frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Comet Browser Is Just 2 Chrome Extensions?

1•thecautiousdan•48s ago•0 comments

Show HN: Ownyourpixel.fun – Buy Pixels and Resell Them Like Digital Real Estate

https://www.ownyourpixel.fun/
1•mandarwagh•2m ago•0 comments

What Happened to All the Human Bird Flu Cases?

https://undark.org/2025/07/10/opinion-bird-flu-emergency-end/
1•EA-3167•3m ago•0 comments

Britain is cheap, and should learn to love it

https://www.economist.com/leaders/2025/07/10/britain-is-cheap-and-should-learn-to-love-it
1•jxmorris12•6m ago•0 comments

Why, Why, Why, Eliza?

https://www.learningfromexamples.com/p/why-why-why-eliza
10•silt•14m ago•0 comments

Detroit and Baltimore Built Local State Capacity to Bring Crime to New Lows

https://www.governance.fyi/p/two-failed-cities-detroit-and-baltimore
2•guardianbob•15m ago•1 comments

The 800k Hours Career Guide

https://www.boristhebrave.com/2025/07/10/the-800000-hours-career-guide/
2•ibobev•18m ago•0 comments

Icechunk 1.0: Production-Grade Cloud-Native Array Storage Is Here

https://earthmover.io/blog/icechunk-1-0-production-grade-cloud-native-array-storage-is-here
1•rhodysurf•18m ago•0 comments

A Game About Typing the Alphabet

https://www.agameabouttypingthealphabet.com
1•braska•19m ago•1 comments

'Intelligent' copper tariffs will 'wake people up', says mining billionaire

https://www.ft.com/content/bcd9b72d-4ebb-4d07-b20e-3a2e2c014f41
1•petethomas•22m ago•0 comments

Width and Depth: A Mental Model for Clearer Communication

http://productadvisorystudio.com/blog/2025/7/10/harnessing-width-and-depth-a-mental-model-for-clearer-communication-and-smarter-product-design
1•dannyrosen•22m ago•0 comments

WaitGroup.Go() in 1.25

https://appliedgo.net/spotlight/go-1.25-waitgroup-go/
2•semioz•24m ago•0 comments

Humanity's First Recorded Kiss Was Earlier Than We Thought

https://www.smithsonianmag.com/science-nature/humanitys-first-kiss-was-earlier-than-we-thought-180982206/
2•Bluestein•24m ago•0 comments

Finding Compiler Bugs: Cross-Language Code Generator and Differential Testing

https://arxiv.org/abs/2507.06584
1•matt_d•24m ago•0 comments

The AI window is now

https://tynan.com/the-ai-window-is-now/
4•skwee357•28m ago•0 comments

Rimac just snagged another 24 world records the Nevera R, including EV top speed

https://electrek.co/2025/07/10/rimac-snagged-24-world-records-all-electric-nevera-r-video/
1•Bender•29m ago•0 comments

NASA's Most Experienced Staff Are Taking Buyouts

https://www.jalopnik.com/1909012/nasa-most-experienced-staff-taking-trump-buyouts/
4•rntn•30m ago•0 comments

Show HN: FaceBlurify – browser‑only face blurring in <10 s

https://www.faceblurify.com/en/
1•HichamCh•31m ago•0 comments

Yes, Overclocking Can Damage Your CPU – Here Are the Warning Signs

https://www.slashgear.com/1906570/cpu-overclocking-risks-warning-signs/
6•Bluestein•32m ago•0 comments

Mcphub.com Is Officially Launched

https://mcphub.com
2•henryyao•33m ago•0 comments

When the Dutch Tried to Live in Concrete Spheres

https://www.openculture.com/2025/06/when-the-dutch-tried-to-live-in-concrete-spheres.html
1•PaulHoule•35m ago•0 comments

AI-Enabled Trash Trucks Will Scan Your Trash to Scold You About Recycling

https://www.thedrive.com/news/ai-is-coming-to-your-trash-truck-to-make-sure-youve-sorted-the-recycling-right
4•speckx•36m ago•0 comments

Show HN: Cursor Rules Generator

https://cursor-rules-generator.xyz/
2•prasadpilla•36m ago•0 comments

Building an AI app builder with an AI app builder built with an AI app builder

https://www.rhett.info/blog/bolt.new.new.new
3•basketbla•37m ago•1 comments

Mystery AI Hype Theater 3000

https://www.buzzsprout.com/2126417
1•jruohonen•37m ago•0 comments

SpaceX's Starlink Is Now Beaming Wi-Fi to 1k Planes

https://www.pcmag.com/news/spacexs-starlink-is-now-beaming-wi-fi-to-1000-planes
8•Bluestein•38m ago•0 comments

