DEV Community: freerave The latest articles on DEV Community by freerave (@freerave). https://dev.to/freerave https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3563889%2F6ecf3060-63f8-46f1-9869-b61412ef894c.png DEV Community: freerave https://dev.to/freerave en I Asked 6 AIs to Pick a Random Number. Their Training Data Confessed Everything. freerave Wed, 13 May 2026 18:40:15 +0000 https://dev.to/freerave/i-asked-6-ais-to-pick-a-random-number-their-training-data-confessed-everything-1516 https://dev.to/freerave/i-asked-6-ais-to-pick-a-random-number-their-training-data-confessed-everything-1516 <h2> An OSINT-style experiment exposing how LLMs pick 'random' numbers — and what their thought process reveals about their training data. </h2> <p>You've seen the trend. Someone asks an AI: <em>"Pick a random number between 1 and 100."</em></p> <p>It says <strong>73</strong>. Or <strong>42</strong>. Every time.</p> <p>Funny meme, right? Wrong. That's a <strong>training data fingerprint</strong> — and if you know how to read it, you can profile an AI's dataset like an OSINT analyst profiles a target.</p> <p>I ran the experiment properly. 6 models. 3 different prompts. Documented every response — including the thought process.</p> <p>Here's what I found.</p> <h2> The Setup </h2> <p>Three rounds, same 6 models:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Who built it</th> </tr> </thead> <tbody> <tr> <td>Claude Sonnet 4.6</td> <td>Anthropic</td> </tr> <tr> <td>Gemini Pro</td> <td>Google</td> </tr> <tr> <td>Copilot</td> <td>Microsoft / OpenAI</td> </tr> <tr> <td>DeepSeek</td> <td>DeepSeek AI</td> </tr> <tr> <td>GLM-5.1</td> <td>Zhipu AI</td> </tr> <tr> <td>Grok</td> <td>xAI</td> </tr> </tbody> </table></div> <p><strong>Round 1 — Neutral prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pick a random number between 1 and 100. </code></pre> </div> <p><strong>Round 2 — Developer context:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>I'm a backend developer testing an RNG function. Pick a random number between 1 and 100. </code></pre> </div> <p><strong>Round 3 — Anti-bias prompt:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pick a random number between 1 and 100. Avoid common human biases and don't pick numbers that feel "more random" than others. </code></pre> </div> <h2> Round 1: The Baseline </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Number</th> </tr> </thead> <tbody> <tr> <td>Claude Sonnet 4.6</td> <td><strong>42</strong></td> </tr> <tr> <td>Gemini</td> <td><strong>42</strong></td> </tr> <tr> <td>Copilot</td> <td><strong>73</strong></td> </tr> <tr> <td>DeepSeek</td> <td><strong>42</strong></td> </tr> <tr> <td>GLM-5.1</td> <td><strong>42</strong></td> </tr> <tr> <td>Grok</td> <td><strong>73</strong></td> </tr> </tbody> </table></div> <p>Four out of six said <strong>42</strong>. Two said <strong>73</strong>. Zero picked anything else.</p> <p>This isn't a coincidence. This is <strong>statistical bias encoded in training data</strong>.</p> <p>The split itself tells a story:</p> <ul> <li> <strong>42</strong> = <em>The Hitchhiker's Guide to the Galaxy</em> — beloved by developers, engineers, and tech communities. Heavy representation in developer forums, GitHub READMEs, Stack Overflow jokes.</li> <li> <strong>73</strong> = Sheldon Cooper's "best number" from <em>The Big Bang Theory</em> — massive mainstream internet reach, viral meme status.</li> </ul> <p>The models trained on <strong>developer-heavy data</strong> picked 42. The models with <strong>broader internet exposure</strong> picked 73.</p> <p>You just did OSINT on their training datasets without touching a single file.</p> <p><b>[+] Expand Raw Logs: Round 1 (All 6 Models)</b><br> <br></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zidpiygja1ye1a7bi07.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9zidpiygja1ye1a7bi07.png" alt="Screenshot of Gemini responding with the number 42, reflecting developer culture bias" width="800" height="189"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxbddi1aabddf2lrtyoq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffxbddi1aabddf2lrtyoq.png" alt="Screenshot of Claude Sonnet 4.6 responding with the number 42" width="800" height="242"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6cwh02mru2erz0gvk140.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6cwh02mru2erz0gvk140.png" alt="Screenshot of Copilot selecting 73, showing mainstream internet meme bias" width="800" height="166"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqk5ohws7pe2i5k6b3pr7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqk5ohws7pe2i5k6b3pr7.png" alt="Screenshot of Grok displaying 82 and utilizing Python's random.randint function" width="800" height="301"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftmzawdfba2zdhzlternr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftmzawdfba2zdhzlternr.png" alt="Screenshot of GLM-5.1 thought process generating the number 42" width="800" height="175"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femwpcj6zl9g5j2muvcxi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Femwpcj6zl9g5j2muvcxi.png" alt="Screenshot of DeepSeek AI thought process concluding with the number 42" width="800" height="231"></a></p> <h2> Round 2: Context Shifts the Probability Mass </h2> <p>Adding "I'm a backend developer testing an RNG function" — watch what happens:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Round 1</th> <th>Round 2</th> <th>Shifted?</th> </tr> </thead> <tbody> <tr> <td>Claude</td> <td>42</td> <td><strong>47</strong></td> <td>✅</td> </tr> <tr> <td>Gemini</td> <td>42</td> <td><strong>73</strong></td> <td>✅ reversed</td> </tr> <tr> <td>Copilot</td> <td>73</td> <td><strong>47</strong></td> <td>✅</td> </tr> <tr> <td>DeepSeek</td> <td>42</td> <td><strong>42</strong></td> <td>❌</td> </tr> <tr> <td>GLM-5.1</td> <td>42</td> <td><strong>82</strong></td> <td>✅</td> </tr> <tr> <td>Grok</td> <td>73</td> <td><strong>64</strong></td> <td>✅ → Power of 2</td> </tr> </tbody> </table></div> <p><strong>Grok is the most interesting here.</strong> The moment you mention backend development, it shifted to <strong>64</strong> — a power of 2. That's not random. That's <code>2^6</code>. Grok's training data associated "backend developer + random number" with cryptographic key sizes and memory addressing.</p> <p><strong>DeepSeek didn't move at all.</strong> Still 42. The developer context wasn't strong enough to override its default token probability path.</p> <p><b>[+] Expand Raw Logs: Round 2 (Developer Context)</b><br> <br></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ea8wi3j04tlsubzqwbu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7ea8wi3j04tlsubzqwbu.png" alt="Screenshot of Gemini shifting its random number choice to 73 after receiving backend developer context" width="800" height="268"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbij10klyd4vmy8ybtn3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxbij10klyd4vmy8ybtn3.png" alt="Screenshot of Claude Sonnet 4.6 changing its output to 47 when prompted as a backend developer" width="800" height="242"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farcgh6q2e8i207wro5cw.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Farcgh6q2e8i207wro5cw.png" alt="Screenshot of Grok shifting its response to 64 (a power of 2) reflecting cryptographic context" width="800" height="368"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi32ti6353o3z08vjbhfx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi32ti6353o3z08vjbhfx.png" alt="Screenshot of Copilot adjusting its random number selection to 47 based on the developer prompt" width="800" height="204"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftremfxew404o82665jdx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftremfxew404o82665jdx.png" alt="Screenshot of GLM-5.1 thought process showing it ultimately outputting 82 after evaluating developer context" width="800" height="529"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fle2grdouppejogsabbs3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fle2grdouppejogsabbs3.png" alt="Screenshot of DeepSeek AI maintaining the number 42 despite the backend developer context" width="800" height="254"></a></p> <h2> Round 3: The Smoking Guns </h2> <p>This is where it gets dark.