Daily AI Digest — 2026-06-24
arXiv Highlights
NatureBench: Can Coding Agents Match the Published SOTA of Nature-Family Papers?
Problem
Existing agent benchmarks either evaluate reproduction of known results (PaperBench, CORE-Bench, ReplicationBench) or optimization on ML-engineering problems lifted from Kaggle (MLE-bench). Neither setting tests whether a coding agent can invent a method that meets the SOTA of a real scientific paper. NatureBench fills that gap with 90 tasks distilled from peer-reviewed Nature-family papers, scored against the published SOTA anchor under an information firewall that hides the source method. The motivating question is sharp: when given only the data and task brief from a Nature paper, can a frontier coding agent independently reach what the authors reported?

Method: NatureGym pipeline and benchmark construction
Each task is represented as a tuple T=(A,D,M,S,B) — algorithm A, dataset D, metric M, SOTA score S, optional baseline B — and is progressively populated through three review-gated stages:
- Paper Filtering: journal-level selection requires (i) concrete algorithmic contributions with numerical SOTA claims, (ii) publicly recoverable data, (iii) scientific-ML scope.
- Dataset Acquisition and Verification: re-derives splits and verifies the held-out test set against the paper’s reported metric.
- Task Package Construction: builds a containerized environment with task brief, train data, hidden test set, and an automated evaluator.

The critical design choice is the information firewall: the agent receives the task brief and dataset but not the paper’s method section, so success requires method discovery rather than recall or reproduction. Each stage runs an LLM agent with a verify–repair loop and a human confirms critical corrections.
The benchmark covers six scientific domains across diverse modalities and ML task families (see Figure 3), with a maintainer-side reproduction protocol behind the public leaderboard.

Scoring
Performance is measured by a SOTA-relative gap g between agent score and the paper’s anchor S, with Surpass-SOTA defined as g > 0.1 (the agent meaningfully exceeds the published number on the held-out test set). Web search is disabled to prevent leakage of the original method.
Evaluation
Ten frontier configurations were tested: seven models under Claude Code (Opus 4.6/4.7, Kimi K2.6, MiniMax-M2.7, DeepSeek-V4-Pro, GLM-5.1, Qwen 3.7 Max), GPT-5.4/5.5 under Codex CLI, and Gemini 3.5 Flash under Gemini CLI. Each agent runs independently on all 90 tasks, yielding 900 logged runs.
Main results
- The strongest configuration surpasses SOTA on only 17.8% of tasks under the g > 0.1 criterion.
- Aggregated across all 900 runs, the Match-SOTA rate is 32.2% (a looser criterion than Surpass-SOTA).
- Runs whose agent method falls in the same broad family as the source paper match SOTA in 37.7% of cases, versus 29.6% when the family differs — a measurable but modest benefit to picking the right method type.
- Method-family distributions diverge sharply: paper-side methods concentrate in structured representation, statistical modeling, and pretraining/transfer; agent-side methods collapse onto supervised predictive modeling (41.4% of runs). Agents systematically translate scientific tasks into generic supervised pipelines.
- Failure analysis attributes below-SOTA and invalid runs primarily to wrong method choice and insufficient compute budget, not to task misunderstanding. Agents read the brief correctly; they just default to familiar recipes and under-train.
The authors interpret this as a methodological translation regime: agents succeed when a scientific task happens to admit a clean supervised reformulation, and fail when the source paper’s contribution lies in inductive bias, physics-informed structure, generative modeling, or domain-specific representation that the agent never considers. The six domains form a consistent difficulty gradient across all ten agents, suggesting the gap is structural rather than agent-specific.
Limitations and open questions
- The web-search firewall is necessary for fairness but unrealistic — practicing scientists do read prior work. A version with controlled retrieval would separate “method invention” from “method retrieval and adaptation.”
- SOTA anchors are single numbers from single papers; some Nature-family results may be near optimal or rely on private data variants, capping the headroom.
- “Method family” attribution is annotated post-hoc and coarse; finer-grained credit assignment for why a wrong family was chosen (prompt framing? training data priors? compute heuristics?) is left open.
- Compute budget is identified as a failure mode but not factored out: it is unclear how much of the 82.2% non-surpass rate would close if agents were given paper-level training budgets.
- The benchmark covers 90 tasks across six domains; coverage of, e.g., theory-heavy physics or wet-lab-coupled biology remains thin.
Why this matters
NatureBench reframes the agents-for-science question as can you reach published SOTA with the method hidden, and the answer at the current frontier is 17.8%. The dominant failure mode — collapsing heterogeneous scientific problems onto supervised prediction — is a concrete, actionable diagnosis that points away from larger general agents and toward method-selection priors, deeper execution budgets, and structured scientific tool use.
Source: https://arxiv.org/abs/2606.24530
DiffusionBench: On Holistic Evaluation of Diffusion Transformers
Problem
Diffusion transformer research has collapsed into a monoculture: class-conditional ImageNet-256 with FID as the headline metric. The implicit assumption is that improvements there transfer to the regimes practitioners actually care about, primarily text-to-image (T2I). The authors challenge this assumption empirically. Their core claim is that the cost argument against T2I evaluation no longer holds, and once you actually evaluate on both, the ranking of methods on ImageNet has essentially no positive correlation with the ranking on T2I benchmarks — Pearson correlation between -0.377 and -0.580 across three T2I metrics.
If that holds up, much of the recent literature improving ImageNet FID by tenths of a point is optimizing a proxy that is, at best, uninformative and, at worst, anti-correlated with the target.
The NanoGen framework
NanoGen is the lever that makes the benchmark feasible: a single DiT codebase that handles ImageNet and T2I with two changes — the dataloader and the conditioning module. Everything else (backbone, optimiser, EMA, loss, schedule) is shared.
The backbone is a Decoupled DiT (DDT) split into an encoder and a wide-shallow decoder, following RAE. The encoder consumes noisy latents plus conditioning tokens and outputs a semantic representation h; the decoder uses h to modulate AdaLN (AdaLN is removed from the encoder) and predicts the diffusion target. All conditioning is in-context: timestep and class/text tokens are prepended to the visual tokens, so swapping tasks reduces to swapping conditioning tokens:
- ImageNet: 4 timestep + 8 class tokens.
- T2I: 4 timestep + 256 text tokens (from a frozen text encoder).
Training uses AdamW with \beta_1{=}0.9, \beta_2{=}0.95, linear warmup to 2{\times}10^{-4} then decay to 2{\times}10^{-5}, gradient clip 1.0, EMA decay 0.9995. Timesteps are sampled from a logit-normal \mathcal{N}(0,1), with SD3/RAE-style dimension-dependent shifting
t_m = \frac{\alpha t_n}{1 + (\alpha-1)t_n}.
NanoGen supports RAE (frozen vision encoders as tokenisers), VAE latents, pixel-space DiTs (JiT, PixNerd, PixelGen), REG, and MeanFlow. The framework currently spans 21 trained latent diffusion models plus pixel and few-step variants.
Crucially, T2I training is not more expensive than ImageNet under this setup. Figure 2 shows wall-clock time for 100K steps on 32 H200s: latent-space methods cluster tightly between the two tasks, with pixel-space methods being the outliers in cost rather than T2I per se.

