://ift.tt/f3T1ixd December 31, 2025 at 03:59AM

Show HN: Claude Cognitive – Working memory for Claude Code https://ift.tt/Ta6m8h2

Show HN: Claude Cognitive – Working memory for Claude Code https://ift.tt/qw8dOe7 December 31, 2025 at 03:57AM

Show HN: Replacing my OS process scheduler with an LLM https://ift.tt/naKhx5l

Show HN: Replacing my OS process scheduler with an LLM https://ift.tt/70zQUDR December 30, 2025 at 10:17PM

Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting https://ift.tt/CfYcGbV

Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting TL;DR explanation (go to https://ift.tt/IYPnlKE... if you want the formatted version) This is done by measuring the minimum TCP RTT (client.socket.tcpi_min_rtt) seen and the smoothed TCP RTT (client.socket.tcpi_rtt). I am getting this data by using Fastly Custom VCL, they get this data from the Linux kernel (struct tcp_info -> tcpi_min_rtt and tcpi_rtt). I am using Fastly for the Demo since they have PoPs all around the world and they expose TCP socket data to me. The score is calculated by doing tcpi_min_rtt/tcpi_rtt. It's simple but it's what worked best for this with the data Fastly gives me. Based on my testing, 1-0.7 is normal, 0.7-0.3 is normal if the connection is somewhat unstable (WiFi, mobile data, satellite...), 0.3-0.1 is low and may be a proxy, anything lower than 0.1 is flagged as TCP proxy by the current code. https://ift.tt/RKcL9h3 December 26, 2025 at 02:04AM

Show HN: Neko.js, a recreation of the first virtual pet https://ift.tt/kc6mFri

Show HN: Neko.js, a recreation of the first virtual pet Hi HN, Here is a late Christmas present: I rebuilt Neko [1], the classic desktop cat that chases your mouse, as a tiny, dependency-free JavaScript library that runs directly on web pages. Live demo: https://louisabraham.github.io/nekojs/ GitHub: https://ift.tt/gj9CDxQ Drop-in usage is a single script tag: This is a fairly faithful recreation of Neko98: same state machine, same behaviors, same original 32×32 pixel sprites. It follows your cursor, falls asleep when idle, claws walls, and you can click it to cycle behavior modes. What made this project interesting to me is how I built it. I started by feeding the original C++ source (from the Wayback Machine) to Claude and let it "vibe code" a first JS implementation. That worked surprisingly well as a starting point, but getting it truly accurate required a lot of manual fixes: rewriting movement logic, fixing animation timing, handling edge cases the AI missed, etc. My takeaway: coding agents are very useful at resurrecting old codebases, and this is probably the best non-soulless use of AI for coding. It gets you 60–70% of the way there very fast, especially for legacy code that would otherwise rot unread. The last 30% still needs a human who cares about details. The final result is ~38KB uncompressed (~14KB brotli), zero dependencies, and can be dropped into a page with a single

Show HN: Pion SCTP with RACK is 70% faster with 30% less latency https://ift.tt/ygLD6k7

Show HN: Pion SCTP with RACK is 70% faster with 30% less latency SCTP is a low level protocol focused on reliable packet transmission. Unlike hopelessly flinging packets from one device to another, it makes sure that the packets are correct using CRC, removes duplicate packets, and allows for packets to be sent in any order. Going into an established library, I thought that everything was already implemented and that there wasn't anything to do until I went through the existing issues and organized all the tasks and decided on an order. Sean DuBois ( https://ift.tt/DJUHRQ2 ), one of the co-creators and current maintainers of Pion, an open-source pure Go implementation of WebRTC (which uses SCTP), introduced me to a dissertation that was written about improving SCTP from 2021 ( https://ift.tt/7cdySMG... ). To my surprise, the features in it weren't actually implemented yet, and generally went unused even though it depicted pretty big improvements. This came as a bit of a shock to me considering the countless companies and services that actively use Pion with millions of users on a daily basis. This led to two things: 1) implement the feature (done by me) and 2) measure the performance (done by Joe Turki https://ift.tt/l9KCd6X ). If you're interested in reading more, please check out the blog post where we go over what SCTP is used for, how I improved it, and the effort that went into making such a large improvement possible. This also marks a huge milestone for other companies and services that use SCTP as they can refer to the implementation in Pion for their own SCTP libraries including any real-time streaming platforms such as Microsoft Teams, Discord screen share, Twitch guest star, and many more! For my personal background, please take a look at a comment below about what it was like for me to get started with open-source and my career related journeys. Thanks for reading! https://ift.tt/Qb06Y5F December 28, 2025 at 11:35PM

Show HN: Writing USB Device Firmware with Raspberry Pi Pico and TinyUSB https://ift.tt/YRbZ1sI

Show HN: Writing USB Device Firmware with Raspberry Pi Pico and TinyUSB https://www.youtube.com/playlist?list=PL4C3a7zUGIuYu48KsA3krgm7rtLJwse03 December 28, 2025 at 11:41PM