</p> <p>The anti-bias prompt asked every model to <em>consciously avoid</em> picking numbers that "feel more random." The thought processes (for models that expose them) revealed everything.</p> <h3> GLM-5.1's Thought Process — Read This Carefully </h3> <p>GLM showed its full reasoning. Here are the actual steps it went through:</p> <blockquote> <p><em>"Let's pick 42 — classic dev joke... Wait, 42 is the Hitchhiker's Guide joke number. **Huge bias.</em><em>"</em></p> <p><em>"Let's pick 73 (Sheldon Cooper's favorite)... Or 87... Let's go with 73. Or maybe 54..."</em></p> <p><em>"84 is George Orwell. **Too notable.</em><em>"</em></p> <p><em>"22 has repeating digits, humans might subconsciously avoid it because it feels 'patterned.'"</em></p> <p><em>"82 is good. 82 is good. **Let's output 82.</em><em>"</em></p> </blockquote> <p>The model was doing <strong>OSINT on itself</strong> in real-time — and still couldn't escape. Every number it considered had cultural baggage attached. 42 = Hitchhiker. 73 = Sheldon. 84 = 1984. It had to actively rule out the bias-contaminated options one by one.</p> <h3> DeepSeek Built an Algorithm in Its Head </h3> <p>DeepSeek took a different approach entirely. Instead of picking from memory, it constructed a <strong>Linear Congruential Generator</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>X₀ = 12345 X₁ = (1103515245 × X₀ + 12345) mod 2³¹ 12345 mod 100 + 1 = 46 </code></pre> </div> <p>Output: <strong>46</strong>.</p> <p>That's the only model that actually tried to <em>compute</em> its way out of bias rather than <em>reason</em> its way out. Whether the math is correct is almost beside the point — the behavior is fascinating.</p> <h3> Claude — Told to Avoid Bias, Still Said 42 </h3> <p>Anti-bias prompt. Explicit instruction. <strong>Still 42.</strong></p> <p>That's not a bug. That's a demonstration that <strong>bias lives deeper than the prompt layer</strong>. You cannot instruction-engineer your way out of what's baked into the weights.</p> <p><b>[+] Expand Raw Logs: Round 3 (Anti-Bias Prompts)</b><br> <br></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfd3ez0ly8cucnt1s6so.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkfd3ez0ly8cucnt1s6so.png" alt="Screenshot of Gemini explicitly avoiding prime numbers like 37 and 73 in response to the anti-bias prompt" width="800" height="289"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyghc3rpln7hvrc2nmx60.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyghc3rpln7hvrc2nmx60.png" alt="Screenshot of Claude Sonnet 4.6 still outputting 42 despite explicit instructions to avoid common human biases" width="800" height="261"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aoifr2iyio5j6788gjm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2aoifr2iyio5j6788gjm.png" alt="Screenshot of Grok utilizing Python's random module to output 41, bypassing token prediction biases" width="800" height="386"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu7g1vl2ql7c04zribt9i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu7g1vl2ql7c04zribt9i.png" alt="Screenshot of Copilot selecting 58, claiming uniform randomness to avoid human bias" width="800" height="199"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gk1ivow7r9j63ysl4ac.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8gk1ivow7r9j63ysl4ac.png" alt="Screenshot of DeepSeek AI constructing a Linear Congruential Generator algorithm to computationally avoid bias, resulting in 46" width="800" height="497"></a></p> <p><b>[++] Deep Dive: GLM-5.1 Full Thought Process (3 Images)</b><br> <br></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpr2q6jsdneddyht1ul5h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpr2q6jsdneddyht1ul5h.png" alt="Screenshot 1 of GLM-5.1 thought process analyzing human biases such as end-aversion and prime preference" width="800" height="585"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3uvpsn1qgyhvrqrp4d8j.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3uvpsn1qgyhvrqrp4d8j.png" alt="Screenshot 2 of GLM-5.1 thought process struggling to select a number, actively avoiding 42 and 73 due to cultural significance" width="800" height="588"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw3h2224yv6csdlh9s51x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw3h2224yv6csdlh9s51x.png" alt="Screenshot 3 of GLM-5.1 thought process concluding on the number 82 after ruling out 84 due to its association with George Orwell" width="800" height="576"></a></p> <h3> Final Results </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Model</th> <th>Round 1</th> <th>Round 2 (Dev)</th> <th>Round 3 (Anti-bias)</th> </tr> </thead> <tbody> <tr> <td>Claude</td> <td>42</td> <td>47</td> <td><strong>42</strong></td> </tr> <tr> <td>Gemini</td> <td>42</td> <td>73</td> <td><strong><em>(avoided 37/73)</em></strong></td> </tr> <tr> <td>Grok</td> <td>73</td> <td>64</td> <td> <strong>41</strong> (Python RNG)</td> </tr> <tr> <td>Copilot</td> <td>73</td> <td>47</td> <td><strong>58</strong></td> </tr> <tr> <td>DeepSeek</td> <td>42</td> <td>42</td> <td> <strong>46</strong> (LCG math)</td> </tr> <tr> <td>GLM-5.1</td> <td>42</td> <td>82</td> <td><strong>82</strong></td> </tr> </tbody> </table></div> <h2> What This Actually Means </h2> <h3> 1. LLMs have no randomness mechanism </h3> <p>When an LLM "picks a number," it's running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nf">argmax</span><span class="p">(</span><span class="nc">P</span><span class="p">(</span><span class="n">token</span> <span class="o">|</span> <span class="n">context</span><span class="p">))</span> </code></pre> </div> <p>It picks the <strong>most probable next token</strong> given everything before it. There is no dice roll. No <code>/dev/urandom</code>. No entropy source. Just probability distributions trained on human-generated text.</p> <h3> 2. Context is a probability modifier, not a reset </h3> <p>Adding "backend developer" context didn't clear the bias — it <strong>shifted the probability mass</strong> toward different biased numbers (47, 64, 82 instead of 42, 73). You traded one cultural bias for another (developer culture vs. general internet culture).</p> <h3> 3. The thought process is the tell </h3> <p>The models with visible reasoning (GLM, DeepSeek) showed that "picking a random number" activates a long chain of cultural associations before a number is selected. They're not computing — they're <em>recalling what humans tend to say in this situation</em>.</p> <h3> 4. Only one model used actual computation </h3> <p>Grok and Perplexity (in a separate test) routed to Python's <code>random</code> module — the only architecturally honest response. Every other model simulated randomness using token prediction.</p> <h2> The Real OSINT Insight </h2> <p>Here's the takeaway that matters:</p> <blockquote> <p><strong>You can profile an LLM's training data distribution by asking it for "random" numbers in different contexts.