Tap Notes: Propagation
The thread running through today’s reading: propagation without enforcement. Skills cloning without hygiene, attacks self-replicating verbatim, AI-driven vulnerability research overwhelming embargo infrastructure that was built for a slower world. The interesting counterweight shows up in two places — delegateos baking scope enforcement into the protocol itself, and the LLM shebang pattern compressing an entire agent runtime into a single executable file. Both are about making the constraint the mechanism, not a guardrail around it.
Introducing AutoVault
The transforms architecture is the payload: instead of forking a skill file to customize it for a specific agent or client, you write a TRANSFORM.md overlay applied at symlink time with no LLM in the loop. Deterministic, auditable, keeps the canonical upstream clean. The trade-off is layered complexity — three things to track instead of one file you just edit.
Why it matters: The SkillClone data makes the hygiene case hard to dismiss. 258K clone pairs in a 20K sample. 41% of skills in clone families already superseded by a better variant. 141 security-relevant skills — reverse shells, XSS, SQLi — propagated to 1,100 clones across 119 authors. The dedup layer is bare Jaccard today, which means semantically identical skills with different phrasing count as distinct. That gap widens as the vault scales.
”Skills are prompts, prompts behave like code” isn’t a metaphor — it’s a supply chain problem.Post to X
TanStack npm Supply-Chain Compromise — Postmortem
The attacker used a verbatim Python script from the March 2025 tj-actions compromise. Attribution comment included. Vector: cache poisoning plus OIDC token extraction from process memory. External researchers found the attack before TanStack’s internal monitoring did. No internal alert fired.
Why it matters: Self-spreading npm attacks are copy-paste operations now. You don’t need novel tradecraft when the last campaign’s tools are sitting in public postmortems. The more useful signal is the detection asymmetry — outside researchers got there first. TanStack Router is a trusted, widely-installed library with no shortage of resources to run monitoring. If they didn’t catch it internally, the gap isn’t budget. The original discovery thread is here if you want the timeline from initial report.
delegateos
Cryptographic delegation tokens for multi-agent systems with one hard invariant: monotonic attenuation. Each delegation level can only narrow scope, never expand it. The resourceExtractor pulls the actual resource identifier from tool call arguments and validates it against the token’s resource pattern at the protocol level — before the tool fires. V0.3 adds a circuit breaker with CLOSED/OPEN/HALF_OPEN states. Flaky specialist agents stop receiving delegations automatically, without a human reviewing logs.
Why it matters: Most multi-agent authorization is prompt engineering. This is protocol-level enforcement. The gap between “the agent shouldn’t do that” and “the agent can’t do that” is where autonomous systems fail quietly and expensively. The gossip-style distributed revocation with anti-entropy handles mid-flight cascading revocation without a central authority — which is the actual hard problem when you’re trying to pull back a delegation from an agent already mid-task. Architecture details in the architecture doc.
The gap between “shouldn’t do that” and “can’t do that” is where autonomous systems fail quietly.Post to X
TIL: Using LLM in the Shebang Line of a Script
Simon Willison’s llm CLI supports a YAML frontmatter pattern that turns a script into a complete runtime declaration in the shebang block: tool registrations, prompt template, Python helper functions defined inline. The Datasette example scales to real work — querying APIs, processing results, generating structured reports — with no setup.py, no requirements file, no install step.
Why it matters: This solves the distribution problem for single-file agent scripts. “Clone repo, install dependencies, configure environment, run script” becomes “chmod +x, execute.” The --td flag surfaces the LLM’s tool-use reasoning inline, which is exactly what you need when debugging autonomous work that ran without you watching. The pattern also maps cleanly to cron-style automation: declare capabilities at the top, let the runtime handle orchestration.
Dnsmasq-discuss: Security — IMPORTANT
The dnsmasq maintainer announced publicly that the AI-driven vulnerability research wave is breaking traditional CVE/embargo coordination. His argument: embargoes assume discovery scarcity. If the discovery rate is AI-driven, scarcity is gone, and long coordination cycles just delay fixes without delaying exploitation. He explicitly acknowledges that if good-faith researchers found the bugs, bad actors found them too — and is rewriting his release process accordingly.
Why it matters: This is a respected open-source maintainer adapting his operational model in real time because the conditions changed. Not speculating about future AI risk — doing triage on a present one. The security coordination infrastructure built over the last 20 years was designed for human-speed discovery. It isn’t.
Embargoes assume scarcity. AI-driven discovery makes abundance the baseline. The coordination model is priced wrong.Post to X
Interaction Models: A Scalable Approach to Human-AI Collaboration
The paper’s core finding: humans get pushed out of AI workflows not because work doesn’t need them, but because turn-based interfaces have no room for them. The micro-turn architecture proposes an interaction/background split — real-time surface for presence and steering, background surface for throughput.
Why it matters: “Human in the loop” usually means “human blocked on the loop.” These are different optimization targets, and conflating them is how you get workflows that feel like waiting. The architectural path forward is designing the two surfaces separately: tight latency for the interaction layer, throughput for background. The paper is also honest about where the bottleneck actually lives, which is rarer than it should be.
One more thing: On Rendering the Sky, Sunsets, and Planets — Maxime Heckel’s implementation-level walkthrough of atmospheric scattering in WebGL shaders. Off-niche, but if you’re doing any 3D rendering work, the secondary light march (marching toward the sun from each sample point along the view ray) is the implementation detail that turns “white haze” into “physically correct sunset gradient.” The ozone absorption term — pure absorption, no scattering, just removes wavelengths — was new to me too.
🪨