<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Cửu thiên vũ đế review</title>
    <description>The latest articles on DEV Community by Cửu thiên vũ đế review (@cu_thinvreview_b2).</description>
    <link>https://dev.to/cu_thinvreview_b2</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4013847%2F5ae923cb-4520-4d63-ad03-df21aa07693c.jpg</url>
      <title>DEV Community: Cửu thiên vũ đế review</title>
      <link>https://dev.to/cu_thinvreview_b2</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/cu_thinvreview_b2"/>
    <language>en</language>
    <item>
      <title>A $100K Salary Is Not the Same Money in CA, TX, NY, and FL (2026 Numbers)</title>
      <dc:creator>Cửu thiên vũ đế review</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:53:11 +0000</pubDate>
      <link>https://dev.to/cu_thinvreview_b2/a-100k-salary-is-not-the-same-money-in-ca-tx-ny-and-fl-2026-numbers-4hhb</link>
      <guid>https://dev.to/cu_thinvreview_b2/a-100k-salary-is-not-the-same-money-in-ca-tx-ny-and-fl-2026-numbers-4hhb</guid>
      <description>&lt;p&gt;Comparing job offers across states? The gross number on the offer letter is not what hits your bank account, and the spread between states is bigger than most people think. Here is what a single filer earning &lt;strong&gt;$100,000&lt;/strong&gt; keeps in 2026, assuming the standard deduction and no pre-tax 401(k)/HSA contributions:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;State&lt;/th&gt;
&lt;th&gt;Net per year&lt;/th&gt;
&lt;th&gt;Net per month&lt;/th&gt;
&lt;th&gt;Effective tax rate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Texas&lt;/td&gt;
&lt;td&gt;~$79,180&lt;/td&gt;
&lt;td&gt;~$6,598&lt;/td&gt;
&lt;td&gt;~20.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Florida&lt;/td&gt;
&lt;td&gt;~$79,180&lt;/td&gt;
&lt;td&gt;~$6,598&lt;/td&gt;
&lt;td&gt;~20.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;New York (outside NYC)&lt;/td&gt;
&lt;td&gt;~$74,228&lt;/td&gt;
&lt;td&gt;~$6,186&lt;/td&gt;
&lt;td&gt;~25.8%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;California&lt;/td&gt;
&lt;td&gt;~$72,670&lt;/td&gt;
&lt;td&gt;~$6,056&lt;/td&gt;
&lt;td&gt;~27.3%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;New York City&lt;/td&gt;
&lt;td&gt;~$70,787&lt;/td&gt;
&lt;td&gt;~$5,899&lt;/td&gt;
&lt;td&gt;~29.2%&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Same salary, &lt;strong&gt;~$8,400/year difference&lt;/strong&gt; between Austin and NYC — before rent even enters the conversation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the money goes
&lt;/h2&gt;

&lt;p&gt;Every state starts from the same two federal deductions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Federal income tax&lt;/strong&gt;: ~$13,170 on $100K for a single filer with the standard deduction (2026 brackets)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;FICA&lt;/strong&gt;: $7,650 flat (6.2% Social Security + 1.45% Medicare)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then the state layer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Texas &amp;amp; Florida&lt;/strong&gt;: no state income tax. Done.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;New York State&lt;/strong&gt;: state income tax on top; NYC residents also pay a &lt;strong&gt;city&lt;/strong&gt; income tax — that's the extra ~$3,400/year gap between NYC and the rest of the state.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;California&lt;/strong&gt;: state income tax plus SDI (disability insurance) withholding.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The caveats that actually matter
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;401(k) contributions change everything.&lt;/strong&gt; Maxing a traditional 401(k) drops your taxable income and shrinks the state-tax penalty of high-tax states.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;These are single-filer numbers.&lt;/strong&gt; Married filing jointly shifts every bracket.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Cost of living is a separate axis.&lt;/strong&gt; $79K net in Austin and $71K net in NYC buy very different apartments — but that's a rent problem, not a tax problem.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Run your own numbers
&lt;/h2&gt;

