2026-03-15 — Eclectis

What shipped today

Today was a scout-driven hardening session. The codebase scout identified five issues across the engine and web app, all of which were triaged, prepped, and shipped in a single session. The work splits into three themes: security fixes, reliability improvements, and UX polish.

Security and reliability. Three engine issues addressed defensive gaps found by the scout. The article prescore handler had a BYOK gating bypass — free-tier users without API keys were silently getting prescore calls because PlanGatingError was caught by a blanket except Exception (#195). Both the Raindrop push and Serper search handlers called resp.json() without guarding against non-JSON responses from external APIs, which would crash the handler on API outages (#196). The newsletter link extractor already filtered to http/https on extraction, but lacked a defense-in-depth re-check after URL normalization (#198). The user context ratings cache had no max-size limit and never evicted expired entries, creating a slow memory leak on long-running deployments — it now has a 30-minute TTL and 1000-entry cap (#197).

UX polish. The web app’s optimistic update pattern for votes, bookmarks, and mark-as-read actions silently reverted on failure with no user feedback. Added sonner toast notifications across all action handlers, plus error recovery for infinite scroll — a stuck spinner is replaced with a “tap to retry” message (#199).

Completed

• #195 — Fix BYOK gating bypass in article prescore
• #196 — Wrap JSON parsing in try-except for external API responses
• #197 — Add TTL eviction to user_context ratings cache
• #198 — Validate extracted URLs in newsletter processing
• #199 — Add error toasts for failed user actions (vote, bookmark, toggle)

Release progress

All four milestones (M1–M4) remain closed. 40 issues shipped total across all sessions. No open milestones.

Carry-over

• Verify PostHog and Sentry are correctly configured in production (env vars firing, events captured, errors tracked) — carried forward from 2026-03-14

Risks

• None identified today. The security fixes reduce overall risk posture.

Flags and watch-outs

• The commands table still accumulates skipped push commands for users without Raindrop/Readwise configured. No cleanup mechanism yet (flagged 2026-03-13).
• Engine Python tests still can’t run locally due to missing deps (structlog, httpx) — only pure-logic tests pass locally.
• Only 2 open issues remain (#64 email inbox scanning, #77 Vercel issue), both in backlog. The active issue queue is empty.

Next session

• Verify PostHog events are firing correctly in production (check the PostHog dashboard for real events)
• Verify Sentry is capturing errors (trigger a test error, check Sentry dashboard)
• Consider creating a new milestone for post-launch polish or v1.1 features
• Review backlog issues #64 (email inbox scanning) and #77 (Vercel issue) — assess whether they should be closed, promoted, or left
• Test the error toasts in production (disconnect network, try voting, confirm toast appears)