今日已更新 119 条资讯 | 累计 20985 条内容
关于我们

标签:#ai

找到 3728 篇相关文章

AI 资讯

I Spent 10x Longer Debugging AI Code Than Writing It — Here's What Changed

Everyone talks about AI speeding up coding. Nobody talks about debugging AI-generated code. Last month, I spent three hours hunting down a bug in a 20-line function that an LLM wrote in thirty seconds. That's not a productivity gain—that's a productivity swap. You trade typing speed for debugging speed, and most of the time the trade is terrible. I've been using AI assistants for about a year now, mostly Claude and GPT-4, and I've noticed a pattern. The first version of any moderately complex piece of code always has at least one subtle mistake. Not syntax errors—those are easy. I'm talking about logical off-by-ones, missing edge cases, or completely hallucinated API calls. And the worst part? The AI writes the code with such confidence that you assume it's correct. You run it, it crashes, and you spend ten minutes thinking you misused the function before you finally look at the generated code with a suspicious eye. Let me show you a concrete example. I was building a small Node.js service that fetches data from a paginated REST API and merges the results. I asked the AI to write a function that handles pagination with a while loop and an offset parameter. Here's what it gave me: async function fetchAllPages ( baseUrl , limit = 100 ) { let offset = 0 ; let allData = []; let hasMore = true ; while ( hasMore ) { const response = await fetch ( ` ${ baseUrl } ?limit= ${ limit } &offset= ${ offset } ` ); const data = await response . json (); allData = allData . concat ( data . results ); hasMore = data . results . length === limit ; offset += limit ; } return allData ; } Looks clean, right? I pasted it in, ran my test, and got an infinite loop. The server returned a 400 error after a few requests, but the function kept going because response.ok was never checked. The AI assumed every call succeeds. I spent forty-five minutes debugging that—not because the bug was hard, but because I trusted the output. I added a try/catch and a status check, and then I found the real is

2026-07-06 原文 →
AI 资讯

Before adopting DSPy, prove the LM program has a contract

Before adopting DSPy, prove the LM program has a contract DSPy is easy to undersell. If you describe it as "a nicer way to write prompts", you will probably test the wrong thing. The better first test is this: can your language-model workflow be expressed as a small program with declared inputs, declared outputs, measurable examples, and an optimizer that is allowed to change prompts without changing the business boundary? That is the point where DSPy starts to make sense. The upstream README positions DSPy as a framework for programming, rather than prompting, foundation models. The current Doramagic project pack for stanfordnlp/dspy also points at the same starting command: pip install dspy . The package metadata I checked today declares name="dspy" , version 3.3.0b1 , and Python >=3.10,<3.15 . The GitHub API snapshot showed the repository was still active, with a push on 2026-07-05 and recent pull requests around empty evaluation sets, document formatting, and GEPA trace attribution. That activity is useful, but it is not the adoption proof. The proof is whether your own task can survive three separations. 1. Separate the task contract from the prompt In DSPy terms, the first artifact worth reading is not a clever prompt. It is the Signature. A Signature says what goes in and what must come out. A Module wraps that contract into something callable. An Adapter turns the contract into the provider-facing prompt format and parses the model response back into fields. That gives you a practical review question: Can the team name the output fields before anyone starts tuning wording? If the answer is no, DSPy will not rescue the workflow. You are still negotiating the task itself. The first pass should be a tiny contract: input text, retrieved context if needed, answer, citations, confidence, or whatever fields the product actually needs. Do not start with agents, tools, or multi-stage pipelines. 2. Separate compilation from runtime correctness DSPy optimizers can impr

2026-07-06 原文 →
AI 资讯

Predicting When a Client Will Actually Pay: Modeling Invoice Timing With an AI Agent

