Claude Code Leak: the whole code leaked today and was rewritten in Python today... All public. A security researcher, Chaofan Shou, discovered that Anthropic had accidentally included a large .map source map file (around 57–60 MB) in their publicly published npm package for Claude Code (version 2.1.88). This file allowed anyone to reconstruct the full original TypeScript source: roughly 1,900 files and over 512,000 lines of code. The package was tied to a release from March 30, but the exposure went public and spread rapidly on March 31. https://lnkd.in/dkU9B9U3
Robert Kitlowski’s Post
More Relevant Posts
-
From the leaked Claude source code, people are porting the architecture and logic to a different language (Python) to avoid legal issues. One example is this one: https://lnkd.in/eVpnWN-n I remember using Claude Code to reverse engineer itself. The intention? To enable a custom LLM proxy, and it worked! The LLM proxy didn't follow the regular authentication mechanism (it required extra headers and a custom URL pattern), plus a custom change in the response. It was the opencode before opencode 😅🤣
-
Supply Chains this, Supply Chains that, we all know the deal lately 🫠 I pulled together a new post on hardening the software supply chain with good practices, sprinkled in with some recent and cited write-ups (including public reporting and analysis around incidents like LiteLLM on PyPI, Shai-Hulud, etc etc). I also lined that up with what I’ve actually done locking down npm / JavaScript, Python, and Go in my own pipelines: hash-aware lockfiles (specifically with Python), attestations, cooldowns on brand-new releases, continuous dependency scanning across the full tree, why SBOMs matter once they’re saved as build artifacts and why one measure isn't a silver bullet, all the good stuff. If you’re tired of “pin the version and hope” (spoiler alert, it's not enough) then it’s a practical read. 😆 Read it here: https://lnkd.in/gXuB57Ah #SoftwareSupplyChain #DevSecOps #AppSec #npm #go #pip #uv #python #SCA
-
🚨 500,000+ lines of AI code... leaked by mistake. Anthropic accidentally exposed its Claude Code source via a `.map` file in an npm release — revealing the full internal architecture. (Axios) Within hours, the internet did what it does best: → mirrored it on GitHub → analyzed it → rebuilt it. One repo stood out: 👉 https://lnkd.in/gEJzYmXx But the real twist? Developers moved beyond copying. They created clean-room reimplementations in Rust & Python (Claw Code) — replicating the architecture without using the original code. (Claw Code) https://lnkd.in/guiUu3Ch This is classic software history repeating itself. 💡 Lesson: It’s not always hacks that break systems — sometimes it’s a single config mistake. And sometimes, that mistake teaches the whole industry how your system works. #AI #DevOps #Security #OpenSource #SoftwareEngineering
-
Excited to share something I've been building: Slop Report — a GitHub Action that automatically posts a code quality summary on every Python pull request. Instead of asking reviewers to hunt down coverage gaps, dependency risks, or performance regressions, Slop Report surfaces the signal directly in the PR comment thread:
- Change Risk — % of modified lines covered by your test suite
- Blast Radius — how many modules are affected by the change
- Performance — per-test timing vs. the base branch
- Maintainability — MI regression on modified files + quality of newly added code
It plugs into your existing CI in minutes, never blocks a merge, and gives reviewers the data they need without leaving GitHub. Now available on the GitHub Marketplace: https://lnkd.in/eyFJvnRu Would love feedback from anyone working on Python projects or developer tooling — what metrics would you want to see next? #DevTools #GitHub #GitHubActions #Python #CodeQuality #OpenSource
-
Learn how to build a Model Context Protocol server in Python using FastMCP, expose custom tools to Claude, and connect it to Claude for Desktop via STDIO transport. Not with a plugin or a third-party integration - just a Python file and about 15 minutes. That is what MCP (Model Context Protocol) actually is: you write a function, decorate it with @mcp.tool(), and Claude can call it directly from chat. The thing that genuinely surprised me when building this: you never write a JSON schema for the tool. FastMCP reads your type hints and docstring at startup and generates the schema automatically. That docstring is literally what Claude reads when it decides whether and how to call your function - so you write it like API documentation, not a code comment. That distinction matters more than it sounds. The full walkthrough is on my blog - 7 steps, free National Weather Service API, no API key needed. You finish with two working tools (get_alerts and get_forecast) registered in Claude for Desktop and callable from chat with real live data. https://lnkd.in/ee-EpVht
-
How's this for a Monday morning read? A dive into the engineering principles behind our architectural decisions for the Apache Fluss (Incubating) Rust, Python and C++ clients. Read about our rationale behind adopting a single-core multi-language pattern, the core implementation in Rust, the Apache Arrow format for performance, and our aspiration for DataFusion integration, a multi-protocol query gateway and more. Anton Borisov Yuxia Luo https://lnkd.in/ey6NmP6Q
Why Apache Fluss Chose Rust for Its Multi-Language SDK | Apache Fluss™ (Incubating) fluss.apache.org
-
As of today, there is a new Python library available: kibana-py. It is a Pythonic wrapper for the Kibana REST API, designed to feel familiar to anyone who has used the official elasticsearch-py library. This was my capstone project with AI-assisted development. I used the project's evolution to test GitHub Copilot, Kiro, Antigravity, and Claude Code along the way. This allowed me to see how each handled architectural decisions, refactoring, and documentation in a real-world scenario. Building demos is a good starting point for learning, but building something functional is far more gratifying (and frustrating, in a healthy way). While the library does not yet cover the entire Kibana REST API, it provides a clean, idiomatic way to interact with the endpoints it does support and, importantly, includes bootstrapped OpenTelemetry instrumentation to provide out-of-the-box observability. The screenshot shows how easy it is to use (there are plenty of other examples in the GitHub repo). This is a totally unofficial library, but I hope others find it useful for their automation workflows. To the team at Elastic: if you ever want to take this under your wing, just say the word. The code is available on GitHub and the documentation is live on ReadTheDocs. (Links in the comments)
-
Software news: teiphy v.0.1.24 is now available at https://lnkd.in/gjXnatFh! I've made some Dependabot-informed dependency updates (which unfortunately required me to drop Python 3.9 support); conversion methods now include a progress bar; and BEAST 2.7 XML outputs are more streamlined to reduce unnecessary computation. As always, you can check out the source code directly on GitHub, or you can install the latest version easily with pip via `pip install teiphy`.
-
Python has become the go-to language for developers across industries, powering everything from data science and machine learning to web development and automation. With its popularity comes a critical challenge: maintaining a secure and reliable supply chain for Python packages while ensuring they stay up-to-date. Tools like Anaconda make this process easier, but organizations can also take control by hosting their own internal Python package server, giving full oversight of dependencies, security, and version management. https://lnkd.in/guZAVxgy
-
PySpector v0.1.8 is out🚀 Me and the PySpector Core Team worked really hard to deploy this version, so here's what changed:
- A new vulnerability leading to arbitrary code execution via plugin bypass was patched (and its #GHSA was published)
- Docs were updated and improved🫡
- We fixed a bug preventing the generation of HTML reports, as well as 2 other bugs preventing the --wizard and --supply-chain flags from working properly
- We expanded error messages during #AST file parsing and added a new #CLI flag to enable Python SyntaxWarnings during code scanning
- And last, we (finally) expanded support for Python up to the latest #Python3.14 (while before v.0.1.8, Python support stopped at #Python3.12)
Thanks to all the #contributors and the awesome SecurityCert community who made this possible🫶 Repo: https://lnkd.in/d7CppftJ