惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Troy Hunt's Blog
Scott Helme
Scott Helme
T
Threat Research - Cisco Blogs
T
Tenable Blog
L
LINUX DO - 热门话题
V
Visual Studio Blog
I
Intezer
Blog — PlanetScale
Blog — PlanetScale
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
C
Cyber Attacks, Cyber Crime and Cyber Security
F
Fortinet All Blogs
aimingoo的专栏
aimingoo的专栏
Know Your Adversary
Know Your Adversary
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
Netflix TechBlog - Medium
SecWiki News
SecWiki News
I
InfoQ
Microsoft Security Blog
Microsoft Security Blog
Project Zero
Project Zero
W
WeLiveSecurity
Microsoft Azure Blog
Microsoft Azure Blog
A
About on SuperTechFans
Recorded Future
Recorded Future
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
S
Securelist
Spread Privacy
Spread Privacy
L
LangChain Blog
云风的 BLOG
云风的 BLOG
G
Google Developers Blog
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
CERT Recently Published Vulnerability Notes
罗磊的独立博客
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
The Last Watchdog
The Last Watchdog
Attack and Defense Labs
Attack and Defense Labs
博客园 - 司徒正美
Help Net Security
Help Net Security
L
Lohrmann on Cybersecurity
人人都是产品经理
人人都是产品经理
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
PCI Perspectives
PCI Perspectives
博客园 - 【当耐特】
T
Tor Project blog

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
GitHub - sjhalani7/vaen: Package your AI coding harness into a portable .agent file, and share it across repos, teams, & the community without ever having to copy-paste instructions, skills, MCP config, or secrets.
sjhalani7 · 2026-05-28 · via Hacker News - Newest: "AI"

VAEN is a portable CLI for packaging and importing agentic coding setups.

It takes an agent.yaml manifest, bundles instructions, skills, and project-scoped MCP declarations into an OCI-backed .agent archive, and imports that setup into another repository without transporting secrets.

Demo

Watch the 24-second flow: docs/assets/vaen-demo.mp4

vaen validate -f agent.yaml
vaen build -f agent.yaml -o team-setup.agent
vaen inspect team-setup.agent
vaen import team-setup.agent --client codex
vaen doctor --client codex

What VAEN Packages

VAEN packages configuration and authoring files, not runtime environments.

  • Main instructions and optional instruction includes
  • Skill directories and their files
  • Project-scoped MCP declarations
  • Bundle metadata used for import, inspection, and validation

VAEN never packages credential values, .env files, private keys, OAuth state, or MCP server implementations.

Why Not Just Zip the Files?

A zip file can move files, but it does not explain what the setup is, what should be imported, where files should land, or which credential variable names the receiver must provide locally.

VAEN keeps that handoff explicit:

  • agent.yaml declares the instructions, skills, MCP declarations, and required variable names.
  • vaen validate catches malformed manifests before sharing.
  • vaen inspect lets the receiver review bundle contents before import.
  • vaen import materializes the setup into predictable client-specific locations.
  • vaen doctor checks the imported structure without reading credential values.

Install

Install from GitHub with pipx:

pipx install git+https://github.com/sjhalani7/vaen.git

Or install from a local clone:

python3 -m venv .venv
. .venv/bin/activate
pip install -e .

The CLI provides:

vaen validate
vaen build
vaen inspect
vaen import
vaen doctor
vaen cleanup

Quick Start

See docs/quick-start.md for a minimal instructions-only bundle flow.

Public Agent Setup Packages

The dist/agents/ directory contains ready-to-import .agent archives for popular, reputable public agent setups.

Current packages:

See dist/agents/README.md for import commands and attribution.

