Hacker News

https://news.ycombinator.com/item?id=45154609) and while there was a big response, it was very mixed! It'll probably be similar this time, but regardless of your thoughts about the concept, I think I've done a pretty good job creating one of the most nostalgic corners of the internet, especially with the latest additions.

It'll always be up for debate whether this is an effective way to get noticed as opposed to a standard, quick and easy portfolio, but I'll die on the hill that this is way more fun for both parties, every day of the week.

The original motivation was frustration with how difficult it can be to find information on early-stage startups. Most databases need accounts, or subscriptions, ro just feel too cluttered. I wanted a website that felt like Wikipedia, no accounts, no subscriptions, no weird metrics, just go in, the info is on the page.

The project is still very early, but currently includes:

Startup profiles Search and filtering Company categorization Public API (in progress)

I'm especially interested in feedback on:

What information you look for when researching startups Features missing from existing startup databases API use cases

I'd love to hear feedback.

AI can be used as both an adversarial and defensive tool in the world of cyber. A worst case outcome is if only the adversaries have access.

Meanwhile, most existing AI cyber tools are just wrappers. The problem is that they still have all the guardrails on from the foundation model where they will inherit its refusals.

For this project we've post-trained a specific model on a decade of capture-the-flag contests. This won't be made available to anyone and everyone, but we do believe that responsible SMEs and midmarket companies also need access to these tools in order to identify key vulnerabilities in their systems; not just enterprises.

We have developed two modes that run over a CLI:

• Security scan: a read-only audit of your local codebase for vulnerabilities. It only reports what it can tie to a specific file and line, so you're not wading through vibes-based findings.

• Pen test: an active adversarial mode that will try to break a live system in a sandboxed environment. It proves each vulnerability by running the exploit and showing the request it sent and the response your code gave back, not a confidence score. Currently gated.

To show what the scan does, we pointed it at Bank of Anthos and it found an integer overflow in the transfer path: amount is an int, and amount + fee can overflow negative, so the balance check passes and you move funds you don't have. Plus the usual auth and secrets issues. (Bank of Anthos is Google's open-source bank. It's a known app and some of it is intentionally weak, which is the point: you can clone it and re-run the scan yourself instead of trusting a screenshot)

The base model is a Kimi K2.6 (open weights). We didn't pretrain from scratch. We post-trained it ourselves, SFT on CTF writeups, then RL with verifiable rewards against actual exploit checks.

How the harness works:

Along with the model we built the harness to support this. The harness runs on a multi-agent swarm: an orchestrator splits the job across subagents running in parallel, each owning a slice, then synthesising one report.

The CLI is a local binary (brew/curl). It reads your code locally, then sends context to our inference API over TLS tcpdump it and you'll see exactly what leaves and where. Install is free; and you can run a scan for free up to 2m tokens, then need to pay for tokens beyond this.

For full disclosure this is a product part of Cosine (YC W23)

Up for debate: tool safety, e.g. domain verification is one method that proves control but not necessarily permission. How would you gate a pen-test tool given that?

https://cauenapier.com/blog/townsquare_release/

https://cauenapier.com/blog/townsquare/

I just think that UI should be simple — HTML and JS are enough and just need some way to make it stateful instead of making it more complicated. My idea: just using JS objects to reflect HTML, and using functions for state. When I need to reuse a component I had one more concept — just make a partial (I call it a Patch) to add props to the main object (but native props still win). With a component-based approach you get deep nesting and exploding props, but with patches you don't. The example below:

  import { ElementNode, toState } from "@domphy/core";
  import { tooltip } from "@domphy/ui";

  const count = toState(0);

  const App = {
    div: [
      { h3: (listener) => `Count: ${count.get(listener)}` },
      {
        button: "Increment",
        onClick: () => count.set(count.get() + 1),
        $: [tooltip({ content: "Add one to the count" })],
      },
    ],
    style: { display: "flex", gap: "8px", alignItems: "center" },
  };

  const root = new ElementNode(App);
  root.render(document.getElementById("app")!);

Right now I am the only one using Domphy, for around a year, for creating SketchUp and Revit plugins in the AEC (Architecture, Engineering, Construction) industry. I created Domphy before AI code generation took off, to make code humans can read and understand clearly, but now AI can build UIs with React well, so sometimes I feel my work is meaningless. But I still use Domphy for my apps, because I feel more confident when I need to read and edit UI code when the AI gets stuck.