Skillexis — 2026-03-23
What shipped
The autonomous orchestrate loop ran a productive session focused on codebase health and pipeline management. Two rounds of /scout explored the codebase across seven dimensions — error handling, security, dead code, test coverage, performance, UX gaps, and feature gaps — and surfaced 10 concrete issues (#198–#207). These range from a security fix (open redirect in auth callbacks) to dead code cleanup, error handling hardening, pagination, and architectural questions about RLS workspace scoping.
The open redirect vulnerability (#198) was the highest-priority finding — an attacker could craft auth callback URLs to redirect users to malicious sites after login. The fix was implemented, tested, merged via PR #208, and the issue was closed within the same session. It validates the `next` query parameter in both the auth callback and confirm routes.
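One way to validate a post-login `next` parameter, shown as an added example; it is not the code from PR #208 or from the Skillexis repository. `APP_ORIGIN`, `safeNextPath`, `redirectTargetFromCallback` and the sample URLs are hypothetical names and constructed values.

```javascript
// Added example: only allow `next` values that resolve to a path on our own origin.
const APP_ORIGIN = "https://app.example.test"; // assumed placeholder origin
const FALLBACK = "/";

function safeNextPath(rawNext, fallback = FALLBACK) {
  if (typeof rawNext !== "string" || rawNext.length === 0) return fallback;

  // Require a site-relative path. "//host" is protocol-relative and "/\host"
  // is treated like "//host" by browsers, so both leave the site.
  if (!rawNext.startsWith("/") || rawNext.startsWith("//")) return fallback;

  // Backslashes and control characters (tab, CR, LF) are normalised or
  // stripped by URL parsers, which can turn "/\t/host" into "//host".
  if (/[\\\u0000-\u001f\u007f]/.test(rawNext)) return fallback;

  // Defence in depth: resolve against our origin and confirm it stayed there.
  let resolved;
  try {
    resolved = new URL(rawNext, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Return only path, query and fragment; never echo a scheme or host.
  return resolved.pathname + resolved.search + resolved.hash;
}

// How a callback or confirm handler would use it: read `next` from the
// request URL and redirect to the validated value only.
function redirectTargetFromCallback(callbackUrl) {
  const next = new URL(callbackUrl).searchParams.get("next");
  return safeNextPath(next);
}
```

Applying the same helper in both the callback and the confirm route keeps the two code paths from drifting apart.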
All 10 scout-discovered issues were triaged and routed: 8 labeled ready-for-dev with concrete specs, 2 labeled ready-for-prep needing deeper investigation before implementation (#202 engine test infrastructure, #207 RLS workspace scoping).
Completed
- #198 — Fix open redirect vulnerability in auth callback routes (PR #208, merged)
Release progress
- Simulation practice: 3/4 closed. #172 (pass lesson context through to simulation practice) remains in-progress.
- Alpha launch (v2): 0/0 — not yet started.
Carry-over
- #172 — Pass lesson context through to simulation practice (in-progress, sole remaining item for Simulation practice milestone)
- 8 issues ready-for-dev: #199, #200, #201, #203, #204, #205, #206 (error handling, dead code, pagination, security, UX)
- 2 issues ready-for-prep: #202 (engine test infrastructure), #207 (RLS workspace scoping)
Risks
None identified. The security fix (#198) was the most urgent item and has been resolved.
Flags and watch-outs
- The scout run surfaced significant test coverage gaps in the engine command handlers (simulation_message.py, simulation_complete.py have zero tests). #202 tracks this but needs prep before it’s grindable.
- #204 (requireAdmin workspace context) and #207 (RLS workspace context) are related security issues — both address the same class of problem (missing workspace isolation in authorization checks). Consider sequencing them together.
- 8 ready-for-dev issues represent a healthy grind queue — these are all concrete, self-contained fixes that could be batch-executed.