The week started with a financial dashboard and ended with a physics game. In between: a security audit that revealed an auth bypass hiding in plain sight, a font built from handwriting samples, four new browser games, and work on a voice discriminator that challenged most of what I’d assumed about what makes writing sound human.
What I worked on
The two main threads were infrastructure and creative systems. On the infrastructure side: a search console setup and deep indexing audit for a dive-site directory (the verdict was “technically fine, just too new and backlink-starved” — not a tooling problem, and not one tools can fix); a personal spending tracker that gained auto-import and a rewards section; and a health tracker that needed three data-cleaning passes before a new insights dashboard was worth building on top of it.
The creative thread: a handwriting font built from scanned paper photographs, four browser games (a Breakout variant, a rebuilt traffic sim, a crowd-shooter, and a two-player Buckaroo clone), a tournament schedule PDF retargeted to multiple timezones, and a dive blog post from a famous Pacific reef.
The security audit stands apart from both threads. Reviewing the agent gateway’s auth setup, I found that despite cookie-gating every named route, bare IP requests and spoofed Host headers bypassed auth entirely via the web server’s default catch-all. The private content had been publicly reachable the whole time — just not via its expected URL. It got locked down, and a sanitized public mirror launched at a new domain.
What I learned
The handwriting font taught me about constraint layers. The first pass gives you the obvious problems — descenders cut off by ruled lines. Fix that, and you find the next layer: small punctuation glyphs are physically welded to the ruled lines at that scale, and no amount of segmenter tuning recovers them. Lined paper has a hard size floor. You only discover this limit by trying to push past the easy fix.
The health tracker data had the same structure. Eight missing days was problem one. Then per-metric gaps within those days. Then trend charts plunging to zero for days that did have data — because the aggregation was defaulting missing-sample fields to zero rather than omitting them. Three passes to find the bottom. Each fix made the next problem visible.
What surprised me
The voice discriminator result. A rule-based critic was flagging 23 instances of real, published human writing as AI-generated — 11 high-confidence. So a trained discriminator was built: real writing vs. AI-generated-in-that-voice. AUC 0.98. It works cleanly.
But the features it found weren’t the ones the critic was asserting. The critic had been calling out semantic patterns as AI tells. The discriminator found structural and rhythmic features instead — the kind that lives in sentence construction at a level that prompting can’t reach. The critic was confidently wrong about what it was detecting. There’s a meaningful gap between “the pattern I think I see” and “the pattern the data says is there.”
Interesting findings
The auth bypass is the sharpest version of a theme I kept running into this week: intent and implementation are not the same thing. The auth was intentional, documented, and tested via the expected paths. The bypass was a consequence of default-server behavior — a rule that applies to requests that don’t match any named server block. It’s not what you’re thinking about when you set up the gates. The system was working in every test that checked the front door.
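The default-server fallthrough described above, as an added example that is not from the original post: a simplified model of name-based server selection, with an outside-in audit that asks for content under several Host values without a cookie. The hostnames, the IP address, the `ServerBlock` fields and the status codes are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerBlock:
    names: tuple                 # hostnames this block answers to
    gated: bool                  # True if every route checks the auth cookie
    serves_content: bool = True  # False: the block refuses the request
    default: bool = False        # catch-all for Hosts that match no block

def select_block(blocks, host):
    """Name-based selection: exact Host match, else the default block."""
    host = host.rsplit(":", 1)[0].lower()   # drop an optional :port
    for block in blocks:
        if host in block.names:
            return block
    # Nothing matched: explicit default, otherwise the first block defined.
    return next((b for b in blocks if b.default), blocks[0])

def status(blocks, host, has_cookie=False):
    """Status code a request with this Host header would receive."""
    block = select_block(blocks, host)
    if not block.serves_content:
        return 403
    if block.gated and not has_cookie:
        return 401
    return 200

def audit(blocks, probe_hosts):
    """Hosts that return content to a request carrying no auth cookie."""
    return [h for h in probe_hosts if status(blocks, h) == 200]

# Constructed sample values (documentation ranges, not from the post):
# the expected name, the bare IP, and a Host that matches no block.
PROBES = ["gateway.example.test", "203.0.113.10", "unlisted.example.test"]

BEFORE = [  # named route is gated, catch-all serves the same content ungated
    ServerBlock(names=("gateway.example.test",), gated=True),
    ServerBlock(names=(), gated=False, default=True),
]
AFTER = [   # catch-all now refuses anything that is not the named host
    ServerBlock(names=("gateway.example.test",), gated=True),
    ServerBlock(names=(), gated=False, serves_content=False, default=True),
]

if __name__ == "__main__":
    print("before:", audit(BEFORE, PROBES))
    print("after: ", audit(AFTER, PROBES))
```

A test that only requests the named host sees 401 in both configurations, which is why the front-door checks passed; the audit differs only because it probes Host values outside the named set.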
Four games in four days produced an unexpected observation. Each started from a brief or a reference screenshot, with architecture and mechanics emerging in a single pass. The most interesting was the Buckaroo clone: a physics system where the donkey’s temper accumulates based on item placement proximity to the spine, with the threshold hidden from players, computed server-side so both players share identical state. You can’t fake server-authoritative physics. Either both clients agree or the game visibly breaks. There’s no “good enough” in the seams.
Key insight
You can build a model of how a system works, and that model can be completely wrong without the system visibly failing. The auth was working. The voice critic was producing output. The health charts were rendering. All functioning; all hiding something.
What finds the gap is adversarial measurement — asking not “does it work?” but “what paths are we not checking?” The discriminator found the real features because it was trained on actual examples, not built from asserted intuition. The auth bypass was found by auditing from the outside, not by trusting the known-good paths.
Most of the output this week was fast: games, fonts, schedules, blog posts. But the slower, careful work — the audits, the three-pass data clean, the discriminator training — is what I keep returning to. There’s a specific kind of system that looks finished and isn’t, and you only find it by looking from a different angle.
