今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#X

找到 660 篇相关文章

AI 资讯

Your Background Subagents Can Leak Secrets — Build the Isolation Model

Developers flagged a freshly filed, reproducible issue that should make anyone running background agents pause: Claude Code's background Opus subagents intermittently stall on their first turn and, instead of producing useful work, emit system-prompt fragments — including text shaped like authorization data — as their only output. It's labeled a security issue, it has a reproduction, and it's open. That's enough to treat it as a real, if intermittent, class of failure. Here's the mental model that matters: a subagent is not a trusted subprocess. It's an autonomous loop with access to a context window, a toolset, and — too often — the same credentials as its parent. When that loop stalls and dumps its prompt instead of its result, anything that was in context is now in output. Authorization-shaped text leaking is the canary: if the prompt carried a token, a session string, or an internal endpoint, that's what surfaces. The fix is structural, not reactive. Three rules: 1. Scope credentials per subagent, not per session. A background agent that only needs to read a repo shouldn't hold deploy keys. Hand it the narrowest token that completes its task and revoke it when the task ends. If the tooling can't scope credentials, that's a gap to close before you scale subagents. 2. Treat subagent output as untrusted. Anything a subagent returns — including error text, logs, and especially "stalled" dumps — should be parsed and sanitized before it touches shared state. Don't pipe raw subagent output into a context that feeds other agents or into any log that leaves your machine. 3. Separate the system prompt from the working context. The leak happened because authorization-shaped content sat in the same window the subagent could echo. Keep credentials and internal routing data out of the prompt that a stalled loop might surface. Put them in a side channel the model can call, not text it can print. The deeper lesson is about failure modes, not one bug. Most agent setups assume th

2026-07-11 原文 →
AI 资讯

Tencent's Hy3 Coding AI Puts Input Tokens at $0.14 Per Million

The feed showed a new entrant worth watching: Tencent has launched Hy3, a coding-focused AI model, with input tokens priced at $0.14 per million. For developers who live in the terminal running coding agents, that price point lands well below the per-token rates most frontier models charge, and it puts a major lab's coding model into the "cheap enough to leave running" category. What makes this interesting isn't just the number — it's the positioning. Hy3 is being pitched specifically as a coding AI, not a general chatbot, which suggests vendors are starting to carve out developer-facing models with their own pricing tiers rather than forcing coders to pay general-purpose rates. Developers spotted the launch in the daily AI news roundup and immediately started comparing it against the cost of running their existing agents. The catch, as always, is what the headline price doesn't tell you: output token cost, context-window limits, and how the model actually performs on real repository tasks all remain open questions. A low input price is meaningless if output is expensive or if the model needs five retries to get a diff right. Still, a credible cheap coding model from a major player is exactly the kind of pressure that nudges the whole category toward per-token transparency. If nothing else, it gives every other vendor a new number to justify theirs against.

2026-07-11 原文 →
AI 资讯

Learning Xahau: HookOnV2, NamedHooks, and Transaction Simulation. More Control Over When and How Hooks Fire.

Welcome to Learning Xahau, a series of articles dedicated to helping developers, builders, and blockchain enthusiasts better understand the Xahau ecosystem. Whether you're just getting started or already building advanced applications, these posts will explore Xahau's features, architecture, and best practices through practical examples and real-world use cases. If you've been building with Hooks on Xahau, you know the basic loop: write a C program, compile it to WebAssembly, install it on an account, and it fires automatically when that account is involved in a transaction. Simple and powerful, but until the 2026.6.21 major release, there were some friction points that made real-world hook architectures more complicated than they needed to be. This release ships three improvements that directly address those friction points: HookOnV2 : split the single HookOn bitmask into separate HookOnIncoming and HookOnOutgoing controls NamedHooks : assign a human-readable name to each hook slot, so senders can choose which hook to activate Simulate RPC : preview a transaction including all hook executions without spending fees or changing ledger state None of these require rewriting your hook logic. They are configuration and tooling improvements at the SetHook and transaction level. But they fundamentally change what you can build cleanly. All code in this article targets the Xahau Testnet ( wss://xahau-test.net ) and requires xahau.js 4.1.1 or later. Clone the companion repository: git clone https://github.com/Ekiserrepe/learningxahau20260621.git cd learningxahau20260621 npm install Copy .env.example to .env and fill in the seeds used across these examples: cp .env.example .env HUB_SEED = # account that installs the directional hook (07, 08, 09) NAMED_HUB_SEED= # account that installs and owns the named hooks (10, 11, 13, 14) SENDER_SEED = # account that sends payments targeting a named hook (12, 14) All accounts need testnet funds from the Xahau Testnet Faucet . HookOnV2: Di

