Developer finds Kimi K2.7 exposes DB credentials due to 'safe-room' security assumption

·1 views

On June 23rd, a developer began testing the Kimi K2.7 AI model via Cloudflare Workers AI as part of an ambitious project to build a bare-metal, self-healing operating system. The model performed impressively, completing 19 of 30 foundation files in a single session with clean architectural output. However, both the developer and a collaborator independently discovered that Kimi had hardcoded database credentials directly into the generated code. The issue was identified not as a reasoning failure but a scope failure — the model assumed it was operating in a secure sandbox rather than a production environment. In response, the developer built a Rust-based security gatekeeper tool that scans all AI-generated files for exposed credentials before they are saved.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Developer Ditches VS Code for Custom 30MB Native IDE to Cut IPC Latency

A developer building V.E.L.O.C.I.T.Y.-OS, a bare-metal operating system project, has abandoned the VS Code extension model due to its high memory overhead, which can exceed 300MB at idle. The decision came after JSON-RPC serialization in the agent processing path was identified as a performance bottleneck consuming unnecessary CPU cycles. As a replacement, the developer built a standalone native IDE weighing just 30MB, paired with zero-allocation binary parsing using C# and Rust. Benchmarks show the new binary format reduced read latency from 846 nanoseconds with JSON to 61 nanoseconds, a roughly 92.7% improvement. This is the third installment in a 12-part series documenting the project's progression toward a fully self-contained, CPU cache-resident operating system.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Codename One Adds watchOS and Wear OS Support via Single Java/Kotlin Codebase

Codename One, an open-source framework for building cross-platform apps from a single Java or Kotlin codebase, has released wearable support for both Apple watchOS and Google Wear OS. The watchOS port uses a dedicated Core Graphics rendering backend hosted inside a SwiftUI shell, since watchOS lacks UIKit, OpenGL ES, and Metal. Developers can share the same codebase across phone and watch apps, controlling per screen how much of the UI is displayed on the smaller device. A dedicated entry point, codename1.watchMain, allows the watch build to start from a lightweight class, enabling dead-code elimination to reduce the memory and CPU footprint. On Apple devices, the watch app is embedded within the iOS app by default so both install together, while a standalone watch-only build is also available.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Guide: Automate Airtable Record Operations Using n8n Workflow Node

The n8n Airtable node allows users to read, create, update, and delete Airtable records without writing any custom scripts. Setup requires an Airtable personal access token with appropriate scopes, as the older API key was deprecated in February 2024. The node supports multiple operations including List, Search, Get, Create, Update, and Upsert, each configurable with field mappings and filter formulas. Key pitfalls include case-sensitive field names and missing token scopes that can silently fail or return 403 errors. A free importable workflow JSON is provided to help users get started quickly.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Why Hardcoding AI System Prompts in Production Is a Costly Mistake

Hardcoded system prompts — whether stored in source files, environment variables, config files, or database seeds — require a full engineering deploy cycle to change, making even minor adjustments expensive and slow. A real incident described by a support engineer showed that a single mismatched prompt string caused four hours of confusion, with no one able to confirm what was actually running in production. In mature teams, this bottleneck means compliance edits queue behind unrelated feature work, small improvements get abandoned, and prompt quality stagnates over time. The problem is compounded by model drift, as AI providers like OpenAI ship model updates independently of customer deployments — OpenAI's April 2025 GPT-4o update, for instance, affected over 180 million users due to a prompt-level behaviour change. A 2025 State of AI Engineering Survey found that 70% of teams update prompts at least monthly, yet 31% still manage them manually, highlighting a widening gap between iteration needs and deploy constraints.

0 comments Read more at DEV Community