While closed source AI is in shambles, open source is having one of the best weeks of all time. Z ai GLM 5.2 Minimax M3 Kimi 2.7 code

🚀 hermesd 2026.6.15 shipped. A read-only terminal dashboard for Hermes Agent — one live screen for your whole ~/.hermes/: gateway, sessions, tokens, cost, tools, cron, skills, logs, memory, kanban, operations, and curator. No API keys. No network. Zero writes to agent state. When you run an agent for real — a gateway across Telegram/Discord/Slack, cron jobs, dozens of sessions spawning sub-agents, 9 providers, skills, memory files — answering "is it healthy and where are my tokens going?" used to mean 6 commands tailing logs. hermesd reads it all and refreshes automatically. 🆕 New in this release: ▸ Curator panel (13) — the newest memory-curation run: before→after skill counts, archived/pruned/added/consolidated, a per-tool call breakdown, the state-transition trail, model/provider, duration, and the LLM summary. ▸ Sessions → Billing & Context — per session: end reason, billing endpoint (billing_base_url), billing mode, and the model's context-window limit joined from context_length_cache.yaml. ▸ Tokens → By Endpoint Cost Status — spend/tokens aggregated per billing endpoint (finer than per-provider), plus a reconciliation line splitting sessions into unknown / subscription-included / estimated. Costs now show authoritative $ for reported/exact/included and ~$ only when truly estimated. ▸ Gateway health — per-platform connection errors (e.g. discord "failed to reconnect"), active-agent count, restart-requested marker, ⚠ in the compact view. ▸ Operations → Response Store stats from response_store.db; PR-monitor reads now cover every naming family with per-repo dedup. ▸ Logs — extra streams: audit, mcp-stderr, workspace, workspace.error. ▸ Kanban — task workflow fields a parent→child decomposition tree. 🔧 Fixed (the important part): The agent had quietly changed several on-disk shapes and hermesd was reading stale formats — so panels silently blanked. Repaired: credential-pool list-vs-dict in auth.json, desktop build-stamp camelCase keys, retired pr-monitor keys, and cost-status vocabulary. To stop this recurring, I added an opt-in contract test (HERMESD_CONTRACT_TEST=1) that runs the collector against real ~/.hermes and fails the instant a populated field reads blank — catching the next drift before users do. 🛡️ Hardening: - Rich markup-injection escaping on all untrusted ~/.hermes free-text (a [/] in a value could crash the TUI) - symlink path-escape guards on every file read (stays inside the Hermes home) - SQL LIKE wildcard escaping in message search - cache-preservation invariant: on any read error, the last-good data stays on screen — the dashboard never blanks ✅ Quality: 777 tests 1 opt-in contract test, 99% coverage, ruff mypy pip-audit clean, CI matrix on Python 3.11/3.12/3.13, trusted-publish to PyPI. Read-only. Fast. Minimal deps (Rich Pydantic PyYAML). Python 3.11 . @NousResearch ⭐ github.com/mudrii/hermesd 📦 pip install hermesd → run hermesd #AIAgents #LLMOps #DevTools #Python #OpenSource #Observability

As artificial intelligence continues its disruption of the tech industry, the future of work for developers is shifting from writing implementation details to becoming "explorers of problems". ATDD IS the next generation of programming language. 📽️ Watch now (link in bio)

Released hermesd v2026.6.5. hermesd is a terminal dashboard for Hermes Agent. It gives you one place to quickly see what your agent is doing, what is running, what needs attention, and what changed recently. New in this release: - Kanban view for active, blocked, and recent agent work - Operations view for runtime activity - Better Gateway and platform visibility - More log views, including update, dashboard, gateway error, and crash logs - Richer session details - Better cron and configuration visibility - Installed hermesd version shown in the header - Updated docs and release packaging Install or upgrade: pip install -U hermesd Run: hermesd Release: github.com/mudrii/hermesd/re… PyPI: pypi.org/project/hermesd/ #AI #AIAgents #OpenSource #Python #DevTools #Automation #TerminalUI #HermesAgent @NousResearch

