🔥 ggml-org / llama.cpp - LLM inference in C/C++
GitHub热门项目 | LLM inference in C/C++ | Stars: 115,098 | 199 stars today | 语言: C++
找到 1401 篇相关文章
GitHub热门项目 | LLM inference in C/C++ | Stars: 115,098 | 199 stars today | 语言: C++
GitHub热门项目 | Open Source Computer Vision Library | Stars: 87,900 | 58 stars today | 语言: C++
Building a Deterministic Security Scanner for AI-Generated Code TL;DR: I built TruffleKit , a CLI security scanner that catches 22 vulnerability classes in under 2 seconds with zero false positives. Here's how the scanning engine works under the hood. AI code generation is producing more production code than ever. But AI models are trained on public code — which means they reproduce the same security mistakes the open-source ecosystem has been making for decades. In my tests, 73% of AI-generated code snippets contain at least one security vulnerability that a standard linter would completely miss. I couldn't find a tool that was fast, deterministic, and had zero false positives. So I built one. The Architecture The scanner is a rule-based deterministic engine written in Python. Each rule is a self-contained module that pattern-matches against a file's AST or raw content. scanner/ ├── __init__.py ├── engine.py # Orchestrator ├── reporter.py # Output formatting ├── rules/ │ ├── __init__.py │ ├── secret_detection.py │ ├── sql_injection.py │ ├── path_traversal.py │ ├── weak_encryption.py │ ├── cors_misconfig.py │ └── ... (22 rules total) └── models.py Key Design Decisions 1. AST-Based Pattern Matching For languages like Python and JavaScript, we parse the file into an AST and match against structural patterns — not regex. This eliminates false positives from strings that happen to look like code. import ast class SQLInjectionRule ( BaseRule ): def check ( self , tree : ast . AST , filename : str ) -> list [ Finding ]: findings = [] for node in ast . walk ( tree ): # Match: cursor.execute(f"...{variable}...") if isinstance ( node , ast . Call ): func_name = self . _get_call_name ( node ) if func_name in ( ' cursor.execute ' , ' db.execute ' , ' connection.execute ' ): for arg in node . args : if self . _is_f_string_or_concat ( arg ): findings . append ( self . _make_finding ( severity = ' high ' , message = ' SQL injection: parameterized query required ' , line = node .
There's a pattern I've noticed with every new AI coding tool that comes out: they all want you to switch editors. Or open a new terminal. Or context-switch into some standalone app. I DON'T WANT TO DO THAT My entire dev workflow lives in VS Code. My keybindings, my split panes, my snippets, my extensions — all of it. When Google released the Antigravity CLI ( agy ), an agentic coding assistant, I genuinely liked what it could do. But to use it properly, I had to live in a terminal window, manually managing sessions, typing slash commands from memory, and losing my editor context entirely. So I built a VS Code extension for it instead. What is Antigravity? Google Antigravity is Google's agentic coding CLI — think of it as a Gemini-powered dev assistant that can read your project, run tools, execute terminal commands, and help you build. It's the kind of tool that can handle complex multi-step tasks, not just autocomplete. The CLI is called agy , and it's genuinely capable. The problem was the workflow: terminal-first, session management by hand, and no visual layer over the context you're already in. The Extension: Antigravity for VS Code Install it on the VS Code Marketplace Source on GitHub The core idea is simple: the extension is a UI layer. It never bundles or replaces the agy binary — it shells out to whichever version you have installed locally. Same philosophy as the Claude Code VS Code extension: the editor provides the surface, the CLI does the work. Here's what it actually does: Sessions List The sidebar panel opens to all your saved sessions. You can open an existing one, delete it, or start fresh. New sessions can be launched in sandboxed mode or with permissions bypassed — accessible right from the "New Session" overflow menu, without memorizing CLI flags. Any session with an active turn shows a loading indicator in its row, so you always know what's in flight. Chat Panel (Material 3 Expressive) This is the main surface. Each session runs its own live,