Benchmark results
Table 2 reports the ImageNet-256 sweep at 80 epochs, $$615M parameters, with the best per-method CFG selected over [0.0, 0.9]. A few concrete numbers:
- Among RAE encoders, DINOv3-B yields FID 1.74 (IS 244.2); SpatialPE-L gives FID 1.86 (IS 247.1); SigLIP2-B is markedly worse at FID 2.61.
- Among VAEs, FLUX.2-VAE dominates at FID 1.37 (IS 272.7), with FLUX.2-VAE + REG at 1.44 (IS 294.1). SD-VAE-EMA sits at 2.43, FLUX.1-VAE at 3.55, Qwen-Image-VAE at 3.01.
- End-to-end REPA-E variants compress the spread: E2E-SD3.5-VAE 1.62, E2E-VA-VAE 1.65, E2E-Qwen-Image-VAE 1.55.
- Pixel-space methods are uniformly worse: JiT 4.08, PixNerd 4.17, PixelGen 3.97.
- MeanFlow NFE=1 is at FID 6.60 and NFE=2 at 5.40.
The table also reports FDr and MIND against five backbones (Inception, ConvNeXt, DINOv2, MAE, SigLIP), which already shows that “FID” is not a single quantity: e.g., DINOv2-B has Inception-FID 1.22 but DINOv2-FID 3.26, while SD-VAE-EMA reverses the pattern (1.38 vs 7.71). Method rank depends on which encoder you score against.
The decorrelation result
The headline finding lands when these same methods are scored on GenEval, DPG-Bench, and GenAIBench after T2I training. Figure 1 plots ImageNet FID against each T2I metric across RAE and VAE methods.

Pearson correlations land in [-0.580, -0.377]. Because T2I metrics are higher-is-better and FID is lower-is-better, a positive transfer would yield negative correlations — but the magnitudes are modest and the sign is not uniformly clean across slices, leading the authors to the more cautious claim of “no strong correlation.” Concretely, the VAE that wins on ImageNet (FLUX.2-VAE) is not the VAE that wins on GenEval, and several tokenisers that look mediocre on ImageNet move up substantially on prompt-faithfulness metrics.
Qualitative T2I samples at 256×256 after 100K–200K steps (batch 1024) are shown in Figure 3 and corroborate the quantitative ordering reported in Table 3.

Limitations and open questions
The study is at 256×256, $$615M parameters, and 80–200K-step training horizons. It is plausible that the ImageNet–T2I correlation strengthens at scale, since several tokeniser pathologies that hurt T2I (e.g., poor text rendering, weak compositional structure) may interact with capacity. The T2I metrics themselves (GenEval, DPG, GenAIBench) are imperfect and partially redundant. Finally, CFG is tuned per method on ImageNet, which can advantage methods that happen to be CFG-friendly in that regime; whether the same CFG sweep is equally fair for T2I is unclear. The authors also stop short of identifying which method-level properties predict T2I quality — the negative result is sharper than the positive one.
Why this matters
If ImageNet FID is at best weakly correlated and possibly anti-correlated with T2I behaviour, then most recent DiT methodology — tokenisers, architectures, regularisers benchmarked solely on ImageNet — sits on a proxy that does not track the deployment task. NanoGen’s contribution is making the alternative cheap enough that there is no longer an excuse to skip T2I evaluation, and DiffusionBench’s 21-model sweep is the strongest empirical case to date that the field needs to move off the single-benchmark equilibrium.
Source: https://arxiv.org/abs/2606.24888
Qwen-AgentWorld: Language World Models for General Agents
Problem
A world model p(s_{t+1}\mid s_{\le t}, a_{\le t}) predicts environment dynamics given history and action. For LLM-based agents, the “environment” spans heterogeneous interfaces — shells, browsers, MCP tool calls, Android UIs, code execution — so a usable language world model (LWM) must simulate observations across all of them with enough fidelity that policies trained against it transfer to the real systems. Existing simulators are either narrow (per-domain) or low-fidelity. Qwen-AgentWorld targets a single autoregressive LWM that covers 7 domains (MCP, Search, Terminal, SWE, Android, Web, OS) and is trained explicitly with environment modeling as the objective rather than as a side-task of a general chat model.

Method
Two MoE checkpoints are released: a 35B-A3B and a 397B-A17B (active-parameter naming follows Qwen MoE conventions). Both are trained end-to-end under the slogan “CPT injects, SFT activates, RL sharpens.”

Stage 1 — CPT. Continual pre-training on non-thinking environment trajectories plus augmented “professional corpora” (man pages, API docs, shell semantics). Trajectories come from (i) dedicated infrastructure — containerized sandboxes, MCP servers, persistent shell sessions, and Android/browser/desktop VMs whose GUI states are serialized as accessibility trees and view hierarchies; (ii) cleaned public traces (terminal recordings, tool-call logs, repo execution traces) filtered through a multi-agent denoise/segment/align/score pipeline; (iii) in-house SFT trajectories reformatted into environment-trajectory form. Total: >10M trajectories. CPT, SFT, and RL pools are strictly disjoint.
Stage 2 — SFT. Activates next-state prediction as an explicit chain-of-thought pattern: before emitting o_{t+1}, the model produces a thinking trace reasoning about the action’s effect on state. Table 2 shows the SFT pool has 7,094 trajectories across the 7 domains (heaviest in Web, Terminal, Android), with average RL-pool trajectory length 19,443 tokens over 13.4 turns — these are genuinely long-context training samples (Terminal averages 34,125 tokens; MCP 62,702).
Stage 3 — RL. On-policy RL with a hybrid reward combining rule-based checks (format conformance, exact-match on deterministic fields) with rubric-based LLM judgments scoring along five dimensions (the five used by AgentWorldBench). Because RL amplifies data artifacts, most data engineering effort is spent on this stage.
Benchmark and main results
AgentWorldBench takes trajectories from 5 frontier agents on 9 established agent benchmarks, pairs each predicted observation with the real environment’s ground-truth observation, and scores along format / factuality / state consistency / domain conventions / overall. Crucially, training data and bench queries are partitioned at the data-source level so this is OOD generalization, not memorization.
On the five-dimensional rubric mean, Qwen-AgentWorld-397B-A17B is the top overall model, with clear margins on text-based domains (Terminal, MCP, SWE, Search) and competitive on GUI domains (Android, Web, OS).
Applications
The paper validates the LWM through two deployment modes (Decouple vs. Unify):
As an environment simulator for agent RL (“Sim RL”). Using a small set of Claw Agent anchor trajectories, Qwen-AgentWorld-397B-A17B synthesizes 4k OpenClaw-style environments — entirely OOD — by varying concrete states while preserving workflow structure, and rephrasing/composing user intents. Training a policy in this simulator yields +4.3 on Claw-Eval and +7.1 on QwenClawBench with no domain-specific adaptation. With controllable perturbations (deliberately injecting adversarial states the real world rarely exposes), MCPMark improves by +12.3 and WideSearch by +16.3 over uncontrolled Sim RL. Most striking: Sim RL against the LWM beats RL against a live search engine, 50.3% vs 45.6%. Fully fictional but self-consistent worlds still produce policies that transfer to real search — and structurally prevent fact leakage from simulated knowledge into the agent. Ablations identify initial-state detail as the binding constraint on Sim RL gains.
As an agent foundation model (Unify). The LWM training objective itself lifts the downstream agent’s ceiling when the same backbone is then SFT/RL’d as a policy.
Reasoning analysis
A manual analysis of 129 thinking traces (32–33 turns each in Terminal/MCP/Search/SWE) finds 1,347 “Wait!” self-correction interrupts, averaging 10.4 per turn and peaking at 56 in one SWE turn. Terminal and MCP have the highest rates (16.9 and 12.7), consistent with their heavier state-tracking load. Self-corrections decompose into factual (e.g., fixing an API response format), epistemological (recognizing what is not computable in-context — e.g., refusing to fabricate np.random.seed(42) outputs and emitting only the correct format), and perspective-taking (separating agent-known from environment-revealed facts to prevent answer leakage in Search). This converts observation prediction from single-pass generation into a form of constrained satisfiability search.
Limitations and open questions
- AgentWorldBench scores depend partly on rubric LLM judges; the appendix’s rule-based corroboration is reported as supplementary rather than primary.
- GUI domains lag text domains, consistent with the textualization (accessibility tree, view hierarchy) losing pixel-level information that real GUI agents now exploit.
- Sim RL is bottlenecked by initial-state specification; the paper doesn’t quantify how state-completeness scales with downstream transfer.
- The 397B-A17B vs. 35B-A3B gap suggests fidelity is still parameter-hungry; cost of using a 397B simulator inside an RL loop is substantial and not benchmarked against real-environment wall-clock.
- Generalization is tested on OpenClaw and search; structurally different domains (e.g., physical robotics, multi-agent economies) remain open.
Why this matters
A language world model that is faithful enough across 7 interactive domains to beat live-engine RL on search (50.3 vs 45.6) is the first concrete evidence that simulator-in-the-LLM can replace real environments for agent training at scale, not just for toy tasks. If state-completeness is the binding constraint rather than dynamics modeling, the path forward for agent RL shifts from collecting more real rollouts to designing richer initial-state distributions.
Source: https://arxiv.org/abs/2606.24597
MobileForge: Annotation-Free Adaptation for Mobile GUI Agents with Hierarchical Feedback-Guided Policy Optimization
Problem
MLLM-based mobile GUI agents need to be adapted to specific target apps, but apps are numerous, frequently updated, and impractical to cover with human-written tasks, demonstrations, or scalar reward labels. Existing annotation-free GUI learning pipelines reduce manual supervision but suffer two structural deficiencies: (i) they lack a unified substrate that ties together target-app exploration, curriculum mining, rollout execution, and evaluation; (ii) policy optimization runs on isolated rollouts under sparse, coarse rewards, which makes it hard to turn weak feedback into useful gradient signal at the step level. MobileForge attacks both by building an interaction/evaluation environment and a policy-optimization algorithm that share the same trajectory data.