Slow down on building power plants for all those new AI datacenters report warns

https://www.theregister.com/2025/07/10/us_datacenter_growth/
3•Bender•39m ago•0 comments

Holographic memory storage and information processing in Quantum Brain Dynamics

https://www.researchgate.net/publication/381542637_Quantum_Brain_Dynamics_Optical_and_Acoustic_Super-Radiance_via_a_Microtubule
5•felineflock•42m ago•1 comments

Bitchat: notes on the path forward ("yo!")

https://github.com/orgs/permissionlesstech/discussions/139
1•greyface-•42m ago•0 comments

U.S. will review social media for foreign student visa applications

https://www.npr.org/2025/06/19/g-s1-73572/us-resumes-visas-foreign-students-access-social-media
55•BeetleB•43m ago•71 comments
Open in hackernews

Magic .env files built for sharing: Human-first, AI-friendly

https://varlock.dev/
45•mooreds•9h ago

Comments

jelder•8h ago
I don't get `.env` files. Just never made sense that we'd delegate managing environment variables to the processes which consumes them.

https://direnv.net is a better solution IMO. Once you set it up in your shell, it loads environment variables from the `.envrc` file in whatever the current directory is automatically. It includes a rich standard library (https://direnv.net/man/direnv-stdlib.1.html) for manipulation of PATH, etc.

For secrets, I just add this line to `.envrc`:

    source_env_if_exists .envrc.private
And add `.envrc.private` to `.gitignore`. Now that just works anywhere, whether the authors of whatever tool I'm using official support `.env` files or not.
awestroke•8h ago
This is about formalizing required secrets for dev. Many repos have a ".env.sample", which is better than nothing - you copy it to .env and fill in the blanks. If this is done automatically, even better. If the automatic .env setup also loads secrets from your password manager (with prompting), even better.
judofyr•7h ago
With direnv you can also run commands directly in the .envrc:

    export OPENAPI_API_KEY=$(op read "op://api-prod/openai/api-key")
Every time you cd into the directory it will execute the command. Isn’t this even better than copying the secret into a local file?
conception•7h ago
1password actually has environments now so you can just load it directly.
candiddevmike•7h ago
It's such a shame this isn't built into shells. There isn't really a security issue here as you have to trust the directory first before it fires.
__jonas•7h ago
I agree that loading environment variables should not be the responsibility of the process which consumes them, not sure what the benefit of renaming .env to .envrc is.

I use mise to load environment variables from .env, since I also use it to manage tool versions. When I don't have that available I just do

  set -a; source .env; set +a
direnv is definitely another good option.
jelder•7h ago
direnv also has `dotenv` and `dotenv_if_exists` macros, which nicely gets around the fact that `.env` files typically omit the `export` statement.
mananaysiempre•2h ago
Unlike .env, .envrc is not a series of key=value assignments, it’s a full Bash script such that any variables that are changed at the end of its execution are entered into your environment. (The idea is to approximate it being sourced into your shell, except it always uses Bash while you may be using a different shell.)

For example, I can write a Nix flake, put “use flake” (and nothing else) in my .envrc in the same directory, and have whatever PATH, PYTHONPATH, etc. changes that are needed to develop against the flake’s dependencies automatically applied when I enter the directory. You could almost certainly use this with virtualenv, nvm, or the like as well, I just haven’t tried.

throw-the-towel•7h ago
And I don't get storing your configuration in env variables, period. They're not discoverable at all, there's no namespacing nor any other isolation, there's no structure to them, and if you want a list you'll have to come up with an ad-hoc encoding. Environment variables are a mess, you'd be better off with a config file.
w0m•7h ago
I assume environment variables became popular as it's an 'easy' way to inject secrets without hardcoding them in a config file.
theozero•4h ago
Whether you like them or not, using env vars is ubiquitous because it's easy. Anything else ends up tightly coupled within your application code or only within the environment. Often you have a set of config needed both for your application and your surrounding dev tools / scripts. This tries a provide a universal solution.

At the end of the day you could imagine varlock loading your config, and injecting it using a method that is not env vars - a file, sidecar process, etc.

0xbadcafebee•6h ago
Most tech people don't grok the abstraction between an executable program and the environment it is executed in.

