今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#tools

找到 636 篇相关文章

AI 资讯

I picked a coding agent off a leaderboard. It flopped on our codebase.

Last year my team had to pick a coding agent, and I volunteered to run the evaluation. I felt good about it. I pulled up the public benchmark scores, lined up the contenders, took the one at the top, and told everyone we had a winner. Then we actually pointed it at our repo. It did not blow up dramatically. It just kept being slightly wrong in ways that ate our time. It wrote diffs our reviewers would not approve. It renamed a function and broke three files it had never opened. The tests it ran passed, and the repo was still broken. I had confidently recommended a tool based on a number that turned out to say almost nothing about our situation. That was embarrassing enough that I went and figured out why. It took a few weeks of reading and a couple more bad calls before I landed on something that works. This is that, written plainly, and I hope it saves you the meeting where you have to walk your recommendation back. Why the benchmark score lied to me The score was not fake. It was just measuring somebody else's code. Once I looked properly, four gaps explained the whole thing: The agent might have already seen the answers. The problems in these public benchmarks are old. Models were very likely trained on the actual fixes used to grade them. So the score partly measures memory, not problem-solving. The setup is nothing like real work. A benchmark gives the agent a clean repo, one clear issue, and one command to run the tests. My engineers give it a half-open editor, a messy branch, a Slack thread, and a reviewer comment. Completely different job. Our codebase has its own habits. Our internal libraries, our wrappers, our test style, the imports we ban. No benchmark knows any of that, so an agent can write textbook-perfect code that our reviewers still reject on sight. The bar for passing is way lower. A benchmark passes a patch if the broken test now passes. My team passes a patch if it does that, and does not break unrelated tests, does not reformat the whole file,

2026-07-15 原文 →
AI 资讯

Microsoft Patches a Record 570 Security Flaws

Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence.

2026-07-15 原文 →
AI 资讯

Fine-Tuning Qwen2-VL for Blockchain Graph Classification on AMD MI300X: What the Docs Don't Tell You

TL;DR: Graph renderings of blockchain transactions carry topology signals that serialize badly into token sequences. A hub node surrounded by 47 short-lived leaf wallets looks like a table of addresses and amounts in text form — recognizable only if you already know the pattern. 📖 Reading time: ~23 min What's in this article The Problem: Blockchain Forensics Needs Vision, Not Just Text Hardware and Environment Setup on MI300X Data Pipeline: Rendering Blockchain Graphs as Training Images Fine-Tuning Loop: LoRA on 7B vs Full-Parameter on 7B ROCm-Specific Failure Modes and How to Diagnose Them Inference Serving: vLLM on ROCm for Classification Throughput Verdict: When This Setup Makes Sense and When It Doesn't The Problem: Blockchain Forensics Needs Vision, Not Just Text Graph renderings of blockchain transactions carry topology signals that serialize badly into token sequences. A hub node surrounded by 47 short-lived leaf wallets looks like a table of addresses and amounts in text form — recognizable only if you already know the pattern. Rendered as an image, that star topology is immediately visible as a structural shape. The same applies to layering patterns in mixing operations, where funds move through sequential depth levels that form visually distinct bands, and to clustering signatures where tightly-coupled address groups show dense internal edges versus sparse external ones. A vision-language model can learn to classify on those shapes directly. A text-based LLM working from a transaction list has to reconstruct the topology from raw numbers, which is possible but brittle — edge count and clustering coefficient can be computed and injected as tokens, but that's you doing the feature engineering that the vision model can learn to do itself. The reason Qwen2-VL entered this experiment rather than a GNN is mostly practical. Graph neural networks are the academically correct tool for graph classification, but they require a fixed-schema graph dataset and a trainin

2026-07-15 原文 →
AI 资讯

Every Commit in My Repo Gets Reviewed by a Second AI. Here's What Actually Changed.