Setting and notation
The agent operates in sequential GUI control. At attempt k, step t, the state is
s_k^{(t)} = (x, I_k^{(t)}, \mathcal{H}_k^{(t)}, \eta_{<k}),
where x is the generated task, I_k^{(t)} the screenshot, \mathcal{H}_k^{(t)} the interaction history, and \eta_{<k} corrective hints from previous attempts on the same task. The policy emits a structured action a_k^{(t)} = (\alpha_k^{(t)}, \psi_k^{(t)}) \sim \pi_\theta(\cdot \mid s_k^{(t)}), with action type \alpha \in \{\text{tap, swipe, type, wait, terminate, answer, navigate}\} and arguments \psi (coordinates, text, direction, status). A rollout is \tau_k = (s_k^{(1)}, a_k^{(1)}, \dots, s_k^{(T_k)}, a_k^{(T_k)}). Crucially, the environment provides no dense scalar reward; rewards R are constructed post-hoc from evaluator labels z, \ell.
Method
MobileForge has two coupled components: MobileGym (the substrate) and HiFPO (the optimizer). The overall loop is
\begin{aligned} \mathcal{Z} &\leftarrow \operatorname{Explore}(\mathcal{E}), \quad \mathcal{T} \leftarrow \operatorname{Curriculum}(\mathcal{Z}),\\ \{\tau_k\}_{k=1}^K &\leftarrow \operatorname{Rollout}(\pi_\theta, x, \eta_{<k}),\quad \mathcal{F}_k \leftarrow \operatorname{Critic}(x, \tau_k),\\ \mathcal{D} &\leftarrow \operatorname{HiFPO}(\mathcal{T}, \tau, \mathcal{F}), \quad \theta' \leftarrow \operatorname{GRPO}(\theta, \mathcal{D}). \end{aligned}

MobileGym explores reachable GUI states \mathcal{Z} in target apps, mines executable, trajectory-grounded tasks \mathcal{T} via MobileGym-Curriculum, executes rollouts, and—via MobileGym-Critic—produces hierarchical feedback \mathcal{F}_k: trajectory-level pass/fail outcomes z, step-level process labels \ell identifying useful vs harmful actions, and natural-language corrective hints \eta that feed forward to the next attempt on the same task.

