今日已更新 156 条资讯 | 累计 20626 条内容
关于我们

标签:#rce

找到 1472 篇相关文章

开源项目

🔥 xbtlin / ai-berkshire - AI 时代的伯克希尔:基于 Claude Code 的价值投资研究框架。巴菲特·芒格·段永平·李录四大师方法论 + 多A

GitHub热门项目 | AI 时代的伯克希尔:基于 Claude Code 的价值投资研究框架。巴菲特·芒格·段永平·李录四大师方法论 + 多Agent并行研究。| AI-era Berkshire: a value investing research framework built on Claude Code. 4 masters' methodologies + multi-agent adversarial analysis. | Stars: 1,563 | 201 stars today | 语言: Python

2026-06-25 原文 →
AI 资讯

Building Rule-Validator: Why I Built a Java Annotation-Based Rule Engine After 3 Years of Fighting Business Rules

Building Rule-Validator: Why I Built a Java Annotation-Based Rule Engine After 3 Years of Fighting Business Rules Let me tell you a story. For three years, I've been fighting the same battle in enterprise Java development: business rule validation . Honestly, every time a new requirement comes in like "this order must be approved if amount > 10000 AND user level > 3 AND discount < 0.1", I'd end up with a 500-line method full of if-else that nobody wants to touch. Sound familiar? I tried every existing solution: Drools: Too heavy, requires learning a new DSL, impossible to debug Spring Validation: Great for basic validation, but can't handle complex business rules nicely Hand-written if-else: Works, but becomes unreadable after 10 rules Expression engines like Aviator: Still externalized, breaks compile-time checking So here's the thing — I learned the hard way that what Java developers actually want is simple, annotation-based, compile-safe rule validation that lives right next to your code. That's why I built rule-validator . What is Rule-Validator? Rule-validator is a lightweight Java library that lets you define business rules using annotations directly on your classes . No DSL, no external files, no magic — just simple, testable, maintainable rules. The core idea is: Each rule is a method annotated with @Rule Rules can be grouped and ordered You get full Java compile-time checking Everything stays in your code, where it belongs Here's a quick example to show you how it works: import com.github.kevinten10.rulevalidator.annotation.Rule ; import com.github.kevinten10.rulevalidator.annotation.RuleGroup ; import com.github.kevinten10.rulevalidator.core.RuleExecutor ; import com.github.kevinten10.rulevalidator.result.RuleResult ; // Define your business object public class Order { private BigDecimal amount ; private Integer userLevel ; private BigDecimal discount ; // getters and setters public BigDecimal getAmount () { return amount ; } public Integer getUserLevel ()

2026-06-25 原文 →
AI 资讯

Part 14: Community and Ecosystem - Contributing to Vyshyvanka

It is clear that Vyshyvanka is more than just code — it is an ecosystem. The true power of an open-source workflow engine lies in its community. Today, we want to talk about how you can get involved, whether you are interested in pushing the boundaries of the core engine or building specialized solutions with custom plugins. The Core Engine vs. The Plugin Ecosystem A common question we get is: 'Should I contribute a PR to the core engine, or should I build a separate plugin?' The answer depends entirely on the scope of your contribution. When to Contribute to Core The core engine ( Vyshyvanka.Core , Vyshyvanka.Engine , Vyshyvanka.Api , Vyshyvanka.Designer ) should be reserved for changes that benefit every user of the platform. Good candidates for core contributions: Performance improvements to the execution pipeline New fundamental port types or expression functions Bug fixes in the engine, validation, or persistence layers Enhancements to the Designer UI (canvas, node editor, property editors) Improvements to the API surface (new endpoints, better error responses) Documentation improvements These changes require careful review and testing because they impact every installation. We encourage PRs here, but we also ask that you open an issue first so we can discuss the architectural impact. When to Build a Plugin Plugins ( ./plugins/ ) are the best way to extend functionality without increasing the maintenance burden of the core. Good candidates for plugins: Integration with a specific third-party SaaS tool (CRM, CI/CD, monitoring) Custom nodes specific to your industry or use case Experimental node behaviors that are not yet ready for core Proprietary integrations you want to keep separate from the open source project Plugins are independent, versionable, and can be maintained outside the core release cycle. They empower you to solve your specific problems immediately without waiting for a core release. Project Structure at a Glance Understanding where things live i