The thing that runs your code is responsible for adding the environment variables from wherever they are kept for that environment. The execution environments running your code are not checking out your Git repository and reading files from it before they execute your program; that would introduce a chicken-and-egg problem (and make it much harder to run your program in new environments).

Below is an example of why you can't just load all your variables in a single ".env" file.

Environments:

    - *development*:
        host: "my laptop"
        variables: [FOO=dev]
  
    - *staging*:
        host: "a ci/cd server"
        variables: [FOO=stage]

    - *production*:
        host: "a kubernetes server"
        variables: [FOO=prod]

I want to run my program in development!

    ->> open a terminal on my MacOS laptop
             ->> change to directory with my code
  
             ->> load environment variables into shell
                 $ source .env
  
             ->> run my program
                 $ ./MyProgram.EXE
             ->> the shell takes the variables it has, and adds them to the program at runtime
                 char *const argv[] = {"/Users/me/app_src/MyProgram.EXE", NULL};
                 char *const envp[] = {"FOO=dev", NULL};
                 execve("/Users/me/app_src/MyProgram.EXE", argv, envp);
  
                 ->> the program is loaded, executed, and accesses environment variables passed to it
I want to run my program in staging!

    ->> start a job on a ci/cd server
         ->> the ci/cd server starts a Docker container
           ->> the ci/cd server begins running commands in the Docker container
               ->> checkout latest code and change to new directory
  
               ->> load environment variables into shell
                   ->> retrieves environment variables set in ci/cd job configuration
                   ->> sets those variables in the shell
  
               ->> run my program
                   $ ./MyProgram.EXE
               ->> the shell takes the variables it has, and adds them to the program at runtime
                   char *const argv[] = {"/Users/me/app_src/MyProgram.EXE", NULL};
                   char *const envp[] = {"FOO=stage", NULL};
                   execve("/Users/me/app_src/MyProgram.EXE", argv, envp);
  
                   ->> the program is loaded, executed, and accesses environment variables passed to it

I want to run my program in production!

    ->> start a job on a kubernetes server
         ->> a deployment scheduler schedules a pod to start\
  
             ->> it looks up a configmap with environment variables
             ->> it looks up a secrets object with secrets
             ->> it sets environment variables in the pod based on the configmaps and secrets
  
             ->> it starts a container in the pod
               ->> it begins running commands in the container
                   ->> run my program
                       $ ./MyProgram.EXE
                   ->> the container takes the variables it has, and adds them to the program at runtime
                       char *const argv[] = {"/Users/me/app_src/MyProgram.EXE", NULL};
                       char *const envp[] = {"FOO=prod", NULL};
                       execve("/Users/me/app_src/MyProgram.EXE", argv, envp);
  
                       ->> the program is loaded, executed, and accesses environment variables passed to it

You have to add the environment variables to the execution environment before your program ever gets run. Otherwise (for example) you could never pull a Git repository to load variables, because where would the credentials to pull your Git repository come from? They have to be added beforehand. So that beforehand step is where you add all your environment variables for that environment. Your program merely reads them when it is executed; no need for your program to read additional files.

You should not do something like keep a ".env.dev", ".env.stage", ".env.prod", packaged up in a container. Each execution environment may need slightly different settings at run time. And secrets should not be kept in your Git repo, they should be loaded as-needed, at runtime, by your execution environment.

All this is covered neatly in The Twelve Factor App (https://12factor.net/config). As someone who's been doing this for two decades, I highly recommend everyone follow their guide to the letter.

theozero•4h ago
Even if you don't set any values in your env files (although why not set some non-sensitive defaults) you can still benefit from the schema and validation that varlock provides.

Imagine every public docker container had an .env.schema which was validated on startup, instead of scattered info about the available env vars in their readme.

0xbadcafebee•2h ago
Environment variables are a non-standard, limited form of transferring data. Depending on the platform, they may be case-insensitive, there are reserved words, size limits, naming rules, restricted charsets, etc. And their values are always strings. So having a schema on an environment variable isn't very useful, unless you do things like dynamic typing and type assumptions (which run into bugs). It's not a bad idea to have an opinionated library that defines some restrictions on environment variables, but the applications will always need to add more restrictions that your library has thought of.

Schemas are application-specific. Applications all deal with data types differently. Some data types (defined in schemas) even use transforms and complex custom algorithms before their data is validated. So it's better to let the application handle schemas directly on an as-needed basis.

