今日已更新 256 条资讯 | 累计 20726 条内容
关于我们

标签:#rce

找到 1475 篇相关文章

AI 资讯

Trunk-Based Development Working for Salesforce Without a Single Org

I've wanted easy trunk-based development for Salesforce for years. Short-lived branches, frequent merges, small pull requests, and CI fast enough that developers aren't afraid to commit. The same practices that engineering teams use everywhere else. Every time I tried to make it work, I hit the same wall: Apex tests require an org. That single dependency turns every validation run into an infrastructure problem. Before a test can execute, you need authentication, environment provisioning, metadata deployment, test execution, and cleanup. The result is feedback loops measured in minutes instead of seconds. I got tired of waiting and built Nimbus, a local Apex runtime that executes Apex tests without an org. This is what I learned while trying to make trunk-based development actually work for Salesforce. Why trunk-based development is hard in Salesforce Trunk-based development depends on fast feedback. If validation takes seconds, developers make smaller changes, merge more frequently, and keep branches short-lived. If validation takes fifteen minutes, behavior changes. Pull requests get larger, unrelated work gets batched together, and validation stops happening continuously because validation itself becomes expensive. Salesforce has always had a structural challenge here because Apex only runs inside Salesforce. A typical validation pipeline looks something like this: sf org login jwt sf org create scratch sf project deploy start sf apex run test sf org delete scratch There is nothing inherently wrong with these steps. The problem is that most of them have nothing to do with testing. They're infrastructure management. The actual validation of business logic is only one part of the process. The longer I worked with Salesforce CI, the more obvious it became that the bottleneck wasn't Apex itself. The bottleneck was everything required to create an environment where Apex could run. The solutions I tried first Before building a local runtime, I tried solving the problem

2026-06-21 原文 →
AI 资讯

EGC: Your AI agents never start from zero again

Every time you open a new session with an AI coding tool, it starts from zero. It does not know what you decided yesterday, what failed last week, or what comes next. You have to explain the project again. And again. EGC (Extended Global Context) fixes this. EGC is a local runtime that gives every AI coding tool you use a persistent memory. At the end of each session, the AI saves what it learned: decisions made, what failed, your preferences, what comes next. At the start of the next session, it loads that state back automatically. One install. Every tool. Every session. Website: https://fmarzochi.github.io/EGCSite What it looks like in practice You open Claude Code on a project you have not touched in two weeks. Without typing anything: State loaded from egc-memory via ~/.egc/state/Projects--MyApp.md Context and preferences acknowledged. Ready to pick up: - Test full install on a clean machine - Add GEMINI.md with session memory protocol - Publish v1.0.1 fix after clean install test passes The AI already knows what you were building, what decisions you made, what failed, and exactly where you stopped. You did not type anything. You just started working. How it works EGC ships two MCP servers that run locally during every session. egc-memory: 14 tools for persistent memory Tool What it does get_state Loads project memory at session start update_state Saves decisions, preferences, and next steps store_decision Persists a single decision to SQLite query_history Returns past decisions by timestamp search_history Full-text search with BM25 ranking working_memory_set Stores transient context with a TTL lesson_save Records cross-session knowledge with confidence decay lesson_recall Retrieves active lessons above a threshold detect_patterns Surfaces repeated commands and recurring errors compress_observations Compresses hook events to save token budget State files live at ~/.egc/state/<project-slug>.md . One file per project. Plain Markdown. Human-readable. egc-guardian:

2026-06-21 原文 →
AI 资讯

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0

Securing LLM Agent Teams: Inside NRT-Defense v0.4.0 Multi-turn autonomous LLM agents are expanding rapidly in safety-critical systems. However, a major vulnerability has been exposed by Lee et al. (2026) in the NRT-Bench paper : adaptive multi-turn attacks can exploit disjoint model vulnerabilities, causing a 8.7% to 12.1% loss of Critical Safety Functions (CSFs) . To solve this, I am open-sourcing NRT-Defense , an adaptive multi-turn defense framework designed to monitor agent sessions and reduce the attack success rate to <1% . The Threat: Context Drift and Disjoint Exploits Standard guardrails evaluate prompts in isolation (single-turn). Attackers leverage this by spreading an exploit across multiple conversational turns. Turn by turn, the context drifts until the agent team completely bypasses its safety containment. The NRT-Bench paper demonstrated this in a simulated nuclear power plant control room with 5 operator roles, 4 attack channels, and 6 critical safety functions. The results were alarming: Metric Value Attack success rate 8.7% — 12.1% Sessions analyzed 149 Models tested 4 frontier LLMs Vulnerability overlap Nearly disjoint The key finding: vulnerabilities are nearly disjoint across models . An attack that works against GPT-4 may not work against Claude. This means model diversity is itself a defense — but only if you can detect and respond to attacks in real-time. The Solution: 3-Step CMPE Defense nrt-defense neutralizes this threat through a continuous, multi-component pipeline: Per-Turn Message Analysis: Evaluates channel risk and turn-escalation metrics. Each message is scored for adversarial content using keyword detection, pattern matching, and channel-specific risk weights. Real-Time CSF Monitoring: Tracks 6 operational critical safety functions simultaneously. Risk accumulates over turns and triggers alerts when thresholds are breached. Context-Aware Misdirection Prompt Engineering (CMPE): When an anomaly is detected, instead of a blunt reject

