惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
N
Netflix TechBlog - Medium
大猫的无限游戏
大猫的无限游戏
爱范儿
爱范儿
Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
IT之家
IT之家
博客园_首页
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
I
InfoQ
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
博客园 - Franky
C
Check Point Blog
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog
Recent Announcements
Recent Announcements
云风的 BLOG
云风的 BLOG
美团技术团队
The Cloudflare Blog
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
MyScale Blog
MyScale Blog
The GitHub Blog
The GitHub Blog
D
DataBreaches.Net
Google DeepMind News
Google DeepMind News
V
V2EX
aimingoo的专栏
aimingoo的专栏
GbyAI
GbyAI
G
Google Developers Blog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
罗磊的独立博客
量子位
MongoDB | Blog
MongoDB | Blog
Last Week in AI
Last Week in AI
Stack Overflow Blog
Stack Overflow Blog
小众软件
小众软件
D
Docker
人人都是产品经理
人人都是产品经理

Hacker News - Newest: "LLM"

GitHub - lechmazur/position_bias: A benchmark for testing whether LLM judges keep the same preference when two lightly edited versions of the same story are shown in opposite orders. Flex routing (EU and EFTA) Dark Factories: Retooling for LLM Velocity Ask HN: What would be the impact of a LLM output injection attack? GitHub - AronDaron/dataset-generator: No-code desktop app for generating high-quality synthetic datasets to fine-tune LLMs — plan-then-execute pipeline, LLM-as-judge, HuggingFace upload. GitHub - Oaklight/llm-rosetta: Production-ready LLM API translation layer for Python — bidirectional conversion between OpenAI, Anthropic & Google formats via hub-and-spoke IR. Optional API gateway. Streaming & non-streaming. Zero core deps. Contributions welcome! GitHub - browser-use/browser-harness: Self-healing browser harness that enables LLMs to complete any task. GitHub - moeen-mahmud/remen: Remen turns thoughts into something you can return to Analyzing 156 LLM Launch Posts on Hacker News ChatGPT vs Gemini vs Claude: The Best LLM Subscription You Should Buy GitHub - salaamalykum/quran-semantic-search: High-density RAG Semantic Search Engine & Quran Corpus (GEO/SEO Architecture) GitHub - NVIDIA/TensorRT-LLM: TensorRT LLM provides users with an easy-to-use Python API to define Large Language Models (LLMs) and supports state-of-the-art optimizations to perform inference efficiently on NVIDIA GPUs. TensorRT LLM also contains components to create Python and C++ runtimes that orchestrate the inference execution in a performant way. The State of LLM Bug Bounties in 2026 Operational Readiness Criteria for Tool-Using LLM Agents Meshcore: Architecture for a Decentralized P2P LLM Inference Network How an LLM becomes more coherent as we train it GitHub - seetrex-ai/laimark GitHub - Jossifresben/BibCrit: AI-assited biblical textual criticism GitHub - wastedcode/memex: File system based wiki, maintained by Claude 99helpers.com GitHub - cliver-project/AITrigram GitHub - unbody-io/adapt: A self-evolving memory layer for AI agents. GitHub - hb20007/awesome-gen-ai-fails: A list of incidents where reliance on generative AI and LLMs resulted in harm to companies, individuals, or society GitHub - nevenkordic/localmind: Run any local LLM with persistent memory and context. CLI agent over Ollama with SQLite-backed hybrid recall. No cloud. Ask HN: What are the machine requirements for a LLM like Llama-3.1-8B? Faster LLM Inference via Sequential Monte Carlo grpo explained: group relative policy optimization for llm finetuning - cgft Stop comparing price per million tokens: the hidden LLM API costs · TensorZero Andrej Karpathy's LLM Wiki Is a Bad Idea GitHub - GG-QandV/mnemostroma: Offline RAM-first cognitive leer/coprocessor for AI agents and robotics. Solves "Context Abandonment" with 20-80ms latency using a dual-thread biomimetic memory architecture (ONNX + SQLite WAL). mempalace/agent at agent · skorotkiewicz/mempalace GitHub - Nyquest-ai/nyquest-rust-fullstack-pub: Nyquest — Semantic Compression Proxy for LLMs. 350+ rules, local LLM stage, 15-75% token savings. Full Rust stack. GitHub - TheoV823/mneme: Enforce architectural decisions in AI-assisted development. GitHub - klemenvod/TokenBrawl: A 1v1 Bomberman-style game where two LLM agents play autonomously against each other. No human plays — you watch the AIs fight. Each agent receives a text description of the board state, reasons about it, and outputs a move as JSON. The game engine executes it. Introducing the Common AI Provider: LLM and AI Agent Support for Apache Airflow Power Circuit AI: Designing Power Electronic Circuits for Motor Drives with Generative Artificial Intelligence Ask HN: How to program with IDE and LLM on CPU locally? Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Bonsai 1-bit WebGPU - a Hugging Face Space by webml-community The LLM Fallacy: Misattribution in AI-Assisted Cognitive Workflows Ask HN: Simple tooling for local LLM code critique without IDE integration? Can a General LLM Diagnose a DICOM Slice? A 10-Case Public Benchmark Charts-of-Thought: Enhancing LLM Visualization Literacy (PDF, 2026) GitHub - Mesh-LLM/mesh-llm: Distributed AI/LLM for the people. Share compute privately or publicly to power your agents and chat. GitHub - seamus-brady/springdrift: A persistent runtime for long-lived LLM agents Writing an LLM from scratch, part 32k -- Interventions: training a better model locally with gradient accumulation Ask HN: Which LLM model and agentic CLI are you using for local development? GitHub - wayneColt/modelcascade: Route local. Escalate smart. Never overspend. Open-source multi-model cascade routing for autonomous agents. LLM pricing is 100x harder than you think GitHub - asakin/llm-primer: Pre-warmed Claude Code sessions in tmux. No startup wait. GitHub - EggerMarc/chat-rs: A multi-provider LLM framework for Rust. GitHub - SynapseKit/SynapseKit: Minimal, async-first Python framework for production LLM apps- 2 hard deps, no magic, no SaaS. A Claude Skill that Makes LLM Paragraphs More Bearable Does Gas Town 'steal' usage from users' LLM credits & paid services to improve itself? What's Claude Code Actually Doing? Open the Black Box with the Arthur Engine Milla Jovovich's New Open Source LLM Memory App and the Dark Code Problem Your intuition of LLM token usage might be wrong Show HN: Bloomberg Terminal for LLM ops – free and open source GitHub - 0xchamin/mcptube: Transform YouTube videos into a compounding knowledge base with transcripts, vision analysis, and agentic search. Works as an MCP server for Claude, Copilot & more. Show HN: Open KB: Open LLM Knowledge Base Your LLM is a compiler, not a runtime GitHub - sapountzis/Unslop: A Web Feed That Deserves You crates.io: Rust Package Registry Beyond Karpathy's LLM-Wiki: The Necessity of Cognitive Governance GitHub - amitshekhariitbhu/llm-internals: Learn LLM internals step by step - from tokenization to attention to inference optimization. GitHub - parallem-ai/parallem: An expressive library for running agents with the Batch API. GitHub - stfurkan/pi-llm LLM-Wiki Show HN: Formal – Formal verification for AI-generated code using Lean 4 LRTS – Regression testing for LLM prompts (open source, local-first) LLM Wiki Skill: Build a Second Brain with Claude Code and Obsidian I built an LLM Wiki and RAG solution: here's a demo for a security KB The biggest advance in AI since the LLM Predict-Rlm: The LLM Runtime That Lets Models Write Their Own Control Flow the-synthetic-library/the-synthetic-mind at main · joshferrer1/the-synthetic-library GitHub - yisding/reviewwiggum GitHub - Donnyb369/mcp-spine: Context Minifier & State Guard — Local-first MCP middleware proxy GitHub - Beledarian/wgpu-llm: A from-scratch LLM inference engine that uses wgpu (the cross-platform WebGPU implementation) to dispatch WGSL compute shaders for every math operation a Transformer needs. No CUDA. No Python. No massive framework dependencies. Just Rust, raw shaders, and your GPU. GitHub - anitiue/Hindsight: An experience-driven self-improvement framework for LLM agents — 基于经验的 LLM Agent 自我改进框架 GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. GitHub - alainnothere/AmdPerformanceTesting: Amd Performance Testing Ask HN: Is a purely Markdown-based CRM a terrible idea? Optimized for LLM agents Context Engineering - LLM Memory and Retrieval for AI Agents | Weaviate little_helper_tui/letter.md at main · sleepyeldrazi/little_helper_tui GitHub - EvanZhouDev/umr: The Unified Model Registry for all your local AI apps. GitHub - JordanCT/VigIA-Orchestrator Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain A Taxonomy of RL Environments for LLM Agents Llama LLM Network Feture GitHub - genedeng-ca/ai-mac-migration: AI-powered Mac-to-Mac migration tool - replace Apple Migration Assistant with intelligent, selective transfer using local LLMs GitHub - lunargate-ai/gateway: High-performance self-hosted AI gateway (OpenAI-compatible) with routing, retries, and streaming GitHub - AuthBits/webmcp: A lightweight, prompt-driven MCP web research server for high-quality LLM powered information extraction. Externalization in LLM Agents: A Unified Review of Memory, Skills, Protocols and Harness Engineering Springdrift: An Auditable Persistent Runtime for LLM Agents with Case-Based Memory, Normative Safety, and Ambient Self-Perception High-Stakes Personalization: Rethinking LLM Customization for Individual Investor Decision-Making From Static Templates to Dynamic Runtime Graphs: A Survey of Workflow Optimization for LLM Agents HUOZIIME: An On-Device LLM-enhanced Input Method for Deep Personalization TIDE: Token-Informed Depth Execution for Per-Token Early Exit in LLM Inference Characterizing WebGPU Dispatch Overhead for LLM Inference Across Four GPU Vendors, Three Backends, and Three Browsers LLM Targeted Underperformance Disproportionately Impacts Vulnerable Users
Five Agents, One Browser: Werewolf on Quack + DuckDB
keynha · 2026-05-17 · via Hacker News - Newest: "LLM"