My CLAUDE.md has one line near the bottom that I wrote months ago and mostly forgot about until I started actually paying attention to what it does: ## Important Note after your work done codex will review what you done. Terse, no punctuation, clearly typed in a hurry. But it's a real instruction that fires on every session in this repo: I finish a change, and a second model reviews it before I consider the work done. I added it half as an experiment. A few months in, it's changed how I work more than almost anything else in the setup, and not in the way I expected. I thought it would catch bugs. Mostly it doesn't, not directly. What it actually does is force a triage decision on every single piece of feedback, and getting that triage wrong is where all the pain lives. The three buckets Early on I treated every review comment the same way: read it, do it. That lasted about a week before I was silently making changes I didn't agree with because a second AI suggested them, and separately burning a stupid amount of time re-litigating comments that were just wrong or out of scope. What actually works is sorting every comment into one of three buckets before touching code: Fix it, no discussion. The comment is unambiguous, low-risk, and doesn't touch anything architecturally significant. Just do it and move on. Ask first. The comment is ambiguous, or it touches something that would require a real judgment call, or the "fix" would be a bigger refactor than the comment implies. Stop and get a human decision before acting. Skip silently. The comment is a duplicate of something already handled, or genuinely doesn't apply. Don't reply just to say "not doing this," don't leave a comment thread as evidence of having read it. Silence is the correct response to a non-issue. The failure mode I kept falling into before I had these buckets explicitly was collapsing 2 into 1: treating "ambiguous" as "just pick an interpretation and go." That's the actual source of review fatigue, not

2026-07-14 原文 →
AI 资讯

Audit-log every email your AI agent sends

When an autonomous agent gets an email address of its own, the first question your security team asks isn't "can it send mail?" It's "can you prove, six months from now, exactly what it said and to whom?" That's a different problem from "does it work." A demo that fires off a few support replies looks great in a sprint review. But the moment a real customer says "your bot promised me a refund," or a regulator asks for the complete record of what an automated system told a data subject, you need a defensible trail — an immutable record of every outbound and inbound message the agent touched, captured outside the mailbox the agent can also delete from. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. But the architectural point here is provider-agnostic and it's the part most "AI email" tutorials skip: the live mailbox is not your audit log. It's mutable, it has retention limits, and the same agent that sends mail can also trash it. If your only record of what the agent did lives in the inbox, you don't have an audit trail — you have a working copy. What "audit-log everything" actually means There are two stores in this design, and keeping them separate is the whole point. The live mailbox — the Agent Account grant. Messages flow in and out here. It's queryable, it's real-time, and it's mutable . Flags change, messages move folders, things get trashed. On the free plan it's also retention-limited: 30 days for the inbox, 7 days for spam. The audit store — your system. An append-only, write-once log keyed by message_id and thread_id . Nothing in it is ever updated or deleted in normal operation. This is the record you hand a reviewer. The audit store is the thing you build. Nylas gives you the two capture points — the send response and the inbound webhook — but the immutability is your responsibility. That means a WORM (write-once-read-many) object store, an append-only table with no UPDATE / DELETE grant for the app role, or a has

2026-07-14 原文 →
AI 资讯

One agent mailbox per tenant in a multi-tenant SaaS

Most multi-tenant SaaS apps that send email do it from one shared identity. There's a notifications@yourapp.com , every customer's mail flows through it, and the tenant is just a from_name you stamp on the subject line or a footer you swap out. That's fine until it isn't — until Tenant A's spam complaints drag down Tenant B's deliverability, until a reply from a customer lands in a single firehose inbox you now have to fan back out, until one tenant wants a stricter send cap than another and you realize you built none of that into the data model. So let's not share. Let's give every tenant its own real mailbox — a dedicated Agent Account per customer, each with its own grant_id , its own send identity, its own policy and limits, grouped into its own workspace. Not one inbox with a thousand label hacks. A thousand inboxes, isolated by construction. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for when I'm wiring this up. Every step gets the two-angle tour: the raw curl call and the nylas command that does the same thing. Why per-tenant beats one shared sender The shared-sender model fails along a few predictable seams. Per-tenant Agent Accounts close each one: Deliverability blast radius. When everyone sends from one address, one tenant's bounce rate and spam complaints poison the reputation everyone shares. Per-tenant accounts — and, if you want, per-tenant domains — keep one customer's bad behavior from sinking the rest. Inbound that actually belongs to someone. A shared sender means replies come back to one mailbox and you're left correlating them to tenants by hand. When each tenant has its own grant, an inbound message.created event already carries the grant_id . The routing is done before your handler runs. Per-tenant policy and limits. Different customers, different rules. A trial tenant capped at a low daily send; an enterprise tenant with a higher quota and longer retention. With a shared sender you'd build all of that y