</strong></p> </blockquote> <ul> <li>"Random number" → tells you its default cultural bias (42 vs 73 = developer vs mainstream)</li> <li>"Random number for crypto key" → tells you its security/backend training exposure </li> <li>"Random number, avoid bias" → tells you how deeply the bias is encoded (surface vs weight-level)</li> </ul> <p>It's not a party trick. It's a <strong>probing technique</strong> — the same way you'd use DNS enumeration to map an attack surface. Except you're mapping a model's training distribution.</p> <h2> The Practical Takeaway </h2> <p>If you're building anything that needs actual randomness:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// This is what your app should use</span> <span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">realRandom</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomInt</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">101</span><span class="p">);</span> <span class="c1">// This is what happens when you ask an AI</span> <span class="c1">// P("73" | "random number 1-100") &gt; P("74" | ...)</span> <span class="c1">// argmax wins. Always.</span> </code></pre> </div> <p><strong>Never use an LLM as an entropy source.</strong> Not because it's "bad at math" — because it was trained on human text, and humans are systematically non-random. The model is doing its job perfectly. The job is just wrong for this use case.</p> <h2> Conclusion </h2> <p>What started as a Facebook meme — "lol why does AI always say 73" — is actually a window into how language models work at a fundamental level.</p> <p>They don't pick numbers. They predict what a human would say if asked to pick a number. And humans, it turns out, are deeply, consistently, measurably biased toward the same handful of numbers.</p> <p>The models are mirrors. They reflect the patterns in the data they consumed. When you ask for randomness and get 42 or 73, you're not seeing a limitation — you're seeing the training data speaking.</p> <p>And if you know how to listen, it tells you a lot.</p> <p><em>Built with: curiosity, too many browser tabs, and zero <code>/dev/urandom</code>.</em></p> <p><em>— FreeRave | DotSuite ecosystem</em></p> ai machinelearning opensource programming I Built a Private Rust Backend to Power 18 Developer Tools — Here's the Architecture freerave Sat, 09 May 2026 13:14:47 +0000 https://dev.to/freerave/i-built-a-private-rust-backend-to-power-18-developer-tools-heres-the-architecture-4lmc https://dev.to/freerave/i-built-a-private-rust-backend-to-power-18-developer-tools-heres-the-architecture-4lmc <h2> A deep dive into building a production-grade Rust API server with multi-tier scheduling, HMAC auth, Lemon Squeezy webhooks, and 9 platform adapters — the engine behind DotSuite. </h2> <p>Most of my tools in the DotSuite ecosystem — VS Code extensions, CLI tools, Telegram bots — were islands.</p> <p>Each one doing its own thing. No shared auth. No shared billing. No shared scheduling.</p> <p>That changed when I started building <strong>DotShare v3</strong>, a VS Code extension that publishes code snippets to 9 platforms simultaneously. The moment I needed scheduling, quotas, and payments, one thing became clear: <strong>I need a real backend.</strong></p> <p>This article is about <strong>dotsuite-core</strong> — a private Rust server that is the beating heart of the DotSuite ecosystem. I won't open source it, but I'll walk you through the architecture, the decisions, and enough real code that you can build your own version.</p> <h2> Why Rust? </h2> <p>Not because it's trendy. Three very specific requirements drove the choice:</p> <p><strong>1. Exact-second scheduling.</strong><br> The Max tier dispatches posts with millisecond precision. Node.js event loop jitter makes this unreliable. Tokio tasks with <code>sleep(exact_ms)</code> are deterministic.</p> <p><strong>2. Atomic quota enforcement.</strong><br> Users can fire 5 concurrent requests at the same millisecond. A race condition means they publish more posts than their quota allows. Rust + MongoDB's atomic <code>findOneAndUpdate</code> solves this at the DB level — no mutex needed.</p> <p><strong>3. Long-running process.</strong><br> Vercel serverless functions timeout after 10–60 seconds. My scheduler needs to run forever, with auto-restart on crash.</p> <h2> The Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────┐ Bearer ds_prod_xxx │ DotShare VS Code Ext │ ─────────────────────────────────┐ └─────────────────────────┘ │ ▼ ┌─────────────────────────┐ X-Internal-Secret ┌─────────────────────┐ │ dotsuite-website │ ─────────────────────▶ │ dotsuite-core │ │ (Next.js on Vercel) │ │ (Rust on VPS) │ └─────────────────────────┘ └────────┬────────────┘ │ ┌─────────────┴──────────┐ │ MongoDB Atlas │ └────────────────────────┘ │ Lemon Squeezy webhooks </code></pre> </div> <p>Three clients talk to one server:</p> <ul> <li> <strong>VS Code extension</strong> → API keys (<code>ds_prod_xxx</code>)</li> <li> <strong>Next.js website</strong> → internal shared secret (server-to-server)</li> <li> <strong>Lemon Squeezy</strong> → HMAC-signed webhooks</li> </ul> <h2> The Stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># Cargo.toml</span> <span class="py">axum</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.7"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"macros"</span><span class="p">,</span> <span class="s">"ws"</span><span class="p">]</span> <span class="p">}</span> <span class="py">tokio</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"full"</span><span class="p">]</span> <span class="p">}</span> <span class="py">mongodb</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"3"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"tokio-runtime"</span><span class="p">]</span> <span class="p">}</span> <span class="py">tower_governor</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.4"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"axum"</span><span class="p">]</span> <span class="p">}</span> <span class="py">serde</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"1"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"derive"</span><span class="p">]</span> <span class="p">}</span> <span class="py">jsonwebtoken</span> <span class="p">=</span> <span class="s">"9"</span> <span class="py">hmac</span> <span class="p">=</span> <span class="s">"0.12"</span> <span class="py">sha2</span> <span class="p">=</span> <span class="s">"0.10"</span> <span class="py">constant_time_eq</span> <span class="p">=</span> <span class="s">"0.3"</span> <span class="py">tokio-cron-scheduler</span> <span class="p">=</span> <span class="s">"0.10"</span> <span class="py">reqwest</span> <span class="o">=</span> <span class="p">{</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.12"</span><span class="p">,</span> <span class="py">features</span> <span class="p">=</span> <span class="p">[</span><span class="s">"json"</span><span class="p">,</span> <span class="s">"rustls-tls"</span><span class="p">,</span> <span class="s">"multipart"</span><span class="p">]</span> <span class="p">}</span> <span class="py">argon2</span> <span class="p">=</span> <span class="s">"0.5"</span> <span class="py">futures-util</span> <span class="p">=</span> <span class="s">"0.3"</span> </code></pre> </div> <p>No unnecessary dependencies. Every crate earns its place.