This is such a great idea. When I'm building net-new projects, I typically end up working with the AI assistant to build a comprehensive AGENTS.md as the first thing before any work gets done: specify tools, dependencies, architecture requirements, style, etc.
I end up getting way better quality.
The same is true for existing projects, but it always takes a whole lot longer as I'm typically chatting with my AI assistant to figure out what conventions are there that I forgot, etc., before building an AGENTS.md to make future changes simpler.
Thank you!
The idea is that static analysis can recover most of the mechanical truth of a repo (stack, commands, layout), and then you can layer intentional constraints on top if you want. If this saves even a few of those back-and-forth setup chats, it’s doing its job.
Feel free to contribute if you find the right fit.
He also taught me networking in C in the early 2000s! A few years ago I moved from the Bay Area up to Bend, Oregon and ended up running into him in person at one of the tech meetups.
I was so floored to meet him in person, and as you'd probably imagine, he's super kind and relaxed =D
A++ human being who's contributed so much to our field.
At Snyk, we've been working on this for a while. Here's our flagship open source project consolidating a lot of the MCP risk factors we've discovered over the last year or so into actionable info: https://github.com/invariantlabs-ai/mcp-scan
ALAN
It's called Tron. It's a security
program itself, actually. Monitors
all the contacts between our system
and other systems... If it finds
anything going on that's not scheduled,
it shuts it down. I sent you a memo
on it.
DILLINGER
Mmm. Part of the Master Control Program?
ALAN
No, it'll run independently.
It can watchdog the MCP as well.
DILLINGER
Ah. Sounds good. Well, we should have
you running again in a couple of days,
I hope.
I believe one of the main differences is that our scanner looks for toxic flows between MCP endpoints regarding how they interact with one another. Unless I'm missing something, the Cisco tool does not support this.
Our research lab discovered this novel threat back in July: https://invariantlabs.ai/blog/toxic-flow-analysis and built the tooling around it. This is an extremely common type of issue that many people don't realize (basically, when you are using multiple MCP servers that individually are safe, but together can cause issues).
Here's a better option -- what we've been working on at Snyk.
- Take something like Cursor and plug the Snyk MCP server into it: https://docs.snyk.io/integrations/developer-guardrails-for-a... (it has a one-click install)
- Then, either within your project or via global settings, create some human-language rules for your AI code editor to use (this works basically the same between all editors: Claude Code, Cursor, Windsurf, etc...)
For example, a rule might state:
"If you add or change any code, run a Snyk Code scan on the modified files then fix the detected vulnerabilities. When you're done fixing them, perform another scan to ensure they're fixed, and if not, keep iterating until the code is secure."
Obviously, there are other rules you can use here, such as using Snyk's open source dependency testing to identify vulns in third-party dependencies and handle package updates/rewrites/etc., but you get the idea.
This works insanely well -- I've been playing around with it for a while now and we're getting close to rolling this out to all of our users in a major way =)
The best part about it is that you can just "vibe code" whatever you want, and you get really accurate static analysis security testing incorporated by default automagically.
I recorded a little video here that walks through this in-depth (https://www.youtube.com/watch?v=hQtgR1lTPYI), if you want to see the part I'm referencing, jump to 20:09 =)
Great article. This may be my all-time favorite deep dive post on RAG strategies.
It’s super interesting to me how the process of fully making audio/video searchable requires so much processing. Like, extracting the audio and video, transcribing the audio, chunking the video into 15-sec scenes and describing them visually, etc.
I wonder if as a test you could use the video descriptions, run them as a prompt through something like Veo, then stitch them together into something close to the original. Wild.
I wasn't sure if I should post this or not, but if you ever met Michael you probably remember him. He was a kind soul and helped grow the Python developer community in LA for well over a decade.
In addition to being an excellent engineer and human, Michael was also the definition of a hacker. It feels suitable to share the news here.
He was an incredible person and touched many lives. If you ever got to meet him (in person or online), please share your experiences on his in memoriam page.
Ragie (a RAG company) published an interactive chatbot that lets you ask questions about the JFK files. It’s pretty interesting; they had to do a lot of OCR on old docs to get it to a usable state.
The way XML digital signatures work is so weird. This routinely comes up year-after-year. When I was working at Okta this also resulted in a number of annoying breaches, including this one: https://developer.okta.com/blog/2018/02/27/a-breakdown-of-th...
I have a decently-sized homelab and I've been renting out unused disk space. I actually allocated 20TB of disk space (RAID 1) and have been renting the space out via the Storj network (https://www.storj.io).
If you haven't heard of it, Storj is essentially a distributed S3 that's been around for many years now, and the way it works is that various people run Storj nodes while the Storj company runs a proxy server that breaks files up into small encrypted chunks and stores them across N peers for redundancy.
In my case, I back up my family photos/videos/documents to a Synology NAS, and my NAS is backed up to Storj. So when I run a Storj node with part of my disk space, the payments they give me essentially cover my own backups. I'm not making a ton of money or anything, but it's enough to pay for my own backups and that's a great deal.
If you're looking to do what the OP is talking about in a simple way, this is by far the best way I've found to do it.
A lot of the article can be generalized to "don't run a business in your home". It sounds like in this case, Storj is the one running the business while you are a customer (paying with storage), so you are shielded from a lot of the risks mentioned in the article.
By the way, I can't find the exact plan you described on the storj.io site, but there is this page that mentions STORJ tokens, so now I am confused as to whether this is a cryptocurrency thing or not.
> A lot of the article can be generalized to "don't run a business in your home". It sounds like in this case, Storj is the one running the business while you are a customer (paying with storage), so you are shielded from a lot of the risks mentioned in the article.
If you make any income (even $1), you still have to report it on your taxes though. You might or might not be obligated to do all the other business-y stuff, but I don't think "paying with storage" gets you off the hook for taxes if you are also getting paid for storage.
It’s an option for payment. Detailed on the same link:
> Storj created the STORJ utility token as a medium of exchange on its decentralized cloud storage network. The STORJ utility token facilitates payments from people around the world for their use of the Storj network to store their data, and Storj uses it to pay our community of Storage Node Operators that rent their unused hard drive capacity and bandwidth to the network.
I end up getting way better quality.
The same is true for existing projects, but it always takes a whole lot longer as I'm typically chatting with my AI assistant to figure out what conventions are there that I forgot, etc., before building an AGENTS.md to make future changes simpler.
Love how this takes care of that.