HiFPO turns this feedback into a policy gradient. Hints from earlier attempts \eta_{<k} are placed in the state during rollout, so the policy learns hint-conditioned recovery. The hierarchical critic is used to (a) filter tasks (e.g., discard tasks that are unsolvable or trivially solved across attempts—the standard GRPO-advantage degeneration case) and (b) select steps within retained trajectories. Step-level labels \ell and outcome labels z are converted into numeric rewards R that drive a step-level GRPO update over a group of attempts on the same x. Because hints are part of the conditioning context, the update is what the paper calls hint-contextualized step-level GRPO: advantages are computed within groups that share the task but may differ in their hint context, isolating credit for the action choice given the context. Filtering with hierarchical feedback addresses a well-known weakness of pure GRPO on sparse-reward GUI rollouts, where most groups collapse to zero advantage.
Results
The headline number: starting from Qwen3-VL-8B and using only automatically generated annotation-free adaptation data, MobileForge reaches 67.2% Pass@3 on AndroidWorld (116 tasks), close to the closed-data GUI-specialized GUI-Owl-1.5-8B base. This is on the in-domain protocol, where MobileForge explores the AndroidWorld app ecosystem itself for exploration, curriculum mining, and HiFPO rollouts. Evaluation reports Pass@1/2/3, and the gain from a general 8B VLM to a GUI specialist’s performance is the key claim.
The paper additionally evaluates on MobileWorld GUI-only (117 tasks) as an out-of-distribution test where no MobileWorld task, rollout, or feedback is used for adaptation—isolating whether the adaptation generalizes beyond the apps used for curriculum mining.
Limitations and open questions
- The reported headline is Pass@3, which permits up to two failed attempts before a success counts; absolute Pass@1 is the more telling robustness metric and the abstract does not surface it.
- Quality of MobileGym-Critic upper-bounds everything downstream. The paper does not (in the excerpts) characterize critic precision/recall on step-level labels, which directly controls the noise floor of HiFPO rewards.
- Hint-contextualized GRPO conflates two improvements—better state conditioning (\eta_{<k} at inference) and step-level reward shaping. An ablation isolating each would clarify the source of the gain.
- Exploration-driven curriculum mining is biased toward easily reachable states; long-horizon tasks behind authentication or rare states are likely undersampled.
- Generalization to apps with frequent UI churn (the motivating problem) requires a longitudinal evaluation, not a single benchmark snapshot.
Why this matters
If annotation-free pipelines can match closed-data GUI specialists, the dominant cost of mobile-agent deployment—per-app human task authoring and demonstration collection—largely disappears, and adaptation becomes a property of the runtime rather than the dataset. The technical lever is converting weak, language-form critic feedback into step-level GRPO signal, which is broadly applicable beyond GUI control to any sparse-reward agentic setting where an LLM judge can produce process-level hints.
Source: https://arxiv.org/abs/2606.19930
MemGUI-Agent: An End-to-End Long-Horizon Mobile GUI Agent with Proactive Context Management
Problem
MLLM-based mobile GUI agents perform adequately on short-horizon tasks (open app, tap button, type query) but degrade on long-horizon workflows that span multiple apps and require carrying intermediate facts — e.g., copy a flight number from a confirmation email, switch to a calendar app, paste, then return to messaging to forward a summary. The dominant failure mode, the authors argue, is structural rather than perceptual: ReAct-style prompting accumulates a per-step (thought, action, observation) log that grows linearly with horizon length. Two pathologies follow. First, prompt explosion: by step 30 the screen-by-screen UI snapshots and reasoning traces saturate the context window. Second, dilution: facts that matter cross-app (an OTP, a price, a recipient address) sit buried among hundreds of irrelevant elements from intermediate screens, so attention over the context cannot reliably retrieve them.
This matters because most realistic mobile assistant tasks — booking, multi-step purchases, cross-app information transfer — are long-horizon, and benchmark gaps between short and long tasks are widening as base MLLMs improve at single-step grounding.
Method: Context-as-Action (ConAct)
The central abstraction is to treat context management as a first-class action class emitted by the same policy that emits UI actions. Concretely, at each step the policy \pi_\theta samples either a UI action a^{\text{ui}}_t (tap, swipe, type, app-switch) or a context action a^{\text{ctx}}_t that mutates a structured memory state M_t. The memory is partitioned into three explicit fields:
- Folded action history H_t: a compressed trace of prior actions where redundant or irrelevant past steps are collapsed into summarized entries by explicit fold operations.
- Folded UI state S_t: a compressed record of salient UI observations — only those elements the policy decides to retain (e.g., an email body containing a confirmation number), not the raw accessibility tree.
- Recent step record R_t: a small sliding window of the most recent verbatim
(action, observation)pairs, providing local context for the next decision.
The full context fed to the model at step t is the concatenation C_t = [H_t; S_t; R_t; o_t] where o_t is the current screen. The policy factorizes as
p(a_t \mid C_t) = \pi_\theta(a^{\text{ui}}_t \cup a^{\text{ctx}}_t \mid C_t),
with context actions including operations like fold_history(span, summary), extract_ui_fact(field, value), and evict(field). Because these operations are emitted by the same autoregressive head, no separate memory controller or retrieval module is needed, and the policy can interleave context maintenance with task execution — e.g., emit extract_ui_fact("flight_no", "AA231") immediately after viewing the confirmation email, before switching apps.
The key contrast with ReAct is that ConAct’s context update is proactive and learned rather than passive accumulation: the policy decides what to remember, what to summarize, and what to discard, conditioned on the global task.
Data and Training
To make ConAct learnable, the authors construct MemGUI-3K, a dataset of 2,956 trajectories with full ConAct annotations — i.e., every trajectory has not just UI actions but also the fold/extract/evict actions that would produce a well-managed context. Annotation produces ground-truth memory states M_t at each step, so supervised training reduces to standard next-token prediction over interleaved UI and context actions:
\mathcal{L}_{\text{SFT}} = -\sum_t \log \pi_\theta(a_t \mid C_t).
This is a notable design choice: rather than relying on RL with horizon-dependent reward, they cast proactive memory as imitation of annotated context-management decisions. The dataset therefore doubles as offline analysis material — one can measure context size, fact retention rates, and eviction quality independently of end-task success.
Training an 8B MLLM backbone on MemGUI-3K yields MemGUI-8B-SFT.
Results
The abstract reports MemGUI-8B-SFT achieves the best open-data 8B performance on Mobile-Agent–style long-horizon benchmarks. Specific numbers beyond the 8B SOTA claim and the 2,956-trajectory dataset size are truncated in the provided abstract. The framing — comparing against ReAct baselines at matched scale — suggests gains concentrate on long-horizon tasks where context dilution is most acute, with comparable or modest improvements on short tasks where memory pressure is low.
Limitations and open questions
Several issues are visible from the design. (1) ConAct quality is bounded by annotation quality: deciding which UI fact deserves extraction is itself subjective, and supervised imitation may overfit annotator heuristics rather than learn task-conditional necessity. (2) The three-field memory is hand-designed; whether (H, S, R) is the right partition versus a flatter learned slot memory is not ablated in the abstract. (3) There is no RL fine-tuning stage, so the policy never sees the downstream cost of poor eviction decisions — a fact wrongly discarded at step 5 only manifests as failure at step 25. (4) 8B-only results leave open whether ConAct provides marginal gains at 70B+ where larger context windows partially absorb the prompt-explosion problem. (5) Compute and inference-latency comparisons against simple summarization baselines (periodic LLM-based context compression) are needed to isolate the contribution of learned, action-level memory control.
Why this matters
Long-horizon GUI agency is bottlenecked less by perception and more by working-memory management, and ConAct is a clean reframing: emit memory operations as actions and learn them via imitation, rather than bolting on a retrieval module. If the 8B SOTA result holds up on independent long-horizon benchmarks, this argues for treating context curation as part of the policy’s action space across agentic domains beyond mobile UIs.
Source: https://arxiv.org/abs/2606.19926
OpenThoughts-Agent: Data Recipes for Agentic Models
Problem
Open work on agentic LM training data (SWE-Smith, SERA, Nemotron-Terminal) has optimized for a single benchmark, leaving unclear how to assemble SFT corpora that generalize across coding and terminal agents. OT-Agent attempts a systematic, ablation-driven recipe: which task sources, instruction rewrites, trajectory filters, and scaling strategies actually transfer? The deliverable is a 100K (task, trajectory) SFT dataset and a Qwen3-32B fine-tune evaluated on seven agentic benchmarks, scoring 44.8% average vs. 40.9% for Nemotron-Terminal-32B.
Pipeline and ablation methodology
The SFT pipeline is six stages — task sourcing, instruction rewriting, trajectory generation, trajectory filtering/scoring, upsampling, and mixing — each ablated independently against a held-out triplet of benchmarks (SWE-Bench Verified-100, OT-TBLite, Terminal-Bench 2.0).