2026-06-25 原文 →
AI 资讯

MCP + RAG: Why I Stopped Building Complex RAG Systems After MCP Changed Everything

MCP + RAG: Why I Stopped Building Complex RAG Systems After MCP Changed Everything Honestly, I've spent the last four years building increasingly complex RAG systems. Chunking strategies, embedding models, vector databases, rerankers, hybrid search... you name it, I've probably wasted a weekend trying it. I had this 1,800-hour knowledge base project called Papers — six years of notes, articles, bookmarks, everything. I built RAG version after RAG version, each time thinking "this time it'll be perfect." Spoiler: It never was. Then I added MCP (Model Context Protocol) support. And I realized something that completely changed how I think about knowledge retrieval: MCP makes traditional complex RAG obsolete for most use cases. Let me explain what I learned the hard way. The RAG Trap I Was Stuck In If you've built a RAG system, you know the drill: Chunking : Should you use fixed-size, semantic, recursive, or something fancy like LLM-powered chunking? Embeddings : OpenAI text-embedding-3-large vs Cohere vs nomic-ai vs your fine-tuned model? Vector Database : Pinecone vs Weaviate vs PGVector vs Qdrant vs Chroma? Retrieval : Top-k how many? Hybrid search with keywords? Reranking? Prompt Compression : How do you fit all the retrieved chunks into the context window? I went through every iteration. At one point, my RAG system was over 2,000 lines of code. I had configurable chunkers, multiple embedding providers, caching layers, hybrid search... it was impressive. It also didn't work that well. Here's what bothered me the most: I kept throwing more complexity at the problem, but the fundamental issue never went away. I was trying to make my knowledge base smart, but AI already got smart. Why was I reimplementing all this understanding logic when the AI can already do it better than me? How MCP Changed the Game When I added MCP support to Papers, I started with the simplest possible approach: Expose two tools: search_notes and get_note_content Search is just basic text matchin

2026-06-25 原文 →
AI 资讯

How we stopped our AI assistant from hallucinating bug fixes

Cover: a real qa-probe run against our own stack, cropped to the summary - internal product detail withheld. We are building LightShield, a SIEM that is in active demo right now. We built most of it pair-programming with an AI coding assistant wired in over MCP - it ran our stack, read the errors, and patched its own code. For a small team that is a superpower. Until an endpoint failed. Here is the loop we kept hitting. A route returns a 500, or a 404, or an empty [] . The assistant looks at the status code and announces the cause with total confidence. Then it rewrites a handler that was never broken - because a status code is not a cause, and it had nothing else to go on. So it guessed, and it guessed wrong, and the diff made things worse. The thing is, that empty [] had at least six possible causes: the database was empty (nothing seeded) a feature flag was off a contract mismatch between the frontend and the backend an auth token that never got attached a 428 precondition a schema drift Same symptom, six different fixes. We could bisect to the real one. The AI could not - it had no ground truth, so it manufactured one. So we built qa-probe It analyzes the app, probes the live endpoints, and classifies each failure with a root cause and a fix hint. Three decoupled, cached phases: qa-probe analyze # parse source + OpenAPI -> route graph qa-probe probe # hit live endpoints (HTTP/SSE/WS), record evidence qa-probe report # classify root cause -> HTML / Markdown / JSON / AI-context # or just: qa-probe run It has adapters for FastAPI, Express, Next.js, tRPC, GraphQL, and a generic fallback, so it discovers your routes instead of you hand-listing them. The part that actually fixed our problem: every result is falsifiable Each result carries the evidence (the real request, a bounded response sample, the timing), a root cause from ~25 categories, and a calibrated confidence - high , medium , or none . When it cannot tell, it returns none instead of bluffing. No neural net