&lt;p&gt;I maintain free, no-signup calculators with the 2026 brackets baked in — &lt;a href="https://mortgagecalculatortools.com/salary-after-tax-calculator.html" rel="noopener noreferrer"&gt;salary after tax by state&lt;/a&gt;, plus per-state breakdowns for &lt;a href="https://mortgagecalculatortools.com/take-home-pay-100k-california.html" rel="noopener noreferrer"&gt;California&lt;/a&gt;, &lt;a href="https://mortgagecalculatortools.com/take-home-pay-100k-texas.html" rel="noopener noreferrer"&gt;Texas&lt;/a&gt;, &lt;a href="https://mortgagecalculatortools.com/take-home-pay-100k-new-york.html" rel="noopener noreferrer"&gt;New York&lt;/a&gt;, and &lt;a href="https://mortgagecalculatortools.com/take-home-pay-100k-florida.html" rel="noopener noreferrer"&gt;Florida&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Not tax advice. 2026 figures assume standard deduction, single filer, no pre-tax deductions; sources and assumptions are listed on each linked page.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>career</category>
      <category>salary</category>
      <category>finance</category>
      <category>usa</category>
    </item>
    <item>
      <title>USCIS Fee Increase 2026: What H-1B and Green Card Applicants Actually Pay Now</title>
      <dc:creator>Cửu thiên vũ đế review</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:52:35 +0000</pubDate>
      <link>https://dev.to/cu_thinvreview_b2/uscis-fee-increase-2026-what-h-1b-and-green-card-applicants-actually-pay-now-44hc</link>
      <guid>https://dev.to/cu_thinvreview_b2/uscis-fee-increase-2026-what-h-1b-and-green-card-applicants-actually-pay-now-44hc</guid>
      <description>&lt;p&gt;If you work in tech on a visa (or are sponsoring someone who does), the 2026 fee headlines are confusing: some fees went up on January 1, some didn't, and a few are frozen by federal courts. Here is the short, sourced version.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually changed on January 1, 2026
&lt;/h2&gt;

&lt;p&gt;Only the statutory fees created by H.R. 1 (the One Big Beautiful Bill Act, signed July 4, 2025) were adjusted — about +2.7% for inflation, rounded down to the nearest $10, per the Federal Register notice of November 21, 2025:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;H.R. 1 fee&lt;/th&gt;
&lt;th&gt;2025&lt;/th&gt;
&lt;th&gt;2026&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Initial EAD (work permit) add-on — asylum/parole/TPS&lt;/td&gt;
&lt;td&gt;$550&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;$560&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;EAD renewal add-on — parole/TPS&lt;/td&gt;
&lt;td&gt;$275&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;$280&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;TPS registration (I-821)&lt;/td&gt;
&lt;td&gt;$500&lt;/td&gt;
&lt;td&gt;&lt;strong&gt;$510&lt;/strong&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Parole fee&lt;/td&gt;
&lt;td&gt;$1,000&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;$1,020&lt;/strong&gt; (paused for some groups)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Annual asylum fee&lt;/td&gt;
&lt;td&gt;$100&lt;/td&gt;
&lt;td&gt;
&lt;strong&gt;$102&lt;/strong&gt; (stayed by court order)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  What did NOT change
&lt;/h2&gt;

&lt;p&gt;Everything from the April 2024 fee rule stays the same in 2026:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;I-485&lt;/strong&gt; (green card / adjustment of status, adult): &lt;strong&gt;$1,440&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;I-130&lt;/strong&gt; (family petition): &lt;strong&gt;$675&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;N-400&lt;/strong&gt; (naturalization): &lt;strong&gt;$760&lt;/strong&gt; paper / &lt;strong&gt;$710&lt;/strong&gt; online&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;I-765&lt;/strong&gt; (EAD standalone base): &lt;strong&gt;$520&lt;/strong&gt; paper / &lt;strong&gt;$470&lt;/strong&gt; online — $260 if filed with a pending I-485&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;H-1B (I-129)&lt;/strong&gt; base: &lt;strong&gt;$730&lt;/strong&gt;, plus ACWIA training fee, fraud fee, and optional premium processing ($2,805)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The $250 Visa Integrity Fee
&lt;/h2&gt;