Most online file converters require uploading your documents, images, or videos to an unknown server. This is slow, inconvenient, and raises serious privacy concerns. I decided to build something different: a converter that works entirely inside your browser. Processing large files without a backend presents two main engineering challenges: How do you avoid consuming all available RAM? How do you prevent the user interface from freezing? This article explains how I solved these problems using OPFS, Web Workers, and a Backpressure mechanism. The result is a working tool you can try right now: PixelForge Free . The Architecture at a Glance Here is the simplified data flow of the entire pipeline: Drag & Drop → OPFS (Virtual Disk) → Worker Pool (Backpressure) → ZIP Stream → Download Problem 1: Out-of-Memory (OOM) Crashes The Challenge: Loading many files directly into the browser's memory is impossible. A user dropping a folder with 100+ high-resolution images would instantly crash the tab. The Solution: Origin Private File System (OPFS) OPFS provides a fast, isolated virtual disk inside the browser. Instead of loading files into RAM, my pipeline intercepts the drop event and streams the raw binary data directly to this virtual disk. Here is a simplified version of how it works: // Get a reference to the virtual disk const root = await navigator . storage . getDirectory (); const fileHandle = await root . getFileHandle ( `input_ ${ id } .raw` , { create : true }); // Create a writable stream to the disk const writable = await fileHandle . createWritable (); // Stream the file directly from the user's computer to the virtual disk await file . stream (). pipeTo ( writable ); This allows the application to accept a folder with 500+ items without consuming more than a few megabytes of actual RAM. The data stays on the user's SSD, not in memory. Problem 2: UI Freezing The Challenge: Image compression, PDF parsing, and video encoding are CPU-intensive operations. Running them
Why RAG needs context judgment, not just better retrieval Most RAG systems optimize for retrieval. That makes sense. Search better. Embed better. Chunk better. Rank better. Fetch more sources. All of that matters. But retrieval alone does not answer a different question: Should this context actually influence the model? That is the problem FreshContext is built around. FreshContext is context judgment infrastructure for AI agents, RAG systems, and retrieval workflows. The simple version: candidate context in decision-ready context out Retrieval is not judgment A retriever usually answers: What might be relevant? A context judgment layer asks: What should happen to this context before it reaches the model? Those are different problems. A source can be relevant but stale. A source can be recent but low-confidence. A source can be useful as background but not strong enough to cite. A source can have no reliable date. A source can be a duplicate. A source can need verification before it should influence an answer. A normal RAG pipeline can retrieve all of that and still pass it straight into the prompt. That is where things get messy. The model may reason fluently from weak context, and the final answer can look confident even when the input material was stale, uncertain, or not citation-grade. The missing layer between retrieval and reasoning FreshContext sits after retrieval and before reasoning. It does not try to replace search, vector databases, RAG frameworks, or agent frameworks. It focuses on the boundary between them and the model. The product spine looks like this: candidate context -> FreshContext Core -> freshness / provenance / confidence / utility / source profile -> decision helper -> decision-ready output -> model / agent / app The goal is not just to produce another score. The goal is to turn candidate context into a decision. Example decisions include: cite_as_primary cite_as_supporting use_as_background needs_refresh needs_verification watch_only excl
Here is the bet we made: build software memory-first, not model-first , and it will outperform. Everyone else is racing to wrap the next model. We did the opposite. We built the memory layer first, the routing first, tool-calling, now the recursive engine, then let the model be a swappable part. Today that bet has a name: Backboard Development Studio . It starts with the R-CLI , a coding harness now in open beta. The headline result? It beats frontier models using open ones. Keep reading, the numbers are below and there is a promo code at the bottom. Test it. The beta is open. Two lines and you are running. # macOS / Linux curl -fsSL https://app.backboard.io/api/cli | bash # Windows (PowerShell) irm https://app.backboard.io/api/cli/windows | iex Get your API key: https://app.backboard.io Promo code: DEVTOCLI for credit toward inference while you put it through its paces. Find the Promo submit in the top right corner of the billing page. The hypothesis, stated plainly Model-first thinking says: pick the smartest model, prompt it well, hope it remembers. Memory-first thinking says: give the system real persistence, real routing, real recall, and a "smaller" model will outwork a "smarter" one that forgets everything between turns. We believed the second one. So we built it. The R-CLI is powered by our memory algorithms (the same ones that rank #1 on LoCoMo and LongMemEval ) and runs on Backboard's unified API: memory, routing across 17,000+ models , RAG, and stateful threads behind one key. Then we tested it in public. That part did not go quietly. The numbers we're getting on internal test runs this week 92% on Terminal Bench 2.1 running Codex 5.5 70% on Terminal Bench 2.1 running GLM 5.1 , an open-source model Up to 30% fewer tokens and up to 90% lower cost than the closed harnesses 0% of your code used to train anyone's model <-- Please read the T's & C's of your fav harnesses... Read that second line again. An open model, inside our harness, posting numbers that go
So far I've only been running openclaw agents and had a steep learning curve. "self-improvement" became a very attractive term on this journey. So I took a dive into Hermes Agent, the self-improving agent runtime from Nous Research. One of the first things I wanted to understand was a risk: what actually happens when you install a community skill? Skills are code and instructions that the agent will execute, and Hermes pulls them from an open ecosystem. So I read the install path in the source - instead of blindly trusting the docs. What I found is better than I expected in one way and structurally limited in another. What Hermes already has on board Hermes does not install external skills blindly. Every externally-sourced skill goes through a real gate before it lands on disk. In hermes_cli/skills_hub.py , the install flow is: fetch → quarantine → scan → policy decision → install or block-and-audit. The scan lives in tools/skills_guard.py and runs regex-based static analysis for known-bad patterns: secret exfiltration ( curl interpolating $API_KEY / $TOKEN / $SECRET ), reads of credential stores ( ~/.ssh , ~/.aws , ~/.gnupg , ~/.kube , and Hermes's own ~/.hermes/.env ), destructive commands, persistence, and obfuscation. If the scan blocks an install, the quarantined copy is deleted and the event is written to an audit log. This is more than most agent tooling ships with. If you remember the wave of malicious skills that hit competing ecosystems, a chunk of that class of attack would be caught here before anything ran. Someone thought about this. The part that doesn't scale imo The scanner produces a verdict — safe , caution , or dangerous . That verdict is then combined with a trust level to decide whether to install. The trust levels and their policies look like this: INSTALL_POLICY = { # safe caution dangerous " builtin " : ( " allow " , " allow " , " allow " ), " trusted " : ( " allow " , " allow " , " block " ), " community " : ( " allow " , " block " , " bloc
Aerospace completely revolutionized my workflow after 15 years of using macOS the way Apple intended. I no longer hunt for apps and windows in Mission Control or drag them around spaces to organize. I can open as many windows as I need and have them all under my fingertips. And instead of swiping around to find one, I instantly teleport to where they are. This incredible software is technically aimed at advanced users. It’s installed from the command line and offers extensive configuration options. For basic use though, you don’t need to configure it at all, and if you have opened the Terminal application before and know what running a command means, you should be good to go. Rest assured, I will not show you how to configure Aerospace with Vim, or show you how to create an elaborate but useless dashboard! Just the essentials to get you started. How to set up Aerospace Aerospace is a menu bar application, but you can’t download it from an App Store or get it as a DMG file. You need a package manager. Go to the Homebrew website and follow the installation guide. Make sure to accurately follow the on-screen instructions. This may include any of the following: A prompt to enter your password. When you type passwords in Terminal, you will not see stars or anything. Just make sure you’re typing the