2026-06-25 原文 →
AI 资讯

Why stop gaming saved my tokens: Building my own local AI Lab

About a year ago, I turned my gaming PC into a local AI Lab. And yes, the most important word in that sentence is LOCAL . Let me tell you the story of how I sacrificed my gaming hours to build several tools, and now I'm going to tell you about this one that I use every single day. The Problem: Token bankruptcy Day to day, all of us developers who work with Artificial Intelligence share the same headache: tokens and rate limits . We're all victims of the high prices that come with constantly running inference with AI agents like Claude Code, Codex, or Gemini CLI (yeah, I love working from the terminal, I LOVE CLIs). While I was building AI systems (agent orchestration, LLM fine-tuning ), I was burning through way too many tokens. I tried tweaking the prompts and cleaning up the junk in my context, but the real devourer of my quota showed up when I had to learn a new tool. I was implementing solutions in QGIS (QGIS is a free, open-source Geographic Information System (GIS) software that allows users to create, edit, visualize, analyze, and publish geospatial data on maps) for a project and I didn't know the interface 100%. Like any dev facing something new, I leaned on AI agents: I'd take a screenshot, send it over, and ask for explanations. Here's an important fact that hurt my wallet: A screenshot on my MacBook (Full HD resolution of 1920x1080) burns about 258 tokens per tile on models like Claude. That adds up to roughly 1,548 tokens per image (sounds like a lot, and yeah my friend, it is way too much when we're talking about context). Now imagine sending dozens of these images a month trying to understand a complex interface as a 2x dev (99x, I'd say, in this new AI era). I was eating through my hourly Claude allowance just doing visual queries, leaving me with no quota left to generate the actual code I really needed for my development. The Epiphany (and the Hardware) One day, during a forced break thanks to a Claude rate limit , I looked over at my Gaming PC. I

2026-06-25 原文 →
AI 资讯

Why I Still Believe in Zero-Cost BFF Layers After 6 Months (And What Broke)

Why I Still Believe in Zero-Cost BFF Layers After 6 Months (And What Broke) Honestly, I didn't expect to be writing this article. Six months ago, I built capa-bff — a zero-cost BFF framework that won a hackathon gold medal — and I thought I had it all figured out. "This is perfect," I told myself. "Zero configuration, works with any Spring Boot app, solves all the frontend aggregation problems." Spoiler alert: It didn't. Don't get me wrong — it's still great for what it is. But here's the thing about building developer tools: the real world has a way of humbling you. Let me walk you through what I learned, what works, what doesn't, and who should actually use this thing. What Even Is a BFF Anyway? If you're new to the term, BFF stands for Backend For Frontend . It's that intermediate layer between your frontend clients (web, mobile, mini-programs) and your backend services. The idea is simple: instead of making the frontend stitch together data from multiple backend APIs, you have this middle layer that does it for you. ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ Frontend │ -> │ BFF │ -> │ Backend │ │ (Web/Mobile)│ │ Aggregation │ │ Services │ └─────────────┘ └─────────────┘ └─────────────┘ The benefits are clear: Fewer network calls from the client Customized responses for each client type Better caching opportunities One place to handle auth/transformations But here's the catch most articles don't tell you: adding a BFF layer means another service to maintain , another deployment , another thing that can break . For small teams and startups, that cost can feel too high. That's exactly why I built capa-bff: I wanted a zero-cost BFF layer that you can just drop into your existing Spring Boot app. No new service, no extra deployment — just add the dependency and start aggregating APIs. How It Actually Works (Code Example) Let me show you the basics. With capa-bff, you define your aggregation in a simple annotation: @BffRoute ( path = "/user-dashboard" ) public

