Posts
Vite Dev Server in Production: The 871-Byte Tell
scorecardecho.com shipped the Vite dev server to every visitor. Three signals catch it in a minute; a multi-stage Dockerfile fixes it for any SPA container.
CI gap: shellcheck + ruff caught 4 findings
Plugin scripts had zero lint coverage. Added shellcheck + ruff to CI; caught four issues on first run. Behavior tests missed them.
CodeQL Caught the Race I Dismissed
Static analyzer caught a real TOCTOU race in audit-trail code I'd dismissed. How FD-based patterns beat suppression and lock-free approaches.
The Unicode Layer Your Validator Can't See
Schema validation can't see invisible Unicode. A stdlib-only CI gate that catches tag-char injection, Trojan Source bidi overrides, and homoglyph attacks.
Self-Expiring Report-Only CI Gates: From Advisory to Enforced
How a meta-gate enforces deadline-driven CI hardening without freezing contributors — one logical concern per PR, permanent blocking by design.
Safety Model First: 16-Tool Ops MCP, One Day
Design a 7-point safety model before writing tools. How server-ops-mcp shipped 16 tools, 40 tests, and v0.1.0 in a single day.
FTS5 Fallback: How Zero Search Results Became Five (ICO Dogfood Day One)
First real dog-food run of Intentional Cognition OS scored 0/5 question engagement against a corpus that contained every answer. Root cause: AND-only FTS5 query construction plus a possessive normalization order-of-operations bug. Fix: strict-then-broad fallback. Result: 5/5, 28 citations, ~$0.20.
Ship Dormant, Wire Later — A Multi-Agent Slack Production Day
Ship infrastructure dormant behind feature flags. The activation day is wiring plus a CLI — eleven PRs, six dormant primitives going live in one day.
Five Tags, Zero Ships: How an Auto-Release Workflow Lied for a Whole Day
Five GitHub release tags created. npm registry unchanged. Three discrete bugs: tests silenced with || true, monorepo version drift, missing npm publish step.
A v1.0 Is a Gate, Not a Tag
Why release gates should accept GO with conditions, not binary GO/NO-GO. How ICO v1.0.0 shipped with documented gaps and a same-day v1.0.1.