惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Schneier on Security
The Register - Security
The Register - Security
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The GitHub Blog
The GitHub Blog
博客园 - 司徒正美
罗磊的独立博客
U
Unit 42
S
SegmentFault 最新的问题
Y
Y Combinator Blog
博客园_首页
Hugging Face - Blog
Hugging Face - Blog
J
Java Code Geeks
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
C
Check Point Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Simon Willison's Weblog
Simon Willison's Weblog
V
Vulnerabilities – Threatpost
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
阮一峰的网络日志
阮一峰的网络日志
The Hacker News
The Hacker News
博客园 - 叶小钗
C
Cybersecurity and Infrastructure Security Agency CISA
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
L
Lohrmann on Cybersecurity
A
About on SuperTechFans
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
S
Securelist
A
Arctic Wolf
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Threatpost
Scott Helme
Scott Helme
博客园 - 聂微东
博客园 - 【当耐特】
T
Tenable Blog
I
Intezer
D
DataBreaches.Net
B
Blog RSS Feed
Security Latest
Security Latest
C
Cisco Blogs
T
Tor Project blog
N
Netflix TechBlog - Medium

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Read-Write MCP: Three Cloud Operations We Stopped Letting AI Touch After 90 Days
Muskan · 2026-05-15 · via DEV Community

The read-only MCP server work shipped clean. AI agents could read tags, search logs, query costs, walk topology. Operators saved hours per incident. The next question was obvious: which writes can the agent do too. We turned write capability on for tagging, log retention adjustments, idle non-prod resource stops, and a handful of other low-blast operations. Most of that stayed on. Ninety days in, three specific write classes got pulled back to read-and-propose.

The pieces that stayed write-enabled were the ones the closed-loop trust scoring framework would call "tier 1": low blast radius, high reversibility, single-axis decision. Tag corrections. Log retention nudges. Stopping a non-prod EC2 instance flagged by a 14-day idle alarm. The AI got faster at all of these and operators stopped intervening on the routine ones.

The three pulled back are the operations where the AI consistently picked the wrong action despite picking the right metric. Each failure mode has the same shape: the agent had every piece of local data the action required and was still missing a piece of global context that turned the action into an outage. This piece is about those three, why adding more local context doesn't fix them, and how the policy-aware MCP work needs to be extended with explicit capability tiers.

What we shipped, what we pulled back

Tool class Status after 90 days Why
Tag add / correct Write-enabled Single-axis, fully reversible, no dependency cascades
Log retention adjust Write-enabled Reversible, blast radius bounded by retention window
Stop idle non-prod EC2 Write-enabled Trust-score gated, traffic-confirmed, 90-second reverse
Cost query / report Read-only Output is the value; no write needed
Bulk security-group edit Pulled back Dependency cascades invisible to the LLM
Cross-region replication toggle Pulled back Recovery cost not in the local cost metric
Cost-anomaly auto-resolution Pulled back Multi-axis root cause; agent picks plausible-wrong action
Right-size production resource Read-only since launch Never went write-enabled — too high-blast for tier 1

The pattern that lets some tools stay write-enabled: the action's success or failure is fully determined by data the MCP tool already returns. Tagging a resource is fine because everything that matters about the tag is in the tag. Stopping an idle non-prod VM is fine because the traffic data, the env tag, and the time-since-last-use are all in the agent's context window. The three failed classes share a different shape.

Failure 1: bulk security-group edits and the invisible dependency cascade

The trigger event: an agent ran a routine cleanup pass on cleanup-stale-sg-rules. Eleven rules tagged "unused for 90 days" got removed across a non-prod account. One of those rules was a CIDR allow on port 5432 sourced from 10.99.0.0/16. The CIDR didn't map to anything in the source account's resources. The MCP tool's enrichment said "no resources in this account match this source range." Agent removed the rule.

Three minutes later a partner-integration job started failing in a different account. The 10.99.0.0/16 was the partner account's VPC peered into ours. The peering connection lived in a different VPC than the security group. The dependency wasn't visible from either the SG or its enrichment context.

diagram

The MCP tool returned correct local data. There were no resources in account-A using port 5432 from 10.99.0.0/16. That was true. The fact that account-B's ETL job traffic landed on those rules through a VPC peering connection was not in the SG's metadata, not in the tool's enrichment, and not in the agent's context window.

