AI 资讯
MCP Server Auth: The API Is the Real Boundary
A single shared API key is fine right up until a second person uses it. intent-brain — the system, repo qmd-team-intent-kb , renamed to the intent-brain plugin v0.4.0 this day — is a team knowledge base. A Fastify HTTP API sits over a governed memory corpus. In front of that API is an MCP server named teamkb , so a teammate doesn't open a dashboard or learn an endpoint. They ask in Claude Code and get a cited answer back with qmd:// citations. That's the whole pitch: institutional memory you query in the same place you write code. Up to this day it authenticated with one shared TEAMKB_API_KEY . The shared key has two failures that only show up once the tool has more than one user. First, every request looks identical, so the audit log can't say who asked. Second, revoking one person means rotating the key for everyone — there's no per-person handle to drop. Both are structural, not bugs you patch. You fix them by giving each person their own credential. The work closed that gap with three things, in this order: per-user tokens (identity), a server-side write gate (authorization), and a per-read access log (audit). The through-line: the API is the real boundary. The MCP client-side tool gate is UX, not security. And the per-read access log stays separate from the governance audit trail — separate log, not no log. Identity: per-user tokens replace the shared key apps/api/src/auth/token-registry.ts . Each token resolves to a record: { actor, role } , where role is 'admin' | 'member' . The shared key's two failures both dissolve here — every request now carries an actor , and revoking one person is dropping one record, not a team-wide rotation. Tokens come from layered sources, in precedence order: explicit records → a TEAMKB_TOKENS JSON env → a TEAMKB_TOKENS_FILE (default ~/.teamkb/tokens.json ) → the legacy single TEAMKB_API_KEY , which becomes one admin token with actor "shared" for back-compat. Each entry is a bearer token resolved to an identity at request time. Ma
AI 资讯
The Wrapper Got Heavy: Why ChatGPT Clones Are Runtime Problems Now
A year ago, "it's just a ChatGPT wrapper" was a dismissal. You'd hear it about a startup and know what it meant: an LLM API call, a little RAG, file upload, a chat box on top. Thin. Replaceable. Probably dead the next time the base model shipped a feature. I keep coming back to that phrase, because it stopped being true in a way I didn't notice happening. The thing you'd be wrapping is no longer a model with a chat UI. It's a fast, stateful web application with its own agent loop, its own sandbox, its own artifact system. The wrapper didn't get easier to build as the models got better. It got heavier . The simple interface hides the hard part. A ChatGPT-shaped product is not just an API call with a chat box around it; it's the accumulation of many product and infrastructure decisions that make execution feel safe, stateful, and immediate. The model is the part you can buy. The surrounding runtime is the part people had to design. What gets me is the timescale. It's been roughly a year, and the question actually worth arguing about has moved out from under us — from "is this just a wrapper?" to "where does the sandbox even run?" The pace is faster than I can comfortably track. And the part I keep finding fun is that it all bends toward the practical, not away from it: every one of these shifts makes the tools more usable, more real, closer to something you'd actually ship. Surprising and, honestly, a good time to be building. This isn't a "wrappers are over" argument, and it isn't advice. It's me writing down where my thinking has drifted while trying to build these things myself — partly so I can find out where it's wrong. Read it as one person's notes. What "wrapper" used to mean The old shape was honestly small. Roughly: prompt → LLM API → (RAG retrieval) → response + file parsing on the side The whole game was prompt design, a retrieval index, and some glue. You could stand it up in a weekend. The reason "wrapper" was an insult is that the surface area was tiny —
开发者
Months Inside Andrej Karpathy's Mind
A deep dive into the podcasts, papers, tweets, and tutorials of the engineer who made me add a fifth...
AI 资讯
Anthropic Thinks Its Own Success Is Key to Making AI Safe
Anthropic's critics argue it's rapidly accumulating power. The company says that's what responsible AI development looks like.
