惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - Franky
有赞技术团队
有赞技术团队
博客园 - 司徒正美
量子位
N
News and Events Feed by Topic
T
Threatpost
Last Week in AI
Last Week in AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
酷 壳 – CoolShell
酷 壳 – CoolShell
C
CERT Recently Published Vulnerability Notes
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
I
Intezer
人人都是产品经理
人人都是产品经理
T
Tenable Blog
IT之家
IT之家
雷峰网
雷峰网
腾讯CDC
博客园 - 聂微东
V
Visual Studio Blog
S
SegmentFault 最新的问题
Scott Helme
Scott Helme
Spread Privacy
Spread Privacy
月光博客
月光博客
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
V2EX
大猫的无限游戏
大猫的无限游戏
Apple Machine Learning Research
Apple Machine Learning Research
爱范儿
爱范儿
T
Tailwind CSS Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
N
Netflix TechBlog - Medium
J
Java Code Geeks
宝玉的分享
宝玉的分享
F
Full Disclosure
WordPress大学
WordPress大学
A
Arctic Wolf
小众软件
小众软件
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
NISL@THU
NISL@THU
AI
AI
Hugging Face - Blog
Hugging Face - Blog
F
Fortinet All Blogs
云风的 BLOG
云风的 BLOG
N
News | PayPal Newsroom
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How to onboard an existing project with AI tools
Vilius · 2026-06-26 · via DEV Community

You cloned a mature project, pointed an AI agent at it, and it produced garbage. It didn't know the auth flow, tripped on schema quirks, and kept writing code that didn't fit. You blamed the model. It wasn't the model's fault.

The problem isn't the agent's ability to code. It's your project's ability to be coded by an agent. This guide fixes that — one phase at a time. You don't need to finish all of them today. Do one, come back next week. The goal is progress, not perfection.


Before you start — take stock

Not every project needs the same treatment. Spend 10 minutes assessing what you're working with:

  • Does it have docs? Are they accurate?
  • Is there a test suite? Unit, integration, E2E?
  • What's the auth situation? Service account, MFA, SSO?
  • What does the README claim vs what's actually true?
  • Is there a committed schema (GraphQL, OpenAPI) or is the contract tribal knowledge?

You're looking for gaps in what an agent needs to work effectively. You'll fill them one at a time.


Phase one: Documentation baseline

An agent relearns your project every session unless you give it somewhere to look. That somewhere is a docs/ folder at project root. Every plan, spec, architecture decision, and bug fix goes there. Organized home, reduced mental load.

What lives in docs/:

AGENTS.md — how the agent should write code for this project. Conventions to follow, patterns to avoid, gotchas that aren't obvious from the code. This is more important than the README in 2026. Start with one, keep it honest. (If your tool prefers CLAUDE.md or CURSOR_RULES, use those — same purpose, different name.)

docs/BUGS.md — bug catalog with root causes, symptoms, and fixes. The same issue doesn't need to be fixed twice. The agent reads this before starting new work.

docs/LESSONS.md — things that went wrong. Architectural decisions that aged poorly. What the agent should never do. This is durable institutional memory — more valuable than any lint rule. New team members (human or agent) read this first.

docs/TECH-DEBT.md — anti-pattern inventory with a phased fix plan. The agent checks this before refactoring so it doesn't step into known traps.

docs/SPECS/ — feature specs and implementation plans. The agent works from a written spec, not memory. One plan per feature, organised by status.

docs/SCHEMA.md (optional) — data model reference. Committed types, API contracts, field descriptions. If your project has a formal schema, document it. If not, the existing code is the contract — and that's fine.

Frontend docs cross-reference backend docs. One entry point. The agent goes there first, guesses second.

Setup in one paste — single source of truth

mkdir -p docs/SPECS && cat > AGENTS.md << 'EOF'
# AGENTS.md

Before writing code: read this file, then check docs/ for known issues,
the data model, and project conventions. Tests must pass after changes.