&lt;p&gt;Since October 1, 2025, most nonimmigrant visas — H-1B, L-1, O-1, F-1, B-1/B-2, K-1 — carry a &lt;strong&gt;$250 Visa Integrity Fee&lt;/strong&gt;, collected by the State Department when the visa is issued, on top of the regular MRV application fee. Visa Waiver Program (ESTA) travelers, most Canadians, and diplomatic categories are exempt. The law allows a refund after the visa expires if you complied with its terms, but no refund procedure has been published yet, so budget it as a cost.&lt;/p&gt;

&lt;p&gt;If you're getting an H-1B stamped abroad in 2026, that's the extra $250 nobody told you about.&lt;/p&gt;

&lt;h2&gt;
  
  
  Courts have paused some of this
&lt;/h2&gt;

&lt;p&gt;Litigation over H.R. 1 fees is active. The annual asylum fee is stayed, and USCIS paused collecting certain fees from Ms. L. v. ICE settlement class members starting February 5, 2026. What USCIS actually collects can change month to month — always check the official &lt;a href="https://www.uscis.gov/g-1055" rel="noopener noreferrer"&gt;G-1055 fee schedule&lt;/a&gt; before mailing a payment. A rejected filing over a wrong fee amount costs you months.&lt;/p&gt;

&lt;h2&gt;
  
  
  Add it up for your own case
&lt;/h2&gt;

&lt;p&gt;I maintain a free, no-signup &lt;a href="https://mortgagecalculatortools.com/immigration-fee-calculator.html" rel="noopener noreferrer"&gt;USCIS fee calculator&lt;/a&gt; that stacks the base fee + H.R. 1 add-ons + optional fees per form, and a &lt;a href="https://mortgagecalculatortools.com/uscis-fee-increase-2026.html" rel="noopener noreferrer"&gt;full 2026 fee-increase breakdown&lt;/a&gt; with before/after tables.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Not legal advice. Figures current as of July 2026 per USCIS G-1055 and the Federal Register; several H.R. 1 fees are subject to active litigation — verify at USCIS.gov before paying.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>career</category>
      <category>immigration</category>
      <category>usa</category>
      <category>finance</category>
    </item>
    <item>
      <title>Will your codebase fit in the context window? How to measure it (and trim to fit)</title>
      <dc:creator>Cửu thiên vũ đế review</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:38:48 +0000</pubDate>
      <link>https://dev.to/cu_thinvreview_b2/will-your-codebase-fit-in-the-context-window-how-to-measure-it-and-trim-to-fit-5bn8</link>
      <guid>https://dev.to/cu_thinvreview_b2/will-your-codebase-fit-in-the-context-window-how-to-measure-it-and-trim-to-fit-5bn8</guid>
      <description>&lt;p&gt;"Just paste the repo into the model" runs into a hard wall: the context window. Paste too much and you get a truncation error, or — worse — the model silently drops the earliest files and answers from a partial picture. The fix is to treat "will it fit?" as a number you compute &lt;em&gt;before&lt;/em&gt; you paste.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: estimate tokens without calling an API
&lt;/h2&gt;

&lt;p&gt;You don't need a network round-trip to get a usable estimate. For source code, a blend of two signals is within ~5–10% of real BPE tokenizers:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Characters ÷ ~3.6&lt;/strong&gt; — code tokenizes denser than prose (more punctuation and identifiers).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Count of word/symbol runs × ~1.15&lt;/strong&gt; — a second signal that corrects the char estimate on symbol-heavy files.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Average the two and you have a fast, offline token estimate. Good enough to answer "does it fit?"&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2: check it against the model you're targeting
&lt;/h2&gt;