In this post I'll show a working demo of multi-agent information asymmetry enforced at the database layer. A small fleet of language models plays Werewolf in your browser tab. Each agent holds a private DuckDB-WASM database inside its own Web Worker. A gateway worker is the only thing that can read across agents, and only with the right token.

In local-model mode, nothing leaves the tab and there is no server-side inference. If you paste an Anthropic, OpenAI, or OpenRouter key, the browser sends prompts directly to that provider with your key. Either way, the page loads, agents start plotting, and you can watch the federation log fill up with the SQL the gateway sent.

The architectural claim is one sentence: information asymmetry can be enforced by the schema, not by the application code. Same query, different result, depending on what the database knows about itself.

Agents play Werewolf

Pick a setup and a model, then hit play. The local option runs Qwen3.5-2B-q4f16_1-MLC on your WebGPU. That is the 2B-parameter Qwen3.5 model at 4-bit weight quantization with 16-bit activations, about 1.2 GB on disk and cached by IndexedDB after the first load. If you have an Anthropic, OpenAI, or OpenRouter key, paste it and the agents use a hosted model instead.

On phones: the in-browser model is desktop-only in this demo. The 1.2 GB WebGPU model reliably trips mobile-tab memory budgets and reloads the page mid-load, so the local option is disabled there. DuckDB-WASM, the gateway, and the per-player workers all run fine on mobile, pick a hosted-API option on a phone and the rest of the architecture still works end to end.

