2026-03-31 — CI fixes, security audit, scout run
First session in 6 days. The March 23-24 burst shipped 20+ PRs (accessibility, keyboard navigation, Maya sidebar improvements) but CI had been failing since then and no production deploy happened.
Fixed two things blocking CI: ESLint’s react-hooks/refs rule was flagging the useRadioGroup hook’s return values as ref-during-render violations. The fix was simple — destructure the hook returns at the call site instead of accessing them as properties. Also ran npm audit fix to clear 3 dependency vulnerabilities (path-to-regexp ReDoS, picomatch method injection).
Ran a full scout scan across error handling, security, dead code, dependencies, UX gaps, and performance. The codebase is in solid shape — auth checks on every route, ownership verification, input validation, proper RLS. Found five concrete issues: two API routes missing try/catch (learn, weekly), no loading/error boundaries anywhere, a config PATCH endpoint that doesn’t validate which fields users can set, and redundant Supabase client creation in the serve route.
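One way to close the config PATCH gap, as an added example rather than code from this repo: validate the request body against an explicit per-field allowlist before anything reaches the database. The field names, limits and the `validateConfigPatch` helper are hypothetical stand-ins for the real config schema.

```typescript
// Added example: field names and limits are hypothetical, not the app's real config schema.
type Validator = (value: unknown) => boolean;

// Only keys listed here may be set through PATCH; everything else is rejected.
const PATCHABLE_FIELDS: Record<string, Validator> = {
  timezone: (v) => typeof v === "string" && v.length > 0 && v.length <= 64,
  dailyGoal: (v) => typeof v === "number" && Number.isInteger(v) && v >= 1 && v <= 50,
  emailReminders: (v) => typeof v === "boolean",
};

type PatchResult =
  | { ok: true; updates: Record<string, unknown> }
  | { ok: false; status: 400; errors: string[] };

function validateConfigPatch(body: unknown): PatchResult {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { ok: false, status: 400, errors: ["body must be a JSON object"] };
  }
  const errors: string[] = [];
  // Null-prototype object so a "__proto__" key can never touch a prototype.
  const updates: Record<string, unknown> = Object.create(null);
  for (const [key, value] of Object.entries(body)) {
    // Own-property check: a plain lookup would resolve inherited names such as
    // "constructor" to a function and treat it as a validator.
    const validator = Object.prototype.hasOwnProperty.call(PATCHABLE_FIELDS, key)
      ? PATCHABLE_FIELDS[key]
      : undefined;
    if (!validator) {
      errors.push(`field not allowed: ${key}`);
    } else if (!validator(value)) {
      errors.push(`invalid value for: ${key}`);
    } else {
      updates[key] = value;
    }
  }
  if (errors.length === 0 && Object.keys(updates).length === 0) {
    errors.push("no updatable fields supplied");
  }
  return errors.length > 0 ? { ok: false, status: 400, errors } : { ok: true, updates };
}
```

The route handler would return a 400 with `errors` on failure and pass only `updates` to the database call; the auth and ownership checks stay where they already are.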
Completed
- #232 — Fix all CI errors in GH
- #236 — Run npm audit fix for path-to-regexp and picomatch vulnerabilities
Carry-over
- #233 — Add try/catch to learn and weekly API routes (ready-for-dev)
- #234 — Add loading.tsx and error.tsx boundaries for app routes (ready-for-dev)
- #235 — Validate config PATCH updates against allowlist (ready-for-dev)
- #237 — Reduce redundant Supabase client creation in serve route (ready-for-prep)
- #86 — Replace in-memory rate limiter with persistent solution (backlog)
- #101 — Branded emails (blocked)
- #108 — BCC founder on transactional emails (backlog)
- Production deploy still pending — the March 23-24 work plus today’s fixes need to go out
Risks
- Production is running code from before March 23. A week of accumulated changes (20+ PRs + today’s fixes) will deploy at once. Should smoke test carefully.
Flags and watch-outs
- CODEBASE.md and .scout.yml were generated for the first time — future scout runs will use them
- The sequencing.ts file referenced in CLAUDE.md doesn’t exist (was replaced by serve.ts). CLAUDE.md key files table is slightly stale.
Next session
- Run the 3 ready-for-dev issues (#233, #234, #235) through /dev-loop — all are concrete ~5-min fixes
- Deploy to production (vercel --prod --yes) and smoke test the /today flow
- Prep #237 (serve route optimization) and implement
- Consider running /scout --focus features to find the next round of product work