Adding more local data doesn't fix this. We tried "include all VPC peering connections in the enrichment." The next failure was a Direct Connect virtual interface that the agent didn't know to look at. Then a Transit Gateway attachment. The dependency cascade is unbounded; every cloud account has a different topology. The right move is to stop letting the agent execute these and have it propose instead.

Failure 2: cross-region replication toggles and the recovery cost the LLM doesn't see

S3 cross-region replication costs $0.02 per GB transferred plus the destination storage. For cold-tier buckets that are write-once and rarely read, the replication cost can dominate the bucket's monthly bill. The MCP tool exposed this signal cleanly: per-bucket, per-month, here's how much you're spending on replication.

The agent did the obvious thing. It found buckets where replication cost was high relative to read activity, proposed disabling replication, and (when in write mode) executed. Two weeks later one of those buckets was the only durable copy of a quarterly compliance archive. The primary region had a regional storage event. Restore from the replica was the disaster recovery plan. The replica had been turned off six days earlier.

The cost metric the agent saw:

Signal Value What the agent concluded
Monthly replication cost $1,200 Significant spend
Read activity (last 90 days) 0 Bucket isn't accessed
Storage class STANDARD_IA Cold tier already
Bucket size 60 TB Replication cost will keep growing

The cost metric the agent didn't see: this bucket is the only off-region copy of a regulator-required dataset. The recovery cost if the primary region fails and the replica is gone is not "$1,200 saved per month." It's "potential six-figure compliance penalty plus reconstruction work plus customer trust damage."

This isn't fixable by giving the agent more local data. The recovery posture lives in a separate system (the disaster recovery plan, the compliance map, sometimes just one person's head). Even if the bucket had a dr-tier=critical tag, an agent optimizing for cost-per-byte would override the tag because the dollars look so clear. Cross-region replication toggles need a human in the decision because the human knows what the bucket is for, not just what it costs.

Failure 3: cost-anomaly auto-resolutions and root-cause attribution

The cost-anomaly detector flagged a 40% EC2 spend spike in us-east-1 on a Wednesday. The MCP tool returned the anomaly with the standard enrichment: which accounts contributed, which instance types, time-of-day breakdown. The agent's proposed action: right-size the largest contributing instances; estimated saving $14,000/month.

The actual root cause: a feature deployment on Tuesday night had moved a recommendation pipeline from batch to streaming. The new architecture used larger instances continuously instead of bursting briefly through a queue. The "spike" was the new steady state. Right-sizing the instances would have broken the recommendation latency SLO and triggered a rollback by morning.

The agent's reasoning chain was technically correct. EC2 spend was up. The largest instances were the ones that grew. Right-sizing is a known-safe action class. The miss was that the cost change had a non-cost cause. Cost-anomaly attribution is multi-axis: deployment changes, traffic changes, instance-type changes, capacity-reservation expirations, regional pricing changes, and tagging changes can all surface as the same cost signal.

diagram

The agent had the change set deployed Tuesday in its context window — we had wired GitHub deployments into the MCP server precisely for this. The agent didn't connect them because the deployment description said "switch to streaming pipeline" and the agent was reasoning about EC2 cost, not architectural changes. The correlation existed; the LLM didn't bridge to it.

We considered training a smaller model on internal incident postmortems to do better attribution. The time cost was prohibitive and the failure mode would just shift from "wrong action" to "wrong action with more confidence." The structural fix was to stop letting the agent close the loop on cost-anomaly resolutions. The agent now produces a ranked list of candidate actions with the evidence chain attached. A human picks one or marks the anomaly as expected.

The pattern: local data, global decision

All three failures share the same shape. The LLM has the local data the action requires. The action requires global context the LLM doesn't have.

Failure class Local data agent had Global context agent missed
Bulk SG edit SG metadata, enrichment of resources in same account Cross-account peering dependencies, partner traffic patterns
Cross-region replication toggle Replication cost, read activity, bucket size Disaster recovery posture, compliance requirements
Cost-anomaly auto-resolution Cost data, instance attribution, time-of-day breakdown Concurrent deployment context, traffic-shape changes, intentional architectural shifts

Adding more local context doesn't fix this. Each time we tried (more enrichment fields, more cross-references, more ML-extracted context), we found a new edge case in the same failure class. The missing information is by definition not in the resource being touched. It's in another system, another team's heads, or the timeline of unrelated events.