To rank candidate strategies across heterogeneous benchmark scales, the authors compute a per-benchmark z-score
z_{s,b} = \frac{a_{s,b} - \mu_b}{\sigma_b}
for strategy s on benchmark b, then average over b. Ablations run at 10K examples (cost-effective, signal-bearing), with trajectories generated by GLM-4.7-AWQ acting as teacher in the terminus-2 harness inside Daytona sandboxes. More than 100 controlled runs feed the final recipe.
The selected source mix is the “Top-4”: swe-smith, stackexchange-superuser, stackexchange-tezos, and issue-tasks. Filtering retains only trajectories with \geq 5 turns, a heuristic that survives ablation as a strong signal for non-trivial agent behavior. A response-length signal from gpt-5-nano is used as a soft upsampling weight rather than a hard top-k cut, so every unique task receives at least one rollout.
Scaling: where the recipe actually breaks
Naïvely scaling by generating more rollouts per task (Method 1) plateaus between 31.6K and 100K (+3pp SWE-Bench Verified-100, −2pp Terminal-Bench 2.0, within standard error), pinning the bottleneck to task-description diversity rather than rollout count.

Adding raw sources (Method 4) does not fix this: Top-8 gives mixed lift over Top-4 (SWE-Bench Verified-100 49.00 vs 45.33; Terminal-Bench 2.0 22.85 vs 21.72), and Top-16 regresses across the board (40.33 / 33.14 / 20.60). The remaining lever is synthetic task augmentation (Method 3): the Tezos subset (only 997 unique tasks, ~902 distinct surface forms) is rewritten using the instruction-rewriting strategies from Section 3.3, expanding to over 21K surface forms without introducing new underlying problems. The \geq 5-turn filter is then applied uniformly across all four sources.
This unlocks continued scaling. At 100K, the 32B SFT model (OpenThoughts-Agent-v2) reaches 26.2% on Terminal-Bench 2.0, 41.3% on OT-TBLite, and 55.7% on SWE-Bench Verified-100 — monotonic gains of +7.7pp on SWE-Bench Verified-100 and +5.0pp on Terminal-Bench 2.0 over the 31.6K checkpoint.

The aggregate headline: 44.8% averaged over seven agentic benchmarks for Qwen3-32B fine-tuned on OT-Agent-v2, +3.9pp over Nemotron-Terminal-32B (40.9%), and OT-Agent dominates alternative open datasets at every controlled training-set size.
Reinforcement learning extension
The RL study is restricted to the 8B regime for cost. Training uses async RLOO with binary rewards from verifier outcomes (expect PASS: PASS, expect FAIL: FAIL for all tests). The cold start is OT-Agent-ColdSFT-8B, distilled from SWE-Smith traces generated by GLM-4.7-AWQ with thinking. The hero run uses 24×A100 80GB, batch size 64, ~46 hours wallclock. The setup parallels SWE-Smith / R2EGym: dockerizable repos, flawed commits with failing tests, natural-language issue statements. The RL ablations mirror the SFT ones in spirit (data-source sensitivity), positioning RL as a follow-on to the SFT recipe rather than a replacement.
Limitations and open questions
- Ablations are conducted at 10K and judged on three benchmarks; the z-score ranking can over-weight stages where between-strategy variance is artificially compressed.
- The diversity bottleneck is plausibly an artifact of the chosen sources; the paper does not show that augmentation beats simply ingesting genuinely new task corpora at larger scale.
- Synthetic augmentation reuses 997 underlying Tezos problems — gains may saturate as augmentation density rises and surface-form rewrites stop conveying new reasoning patterns.
- The teacher (GLM-4.7-AWQ) is a strong but specific distribution; how much of the gain is recipe vs. teacher quality is not isolated.
- RL is studied only at 8B with binary rewards; transfer to 32B and denser reward shaping is open.
- Seven-benchmark averaging hides per-benchmark trade-offs (e.g., Terminal-Bench 2.0 actually regressed during Method-1 scaling).
Why this matters
Open agentic post-training has been dominated by one-benchmark recipes and uncontrolled scaling. OT-Agent demonstrates, with disciplined ablation, that task-description diversity — not rollouts, not raw source count — is the binding constraint, and that synthetic instruction rewriting is sufficient to break the plateau. The fully released pipeline gives the community a concrete, reproducible baseline against which future agentic SFT and RL data work can be measured.
Source: https://arxiv.org/abs/2606.24855
FLAT: Feedforward Latent Triangle Splatting for Geometrically Accurate Scene Generation
Problem
Feedforward single-image-to-3D pipelines built on video diffusion priors typically decode latents into 3D Gaussian splats. Gaussians render well but lack a defined surface, making them poor inputs to simulators, mesh extractors, or any graphics pipeline that assumes oriented geometry. The natural alternative — surface-aligned primitives such as flat triangles — is known to be hard to optimize: gradients with respect to triangle orientation are unstable, and rasterization weights tend to vanish off-edge, causing two of three vertices to receive negligible signal. FLAT asks whether a frozen video diffusion model’s latents can be decoded directly to triangle splats in a single forward pass, recovering both surface alignment and high-fidelity novel-view synthesis.

Method
The pipeline (Figure 2) takes a single RGB image \mathbf{I}_0 and a target trajectory \{\mathbf{P}_t\}_{t=1}^T with \mathbf{P}_t=(\mathbf{K}_t,\mathbf{R}_t,\mathbf{t}_t). A point-cloud-based control video, rendered along the trajectory from monocular depth, conditions the frozen Uni3C video diffusion model together with camera embeddings. The denoised latent \mathbf{z}\in\mathbb{R}^{F'\times C'\times H'\times W'} is fused with the camera latent and passed to a trainable scene decoder that emits per-pixel-of-latent triangle parameters in world space.

Two design choices make triangle regression tractable:
Ray-centered rotation parameterization. Rather than predicting a free SO(3) rotation for each triangle (where small angular errors in any axis cause large misalignment between the triangle plane and the visible surface), FLAT anchors each triangle to the pixel ray. The decoder predicts a depth d along the camera ray, an in-plane rotation, and tangential offsets defining vertex positions on a plane through that ray-point. The triangle is thus constrained to face the camera at initialization; only the residual orientation around the ray needs learning. This collapses the rotation manifold the decoder must navigate and dramatically improves gradient flow during the early training regime where vertices would otherwise drift outside their rendering footprint.
Product window function. Standard triangle rasterizers use either sigmoids of signed distance to each edge (which decay sharply outside the triangle and starve far-side vertices of gradient) or max-edge distance (which only routes gradient through the nearest edge’s two vertices). FLAT instead uses the product of per-edge soft indicators, schematically
w(\mathbf{p}) = \prod_{e=1}^{3} \sigma\!\left(-\,s_e\, d_e(\mathbf{p})/\tau\right),
where d_e is the signed distance to edge e. The product form extends non-zero influence beyond the triangle boundary while ensuring every sample contributes gradient to all three vertices (Figure 3), because each factor depends on the two vertices defining its edge. This is the key trick that turns triangle splatting from a pathological regression target into a stable feedforward prediction problem.