hermesd 2026.6.3 is out — a read-only TUI dashboard for the Hermes AI agent. ▎ ▎ If you run Hermes Agent, you've probably wished for a single pane of glass over everything it's doing — sessions, token spend, tool calls, cron jobs, providers, logs, memory. That's hermesd: a live terminal dashboard that ▎ reads straight from ~/.hermes/ and renders it in a 10-panel Rich UI. ▎ ▎ The hard constraint that shapes the whole project: hermesd is strictly read-only. It never writes to the agent's data directory and never imports a line of agent code. It's a pure observer — so it can't corrupt the thing ▎ it's watching. That discipline runs deep: read-only SQLite URIs, cache-preservation on transient errors (the display never blanks), and WAL-aware snapshots so it sees uncommitted data without touching the live DB. ▎ ▎ What's in 2026.6.3: ▎ 🔒 Cleared CVE-2026-45409 by bumping a transitive dependency — lockfile-only, runtime closure untouched. ▎ 🧱 Refactored the token-summary path to build its validated model once at the boundary instead of mutating it in place, so Pydantic validation can no longer be skipped. ▎ ✅ Added regression tests pinning the three behaviors that refactor had to preserve. ▎ ▎ No new features in this one — it's a security-and-quality release. Sometimes the best release is the one nobody notices because nothing broke. ▎ ▎ Built in Python 3.11 , tested across 3.11/3.12/3.13, 396 tests, TDD throughout. MIT licensed. ▎ ▎ 👉 github.com/mudrii/hermesd ▎ ▎ #Python #AIagents #OpenSource #DevTools #TUI #Observability

OpenClaw Dashboard v2026.6.1 is shipped 🚀 ▎ ▎ A zero-dependency Go binary embedded SPA for real-time monitoring of the OpenClaw AI gateway. No npm tree, no go.sum — just stdlib. This release wasn't about flashy features; it was the unglamorous, trust-building work ▎ that most changelogs skip. ▎ ▎ 🔒 Security held the line. Mid-release, the govulncheck gate caught two reachable Go stdlib CVEs (net/textproto crypto/x509). I bumped the toolchain go1.26.3 → go1.26.4, re-verified clean, and refused to tag until it was ▎ green. Every artifact ships with an SBOM and a keyless cosign signature — supply chain stays tight, no shortcuts. ▎ ▎ 🐛 Three real bugs killed — each one revert-tested: ▎ • A log-timestamp parser that could infinite-recurse into a stack overflow on malformed input ▎ • A model-cache deadlock where one panicking refresh left every waiting request hung forever ▎ • Dashboard panels rendering blank when a metric hit zero or a plugin lacked a label ▎ ▎ Every fix landed with a regression test — and I proved each test by reverting the fix and watching it fail. That's the difference between a test that guards a bug and a test that just happens to pass today. Proof, not ▎ vibes. ▎ ▎ ⚙️ Plus hardening: observable cache-discard warnings (no more silent drops), defense-in-depth HTTP timeouts, a bounded --refresh CLI, and magic numbers promoted to named constants. ▎ ▎ 📦 Multi-platform signed binaries (darwin/linux × amd64/arm64), a Homebrew tap, and signed checksums. CI runs vet lint race govulncheck on every single PR. ▎ ▎ Open source, MIT-licensed, built entirely in the open — CHANGELOG, build logs, and the full review trail are all public. ▎ ▎ 👉 github.com/mudrii/openclaw-d… ▎ ▎ #golang #opensource #devops #securityengineering #observability

You asked for it, so here it is: a deep-dive on my new /handoff skill. It's an alternative to /compact that gives you WAY more flexibility with your context window. - Think of an idea, handoff to another agent to implement - Grill, handoff to prototype, handoff BACK Enjoy:

Can't recommend @cotypist cotypist.app enough. Autocomplete everywhere.

Hermes Agent now has access to hundreds of browser skills through @browserbase’s new Browse.sh hub, so agents can more reliably perform any task on the internet. You can try a skill from their catalog or contribute your own.

🦞 Shipped OpenClaw Dashboard v2026.5.20 v2026.5.21 — same-day double release after a 6-pass audit cycle. What landed in 24 hours of focused hardening: 🔒 Security • Atomic file ops in appruntime: CopyIfMissing rewritten with os.Link syncDir parent fsync — concurrent first-run callers now race-safe across crash boundaries. • Content-Security-Policy X-Frame-Options Referrer-Policy on the SPA response. Default-src 'self', connect-src 'self', frame-ancestors 'none'. • Loopback-only bind enforcement with an explicit env opt-in for containers (OPENCLAW_DASHBOARD_ALLOW_NON_LOOPBACK=1) — and an audit log so operators see the bypass in their journal. • Gateway port bounds, validateAbsPath preflight on launchd/systemd Install, decodeJSON scan-all-braces for hostile log preambles. 📦 Supply chain • Keyless cosign signatures on release checksums via GitHub OIDC Sigstore Fulcio/Rekor. • CycloneDX SBOM per archive via syft. • Pinned action versions, dependabot weekly for github-actions docker, automated Homebrew tap formula. • Go toolchain bumped 1.26.0 → 1.26.3 — closed 5 stdlib CVEs (net.Dialer NUL byte, x509 cert verify, url.Parse, tls.Conn) caught only because govulncheck ran in CI against the old toolchain. 🏗️ Build & test parity • Makefile, Dockerfile, .goreleaser.yml, flake.nix all set CGO=0, embed BuildVersion via -X, strip with -s -w. One binary, four reproducible paths. • Linters tightened: gosec errorlint enabled, all gosec exclusions documented per-rule. • GitHub Actions: linux macos matrix, govulncheck job, top-level read-only permissions, concurrency groups, per-job timeouts. • Live smoke on :8081 verified 30 endpoint, header, traversal, rate-limit, and shutdown checks before each tag. 📊 Numbers • 6 audit passes — every pass found NEW issues the previous one missed • ~85 findings raised → ~45 real fixes applied (after second-pass validation) • 2 CI failures recovered without rollback (cosign-installer pin, --bundle flag) • Zero regressions, zero new third-party Go deps. 9.3MB static binary. The methodology lesson worth keeping: every defensive layer has a second-order cost. Atomic publish via os.Link cleared one race but opened cross-filesystem and umask edge cases. CSP unsafe-inline closed XSS exfil but will silently break the next CDN integration. The fix isn't to stop hardening — it's to enumerate the new surface explicitly in INFRA-CHECKLIST.md so the next maintainer inherits the tradeoffs, not just the wins. Zero-dep Go stdlib all the way. Single static binary. Loopback-only by design. → github.com/mudrii/openclaw-d… #golang #opensource #devops #security #softwareengineering #supplychain #sigstore