Manifest

agent.yaml is the source of truth for a bundle.

version: "0.1"
publisher: "Shiv Jhalani"

instructions:
  main: "~/.codex/AGENTS.md"
  includes:
    - "./style.md"

artifacts:
  - type: skills
    path: "~/.codex/skills/code-review"
  - type: skills
    path: "~/.codex/skills/refactor"

requiredVars:
  - OPENAI_API_KEY

mcp:
  servers:
    - name: context7
      transport: stdio
      command: npx
      args: ["-y", "@upstash/context7-mcp"]
      env_vars:
        - CONTEXT7_API_KEY

    - name: docs
      transport: http
      url: https://example.com/mcp
      http_headers:
        X-Region: us-east-1
      bearer_token_env_var: DOCS_MCP_TOKEN
      header_env_vars:
        X-API-Key: DOCS_MCP_TOKEN

Manifest rules:

  • version, publisher, and instructions.main are required.
  • instructions.includes is optional.
  • artifacts is a list and may be empty for instructions-only bundles.
  • skills is the supported artifact type.
  • requiredVars and MCP env fields store environment variable names only, never values.
  • Manifest authors are responsible for writing names such as OPENAI_API_KEY, not credential values such as API keys, tokens, URLs with passwords, or NAME=value assignments.
  • http_headers stores non-secret static HTTP headers for MCP servers.
  • mcp is optional and lives at the top level of the manifest.
  • Source paths may point inside or outside the repo.

Correct:

requiredVars:
  - OPENAI_API_KEY

mcp:
  servers:
    - name: docs
      transport: http
      url: https://example.com/mcp
      bearer_token_env_var: DOCS_MCP_TOKEN

Incorrect:

requiredVars:
  - OPENAI_API_KEY=sk-proj-secret
  - sk-proj-secret

mcp:
  servers:
    - name: docs
      transport: http
      url: https://user:password@example.com/mcp
      bearer_token_env_var: sk-proj-secret

MCP support is host-neutral in the manifest. During import, VAEN writes the selected client format for Codex, Claude Code, or Copilot.

YAML Examples

Instructions only:

version: "0.1"
publisher: "Your Name"

instructions:
  main: "./AGENTS.md"

artifacts: []
  • instructions.main points to AGENTS.md or another main agent instruction file.

Instructions with skills:

version: "0.1"
publisher: "Your Name"

instructions:
  main: "./AGENTS.md"
  includes:
    - "./style.md"

artifacts:
  - type: skills
    path: "./skills/code-review"
  - type: skills
    path: "./skills/refactor"
  • instructions.includes is for extra Markdown instruction/context files.
  • Each artifacts entry points to one skill directory.

MCP servers:

version: "0.1"
publisher: "Your Name"

instructions:
  main: "./AGENTS.md"

artifacts: []

mcp:
  servers:
    - name: context7
      transport: stdio
      command: npx
      args: ["-y", "@upstash/context7-mcp"]
      env_vars:
        - CONTEXT7_API_KEY
    - name: figma
      transport: http
      url: "https://mcp.figma.com/mcp"
      bearer_token_env_var: FIGMA_OAUTH_TOKEN
      http_headers:
        X-Figma-Region: us-east-1
  • name is the local MCP server name.
  • transport is either stdio or http.
  • command and args define how stdio MCP servers are launched.
  • url defines the HTTP MCP endpoint.
  • env_vars and bearer_token_env_var contain environment variable names only, never secret values.
  • http_headers contains non-secret static headers.

Typical Flow

1. Validate

vaen validate -f examples/synthetic-fixture/agent.yaml

2. Build

vaen build -f examples/synthetic-fixture/agent.yaml

If -o is omitted, VAEN writes <manifest-directory-name>.agent in the working directory:

examples/synthetic-fixture/agent.yaml -> synthetic-fixture.agent

You can choose the archive name:

vaen build -f examples/synthetic-fixture/agent.yaml -o shiv-setup.agent

Explicit output paths must end in .agent.

3. Inspect

vaen inspect synthetic-fixture.agent

inspect reads the OCI archive and prints bundle metadata, normalized bundle paths, instructions, skills, MCP declarations, and required variable names.