All project knowledge lives in docs/. Single source of truth.
Read docs/BUGS.md, docs/LESSONS.md, and docs/TECH-DEBT.md before any work.
EOF
touch docs/BUGS.md docs/LESSONS.md docs/TECH-DEBT.md
echo "✅ docs/ + AGENTS.md created — agent entry point is set"

Paste that in your project root. Creates docs/ as the single source of truth and AGENTS.md as the agent's entry point. The agent reads AGENTS.md first, everything else branches from docs/. Works with Claude Code, Codex, Cursor, Pi — any agent that respects project docs.

The agent only links to AGENTS.md. That file points to docs/. One entry point, everything discoverable from there.

⚠️ The /init trap

Your favourite CLI will scan your project and generate documentation. Some of it will be wrong — wrong architecture labels, wrong folder purposes, wrong dependency descriptions. Service-layered vs atomic architecture look identical to a scanner. They aren't.

Read every line it wrote. Find what's incorrect. Fix it. The effort isn't generating text — it's curation.


Phase two: Testing — the trust threshold

This is the hard part. It determines how much AI can assist and how much trust you can hand over. Evals, regression safety, autonomous debugging — everything lives or dies on whether this works.

Don't have a full suite yet? Start with one smoke test. One spec that proves auth works. Expand later — the first domino matters more than full coverage.

Authentication — the blocker

Most mature apps won't let an agent in without MFA, SSO, or some redirect chain. If a service account exists, use it. Otherwise:

Ideally, use a persistent browser profile. Login once, the profile saves, reuses forever. Covers MFA, SSO, redirect chains — handled on day one, never touched again. Playwright makes this trivial:

npx playwright open --save-storage=.auth/profile.json
# login manually once in the headed browser window
# profile.json now saves the session — reuse everywhere

If you can't create a dedicated profile, clone your actual profile. Less ideal — you're coupling test setup to your personal session — but it works and gets you moving.

Don't use CDP. Chrome DevTools Protocol sounds elegant. Every time I've tried it, it flakes. Connection drops, session expires mid-test, weird race conditions. More time debugging the connection than writing tests.

After auth — the details

Login scripts. Cookie popup dismissals. Wait-for-element by specific selectors. Build these once, commit them, forget them. The agent inherits the same setup — same profile, same scripts, same waits.


Phase three: MCP servers — extending what the agent can do

Once docs and auth are in place, the next step is giving the agent tools it doesn't have natively. MCP servers do that — they're project-local services the agent discovers and calls automatically.

Two that matter for project onboarding:

Playwright MCP
Drives a real browser. The agent navigates to URLs, clicks buttons, reads the DOM, takes screenshots. Uses the same persistent profile from phase two, so auth just works. Drop a link and describe the bug — the agent reproduces it, inspects the mismatch, and writes a fix. No manual reproduction steps, no screenshot pasting.

Configured in the project's .mcp.json, pointing at a dedicated Playwright instance with the persistent Chrome profile. The agent discovers it automatically on session start.

Context7 MCP
Gives the agent up-to-date documentation and code examples for any library or framework. When the agent needs to use an unfamiliar API, it queries Context7 instead of guessing or hallucinating. Covers the full ecosystem — React, Fastify, GraphQL, Playwright, everything with published docs.

Where to get these

  • Playwright: npm install -D @playwright/test then npx playwright install chromium. The MCP server comes from @anthropic-ai/mcp-playwright or configure it manually via the MCP specification.
  • Context7: Available at context7.com — install their MCP server and configure it in your project.
  • Auth setup: Run npx playwright open --save-storage=.auth/profile.json, login once, reuse everywhere.

Phase four: Feedback loop

Now you have docs, auth'd tests, and tool access. What connects them is the workflow:

  1. Write a spec
  2. Agent implements against it
  3. Tests run — pass or fail
  4. Agent fixes or you review the output
  5. Commit

This is the cadence. It doesn't need tooling — a single cycle proves the chain works. The loop matters before the automation does.