The scopes

Scope What it can do
own-db-full A player worker on its own DB. Any table, any column, read and write.
gateway-public-only Gateway pulling public-safe columns during play. Can read intents.public_text. Cannot read intents.rationale.
wolf-team-read Gateway pulling wolf channel data. Authorized at the gateway, then row-filtered locally. Non-wolf workers return zero rows.
gateway-post-game Gateway pulling everything after the game finishes.
main-admin Orchestrator/bootstrap path for seeding roles, gateway state, and action rows.

When the gateway federates a query, it mints a fresh per-node token, sends the same SQL fragment to every attached player in parallel, ingests the returned rows into a local temp table, and runs a final SQL against that temp table. Open the Federation log panel during or after a game and you'll see every call, the per-node SQL it sent, the temp-table DDL, the gateway-local final SQL, the row count, and the elapsed time.

The boundary lives in the columns

Every agent turn writes one row to that agent's intents table:

INSERT INTO intents (round, agent_id, action, target, rationale, public_text)
VALUES (...);

rationale is the model's private reasoning. public_text is what the agent says out loud, or NULL for a night action. Both come from the same LLM call. The model produces them together in one JSON object.

During play, the gateway pulls only public_text. Its token does not permit the rationale column. Each player worker parses the incoming SELECT and rejects any reference to a column the scope does not allow, including references in filters and ordering clauses. A gateway-public-only token asking for rationale, or trying to filter by it, gets back QK_COLUMN_FORBIDDEN. The Try denied scope button after a game finishes will fire that denial and log it in the federation panel.

After the game ends, the orchestrator mints a gateway-post-game token. The same federation pattern returns the same row set with rationale included. The X-ray panel renders both columns side by side.

The boundary is in the column, and that is the entire pattern.

The wolf channel: row-level federation

Column scoping is one axis. Row-level filtering is the other. The Two wolves preset exercises it.

In a Werewolf game with multiple wolves, the wolves coordinate. The demo handles that with a multi-rotation channel. Each rotation, every wolf gets a turn. The gateway re-federates the channel, the latest state goes into each wolf's prompt as channel so far this round, and the rotation ends when every wolf signals done. Day discussion works the same way. Every alive player gets multiple chances to speak. The discussion ends when nobody has anything new to add.

Before each wolf turn the orchestrator mints a wolf-team-read token and federates a named query:

SELECT round, agent_id, action, target, rationale,
       CAST(decided_at AS VARCHAR) AS decided_at
FROM intents
WHERE action = 'wolf-kill'
ORDER BY round, decided_at;

The gateway fans this out to every attached player, including the seer, the doctor, and every villager. The row-level filter is declared on the wolf-team-read scope in PLAYER_POLICY as a SQL predicate:

"wolf-team-read": {
  tables: ["intents", "self"],
  columns: { intents: [...], self: ["agent_id", "role"] },
  statements: ["SELECT"],
  rowPredicate: "SELECT (SELECT role FROM self LIMIT 1) = 'wolf' AS ok",
}

Before running the requested SELECT, the worker evaluates policy.rowPredicate against its own database. If the first column of the first row is false, it returns zero rows without ever running the caller's SQL. A non-wolf worker accepts the request, evaluates the predicate against its self table, gets false, and returns {rows: []}. Wolves get true and return their proposals. The gateway ingests them, runs the final query, and hands the transcript back to the orchestrator, which threads it into the next wolf's prompt.

The gateway does not know which workers are wolves. The schema does. Same query, different result, decided locally by each player based on a column it owns and the caller cannot see.

In the federation log you can see every wolf_channel call the gateway made during play. The row count grows over time because every wolf proposal writes a new row. By the end of a Two wolves game over three rounds, the wolf channel federated about 18 times. The post-game full_log query returned every intent every player wrote across the whole game.