The latest CodexBar update renders API costs wayyyy nicer. codex.bar

codex is the best AI coding product and we want to make it easy to try. for the next 30 days, we are giving companies that want to try switching over two months of free codex usage.

Today we release Token Superposition Training (TST), a modification to the standard LLM pretraining loop that produces a 2-3× wall-clock speedup at matched FLOPs without changing the model architecture, optimizer, tokenizer, or training data. During the first third of training, the model reads and predicts contiguous bags of tokens, averaging their embeddings on the input side and predicting the next bag with a modified cross-entropy on the output side. For the remainder of the run, it trains normally on next-token prediction. The inference-time model is identical to one produced by conventional pretraining. Validated at 270M, 600M, and 3B dense scales, and at 10B-A1B MoE. The work on TST was led by @bloc97_, @gigant_theo, and @theemozilla.

golink v26.05.13 is out — a hardening release for the LinkedIn CLI built for humans and LLM agents. What landed in this cycle: 🔒 Cross-process durability Every append-only JSONL store (audit, idempotency, approval, schedule, HTTP record/replay) now holds a sidecar flock and fsyncs writes plus parent directory before close. Survives kernel crashes and concurrent CLI invocations. 🔁 Refresh-token race closed Two `golink` processes racing into auto-refresh used to risk double-spending a rotated refresh token. Now serialised via sidecar lock with post-lock re-read; hard-fails on lock or persistence errors instead of returning a half-persisted session. 🛡️ Privacy Inline `Bearer <token>` strings now redacted in audit previews and HTTP cassettes. Approval store keeps payloads verbatim (file mode 0o600 is the access control — documented contract, not a regression). ✅ Plus - Stable SHA256 plan hashes via json.Number canonicalisation - Retry-After header honored on 429/503 - Percent-encoded URN keys decoded in SocialMetadata - 4 HIGH 14 MEDIUM review findings resolved Install: go install github.com/mudrii/golink@v26… brew install mudrii/golink/golink Built in Go 1.26.3. make ci clean (vet golangci-lint 0 issues race govulncheck). Repo changelog: github.com/mudrii/golink/rel… #golang #linkedinapi #cli #devtools #opensource #automation

🚀 openclaw-dashboard v2026.5.13 is out A bugfix security hardening release. 🔒 Security • Service files: 0o600 atomic write (was world-readable) • Static handler: symlink-escape blocked • Gateway auth tokens redacted from error logs • 64 KB cap on upstream JSON fetchers ⚡ Reliability • Fixed a latent race in the cached-data path • Removed torn reads in stale-cache classification • Graceful shutdown now accelerates on second Ctrl C • Atomic file copy in the runtime package 🧪 Quality • Coverage 60.7% → ~65% • Race detector green across 9 packages • Zero new dependencies — stdlib only, as always 📦 Update: brew upgrade openclaw-dashboard Or grab a binary for darwin/linux × amd64/arm64. 🔗 github.com/mudrii/openclaw-d…

Thanks to the @huggingface team for adding Hermes Agent to local apps and shipping a native Hermes traces viewer!

RepoBar 0.5.0 is live 📋 GitHub refs from your clipboard 🔎 Issue, PR, and commit previews 🟢 Open/closed/merged at a glance ⚡ Fast lookups, cache-first Tiny bar, much less mystery. github.com/steipete/RepoBar/…

🎚️ CodexBar 0.25 is live 🧩 New providers: Manus, MiMo, Qwen, Doubao, Venice more 🔔 Quota warning notifications 👥 Stacked Codex account switchers 📊 Faster cost history via models.dev Big one. Menu bar still tiny. github.com/steipete/CodexBar…