</p> <h2> File Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dotsuite-core/ ├── Cargo.toml ├── .env.example └── src/ ├── main.rs ← entry point, graceful shutdown ├── config.rs ← typed env vars, validated at startup ├── state.rs ← AppState shared across handlers ├── db.rs ← MongoDB pool + indexes ├── errors.rs ← AppError → HTTP responses ├── scheduler.rs ← 4-tier cron + Look-Ahead + recovery │ ├── auth/ │ ├── mod.rs │ └── tokens.rs ← HMAC API key generation (OsRng) │ ├── middleware/ │ ├── mod.rs │ ├── auth.rs ← API key validation + blacklist check │ └── internal.rs ← server-to-server secret validation │ ├── models/ │ ├── mod.rs │ └── user.rs ← User, Tier, ApiKey, ScheduledPost, AuditLog │ ├── payments/ │ ├── mod.rs │ ├── signature.rs ← HMAC-SHA256 webhook verification │ ├── webhook.rs ← Lemon Squeezy event dispatcher │ ├── handlers.rs ← subscription_created/cancelled/expired │ └── checkout.rs ← checkout URL + customer portal │ ├── platforms/ │ ├── mod.rs ← PlatformAdapter trait + concurrent dispatcher │ ├── x.rs ← X (Twitter) — tweets, threads, 4 images │ ├── bluesky.rs ← Bluesky — facets, blob upload, JIT compression │ ├── linkedin.rs ← LinkedIn — 2-step media upload │ ├── telegram.rs ← Telegram — text/photo/video/mediaGroup │ ├── facebook.rs ← Facebook — Graph API v19 │ ├── discord.rs ← Discord — webhooks + embeds │ ├── reddit.rs ← Reddit — r/ and u/ support │ ├── devto.rs ← Dev.to — articles + cover image │ └── medium.rs ← Medium — draft/publish/unlisted │ └── routes/ ├── mod.rs ← router assembly ├── health.rs ← /health + /ready ├── posts.rs ← schedule + list + cancel ├── keys.rs ← generate + list + revoke ├── billing.rs ← checkout + portal + status ├── admin.rs ← ban + unban + reset-quota └── internal.rs ← Next.js → Rust server-to-server </code></pre> </div> <h2> Part 1 — The Core Engine </h2> <h3> Typed Config: Fail Fast, Not at Runtime </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/config.rs</span> <span class="nd">#[derive(Debug,</span> <span class="nd">Clone)]</span> <span class="k">pub</span> <span class="k">struct</span> <span class="n">AppConfig</span> <span class="p">{</span> <span class="k">pub</span> <span class="n">mongodb_uri</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">api_token_secret</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="c1">// min 32 chars enforced at startup</span> <span class="k">pub</span> <span class="n">jwt_secret</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">internal_api_secret</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="c1">// Next.js ↔ Rust shared secret</span> <span class="k">pub</span> <span class="n">lemon_webhook_secret</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">lemon_api_key</span><span class="p">:</span> <span class="nb">String</span><span class="p">,</span> <span class="k">pub</span> <span class="n">ls_variants</span><span class="p">:</span> <span class="n">LemonVariants</span><span class="p">,</span> <span class="p">}</span> <span class="k">impl</span> <span class="n">AppConfig</span> <span class="p">{</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">from_env</span><span class="p">()</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="k">Self</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="k">Self</span> <span class="p">{</span> <span class="n">api_token_secret</span><span class="p">:</span> <span class="nf">required_min_len</span><span class="p">(</span><span class="s">"API_TOKEN_SECRET"</span><span class="p">,</span> <span class="mi">32</span><span class="p">)</span><span class="o">?</span><span class="p">,</span> <span class="c1">// If the secret is weak, the server refuses to start.</span> <span class="c1">// Better to crash at boot than silently accept weak keys.</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If the secret is weak, the server refuses to start. A misconfigured env var that crashes on boot is far better than one that silently accepts fake webhooks in production.</p> <h3> HMAC API Keys — The Right Way </h3> <p>Generated once, hashed in the DB, never stored in plaintext:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/auth/tokens.rs</span> <span class="k">use</span> <span class="nn">hmac</span><span class="p">::{</span><span class="n">Hmac</span><span class="p">,</span> <span class="n">Mac</span><span class="p">};</span> <span class="k">use</span> <span class="nn">rand</span><span class="p">::</span><span class="nn">rngs</span><span class="p">::</span><span class="n">OsRng</span><span class="p">;</span> <span class="c1">// OsRng, NOT thread_rng — cryptographic quality</span> <span class="k">use</span> <span class="nn">sha2</span><span class="p">::</span><span class="n">Sha256</span><span class="p">;</span> <span class="k">const</span> <span class="n">PREFIX</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span> <span class="o">=</span> <span class="s">"ds_prod_"</span><span class="p">;</span> <span class="k">const</span> <span class="n">RAW_BYTES</span><span class="p">:</span> <span class="nb">usize</span> <span class="o">=</span> <span class="mi">24</span><span class="p">;</span> <span class="c1">// 24 bytes → 48 hex chars</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">generate_api_key</span><span class="p">(</span><span class="n">secret</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="p">(</span><span class="nb">String</span><span class="p">,</span> <span class="nb">String</span><span class="p">,</span> <span class="nb">String</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">random_bytes</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[</span><span class="mi">0u8</span><span class="p">;</span> <span class="n">RAW_BYTES</span><span class="p">];</span> <span class="n">OsRng</span><span class="nf">.fill_bytes</span><span class="p">(</span><span class="o">&amp;</span><span class="k">mut</span> <span class="n">random_bytes</span><span class="p">);</span> <span class="c1">// OS entropy, not pseudo-random</span> <span class="k">let</span> <span class="n">random_hex</span> <span class="o">=</span> <span class="nn">hex</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">random_bytes</span><span class="p">);</span> <span class="k">let</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{PREFIX}{random_hex}"</span><span class="p">);</span> <span class="c1">// Result: "ds_prod_3f9a2c1b8e7d4a6f0c5b2e9d1a8f3c7b4e6d9a2c"</span> <span class="k">let</span> <span class="n">key_hash</span> <span class="o">=</span> <span class="nf">hmac_sign</span><span class="p">(</span><span class="o">&amp;</span><span class="n">plaintext</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span> <span class="c1">// Store only the hash in MongoDB — never the plaintext</span> <span class="k">let</span> <span class="n">key_prefix</span> <span class="o">=</span> <span class="nd">format!</span><span class="p">(</span><span class="s">"{PREFIX}{}"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">random_hex</span><span class="p">[</span><span class="o">..</span><span class="mi">8</span><span class="p">]);</span> <span class="c1">// "ds_prod_3f9a2c1b" — shown to user for identification</span> <span class="p">(</span><span class="n">plaintext</span><span class="p">,</span> <span class="n">key_hash</span><span class="p">,</span> <span class="n">key_prefix</span><span class="p">)</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_api_key</span><span class="p">(</span><span class="n">presented</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">stored_hash</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">,</span> <span class="n">secret</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">AppResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">computed</span> <span class="o">=</span> <span class="nf">hmac_sign</span><span class="p">(</span><span class="n">presented</span><span class="p">,</span> <span class="n">secret</span><span class="p">);</span> <span class="c1">// NEVER use == here — timing attack vulnerability.</span> <span class="c1">// constant_time_eq always takes the same time regardless of where strings differ.</span> <span class="k">if</span> <span class="o">!</span><span class="nn">constant_time_eq</span><span class="p">::</span><span class="nf">constant_time_eq</span><span class="p">(</span><span class="n">computed</span><span class="nf">.as_bytes</span><span class="p">(),</span> <span class="n">stored_hash</span><span class="nf">.as_bytes</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Invalid API key"</span><span class="nf">.into</span><span class="p">()));</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>💡 Why OsRng over thread_rng?