HackerTrans
TopNewTrendsCommentsPastAskShowJobs

systima

no profile record

Submissions

Show HN: AI skills for program / project / delivery managers

2 points·by systima·há 2 meses·0 comments

[untitled]

9 points·by systima·há 3 meses·0 comments

Show HN: Open-Source EU AI Act Compliance Scanning for CI/CD

1 points·by systima·há 4 meses·0 comments

Show HN: XML, Markdown, or JSON: Which gives LLMs the most reliable boundaries?

systima.ai
3 points·by systima·há 4 meses·2 comments

Show HN: Open-Source Article 12 Logging Infrastructure for the EU AI Act

42 points·by systima·há 4 meses·10 comments

[untitled]

1 points·by systima·há 4 meses·0 comments

comments

systima
·há 2 meses·discuss
Is this allowed under Apple's ToS?

I recall the Beeper Mini debacle not so long ago, and fear that this may be a house built on sand.
systima
·há 2 meses·discuss
How does this differ to Mastra?
systima
·há 3 meses·discuss
[dead]
systima
·há 3 meses·discuss
[dead]
systima
·há 3 meses·discuss
As the entire planet now knows, the Claude Code source leaked on March 31.

The engineering-focused findings have been covered extensively (fake tool injection, Undercover Mode, KAIROS, etc).

This piece focuses on what these findings mean if you're using Claude Code to build AI systems subject to the EU AI Act.

TL;DR / spoiler:

Claude Code isn't a high-risk AI system in and of itself.

The EU AI Act regulates your deployed system and your process, not your tool vendor's internal engineering practices.
systima
·há 3 meses·discuss
How does this differ to Open Code Desktop?
systima
·há 4 meses·discuss
Sorry, I missed part of your question:

What caused the switch was that we're building AI solutions for sometimes price-conscious customers, so I was already familiar with the pattern of "Use a superior model for setting a standard, then fine-tuning a cheaper one to do that same work".

So I brought that into my own workflows (kind of) by using Opus 4.6 to do detailed planning and one 'exemplar' execution (with 'over documentation' of the choices), then after that, use Opus 4.6 only for planning, then "throw a load of MiniMax M2.5s at the problem".

They tend to do 90% of the job well, then I sometimes do a final pass with Opus 4.6 again to mop up any issues, this saves me a lot of tokens/money.

This pattern wasn't possible with Claude Code, thus my move to Open Code.
systima
·há 4 meses·discuss
Yes I regularly plan in Opus 4.6 and execute in “lesser” models ie MiniMax
systima
·há 4 meses·discuss
Open Code has been the backbone of our entire operation (we used Claude Code before it, and Cursor before that).

Hugely grateful for what they do.
systima
·há 4 meses·discuss
I agree.

In my experience, this correlates more with soft skills and “one man band” founder/maker companies that tend to sell training products or (if they do exist in a company environment at all) invariably work in DevRel and aren’t pushing code.
systima
·há 4 meses·discuss
Thank you — Excellent points. Will think about them.
systima
·há 4 meses·discuss
I don’t think it’s that.

I think it’s more about setting a norm and precedent that “Age verification is not our responsibility; the App Store layer does that and it’s an established truth now”.

Which itself conveniently helps as a defence in lawsuits when a teenager kills themselves over harmful content etc.
systima
·há 4 meses·discuss
"But there is an obvious solution: mandate the operating systems (iOS and Android) to share device users' ages when they download apps from the app stores – data the operating systems get as part of the hardware acquisition already. This would be a simple one-step way for parents to control all the different apps that their kids use (in the US, the average teen uses forty different apps per month) and would remedy the fractured app-by-app approach we have today. We should make a societal judgement about whether to set these age limits for smartphones or social media use at thirteen, fourteen, fifteen or sixteen, then write it into law." in How to Save the Internet by Nick Clegg
systima
·há 4 meses·discuss
Follow what Nick Clegg has been saying post-Meta. He might give a big clue.
systima
·há 4 meses·discuss
Maybe https://usepec.eu ?
systima
·há 4 meses·discuss
Impressive! Well done
systima
·há 4 meses·discuss
Respectfully, this is not really engaging withe content of the post.
systima
·há 4 meses·discuss
IMO what you’re describing is essentially crypto-shredding.

It would definitely work (and when dealing with petabyte levels of data the simplicity of only having to delete the key is convenient).

We’re leaning toward the dual-layer separation I described though (metadata separate to content) mainly because crypto-shredding means every read (including regulatory reconstruction) depends on a key store.

In my view that’s a significant dependency for an audit log whose whole purpose is reliable reconstructability, whereas dual-layer lets the chain stand on its own.

Your point about developer mistakes is fair. It applies to dual layer as you say with your example, but I’d say crypto shredding isn’t immune to mistakes because (for example) deleting the key only works if the key and plaintext never leaked elsewhere accidentally in logs / backups etc.
systima
·há 4 meses·discuss
Great question.

voxic11 is right that the AI Act creates a legal obligation that provides a lawful basis for processing under GDPR Article 6(1)(c).

To add to that, Article 17(3)(b) specifically carves out an exemption to the right to erasure where retention is necessary to comply with a legal obligation.

(So the defence works at both levels; you have a lawful basis to retain, and erasure requests don’t override it during the mandatory retention period).

That said, GDPR data minimisation (Article 5(1)(c)) still constrains what you log.

The library addresses this at write-time today, in that the pii config lets you SHA-256 hash inputs/outputs before they hit the log and apply regex redaction patterns, so personal data need never enter the chain in the first place.

This enables the pattern of “Hash by default, only log raw where necessary for Article 12”.

For cases where raw content must be logged (eg, full decision reconstruction for a regulator), we’re planning a dual-layer storage approach. The hash chain would cover a structural envelope (timestamps, decision ID, model ID, parameters, latency, hash pointers) while the actual PII-bearing content (input prompts, output text) would live in a separate referenced object.

Erasure would then mean deleting the content object, and the chain would stay intact because it never hashed the raw content directly.

The regulator would also therefore see a complete, tamper-evident chain of system activity.
systima
·há 4 meses·discuss
Thanks for the thoughts and feedback.

Fair point on the reconstruction attack.

The library is deliberately scoped as tamper-evident, not tamper-proof; it detects modification but does not prevent wholesale chain reconstruction by someone with storage access. The design assumes defence-in-depth: S3 Object Lock (Compliance mode) at the infrastructure layer, hash chain verification at the application layer.

External timestamping (OpenTimestamps, RFC 3161) would definitely add independent temporal anchoring and is worth considering as an optional feature. From what I can see, Article 12 does not currently prescribe specific cryptographic mechanisms (but of course the assurance level would increase with it).

On the regulatory question: Article 12 requires "automatic recording" that enables monitoring and reconstruction and current regulatory guidance does not require tamper-proof storage (only trustworthy, auditable records). The hash chain plus immutable storage is designed to meet that bar, but what you raise here is good and thoughtful.