All of that can be done independent of environment variables. Just make a library that validates data types, and pass your environment variables (or any data, from anywhere) to it. This is better not only because you can validate any kind of data, but you can load your data from places other than environment variables (from disk, from database, etc). This kind of general abstraction is more useful for general purpose computing, rather than a complex solution tailored for only one use case.

Finally: A schema isn't a replacement for documentation. Just because you have a technical document that defines what data is allowed in a variable, doesn't mean that somebody then knows what the hell that thing does - what it affects, when it should or shouldn't be used, etc. Documentation is for humans, schemas are for computers.

Nullabillity•8h ago
"Made for sharing", but suggests depending on 1Password?

It also seems.. irresponsible to claim that @sensitive values "will be always be redacted in CLI output", when the whole point of something like Varlock is to configure some external application that it doesn't control.

And what does "AI-friendly" mean here anyway... beyond, I suppose, varlock being AI slop itself.[0]

[0]: https://github.com/dmno-dev/varlock/tree/514917f4228d49d4404...

halfcat•7h ago
I don’t know about varlock, but 1Password’s `op` CLI tool seems to hook the STDOUT pipe and find/replace any instances of the secrets with “concealed by 1Password”. It works even if I drop into a REPL and try every way I can think of to print it out to the console.

So it would seem, on that front, that 1Password is doing the heavy lifting.

Using 1Password in this way has proven way better than storing .env files in plain text on dev machines, where the .env files get picked up if a company does backups, or someone stores a repo in their Dropbox folder, file gets flagged as potential malware and uploaded somewhere for further analysis, etc.

theozero•1h ago
Exactly. We will do that to stdout - and can patch JS itself too.

The goal here is to just make it dead simple to do the right thing with minimal effort. Get secrets out of plaintext, avoid the need to send them around insecurely, and help make sure you don't shoot yourself in the foot, which is surprisingly easy to do in hybrid server/client frameworks like Next.js.

Can you set up validations, syncing with various backends, and these protections all of this yourself by wiring together a bunch of tools with custom code? Of course... But here's one that will do it all with minimal effort.

theozero•4h ago
We say "made for sharing" because .env.schema replaces .env.example which always drifts from reality - and often requires insecurely sharing secrets manually.

Even if not setting values within your files, you can rely entirely on env vars in the platform where the code runs and still benefit from validation provided by varlock.

Right now we give 1Password as an example, but you can use any provider that has a CLI. We are also working on a plugin system that should make it easier to integrate with any provider.

As for redaction - that note is about how we redact your secrets from _our_ CLI output. However we also provide tools to redact within your application. Right now this works only in JavaScript, by patching global console methods. We will also hook into stdout for varlock run, similar to what the 1Password cli does.

The leak detection is much more interesting - especially in hybrid client/server frameworks, where you can easily shoot yourself in the foot.

By removing plaintext secrets from env files, we totally remove the risk of them leaking via AI code assistants, which I guarantee is happening millions of times a day right now. Also the schema itself and autogenerated types give AI much more context about your env.

slacktivism123•8h ago
Use case for non-deterministic processing of .env files?
debarshri•7h ago
You have to see the `.env` file from the context of where it gets deployed.

For example, when we [1] deploy applications in Kubernetes, we have built an admission controller that fetches secrets from vault and converts them into env variables or secrets for the application at runtime. In this way, you will only have a reference in the form of annotation for the application.

If you give an `.env` as is, people will extract that value and start using it. You will end up leaking secrets.

Another way we have been exploring injecting secrets is via a sidecar for the application or via SDK but the lift seems to be a bit too much.

I think the deployment environment should be responsible for injecting the credentials for the best posture.

[1] https://adaptive.live

mathfailure•7h ago
Why not integrate with KeePass(*)-family of secret stores or HashiCorp Vault?
theozero•4h ago
Right now, you can use any provider that has a CLI to fetch a single secret. In the near future, we'll be adding native plugins to make these integrations even easier.