2026-06-21 原文 →
AI 资讯

I Built a Freelance Alternative Where Anyone Can Claim Your Bounty

How I Built a Real-Time Bounty Marketplace with Supabase and 14-Layer Edge Security I wanted to build a platform where anyone can post a task (a "bounty"), set a reward, and have people complete it with verifiable proof. Think freelance work, but optimized for quick, composable task completion — with proof submission as the core trust mechanism. The result is BountyClaimer — a real-time marketplace running on Supabase + Vercel with a security system baked into Edge middleware and scattered across every layer of the stack. 🛠️ The Tech Stack Frontend: React + Vite + TypeScript Backend: Supabase (PostgreSQL, Realtime, Storage, Auth) Payments: Stripe Hosting: Vercel (Edge Middleware) Security: Custom "Armadillo" system (14 layers) Architecture Pattern: Phoenix Architecture for real-time state consistency 🔄 The Core Workflow Post — A user posts a bounty with a reward and description Claim — Others browse and claim available bounties Submit — The claimer completes the work and submits proof (images, video, audio, text, files) Settle — The bounty owner reviews and approves — funds are released Sync — Real-time updates keep both sides in sync instantly The hardest parts were real-time state sync across multiple users , anti-abuse without hurting legitimate users , and security at the edge . 🏛️ The Phoenix Architecture One pattern I'm particularly proud of is what I call the Phoenix Architecture — a real-time state management approach that ensures every client sees the same truth without polling. The core idea: instead of each client fetching data and hoping it's current, database changes (bounty status updates, proof submissions, claim state transitions) are broadcast out via Supabase Realtime. Every connected client receives the same event stream and updates locally. // The Phoenix pattern — subscribe to changes once, // update locally from the event stream const channel = supabase . channel ( `entity- ${ id } ` ) . on ( ' postgres_changes ' , { event : ' * ' , schema : '

2026-06-21 原文 →
AI 资讯

Fix N+1 Trigger Patterns Where Lambda Functions Hammer the Same DynamoDB Partition Key

You add a sixth Lambda trigger to your OrderEvents table, deploy it, and within 20 minutes your SLA dashboard goes red. Latency on order writes jumps from 4ms to 40ms. The function itself is fine. The table is fine. The problem is that five other Lambdas are already hitting the same partition key on every write, and you just made it six. DynamoDB's internal partition throttling doesn't care that each function looks clean in isolation. This is an N+1 trigger problem, and your AI coding assistant cannot catch it. Not because it lacks intelligence, but because the fact that five Lambdas already target that table lives in your AWS account and your full codebase — not in the file your assistant has open. Infrawise · npm Why the LLM Can't See the Pattern When you ask Claude to write a new order processing Lambda, it reads the file you have open and generates code that looks correct — because in the context of that one file, it is correct. It doesn't know about ProcessRefundsLambda , NotifyFulfillmentLambda , SyncInventoryLambda , UpdateAnalyticsLambda , and AuditTrailLambda , all of which you wrote in previous sprints and which all write to the Orders table. This is a category of failure that model quality doesn't fix. A better model produces a more fluent explanation for why your latency spiked. The fact that five functions converge on the same table is a lookup, not a prediction. The source of truth is a combination of your code (which functions exist) and your infrastructure (what they access). Infrawise draws that boundary explicitly. It extracts the answer from your code using AST parsing and from your infrastructure using API calls, then hands that graph to the model as structured context — it never generates the answer. How Infrawise Traces Trigger Chains to the Same Table When Infrawise scans your repository, it uses ts-morph to walk every CallExpression in every source file. It's not searching for the string "DynamoDB" — it matches call structure against a known