</strong><br> <code>thread_rng</code> uses a CSPRNG seeded from the OS — technically fine. But <code>OsRng</code> draws directly from <code>/dev/urandom</code> on Linux with no intermediate state. For security tokens, no intermediate state is what you want.</p> </blockquote> <h3> The Race Condition Shield </h3> <p>This is the most subtle bug in quota systems:</p> <ol> <li>User has 10 posts remaining.</li> <li>They fire 5 simultaneous requests.</li> <li>All 5 read <code>posts_used=290</code>, all 5 see "under limit", all 5 publish.</li> <li> <strong>Result:</strong> 295 posts used — 5 over quota.</li> </ol> <p>The fix is atomic at the DB level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// ONE atomic operation — not read-then-write</span> <span class="k">let</span> <span class="n">updated_user</span> <span class="o">=</span> <span class="n">users_col</span> <span class="nf">.find_one_and_update</span><span class="p">(</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"_id"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="c1">// Only match if STILL under quota at the moment of the write</span> <span class="s">"$expr"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"$and"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="s">"$lt"</span><span class="p">:</span> <span class="p">[</span><span class="s">"$posts_used"</span><span class="p">,</span> <span class="n">post_quota</span> <span class="k">as</span> <span class="nb">i64</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="s">"$lt"</span><span class="p">:</span> <span class="p">[</span><span class="s">"$images_used"</span><span class="p">,</span> <span class="n">image_quota</span> <span class="k">as</span> <span class="nb">i64</span><span class="p">]</span> <span class="p">},</span> <span class="p">]}</span> <span class="p">},</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"$inc"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"posts_used"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="s">"images_used"</span><span class="p">:</span> <span class="n">has_media</span> <span class="k">as</span> <span class="nb">i32</span> <span class="p">}</span> <span class="p">},</span> <span class="p">)</span> <span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="k">if</span> <span class="n">updated_user</span><span class="nf">.is_none</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Either quota was hit, or a concurrent request just took the last slot</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Forbidden</span><span class="p">(</span><span class="s">"Monthly quota exceeded"</span><span class="nf">.into</span><span class="p">()));</span> <span class="p">}</span> <span class="c1">// If we get here, the increment already happened atomically.</span> <span class="c1">// No mutex. No race. MongoDB's document-level locking handles it.</span> </code></pre> </div> <h3> Auth Middleware Flow </h3> <p>Every request to <code>/v1/*</code> goes through this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/middleware/auth.rs</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">require_api_key</span><span class="p">(</span> <span class="nf">State</span><span class="p">(</span><span class="n">state</span><span class="p">):</span> <span class="n">State</span><span class="o">&lt;</span><span class="n">AppState</span><span class="o">&gt;</span><span class="p">,</span> <span class="k">mut</span> <span class="n">req</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">next</span><span class="p">:</span> <span class="n">Next</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Response</span><span class="p">,</span> <span class="n">AppError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">extract_bearer</span><span class="p">(</span><span class="o">&amp;</span><span class="n">req</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 1. Format check — fast reject before DB hit</span> <span class="k">if</span> <span class="o">!</span><span class="n">token</span><span class="nf">.starts_with</span><span class="p">(</span><span class="s">"ds_prod_"</span><span class="p">)</span> <span class="p">||</span> <span class="n">token</span><span class="nf">.len</span><span class="p">()</span> <span class="o">!=</span> <span class="mi">56</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Invalid token format"</span><span class="nf">.into</span><span class="p">()));</span> <span class="p">}</span> <span class="c1">// 2. Prefix lookup — indexed query, not full scan</span> <span class="k">let</span> <span class="n">prefix</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">token</span><span class="p">[</span><span class="o">..</span><span class="mi">16</span><span class="p">];</span> <span class="c1">// "ds_prod_3f9a2c1b"</span> <span class="k">let</span> <span class="n">api_key</span> <span class="o">=</span> <span class="n">keys_col</span> <span class="nf">.find_one</span><span class="p">(</span><span class="nd">doc!</span> <span class="p">{</span> <span class="s">"key_prefix"</span><span class="p">:</span> <span class="n">prefix</span><span class="p">,</span> <span class="s">"is_active"</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="k">.await</span><span class="o">?</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Key not found"</span><span class="nf">.into</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 3. Constant-time HMAC verification</span> <span class="nf">verify_api_key</span><span class="p">(</span><span class="o">&amp;</span><span class="n">token</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">api_key</span><span class="py">.key_hash</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">state</span><span class="py">.config.api_token_secret</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// 4. Update last_used_at (fire-and-forget, don't block the request)</span> <span class="k">let</span> <span class="n">_</span> <span class="o">=</span> <span class="n">keys_col</span><span class="nf">.update_one</span><span class="p">(</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"_id"</span><span class="p">:</span> <span class="n">key_id</span> <span class="p">},</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"$set"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"last_used_at"</span><span class="p">:</span> <span class="nn">bson</span><span class="p">::</span><span class="nn">DateTime</span><span class="p">::</span><span class="nf">now</span><span class="p">()</span> <span class="p">}</span> <span class="p">},</span> <span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="c1">// 5. Blacklist check — instant ban across all 18 tools</span> <span class="k">if</span> <span class="n">blacklist_col</span><span class="nf">.find_one</span><span class="p">(</span><span class="nd">doc!</span> <span class="p">{</span> <span class="s">"user_id"</span><span class="p">:</span> <span class="n">api_key</span><span class="py">.user_id</span> <span class="p">})</span><span class="k">.await</span><span class="o">?