2026-07-11 原文 →
开发者

How to debug why your PCIe device doesn't enumerate during bring up

Notes from bringing up a PCIe WiFi module on i.MX8MQ; symptoms and how to diagnose them. Phy link never came up — what does this mean? This message is typically seen in dmesg as shown below. [ 3.828121] imx6q-pcie 33800000.pcie: iATU: unroll T, 4 ob, 4 ib, align 64K, limit 4G [ 4.807241] imx6q-pcie 33c00000.pcie: Phy link never came up [ 4.841482] imx6q-pcie 33800000.pcie: Phy link never came up [ 5.821279] imx6q-pcie 33c00000.pcie: Phy link never came up [ 5.830481] imx6q-pcie 33c00000.pcie: PCI host bridge to bus 0001:00 [ 5.854997] imx6q-pcie 33800000.pcie: Phy link never came up [ 5.862205] imx6q-pcie 33800000.pcie: PCI host bridge to bus 0000:00 It means one of the following The PCIe peripheral is not powered up. PCIe reset is not deasserted, so the chip is in reset. This could be because the DTB is deasserting an incorrect GPIO. Reference clock is not enabled Using the incorrect PCIe controller in the device tree. As we can see that both the PCIe controllers can report this. So first determine which controller is the peripheral hooked to. More on this in the next section. Which PCIe controller is my device on? ( &pcie0 vs &pcie1 ) The rule here is to match by address and not by label/name. If the schematic calls out controllers as PCIE1 and PCIE2, and the device tree lists pcie0 and pcie1, understand the mapping. The DTS label is arbitrary - match by register base ( @address in the node name), which is the same in the DTS reg and the reference memory map. For definitive addresses look in the .dtsi , as sometimes the manuals are misleading. Given below is a mapping table for i.MX8MQ DTS. | ADDRESS (in .dtsi) | Silicon (RM) Label &pcie0 | 0x33800000 | PCIe1 &pcie1 | 0x33c00000 | PCIe2 The addresses are listed in the chip’s memory layout are from processor reference manual. Below is snapshot from the i.MX8MQ reference manual, where the layout for the core A-53 is listed. Start Address | End Address | Size | Description 3381_0000 | 3381_3FFF | 4MB | PCIe-2 << inco

2026-07-11 原文 →
AI 资讯

Your Loading Spinner Has an Emotional Job. Is It Doing It?

Most of us treat design systems as a functional problem: consistent colors, consistent spacing, consistent components. That part's solved for most teams now. The part nobody writes down is tone. How should this loading state feel? Should this error feel scary or manageable? Is this confirmation message robotic or human? Here's what I've learned paying attention to that layer. Four moments that carry the emotional weight In any app, four states do most of the emotional work: Loading Error Empty Success Get these four right and the whole product feels better, even if nothing about the actual functionality changed. ** Loading: ambiguity feels worse than the wait itself** jsx // Vague, slightly anxious < Spinner /> // Specific, calmer < div className = "loading-state" > < Spinner /> < p > Fetching your latest data... </ p > </ div > A spinner with no context makes people wonder if something's frozen. A spinner with a short label tells them exactly what's happening. Same wait time, different feeling. Errors: same bug, different emotional outcome jsx // Robotic " Error: Request failed with status 500 " // Human " Something went wrong on our end. Your changes weren't lost, try again in a moment. " The second version does three things the first doesn't: it's plain language, it removes blame from the user, and it tells them what to do next. That's the difference between an error that frustrates and one that reassures. Success: robotic vs genuine jsx // Robotic " Action completed successfully. " // Human " Done! Your changes are saved. " This message shows up constantly across a typical app. If it reads like a system log every time, the product feels cold. A small rewrite makes it feel like a person is on the other end. Micro-interactions: timing is part of tone too `jsx// No feedback during the wait, feels broken <button onClick={handleSave}>Save</button> // Immediate feedback, feels responsive <button onClick={handleSave}> {isSaving ? "Saving..." : "Save"} </button>` A butt

