惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
T
Threat Research - Cisco Blogs
L
LangChain Blog
Simon Willison's Weblog
Simon Willison's Weblog
Project Zero
Project Zero
Latest news
Latest news
S
Schneier on Security
Cisco Talos Blog
Cisco Talos Blog
MyScale Blog
MyScale Blog
C
Check Point Blog
IT之家
IT之家
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
CERT Recently Published Vulnerability Notes
Scott Helme
Scott Helme
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
G
Google Developers Blog
T
Tor Project blog
T
Threatpost
D
DataBreaches.Net
博客园 - 【当耐特】
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
博客园_首页
S
Securelist
T
The Exploit Database - CXSecurity.com
Last Week in AI
Last Week in AI
量子位
U
Unit 42
Know Your Adversary
Know Your Adversary
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
Google Online Security Blog
Google Online Security Blog
Hacker News: Ask HN
Hacker News: Ask HN
Webroot Blog
Webroot Blog
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
N
News and Events Feed by Topic
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
The CORE Agentic Workflow: Task Plan Review Approve PR
Sahil Kathpa · 2026-05-01 · via DEV Community
The standard agentic loop — give the agent a task, get code back — has no checkpoint between your intent and the agent's execution. You find out what the agent decided to do by reading what it already did. The CORE workflow closes that gap by splitting every agentic task into two sequential sessions: one that drafts a plan and stops, and one that executes the approved plan and returns a PR. Human judgment sits at the decision point between them — not at every tool call, not after the damage is done. TL;DR The agentic approval workflow has six stages: Write a structured task file with scope constraints and an explicit stop instruction Run a planning session — agent drafts a plan, writes it to disk, and stops Review the plan file, edit if needed, then approve by leaving it unchanged Run a separate execution session that reads the approved plan and returns a diff Run a QA inspector agent to audit the diff for scope violations before merge Review the PR diff against the approved plan and merge No micromanaging tool calls. Two human decision points. Every irreversible action is preceded by a plan you reviewed. Goal Build a repeatable workflow where AI coding agents handle implementation autonomously while human judgment gates two high-stakes checkpoints: what the agent is about to do (the plan), and what the agent actually did (the diff). The output of every task is a reviewable PR — not a clarification question, not a half-finished change, not a surprise. The pattern is called the CORE workflow, shared by developers in r/ClaudeCode who wanted to "write tasks and come back to PRs, not decisions." It works with any Claude Code-compatible setup and requires no additional tooling to get started. Prerequisites Claude Code installed and authenticated ( claude --version ) Git initialized in your project directory A consistent task file format (templates below) Optional: Grass for mobile approval forwarding when sessions run while you're away from your desk Step 1: Write a Structured Task File A task file is not a prompt. It's a contract between you and the agent. It specifies the objective, the scope boundaries, the constraints, and — critically — an explicit stop instruction that prevents the agent from executing before you've reviewed the plan. # TASK.md ## Objective Add JWT-based authentication to the Express API. ## Scope - In scope: src/middleware/, src/routes/api.ts, src/models/User.ts - Out of scope: src/frontend/, package.json (list proposed dependency additions in PLAN.md only — do not install anything during the planning phase) ## Constraints - Do not modify existing route signatures - All new functions require a corresponding test - No network calls during the planning phase ## Deliverable Write your implementation plan to PLAN.md. List every file you will create or modify with a one-line summary of each change. List any dependencies you need to add with version numbers. DO NOT write any source code. Write PLAN.md and stop. The last line is the checkpoint instruction. Burying it inside the constraints section weakens it — agents prioritize recency, and the final instruction carries the most weight. Putting it in all-caps at the end of the file is not excessive; it's precise. Scope files as a broader pattern: Developers running multiple concurrent agents extend this into a per-agent scope file architecture. As documented in a multi-agent ops thread on r/ClaudeCode , practitioners running seven agents across three concurrent projects maintain separate scope files (what each agent can touch), soul files (decision heuristics and style preferences), and guardrail files (hard stops and forbidden operations) for each agent. The QA inspector is the seventh agent — reviewing the outputs of the other six. We'll implement that pattern in Step 5. Step 2: Run the Planning Session