AI 资讯
React.js ~The best practice for conditional statement~
We tend to write React as functional programming because the functional component is the mainstream. In this era, one of the issues we often encounter is conditional statements. There are a variety of conditional statements, such as if, switch, and ternary operator. We confuse when to use them properly. Assign the result of the conditional statement into a variable This makes it easy to read, test, and modify codebases. The representative case is ternary operator const userName = user ? user . name : ' No user found ' ; Of course, we can write the code another way. const point = 80 ; let result ; if ( point >= 70 ) { result = ' passed ' ; } else { result = ' failed ' ; } console . log ( result ); // passed In this way, we can not ensure the immutability of let , and this section with the conditional branch is written in a procedural style. To solve this issue, we have to wrap this in a function. const judge = ( point : number ) => { if ( point >= 70 ) { return ' passed ' ; } return ' failed ' ; }; In addition to wrapping that statement, I suggest that you use early return to save the else statement. Do not write conditional statements in the return value of tsx (the UI rendering portion) ** When there is only a single conditional statement, or there is no need for any execution in the conditional statement. Let's use the ternary operation simply. import { FC } from ' react ' ; import { useQuery } from ' @tanstack/react-query ' ; import getUser from ' domains/getUser ' ; type Props = { userId : number ; }; const Profile : FC < Props > = ( props ) => { const { userId } = props ; const getSpecificUser = async () => { const specificUser = await getUser ( userId ); return specificUser ; }; const { data : user } = useQuery ([ ' user ' , userId ], getSpecificUser ); const userName = user ? user . name : ' User not found ' ; return < p > User : { userName } < /p> ; }; export default Profile ; const userName = user ? user . name : ' User not found ' ; In this statement, you
AI 资讯
GitHub Actions adds a background marker, and the linear job stops being the only shape
A small word that changes the rhythm of a job For as long as I have been writing Actions workflows I have been carrying a quiet workaround in my head. Want to warm a cache while the build runs? Append & to the shell command, then squint at logs that arrive out of order and pray the job doesn't exit on you. It worked, sort of. It also meant that anything more interesting than "run one thing, then the next thing" lived as folklore, hidden inside run: blocks. GitHub closed that gap this week. On June 25 the Actions changelog announced that steps inside a job can now run concurrently, marked with a new background keyword and supported by helpers to wait for them and cancel them. Until now, the changelog notes, every step in a workflow ran in sequence, with each step starting only after the previous one completed. That single rule has shaped every workflow I have ever written. It is gone, and the replacement is the kind of feature you don't notice until the day you reach for it and it's there. What the keywords actually do There are four pieces, all of them documented in the announcement. background: true is the entry point. Set it on a step and that step starts running, and the next step starts immediately. It does not block the job. wait and wait-all are the rendezvous. wait pins on one or more named background steps and pauses until they finish. wait-all is the same idea against every background step still in flight. Either way you get back into a linear flow on your terms. cancel is the cleanup. It gracefully terminates a background step when you no longer need it, which is the missing piece if you have ever tried to kill a long-running side process from inside a job and ended up shelling out to kill . parallel is the convenience wrapper. The changelog describes it as taking a group of steps and converting them into background steps with a wait placed after. For the common "fan out, then join" shape, you write one block instead of decorating five steps by hand. Where
开发者
Hello World It might seem like a pretty cliché post, but it’s nice to be reminded of the fundamentals.
科技前沿
This Is Probably Your Last Chance to Buy a Cheap MacBook for a While
Apple has dramatically jacked up the price of MacBooks, making the current Prime Day pricing that much more enticing.
AI 资讯
Laravel API Development in Morocco: Architecture Guide 2026
Laravel API Development in Morocco: Architecture Guide 2026 Laravel remains the #1 PHP framework for API development in 2026 Laravel remains the #1 PHP framework for API development in 2026, and Morocco has become a hub for quality Laravel freelancers and teams. Here is the complete guide to building production-grade APIs with Laravel, based on 40+ projects shipped. Why Laravel for APIs in 2026 Eloquent ORM — most expressive DB layer in any framework Sanctum for SPA/mobile auth (simpler than Passport for most cases) Scout for Meilisearch / Algolia / Elastic full-text search Queues with Horizon for background jobs Octane for performance (Swoole / RoadRunner) Deep ecosystem : Telescope, Pulse, Forge, Vapor REST vs GraphQL — What to Choose Criteria REST GraphQL Learning curve Low Medium-high Caching Easy (HTTP) Complex Over-fetching Common Solved Mobile bandwidth Higher Optimized Best for Public APIs, simple CRUD Complex dashboards, mobile apps My default : REST with Laravel API Resources unless the client has clear GraphQL-specific needs (mobile app with variable fields, highly nested data). Standard Laravel API Architecture app/ ├── Http/ │ ├── Controllers/Api/V1/ │ ├── Requests/ (FormRequest for validation) │ └── Resources/ (API Resources for shaping output) ├── Models/ ├── Services/ (business logic) ├── Repositories/ (optional, if complex queries) ├── Jobs/ └── Events/ Key architectural decisions Versioning via URL (/api/v1/users) not headers — simpler FormRequest for validation (never validate in controller) API Resources for every response (shape, transforms, conditionals) Services layer when controllers exceed 100 lines Dedicated DTOs for complex payloads (spatie/laravel-data) Authentication — Sanctum Setup SPA on same domain : cookie-based, CSRF protected Mobile app / 3rd party : personal access tokens Revocation endpoint for logout Token abilities for granular permissions Rate Limiting & Security RateLimiter facade — per user, per IP, per endpoint CORS : use c
