惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
Google Developers Blog
Jina AI
Jina AI
大猫的无限游戏
大猫的无限游戏
Martin Fowler
Martin Fowler
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
C
Cybersecurity and Infrastructure Security Agency CISA
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
S
Securelist
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
L
LINUX DO - 热门话题
博客园 - 三生石上(FineUI控件)
T
Threatpost
T
The Blog of Author Tim Ferriss
C
CERT Recently Published Vulnerability Notes
IT之家
IT之家
P
Palo Alto Networks Blog
Microsoft Azure Blog
Microsoft Azure Blog
Spread Privacy
Spread Privacy
Cyberwarzone
Cyberwarzone
腾讯CDC
L
LangChain Blog
Know Your Adversary
Know Your Adversary
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
I
Intezer
T
Tor Project blog
AWS News Blog
AWS News Blog
T
Tenable Blog
NISL@THU
NISL@THU
Security Latest
Security Latest
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
MongoDB | Blog
MongoDB | Blog
MyScale Blog
MyScale Blog
D
DataBreaches.Net
Microsoft Security Blog
Microsoft Security Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
量子位
美团技术团队
The Cloudflare Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
罗磊的独立博客
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Stack Overflow Blog
Stack Overflow Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
ClauseGuard — Technical Walkthrough
Muhammad Bin · 2026-05-09 · via DEV Community

How I built an AI contract risk analyzer with Qwen on AMD
**

1. Project concept

ClauseGuard analyzes legal contracts and flags risky clauses. Instead of reading through 20 pages of legalese, you upload a PDF or DOCX and get a structured risk report with plain English explanations, safer alternatives, and negotiation scripts.
The core idea: chain multiple specialized AI agents together, each handling one part of the analysis, rather than asking a single model to do everything at once.

2. Architecture decisions

Why a 5-agent pipeline

Early experiments with a single prompt (extract clauses AND classify AND score risks) produced inconsistent results. The model would skip steps or produce shallow analysis. Splitting into 5 dedicated agents gave each one a narrow, focused task:
Extractor → Classifier → Risk Scorer → Translator → Reporter
Each agent receives the output of the previous one. If any agent fails, the pipeline degrades gracefully rather than crashing entirely.

Why Streamlit

FastAPI with React would have given more control but Streamlit let me build the full UI in hours instead of days. Session state handles data sharing between pages naturally. The dark theme customization with custom CSS gave it a polished look without frontend overhead.

Why Qwen 2.5 1.5B on AMD

DeepSeek API was the original backend but switching to a self-hosted open source model was the goal. Qwen 2.5 1.5B is small enough to run with low latency but capable enough for structured legal analysis when given focused prompts. AMD MI300X with vLLM provided the OpenAI-compatible API layer, so the same Python SDK worked without changes.

3. Data models

Everything flows through Pydantic models. This enforced type safety across all 5 agents and made parsing reliable. Twelve clause types are defined as a strict enum: NDA, IP_ASSIGNMENT, NON_COMPETE, ARBITRATION, AUTO_RENEWAL, LIABILITY_CAP, TERMINATION, DATA_SHARING, GOVERNING_LAW, PAYMENT, INDEMNIFICATION, and OTHER.
Each Clause has an ID, raw text, plain English translation, classified type, section heading, and position. RiskFindings carry severity (CRITICAL through INFO), a specific risk reason citing the actual clause language, a recommended action, a safer rewritten version, a negotiation message, and impact scenarios. The FinalReport ties everything together with summary statistics, a machine-readable markdown report, and a CSV export.

4. File parsing layer

Three file types needed support: PDF, DOCX, TXT. For PDF I used PyMuPDF as primary with pdfplumber as fallback. Some scanned PDFs have no extractable text, so pdfplumber catches those edge cases. For DOCX, python-docx extracts paragraphs while preserving order. TXT files use chardet for automatic encoding detection (UTF-8, Latin-1, Windows-1252). Files over 10 MB are rejected before processing.

5. Model service layer

The key insight: instead of each agent creating its own API client, a single shared service handles all communication with the model. A lazy singleton AsyncOpenAI client is shared across all 6 agents. The call_model function wraps every request with configurable timeout, one automatic retry on JSON parse failure, markdown fence stripping, and JSON validation.
Temperature is set to 0.0 for deterministic outputs. On JSON parse failure, the retry appends a stronger instruction to the user prompt. Timeouts prevent hanging if the model endpoint is slow. This single shared function eliminated about 150 lines of duplicated retry, timeout, and JSON cleaning code that previously existed in all 6 agent files.

6. Prompt engineering

The hardest part was getting a 1.5B parameter model to produce consistent structured JSON. Several techniques made this work reliably:

Explicit schemas with examples

Every prompt includes a concrete JSON schema and at least one input/output pair. The model follows patterns better than abstract instructions.

