Skip to content

[claude-hackernews] Reply draft: DAC Show HN, static-validation vs runtime tool-call gating (id=47949066) #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
NiveditJain wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[claude-hackernews] Reply draft: DAC Show HN, static-validation vs runtime tool-call gating (id=47949066) #56

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions drafts/2026-05-04T134035Z.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
# Reply to OP on "Show HN: DAC – open-source dashboard as code tool for agents and humans"
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix non-ASCII dashes in HN-bound text.

This draft includes Unicode dash characters:

  • Line [1] has an en-dash in Show HN: DAC – ...
  • Line [49] has an em-dash in market gap — every ...

Per the draft guideline “Use plain ASCII punctuation only in any HN-bound text”, replace both with ASCII - (or reword with :/;).

Suggested diff 
-# Reply to OP on "Show HN: DAC – open-source dashboard as code tool for agents and humans"
+# Reply to OP on "Show HN: DAC - open-source dashboard as code tool for agents and humans"

-- Several commenters compared to evidence-dev, Observable Framework, Vega-Lite. None of those products talk about the runtime-tool-call gate either. There's a genuine market gap — every "agents as primary user" product addresses *what the agent produces* but not *what the agent does on the way*. Marketing angle: "the gate everyone's missing in code-for-agents."
+- Several commenters compared to evidence-dev, Observable Framework, Vega-Lite. None of those products talk about the runtime-tool-call gate either. There's a genuine market gap - every "agents as primary user" product addresses *what the agent produces* but not *what the agent does on the way*. Marketing angle: "the gate everyone's missing in code-for-agents."

Also applies to: 49-49

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-04T134035Z.md` at line 1, Replace the non-ASCII dash
characters in the draft: change the en-dash in the title string "Show HN: DAC –
open-source dashboard as code tool for agents and humans" to an ASCII hyphen or
rephrase (e.g., "Show HN: DAC - open-source..." or "Show HN: DAC:
open-source..."), and change the em-dash in the body phrase containing "market
gap — every" to an ASCII hyphen or reword (e.g., "market gap - every" or "market
gap: every") so all HN-bound text uses plain ASCII punctuation.


- **HN:** https://news.ycombinator.com/item?id=47949066
- **Status:** draft (pending manual post)

## Story / OP

Show HN by `karakanb` (Burak), 112 points / 35 comments, 2 days old. Discovered via /show (currently rank 7).

OP introduces DAC: an open-source "Dashboard-As-Code" tool with agents as the primary user. Dashboards are defined in YAML (static) + JSX (dynamic). Single-binary Go implementation, supports 10+ SQL backends, includes a `dac validate` static-analysis step so agents can self-check their dashboard YAML before deploy. OP frames the design choices: version-controllable text, easy human review, static analysis as a first-class citizen, standardized deployment, built-in semantic layer. Closes with: "I would love to hear what can be improved here, please let me know your thoughts." That's an explicit Show-HN design-feedback solicitation.

Top-comment angles already raised (so I'm not duplicating any of them):

- `MuffinFlavored` (47986116): wants comparison to evidence-dev.
- `hasyimibhar` (47986203): why not Vega-Lite as the grammar?
- `5-0` / `ggrelet` / `bpev`: naming clash with Digital-to-Analog Converter.
- `lexh` (47985264): README/docs polish.
- `gervwyk` (47990354): validates the "apps as YAML" paradigm at 500k YAML lines.
- `ktrnka` (48002032): docs for auth + hosting are missing.
- `laurels-marts` (47995807): on-the-fly user-driven dashboards.

Nobody has raised the static-validation vs runtime-tool-call gating distinction. Lane is open.

## My reply

```
(disclosure: I work on FailProof AI: https://github.com/exospherehost/failproofai)

The static-analysis stance on the artifact, dac validate blocking a bad YAML before deploy, covers the output gate cleanly. The seam it does not cover is what happens while the agent is iterating: its SQL execution tool can still hit your warehouse with a wrong-shape DELETE or TRUNCATE before any YAML is committed. A runtime hook on the tool call (PreToolUse) catches that before dispatch:

fn: ({ toolName, toolInput }) => {
if (toolName !== "Bash") return allow();
const c = toolInput?.command ?? "";
if (/\b(DROP\s+(TABLE|DATABASE)|TRUNCATE)\b/i.test(c))
return deny("Destructive SQL blocked while iterating.");
return allow();
}

Two gates: static on the committed artifact, runtime on each tool call. They end up complementary. Worth flagging the boundary somewhere visible. Operators reading "agents iterating on dashboards" assume both are covered.
```

Word count: ~135. ASCII punctuation only (verified: no em-dashes, en-dashes, fancy ellipses, curly quotes, or unicode arrows). One disclosure line. One snippet, tied to OP's design space (the iteration-time SQL tool-call). No install commands. No comma-list of policy names. No three-scope / version-number / dashboard-UI talk. Repo URL appears once.

## Insight for the FailProof team

- DAC is a clean example of a complementary product: it gates the *artifact* the agent commits, FailProof gates the *tool calls* the agent makes en route to that artifact. Worth writing a short blog "where FailProof ends and your code-as-X tool begins" with DAC, Pulumi-style IaC tools, and dbt as concrete examples. Operators conflate the two layers and it costs them.
- Burak's framing "what if the dashboards were built for agents as the primary user?" is a reusable design lens. The companion lens FailProof embodies is "what if the *guardrails* were built for agents as the primary user?" — i.e., policy-as-code in the same repo as the agent's working code, loaded at the same scope, version-controlled the same way. Worth foregrounding in our docs as the pairing.
- `gervwyk`'s "500k lines of YAML" datapoint (id=47990354) is a useful proof point that operators are willing to live in code-shaped config at large volume. If FailProof is fighting against "config files don't scale" objections, this thread is a citation.
- Several commenters compared to evidence-dev, Observable Framework, Vega-Lite. None of those products talk about the runtime-tool-call gate either. There's a genuine market gap — every "agents as primary user" product addresses *what the agent produces* but not *what the agent does on the way*. Marketing angle: "the gate everyone's missing in code-for-agents."
- The OP's `dac validate` model is interesting from a policy-engine perspective: their validation runs *as the agent's last step before deploy*. FailProof's `instruct()` could mirror that pattern at the agent-loop level (insert "validate before stop" reminders without blocking). Worth checking whether we have a sample policy for that shape; if not, it's a 10-line policy that lands well on threads like this one.

## Notes / findings

- Thread is 2 days old, 35 comments. Not saturated; mid-thread visibility for a thoughtful late reply should be acceptable.
- Reply form rendered (textarea present in the .fatitem at HN read time), so the thread is still accepting replies.
- MCP launch-order trap re-surfaced mid-session: after a `browser-use close` from a CLI eval, the MCP's reported state showed Reddit URLs while CDP /json/list on port 9334 showed the correct HN tab. Diagnosed by querying both 9334 and 9333 endpoints; 9333 was the Reddit harness Chrome and confirmed the MCP had drifted to it. Worked around by driving the rest of discovery through the `browser-use` CLI on `--cdp-url 9334`. Adds another data point in support of the long-term fix in INSTRUCTIONS.md ("per-profile config file via `--config <path>`").
- Discovery sweep this run: /ask, /show, /shownew, /news, /from?site=anthropic.com, plus Algolia searches for "claude code hooks", "agent deleted", "Show HN claude code", "claude code agent production", "claude code settings". Almost every relevant Show HN with audience is already covered by a past PR (PRs #11, #20, #22, #28, #30, #37, #40, #42, #46, #51, #55, etc.). DAC was the cleanest fresh fit.