Training data and supervision
The model is pretrained on 25,000 S3OD images with Uni3C-synthesized videos plus regenerated RealEstate10K and DL3DV sequences (so the decoder sees the diffusion model’s actual latent distribution rather than ground-truth video latents), then finetuned on real RealEstate10K/DL3DV videos. All scenes are aligned to metric scale via MapAnything depth and camera predictions, and pseudo-GT normals from NormalCrafter supervise surface orientation. Following the protocol of Lyra, Bolt3D, and Wonderland, evaluation targets feedforward novel-view synthesis from a single image.
Results
The paper’s central claim — supported in Figure 4 — is that triangle splats deliver substantially cleaner geometry than Gaussian baselines while maintaining rendering fidelity. The Gaussian representations the authors compare against are tuned for visual quality and produce volumetrically thick, surface-ambiguous reconstructions; FLAT’s triangles align to surfaces, yielding sharper depth and normal maps with comparable PSNR. (Specific PSNR/SSIM/LPIPS/depth-error tables are referenced in the evaluation protocol following Lyra/Bolt3D/Wonderland, though the excerpt available here does not enumerate the final numbers; the qualitative claim is finer, more accurate geometry at preserved rendering quality.)
Limitations and open questions
- The system depends on a frozen Uni3C video diffusion model; quality is upper-bounded by Uni3C’s adherence to camera conditioning, which the authors explicitly note fails on challenging trajectories (requiring MapAnything pose re-estimation on generated videos).
- Triangles are decoded one-per-latent-pixel; very thin or high-frequency geometry may still be under-sampled, and the representation does not produce a watertight mesh.
- Supervision relies on pseudo-GT normals from NormalCrafter and metric depths from MapAnything; systematic errors in either propagate into surface predictions.
- It is unclear how the product window function interacts with overlapping triangles in the rasterizer’s depth sort, and whether the soft boundaries cause silhouette bleeding for foreground objects against distant backgrounds.
Why this matters
FLAT is the first demonstration that explicit, surface-aligned triangle primitives can be regressed directly from video diffusion latents in one forward pass. If the geometry quality holds up quantitatively against Gaussian feedforward decoders, it provides a path from generative video priors to assets usable in standard graphics and simulation pipelines without per-scene optimization or post-hoc meshing — closing a meaningful gap between neural scene generation and downstream 3D tooling.
Source: https://arxiv.org/abs/2606.24876
Hacker News Signals
Qwen-AgentWorld: Language World Models for General Agents
Qwen-AgentWorld proposes training language world models (LWMs) to serve as simulators for agent policy learning. The core idea: instead of interacting with real environments, an agent queries a language model that predicts next observations and rewards given a history of actions and states — essentially a text-based transition function P(o_{t+1}, r_t \mid s_t, a_t). The paper frames this as enabling offline or low-cost agent training without environment access.
The architecture couples a world model (predicting environment dynamics) with a policy model trained against it. Both are built on Qwen base models. The world model is fine-tuned on trajectories from diverse environments to generalize across tasks. A key claimed contribution is the use of the world model as a training signal rather than just an evaluator — the policy is updated via rollouts inside the LWM, analogous to Dyna-style model-based RL but operating entirely in token space.
Evaluations span tool-use and web-navigation benchmarks. The approach shows gains on AgentBench-style tasks, though the degree to which LWM-generated rollouts faithfully represent real environments remains the main open question — distribution shift between the simulated and real transition dynamics can compound over multi-step rollouts.
Limitations: hallucinated transitions in long-horizon tasks, dependency on trajectory data quality for world model training, and unclear scaling behavior relative to simply collecting more real environment data.
Source: https://arxiv.org/abs/2606.24597
Show HN: Neural Particle Automata
Neural Particle Automata (NPA) is a continuous-space self-organizing system where particles update their positions and internal states using a learned neural network applied locally to neighborhood information. Unlike cellular automata (which operate on fixed grids) or Lenia (which uses convolution kernels on grids), NPA operates on unstructured point clouds, making it more flexible for irregular spatial configurations.
Each particle carries a state vector. At each timestep, a shared MLP reads the relative positions and states of nearby particles within some radius, producing a velocity and a state update. The dynamics are therefore translation-equivariant by construction (relative positions as input) and the same network governs all particles. Training targets emergent behaviors — stable patterns, swarming, replication — using differentiable simulation and a loss defined on aggregate pattern statistics.
The demo shows particles self-organizing into stable structures from random initializations, with the network trained end-to-end via backpropagation through the simulation steps. This is close in spirit to Neural Cellular Automata (Mordvintsev et al.) but removes the grid constraint. The computational cost scales with neighborhood queries, which can be accelerated with spatial hashing or k-d trees but becomes expensive at large particle counts.
Interesting open questions: whether discovered rules generalize across scales, whether gradient flow through many simulation steps is stable (exploding/vanishing gradients through particle interactions), and whether the learned rules are interpretable.
Source: https://selforg-npa.github.io/
Mistral OCR 4
Mistral OCR 4 is a document understanding model positioned as a multimodal document parser rather than a classical OCR pipeline. The announcement emphasizes structured output fidelity: tables, equations, code blocks, and mixed-layout documents with embedded images are extracted with layout-aware formatting rather than raw text sequences.
Technically, the model appears to be a vision-language model fine-tuned heavily on document corpora, outputting Markdown with preserved structural semantics. Mistral claims state-of-the-art on standard OCR benchmarks and highlights specific capabilities: nested table extraction, LaTeX-formatted equation output, and handling of multi-column academic paper layouts — all areas where general-purpose VLMs degrade.
The API returns structured JSON alongside the Markdown, enabling downstream parsing pipelines to access page-level metadata, bounding box information, and confidence signals per element type. This is meaningful for RAG pipelines where chunking strategy should follow document structure rather than token windows.
Pricing operates per-page, with a free tier. The main competitive context is against AWS Textract, Azure Document Intelligence, and Google Document AI, plus specialized models like Surya or Marker. Mistral’s differentiator is the quality of LaTeX equation recovery and its integration with their broader model ecosystem.
Limitations not addressed: performance on handwritten text, non-Latin scripts at scale, and degraded scans. No open weights, so auditability and fine-tuning are unavailable. The lack of a published technical report makes it hard to assess what training data or architecture changes underlie OCR 4 relative to earlier versions.
Source: https://mistral.ai/news/ocr-4/
The text in Claude Code’s “Extended Thinking” output is not authentic
This post makes a specific technical claim: the “thinking” tokens surfaced in Claude Code’s extended thinking display are not a faithful rendering of the model’s internal chain-of-thought but are instead generated separately or post-hoc, potentially for display purposes rather than being causally upstream of the final answer.
The argument draws on behavioral experiments: modifications to the displayed thinking text do not affect the final output, the thinking content sometimes contains statements inconsistent with the final answer’s reasoning path, and the latency profile does not match what one would expect if the displayed tokens were actually being processed before the response. These are indirect probes since the model internals are inaccessible.
This matters for a specific technical reason: extended thinking is marketed as a transparency mechanism — a way to audit model reasoning and catch errors. If the displayed reasoning is decorative rather than mechanistic, then using it for debugging or verification of agentic code-writing steps is unsound. The problem is distinct from the general “faithfulness of chain-of-thought” literature (Turpin et al., 2023), which addressed whether CoT accurately reflects latent computation even when it does influence output; here the claim is stronger — the text may not be connected to computation at all.