Two patterns that DO work in this shape: a human in the decision loop, or a structural rule that pre-filters the action class. We picked human-in-the-loop because the structural rule is hard to maintain (every edge case becomes a new rule, the rule list grows unbounded), and the human cost is low when the action is pre-formatted.

Read+propose is not read-only

The pull-back is "the AI drafts, the human approves." The MCP server still enriches the signal, runs the dependency analysis, computes the cost-benefit, formats the change as a runbook with an evidence chain. The human's job is to look at the change description and click "approve" or "reject."

For the cost-anomaly case, the change description renders as a structured runbook. The header section names the anomaly (EC2 spend +40% in us-east-1, started Wed 02:00 UTC), the contributing accounts (prod-us-east, ml-pipeline, data-platform), and a ranked list of candidate actions:

Rank Action Estimated saving Risk note
1 Right-size instances i-abc, i-def, i-ghi $14k/mo Triggered by Tue 23:00 deployment "switch recs to streaming"; verify with platform team before action
2 Roll back the Tue deployment $14k/mo Feature rollback; coordinate with rec-pipeline team
3 Mark anomaly as expected $0 Use if streaming rec pipeline is intentional steady-state

Most reviewers approve in seconds. The friction cost is one click per change instead of zero. The incident cost saved is hours of recovery work plus the trust damage of a bad auto-action. The 30-minute-to-30-second collapse on the human side is what makes read+propose worth it: the AI did the analysis, the human decided.

This is more valuable than read-only because the AI is still doing 95% of the work. The reasoning chain, the cost math, the evidence collection, the runbook formatting — all of that is the AI's job. The human's job collapses to "is this the right action?" which is the part the AI can't do reliably for these three classes.

MCP capability tiers + trust-score gating

The structural fix is to make this a property of the MCP server, not a per-tool policy debate every time someone wants to add a new write operation. Each MCP tool exposes a capability_tier field in its metadata.

diagram

Tier 1 (read-only) is always allowed. Tier 2 (mutate-low-blast) requires the trust score to pass the team's threshold (typically 0.55). Tier 3 (mutate-high-blast) requires a trust score so high it effectively forces a human into the loop. The three pulled-back classes go to tier 3.

The capability-tier field is more important than the agent's IAM permissions. An agent with broad cloud permissions but only access to tier-1 and tier-2 tools is safer than an agent with narrow permissions and a tier-3 tool. The MCP server is the right enforcement point because that's where every tool call already passes through. Adding the tier check there means it can't be bypassed by an agent that knows the underlying API.

The tier assignment is the policy debate that does belong in the team. Each new tool gets a tier when it ships, and the tier can move (usually upward, as failure modes show up). The three classes in this piece moved from tier 2 to tier 3 ninety days in. The capability-tier field is the audit trail: what was the tier when the action ran, who set the tier, when.

What changes in the next quarter

Two things on the roadmap. First, we're instrumenting every agent invocation with a resource-touch graph: which resources did the agent read, which did it propose to mutate, which other resources reference any of those. The graph is the input to a "did the agent see all the dependencies" check. Early prototype catches the cross-account peering case from the first failure cleanly, but doesn't yet handle Direct Connect or Transit Gateway. The structural problem is that the dependency graph is unbounded; the practical fix is to score "graph completeness confidence" and feed it back into the trust score.

Second, we're auditing whether multi-step agent loops (where the agent reads, proposes, gets feedback, iterates) hit the same failure shape as single-shot writes. Early sample size is small but suggests yes — the multi-step agent gathers more local context than the single-shot but still misses the global piece. If that holds, the capability-tier model needs to apply to the loop's terminal action, not the intermediate reasoning steps.

Read+write MCP works for most cloud operations. The three classes pulled back are the ones where the trust-score math couldn't compensate for the missing global context. Read+propose preserves the AI's value at the cost of one click per change. The capability-tier field on MCP tools is the structural enforcement point that makes the policy debate happen once per tool, not once per action.