Paul Welty, PhD AI, WORK, AND STAYING HUMAN

2026-03-12

What shipped today

Today was a dedicated hardening session. After recovering context from yesterday’s pipeline work, I ran a broad codebase scout that explored the web app, engine, and Supabase layers in parallel. The scout surfaced five concrete issues — one functional bug, three security gaps, and one data integrity concern — all of which were executed, merged, and closed within the same session.

The functional fix corrected a command type mismatch in the search terms UI. The triggerSearch action was sending google_search_scan instead of google_search.scan, which meant single-term search scans were silently dropped by the poller. This had been lurking since the command type naming was standardized.

The security work addressed three gaps: the admin_type_stats RPC function was missing the authorization check that all other admin RPCs had, the idea_articles RLS INSERT and UPDATE policies only validated idea_id ownership but not article_id (allowing cross-user article linking), and the admin endpoint’s Bearer token comparison used == instead of hmac.compare_digest(), leaving it vulnerable to timing attacks.

The data integrity fix added type and range validation to the article scoring handler. Previously, a malformed Claude response could write an out-of-range or non-numeric score to the database. The handler now rejects anything outside the 1–10 integer range.
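The two engine-side fixes described above (the constant-time admin token check and the 1–10 score validation), as an added Python example; this is not the project's code, and the function names, the Bearer header parsing and the strict "integers only" rule are assumptions made here:

```python
import hmac
from typing import Optional

# Hypothetical example module, not the project's own handler code.


def verify_admin_token_naive(presented: str, expected: str) -> bool:
    """'Before' form: == stops at the first mismatched byte, so response
    time varies with how long the correct prefix is."""
    return presented == expected


def verify_admin_token(presented: str, expected: str) -> bool:
    """'After' form: hmac.compare_digest takes the same time regardless of
    where two equal-length inputs first differ. Encode to bytes so
    non-ASCII tokens are handled too."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def extract_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return token


def is_admin_request(authorization_header: Optional[str], expected: str) -> bool:
    """Full admin check: parse the header, then compare in constant time."""
    token = extract_bearer(authorization_header)
    if token is None:
        return False
    return verify_admin_token(token, expected)


def validate_article_score(raw) -> Optional[int]:
    """Accept only integers 1..10 from a model response; None otherwise.
    bool is rejected explicitly because it is an int subclass in Python,
    and floats/strings such as 7.0 or "7" are rejected (assumed strict)."""
    if isinstance(raw, bool) or not isinstance(raw, int):
        return None
    if not 1 <= raw <= 10:
        return None
    return raw
```

A caller would store the score only when validate_article_score returns a value, and return 401 whenever is_admin_request is false.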

Completed

  • #145 — Fix command type mismatch in triggerSearchTermScan
  • #146 — Add authorization check to admin_type_stats RPC function
  • #147 — Add article_id ownership check to idea_articles RLS policies
  • #148 — Validate article score type and range in article.score handler
  • #149 — Use constant-time comparison for admin token verification

Release progress

All four milestones (M1–M4) are closed. No open milestones — a new one should be created next session to frame upcoming work.

Carry-over

  • Unblock #122 (feed discovery UX) — relabel from blocked to ready-for-dev if the dependency is resolved
  • Check #126/#127 blockers (Raindrop/Readwise integrations) — these have been parked since launch
  • Fix posthog-node missing dependency in web/ (flagged yesterday, not yet addressed)
  • Verify PostHog and Sentry are configured correctly (env vars, events firing, error capture)

Risks

  • All PRs merged despite Vercel CI rate limiting (deployments throttled). The changes were engine-only or migration-only so web builds weren’t affected, but the pattern of merging past failed CI could mask real issues if a web change lands the same way.
  • Three issues are blocked (#122, #126, #127) with no clear unblock path documented.

Flags and watch-outs

  • The scout run was thorough but focused on security and correctness. Performance, test coverage, and UX gaps weren’t deeply explored — another scout with --focus flags could surface more.
  • No new milestone exists. Work is effectively unframed until one is created.

Next session

  • Create a new milestone to frame the next batch of work (post-launch polish? integrations? growth?)
  • Run /scout --focus tests to assess test coverage gaps
  • Address posthog-node dependency issue in web/
  • Review blocked issues (#122, #126, #127) — determine if blockers are resolved or need new approach
  • Consider a /scout --focus performance pass on the engine pipeline