Short focused prompts

Long system prompts confuse smaller models. I cut each prompt to under 30 lines. If a rule could be demonstrated by example, I removed the text description.

Severity rubrics

Instead of asking the model to judge risk abstractly, I gave it a decision tree. CRITICAL triggers for IP covering personal work, unlimited liability, or mandatory arbitration waiving jury rights. HIGH triggers for non-competes over 1 year, auto-renewal without opt-out, or one-sided indemnification. MEDIUM for standard non-competes, net-60 payment terms, or out-of-state governing law. LOW for standard confidentiality and governing law. INFO for definitions, severability, and entire agreement clauses. This mechanical approach produced far more consistent results.

Negotiation generation

For CRITICAL and HIGH clauses, the Translator agent also generates a safer clause rewrite plus a ready-to-send negotiation email. The email follows a template: opening concern, specific suggestion, fairness rationale, closing.

7. Pipeline orchestration

The orchestrator runs all 5 agents in sequence with error isolation. Each agent call is wrapped in asyncio.wait_for with a 120-second timeout. If the Extractor fails, the pipeline still produces a report marked as partial. If the Risk Scorer fails, a fallback assigns MEDIUM severity to all clauses with a "Needs Human Review" label so the user can still see the clauses instead of getting a misleading "no issues found" message.
A live event callback system emits status updates (running, completed, failed) for each agent. The UI renders these as a real-time pipeline status panel showing which agent is currently working, which completed, and which failed.

8. Frontend design

Streamlit native components handle most of the UI. The dark theme is set via config.toml. Custom CSS handles the polish: gradient buttons, animated agent status indicators, severity color coding, responsive expanders. Each severity level has a consistent color scheme used everywhere: badges, borders, backgrounds, chart bars.
The multi-page structure splits the single screen into focused views: Home for upload and overview, Clauses for individual clause cards with severity filters, Negotiation for side-by-side current vs safer comparisons with email templates, Chat for the AI assistant with full contract context, and Downloads for markdown, CSV, and safer contract exports. Session state is initialized once with defaults for report, error, analyzing status, agent statuses, chat history, and cache keys. All pages read from the same state.

9. Error handling strategy

The biggest problem with the first version: when the model API was unreachable, the pipeline silently produced an empty report and showed "No issues found" with a green checkmark. Completely misleading. Three fixes addressed this:
Pre-flight connectivity check. Before analysis starts, a 10-second call to client.models.list() tests the endpoint. If unreachable, the user sees a specific error (Connection refused or Cannot resolve host) with instructions.
Zero-clause detection. If the pipeline produces a FinalReport with 0 clauses, the UI shows a red error banner identifying which agent failed, instead of the empty report.
Fallback scoring. When the Risk Scorer agent fails, a fallback function builds ScoredClause objects with MEDIUM severity and "Needs Human Review" labels. Users still see their clauses with a clear warning that automated scoring was incomplete.

10. Testing

13 tests cover the critical paths. Extractor tests verify JSON parsing handles both dict and list response formats, strips markdown fences, validates minimum clause counts, and processes real sample contracts. Risk scorer tests verify severity assignment logic (IP assignment should be CRITICAL, governing law should be LOW), ensure every clause gets a non-empty risk reason, and confirm all 5 severity levels are parseable.
Pipeline integration tests mock the model service to verify the full 5-agent chain produces valid FinalReport objects, detects at least one CRITICAL or HIGH finding in known risky contracts, generates non-empty markdown, and handles extractor failure gracefully. All mocks use unittest.mock.patch on the agent module call_model import paths.

11. Project structure

The codebase is organized into clear layers: app.py is the Streamlit home page with upload and overview. ui.py contains all shared rendering functions and constants. The pages directory holds the 4 multi-page Streamlit files. The agents directory contains the 5 pipeline agents plus the orchestrator and copilot. services holds the shared model service layer. config has settings and all 5 system prompts. models defines Pydantic schemas. tools handles file parsing, clause utilities, and report formatting. tests contains 13 pytest tests covering extraction, risk scoring, and full pipeline integration.

12. What I would do differently

Better prompt iteration tooling. I wrote prompts by hand and tested by running the full pipeline. A side-by-side comparison tool that shows the same contract analyzed with different prompts would have saved hours.
Streaming responses. Currently the pipeline blocks until each agent completes. Streaming token by token would give users real-time visibility into what the model is thinking.
Caching layer. The same clause analyzed twice produces the same result. A clause-hash to response cache would eliminate redundant API calls when users re-upload similar contracts.
PDF table support. Multi-column layouts and tables in PDFs get garbled during text extraction. A layout-preserving parser would handle employment contracts and SaaS agreements with tabular fee schedules better.
Model fallback chain. Currently the app uses one model endpoint. A chain that tries Qwen first, falls back to DeepSeek API, and finally uses local regex-based extraction would make the demo work reliably on any deployment platform.