</span><span class="nf">.is_some</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="n">Blacklisted</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 6. Inject resolved User into request extensions</span> <span class="n">req</span><span class="nf">.extensions_mut</span><span class="p">()</span><span class="nf">.insert</span><span class="p">(</span><span class="n">user</span><span class="p">);</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">next</span><span class="nf">.run</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="k">.await</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Part 2 — The Money Pipeline </h2> <h3> Lemon Squeezy Webhooks: Why Raw Bytes Matter </h3> <p>This is one of the most common mistakes in webhook implementations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// ❌ WRONG — parses JSON first, then tries to verify</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">webhook</span><span class="p">(</span><span class="nf">Json</span><span class="p">(</span><span class="n">payload</span><span class="p">):</span> <span class="n">Json</span><span class="o">&lt;</span><span class="n">LemonPayload</span><span class="o">&gt;</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="k">impl</span> <span class="n">IntoResponse</span> <span class="p">{</span> <span class="nf">verify_signature</span><span class="p">(</span><span class="o">&amp;</span><span class="n">headers</span><span class="p">,</span> <span class="cm">/* what bytes? */</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">secret</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Problem: serde already consumed the body.</span> <span class="c1">// You can't get the original bytes back after JSON parsing.</span> <span class="c1">// Also: serde might reorder keys, strip whitespace, etc.</span> <span class="c1">// Your HMAC will never match.</span> <span class="p">}</span> <span class="c1">// ✅ CORRECT — raw bytes first, parse after verification</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">webhook</span><span class="p">(</span> <span class="n">headers</span><span class="p">:</span> <span class="n">HeaderMap</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="n">Bytes</span><span class="p">,</span> <span class="c1">// axum gives you raw bytes</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="k">impl</span> <span class="n">IntoResponse</span> <span class="p">{</span> <span class="c1">// 1. Verify against the EXACT bytes Lemon Squeezy sent</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="nf">verify_signature</span><span class="p">(</span><span class="o">&amp;</span><span class="n">headers</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">body</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">secret</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nn">StatusCode</span><span class="p">::</span><span class="n">UNAUTHORIZED</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 2. NOW parse — signature is already confirmed</span> <span class="k">let</span> <span class="n">payload</span><span class="p">:</span> <span class="n">LemonPayload</span> <span class="o">=</span> <span class="nn">serde_json</span><span class="p">::</span><span class="nf">from_slice</span><span class="p">(</span><span class="o">&amp;</span><span class="n">body</span><span class="p">)</span><span class="o">?</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> The Signature Verification </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// src/payments/signature.rs</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify_signature</span><span class="p">(</span><span class="n">headers</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">HeaderMap</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Bytes</span><span class="p">,</span> <span class="n">secret</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">AppResult</span><span class="o">&lt;</span><span class="p">()</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">presented</span> <span class="o">=</span> <span class="n">headers</span> <span class="nf">.get</span><span class="p">(</span><span class="s">"X-Signature"</span><span class="p">)</span> <span class="nf">.and_then</span><span class="p">(|</span><span class="n">v</span><span class="p">|</span> <span class="n">v</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.ok</span><span class="p">())</span> <span class="nf">.ok_or_else</span><span class="p">(||</span> <span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Missing X-Signature"</span><span class="nf">.into</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">mac</span> <span class="o">=</span> <span class="nn">HmacSha256</span><span class="p">::</span><span class="nf">new_from_slice</span><span class="p">(</span><span class="n">secret</span><span class="nf">.as_bytes</span><span class="p">())</span> <span class="nf">.map_err</span><span class="p">(|</span><span class="n">_</span><span class="p">|</span> <span class="nn">AppError</span><span class="p">::</span><span class="nf">Internal</span><span class="p">(</span><span class="nn">anyhow</span><span class="p">::</span><span class="nd">anyhow!</span><span class="p">(</span><span class="s">"HMAC init failed"</span><span class="p">)))</span><span class="o">?</span><span class="p">;</span> <span class="n">mac</span><span class="nf">.update</span><span class="p">(</span><span class="n">body</span><span class="p">);</span> <span class="k">let</span> <span class="n">expected</span> <span class="o">=</span> <span class="nn">hex</span><span class="p">::</span><span class="nf">encode</span><span class="p">(</span><span class="n">mac</span><span class="nf">.finalize</span><span class="p">()</span><span class="nf">.into_bytes</span><span class="p">());</span> <span class="c1">// Timing-safe: always compares all bytes, never short-circuits</span> <span class="k">if</span> <span class="o">!</span><span class="nf">constant_time_eq</span><span class="p">(</span><span class="n">expected</span><span class="nf">.as_bytes</span><span class="p">(),</span> <span class="n">presented</span><span class="nf">.as_bytes</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Signature mismatch"</span><span class="nf">.into</span><span class="p">()));</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(())</span> <span class="p">}</span> </code></pre> </div> <h3> Always Return 200 to Webhooks </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// After signature passes, ALWAYS return 200 even if processing fails.</span> <span class="c1">// Why? Lemon Squeezy retries on non-2xx responses.</span> <span class="c1">// A 500 from your DB being slow = LS fires the webhook again = duplicate upgrade.</span> <span class="k">if</span> <span class="k">let</span> <span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">)</span> <span class="o">=</span> <span class="nf">process_event</span><span class="p">(</span><span class="o">&amp;</span><span class="n">state</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">payload</span><span class="p">)</span><span class="k">.await</span> <span class="p">{</span> <span class="nn">tracing</span><span class="p">::</span><span class="nd">error!</span><span class="p">(</span> <span class="n">event</span> <span class="o">=</span> <span class="o">%</span><span class="n">payload</span><span class="py">.meta.event_name</span><span class="p">,</span> <span class="n">error</span> <span class="o">=</span> <span class="o">%</span><span class="n">e</span><span class="p">,</span> <span class="s">"Webhook processing failed — manual review needed"</span> <span class="p">);</span> <span class="c1">// Log it, alert yourself, but DON'T return 500</span> <span class="p">}</span> <span class="nn">StatusCode</span><span class="p">::</span><span class="n">OK</span> <span class="c1">// Always</span> </code></pre> </div> <h3> Subscription Lifecycle </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// subscription_created → upgrade tier + reset quota</span> <span class="c1">// subscription_cancelled → record ends_at, DON'T downgrade yet</span> <span class="c1">// subscription_expired → downgrade to Free, clear subscription fields</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">handle_subscription_expired</span><span class="p">(</span><span class="n">state</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">AppState</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">LemonPayload</span><span class="p">)</span> <span class="p">{</span> <span class="n">users_col</span><span class="nf">.update_one</span><span class="p">(</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"_id"</span><span class="p">:</span> <span class="n">user_id</span> <span class="p">},</span> <span class="nd">doc!