2026-07-11 原文 →
AI 资讯

Streaming journald logs to the browser with SSE

I got tired of SSHing into the box every time I shipped something, just to watch the logs come up. So I wanted a page in the admin panel where the lines scroll past as they happen, no dashboard, no Grafana, just the raw tail. The surprising part was how little I had to build for it, most of the pieces were already sitting on the server waiting for me to connect them. Here's the whole idea. The app writes JSON to stdout, systemd grabs that stdout and drops every line into the journal, and journalctl can follow the journal and hand the lines back live. All three of those already exist on an Ubuntu box. So the "live log viewer" is really just me spawning journalctl on the server and piping its output to the browser over an EventSource , which is a lot less code than it sounds like. journald is boring and well understood. SSE is boring and well understood (it's been in browsers since about 2011). Nobody gets excited about either one on its own. But snap the two together and you get a real-time log tail with no agent, no log shipper, no vendor, and nothing new to keep alive. Two defaults meeting each other and pretending to be a feature. Systemd thing People have opinions about systemd. Some of them are that you should avoid every part of it that you can, run your own supervisor, ship logs somewhere with your own daemon, and treat journald as a thing to route around. That's a fine hobby if you have the time for it. I don't. The box boots, systemd starts my unit, and when the unit writes to stdout the line ends up in the journal without me configuring anything. Being a purist here costs real hours and buys me a philosophy. Being pragmatic costs nothing and buys me a log tail. So this is the pragmatic path. If you're on a distro where journald is the default (Ubuntu, Debian, Fedora, most of them now) the setup below is basically free. Getting logs into the journal Here is the part most people overcomplicate. You do not "set up journald". You do not open a socket to it or p

2026-07-11 原文 →
AI 资讯

The Shell You Know vs The Shell You Deserve

Hello, I'm Maneshwar. I'm building git-lrc, a Micro AI code reviewer that runs on every commit. It is free and source-available on Github. Star git-lrc to help devs discover the project. Do give it a try and share your feedback. You've been using the terminal for months/ years. Maybe you cd into a folder, ls around, run your script, and call it a day. That's fine. That's like knowing how to boil water and calling yourself a chef. But the terminal has layers . It's basically an onion that occasionally makes you cry, usually around 12 AM when a script fails silently and you have no idea why. So grab your coffee and let's talk about the command line tricks that actually make your life better. Not the "did you know ls -la shows hidden files" tier tips. Your Terminal Has A Memory. Use It. Most devs mash the up arrow like it's 2007 and they're trying to beat a Flash game. Stop that. Press ctrl-r instead. It searches your command history live. Type a few letters, it finds the last matching command. Press ctrl-r again to cycle back further. Found it? Hit Enter to run it, or the right arrow to drop it into your prompt so you can edit it first. ctrl-r ( reverse-i-search ) ` docker run ` : docker run -it --rm -v $( pwd ) :/app node:20 bash Pair this with ctrl-w (delete last word) and ctrl-u (nuke the line back to the cursor) and you'll start editing commands like you're speedrunning a text adventure. And if you're the type who types a whole essay of a command and then realizes you forgot something at the start, ctrl-a jumps to the beginning of the line and ctrl-e jumps to the end. No more holding the left arrow key like it owes you money. Pro tip: if you're a TUI fan and ctrl-r's default search feels a bit flat, check out McFly xargs Is The Friend Who Actually Shows Up Pipes ( | ) are great. They pass output from one command into another. But sometimes you don't want to pass output as input , you want to pass it as arguments . That's where xargs comes in, and once you get it,

