The best Hacker News stories from Show from the past day

Latest posts:

Show HN: Only 1 LLM can fly a drone

Show HN: Netfence – Like Envoy for eBPF Filters

To power the firewalling for our agents so that they couldn't contact arbitrary services, I built netfence. It's like Envoy but for eBPF filters.

It allows you to define different DNS-based rules that are resolved in a local daemon to IPs, then pushed to the eBPF filter to allow traffic. By doing it this way, we can still allow DNS-defined rules, but prevent contacting random IPs.

There's also no network performance penalty, since it's just DNS lookups and eBPF filters referencing memory.

It also means you don't have to tamper with the base image, which the agent could potentially manipulate to remove rules (unless you prevent root maybe).

It automatically manages the lifecycle of eBPF filters on cgroups and interfaces, so it works well for both containers and micro VMs (like Firecracker).

You implement a control plane, just like Envoy xDS, with which you can manage the rules of each cgroup/interface. You can even manage DNS through the control plane to dynamically resolve records (which is helpful as a normal DNS server doesn't know which interface/cgroup a request might be coming from).

We specifically use this to allow our agents to only contact S3, pip, apt, and npm.

Show HN: C From Scratch – Learn safety-critical C with prove-first methodology

Seven modules teaching C the way safety-critical systems are actually built: MATH → STRUCT → CODE → TEST.

Each module answers one question: Does it exist? (Pulse), Is it normal? (Baseline), Is it regular? (Timing), Is it trending? (Drift), Which sensor to trust? (Consensus), How to handle overflow? (Pressure), What do we do about it? (Mode).

Every module is closed (no dependencies), total (handles all inputs), deterministic, and O(1). 83 tests passing.

Built this after 30 years in UNIX systems. Wanted something that teaches the rigour behind certified systems without requiring a decade of on-the-job learning first.

MIT licensed. Feedback welcome.

Show HN: Fence – Sandbox CLI commands with network/filesystem restrictions

Hi HN!

Fence wraps any command in a sandbox that blocks network by default and restricts filesystem writes. Useful for running semi-trusted code (package installs, build scripts, unfamiliar repos) with controlled side effects, or even just blocking tools that phone home.

    > fence curl https://example.com # -> blocked
    > fence -t code -- npm install # -> template with registries allowed
    > fence -m -- npm install # -> monitor mode: see what gets blocked

One use-case is to use it with AI coding agents to reduce the risk of running agents with fewer interactive permission prompts:

    > fence -t code -- claude --dangerously-skip-permissions

You can import existing Claude Code permissions with `fence import --claude`.

Fence uses OS-native sandboxing (macOS sandbox-exec, Linux bubblewrap) + local HTTP/SOCKS proxies for domain filtering.

Why I built this: I work on Tusk Drift, a system to record and replay real traffic as API tests (https://github.com/Use-Tusk/tusk-drift-cli). I needed a way to sandbox the service under test during replays to block localhost outbound connections (Postgres, Redis) and force the app to use mocks instead of real services. I quickly realized that this could be a general purpose tool that would also be useful as a permission manager across CLI agents.

Limitations: Not strong containment against malware. Proxy-based filtering requires programs to respect `HTTP_PROXY`.

Curious if others have run into similar needs, and happy to answer any questions!

Show HN: AutoShorts – Local, GPU-accelerated AI video pipeline for creators

Show HN: An interactive map of US lighthouses and navigational aids

This is an interactive map of US navigational aids and lighthouses, which indicates their location, color, characteristic and any remarks the Coast Guard has attached.

I was sick at home with the flu this weekend, and went on a bit of a Wikipedia deep dive about active American lighthouses. Searching around a bit, it was very hard to find a single source or interactive map of active beacons, and a description of what the "characteristic" meant. The Coast Guard maintains a list of active lights though, that they publish annually (https://www.navcen.uscg.gov/light-list-annual-publication). With some help from Claude Code, it wasn't hard to extract the lat/long and put together a small webapp that shows a map of these light stations and illustrates their characteristic with an animated visualization.

Of course, this shouldn't be used as a navigational aid, merely for informational purposes! Though having lived in Seattle and San Francisco I thought it was quite interesting.