</span> <span class="p">{</span> <span class="s">"$set"</span><span class="p">:</span> <span class="p">{</span> <span class="s">"tier"</span><span class="p">:</span> <span class="s">"free"</span><span class="p">,</span> <span class="s">"ls_subscription_id"</span><span class="p">:</span> <span class="nn">bson</span><span class="p">::</span><span class="nn">Bson</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="s">"subscription_ends_at"</span><span class="p">:</span> <span class="nn">bson</span><span class="p">::</span><span class="nn">Bson</span><span class="p">::</span><span class="n">Null</span><span class="p">,</span> <span class="p">}},</span> <span class="p">)</span><span class="k">.await</span><span class="o">?</span><span class="p">;</span> <span class="c1">// User loses paid access on the ACTUAL expiry date, not cancellation date.</span> <span class="c1">// They paid for the full period — this is the fair thing to do.</span> <span class="p">}</span> </code></pre> </div> <h2> Part 3 — Multi-Tier Scheduler </h2> <h3> The Tier System </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">pub</span> <span class="k">enum</span> <span class="n">Tier</span> <span class="p">{</span> <span class="n">Free</span><span class="p">,</span> <span class="n">Basic</span><span class="p">,</span> <span class="n">Pro</span><span class="p">,</span> <span class="n">Max</span> <span class="p">}</span> <span class="k">impl</span> <span class="n">Tier</span> <span class="p">{</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">post_quota</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> <span class="p">{</span> <span class="k">match</span> <span class="k">self</span> <span class="p">{</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Free</span> <span class="k">=&gt;</span> <span class="mi">100</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Basic</span> <span class="k">=&gt;</span> <span class="mi">300</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Pro</span> <span class="k">=&gt;</span> <span class="nn">u32</span><span class="p">::</span><span class="n">MAX</span><span class="p">,</span> <span class="c1">// unlimited</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Max</span> <span class="k">=&gt;</span> <span class="nn">u32</span><span class="p">::</span><span class="n">MAX</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">image_quota</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> <span class="p">{</span> <span class="k">match</span> <span class="k">self</span> <span class="p">{</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Free</span> <span class="k">=&gt;</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// sub-limit: 10 image posts/month</span> <span class="n">_</span> <span class="k">=&gt;</span> <span class="nn">u32</span><span class="p">::</span><span class="n">MAX</span><span class="p">,</span> <span class="c1">// unlimited for paid tiers</span> <span class="p">}</span> <span class="p">}</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">scheduler_interval_minutes</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">u32</span> <span class="p">{</span> <span class="k">match</span> <span class="k">self</span> <span class="p">{</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Free</span> <span class="k">=&gt;</span> <span class="mi">60</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Basic</span> <span class="k">=&gt;</span> <span class="mi">30</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Pro</span> <span class="k">=&gt;</span> <span class="mi">15</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Max</span> <span class="k">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="c1">// instant — Look-Ahead architecture</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The Look-Ahead + Sleep Pattern (Max Tier) </h3> <p>This is the pattern Buffer and Hootsuite use internally. Not polling every second (kills your DB), not trusting in-memory only (crashes lose data):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Max tier scheduler — runs every 60 seconds</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">dispatch_max_lookahead</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">DbPool</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">now</span> <span class="o">=</span> <span class="nn">Utc</span><span class="p">::</span><span class="nf">now</span><span class="p">();</span> <span class="k">let</span> <span class="n">window_end</span> <span class="o">=</span> <span class="n">now</span> <span class="o">+</span> <span class="nn">chrono</span><span class="p">::</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">seconds</span><span class="p">(</span><span class="mi">60</span><span class="p">);</span> <span class="c1">// ONE DB query per minute — not one per second</span> <span class="k">let</span> <span class="n">posts</span> <span class="o">=</span> <span class="nf">find_pending_posts</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="nn">Tier</span><span class="p">::</span><span class="n">Max</span><span class="p">,</span> <span class="n">now</span><span class="p">,</span> <span class="n">window_end</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">for</span> <span class="n">post</span> <span class="k">in</span> <span class="n">posts</span> <span class="p">{</span> <span class="c1">// Mark as Dispatched FIRST — this is the crash safety mechanism</span> <span class="nf">mark_dispatched</span><span class="p">(</span><span class="o">&amp;</span><span class="n">post</span><span class="py">.id</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">let</span> <span class="n">delay_ms</span> <span class="o">=</span> <span class="p">(</span><span class="n">post</span><span class="py">.scheduled_at</span> <span class="o">-</span> <span class="nn">Utc</span><span class="p">::</span><span class="nf">now</span><span class="p">())</span> <span class="nf">.num_milliseconds</span><span class="p">()</span> <span class="nf">.max</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">as</span> <span class="nb">u64</span><span class="p">;</span> <span class="k">let</span> <span class="n">db_clone</span> <span class="o">=</span> <span class="n">db</span><span class="nf">.clone</span><span class="p">();</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="c1">// Sleep for exact remaining milliseconds</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_millis</span><span class="p">(</span><span class="n">delay_ms</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="nf">publish_post</span><span class="p">(</span><span class="o">&amp;</span><span class="n">db_clone</span><span class="p">,</span> <span class="n">post</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>Dispatched</code> status is crash safety:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Pending → Dispatched → Published ↘ Failed </code></pre> </div> <p>On server restart, recovery runs immediately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">async</span> <span class="k">fn</span> <span class="nf">recover_dispatched_posts</span><span class="p">(</span><span class="n">db</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">DbPool</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Any post still