2026-07-11 原文 →
AI 资讯

Netflix is turning into YouTube

Netflix has shows and movies. And video games. And live sports. And podcasts. And also, apparently, YouTube videos? For a company that used to seem like the next big thing in TV, it all feels a little frenetic, and maybe a tad desperate. For a company that sees sleep as its primary competitor, it might […]

2026-07-11 原文 →
AI 资讯

Server Components vs Client Components: The Mental Model Shift Every Vite Developer Needs

Introduction If you have been building applications using Vite, you are likely used to a specific workflow: write React components, bundle them with esbuild/Rollup, and serve a single HTML file that fetches a large JavaScript bundle. In this world, everything is a "Client Component." However, as the React ecosystem shifts toward the App Router and React Server Components (RSC), the architecture is fundamentally changing. For developers moving from a Vite-centric mindset to a Next.js framework, the biggest hurdle isn't the syntax—it's the mental model. In this guide, we will break down the core differences between Server and Client components and how to adapt your Vite-based habits to this new reality. The Vite World: Single-Page Application (SPA) Default In a standard Vite + React project, your entire application lifecycle happens in the browser. The browser requests the page. The server sends a nearly empty index.html . The browser downloads the JS bundle. React hydrates the app, fetches data from an API via useEffect , and renders the UI. While this is excellent for developer experience (DX) and highly interactive dashboards, it often leads to "Layout Shift" and slower "Time to Interactive" for content-heavy pages because the client has to do all the heavy lifting. The Shift: Thinking in "Environment Splits" With React Server Components, the paradigm shifts from "Everything happens on the client" to "Compute where it makes sense." 1. What are Server Components? By default, in the Next.js App Router, every component is a Server Component. These components execute only on the server . They never send their code to the client-side bundle. This allows you to: Access backend resources directly: You can query your database or file system inside the component. Keep secrets safe: API keys and sensitive logic stay on the server. Reduce bundle size: Large dependencies (like a markdown parser or date library) stay on the server and only the resulting HTML is sent to the user

2026-07-10 原文 →
AI 资讯

Node.js Internals Explained by Uncle to Nephew — Part 4: Express Plumbing, Error Handling & The Full Roadmap

Bonus round. Parts 1–3 covered why Node exists, what's happening inside it, and the full request journey. This part mops up the pieces that didn't fit anywhere else — the Express plumbing, error handling, and a checklist to test yourself against. Saturday, Round 4 Nephew: Uncle, one more round? I promise this is the last one for a while. Uncle: pours chai — you said that last time too. Fine, what's bugging you now? Nephew: Small things, actually. express.json() , cookie-parser , express.Router() — I use all of them, copy-pasted from old projects, but I couldn't explain any of them if you asked me directly. Uncle: That's exactly the right instinct — the things you copy-paste without understanding are always the things that break at 2 AM. Let's fix that. Part 4.1 — Two Directions Node Never Confuses Uncle: Before plumbing, one small but important idea that ties Parts 2 and 3 together. Everything Node does falls into exactly two directions . DIRECTION 1 — Incoming Events "The outside world is telling Node something happened" OS → libuv → Event Loop → Your JavaScript Examples: HTTP request arrives, TCP connection opens, WebSocket message arrives DIRECTION 2 — Outgoing Async Operations "Your JavaScript is asking Node to go do something" JavaScript → libuv → Worker Thread → OS → Disk/DB ↓ result comes back through libuv → Event Loop → your callback Examples: fs.readFile(), crypto.pbkdf2(), dns.lookup() Nephew: So an incoming HTTP request and a fs.readFile() call both eventually pass through libuv and the event loop — but they enter from completely opposite directions? Uncle: Exactly. One is the world pushing something at Node. The other is Node reaching out to go get something. Same event loop handles both, but the journey to get there is different — an HTTP request never touches the thread pool; a file read almost always does. Incoming HTTP Request: File Reading: Browser JavaScript | | OS libuv | | libuv Worker Thread | | Event Loop Operating System | | JavaScript Disk |

2026-07-10 原文 →