Vault can be a huge lift and doesn't make sense for many projects - we wanted to build a tool that makes sense from day one, even when there is no backing provider, but can grow with your team and change providers seamlessly.

oulipo•7h ago
After having so many issues with .env files I just now do a simple .env at the root of the repo with just `ENV=prod/staging/dev` and then everything is generated (using 1password, etc) from a `config.ts` file in my `pkgs/config` from the monorepo

the file is basically a big

``` const config = { http: { server_url: ENV === "prod" ? "https://myserver.com" : "http://localhost:3000" ... } } ```

and this lets me type variables, add comments, many niceties, etc

tylergetsay•6h ago
its an old library but convict is great for this in the nodejs ecoystem
theozero•3h ago
This is exactly the kind of thing we are trying to replace. No more hacky custom solutions needed. With varlock you get type safety, validation, and the ability to compose together your config however you need to, without having to reinvent the wheel.
ks2048•7h ago
What makes it "AI-friendly"?
xena•7h ago
Buzzwords!
theozero•5h ago
Tons of folks have plaintext secrets in their env files which are leaked via AI assistants every day. By getting those out of plaintext, the risk is totally removed.

The schema itself (and the automatic types it can generate) also gives AI more context about what configuration is available, and what each item is for.

jaredcwhite•1h ago
> plaintext secrets in their env files which are leaked via AI assistants

So…we're not just talking about secrets then. Any text in any file could be leaked. The solution isn't simply moving secrets out of env files, the solution is, um,

*not leaking the contents of local files*

My god. Have we forgotten all semblance of how security & privacy in computing should work?

vergessenmir•7h ago
I don't get it, what does this do?
theozero•1h ago
On most projects you end up wiring up a bunch of custom logic to handle your config, which is often injected as environment variables - think loading from a secure source, validation logic, type safety, pre-commit git scanning, etc.

It's annoying to do it right, so people often take shortcuts - skip adding validation, send files over slack, don't add docs, etc...

The common pattern of using a .env.example file leads to constant syncing problems, and we often have many sources of truth about our config (.env.example, hand-written types, validation code, comments scattered throughout the codebase)

This tool lets you express additional schema info about the config your application needs via decorators in a .env file, and optionally set values, either directly if they are not sensitive, or via calls to an external service. This shouldn't be something we need to recreate when scaffolding out every new project. There should be a single source of truth - and it should work with any framework/language.

0xbadcafebee•7h ago
I couldn't tell what this was at all for most of the page, but finally at the bottom it shows it's just a library for loading variables into a Node.js application
theozero•4h ago
We're still working on the copy. Any specific feedback is appreciated.

Note that you can load env vars into anything via varlock run, not just javascript. The JS integration is a bit deeper, providing automatic type generation, log redaction, and leak prevention.

theozero•5h ago
Hey all! Co-creator of varlock here. Varlock is the next evolution of what we learned building https://dmno.dev. We wanted to make things simpler (no more proprietary TypeScript schemas) and meet folks where they already are: .env files.

We think the decorator comments (it’s an open spec we call @env-spec - RFC is here https://github.com/dmno-dev/varlock/discussions/17) are an intuitive addition to .env files that are ubiquitous.

The hope is to remove the papercuts of dealing with env vars (and configuration more generally) by introducing an easy to understand system for validation, and type-safety, with the flexibility to use any third party provider to persist your secrets. We found ourselves reimplementing this stuff on every project, wiring together many tools and custom code, only to end up with a mediocre outcome.

The very common pattern of using `.env.example` leads to constant syncing problems, with many folks resorting to sharing .env files and individual secrets over slack, even when they know they shouldn’t. By turning that example into a schema and involving it in the loading process, it can never get out of sync. With validations built in, if something is wrong, you’ll know right away with a helpful error instead of an obscure runtime crash.

Because the system is aware whether things are sensitive or not it means we can do things like log redaction and leak prevention on the application side of things. Many tools try to do scanning but use regexes, while varlock knows the actual values to look for. We felt these were problems especially worth solving in a world where more frameworks are running the same code on both the server and client.

We intended to share this ourselves on here next week but you beat us to the punch. We’re in the midst of shipping the drop-in next.js integration (hopefully just merged today).

I also see a few comments about the “AI friendly” part. Right now tons of folks have sensitive keys in their .env files that are being leaked to AI assistants left and right. By removing plaintext secrets from env files, it entirely removes this problem. We also want to highlight the fact that with this DSL on top of .env we’re making it much easier for LLMs to write safer code. Part of creating devtools is trying to understand how they will be used in the wild so we’ve been trying to work with common tools (Cursor, Windsurf, Claude, Gemini, etc) to make sure they can coherently write @env-spec for varlock.

We’re literally just getting started so all of your feedback is super valuable.

We’ll continue to expand support for non-js languages (which already work via `varlock run`) as well as add more integrations, and eventually some CI/CD features for teams to help track and manage config.

moltar•1h ago
Oh great, anti pattern now has a schema