Invoke Claude Code against your task file with a prompt that reinforces the stop instruction: claude --model claude-sonnet-4-6 \ "Read TASK.md carefully. Write your implementation plan to PLAN.md \ exactly as instructed. Stop when PLAN.md is written. Do not modify \ any other files." The agent reasons through the implementation, writes PLAN.md, and exits. Your terminal returns. No source files were touched. No dependencies were installed. This is the key architectural decision in the CORE workflow: planning and execution are separate invocations , not a single long session with an internal checkpoint. A single session with a "plan first, then wait for my approval" instruction is unreliable — the agent may misread its own prior output or interpret a follow-up message as implicit approval. Two sessions with an explicit handoff removes that ambiguity entirely. Step 3: Review and Approve the Plan Open PLAN.md and read it. This is the moment where you see the agent's intentions before they become actions. A well-structured PLAN.md looks like: # Implementation Plan: JWT Authentication ## Files to create or modify - src/middleware/auth.ts — CREATE; JWT verification middleware - src/routes/api.ts — MODIFY lines ~45–60; add auth middleware to /api/data - src/models/User.ts — MODIFY; add passwordHash field + bcrypt methods ## Proposed dependencies - jsonwebtoken@9.0.0 - bcrypt@5.1.0 ## New test files - src/__tests__/auth.test.ts — CREATE; integration tests for token issuance and verification ## Execution sequence 1. Update User model with password hashing 2. Create auth middleware 3. Protect routes 4. Write tests 5. Create branch feat/jwt-auth and commit all changes Review checklist before approving: [ ] All listed files are within the scope defined in TASK.md [ ] No files listed that you didn't expect [ ] Proposed dependencies are acceptable (version ranges, license) [ ] Execution sequence doesn't front-load destructive operations [ ] Test coverage is specified, not implied If something's wrong, edit PLAN.md directly. You don't need another round-trip with the agent — the execution session reads what's on disk, not what the planning session originally proposed. Edit the plan, save it, and you've changed the execution contract. Step 4: Run the Execution Session With PLAN.md reviewed and correct, trigger the execution session: claude --model claude-sonnet-4-6 \ "PLAN.md has been reviewed and approved. Execute it exactly as specified. \ When complete: run the test suite, fix any failures, then create branch \ feat/jwt-auth and commit all changes. Do not ask clarifying questions — \ if you encounter ambiguity, make the conservative choice and note it in \ a NOTES.md file." This session runs autonomously. The agent implements what the plan specified, runs tests, and produces a clean branch. You don't watch it. You don't approve individual tool calls. The plan review was your checkpoint. As Martin Fowler notes in his exploration of humans and agents in software engineering loops , the practical design question is where human judgment belongs in the loop — not whether to include it. Inserting humans at every bash execution kills the productivity gain. Inserting them at plan review and diff review keeps judgment at the decisions that actually matter. One caveat on session length: Autonomy instructions erode as context accumulates. Complex executions — especially those involving 15 or more tool calls — are where agents start inserting unsolicited check-ins or silently revising the plan toward a "safer" interpretation that wasn't requested. See Why Your Claude Agent Ignores Rules Past ~15 Tool Calls for the root cause analysis. For large tasks, break the execution into stages (each with its own PLAN.md equivalent) and run each stage as a separate session. Step 5: Run the QA Inspector The QA inspector is the oversight layer most people skip. It's a separate Claude Code invocation — the "seventh agent" in the multi-agent framework — that reviews the execution diff before you look at it manually. It catches silent scope expansion and security patterns that are easy to miss in a line-by-line diff review. claude --model claude-sonnet-4-6 \ "You are a QA inspector. Review the output of 'git diff main...feat/jwt-auth'. Check for: 1. Scope violations — files modified that are NOT listed in PLAN.md 2. Security patterns — hardcoded secrets, unvalidated user input in SQL queries or shell commands, missing input sanitization 3. Coverage gaps — new functions without corresponding test assertions 4. Dependency drift — packages installed that are not in PLAN.md Output format: STATUS: PASS or FAIL If FAIL, list each issue as: - [SCOPE|SECURITY|COVERAGE|DEPENDENCY] file/path:line — description" Give the inspector a specific rubric. A vague instruction ("check for security issues") produces vague output that doesn't catch real problems. Specific patterns — "unvalidated user input in SQL queries," "hardcoded secrets matching /api[_-]?key|token/i" — produce actionable line references. Step 