The single hardest thing about getting paid isn't writing the invoice. It's the follow-up — knowing when to nudge a quiet client, and doing it in a tone that doesn't torch the relationship. Most tools solve this with a dumb cron job: "send a reminder 7 days after the due date." That's wrong for almost everyone, and here's why. The problem with fixed reminder schedules Payment behavior isn't uniform. One client pays like clockwork on day 32 of a "net 30" invoice — not late, just their rhythm. Another pays on day 5 but only if you remind them on day 3. A blanket "day 7 past due" reminder annoys the first client (who was always going to pay) and misses the second (who needed the poke earlier). So the real problem is per-client timing prediction , not scheduling. You want to model each client's payment distribution and act at the point where a reminder has the highest marginal effect — the moment they're most likely to convert intent into a transfer. Modeling payment rhythm as a per-client distribution Every invoice gives you a labeled data point: (sent_date, due_date, paid_date, amount, was_reminded) . Over time, per client, that's a distribution of "days from send to pay." The naive move is to average it. Don't — averages hide the shape, and the shape is the whole signal. We model each client's pay-day as a distribution and track two things that matter more than the mean: Dispersion — a tight distribution (always day 30–32) means a reminder before day 30 is noise. A wide one means the client is reminder-sensitive. Reminder lift — comparing paid-day distributions with and without a nudge tells you whether reminders actually move this client, and by how much. for client in clients : hist = paid_events ( client ) # list of days-to-pay p50 , p90 = quantiles ( hist , [. 5 , . 9 ]) lift = mean ( days_without_reminder ) - mean ( days_with_reminder ) # act just before the client's own habitual pay point, # but only if a nudge historically helps them if lift > MIN_LIFT_DAYS :

2026-07-06 原文 →
AI 资讯

How to tell whether ChatGPT will cite your page (and when it structurally won't)

Most AEO/GEO advice hands you a checklist: add structured data, write answer-first, put a date on it, get a score. You do all of it, and the AI answer still quotes someone else. The checklist skipped the only question that decides the outcome first: for this particular query, can an independent site get cited at all? Getting cited by ChatGPT, Perplexity, or Google's AI Overviews is a two-stage funnel, and the stages fail for completely different reasons. Grade your page without knowing which stage you're stuck at and you'll spend a day tuning headings on a page that was never eligible. Here's the model, and how to run the check yourself before you touch the formatting. Stage 1: eligibility — can the engine retrieve you at all? Answer engines are retrieval-augmented. Before anything gets generated, a retriever picks a small set of candidate pages. If you're not in that set, nothing about your writing matters. Three things decide it, and only some are visible in your HTML. The part you can check on-page — the hard disqualifiers: noindex . A <meta name="robots" content="noindex"> (or an X-Robots-Tag header) keeps you out of the indexes these engines lean on. Easy to ship by accident on a templated page. AI crawlers blocked in robots.txt . GPTBot, PerplexityBot, ClaudeBot, and Google-Extended are distinct user agents. A Disallow: / for any of them means that engine can't fetch you even if Googlebot can. Check each one by name: curl -s https://example.com/robots.txt | grep -iA2 -E 'GPTBot|PerplexityBot|ClaudeBot|Google-Extended' Content that only exists after JS runs. If your article body is injected client-side and the server returns an empty shell, a fetch-based crawler sees nothing. Compare raw HTML to rendered: curl -s https://example.com/post | grep -c "a distinctive sentence from your article" Zero means your content isn't in the served HTML. Server-render it or pre-render it. The part you cannot check on-page — and this is where honesty matters — is domain authori