Useful add-ons (not inbuilt, go install these)

Beyond the setup, there are third-party tools worth knowing about. These aren't built into any framework — you find and install them yourself:

Caveman — compressed specification writing for agent-friendly specs. Cuts token count ~75% while staying precise. Useful when you need the agent to work from a spec that's dense enough to fit in context and precise enough to not hallucinate around.

Ponytail — efficiency patterns for agentic development. Developer-laziness-as-virtue philosophy: ship what you own, validate what you don't. Covers code compression, structural laziness patterns, and avoiding over-engineering.


What this unlocks

Once docs, auth, and MCP tools exist, you've passed the threshold. Not the finish line — but the point where the agent becomes useful instead of dead weight.

Drop a link, describe the bug — the agent debugs it itself.
Playwright MCP opens the browser, navigates, interacts, reads the DOM. One prompt: "the dropdown on this page shows wrong values" → agent reproduces, identifies the mismatch between API response and render, fixes it.

Feed design screenshots — the agent builds from them.
Pixel-perfect? Not yet. Close enough that your job shifts from building to reviewing.

Ask for a new field — the agent checks the schema, migrates if needed, builds.
If your project has a committed schema (GraphQL, OpenAPI, types file), the agent reuses what exists or creates the migration. If it doesn't, the agent works from the existing code as the implicit contract. Either way, backend and frontend stay consistent without manual coordination.

Hand off to a colleague on another OS.
Windows, macOS, Linux — same setup, same agent, same reliability. I handed over a solution on a 2-hour call. The agent drove a persistent Chrome browser until deployment issues were resolved. No SSH. Just "fix this."

Ask it to fix code smells across the codebase.
With the test suite as a safety net, the agent can refactor confidently.


2026 best practices that changed the game

Agent-specific docs over human READMEs.
CLAUDE.md / AGENTS.md is the most important file in the project now. READMEs tell humans how to run it. Agent docs tell the agent how to think about it. Different audiences.

Document the data model.
If your project has a formal schema (GraphQL, OpenAPI, protobuf), commit it and make it the source of truth. If it doesn't, document the implicit contract — key types, API shapes, field meanings — in docs/SCHEMA.md. The agent reads this before touching data-layer code. The goal isn't a perfect schema, it's less guesswork.

Auth persistence as infrastructure.
Persistent browser profiles aren't a convenience. They're infrastructure. Without them, the agent spends half its context on re-authenticating. With them, every session starts ready to work.

LESSONS.md as institutional memory.
What went wrong last sprint. Why the agent should never mutate cache in a certain path. This prevents more bugs than any lint rule.

Document the anti-patterns, not just the patterns.
What not to do is more valuable than what to do. An agent can guess the pattern. It can't guess the mistake you made three months ago unless you wrote it down.

MCP servers extend tool reach.
The trend in 2026 is project-local MCP servers that give the agent capabilities it doesn't have natively — browser driving (Playwright MCP), documentation lookup (Context7 MCP). Configure them in the project, commit the config, the agent discovers them automatically.


What still needs you

  • Cross-file refactors with implicit dependencies — the agent misses ripple effects across distant modules
  • Product judgment — anything that needs taste, not correctness
  • First-time architectural patterns — you scaffold the structure, the agent fills it in
  • Curating the docs baseline — the initial curation is still a human task

The ratio shifts hard. Most of what took hours now takes minutes of review.


When to stop

You don't need full coverage. You need enough coverage to trust the output. One auth'd E2E test, one docs baseline, one MCP server — that's the minimum viable setup. Everything else is compound returns.

If today wasn't the day — that's fine. The project will be here tomorrow. Pick one thing, move it forward, stop when you've made progress.


Phases one and two are the hard ones. The rest is where the compound returns live. You can stop after any of them.