correct one and hit Enter. A prompt to install XCode Command Line Tools . Somewhere around the end of the installation process, you may get a prompt to run some extra commands, which depend on your system. Make sure you run them as instructed. To test if you have correctly installed Homebrew, run which brew in Terminal. If you see a path printed out, like /opt/homebrew/bin/brew , you’re good to go. If not, something has gone wrong. Try searching for other, more focused guides on installing Homebrew. With Homebrew, you can install applications from the Terminal app using the brew command. For Aerospace, you would run the following command: brew install --cask nikitabobko/tap/ae
Hey DEV community! 👋 I built IMGVO — a free image tool that works entirely in your browser. What it does Convert JPG, PNG, WebP, AVIF, HEIC and more Compress images up to 90% without quality loss Crop, resize, rotate, watermark Works offline (PWA) Why I built it Most image tools upload your files to servers. I wanted something private and instant. Tech 100% vanilla JavaScript No backend, no server Works offline as PWA Privacy first No files uploaded to any server. Everything runs locally in your browser. 🆓 Free, no signup required. 👉 Try it: https://imgvo.com Would love your feedback! 🙏
Most AI products today are wrappers. Different interfaces. Different branding. Different marketing. But underneath many of them is the same pattern: centralized models, rented intelligence, recurring dependence, and cloud-first control. The user doesn’t own the intelligence. They lease access to it. I think that creates a dangerous future. AI Is Quietly Becoming Infrastructure We’re moving toward a world where AI won’t just help write emails or generate images. It will: operate businesses, manage workflows, coordinate logistics, assist with infrastructure, analyze systems, monitor environments, and increasingly act as operational infrastructure. That changes the stakes dramatically. If AI becomes operational infrastructure, then ownership matters. Control matters. Resilience matters. And right now, most users have very little of any of those things. The Problem With Generalized Intelligence One of the biggest issues I see in modern GenAI is overgeneralization. We’re trying to build one giant intelligence that does everything: coding, marketing, legal reasoning, architecture, writing, support, psychology, operations, and research. The results can be impressive. But also unreliable. Hallucinations happen because the systems are stretched across too many domains simultaneously. The broader the intelligence becomes, the harder consistency becomes. That’s why I’ve become increasingly interested in specialized AI systems. AI Should Work Like A Workforce Instead of one giant model pretending to know everything, I believe AI should operate more like a coordinated workforce. Specialized agents. Focused responsibilities. Defined operational boundaries. For example: a development agent, an infrastructure agent, a security agent, a documentation agent, a research agent, a support agent, a creative writing agent. Each one optimized for a specific domain. Each one independently updateable. Independently replaceable. Independently trainable. Not one brain. Many experts. Local-Firs
GitHub热门项目 | A modern runtime for JavaScript and TypeScript. | Stars: 106,979 | 15 stars today | 语言: Rust
GitHub热门项目 | 🥧 Savoury implementation of the QUIC transport protocol and HTTP/3 | Stars: 11,540 | 7 stars today | 语言: Rust
GitHub热门项目 | A set of beautifully-designed, accessible components and a code distribution platform. Works with your favorite frameworks. Open Source. Open Code. | Stars: 115,842 | 73 stars today | 语言: TypeScript
GitHub热门项目 | Storybook is the industry standard workshop for building, documenting, and testing UI components in isolation | Stars: 90,212 | 11 stars today | 语言: TypeScript
GitHub热门项目 | Vite plugin that reimplements the Next.js API surface — deploy anywhere | Stars: 8,149 | 8 stars today | 语言: TypeScript
GitHub热门项目 | The swiss army knife of lossless video/audio editing | Stars: 40,995 | 67 stars today | 语言: TypeScript
GitHub热门项目 | the full-stack Vue framework | Stars: 60,358 | 14 stars today | 语言: TypeScript
GitHub热门项目 | Next generation frontend tooling. It's fast! | Stars: 81,082 | 71 stars today | 语言: TypeScript
GitHub热门项目 | Free, open-source and self-hosted CAPTCHA alternative to reCAPTCHA. Privacy-first and powered by proof-of-work and instrumentation challenges. | Stars: 6,767 | 59 stars today | 语言: JavaScript