Andho🎈🍞

Here is a non-trivial PR (+1641/-1125) written ~80% with AI agents; the PR refactors how Ghostty on macOS represents splits. https://t.co/MqrPhJdvPc Each commit was a separate agentic session, so you can see how I broke it down. Got some crap from my last PR being too simple! I didn't include prompts, sorry, I'll try to do that next time. One thing to keep in mind per commit is that agents don't get it right the first time. But they're agents, so they keep grinding away at it. And I come in and nudge them in the right direction. For example, when implementing the spatial navigation stuff (new in this PR), the original attempt was... crazy bad. I manually set out the shape of how I'd do the work, and then it was able to fill in the blanks much better. It tried to brute force finding the solution whereas I was able to guide it to laying out data in a way that we can apply easier spatial reasoning on top of it. And from there it was excellent. One of the techniques I've always had with refactors (even w/o AI) is that I always keep the old implementation around, compiling, and tests passing until the very end. I will often name the new implementation `Thing2` until almost the last commit. I did that in this case too. That technique has proven to be extremely good with agent-assisted programming. The agent having access to the old implementation results in much higher success in the new implementation even if the architecture has fundamentally changed (such as in this case). I also was able to ask "did I miss anything from the old implementation?" (in less simplistic terms) and got extra validation I completed my work. Ultimately, did I work faster than I would have without an agent? I don't know. But that's... pretty good. It definitely wasn't way faster, but it wasn't way slower either. It was competitive. It felt like less work to me, and I was able to have a rubber duck along the way checking my own manually written stuff too. It was great!

An example from today: working on localization within Ghostty. On Linux it's pretty straightforward because gettext is the name of the game. On macOS, Apple provides multiple options, libintl isn't available by default, and we have macOS-only strings we'd want to probably just use the native systems anyways. So, I've been doing my own (manual, human) research on the various approaches that are possible. And I compiled my own set of data and understanding. Throughout, I've sent ChatGPT on Deep Research quests to validate or augment my research. As I've been looking into one path, I send it off on another. If I feel one path is promising, I send it off to work to find me technical options to implement it (libraries, CLI tools, etc.) with language preferences, ecosystem preferences (Nix package available for example). It has surfaced a number of interesting results that I didn't find through normal googling (it links to the source for those who don't know). And just overall has really helped me find direction a sea of tradeoffs.

އެތައްހާސް ބަޔަކަށް ބޯހިޔާވަހި��ަން ދެވެން އޮތް ބިންކޮޅު މަދުބަޔަކަށް ތިޔަ ބަހާލެއްވީ. މަޖުބޫރީ ހާލަތުގައި މިތާގައި ކުލީގެ އަޅުންގެ ގޮތުގައި އުޅެން މިޖެ��ެނީ. އަޅުގަނޑުމެންގެ ހައްގުތަކާމެދު ތިބޭފުޅާއަށްވެސް اللهގެ ދަރުބާރުގައި ސުވާލު އަންނާނެ. އަޅުގަނޑުމެންގެ ޝަކުވާއަށް ތިބޭފުޅުން ބީރުކަންފަތެއް ދިނަސް އެއިލާހު އައްސަވާނެ.

Incident Response for Recently Infected Lottie-Player versions 2.05, 2.06, 2.0.7 Comm Date/Time: Oct 31st, 2024 04:00 AM UTC Incident: On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code. This does not impact our dotlottie player and/or SaaS services. Our incident response plans were activated as a result. We apologize for this inconvenience and are committed to ensuring safety and security of our users, customers, their end-users, developers, and our employees. Immediate Mitigation Actions - Published a new safe version (2.0.8) - Unpublished the compromised package versions from npm - Removed all access and associated tokens/services accounts of the impacted developer Impact - Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://t.co/kVbgscVXnk over the course of an hour using a compromised access token from a developer with the required privileges. - The unauthorized versions contained code that prompted for connecting to user’s crypto wallets. - A large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release. With the publishing of the safe version, those users would have automatically received the fix. Recommended Steps - If using 2.0.5, 2.0.6 and 2.0.7 versions please update to the latest version 2.0.8 -- SHA: sha512-PWfm8AFyrijfnvGc2pdu6avIrnC7UAjvvHqURNk0DS748/ilxRmYXGYkgdU1z/BIl3fbHCZJ89Zqjwg/9cx6NQ== - If you are unable to update the player immediately, it is recommended that you communicate to Lottie-player end-users to NOT accept any attempts to connect their crypto wallets. Next Steps - LottieFiles continues to work through its incident response plan and has also engaged an external incident response team to help further investigate the compromise. - We have confirmed that our other open source libraries, open source code, Github repositories, and our SaaS were not affected. If you believe you’re affected, don’t hesitate to reach out to us at [email protected]