2026-06-25 原文 →
AI 资讯

Top Open Source Coding Agents to Replace Claude Code in 2026

Claude Code is a genuinely powerful CLI coding agent. Its context window handling and multi-file reasoning set a high bar in 2026. But it comes with real constraints - it requires an Anthropic API key, charges per token, locks you into Claude models only, and its source code is closed. For developers running local-first workflows, working in air-gapped environments, or simply preferring auditable tooling, those limitations are dealbreakers. The good news: the open-source ecosystem has matured significantly. Nine production-ready alternatives now cover every major workflow pattern - from terminal-first pair programming to fully autonomous task execution. Why Open Source Matters for AI Coding Agents AI coding agents operate at a high level of system trust. They write files, run commands, and modify your repository. That makes transparency genuinely important - not just philosophically. Open-source licensing lets you read the code, audit its behavior, self-host without sending data to a third party, and customize it for your team's needs. Beyond trust, the practical advantages are real. Open-source agents are model-agnostic by design. They connect to whichever LLM you prefer - Claude, GPT, Gemini, DeepSeek, or a local model via Ollama - letting you optimize for cost and capability on a per-task basis rather than being locked to one pricing tier. OpenCode - The Closest Open-Source Drop-In for Claude Code OpenCode has emerged as the de facto open-source answer to Claude Code in 2026, crossing 161,000 GitHub stars under an MIT license. It connects to over 75 LLM providers via Models.dev - including local Ollama models - and lets you switch providers mid-session. Internally it uses a dual-agent architecture: a Plan agent handles task decomposition while a Build agent executes changes. LSP integration brings symbol resolution into the terminal. Multi-session support lets you run parallel agents on the same project simultaneously. OpenAI Codex CLI - Auditable and Sandbox-Fir

2026-06-25 原文 →
AI 资讯

More Context Is Not Enough. AI Agents Need Memory They Can Trust.

Every serious AI workflow eventually runs into the same failure. The agent does useful work in one session. It learns the shape of the project. It figures out which assumptions were wrong. It follows a correction, makes a decision, and gets closer to the real work. Then the session changes. The next run starts too cold. Old context comes back without the correction that changed it. The agent asks for the same setup again. It repeats an assumption that was already fixed yesterday. You end up managing the memory of the work instead of moving the work forward. That is the problem Pith is built for. Pith gives AI agents durable project memory they can trust when facts change. It is not trying to make an agent remember everything. That would be the wrong goal. Real projects are messy. Facts change. Decisions get reversed. A note that was useful last week can become stale after a release, a migration, a new customer constraint, or one correction from the human operator. The harder problem is not recall. The harder problem is knowing which memory is still useful. Why Longer Context Is Not Enough Longer context helps, but it does not solve continuity by itself. A long prompt can carry more text into a single run. It cannot automatically decide which prior facts survived a correction, which decision is now superseded, or which evidence should come back when the project resumes three days later. Developers working with agents already feel this. The friction shows up as small taxes: repeating project background that the agent should already know; re-explaining decisions that were already made; correcting stale assumptions that were already corrected; losing the reason behind a prior choice; restarting from a cold state after every meaningful break. Those taxes compound. The more serious the workflow, the more expensive the memory gap becomes. If an agent is helping with a toy task, forgetting is annoying. If an agent is helping with a codebase, a release, a customer workflow,

2026-06-25 原文 →
AI 资讯

Font Manager: Multi-format Font export for Symfony

The Problem Typography should be one of the simplest parts of a project. In reality, it often ends up scattered across multiple layers: Bootstrap: $font-family-base variables Tailwind: JavaScript configuration TypeScript: type definitions Design systems: W3C Design Tokens The same font information gets copied and maintained in several places. Every update means touching multiple files, hoping everything stays in sync. It's repetitive, error-prone, and easy to get wrong. So I built Font Manager. Define your fonts once and export them in whatever format your project needs — CSS, Bootstrap variables, Tailwind configuration, TypeScript definitions, design tokens, and more. The Solution A simple Twig function: {{ font_manager ( 'Ubuntu' , '400 700' ) }} Configuration: symfinity_font_manager : export : formats : - scss_bootstrap - tailwind_config - typescript_definitions One lock command: php bin/console fonts:lock Every format, automatically generated. Perfectly synced. Bootstrap Example Before: // Manually copy font name $font-family-base : 'Ubuntu' , sans-serif ; // ❌ Duplication @import 'bootstrap/scss/bootstrap' ; After: symfinity_font_manager : export : formats : [ scss_bootstrap ] php bin/console fonts:lock // app.scss @import './assets/styles/fonts-bootstrap' ; // ← Auto-generated @import 'bootstrap/scss/bootstrap' ; Bootstrap uses your fonts automatically. No manual mapping. No duplication. Tailwind Example symfinity_font_manager : export : formats : [ tailwind_config ] // tailwind.config.js const fonts = require ( ' ./assets/fonts-tailwind.config.js ' ); // ← Auto-generated module . exports = { theme : { extend : { fontFamily : fonts . fontFamily } } }; <p class= "font-sans" > Your custom font, via Tailwind. </p> TypeScript Example symfinity_font_manager : export : formats : [ typescript_definitions ] import { fonts , type FontFamily } from ' ./assets/fonts ' ; applyFont ( element , ' sans ' ); // ✓ Valid applyFont ( element , ' invalid ' ); // ✗ TypeScript erro