&lt;p&gt;Context windows vary a lot, so budget against the &lt;em&gt;specific&lt;/em&gt; model:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Model&lt;/th&gt;
&lt;th&gt;Context&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Claude (Fable 5 / Opus / Sonnet)&lt;/td&gt;
&lt;td&gt;200K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-5&lt;/td&gt;
&lt;td&gt;400K&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GPT-4.1&lt;/td&gt;
&lt;td&gt;1M&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Gemini 2.5 Pro&lt;/td&gt;
&lt;td&gt;1M&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Report the bundle as a &lt;strong&gt;percentage of the target window&lt;/strong&gt; — "48K tokens = 24% of 200K" tells you at a glance whether you have room left for the actual conversation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 3: if it's over budget, trim by importance — not at random
&lt;/h2&gt;

&lt;p&gt;When a repo is too big, the naive move (truncate the end) throws away whichever files happen to be last. Better: &lt;strong&gt;omit the largest file bodies first, but keep every file listed.&lt;/strong&gt; The model still sees the full project map (so it knows &lt;code&gt;payments/refund.ts&lt;/code&gt; exists) even if that file's body didn't make the cut.&lt;/p&gt;

&lt;p&gt;With &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;ctxpack&lt;/a&gt; this is one flag:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx github:trongtruong110-ux/ctxpack &lt;span class="nb"&gt;.&lt;/span&gt; &lt;span class="nt"&gt;--fit&lt;/span&gt; 60000 &lt;span class="nt"&gt;-o&lt;/span&gt; context.md
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ctxpack: 220 files packed
  tokens: ~59,400
  trimmed: 34 file(s) omitted to fit 60,000 tokens
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Every file is still named in the index; only the biggest bodies are dropped to hit the budget.&lt;/p&gt;

&lt;h2&gt;
  
  
  The habit
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Estimate before you paste&lt;/strong&gt; — "does it fit?" is answerable up front.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Budget per model&lt;/strong&gt; — a bundle that fits Gemini may blow Claude's window.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Trim by size, keep the map&lt;/strong&gt; — a partial bundle that still lists every file beats a truncated one that hides what's missing.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;ctxpack is MIT-licensed and free: &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;https://github.com/trongtruong110-ux/ctxpack&lt;/a&gt;. How do you currently decide what to include when a repo is too big for one prompt?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>llm</category>
      <category>tooling</category>
      <category>productivity</category>
    </item>
    <item>
      <title>A 2-minute pre-commit hook that stops you from committing API keys</title>
      <dc:creator>Cửu thiên vũ đế review</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:10:37 +0000</pubDate>
      <link>https://dev.to/cu_thinvreview_b2/a-2-minute-pre-commit-hook-that-stops-you-from-committing-api-keys-5ca1</link>
      <guid>https://dev.to/cu_thinvreview_b2/a-2-minute-pre-commit-hook-that-stops-you-from-committing-api-keys-5ca1</guid>
      <description>&lt;p&gt;Leaked credentials almost never happen because someone &lt;em&gt;decided&lt;/em&gt; to commit a key. They happen because a &lt;code&gt;.env&lt;/code&gt;, a config file, or a debug snippet slipped into a staged change and nobody noticed until a bot on the internet did.&lt;/p&gt;

&lt;p&gt;The fix is to make the mistake &lt;em&gt;impossible to commit&lt;/em&gt; — a gate that runs before every commit and fails loudly if anything credential-shaped is staged.&lt;/p&gt;

&lt;h2&gt;
  
  
  The shape of the problem
&lt;/h2&gt;

&lt;p&gt;Most leaked secrets have recognizable prefixes:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Provider&lt;/th&gt;
&lt;th&gt;Looks like&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;OpenAI&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sk-...&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Anthropic&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sk-ant-...&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AWS&lt;/td&gt;
&lt;td&gt;&lt;code&gt;AKIA...&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;GitHub PAT&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;ghp_...&lt;/code&gt; / &lt;code&gt;github_pat_...&lt;/code&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stripe&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sk_live_...&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Google&lt;/td&gt;
&lt;td&gt;&lt;code&gt;AIza...&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Private keys&lt;/td&gt;
&lt;td&gt;&lt;code&gt;-----BEGIN ... PRIVATE KEY-----&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;A scanner that knows these can catch the overwhelming majority of accidental leaks with almost no false positives.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 2-minute setup
&lt;/h2&gt;