AI 资讯
Sarout Morocco
An innovative Moroccan platform for finding, renting, and selling real estate, offering a simple and seamless experience tailored to the local market. Challenge Launch Sarout.ma, an innovative Moroccan platform dedicated to searching, renting and selling real estate, on an ultra-competitive market dominated by a few historical players often criticized for dated ergonomics and uneven listing quality. The challenge: build an intuitive, modern real estate marketplace able to connect individual owners, agencies and tenants across all of Morocco — Casablanca, Rabat, Marrakech, Tangier, Agadir — with clear navigation and smart search. It also required enriched, geolocated listings updated in real time, and a journey differentiated by user profile (searcher, owner, professional agency). Solution Development of a site with a clean, fully responsive interface, designed mobile-first since most real estate searches in Morocco happen on smartphones. Integration of advanced dynamic filters (city, neighborhood, price, surface, number of rooms, property type, furnished/unfurnished) with instant result refresh. Listing management via a complete owner dashboard: creation, editing, view statistics, photo management with multi-upload and automatic compression, scheduling of paid promotions. Each property page has an SEO-optimized URL, rich descriptive content, precise geolocation on an interactive map, and the option to directly request a viewing. SEO architecture focused on local ranking: category pages per city and neighborhood, Schema.org RealEstateListing markup, dynamic sitemap. Email alert system for saved searches, listing moderation, and a professional agency dashboard for premium accounts. Results A high-performing, accessible real estate portal that significantly simplifies property search for individuals and strengthens listing visibility across Morocco. The interface fluidity stands out in a market where competition remains rough around the edges. Steady growth in publishe
AI 资讯
For ECCV, Springer Metor. How are we supposed to upload the files? [D]
source files + final paper pdf. ZIP containing the source files and final paper.pdf. Where does the supplemental materiel get uploaded? Because in that email it says include it in a "supplementary_materiel" folder. this is all very confusing. can someone clarify? submitted by /u/redskydawns [link] [留言]
AI 资讯
Why Amazon Dropped Its OpenAI Movie, Data Center Workers Fight Back, and Meta Leaks Employee Data
Amazon-owned MGM Studios’ decision to drop the OpenAI movie is just part of AI and film industries becoming increasingly intertwined. On Uncanny Valley, we take a look at where this is all headed.
AI 资讯
Evaluating performance and efficiency of the GitHub Copilot agentic harness across models and tasks
Explore how the GitHub Copilot agentic harness delivers strong results across multiple benchmarks and leading token efficiency, while maintaining flexibility to choose among more than 20 models. The post Evaluating performance and efficiency of the GitHub Copilot agentic harness across models and tasks appeared first on The GitHub Blog .
AI 资讯
Venezuela’s Powerful Earthquakes Were a Rare ‘Seismic Doublet’
The country was hit hard by a pair of quakes that happened in quick succession and were likely driven by stress being transferred from one part of the fault that runs through the country to another.
AI 资讯
Context engineering is engineering work — not prompt-writing
TL;DR — When the spec is good, implementation needs less model. I started using a top-tier model to write the spec and a cheaper, faster one to implement it — still using the strong model, just spending it on the spec instead of the implementation. The gain isn't some magic prompt phrasing; it's the context: explicit business rules, audited project constraints, a defined output contract. That's systems engineering — the discipline of anyone who's kept real software alive, whatever their stack. Every backend dev knows the scene: the Swagger is out of date, the last hotfix shipped without a unit test, and the README.md documents a command nobody's used in six months. The code works. The docs lie. And the gap between the two is exactly where AI — and we — start to go wrong. I've spent the last few months developing with AI for real inside production projects, not tutorial greenfield. My takeaway was less about which model to use and more about a shift that already has a name: the move from prompt engineering to context engineering . The difference isn't semantic. Prompt engineering treats the problem as writing — finding the magic phrase. Context engineering treats it as what it always was: a systems engineering problem . And it's where my backend background applied most directly — though anyone who's kept a real system alive has the same instinct. The experiment that convinced me Let me start with the evidence, because that's what made me take this seriously. My reflex, for a long time, was to reach for the strongest model for everything — more expensive, smarter, fewer errors. Makes sense on paper. In practice, I saw something else. When the task's specification is well done — explicit business rules, audited project constraints, a defined output format — the model capability needed for implementation drops sharply. Enough to split the work by stage: I started using a top-tier model (currently Opus) to write the spec , and a cheaper, faster model (Sonnet) to implemen
科技前沿
Commodore has dropped the price of its retro phone by $100 ahead of preorders
A refreshing direction for a price change.