2026-07-14 原文 →
AI 资讯

Spin up ephemeral test inboxes for email integration tests

Most teams test email by not testing it. The send path gets a mock — expect(transport.send).toHaveBeenCalledWith(...) — and everyone agrees that's "good enough." The receive path gets skipped entirely, because there's no honest way to assert on a real inbox from a test runner. So the one part of your system that talks to the outside world over an unreliable, asynchronous, third-party channel is the part with the least coverage. That's backwards. The reason email is hard to test isn't the sending. It's the asserting . You can fire POST /messages/send all day, but to prove the message actually left, rendered correctly, and arrived with the body you expected, you need a real mailbox you control — one you can read programmatically and throw away when the run finishes. Shared Gmail test accounts almost get you there, but they bring OAuth on the runner, catch-all races between parallel workers, and a 90-day token that expires the night before a release. This post is about a different fixture: a disposable Agent Account created at the start of a CI run and deleted at the end. You mint a real mailbox per run (or per test), point your application at it, send and receive real mail, assert on the actual message body, and tear the whole thing down. No OAuth. No shared inbox. No leftover state. What an Agent Account gives you here An Agent Account is just a Nylas grant with a grant_id . That's the whole trick, and it's worth saying plainly because it's what makes this pattern cheap: an Agent Account works with every grant-scoped endpoint you already know — Messages, Drafts, Threads, Folders, Attachments, Webhooks. There's nothing new to learn on the data plane . If you've ever called GET /v3/grants/{grant_id}/messages , you already know how to read a test inbox. The difference from a normal grant is provisioning. A regular grant needs a real human to complete an OAuth flow. An Agent Account is created with a single API call — no OAuth screen, no refresh token, no human. It's a m

2026-07-14 原文 →
AI 资讯

Require human approval before your agent sends email

Most "AI email agent" demos end with a triumphant send . The model writes a reply, the code POSTs it, and a real message lands in a real stranger's inbox. That's a great demo and a terrible production default. The moment your agent can send mail with nobody watching, you've handed an LLM a corporate email address and the standing authority to use it. One hallucinated price, one confidently wrong refund promise, one apology to the wrong customer, and you're explaining to legal why a bot signed an email as your company. There's a boring, durable fix that predates AI by decades: don't send — draft. Stage the message, put a human in front of it, and only send once someone with a name and a pulse approves. Email systems have had a "Drafts" folder forever for exactly this reason. The Nylas Drafts API turns that folder into something better — an approval queue your agent writes into and your reviewers drain. This post builds that queue. The agent creates a draft, a human reviews the pending drafts, and an approved draft gets sent byte-for-byte unchanged . No re-rendering, no "the agent regenerates it on approval" race where the thing you approved isn't the thing that ships. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for, and I'll pair every one with the raw curl so you can wire it into a backend in whatever language you like. This is deliberately not about escalating inbound threads to a human (that's a different problem, where the trigger is a message arriving). Here the trigger is the agent wanting to send , and the gate sits on the outbound path. Why a draft is the right approval primitive You could build approval a dozen ways. You could buffer the agent's output in a queue table and call send later. You could stash a JSON blob in Redis. Both work, and both quietly reinvent something the email stack already gives you. A draft is a real, persisted email object , on the mailbox, with a stable id . That buys you three things a homegr

2026-07-14 原文 →
AI 资讯

They Asked for My AI Rules. But I Could Not Just Hand Them Over.