Show HN: I'm 15. I built an offline AI Terminal Agent that fixes errors https://ift.tt/DKjMYSq

Show HN: I'm 15. I built an offline AI Terminal Agent that fixes errors https://ift.tt/Z7j2HSM December 27, 2025 at 10:27PM

Show HN: Jsonic – Python JSON serialization that works https://ift.tt/JVqknsc

Show HN: Jsonic – Python JSON serialization that works https://ift.tt/1fx9OM8 December 27, 2025 at 07:26PM

Show HN: AgentFuse – A local circuit breaker to prevent $500 OpenAI bills https://ift.tt/CMV061E

Show HN: AgentFuse – A local circuit breaker to prevent $500 OpenAI bills Hey HN, I’ve been building agents recently, and I hit a problem: I fell asleep while a script was running, and my agent got stuck in a loop. I woke up to a drained OpenAI credit balance. I looked for a tool to prevent this, but most solutions were heavy enterprise proxies or cloud dashboards. I just wanted a simple "fuse" that runs on my laptop and stops the bleeding before it hits the API. So I built AgentFuse. It is a lightweight, local library that acts as a circuit breaker for LLM calls. Drop-in Shim: It wraps the openai client (and supports LangChain) so you don't have to rewrite your agent logic. Local State: It uses SQLite in WAL mode to track spend across multiple concurrent agents/terminal tabs. Hard Limits: It enforces a daily budget (e.g., stops execution at $5.00). It’s open source and available on PyPI (pip install agent-fuse). I’d love feedback on the implementation, specifically the SQLite concurrency logic! I tried to make it as robust as possible without needing a separate server process. https://ift.tt/xreA3WY December 28, 2025 at 12:46AM

Show HN: Polibench – compare political bias across AI models https://ift.tt/wTIBR38

Show HN: Polibench – compare political bias across AI models Polibench runs the Political Compass questions across AI models so you can compare responses side by side. No signup. Built on top of work by @theo ( https://twitter.com/theo ) and @HolyCoward ( https://twitter.com/HolyCoward ). Question set is based on the Political Compass: https://ift.tt/PLTdn8g Early and rough. Feedback welcome on revealing questions, possible misuse, and ideas for extending it. Happy to answer questions. https://polibench.vercel.app/ December 27, 2025 at 12:23AM

Show HN: Web CLI – Browser-based terminal with multi-tab support https://ift.tt/ExzeKNo

Show HN: Web CLI – Browser-based terminal with multi-tab support Hey HN! Web CLI, an open-source web-based command management tool just got an upgrade with Interactive Terminal support https://ift.tt/PAuV2k6 December 26, 2025 at 09:53PM

Show HN: CLI to share secrets using one-time public keys https://ift.tt/vZFmLJt

Show HN: CLI to share secrets using one-time public keys https://ift.tt/MxSjKdw December 25, 2025 at 11:50PM

Show HN: Buoy – A persistent, status-bar web server for local utilities https://ift.tt/RzsVEyc

Show HN: Buoy – A persistent, status-bar web server for local utilities I’m constantly building small web-based tools for my own use. Usually, my workflow ends with a dilemma: do I keep a terminal tab open forever running `npx http-server -p 8080`, or do I spend time configuring a Caddyfile for a 50-line HTML tool? Nothing felt right. I wanted something that felt like a native, always-on, utility that was easily accessible but invisible. I built Buoy. It’s a minimal server that: Lives in the status bar: I can see that it's running at a glance without hunting through ps aux. Is persistent by default: It starts with macOS and keeps my utilities alive in the background. Zero-config: It points at a XDG‑Standard www folder so I can create a symlink and be done. Small: I wanted to avoid the modern bloat. Buoy is a single, self-contained binary that's under 10MB. It’s a minimal tool that lets me build many small things and move on to the next. https://ift.tt/iKQORMV December 25, 2025 at 09:51PM

Show HN: WebPtoPNG – I built a WebP to PNG tool, everything runs in the browser https://ift.tt/PowjqfD

Show HN: WebPtoPNG – I built a WebP to PNG tool, everything runs in the browser I built WebPtoPNG after getting frustrated with converters that throttle uploads or phone data; everything runs straight in the browser, and never asks for a signup. https://webptopng.cc/ December 25, 2025 at 02:14AM

Show HN: Elfpeek – A tiny interactive ELF binary inspector in C https://ift.tt/6DM4gu5

Show HN: Elfpeek – A tiny interactive ELF binary inspector in C https://ift.tt/c0fRphu December 24, 2025 at 11:08PM

Show HN: An open-source anonymizer tool to replace PII in PostgreSQL databases https://ift.tt/IBl8mhJ

Show HN: An open-source anonymizer tool to replace PII in PostgreSQL databases https://ift.tt/xSW8hHp December 24, 2025 at 09:45PM