AI 资讯
Building Autonomous AI Agents in the Enterprise
Autonomous AI agents are transitioning from experimental developer playgrounds into the core of enterprise application architecture. For organizations looking to automate complex workflows that require decision-making, reasoning, and tool use, agentic AI represents a paradigm shift. However, moving from a simple demo script to a reliable, production-ready enterprise agent system requires addressing significant architectural challenges. In this article, we will examine the core components of enterprise agent systems, design patterns for robust execution, and security considerations. The Core Architecture of an AI Agent An enterprise AI agent is more than just a large language model (LLM) loop. It is a system composed of four critical pillars: Reasoning & Planning (The Core LLM): The orchestrator that decides how to approach a problem, breaks down tasks, and analyzes output. Memory: Storing short-term execution traces (context) and long-term knowledge (vector databases, semantic memory). Tools (Action Space): APIS, databases, calculators, and code execution sandboxes that the agent can invoke to retrieve information or perform tasks. Guardrails & Evaluators: Decoupled verification layers that inspect the agent's plans and tool execution to enforce policy and security. +-------------------------------------------------------------+ | USER REQUEST | +-------------------------------------------------------------+ | v +-------------------------------------------------------------+ | AGENT ORCHESTRATOR / LLM LOOP | | * Planning (ReAct, Plan-and-Solve) | | * Memory retrieval | +-------------------------------------------------------------+ | ^ v (Call Tool) | (Tool Results) +------------------------+ +----------------------+ | TOOL ROUTER | | GUARDRAILS LAYER | | * APIs * Code Exec | | * Safety filter | | * DBs * RAG Lookup | | * Data sanitization | +------------------------+ +----------------------+ Planning Patterns: ReAct vs. Plan-and-Solve When designing how an agent re
AI 资讯
Repricing of Software Engineering Labor
I started my career in the late 2010s, and I have had a front-row seat to the growth of the industry that has given me everything: software engineering. Looking back over the last decade, I have mixed feelings about some of the calls I made. And I am seeing the same patterns play out again now. So for engineers who are confused about where this is headed and how to navigate it, here is how I think about it. Generalist SWEs were a product of cheap money The late 2010s, I saw an huge amount of startup funding, globally. Flipkart, Snapdeal, Jugnoo, and hundreds of others were scaling hard and one hiring pattern I saw was that: everyone wanted generalist software engineers. People who could easily get upto speed across the stack.- backend, frontend, infra, deployment and simply ship. Building software was expensive. Automation was still low. Kubernetes had just gone mainstream. Shipping still meant a surprising amount of manual work: SSH-ing into servers, copying artifacts around, running mvn builds by hand, debugging deployments straight in production, duct-taping infrastructure that today you would never touch. Companies fought over engineers who maximized feature throughput. Breadth was a premium, because every extra engineer increased the rate at which software got built. It helped because the money was also free and VCs rewarded growth over efficiency, and hiring software engineers in bulk was the easiest way to spend it. Pull up a resume from an engineer who started around that time and you will usually see the same shape: a long list of technologies and frameworks, broad and adaptable, but rarely deep in any one thing. There was no incentive to go deep. LLMs Changed The Dynamics LLMs did not kill software engineering. It compressed the cost of implementation. The work that got hit first was the work that was already standardized: CRUD apps; API integration and glue code; Framework-heavy backend work; Frontend scaffolding; Standard architectural patterns. What use
AI 资讯
Patronus AI lands $50M to build ‘digital worlds’ that stress-test AI agents
Agent-testing startup Patronus AI, founded by former Meta AI researchers, is experiencing nearly insatiable demand, its investor says.
AI 资讯
Kuma: compiling PyTorch models into self-contained WebGPU executables [P]
I've been experimenting with a compiler/runtime project that I'm not entirely sure is a good idea, so I'd love some feedback from people who've worked on deployment systems. The idea is to compile an exported PyTorch model into a self-contained package that contains: graph binary weights backend kernels (currently WGSL) runtime metadata A lightweight runtime loads that package and executes it directly in the browser with WebGPU. No Python, no server inference, and no dependency on a heavyweight runtime. Right now the attached demos are just neural video representations because they were easy to test, but the motivation is actually operator networks and scientific ML, where I like the idea of distributing a single portable artifact. The repo is here: https://github.com/Slater-Victoroff/Kuma I'm mostly looking for architectural feedback. Some questions I'm wrestling with: Is embedding backend kernels in the artifact a terrible idea? Is this solving a real deployment problem or just reinventing ONNX Runtime? Are there existing systems I should study that take a similar approach? If you were designing a deployment format today, what would you change? I'd especially appreciate thoughts from people who've worked on ONNX, IREE, TVM, ExecuTorch, MLIR, or similar compiler/runtime projects. submitted by /u/svictoroff [link] [留言]