A team lead announces that the team will start using AI-assisted development. Everyone nods. Nobody asks what that actually means on Monday morning. Some times ago I was in that position. A project I was working on needed to start using AI-assisted development, and the team was new to it. Nobody had rules written down for an agent to follow. Nobody had skills defined for it to load. There was no shared idea of how this should work inside our specific repo. Someone had to go first. That someone was me. The rules worked because I built them for one repo I spent time curating a set of rules and skills for that project. Not generic ones. I shaped them tightly around how that repo was actually structured, its conventions, its layout, the things a new engineer usually has to learn by asking around. I wanted an agent working inside that codebase to already know what a human teammate would have picked up in the first two weeks. I gave a demo. It landed well. Well enough that it got shared further across team, as something other teams could learn from. I gave the demo again. Same reaction. Then a few developers reached out for the actual rules and skills files. I said sure, and then I actually looked at what I would be handing them. The problem showed up the moment other people wanted in It was not copy-paste-able. The rules referenced folder names, module boundaries, and patterns specific to one repo. Handing them over as-is would have meant handing over advice that was wrong for their project, dressed up as a shortcut. So I told them to use it as a reference. Look at the structure, understand the reasoning, adapt it to your own repo. That is correct advice. I watched people nod at it and then quietly missing it. I was solving the wrong problem the whole time I had been thinking about this as a documentation problem. Write good rules, explain them well, let people copy the idea. What I actually had was a generation problem. The rules that worked were the ones rendered speci

2026-07-14 原文 →
AI 资讯

Introducing InterceptX: The Ultimate Modern Alternative to ModHeader

Introducing InterceptX: The Ultimate Modern Alternative to ModHeader for HTTP Modifications As web developers, API engineers, and security auditors, we spend a significant portion of our time inspecting and tweaking HTTP traffic. For years, extensions like ModHeader have been the go-to utility for modifying request and response headers on the fly. However, as the browser extension landscape transitions fully to Manifest V3 —bringing stricter security, better performance, and tighter permission rules—many developers are looking for a modern, lightweight, and local-first alternative. Enter InterceptX . What is InterceptX? InterceptX is a high-performance, compact Chrome extension designed to give you complete control over browser network requests. Built from the ground up on Manifest V3 using the declarative declarativeNetRequest API, it is fast, secure, and preserves your battery life by running lightweight matching rules inside the browser engine itself. Whether you need to bypass CORS policies, simulate mobile user-agents, override security headers, or redirect API endpoints to your local development server, InterceptX does it all with a premium, glassmorphic UI. Key Features at a Glance If you are familiar with ModHeader, you will feel right at home with InterceptX—but with several modern upgrades: 1. Request & Response Header Modifications Inject, append, or strip headers on outgoing requests or incoming responses: Set : Override an existing header or add a new one (e.g., setting custom auth tokens or Origin ). Append : Append values to headers like Accept or Cookie . Remove : Completely strip headers (e.g., testing behaviors when header keys are omitted). 2. URL Redirections Need to test API endpoints or redirect files? InterceptX features a built-in regex redirect engine (using RE2 syntax). You can redirect matching patterns and even use capture groups (e.g., redirecting https://api.production.com/(.*) to http://localhost:3000/\1 ). 3. Granular URL & Domain Fil

2026-07-13 原文 →
AI 资讯

When Upgrading Your AI Model Makes It Both Faster and Cheaper

Most people assume better AI performance means a bigger bill. That assumption is quietly being proven wrong. The "Don't Touch It" Trap in AI Products There's a psychological pattern that shows up in almost every team running a live AI-powered product: once something works, nobody wants to mess with it. And honestly, that instinct makes sense. You've tuned your prompts, worked out the edge cases, trained your users, and finally gotten the thing stable. The idea of swapping out the underlying model - the engine of the whole operation - feels like pulling a thread that might unravel everything. So teams stay put. They watch new model releases come out, read the benchmark comparisons, and quietly decide it's not worth the risk. The phrase you hear most often is "if it ain't broke, don't fix it." The problem is that this logic made sense when model upgrades were expensive and disruptive. That's no longer the default reality. What's actually happening now is that AI providers are competing hard on price-per-token while simultaneously improving quality. That combination - better output, lower cost - breaks the old mental model most product people are still operating with. What a Model Migration Actually Involves Let's be clear: switching AI models isn't a one-click operation. But it's also not the months-long project many teams imagine it to be. At its core, a model migration for an AI agent involves three things: re-evaluating your prompts (because different models respond differently to the same instructions), running parallel tests to compare output quality on your real use cases, and updating any API parameters that differ between versions. That's the actual work. For most small-to-medium deployments, that's days of effort, not weeks. The bigger shift is in how you think about model versions. Rather than treating the model as permanent infrastructure, it helps to think of it more like a dependency in your software stack - something you update deliberately, test careful