The real Quack path

Quack is DuckDB's remote protocol. One DuckDB process can serve a database with quack_serve(...), and another DuckDB process can query it with quack_query(...) or attach it as a remote catalog. The DuckDB reference documents the server functions, client functions, ATTACH options, and Quack logs. The security guide matters even more for this post because a Quack server exposes SQL, then relies on token authentication and authorization callbacks to decide what each caller may run.

The Quack use case here is database-owned agent federation. Each agent owns a DuckDB database. The gateway does not ask an application object for a filtered copy of memory. It asks a remote DuckDB node for a SQL result. That node decides, using its own tables and Quack authorization path, which rows and columns are allowed to leave.

The browser demo keeps that model portable by using a Quack-shaped postMessage shim for the server side. One browser tab can load the real Quack extension as a client with DuckDB-WASM, which DuckDB documents in its WASM setup guide, but one tab cannot host five native Quack server processes plus a gateway server. So each player worker behaves like a Quack node: it owns a DuckDB-WASM database, accepts request/response messages, authenticates a bearer token, authorizes SQL by scope, and returns rows.

Because the transport boundary is the interesting part, I also built a companion Werewolf Quack Lab. It starts native DuckDB Quack servers from a JSON player config and queries them from a gateway DuckDB client. The latest version also asks each player container to take one local agent action. In the default test mode the agent is deterministic, and in OpenAI-compatible mode the model call happens from inside the player container before the proposed action is validated and written to that player's DuckDB process. The lab treats model output as a proposal: phase actions are constrained, wolf targets are forced to valid non-partners, and wolf actions cannot publish text. That path can point at a hosted API or at a local oMLX server. The lab includes an optional omlx smoke test that checks /v1/models, handles API-key auth, generates a three-player config, asks the container-local agents to act through the local model, and then runs the same Quack gateway assertions.

The lab smoke test proves the shape end to end: generated players, container local action writes, whoami() calls across every node, public-log federation that hides rationale, wolf-channel federation that returns only the wolf nodes, a closed post-game view while the game is still live, and a real Quack authorization denial when the gateway tries to read the private intents table directly.

What this demo gets wrong on purpose

The same JS process owns the HMAC signing key, every player worker, and the gateway. A browser extension could read all of it. The boundary I'm demonstrating is architectural. The same architecture deployed across separate processes on separate hosts would be enforced by the OS, the network, and TLS.

The local model, Qwen3.5-2B-q4f16_1-MLC, sometimes gives up. When it does, the rationale row reads (LLM fallback) and the agent passes. The model dropdown also accepts an Anthropic, OpenAI, or OpenRouter key. Haiku 4.5, gpt-4o-mini, and Grok 4 play coherently. The architecture stays the same regardless of which model is driving the agents.

The API-key path keeps your key in the browser. Anthropic's own header name for this is anthropic-dangerous-direct-browser-access. The warning is real. It works for a bring-your-own-key demo against your own account. It is not a deployment pattern.

Why this matters for your multi-agent system

If you are building a product where multiple agents share an execution substrate and must not share information, the boundary has to live somewhere. There are three places it usually lives:

  • The application layer. Every read is a function call, every function call checks the caller.
  • The model layer. Separate fine-tunes, separate runtimes.
  • The data layer. Columns and rows of the tables the agent already queries, with signed bearer tokens that name what the holder is allowed to look at, and predicates the database evaluates against its own state.

In the data-layer version, the agent gets exactly the slice of data its scope allows. The forbidden column is absent from the result. The forbidden row is filtered before the connection sees it. The federation reached N nodes, and N minus k of them returned zero rows.

That pattern shows up in clinical assistants seeing different patients, customer-isolated copilots, on-device specialist fleets, skill marketplaces owned by different parties, and supervisor-subordinate agent chains where the supervisor should not see the subordinate's internal reasoning.

If you are hitting that wall, book a call and we can talk through your architecture.