2026-06-21 原文 →
AI 资讯

ctrodb: A Client-Side Database for TypeScript — Zero Dependencies

I've been working on ctrodb — a client-side database for TypeScript that runs in the browser (IndexedDB) and Node.js (in-memory). Zero runtime dependencies. It started as a personal project to stop rewriting IndexedDB wrappers. Every new client-side app needed the same boilerplate: open a connection, create object stores, handle version upgrades, write CRUD helpers. After the sixth time, I wrote it once and got it right. What it does ctrodb gives you MongoDB-like CRUD with schema validation at write time: import { Database } from " ctrodb " const db = new Database ({ name : " my-app " , schema : { version : 1 , collections : { notes : { fields : { title : { type : " string " , required : true }, body : { type : " string " }, pinned : { type : " boolean " , default : false }, tags : { type : " array " , items : { type : " string " } }, createdAt : { type : " string " , default : () => new Date (). toISOString () }, }, indexes : [{ field : " createdAt " }], }, }, }, }) await db . connect () const notes = db . collection ( " notes " ) const note = await notes . create ({ title : " Hello " , body : " World " }) const results = await notes . query () . where ( " pinned " , true ) . sort ({ createdAt : " desc " }) . limit ( 10 ) . fetch () Every record is a Model — a Proxy wrapper with typed field access. note.title works. note.update() handles writes. Direct property assignment logs a warning telling you to use .update() instead. What's included The core package ships with three plugins: Full-text search — inverted index, stop word removal, auto-indexed on create/update/delete Relations — has_many, belongs_to, has_one with lazy accessors built into every Model and eager loading via .with() Custom validation — extendable rules beyond the built-in validators (email, URL, regex) Plus React hooks (separate import, same package): import { DatabaseProvider , useQuery , useMutation } from " ctrodb/react " Signal-based reactivity. When data changes, useQuery re-fetches and your

2026-06-21 原文 →
AI 资讯

Your repo has whitespace problems you can't see — I built a zero-dep CLI that finds and fixes them all

Whitespace problems are the ones you can't see until they bite. A pull request where half the "changes" are trailing-space diffs. A shell script that breaks in CI because someone's editor saved it CRLF. A .env with a UTF-8 BOM that makes the first variable name mysteriously not match. A file with no final newline that turns one-line changes into two-line diffs forever. None of it shows up on screen. All of it shows up in git blame . Today, catching this takes three or four tools stitched together — and I got tired of that, so I built wssweep : one zero-config command that finds all the common whitespace smells and, with --fix , cleans them in place. $ npx wssweep src/app.js (2) 14: trailing-whitespace trailing whitespace - missing-final-newline no newline at end of file config.yml (1) - mixed-eol mixed line endings (CRLF×3, LF×1) ✖ 3 whitespace issues in 2 files (mixed-eol=1, missing-final-newline=1, trailing-whitespace=1) $ npx wssweep --fix # clean them It checks seven things: trailing whitespace, mixed CRLF/LF line endings, lone CRs, a missing final newline, extra trailing blank lines, a UTF-8 BOM, and tabs mixed with spaces in one indent. Non-zero exit on findings, so it's a CI gate. pip install wssweep gets the same tool in Python — byte-for-byte identical output and fixes. Why not editorconfig-checker / pre-commit / prettier? Because each does part of it: editorconfig-checker reports — but you have to author an .editorconfig first, and it can't fix anything. pre-commit 's trailing-whitespace / end-of-file-fixer / mixed-line-ending hooks do fix, but only inside the pre-commit framework, and they're three separate hooks. Nobody runs them ad-hoc on a fresh checkout. prettier fixes whitespace only as a side effect of reformatting all your code, and won't touch files it can't parse. dos2unix does line endings and nothing else. wssweep is the one npx / pip command, no config and no framework, that does the whole set at once and drops into any CI regardless of toolch

2026-06-20 原文 →
AI 资讯

I built an AI priority inbox for GitHub pull requests — and went BYOK instead of running my own AI backend

The problem GitHub shows your pull requests in whatever order they happened to be opened — not in the order they actually need your attention. A one-line typo fix and a PR touching authentication code get exactly the same visual weight in your inbox. Multiply that across a dozen open PRs and you spend more time deciding what to look at than actually reviewing. What I built PR Focus is a Chrome extension (Manifest V3) that sits on top of GitHub's PR pages. It combines three signals into a single priority queue: CI status — failing checks bubble up PR age — stale PRs don't get forgotten AI risk score (0–100) — weighted toward changes touching auth, database, or infra code Each PR also gets a plain-English summary generated from the actual diff (not the title someone wrote at 11pm), and you can generate an approve / request-changes draft review in one click, edit it, and send — without leaving the extension. Why BYOK instead of my own AI backend This was the decision I spent the most time on. Running my own AI backend would have meant: A server in the data path of every PR diff users review — a much bigger trust ask, especially for private repos. Either eating the AI cost myself (unsustainable as a solo dev) or marking it up into a subscription. Going BYOK (bring your own key — OpenAI, Groq, Mistral, or a local Ollama instance) flips both of those: Your GitHub token and AI key live in chrome.storage.local . There's no server of mine in the path — PR diffs only ever go to the AI provider you explicitly configure. Groq's free tier is generous enough to run the AI features for free for most individual workflows. You're paying provider cost directly, with zero markup, if you pay anything at all. How it's built Manifest V3 — required rethinking persistence patterns that worked under MV2's persistent background page; service worker lifecycle and content script injection needed more careful handling. GitHub REST + GraphQL APIs rather than DOM scraping — more upfront work, but

2026-06-20 原文 →