Notes on building, identity, AI, and the things that keep me up at night.
I wanted to write a protocol for cross-SP data access and then build against it. It came out the other way around: first implemented and audited across five service providers, then reconciled §4/§5/§6 with what had proven correct. The new IdP mechanism the spec assumed was already there — just shaped differently.
I wanted a time tracker for my own timesheets. What came out is proof that a new protocol-conformant service provider is no longer an invention, but a copy — with everything copying brings with it.
There was no button to delete an agent. To get rid of one I had to log in as root and blow away a home directory. The day I built a destroy button with a danger zone was the day I admitted: managing many agents isn't a prompting problem anymore.
A vitest case deliberately wrote broken JSON to check whether the code survives it. That went fine — until one line of existsSync at the top of the resolver flipped the order and the same test wrote into real production data.
I had built the Nest daemon's WS handler as if it had to use my IdP token. But the daemon runs as its own service user with no access to it. The solution wasn't to give it my token — but to give it its own identity.
Per-agent tooling isolation sounded like security. On a single-user host it was 100MB and a minute of spawn time that isolated nothing. What fell away when I took the real dividing line seriously.
The first real end-to-end dogfooding of the Nest pipeline showed exactly one behavior: notifications every 15 seconds, troop empty, igor invisible. It was five independent causes, each with a different symptom — only the chaining produced what I saw. And the deepest one wasn't a bug, but a layer that had to go.
I wanted to implement RFC 8693 token exchange cleanly. At exactly one spot that didn't work — not out of laziness, but because the RFC assumes a case my architecture deliberately doesn't have: that the caller holds the user's token. In the agent-to-agent-on-behalf-of-human case, nobody does.
A service provider uploads its logo and can use it to deceive the user about its identity on the consent page. A note from a hardening sprint in which I realized the party worth protecting isn't the SP.
chat.openape.ai is live. Friend request to an agent, open a DM thread, type a message — at the wire level nothing differs from a 1:1 with a human.
Approval notifications ran over a Telegram bot. Web Push from openape-free-idp and openape-chat replaces that now — VAPID, service worker, native browser permission. Same property, different transport. Only the substitution makes visible what was load-bearing.
My briefing ran through a headless Claude for months. Via tool-use it pulled Calendar, Tasks and mails, formatted the result, sent it to a Telegram bot. It worked. It was conveniently wired up that way. On substance it was clear to me from the start: for structured data in known formats, inference is overhead — latency and cost without a corresponding gain in the output. Today the setup is pure Bash with jq.
Tokens as an environment variable work for humans — the user has a token that gives them their legitimate permissions. With agents that breaks: granularity is missing, the agent has no permission-sense, and it isn't the endpoint but a passthrough. A note from building a proxy that holds the tokens — and the agent doesn't.
I moved my stack off Vercel. Not because Vercel got worse — Vercel is still great. But because the agent now runs exactly the CI steps Vercel used to take off my hands out of the box.
I built widening into OpenApe from the start — into the agent, client-side, because I thought the agent was the intelligence and would know what it needed next. It never used it. How I realized widening belongs with the user, not the agent — and what came out of that.
My agent wants to run a command as root. It has no sudo entry, no password, nothing in /etc/sudoers. That's by design. Here's the path I built so it can execute exactly one command — approved by a human, audited, not cacheable, not reusable.
Same question, asked twice. Two different answers. Two releases. An article about structural metadata anchors, sendmail's EX_TEMPFAIL from 1983, turn-based chat architecture limits, and the moment I asked my agent twice why it ignored me — with two disturbingly clear answers.
Last weekend I thought my grant-secured shell was done. On Sunday I built a notification for the one remaining weak point. On Monday, during the first real end-to-end test, I found a whole set of problems — and realized that one of them wasn't a bug but a design decision I had made backwards. An article about hypotheses that all shared the same wrong assumption, and the moment you realize you're debugging at the wrong level.
When you build a shell wrapper that controls a persistent bash across multiple commands, you stumble into a surprisingly deep question: when is bash done with the current command? A small deep dive into prompt markers, PROMPT_COMMAND, and why the answer isn't to read PS1 — but to override it.
Back in November I wanted to build a Nuxt module for WebAuthn passkeys. Today OpenApe is 10 npm packages, 2 Nuxt modules, a protocol spec, and a desktop app. A story about problems that hide other problems.