4. Import

In the target repo:

vaen import /path/to/synthetic-fixture.agent

If the bundle contains MCP declarations, select the client config to write:

vaen import /path/to/synthetic-fixture.agent --client codex
vaen import /path/to/synthetic-fixture.agent --client claude
vaen import /path/to/synthetic-fixture.agent --client copilot

Default import (no --client and no target override flags) writes root instructions to AGENTS.md and CLAUDE.md, and mirrors skills to .agent/skills/... and .claude/skills/....

If --client is provided and none of --target, --target-instructions-file-name, --target-skills-directory are provided, activated outputs default to the client:

  • --client claude: CLAUDE.md and .claude/skills/...
  • --client codex: AGENTS.md and .codex/skills/...
  • --client copilot: AGENTS.md and .copilot/skills/...

To target another agent directory:

vaen import /path/to/synthetic-fixture.agent --target copilot

This writes COPILOT.md and .copilot/skills/....

Optional import overrides:

vaen import /path/to/synthetic-fixture.agent --target copilot --target-instructions-file-name copilot-instructions
vaen import /path/to/synthetic-fixture.agent --target copilot --target-skills-directory vscode

These write copilot-instructions.md and .vscode/skills/....

5. Verify

Use the same targeting and MCP client flags that were used during import:

vaen doctor --client codex
vaen doctor --target copilot --client copilot
vaen doctor --target copilot --target-instructions-file-name copilot-instructions
vaen doctor --target copilot --target-skills-directory vscode

doctor validates the imported structure and reports required environment variable names as warnings.

6. Cleanup

After confirming the activated files look right, remove the canonical stored copy:

vaen cleanup /path/to/synthetic-fixture.agent

Cleanup deletes .agent/<bundle-name> only. It does not delete root instruction files, skill mirrors, or MCP client config.

Archive Layout

A .agent file is an OCI-style archive:

bundle.agent
├── oci-layout
├── index.json
└── blobs/sha256/
    ├── <manifest blob>
    ├── <config blob>
    └── <layer blob>

The layer blob is a tar payload:

vaen/metadata.json
instructions/...
skills/...
mcp/...

Path terminology:

  • source path: where a file lives on the builder's machine
  • bundle path: where that file is stored inside the .agent
  • materialized path: where that file is written during import

This lets a builder reference files from places like ~/.codex/AGENTS.md while keeping the bundle layout stable and machine-independent.

Import Layout

Import writes a canonical stored copy first:

.agent/<bundle-name>/
├── instructions/
├── mcp/
├── skills/
└── vaen/metadata.json

Then it writes activated files for the target repo:

  • Root instruction files: AGENTS.md and CLAUDE.md, or the configured target filename.
  • Skill mirrors: .agent/skills/... and .claude/skills/..., or the configured target skill directory.
  • MCP client config: .codex/config.toml, .mcp.json, or .github/mcp.json when --client is used.

Included instruction files remain in .agent/<bundle-name>/instructions/...; they are not concatenated into the root instruction file.

Safety Rules

VAEN fails before overwriting existing setup files.

  • Existing root instruction files block import.
  • Existing .agent/<bundle-name> directories block import.
  • Existing mirrored skill names block import.
  • Existing MCP client config files block import.

Skill directories should contain only instructions, scripts, references, and assets needed by the agent. Do not place credential files such as .env, .env.*, private keys, or credential stores inside a skill directory before building a bundle.

Build rejects obvious declared secret file paths such as .env, .env.*, *.pem, *.key, and id_rsa. Detected secret values are never printed.

Credential handling is metadata-only:

  • requiredVars and MCP env fields store variable names only.
  • doctor does not read .env files.
  • doctor does not inspect shell environment variables, keychains, or other credential stores.
  • MCP validation checks local config syntax and expected file placement; it does not connect to MCP servers or validate auth.

Examples

The test fixture is a compact reference manifest:

The project-specific example is here:

License

VAEN is released under the MIT License.

The software is provided as-is, without warranty of any kind. The authors and copyright holders are not liable for claims, damages, or other liability arising from use of the software. See LICENSE for the full license text.