2026-07-06 原文 →
AI 资讯

Retro-Downfall Arcanum

🎲 A Tale of Inference Woes 🎲 Thy context window overflows with dread, Thy API keys scattered 'cross thy thread. Thou switchest providers mid-conversation, And pray thy tokens find the right foundation. No ward stands guard when tools go rogue, No grimoire saves a session from the fog. Thy agents wander, masterless and blind, Thy prompts untested—leaving truth behind. Thy wallet weeps. Thy latency doth creep. Thy model's fine. Thy infrastructure? Not so deep. Sound familiar? I'm excited to share the public README for Arcanum — a .NET 10, single-binary, Native AOT, local-first AI inference hub that treats your infrastructure with the seriousness of a dungeon master and the organization of a well-kept grimoire. Arcanum is one self-contained native executable. No runtime prerequisite. No "install the framework first." Just arcanum serve and you're running a full inference platform on loopback. What's in the bag of holding: 🏰 Local-first & encrypted — SQLCipher-encrypted Grimoire persists every session, entry, and memory. Your data never leaves your machine unless you tell it to. ⚔️ Multi-provider native engine — Any OpenAI-compatible API (DeepSeek, Groq, Ollama via /v1, LM Studio, etc.) plus local GGUF models via a managed llama-server lifecycle. One hub, zero vendor lock-in. 🔮 OpenAI API compatible — POST /v1/chat/completions and GET /v1/models work with existing OpenAI clients out of the box. Drop-in replacement for your local stack. 🛡️ Wards & Sanctum — High-risk tools require operator approval before execution. Per-campaign sandboxes enforce path containment, network policy, and OS-level CPU/memory/FD limits via cgroups v2 and setrlimit. 📜 Spells, not prompts — Versioned markdown workflows with dependency resolution, tool allowlisting, and semantic routing. Dry-run cast previews before spending a single token. 🧙 Autonomous Apprentices — Goal-driven agents with plan generation, retry/backoff, autonomous plan revision, DM escalation, and parallel step execution. 🏰 The

2026-07-06 原文 →
AI 资讯

Why AI App Backends Are Becoming Accounting Systems

Most SaaS backends were built around a simple assumption: The user pays a subscription, then uses the product. That assumption breaks down for AI apps. An AI app does not just serve screens. It spends money while it works. A user searches the web. A model summarizes a report. An image model generates a draft. An agent calls an MCP tool. A workflow buys data from an API. A future x402 endpoint charges for a capability call. Every one of those actions can have a marginal cost. That means the backend for an AI app is no longer just a place to store users, projects, and settings. Increasingly, it is a system of record for economic activity. In other words: AI app backends are becoming accounting systems. The old SaaS model was simpler Traditional SaaS could survive with coarse billing. You had: monthly subscriptions seats tiers maybe a usage limit somewhere That worked because the marginal cost of most product actions was close enough to zero. If a user clicked a button, edited a document, opened a dashboard, or created a project, the backend cost was usually small compared with the subscription price. The business could average it out. AI apps are different. The product may call paid APIs on almost every useful action. Search once. Summarize once. Generate once. Transcribe once. Call an agent tool once. The unit economics are inside the interaction loop. If the product cannot see who spent what, when, and why, the business is flying blind. Usage billing is not an add-on For AI apps, usage billing is often treated like a pricing feature. I think that is too narrow. Usage billing is really a cost ledger. It answers: which user triggered the cost? which project or app did it belong to? which capability was called? what did it quote before execution? what did it actually cost? was it retried? was it idempotent? did the end user pay for it? is there a payment or checkout record attached? If you cannot answer those questions, you do not have a reliable production backend for

2026-07-06 原文 →
AI 资讯

Building a 'Chief Health Officer' with LangGraph: Automatically Filter Your Food Delivery Based on Real-Time Blood Sugar

We’ve all been there: it’s 7:00 PM, you’re exhausted after a long sprint, and you open a food delivery app. Your brain screams "Double Cheeseburger," but your body is still recovering from that mid-afternoon sugar spike. What if your phone was smart enough to say, "Hey, your blood sugar is currently 160 mg/dL and rising—maybe skip the extra fries?" In this tutorial, we are building a Chief Health Officer (CHO) Agent . This isn't just a simple chatbot; it’s a sophisticated AI Agent using LangGraph to bridge the gap between real-time medical data (CGM) and real-world actions (Food Delivery APIs). By leveraging automation , function calling , and state machines , we’ll create a system that actively protects your metabolic health. The Architecture: How the CHO Agent Thinks To build a reliable agent, we need a "stateful" workflow. We aren't just sending a prompt to an LLM; we are creating a loop that monitors glucose levels, analyzes food options, and interacts with the browser. graph TD A[Start: Hunger Trigger] --> B{Fetch CGM Data} B -->|Sugar High/Unstable| C[Constraint: Low GI Only] B -->|Sugar Stable| D[Constraint: Balanced Meal] C --> E[Scrape Delivery App Menu] D --> E E --> F[Agent: Analyze Ingredients & GI Index] F --> G[Selenium: Mark/Filter Non-Compliant Items] G --> H[End: Safe Ordering] subgraph "The LangGraph Loop" C D E F end Prerequisites Before we dive into the code, ensure you have the following: LangGraph & LangChain : For the agent's cognitive architecture. Dexcom API Credentials : To fetch real-time Continuous Glucose Monitor (CGM) data. Selenium : For interacting with food delivery web interfaces (Meituan/Ele.me). OpenAI API Key : Specifically for GPT-4o’s reasoning and function-calling capabilities. Step 1: Defining the Agent State In LangGraph, everything revolves around the State . Our CHO agent needs to track the current glucose level, the user's health constraints, and the list of available food items. from typing import TypedDict , List , Anno