&lt;p&gt;You don't need a heavyweight platform. A single command in a git hook does it. Here's one using &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;ctxpack&lt;/a&gt; (a zero-dependency CLI), but the pattern works with any scanner that exits non-zero on a hit:&lt;/p&gt;

&lt;p&gt;Create &lt;code&gt;.git/hooks/pre-commit&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;#!/bin/sh&lt;/span&gt;
npx github:trongtruong110-ux/ctxpack &lt;span class="nb"&gt;.&lt;/span&gt; &lt;span class="nt"&gt;--check&lt;/span&gt; &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="s2"&gt;"test/**"&lt;/span&gt; &lt;span class="nt"&gt;-i&lt;/span&gt; &lt;span class="s2"&gt;"**/*.example"&lt;/span&gt; &lt;span class="o"&gt;||&lt;/span&gt; &lt;span class="o"&gt;{&lt;/span&gt;
  &lt;span class="nb"&gt;echo&lt;/span&gt; &lt;span class="s2"&gt;"Commit blocked: a possible secret was found above."&lt;/span&gt;
  &lt;span class="nb"&gt;exit &lt;/span&gt;1
&lt;span class="o"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;chmod&lt;/span&gt; +x .git/hooks/pre-commit
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now every commit is scanned. When something slips in, you get:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ctxpack --check: 1 potential secret(s) in 34 files:

  src/config.js:12  ANTHROPIC_KEY

✗ failing — remove or ignore these before committing.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Note it reports the &lt;strong&gt;location and type&lt;/strong&gt;, never the secret value itself — so the finding is safe to show in CI logs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Two details that make it stick
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Ignore your fixtures.&lt;/strong&gt; Test suites are full of deliberately fake keys. Use an ignore glob (&lt;code&gt;-i "test/**"&lt;/code&gt;) so the gate doesn't cry wolf — a scanner that fires on fixtures gets disabled within a week.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Run it in CI too.&lt;/strong&gt; Local hooks can be skipped with &lt;code&gt;--no-verify&lt;/code&gt;. Add the same &lt;code&gt;--check&lt;/code&gt; line as a CI step so nothing merges with a live credential in it.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  Why bother if you have secret scanning on the host?
&lt;/h2&gt;

&lt;p&gt;GitHub and others scan &lt;em&gt;after&lt;/em&gt; the push — by then the secret is in history (and history is forever unless you rewrite it). A pre-commit gate stops it &lt;em&gt;before&lt;/em&gt; it exists in a commit at all. Defense in depth: keep the host scanner, but don't let it be your first line.&lt;/p&gt;




&lt;p&gt;ctxpack is MIT-licensed and free: &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;https://github.com/trongtruong110-ux/ctxpack&lt;/a&gt;. What's your current setup for catching secrets before they land — pre-commit, CI, host-side, or a mix?&lt;/p&gt;

</description>
      <category>git</category>
      <category>security</category>
      <category>devops</category>
      <category>productivity</category>
    </item>
    <item>
      <title>Stop pasting your API keys into ChatGPT: a safer way to feed a codebase to an LLM</title>
      <dc:creator>Cửu thiên vũ đế review</dc:creator>
      <pubDate>Fri, 03 Jul 2026 16:05:13 +0000</pubDate>
      <link>https://dev.to/cu_thinvreview_b2/stop-pasting-your-api-keys-into-chatgpt-a-safer-way-to-feed-a-codebase-to-an-llm-3j35</link>
      <guid>https://dev.to/cu_thinvreview_b2/stop-pasting-your-api-keys-into-chatgpt-a-safer-way-to-feed-a-codebase-to-an-llm-3j35</guid>
      <description>&lt;p&gt;Every developer using Claude, ChatGPT, or Codex has done this: select a bunch of files, paste them into the chat, and ask a question. It works — until two things quietly bite you.&lt;/p&gt;

