Open Code Review is an AI-powered CLI tool designed for automated, high-precision code reviews. Originally developed as Alibaba Group's internal assistant, the project uses a hybrid architecture that combines deterministic engineering with LLM agents to provide stable and accurate feedback. Unlike general-purpose agents, it employs smart file bundling and fine-grained rule matching to maintain context and prevent issues like position drift or incomplete coverage on large changesets.
Key features:
- AI-driven line-level review comments
- Hybrid architecture combining hard constraints with dynamic decision-making
- Support for various LLM endpoints including OpenAI and Anthropic
- Seamless integration with CI/CD pipelines and coding agents like Claude Code
- Customizable rule sets for specific project requirements
A self-hosted, GitHub-compatible API server designed for agents, automation, and developer workflows. It allows existing GitHub clients to work with owned repositories by exposing REST v3, GraphQL v4, OAuth device flow, and Git Smart HTTP while utilizing real bare Git repositories and TiDB/MySQL-compatible storage for metadata.
A directory of specialized scripts and capabilities designed for AI agents within the agent-scripts repository. These skills provide automated workflows across various domains including web browsing, software development processes like code review and debugging, system maintenance, and integrations with platforms such as WhatsApp, Discord, and Sonos.
Main topics include:
- Browser automation and web interaction
- Developer productivity tools for GitHub and coding workflows
- Platform-specific automations for messaging and smart home devices
- System utility scripts for macOS and developer environments
Self-hosting provides a hands-on way to learn modern infrastructure, covering essential skills such as deployment, networking, storage, monitoring, and system reliability.
1. **Awesome Selfhosted**: A curated list of open-source applications across various service categories.
2. **Coolify**: An open-source PaaS for deploying apps, databases, and services on your own servers.
3. **n8n**: A visual workflow automation platform for connecting APIs and services.
4. **Uptime Kuma**: A monitoring system for tracking service uptime, status dashboards, and alerts.
5. **Nextcloud Server**: A private cloud platform for file synchronization, storage, and collaboration.
6. **Immich**: A self-hosted photo and video management and backup platform.
7. **Memos**: A lightweight Markdown note-taking tool with a timeline interface.
8. **Proxmox VE Helper Scripts**: Community scripts for managing LXC containers and VMs on Proxmox VE.
9. **Awesome Tunneling**: A curated list of tools for secure remote access to local services via tunneling.
10. **Self-Hosting Guide**: A comprehensive reference guide covering hardware, software, and infrastructure concepts.
This repository provides an implementation and recreation of the first published version of the Logic Theory Machine, also known as the Logic Theorist. Originally developed by Allen Newell, J. C. Shaw, and Herbert A. Simon in 1956, this program was designed to prove theorems in propositional logic using principles from Principia Mathematica. The project includes a Python-based interpreter for the IPL-I abstract machine language, tools to run the program against historical axioms and theorems, and utilities to analyze generated proofs.
Main components:
- Implementation of the 1956 Logic Theory Machine
- Propositional logic based on Principia Mathematica
- Python interpreter for the IPL-I language
- Tools for running simulations and verifying results
Needle is an experimental 26m parameter Simple Attention Network distilled from Gemini 3.1, designed to redefine tiny AI for consumer devices like phones, watches, and glasses. It specializes in single-shot function calling, outperforming larger models such as FunctionGemma-270m and Qwen-0.6B in that specific domain. The project provides fully open weights, dataset generation methods, and tools for local finetuning on consumer hardware.
* 26m parameter architecture optimized for extremely small devices.
* High performance prefill and decode speeds when running on Cactus.
* Pretrained on 200B tokens and post-trained for function calling.
* Support for local finetuning via a web UI playground or CLI.
kata is a local-first issue tracking system designed to provide a structured environment for both humans and coding agents to record tasks, decisions, links, and state changes. Unlike traditional methods that clutter git history or chat transcripts, kata uses a local SQLite database managed by a daemon to maintain a durable task ledger. It features an agent-optimized CLI with stable commands and JSON output for automation, complemented by a terminal user interface (TUI) that allows humans to easily browse, triage, and supervise agent activity.
Key aspects:
- Local-first architecture using SQLite and a background daemon
- Agent ergonomics via predictable exit codes and idempotency keys
- Human oversight through an interactive TUI
- Auditability with append-only event history and actor attribution
- Lightweight design focused on task ledger functionality rather than full project management
A post-retrieval temporal layer designed to improve RAG systems by addressing time-blindness in vector searches. This library implements validity filtering, document kind classification, and exponential decay scoring to ensure retrieved information is fresh and accurate. It functions downstream of existing vector search systems without requiring re-indexing or new infrastructure.
gitcrawl is a local-first GitHub triage tool and a drop-in caching shim for the gh CLI. It mirrors repository issues and pull requests into a local SQLite database, enabling semantic clustering and full-text search while preventing API rate limit exhaustion. This setup allows maintainers and AI agents to perform heavy read operations against a local cache rather than live GitHub servers.
Main features:
- Local SQLite storage for all issue, PR, and commit metadata.
- A gh-compatible shim that handles most read-only calls locally.
- Semantic clustering using OpenAI embeddings to group related reports.
- An interactive terminal UI for cluster browsing.
- JSON support for easy automation with AI agents.
# Incident Post-Mortem: Multi-Agent Credential Exfiltration Wave
**Date:** April 30, 2026
**Severity:** Critical (P1)
**Status:** Resolved / Patched
**Impacted Systems:** OpenAI Codex, Anthropic Claude Code, GitHub Copilot, Google Vertex AI
---
## 1. Executive Summary
Over a nine-month period leading up to April 2026, multiple research teams identified critical vulnerabilities across the industry's leading AI coding agents. Contrary to previous assumptions regarding "model hallucinations," these attacks did not target model logic; instead, they targeted **runtime credentials**. Attackers exploited the gap between the user interface and the underlying identity/authorization plane, allowing for unauthorized shell execution, sandbox escapes, and full repository takeovers via hijacked OAuth tokens and excessive service permissions.
## 2. Incident Overview
| Aspect | Description |
| :--- | :--- |
| **Primary Attack Vector** | Credential theft and privilege escalation through agentic runtime environments. |
| **Core Vulnerability Class** | Broken Access Control; Improper Input Sanitization (Command Injection); Excessive Scoping. |
| **Detection Gap** | AI agents are currently invisible to standard IAM, CMDB, and asset inventory tools. |
## 3. Root Cause Analysis (RCA)
### A. Codex: Command Injection via Parameter Obfuscation
* **Mechanism:** Maliciously crafted GitHub branch names containing semicolon/backtick subshells were passed unsanitized into setup scripts during cloning.
* **Stealth Tactic:** Attackers used Unicode U+3000 (Ideographic Space) to make malicious branches appear identical to "main" in web portals, hiding the exfiltration payload from human reviewers.
### B. Claude Code: Sandbox & Logic Bypass
* **CVE-2026-25723:** Escaped project sandbox via unvalidated command chaining (piped `sed`/`echo`).
* **CVE-2026-33068:** Permission modes were resolved from `.claude/settings.json` *before* the workspace trust dialog appeared, allowing repos to auto-disable security prompts.
* **Performance Trade-off:** A logic flaw caused the agent to stop enforcing "deny rules" once a command chain exceeded 50 subcommands to optimize for speed.
### C. GitHub Copilot: Prompt Injection in Metadata
* **Mechanism:** Instructions hidden within Pull Request descriptions or GitHub Issues triggered Remote Code Execution (RCE) or forced the agent into an unrestricted "auto-approve" mode via `.vscode/settings.json` manipulation.
### D. Vertex AI: Excessive Default Scoping
* **Mechanism:** The default service identity (P4SA) possessed overly broad OAuth scopes, granting agents access to sensitive Google services (Gmail, Drive) and internal Artifact Registries by design rather than exception.
## 4. Lessons Learned
1. **Interface ≠ System Security:** Enterprises have been approving AI *interfaces* without auditing the underlying *identities* those interfaces wield.
2. **Agent-Runtime vs. Code-Output:** Current security focus is on scanning the code an AI *writes*; however, the real threat vector is the environment in which the agent *executes*.
3. **The Speed/Security Paradox:** Developers and vendors are trading rigorous authorization checks for lower latency, creating a window of opportunity for attackers to reverse-engineer patches within 72 hours.
## 5. Corrective Action Plan (CAP)
### Immediate Technical Remediation
* **Patch Deployment:** Ensure Claude Code is ≥ v2.1.90; verify Copilot August 2025 patches.
* **Scope Reduction:** Transition Vertex AI to a "Bring Your Own Service Account" (BYOSA) model to enforce least privilege.
### Long-term Governance & Prevention
* **Identity Inventory:** Integrate AI agent identities into CIEM (Cloud Infrastructure Entitlement Management) and CMDB systems.
* **Zero Trust Input Policy:** Treat all repository metadata (branch names, PR descriptions, READMEs) as untrusted input for agentic execution.
* **Non-Human PAM:** Implement Privileged Access Management (PAM) for AI agents, treating them with the same rigor as human privileged users (rotation, scoping, and session anchoring).
* **Vendor Audits:** Mandate written documentation from vendors regarding identity lifecycle management and credential rotation policies during renewal cycles.
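As an added example that is not part of this post-mortem, the following Python module applies the "Zero Trust Input Policy" above to the branch-name vector described in section 3A: it refuses ref names that carry shell metacharacters or invisible Unicode such as U+3000, flags names that render identically to a trusted branch once invisible characters are dropped, and hands the ref to git as an argv element so that no shell ever parses it. The function names, the allowlist pattern and the sample repository URL are assumptions of this example, not part of any vendor's patch.

```python
import re
import subprocess
import unicodedata

# Allowlist for ref names an automated pipeline will accept. Deliberately stricter
# than what git itself permits (git-check-ref-format), because in section 3A the
# setup script, not git, was the component that interpreted the name.
# (Assumed pattern for this example.)
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

# Characters that let a shell start a new command, subshell or redirection.
SHELL_META = set(";|&`$<>(){}\\'\"\n\r\t ")


def classify_ref(name: str) -> list[str]:
    """Return findings for a branch/ref name; an empty list means it is acceptable."""
    findings: list[str] = []
    if not name:
        return ["empty ref name"]
    seen = set()
    for ch in name:
        if ch in SHELL_META:
            finding = f"shell metacharacter {ch!r}"
        elif ord(ch) > 0x7F:
            cat = unicodedata.category(ch)
            if cat[0] in "ZC":  # Z* separators and C* controls/format: invisible in most UIs
                finding = f"invisible non-ASCII U+{ord(ch):04X} ({unicodedata.name(ch, 'UNNAMED')})"
            else:
                finding = f"non-ASCII U+{ord(ch):04X}"
        else:
            continue
        if finding not in seen:  # report each distinct problem once
            seen.add(finding)
            findings.append(finding)
    if name.startswith("-"):
        findings.append("option-like ref (starts with '-')")
    if ".." in name or name.endswith(".lock") or name.endswith("/"):
        findings.append("ref name git would reject")
    if not findings and not SAFE_REF.match(name):
        findings.append("outside allowlist")
    return findings


def display_twin(name: str, trusted: str) -> bool:
    """True when `name` renders like `trusted` once invisible characters are removed.

    This is the detection for the U+3000 trick: "main" followed by an ideographic
    space shows up as "main" in a web portal but is a different ref to git.
    """
    def visible(s: str) -> str:
        return "".join(ch for ch in unicodedata.normalize("NFKC", s)
                       if unicodedata.category(ch)[0] not in "ZC")
    return name != trusted and visible(name) == visible(trusted)


def clone_argv(repo_url: str, ref: str) -> list[str]:
    """Build the git argv for a shallow clone of `ref`, or raise if the ref is unsafe.

    The list form is passed to subprocess.run without shell=True, and "--" stops
    git from reading the URL as an option. The pattern this replaces is building
    a string such as f"git clone -b {ref} {url}" and running it through a shell.
    """
    problems = classify_ref(ref)
    if problems:
        raise ValueError(f"refusing ref {ref!r}: {', '.join(problems)}")
    return ["git", "clone", "--depth", "1", "--branch", ref, "--", repo_url, "checkout"]


def clone(repo_url: str, ref: str) -> int:
    """Run the validated clone; returns git's exit status."""
    return subprocess.run(clone_argv(repo_url, ref), check=False).returncode


if __name__ == "__main__":
    # Constructed sample refs: one benign, one with a command separator,
    # one that is "main" plus U+3000.
    for sample in ["feature/login-fix", "main;ls", "main\u3000"]:
        print(repr(sample), "->", classify_ref(sample) or "ok",
              "| twin of main:", display_twin(sample, "main"))
```

In a CI or agent runtime the `classify_ref` and `display_twin` checks belong at the boundary where repository metadata enters the pipeline (webhook payload, `gh` output, PR description), and a hit should fail the job loudly rather than fall through to a sanitized value; `clone_argv` is the mitigation half, and its `--` separator also closes the related case of a ref or URL that begins with a dash.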