2026-07-06 原文 →
AI 资讯

I Built an AI Agent That Remembers Why Customers Leave (And I'm Building My Way Into AI Development)

With over 5 years in customer support and retention, I've lost count of how many times I've seen the same pattern: a customer explains an issue, gets it "resolved," and then has to explain the same problem again weeks later, as if the first conversation never happened. Support systems forget. Customers don't. That frustration, seen over years on the support side, is what led me to this hackathon project. Most support systems and most AI chatbots treat every interaction as isolated. They don't remember. So patterns that should be obvious (repeated complaints, dropping usage, unresolved issues) never get connected until a customer just leaves. That became the seed for my project: the Retention Risk Agent. The Problem With "Forgetful" AI Most AI tools answer questions in the moment, then forget everything. Ask a chatbot about a customer's history, and it only knows what's in that single message, not what happened last week, last month, or across five different support tickets. For churn prediction, that's a fatal flaw. Churn isn't a single event. It's a pattern, a series of small signals that only make sense when viewed together over time. This is something I understand deeply from years of watching it happen firsthand. Cognee is an open-source memory layer for AI agents. Instead of treating each interaction as isolated, it builds a knowledge graph, connecting facts, relationships, and context across everything you feed it. That's exactly what churn detection needed. What I Built I created a Python script that: Ingests customer records (support tickets, usage patterns, plan changes) Uses Cognee to build a memory graph connecting these signals Asks a simple question: "Which customers show signs of churn risk, and why?" The result wasn't a keyword match; it was reasoning. The agent correctly flagged a customer whose usage dropped 80% and who'd ignored two check-in emails. It flagged another who'd complained twice about slow support and mentioned a competitor. And critica

2026-07-06 原文 →
AI 资讯

Some of the nation’s rich are letting AI teach their kids

Most Americans don't trust AI. It's proven that it doesn't know what safe toppings for pizza are. People don't even want to listen to AI music. But none of that matters for some of America's wealthy, who are turning to AI to teach their kids instead of traditional schools. Companies like Forge Prep and Alpha […]

2026-07-06 原文 →
AI 资讯

What AGENTS.md Gives Coding Agents That README Files Do Not

Here's the failure mode I keep running into. A team gives a coding agent a repo, a task, and maybe a README. The agent can find files and write code, but it still has to guess the operating rules. It guesses the package manager. It guesses which checks matter. It guesses whether generated files are safe to edit. It guesses what "done" means. A README is usually for humans: what the project is, how to run it, and where the important docs live. A coding agent needs different context. Setup rules. Test commands. Boundaries. Completion criteria. That's the gap AGENTS.md fills. The official AGENTS.md guidance describes it as a predictable place for coding-agent instructions: setup commands, test commands, code style, security considerations, and nested instructions for large monorepos. I find the split useful in a more boring way. The README answers, "What is this project?" AGENTS.md answers, "What should an agent know before touching it?" That second question is where the work usually gets fragile. Where Goose Fits Goose makes this less theoretical because it isn't just a chat box. It's an open source local AI agent with a desktop app, CLI, API, MCP extensions, and skills. Without AGENTS.md , I find myself writing prompts like this: Update the docs, but don't touch generated files, use pnpm, run the lint and test commands, keep the PR small, and tell me what you couldn't verify. With AGENTS.md , the prompt can get shorter: Update the quickstart docs for the new config flag. Goose can run the task in the repo. The repo can carry the standing instructions. I noticed this on a small docs/config update where generated files sat near source files. Without repo instructions, the prompt had to carry the package manager, generated-file boundary, checks, and the "tell me what you could not verify" rule. Once those rules lived in AGENTS.md , the prompt became just the task. Not magic. Just fewer chances to forget the boring parts. Where Skills Fit I would add one more layer once