6: Review the Diff and Merge Once the QA inspector passes, review the diff yourself: git diff main...feat/jwt-auth Everything in the diff should match what PLAN.md specified. If there are surprises — files you didn't expect, changes outside the planned scope — check the session's transcript before deciding whether to merge or roll back. The post How to Review AI-Generated Code That Ships Faster Than You Can Read covers the four-checkpoint review framework for diffs that move faster than you can read them linearly. Verification: Is the Workflow Running Correctly? A correctly functioning workflow has these observable properties: PLAN.md exists and is timestamped before any source files in the execution branch are modified The QA inspector produces output with specific file paths and line numbers, not generic statements Every changed file in the PR diff is listed in PLAN.md Long executions are split into discrete stages — no single session runs more than 15–20 tool calls before a checkpoint If your execution session is producing PLAN.md and modifying source files in the same session, the planning checkpoint isn't holding. The stop instruction needs to be more explicit, or you need to run the planning invocation with a more restricted scope (e.g., read-only tool access). Troubleshooting Agent starts executing during the planning session The stop instruction needs to be the last line of the prompt, not embedded in a constraint list. Make it explicit and terminal: "Write PLAN.md and stop. Do not modify any source files under any circumstances." Some developers run the planning session with a .claude/settings.json that sets "allowedTools": ["Read", "Write"] — limiting the session to file reads and the single PLAN.md write. Agent drifts from the approved plan during execution This is the context erosion problem documented in Why Your Claude Agent Ignores Rules Past ~15 Tool Calls . The most reliable fix: include the full text of PLAN.md in the execution prompt body, not just a reference to the file. As context accumulates, the agent's attention to the original file reference degrades; quoted plan text in the prompt is more durable. QA inspector flags false positives Tighten the rubric. Replace "check for security issues" with specific patterns the inspector should match against. Provide an example of a PASS output and a FAIL output in the prompt so the inspector has a calibration reference before it starts reviewing. Subagents don't follow the plan When Claude Code spawns subagents via Task() calls internally, those agents don't inherit the parent session's PLAN.md context. Pass the relevant sections of PLAN.md explicitly in the subagent's task description. For tool-level control during execution, How to Build Human-in-the-Loop Approval Gates for AI Coding Agents covers the PreToolUse hook layer that sits beneath the plan-review layer described here. The Subagent Visibility Gap The five-step workflow above closes the plan-review checkpoint cleanly. There's one scenario it doesn't fully handle: subagents running inside an execution session. When your primary agent spawns subagents via internal Task() calls, you lose three things simultaneously. As one developer described in a r/ClaudeCode thread on subagent usage : "can't see diffs like main agent, difficult to interrupt, auto-allow means no feedback loop when denying permissions." The structural fix: treat subagents as separate sequential sessions, each with their own scoped PLAN.md, rather than concurrent fire-and-forget spawns. Each subagent task gets its own planning checkpoint before execution begins. This makes the subagent outputs independently reviewable rather than folded invisibly into the parent session's diff. As breyta.ai's overview of human-in-the-loop coding agents notes : "Human-in-the-loop workflows add planned human checkpoints to agent runs. Coding agents do the work. People approve, correct, or supply context when it matters." The planning session is where context is supplied — not mid-execution. Inference.sh's approval gates documentation captures the design principle directly: "Approval gates are not a limitation on agent capability. They are what makes powerful capabilities safe to deploy. The combination of automation for routine actions and oversight for consequential ones gives you the benefits of both without the risks of either alone." The CORE workflow operationalizes this by making plan review the non-negotiable gate for every consequential action. How Grass Makes This Workflow Better The five-step workflow above runs entirely from your terminal. It works well when you're at your desk. Where it breaks down: the execution session is running, it hits an unexpected permission gate — a file write outside the planned scope, a bash command with side effects you didn't anticipate — and you're not there. In a standard setup, that means either the session blocks indefinitely waiting for a terminal response, or auto-allow mode runs the operation through and you find out