2026-06-25 原文 →
AI 资讯

Stokado: A Zero-Dependency Proxy Wrapper That Makes Browser Storage Feel Like a Plain Object

If you've shipped anything to the browser, you've used localStorage . And if you've used it for more than five minutes, you've also written this exact line more times than you'd like to admit: const user = JSON . parse ( localStorage . getItem ( ' user ' ) || ' null ' ) The Web Storage API has aged remarkably well for something so small, but it carries three persistent pain points that every frontend codebase ends up papering over by hand. Pain point #1: everything is a string. localStorage.setItem('count', 0) doesn't store the number 0 — it stores the string "0" . Read it back and typeof is "string" . Booleans become "true" / "false" , Date objects collapse into ISO strings (if you're lucky) or "[object Object]" (if you're not), and undefined becomes the literal string "undefined" . So every project grows a thin serialization layer of JSON.parse / JSON.stringify wrappers, plus a pile of defensive try/catch blocks for the day a malformed value sneaks in. Pain point #2: the API is verbose and stringly-typed. getItem , setItem , removeItem — three method calls and a string key for what is conceptually just reading and writing a property. It reads nothing like the rest of your code. Pain point #3: reactivity is broken in the tab you actually care about. The native storage event only fires in other tabs of the same origin. The tab that performed the write never hears about it. So if you want to react to your own storage changes — the overwhelmingly common case — the platform gives you nothing. Stokado is a small, zero-dependency library that addresses all three by wrapping any storage object in a Proxy . It's framework-agnostic, TypeScript-friendly, and works equally well with localStorage , sessionStorage , cookies, async backends like localForage, and a handful of mini-program runtimes. This article walks through what it actually does, feature by feature, with runnable code. Quick start npm install stokado import { createProxyStorage } from ' stokado ' const storage =

2026-06-24 原文 →
开发者

ImageX hit 10 stars, got a contributor, and shipped 3 new features :) here's what happened

A couple weeks ago I posted about ImageX - a dumb little CLI that lets you edit images without googling "resize image online" for the hundredth time. If you haven't seen it, the tldr is: pip install imagex && imagex , a menu pops up, pick what you want, done. No flags to memorize, no syntax to look up - just arrow keys and enter. Everything runs locally on your machine - no uploads, no server ever sees your images, no browser,no ads. Honestly? Didn't expect much. But: 10 stars on GitHub 1 contributor already dropped a PR (Flip feature - thanks! :) A bunch of feature requests in issues So I kept building. What's new in v0.3.0 Three features, one fix: Grayscale / B&W - luminosity conversion or threshold-based true black & white. Slider for the threshold so you can dial in exactly how much black you want. Invert Colors - instant negative. Handles RGBA without destroying alpha. Flip - mirror horizontally, vertically, or both. (PR from a contributor!) Plus: version check on startup (tells you when to upgrade), and all operations now preserve EXIF/ICC metadata instead of silently dropping it. Yeah, that was a bug. Fixed. The code is still stupid simple NAME = " Invert Colors " DESCRIPTION = " Invert image colors (negative effect) " def run ( file , output_path , args ): img = Image . open ( file ) # ... invert logic ... img . save ( output_path ) return True Links GitHub: github.com/kushal1o1/ImageX PyPI: pip install -U imagex PRs welcome. You could write a feature in the time it took to read this.

2026-06-24 原文 →