2026-07-06 原文 →
AI 资讯

Sakana Fugu: How Collaborative AI is Changing the Game

# Sakana Fugu: The Multi-Agent AI System That Works Like a Team We’ve all been there: copy-pasting a prompt from ChatGPT to Claude, and then to Gemini, trying to find which AI gives the best answer. Different AI models have different strengths. Some are excellent programmers, some write beautifully, and others are master logicians. But constantly switching between them is slow and frustrating. Sakana AI has introduced a brilliant solution: Sakana Fugu . Fugu is a multi-agent AI system that bundles multiple frontier models into a single, seamless package. To you, it looks like a single chatbot. But behind the scenes, it acts as a project manager, coordinating a team of top-tier AI models to solve your task. What is Sakana Fugu? Sakana Fugu is a collaborative AI framework. Instead of relying on one massive AI model to do all the work, Fugu orchestrates a pool of specialized models (such as GPT-5, Claude Opus, and Gemini Pro). When you give Fugu a complex, multi-step prompt, it: Analyzes the task and breaks it down into steps. Assigns specialized roles (like researcher, coder, and editor) to different AI models. Passes the work back and forth between them until the final, polished result is ready. By working as a team, these models achieve far better results than any single AI could on its own. The Secret Sauce: Teamwork Over Size Fugu’s intelligent coordination is based on two core concepts presented at the ICLR 2026 conference: 1. The Manager (TRINITY) Think of TRINITY as the manager of the team. It is a compact coordinator model that assigns specific roles to the worker LLMs. For example, it might tell Gemini to generate the initial code, tell Claude to find the bugs, and tell GPT to write the user documentation. They collaborate seamlessly without needing to merge their code bases. 2. The Conductor The Conductor acts as the communication network designer. It figures out the best way for the worker AIs to talk to each other for your specific question. It writes cust

2026-07-06 原文 →
AI 资讯

Tokens

Introduction Although we interact with LLMs using natural language, these models never processes raw text directly. Before a prompt reaches the model, it is converted into a sequence of tokens , the fundamental units that the model understands. Tokenization is one of the earliest stages of the inference pipeline and influences everything from context windows and API pricing to latency and memory usage. What Is a Token? A token is the smallest unit of text processed by a language model, it is not necessarily a word. Depending on the tokenizer, a token may represent: an entire word part of a word punctuation whitespace numbers symbols emojis Different models use different tokenizers, so the same text may be split differently depending on the model. Why Tokens? Simply because language models operate on numbers, not text. Before the transformer can perform any computation, the input must be converted into a numerical representation. The preprocessing pipeline looks like this: Raw Text │ ▼ Tokenizer │ ▼ Tokens │ ▼ Token IDs │ ▼ Embedding Layer │ ▼ Embedding Vectors │ ▼ Transformer The tokenizer splits the input into tokens and each token is then mapped to a unique integer called a token ID , which are passed through the model's embedding layer, which converts them into dense vectors that become the actual input to the transformer. A Real Example Instead of using hypothetical examples, let's look at how OpenAI's tokenizer processes text. Input: I have no enemies. OpenAI tokenizes it to: ["I", " have", " no", " enemies", "."] with the following token IDs: [40, 679, 860, 33974, 13] that have been generated by OpenAI Tokenizer for the "GPT-5.x & O1/3" models. The transformer never sees the original sentence, it only receives the corresponding sequence of token IDs. Token IDs After tokenization, every token is replaced with an integer. Conceptually: " have" → 679 " no" → 860 " enemies" → 33974 ... The exact numbers differ between models because each tokenizer has its own voca

