Update for the week ending on Friday, Apr 24, 2026

Refactoring English

• Continued working on AI chapter
• Updated metadata for HN Popularity Contest
• Reached out to a new reader

simpleauth

• Overhauled the API so that simpleauth handles sessions and no longer layers in a separate session library.
  • The side effect is that it no longer handles session storage, which the session library used to do.
  • This is really complicated, but I find it less complicated than the previous implementation where logic was scattered across consuming project, simpleauth, and the session library.
• Move the project from Github to Codeberg
• Switched from CircleCI to NixCI
• Add a .gitignore file

ScreenJournal

ScreenJournal is basically Goodreads, but for TV and movies. Or letterboxd, but focused on small communities.

• Started migrating to new simpleauth
  • This is practice for Little Moments so I can get all of the little issues figured out on a more familiar codebase.
• Switched to the codeberg version of simpleauth
• Updated to go 1.26.1
  • Integrated recent Go language improvements
  • Upgraded to errcheck v1.10.0
  • Fixed GOROOT to match Go 1.26 in dev shell
    • I feel like I have to do this or undo this every few Go releases and don’t understand why.
• Dropped ldflags from go tool installs
  • They were causing issues, and I apparently don’t need them now that I’ve eliminated the CGO dependency
• Added more paths to .gitignore

Little Moments

Little Moments is an open-source web app I’m working on to replace the current family photo sharing app (TinyBeans) I used (which I strongly dislike).

• Worked on integrating the new simpleauth into magic login authentication

Weekly Updates

• Deleted the unused .clinerules folder

Security Research

• Created a tool for automatically checking a class of bugs I’ve been finding with AI
• Reported 8 new security vulnerabilities to a vendor

NixOS Config

• Tried a new sandbox setup using a VM
  • My standard local sandbox is an ephemeral project-scoped podman container, but the host-guest isolation restrictions often get in the way of work
  • With a VM that has limited access to the host, I can do stuff like VMs in VMs or Docker in VMs.
  • The downside is that if one project is compromised, they’re all compromised because it’s otherwise too hard to keep per-project VMs.
• Expanded my .npmrc to reduce attack surface:

  save-exact=true
  ignore-scripts=true
  min-release-age=21
  

• Tried again to prevent Awesome WM from resetting my desktop setup occasionally

Misc

• Submitted an image compression PR to Michael Stapelberg’s blog