Anthropic has not publicly confirmed or denied the specific architecture. From what is publicly known about “extended thinking” models, the thinking tokens are generated autoregressively before the response and are within the context, so the post’s behavioral evidence warrants scrutiny. The experiments are suggestive but not definitive given confounding factors in API-level testing.
Source: https://patrickmccanna.net/the-text-in-claude-codes-extended-thinking-output-is-not-authentic/
AI’s Affordability Crisis
David Rosenthal’s post is an infrastructure economics argument, not a product critique. The core claim: the current AI compute stack is structurally unaffordable for the long tail of use cases and organizations, and the industry is obscuring this through subsidized API pricing and hyperscaler cross-subsidization.
The technical substance centers on cost-per-token accounting. Rosenthal walks through the capital costs of H100/H200 clusters, the utilization rates achievable in practice (well below theoretical maximums due to batching inefficiencies, KV cache pressure, and I/O bottlenecks), and derives estimates for sustainable per-token pricing that significantly exceed current market rates. The implied conclusion: current pricing is below cost, which either reflects a subsidy race to acquire users or an assumption that future hardware cost curves will validate the economics.
He connects this to the inference scaling regime — longer context, longer chains-of-thought, and agentic multi-step workloads multiply per-query costs nonlinearly. A single extended reasoning query can consume compute equivalent to hundreds of standard completions. At enterprise or consumer scale, this breaks the unit economics that justify current application architectures.
The broader systems point is that hardware procurement cycles (18-24 months from order to deployment), power infrastructure buildout (years), and cooling capacity are hard constraints that do not respond elastically to demand. The assumption that cost curves will fall fast enough to rescue the economics relies on architectural breakthroughs (e.g., sub-quadratic attention, more efficient training) whose timelines are uncertain.
Worth reading alongside the Chinchilla scaling literature and Hoffmann et al.’s cost-optimal training analysis.
Source: https://blog.dshr.org/2026/06/ais-affordability-crisis.html
Usbliter8: an A12/A13 SecureROM Exploit
Usbliter8 is a SecureROM (BootROM) exploit targeting Apple’s A12 and A13 SoCs, following in the lineage of checkm8 (A5–A11) and aiming to extend unpatchable hardware-level access to newer devices including iPhone XS through iPhone 11 series.
The technical mechanism exploits a vulnerability in the USB stack within SecureROM — specifically in how DFU (Device Firmware Update) mode handles USB control transfers. The BootROM USB implementation is minimal and does not have all the protections of the main OS USB stack. The exploit appears to involve a memory corruption condition triggered via carefully timed USB transactions, allowing arbitrary code execution in the SecureROM context before the secure boot chain validates the bootloader.
BootROM exploits are significant because SecureROM is mask ROM — it cannot be patched via software updates. Any device with a vulnerable SoC remains exploitable for the hardware lifetime. This is the same property that made checkm8 durable. The exploit enables jailbreaking, research into the Secure Enclave Processor (SEP) interface, and forensic access — the last of which has legal/governmental tooling implications (e.g., Cellebrite, GrayKey use BootROM-level access).
The A12 raises the stakes slightly over checkm8’s range because A12 introduced the second-generation Secure Enclave and pointer authentication codes (PAC). Whether usbliter8 bypasses PAC constraints in the BootROM context or simply operates before PAC is active is technically relevant and not fully detailed in the public write-up at time of posting.
Source: https://ps.tc/pages/blog-usbliter8.html
Algorithmic Monocultures in Hiring
The Stanford HAI piece reports on research examining racial bias in AI-based hiring screening tools. The technical substance is about correlated error across systems — the monoculture problem — rather than bias in any single system in isolation.
When multiple employers independently adopt the same or similar embedding-based resume screeners (often from a small number of vendors: HireVue, Pymetrics, and a few others dominate the market), candidates rejected by one system are systematically rejected by many. This is because the shared underlying model architecture and training data produce correlated false negatives. In a competitive labor market, a candidate who falls outside the distribution the model was trained on — which, given historical data, correlates with race, educational institution prestige, and naming patterns — faces not a single biased gatekeeper but many identical ones.
The formal structure: let p_i be the probability of rejection by screener i. Under independent screeners with shared model M, p_i = f(M, x) for all i, so rejections are perfectly correlated rather than independent. Candidates cannot diversify their risk across employers the way they could with human reviewers who have idiosyncratic biases.
The research uses audit methodology: synthetic resumes with matched qualifications but race-correlated name signals, submitted across a set of employers known to use specific tools. Callback rate disparities are documented.
The open technical question is whether adversarial debiasing, diverse model ecosystems, or regulatory disclosure requirements can break the monoculture. The monoculture framing connects to broader systems reliability arguments about correlated failure modes from shared dependencies.
Source: https://hai.stanford.edu/news/ai-hiring-tools-can-yield-racial-bias-and-systemic-rejection
Show HN: Recall – Local project memory for Claude Code
Recall is a CLI tool that maintains a persistent, project-local memory store for Claude Code sessions. The problem it addresses: Claude Code’s context window resets between sessions, losing accumulated project-specific knowledge (file structure rationale, architectural decisions, recurring patterns, known bugs).
The implementation stores notes as plaintext or Markdown files in a .recall/ directory at the project root. A CLI interface lets developers write, tag, and retrieve memory entries, which are then injected into the Claude Code system prompt or CLAUDE.md at session start. There is no embedding-based retrieval — it is keyword-filtered or full-context injection depending on configured strategy and total token budget.
The design choice to use flat files rather than a vector database is deliberate: it keeps the tool auditable, git-committable (team-shared memory), and avoids the dependency overhead of running a local embedding model or vector store. The tradeoff is that retrieval does not scale gracefully beyond a few hundred entries before context budget becomes a constraint.
An interesting engineering choice: the tool hooks into Claude Code’s CLAUDE.md convention, which Anthropic documents as the canonical way to inject persistent context. This means Recall is layering on a supported interface rather than monkey-patching the CLI, making it more robust to Claude Code updates.
Limitations: no automatic extraction of memory from conversation history (entries are manually written), no deduplication, and the full-context injection strategy will degrade on large projects as memory grows. The repo is early-stage with limited test coverage. For teams, merge conflicts on .recall/ files are a practical concern not addressed in the current design.
Noteworthy New Repositories
portbuster1337/ArachneC2
A decentralized command-and-control framework built on top of libp2p, the same peer-to-peer networking stack that underlies IPFS and libp2p-based blockchain nodes. Rather than routing agent traffic through a central teamserver — the single point of failure and the obvious network IOC in traditional C2 architectures — ArachneC2 routes implant communications across a libp2p DHT overlay. Each node participates in the mesh, so there is no fixed C2 IP to block or take down. The framework leverages libp2p’s multiplexed streams and noise protocol handshake for transport security, giving operators encrypted, authenticated channels without rolling their own crypto. The decentralized topology also complicates attribution: traffic resembles generic p2p application noise rather than beaconing to a known domain or IP. From an operator perspective this means resilience under infrastructure takedown and harder network-layer detection. The tradeoff is operational complexity — managing a DHT-based implant mesh is harder to debug than a simple HTTP teamserver, and timing side-channels in p2p traffic are an active research area for defenders. Relevant to red teams studying detection-resistant infrastructure and to blue teams building behavioral detections that must survive the absence of central C2 indicators.
Source: https://github.com/portbuster1337/ArachneC2
jestasecurity/thumper