2026-07-06 原文 →
AI 资讯

10 Website Performance Optimization Tips Every Developer Should Know

Website performance is no longer just a nice-to-have feature—it's a critical factor for user experience, SEO, and business success. Even a one-second delay in page load time can reduce conversions and increase bounce rates. Whether you're building a portfolio, SaaS application, eCommerce platform, or business website, these optimization techniques can make a significant difference. Optimize Images Images are often the largest assets on a webpage. Use modern formats like AVIF or WebP, compress images, and serve responsive image sizes to reduce bandwidth usage. Self-Host Fonts Third-party font requests add latency. Self-hosting fonts, preloading critical font files, and serving only the required character subsets can dramatically improve loading performance. Remove Unused CSS & JavaScript Shipping unnecessary code increases download size and execution time. Tree shaking, code splitting, and removing unused styles help keep your bundle lean. Enable Caching Configure long-term browser caching for static assets and use hashed filenames for cache busting. This allows returning visitors to load your website much faster. Use Lazy Loading Images, videos, and iframes that aren't immediately visible should load only when needed. Native lazy loading is supported by modern browsers and is easy to implement. Optimize Core Web Vitals Google's Core Web Vitals measure how users experience your website. Focus on: Largest Contentful Paint (LCP) Interaction to Next Paint (INP) Cumulative Layout Shift (CLS) Improving these metrics benefits both SEO and user satisfaction. Minify Assets Minify HTML, CSS, and JavaScript files before deployment. Smaller files transfer faster and improve overall performance. Use a CDN Serving assets from edge locations around the world reduces latency and improves loading times for global visitors. Prioritize Accessibility Accessible websites provide a better experience for everyone and often align with SEO best practices. Use semantic HTML, descriptive labe

2026-07-06 原文 →
AI 资讯

Docker Containerization: Turning 'Works on My Machine' Into a Reproducible Artifact

"Works on my machine" is one of the oldest jokes in software, and it stopped being funny the first time it cost me a weekend. The code was fine. The environment wasn't. A library version on the build box didn't match production, and nobody could see it because "the environment" was a fuzzy, undocumented thing that lived partly in a config management tool, partly in someone's .bashrc , and partly in tribal memory. Containerization is the boring, durable fix for that whole class of problem. Not because containers are magic, but because they force you to turn a fuzzy environment into a single, inspectable, reproducible artifact. That shift — from "a machine we hope is configured right" to "an image we can point at" — is the actual win. Let me walk through what that means operationally, with a minimal example. What containerization actually solves Strip away the tooling and a container image is one thing: your application plus everything it needs to run, packaged together and frozen. The OS libraries, the runtime, the dependencies, your code — all captured at build time into one immutable blob with a content-addressable identity. That has three consequences that matter when you're the one on call: The environment stops being a variable. If it runs from image myapp:1.4.2 in staging, the same image runs in production. You're no longer debugging the difference between two machines. The artifact is immutable. You don't patch a running container in place and hope. You build a new image, tag it, and roll it out. The old one still exists, unchanged, if you need to go back. Rollback becomes trivial. "Roll back" means "run the previous image tag." That's it. No reinstalling packages, no un-applying config drift. After enough years in operations, you learn that most 3 a.m. incidents aren't exotic. They're some version of "this box isn't like the other boxes." Containers don't make you smarter, but they take that entire category off the table. Images vs. containers, briefly These