2026-07-13 原文 →
AI 资讯

Egregor: Локальный консилиум ИИ для комплексного аудита смарт-контрактов и кода

Автор: Владислав Штер, соло-фаундер экосистемы SovereignПоследнее обновление: Июль 2026 года Поиск критических уязвимостей через нейросетевой консилиум Egregor. Десктопное приложение Egregor находит критические уязвимости в смарт-контрактах с помощью одновременной работы нескольких ИИ-моделей. Этот инструмент создан для Web3-разработчиков, которым необходимо проверять сложный код без риска пропустить ошибки, свойственные одиночным нейросетям. В ходе тестирования консилиум Egregor обнаружил 4 критические проблемы (включая уязвимость Reentrancy и вечные права деплоера) в смарт-контрактах SovereignBank Web3, тогда как 13 ручных проверок одиночными топовыми ИИ (Claude, Gemini, ChatGPT, DeepSeek, Grok) назвали код полностью чистым. Используйте платформу Egregor для проведения глубокого аудита кода, чтобы получать верифицированные решения вместо догадок одной модели. Защита от эхо-камеры и слепых зон алгоритмов в программе Egregor Система Egregor устраняет эффект эхо-камеры и систематические слепые зоны нейросетей за счет встроенных механизмов Anti-Groupthink и "Адвоката дьявола". При анализе сложной логики одиночные нейросети часто вежливо соглашаются друг с другом, но алгоритмы Egregor запрещают моделям принимать чужие выводы без подтвержденных в коде фактов. Во время аудита смарт-контракта механизм перекрестной проверки в Egregor отсеял неподтвержденные гипотезы и позволил 5 моделям в разных ролях перекрыть слепые зоны друг друга. Запускайте локальный консилиум Egregor, чтобы система сама отделяла реальные баги от шума и выдавала финальный вердикт Модератора с оценкой уверенности от 1 до 5. Стоимость многоуровневого анализа кода на платформе Egregor Программа Egregor кардинально снижает финансовые затраты на профессиональный аудит кода до нескольких центов. Данное решение идеально подходит для инди-разработчиков и участников хакатонов, у которых нет бюджетов в тысячи долларов на заказ проверок у специализированных аудиторских компаний. Полноценный комплексный прогон мо

2026-07-12 原文 →
AI 资讯

Handling Lazy-Loaded Content in Automated Screenshots

You set up Puppeteer, navigate to a page, call page.screenshot() , and the bottom half of your image is blank placeholder boxes. Welcome to lazy loading. Most modern sites defer images and heavy content until the user scrolls. Your headless browser never scrolls. So those elements never load. Here's how to deal with it. The scroll trick The most common fix is to programmatically scroll down the page before taking the screenshot: async function scrollToBottom ( page ) { await page . evaluate ( async () => { const delay = ms => new Promise ( r => setTimeout ( r , ms )); const distance = 300 ; while ( window . scrollY + window . innerHeight < document . body . scrollHeight ) { window . scrollBy ( 0 , distance ); await delay ( 150 ); } window . scrollTo ( 0 , 0 ); }); } await page . goto ( " https://example.com " , { waitUntil : " networkidle2 " }); await scrollToBottom ( page ); await page . waitForTimeout ( 1000 ); await page . screenshot ({ fullPage : true }); The 150ms delay between scrolls gives IntersectionObserver -based lazy loaders time to trigger. Too fast and you'll scroll past elements before they start loading. That final waitForTimeout after scrolling back to top lets any remaining images finish rendering. Not elegant, but necessary. Why networkidle2 isn't enough You'd think waitUntil: "networkidle2" would handle this. It waits until there are no more than 2 network connections for 500ms. But lazy-loaded images haven't even been requested yet at that point — they're waiting for a scroll event that never happens. networkidle2 only helps with content that loads on page init. For scroll-triggered content, you need the scroll. The loading="eager" override Some sites use the native loading="lazy" attribute. You can override it before images load: await page . evaluateOnNewDocument (() => { Object . defineProperty ( HTMLImageElement . prototype , " loading " , { set : function ( val ) { this . setAttribute ( " loading " , " eager " ); }, get : function () { retu