Show HN: A small programming language where everything is pass-by-value

This is a hobby project of mine that I started a few years ago to learn about programming language implementation. It was created 95% without AI, although a few recent commits include code from Gemini CLI.

I started out following Crafting Interpreters, but gradually branched off that until I had almost nothing left in common.

Tech stack: Rust, Cranelift (JIT compilation), LALRPOP (parser).

Original title: "A small programming language where everything is a value" (edited based on comments)

Show HN: TUI for managing XDG default applications

Author here. I made this little TUI program for managing default applications on the Linux desktop.

Maybe some of you will find it useful.

Happy to answer any questions.

Show HN: Bonsplit – Tabs and splits for native macOS apps

Show HN: I built a space travel calculator using Vanilla JavaScript

I built this because measuring my age in years felt boring—I wanted to see the kilometers.

The first version only used Earth's orbital speed (~30km/s), but the number moved too slowly. To get the "existential dread" feeling, I switched to using the Milky Way's velocity relative to the CMB (~600km/s). The math takes some liberties (using scalar sum instead of vector) to make the speed feel "fast," but it gets the point across.

Under the hood, it's a single HTML file with zero dependencies. No React, no build step. The main challenge was the canvas starfield—I had to pre-allocate the star objects to stop the garbage collector from causing stutters on mobile.

Let me know if the physics makes you angry or if the stars run smooth on your device.

Show HN: Coi – A language that compiles to WASM, beats React/Vue

I usually build web games in C++, but using Emscripten always felt like overkill for what I was doing. I don't need full POSIX emulation or a massive standard library just to render some stuff to a canvas and handle basic UI.

The main thing I wanted to solve was the JS/WASM interop bottleneck. Instead of using the standard glue code for every call, I moved everything to a Shared Memory architecture using Command and Event buffers.

The way it works is that I batch all the instructions in WASM and then just send a single "flush" signal to JS. The JS side then reads everything directly out of Shared Memory in one go. It's way more efficient: I ran a benchmark rendering 10k rectangles on a canvas and the difference was huge: Emscripten hit around 40 FPS, while my setup hit 100 FPS.

But writing DOM logic in C++ is painful, so I built Coi. It's a component-based language that statically analyzes changes at compile-time to enable O(1) reactivity. Unlike traditional frameworks, there is no Virtual DOM overhead; the compiler maps state changes directly to specific handles in the command buffer.

I recently benchmarked this against React and Vue on a 1,000-row table: Coi came out on top for row creation, row updating and element swapping because it avoids the "diffing" step entirely and minimizes bridge crossings. Its bundle size was also the smallest of the three.

One of the coolest things about the architecture is how the standard library works. If I want to support a new browser API (like Web Audio or a new Canvas feature), I just add the definition to my WebCC schema file. When I recompile the Coi compiler, the language automatically gains a new standard library function to access that API. There is zero manual wrapping involved.

I'm really proud of how it's coming along. It combines the performance of a custom WASM stack with a syntax that actually feels good to write (for me at least :P). Plus, since the intermediate step is C++, I'm looking into making it work on the server side too, which would allow for sharing components across the whole stack.

Example (Coi Code):

    component Counter(string label, mut int& value) {
        def add(int i) : void {
            value += i;
        }

        style {
            .counter { display: flex; gap: 12px; align-items: center; }
            button { padding: 8px 16px; cursor: pointer; }
        }

        view {
            <div class="counter">
                <span>{label}: {value}</span>
                <button onclick={add(1)}>+</button>
                <button onclick={add(-1)}>-</button>
            </div>
        }
    }

    component App {
        mut int score = 0;

        style {
            .app { padding: 24px; font-family: system-ui; }
            h1 { color: #1a73e8; }
            .win { color: #34a853; font-weight: bold; }
        }

        view {
            <div class="app">
                <h1>Score: {score}</h1>
                <Counter label="Player" &value={score} />
                <if score >= 10>
                    <p class="win">You win!</p>
                </if>
            </div>
        }
    }

    app {
        root = App;
        title = "My Counter App";
        description = "A simple counter built with Coi";
        lang = "en";
    }

Live Demo: https://io-eric.github.io/coi

Coi (The Language): https://github.com/io-eric/coi

WebCC: https://github.com/io-eric/webcc

I'd love to hear what you think. It's still far from finished, but as a side project I'm really excited about :)