2026-07-06 原文 →
AI 资讯

CNTRL by Omnikon Org Selected for Elite Coders Summer of Code (ECSoC) 2026

🚀 CNTRL by Omnikon Org Selected for Elite Coders Summer of Code (ECSoC) 2026 Building an AI-first browser for developers—and taking the next step through ECSoC 2026. Open source has always been one of the best ways to learn, collaborate, and build software that makes a difference. Today, I'm excited to share a milestone that means a lot to our team. Our project CNTRL , developed by Omnikon Org , has officially been selected for Elite Coders Summer of Code (ECSoC) 2026 ! 🎉 This selection gives us an incredible opportunity to collaborate with contributors worldwide and continue building a browser that's designed from the ground up for developers. 💡 Why We Started CNTRL Every developer has experienced this workflow: Open documentation Search GitHub Ask an AI assistant Open Stack Overflow Copy code Switch back to the IDE Repeat... The browser has become the center of development, but it still isn't designed for developers. We wanted to change that. Instead of building another browser, we started building one where AI is part of the experience—not another tab. 🌐 What is CNTRL? CNTRL is an AI-powered browser built for developers. Our vision is to create a browser that understands how developers work and helps them stay focused. Some of the ideas we're working toward include: 🤖 AI-assisted coding 📖 Context-aware documentation 💬 Built-in developer assistant ⚡ Faster research workflows 🔌 Extensible architecture 🌍 Community-driven open source The project is still evolving, and ECSoC gives us the perfect platform to accelerate its development. 🏆 Selected for ECSoC 2026 Being selected for Elite Coders Summer of Code 2026 is a huge milestone for our organization. It means we'll have the opportunity to: Collaborate with talented contributors Improve the project's architecture Build exciting new features Learn from the community Grow CNTRL into an even better developer tool We're incredibly thankful to the ECSoC team for believing in our vision. 🌍 About Omnikon Org Omnikon Org is

2026-07-06 原文 →
AI 资讯

Guardrails for LLM Apps in Java

Introduction Every post in this series has quietly touched a piece of the same problem. Building Agentic Workflows in Java said toolUse.input() is untrusted and must be validated before it reaches your code. Building Reliable LLM Applications in Java said the model will confidently invent facts, so ground it and get typed output instead of parsing prose. Neither post named the thing underneath both statements: anything that crosses from outside your code into the model, or from the model back into your code, is untrusted input — a request body from the network, not a trusted internal value. This post names that boundary directly and gathers the defenses in one place — prompt injection (direct and indirect), input validation, output validation, and PII redaction — with the SAFE pattern shown beside every unsafe one it replaces, since this is the security-forward capstone of the series. The Trust Boundary: Three Kinds of Untrusted Input An LLM application has three places where untrusted text enters: User input — anything a person types, uploads, or submits through an API. Retrieved content — Making RAG Accurate in Java built a pipeline that ranks and returns chunks from a document store; those chunks were written by whoever authored the source document, not by you, and a malicious or compromised document can carry text aimed at the model reading it, not at a human reader. Model output — untrusted the moment it's about to be used rather than displayed : passed to a tool, interpolated into a query, or fed into another LLM call as context. A model that just read attacker-controlled retrieved text can be manipulated into producing attacker-controlled output. The single rule under all three: text is data until your code has explicitly decided it's safe to use for anything more than display. Nothing below is executed against a live API — every snippet is illustrative, and none of it uses a real key or a real record. Direct Prompt Injection: Defending the System Prompt A di

2026-07-06 原文 →
AI 资讯

Guardrails for LLM Apps in Python

Introduction Every post in this series has quietly touched a piece of the same problem. Building Agentic Workflows in Python said a tool's input is untrusted and must be validated before it reaches your code. Building Reliable LLM Applications in Python said the model will confidently invent facts, so ground it and get typed output instead of parsing prose. Neither post named the thing underneath both statements: anything that crosses from outside your code into the model, or from the model back into your code, is untrusted input — a request body from the network, not a trusted internal value. This post names that boundary directly and gathers the defenses in one place — prompt injection (direct and indirect), input validation, output validation, and PII redaction — with the SAFE pattern shown beside every unsafe one it replaces, since this is the security-forward capstone of the series. The Trust Boundary: Three Kinds of Untrusted Input An LLM application has three places where untrusted text enters: User input — anything a person types, uploads, or submits through an API. Retrieved content — Making RAG Accurate in Python built a pipeline that ranks and returns chunks from a document store; those chunks were written by whoever authored the source document, not by you, and a malicious or compromised document can carry text aimed at the model reading it, not at a human reader. Model output — untrusted the moment it's about to be used rather than displayed : passed to a tool, interpolated into a query, or fed into another LLM call as context. A model that just read attacker-controlled retrieved text can be manipulated into producing attacker-controlled output. The single rule under all three: text is data until your code has explicitly decided it's safe to use for anything more than display. Nothing below is executed against a live API — every snippet is illustrative, and none of it uses a real key or a real record. Direct Prompt Injection: Defending the System Prompt

2026-07-06 原文 →