2026-07-12 原文 →
AI 资讯

How to Debug AI API Failures Across Multiple Models

Getting an AI API request to return a response is only the beginning. For real AI products, the harder question is what happens when something goes wrong. A chatbot may become slower. A RAG answer may stop using the right context. A structured extraction workflow may start returning invalid JSON. An agent may trigger the wrong tool. A fallback model may answer correctly, but at a much higher cost. In a single-model prototype, debugging is usually simple. You check one provider, one API key, one model, and one request format. In a multi-model application, debugging becomes an infrastructure problem. A product may use GPT for one workflow, Claude for another, Gemini for multimodal tasks, DeepSeek for cost-sensitive reasoning, Qwen or Kimi for Chinese-language workflows, GLM for enterprise scenarios, and MiniMax or Doubao for other product features. When something fails, developers need to know more than whether the API returned an error. They need to know which workflow failed, which model handled it, whether fallback happened, whether latency changed, and whether the final output was still good enough for production. Why multi-model debugging is different AI API failures are not always clean outages. Sometimes the request fails completely. But many production issues are softer: latency increases structured output fails validation tool calls become unstable fallback routes trigger too often answers become less grounded costs increase silently one language performs worse than another a model works for chat but fails for agent workflows That is why teams should not treat AI debugging as simple error handling. They need visibility across the full request path. Start with a failure taxonomy The first step is to classify failures in a way developers can act on. A useful AI API failure taxonomy may include: authentication errors rate limits quota limits timeout errors model unavailable errors high latency responses invalid JSON output schema validation failures tool call fa

2026-07-12 原文 →
AI 资讯

Image-to-Video Is a Constraint Problem: A Practical Seedance 2.0 Workflow

Image-to-video generation is often described as a simple interaction: upload image -> describe motion -> get video That description hides the real problem. A single still contains only one view of a subject. When we ask a model for a fast camera orbit, a full-body walk, or expressive gestures, we are asking it to invent information that was never present in the source. That is where identity drift, unstable lighting, texture flicker, and waxy faces come from. The useful way to approach Seedance 2.0 image-to-video is not as a prompt-writing contest. It is a constraint-management workflow. Give the model a strong identity anchor, request motion that the source image can support, and evaluate one variable at a time. This post explains that workflow in a way that is useful whether you are animating a product render, a character portrait, an approved client still, or a visual asset for a prototype. Note: Model capabilities, pricing, model availability, and input limits change quickly. Check the current documentation and the terms of the platform you use before committing a production workflow. Why image-to-video is different from text-to-video Text-to-video is excellent when invention is the point. You describe a scene and let the model make creative decisions about characters, lighting, composition, and motion. Image-to-video is the better tool when those decisions have already been made and must remain stable. Situation Better starting mode Why Product hero shot Image-to-video Label, shape, material, and color must remain recognizable Character-led sequence Image-to-video One strong reference can anchor a character across clips Approved campaign still Image-to-video The source already represents the accepted art direction Atmospheric B-roll Text-to-video Exact subject identity matters less than visual exploration Abstract concept film Text-to-video Inventing a scene is more valuable than preserving one Existing brand-photo library Image-to-video Stills become reusable

2026-07-12 原文 →