Posts
All the articles I've posted.
-
Cracking Open the Electron safeStorage Black Box: AES-128-CBC, a Hardcoded IV, and the Things Nobody Tells You
safeStorage is Electron's recommended API for storing secrets, but its implementation details are rarely discussed. This post cracks open the source: roughly 100 lines of C++ wrapping Chromium's OSCrypt, AES-128-CBC, an IV hardcoded to 16 spaces, and PBKDF2 with a single iteration. Paired with real cases — VS Code credentials read directly by extensions, VoidStealer grabbing the master key with a hardware breakpoint — it ends with a threat-model-based storage decision table.
-
7 "Anti-AI-Tone" Principles I Distilled After Writing 80+ Blog Posts with Claude Code
Roughly 70% of posts blog080-166 on this blog were written with Claude Code's help, yet readers almost never notice. Here are the 7 "anti-AI-tone" principles I distilled — the goal isn't to make AI sound less like AI, it's to make AI sound like you. Includes the automated check script from my blog-preflight Skill.
-
AI Model Comparison, Mid-2026 Edition: Two Months After blog080, the Model Layer Has Turned Over
blog080 was written in early March 2026. Two-plus months later, GPT-5.5, Claude Opus 4.7, and Gemini 3.1 Pro have all shipped, and open-source flagships GLM-5.1/Qwen 3 Coder have closed the gap to within 5-15 points of closed models. This is the May update: what changed, and how to adjust your March picks.
-
AI Tooling Supply Chain Security Checklist: 8 Defense Principles Distilled from the Vercel and Nx Console Incidents
Neither the Vercel breach nor the Nx Console incident was a protocol vulnerability — both were credential governance failures. This post distills these two AI tooling supply chain attacks into 8 defense principles plus a 1-hour audit checklist, covering OAuth least privilege, secret tiering, managed device isolation, and IDE extension credential isolation — a security playbook indie developers and small teams can act on immediately.
-
Claude Code Multi-Agent Orchestration Plugins Compared 2026: Choosing Between Ruflo, Maestro, Claude Octopus, and Codex Peer Review
A head-to-head comparison of multi-agent orchestration plugins: Ruflo calls itself the "leading Claude orchestration platform" but underdelivers in execution, Maestro stays lightweight, Claude Octopus runs reviews across 8 models in parallel, and Codex Peer Review gates merges behind three sequential reviewers. From architecture to measured token costs — a decision framework for indie developers.
-
Claude Code Workflow Plugins Compared (2026): Superpowers, Shipyard, Ralph Loop, Maestro, or Karpathy CLAUDE.md?
The Claude Code ecosystem has splintered into 100+ plugins as of May. This post zooms in on the "workflow methodology" category — Superpowers, Shipyard, Ralph Loop, Maestro, and Karpathy CLAUDE.md. Design philosophy, context overhead, fit, and combination strategies, plus a decision tree for indie developers.
-
Astro 5 to 6, Fully Documented: Real Migration Data from a 48-Page Blog — the Official "2x Faster" Claim Doesn't Hold for Small Blogs
I upgraded my own blog (48 pages, Astro 5.16.6) to Astro 6.3.1 and recorded what actually changed, whether builds got faster, and what broke. Verdict: near-zero migration cost for a small blog, but the official "2x faster" claim doesn't hold at 48 pages — measured build times were essentially flat.
-
AI Agent Persistent Memory Architectures Compared: File-Based vs Vector Retrieval, Benchmarked with a blog-preflight Subagent
I hooked the same Subagent up to both Claude Code's built-in file-based memory and mem0's vector retrieval, then compared token cost, recall quality, and cross-session learning. The result: concrete thresholds for which approach fits which data scale, plus a look at procedural memory — the weakest but most promising direction.