Thumper is a canary-token system specifically designed to catch the Shai-Hulud npm worm, which scans the filesystem for credential files (.npmrc, .env, AWS config, etc.) and exfiltrates any secrets it finds. The defense is straightforward: plant syntactically valid but revoked or monitored credentials in exactly the paths the worm probes, and instrument those credentials so that any read or use triggers an alert. Thumper automates the generation and placement of these decoy files, integrates with monitoring hooks to fire the moment a credential is accessed, and does so entirely offline with no SaaS dependency. The technical approach is classic tripwire — the novelty is the threat-specific placement logic tuned to Shai-Hulud’s known scanning patterns. Because the worm operates by reading files rather than executing them, filesystem-level audit hooks (inotify on Linux, FSEvents on macOS) provide sub-second detection latency. The free, open-source build means defenders can audit exactly what credentials are planted and verify none are live. Useful for any node.js-heavy environment running untrusted or third-party packages, which is most production stacks. The main limitation is that it is reactive to one worm’s known behavior; a variant that skips known decoy paths would evade it.
Source: https://github.com/jestasecurity/thumper
PentesterFlow/agent
An agentic offensive-security assistant that runs entirely in the terminal, targeting penetration testers who want LLM-assisted enumeration and exploitation without leaving the CLI. The agent loop connects a reasoning model to a tool layer that wraps standard pentest utilities — nmap, gobuster, sqlmap, curl, and similar — and iterates through recon, vulnerability identification, and exploitation steps with tool-call results fed back into the context. The architecture follows the standard ReAct-style loop: observe, reason, act, repeat. What distinguishes it from a generic code-execution agent is domain-specific prompt engineering, a curated tool registry with pentest-appropriate wrappers, and output parsing tuned to security tool formats rather than generic shell output. Because everything runs locally in the terminal it avoids the data-exfiltration concerns of cloud-based security copilots, which matters when working against client infrastructure under NDA. The agent supports custom tool definitions, so extending it to in-house tools or proprietary scanners is straightforward. Open questions include reliable handling of long enumeration outputs that blow out context windows, and how well the reasoning model generalizes to unusual or CTF-specific attack paths without fine-tuning.
Source: https://github.com/PentesterFlow/agent
fancyboi999/ai-engineering-from-scratch-zh
A structured Chinese-language curriculum for becoming an AI agent engineer, organized into 20 progressive stages covering 503 individual lessons. The content is a full translation of English-language AI engineering material supplemented by a companion website and animated explainer videos. Technically the curriculum spans the full stack: foundational LLM concepts, prompt engineering, RAG pipelines, tool use and function calling, multi-agent orchestration frameworks (LangChain, LlamaIndex, AutoGen), evaluation, and deployment patterns. The 20-stage progression is designed to take a developer from ML fundamentals to production agent systems without assuming prior ML research background. The value proposition for Chinese-speaking practitioners is eliminating the translation overhead when working through API documentation, framework source code, and research papers that are predominantly in English — a real friction point that slows learning. The animated video component addresses the notoriously poor pedagogical quality of raw translated text by rebuilding intuitions with visual explanations. At 503 lessons the scope is ambitious; the main risk is coverage breadth at the expense of depth on any single topic, and the curriculum will require ongoing maintenance as agent frameworks evolve rapidly.
Source: https://github.com/fancyboi999/ai-engineering-from-scratch-zh
raiyanyahya/recall
Recall solves context amnesia in Claude Code (Anthropic’s coding agent) by providing a persistent, offline memory layer. Each session Claude Code starts with zero knowledge of your project; developers waste tokens re-explaining architecture, conventions, and past decisions. Recall maintains a local store of project-scoped memory — decisions made, file structure, patterns to follow, things to avoid — and injects the relevant subset into each new session’s context automatically. The implementation is fully offline: no API calls to external memory services, no data leaving the machine. The technical mechanism is a structured document store keyed by project, with retrieval logic that selects relevant memory fragments based on the current task context before session start. This is semantically a RAG system over your own engineering notes, but purpose-built for the Claude Code workflow rather than general document QA. The offline constraint is important for proprietary codebases where sending project context to a cloud memory service is a non-starter. Limitations: retrieval quality depends on how well memories are chunked and indexed; stale or contradictory memories injected into context can mislead the agent as much as help it; and the system is currently Claude Code-specific rather than agent-agnostic.
Source: https://github.com/raiyanyahya/recall
gykim80/perfectpixel-studio
A desktop application for generating 2D animation sprite sheets from text prompts, targeting game developers and artists who need multi-directional character sprites. The pipeline takes a single text description and produces sprite sheets with 8 directional orientations and over 100 distinct action animations (idle, walk, run, attack variants, etc.) — the combinatorial output that is prohibitively labor-intensive to hand-author. The stack is Wails (Go backend compiled to a native binary with a web frontend) plus React for the UI, giving it native desktop performance without Electron’s memory overhead. The AI generation backend presumably chains an image generation model with a sprite-sheet layout and consistency enforcement step to maintain character identity across directions and frames; exact model details are not disclosed in the repository description. The 8-direction constraint maps directly to top-down and isometric game requirements. For indie developers the value is clear: sprite sheet generation is one of the largest art bottlenecks in 2D game development. Open questions include temporal consistency across animation frames (avoiding character appearance drift), handling of non-humanoid characters, and whether the output resolution and style are controllable enough for production use without manual cleanup.
Source: https://github.com/gykim80/perfectpixel-studio
agentic-in/inferoa
A harness for “tokenmaxxing” agentic inference loops — the practice of maximizing useful work extracted per token budget in long-running LLM agent loops. The core problem it addresses is that naive agent loops are token-inefficient: redundant context, poorly structured tool-call outputs, and unconstrained generation waste budget without improving task completion. Inferoa positions itself as an inference-native framework, meaning token budget management is a first-class concern at the loop-engineering layer rather than an afterthought. The technical substance includes loop orchestration primitives, context compression hooks, and tooling for profiling where tokens are consumed across agent steps. The “tokenmaxxing” framing is practical rather than theoretical: at scale, shaving 20-30% of tokens per agent invocation translates directly to cost and latency. The framework is designed for engineers building agent pipelines who want programmatic control over the prompt budget at each step rather than accepting whatever the default chain logic produces. The repository is early-stage; the main open question is whether the abstractions generalize cleanly across different underlying models and tool ecosystems, or whether they are implicitly tuned to a specific provider’s tokenization and pricing structure.
Source: https://github.com/agentic-in/inferoa
aresyn/codex-control-plane-mcp
A durable control plane for Codex Desktop tasks exposed via the Model Context Protocol (MCP). The problem it solves is that Codex Desktop tasks are ephemeral and stateless: if a long-running coding task is interrupted — network drop, desktop sleep, process kill — progress is lost and the task must restart from scratch. This MCP server adds a persistence layer that checkpoints task state, allowing interrupted tasks to resume rather than restart. The MCP interface means the control plane integrates with any MCP-compatible client without custom integration work. Technically, durability is implemented by serializing task state (current step, tool-call history, intermediate outputs) to persistent storage at each checkpoint, then replaying from the last checkpoint on reconnection. This is analogous to how durable execution frameworks like Temporal handle workflow resumption, applied specifically to the Codex Desktop agent loop. For developers running multi-hour refactoring or code-generation tasks the reliability improvement is significant. Limitations worth noting: checkpoint fidelity depends on how completely the MCP server can capture agent state — if the underlying Codex process holds state that is not exposed through the MCP interface, those components cannot be checkpointed and true resumability remains partial.