&lt;h2&gt;
  
  
  Failure mode 1: you paste a secret
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;config.js&lt;/code&gt;, &lt;code&gt;.env.local&lt;/code&gt;, a test fixture — it only takes one file with &lt;code&gt;api_key = "sk-ant-..."&lt;/code&gt; in it, and now your key is sitting in a third-party prompt log. You won't get an error. You'll just have leaked a credential.&lt;/p&gt;

&lt;p&gt;The fix is boring but essential: &lt;strong&gt;scan for secrets before the text ever leaves your machine.&lt;/strong&gt; API keys have recognizable shapes — &lt;code&gt;sk-ant-&lt;/code&gt;, &lt;code&gt;sk-&lt;/code&gt;, &lt;code&gt;AKIA...&lt;/code&gt;, &lt;code&gt;ghp_...&lt;/code&gt;, &lt;code&gt;-----BEGIN PRIVATE KEY-----&lt;/code&gt;. A pre-flight pass can mask them:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight javascript"&gt;&lt;code&gt;&lt;span class="nx"&gt;config&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;js&lt;/span&gt; &lt;span class="err"&gt;→&lt;/span&gt; &lt;span class="nx"&gt;api_key&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="dl"&gt;"&lt;/span&gt;&lt;span class="s2"&gt;&amp;lt;redacted:ANTHROPIC_KEY&amp;gt;&lt;/span&gt;&lt;span class="dl"&gt;"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;You still send the code; you just don't send the credential.&lt;/p&gt;

&lt;h2&gt;
  
  
  Failure mode 2: you blow the context window
&lt;/h2&gt;

&lt;p&gt;You paste 60k tokens into a 32k-context model and get a truncation, or worse, a silent drop of the earliest files. Most people find out by trial and error. But token count is knowable &lt;em&gt;before&lt;/em&gt; you paste — you just need a per-model estimate:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;~48,210 tokens  (24.1% of Claude 200,000 ctx)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now you know it fits, and you know how much room you have left for the conversation.&lt;/p&gt;

&lt;h2&gt;
  
  
  Doing both in one command
&lt;/h2&gt;

&lt;p&gt;I got tired of eyeballing this, so I built &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;&lt;strong&gt;ctxpack&lt;/strong&gt;&lt;/a&gt; — a zero-dependency Node CLI that packs a repo into an LLM-ready bundle, redacts secrets by default, and budgets tokens for the model you're targeting.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npx github:trongtruong110-ux/ctxpack &lt;span class="nb"&gt;.&lt;/span&gt; &lt;span class="nt"&gt;--model&lt;/span&gt; claude-fable-5
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ctxpack: 34 files packed
  tokens: ~48,210  (24.1% of Claude Fable 5 200,000 ctx)
  redacted: 2 secret(s)
  skipped: 5 binary file(s)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It honors your &lt;code&gt;.gitignore&lt;/code&gt;, skips binaries and build output, and can emit markdown, XML, or JSON. Presets cover Claude (Fable 5 / Opus / Sonnet), GPT-5/4.1, and Gemini 2.5 Pro.&lt;/p&gt;

&lt;h2&gt;
  
  
  The general lesson (even if you don't use the tool)
&lt;/h2&gt;

&lt;p&gt;Whatever you use to shuttle code into an LLM, add two habits:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Redact before you send.&lt;/strong&gt; Treat any codebase bundle like a pastebin post — assume it could be logged.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Count tokens before you paste.&lt;/strong&gt; "Does it fit?" is a question you can answer up front instead of after a bad response.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;ctxpack is MIT-licensed and free: &lt;a href="https://github.com/trongtruong110-ux/ctxpack" rel="noopener noreferrer"&gt;https://github.com/trongtruong110-ux/ctxpack&lt;/a&gt;. If you try it, I'd genuinely like to know which secret patterns or model presets are missing — open an issue.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;What do you currently use to pack a codebase into a prompt? Curious what workflows people have settled on.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>llm</category>
      <category>security</category>
      <category>cli</category>
    </item>
  </channel>
</rss>