about it only when you read the diff. How Grass closes the gap: Grass is a machine built for AI coding agents. The CLI ( npm install -g @grass-ai/ide ) runs a local HTTP server that bridges your running Claude Code sessions to a native iOS app. Permission requests from any active session — including subagent sessions that would normally be invisible — surface as modal notifications on your phone. You see the exact tool name, the exact command or file path, and tap Allow or Deny. No terminal polling. No SSH session open on your phone. npm install -g @grass-ai/ide grass start # Scan the QR code with the Grass iOS app # Running sessions now forward permission requests to your phone The Grass diff viewer shows git diff HEAD parsed into per-file views with syntax-highlighted additions and deletions — the same review you'd run manually in step 6, accessible from your phone as soon as the execution session finishes. You can approve the plan in step 3 and review the output diff in step 6 from the same surface, without being at your laptop for either. For sessions that run over long time windows — overnight builds, tasks dispatched during your commute — Grass runs on an always-on cloud VM per user. Agents don't die when your laptop sleeps. The execution session you dispatched at 8am is still running when you check from your phone at noon. The Grass server also supports a mode parameter in the chat API: "plan" (planning only, no tool execution) and "build" (execution mode). This maps directly to the CORE workflow's two-session split — you can trigger the planning session and the execution session from your phone without re-entering prompts. Setup (optional enhancement to the core workflow): Free tier at codeongrass.com : 10 hours, no credit card required. FAQ How do I prevent my AI coding agent from running code before I've reviewed the plan? Split the task into two separate Claude Code invocations: a planning session that writes PLAN.md and stops, and an execution session that reads the approved PLAN.md and implements it. The stop instruction must be the final, explicit directive in your planning prompt: "Write PLAN.md and stop. Do not modify any source files." Running them as separate sessions removes ambiguity about when execution begins — there is no way for the agent to "accidentally" continue into execution when the session has already exited. What is the CORE agentic approval workflow? CORE is a task management pattern for AI coding agents: write a structured task file → agent drafts a plan → human reviews and approves → a separate session executes the plan → session returns a reviewable PR. The key property is that the agent never writes source code without a human-reviewed plan on disk. The pattern was shared by developers in r/ClaudeCode who wanted to dispatch tasks and return to PRs rather than mid-task decision prompts. What is the 7-agent framework and what is the QA inspector's role? A multi-agent architecture documented by developers running concurrent agents across multiple projects. Each agent gets three files: a scope file (what directories and files it can touch), a soul file (decision heuristics and style preferences), and a guardrail file (hard stops and forbidden operations). The seventh agent is a QA inspector that runs after execution and before the diff is merged — reviewing every other agent's output for scope violations, security patterns, and coverage gaps. It's the oversight layer that most multi-agent setups omit. How do I handle permission requests from subagents I can't monitor directly? The structural fix is to avoid concurrent subagent spawning. Run subagents as sequential, scoped tasks — each with its own plan checkpoint — so you can review between runs. For live permission forwarding from active subagent sessions, Grass surfaces all permission requests (including from subagents) as mobile notifications that can be allowed or denied without a terminal. What should the QA inspector check in a post-execution diff? At minimum: scope violations (files modified that weren't in the approved PLAN.md), security patterns (hardcoded secrets, unvalidated input in SQL or shell commands, missing sanitization), coverage gaps (new functions without corresponding test assertions), and dependency drift (packages installed that weren't in the plan). Always give the inspector a specific, enumerated rubric rather than a generic "check for issues" instruction — vague prompts produce vague output that doesn't catch real problems. Next steps: The plan-review layer handles upstream scope control. For the tool-level enforcement layer beneath it — blocking specific bash patterns, allowlisting file operations, and forwarding live approval gates — see How to Build Human-in-the-Loop Approval Gates for AI Coding Agents . The two layers are complementary: plan review catches scope before execution starts; PreToolUse hooks catch dangerous operations during execution. Run both and you've covered both checkpoints. Originally published at codeongrass.com