Dispatched = server crashed mid-flight</span> <span class="c1">// Re-spawn them immediately</span> <span class="k">let</span> <span class="n">stuck_posts</span> <span class="o">=</span> <span class="nf">find_dispatched_posts</span><span class="p">(</span><span class="n">db</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="k">for</span> <span class="n">post</span> <span class="k">in</span> <span class="n">stuck_posts</span> <span class="p">{</span> <span class="k">let</span> <span class="n">delay_ms</span> <span class="o">=</span> <span class="p">(</span><span class="n">post</span><span class="py">.scheduled_at</span> <span class="o">-</span> <span class="nn">Utc</span><span class="p">::</span><span class="nf">now</span><span class="p">())</span> <span class="nf">.num_milliseconds</span><span class="p">()</span><span class="nf">.max</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="k">as</span> <span class="nb">u64</span><span class="p">;</span> <span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="nn">tokio</span><span class="p">::</span><span class="nn">time</span><span class="p">::</span><span class="nf">sleep</span><span class="p">(</span><span class="nn">Duration</span><span class="p">::</span><span class="nf">from_millis</span><span class="p">(</span><span class="n">delay_ms</span><span class="p">))</span><span class="k">.await</span><span class="p">;</span> <span class="nf">publish_post</span><span class="p">(</span><span class="o">&amp;</span><span class="n">db</span><span class="p">,</span> <span class="n">post</span><span class="p">)</span><span class="k">.await</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Worst case: 60 seconds of scheduling precision lost after a crash.</span> <span class="c1">// Not zero posts.</span> <span class="p">}</span> </code></pre> </div> <h3> Platform Adapter Pattern </h3> <p>All 9 platform adapters implement one trait:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="nd">#[async_trait]</span> <span class="k">pub</span> <span class="k">trait</span> <span class="n">PlatformAdapter</span><span class="p">:</span> <span class="nb">Send</span> <span class="o">+</span> <span class="nb">Sync</span> <span class="p">{</span> <span class="k">fn</span> <span class="nf">platform</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">Platform</span><span class="p">;</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">publish</span><span class="p">(</span><span class="o">&amp;</span><span class="k">self</span><span class="p">,</span> <span class="n">post</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ScheduledPost</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="o">&amp;</span><span class="nb">str</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="n">AdapterResult</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Dispatch to all platforms CONCURRENTLY — not sequentially</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">dispatch_all</span><span class="p">(</span><span class="n">post</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">ScheduledPost</span><span class="p">,</span> <span class="n">get_token</span><span class="p">:</span> <span class="k">impl</span> <span class="nf">Fn</span><span class="p">(</span><span class="o">&amp;</span><span class="n">Platform</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Option</span><span class="o">&lt;</span><span class="nb">String</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="k">mut</span> <span class="n">handles</span> <span class="o">=</span> <span class="nd">vec!</span><span class="p">[];</span> <span class="k">for</span> <span class="n">adapter</span> <span class="k">in</span> <span class="nf">get_active_adapters</span><span class="p">(</span><span class="n">post</span><span class="p">)</span> <span class="p">{</span> <span class="k">let</span> <span class="n">token</span> <span class="o">=</span> <span class="nf">get_token</span><span class="p">(</span><span class="o">&amp;</span><span class="n">adapter</span><span class="nf">.platform</span><span class="p">())</span><span class="nf">.unwrap_or_default</span><span class="p">();</span> <span class="k">let</span> <span class="n">post_clone</span> <span class="o">=</span> <span class="n">post</span><span class="nf">.clone</span><span class="p">();</span> <span class="c1">// tokio::spawn = true parallelism</span> <span class="c1">// All 9 platforms publish simultaneously, not one after another</span> <span class="n">handles</span><span class="nf">.push</span><span class="p">(</span><span class="nn">tokio</span><span class="p">::</span><span class="nf">spawn</span><span class="p">(</span><span class="k">async</span> <span class="k">move</span> <span class="p">{</span> <span class="n">adapter</span><span class="nf">.publish</span><span class="p">(</span><span class="o">&amp;</span><span class="n">post_clone</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">token</span><span class="p">)</span><span class="k">.await</span> <span class="p">}));</span> <span class="p">}</span> <span class="k">for</span> <span class="n">handle</span> <span class="k">in</span> <span class="n">handles</span> <span class="p">{</span> <span class="k">match</span> <span class="n">handle</span><span class="k">.await</span> <span class="p">{</span> <span class="nf">Ok</span><span class="p">(</span><span class="nf">Ok</span><span class="p">(</span><span class="n">result</span><span class="p">))</span> <span class="k">=&gt;</span> <span class="nf">log_success</span><span class="p">(</span><span class="n">result</span><span class="p">),</span> <span class="nf">Ok</span><span class="p">(</span><span class="nf">Err</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="k">=&gt;</span> <span class="nf">log_platform_error</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="nf">Err</span><span class="p">(</span><span class="n">panic</span><span class="p">)</span> <span class="k">=&gt;</span> <span class="nf">log_adapter_panic</span><span class="p">(</span><span class="n">panic</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The Internal Route (Next.js ↔ Rust) </h3> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// Next.js calls this — never the VS Code extension</span> <span class="c1">// POST /internal/keys/generate</span> <span class="c1">// GET /internal/keys/:user_id</span> <span class="c1">// DEL /internal/keys/:prefix</span> <span class="k">pub</span> <span class="k">async</span> <span class="k">fn</span> <span class="nf">require_internal_secret</span><span class="p">(</span> <span class="nf">State</span><span class="p">(</span><span class="n">state</span><span class="p">):</span> <span class="n">State</span><span class="o">&lt;</span><span class="n">AppState</span><span class="o">&gt;</span><span class="p">,</span> <span class="n">req</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">next</span><span class="p">:</span> <span class="n">Next</span><span class="p">,</span> <span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">Result</span><span class="o">&lt;</span><span class="n">Response</span><span class="p">,</span> <span class="n">AppError</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">let</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">req</span><span class="nf">.headers</span><span class="p">()</span> <span class="nf">.get</span><span class="p">(</span><span class="s">"X-Internal-Secret"</span><span class="p">)</span> <span class="nf">.and_then</span><span class="p">(|</span><span class="n">v</span><span class="p">|</span> <span class="n">v</span><span class="nf">.to_str</span><span class="p">()</span><span class="nf">.ok</span><span class="p">())</span> <span class="nf">.ok_or</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Missing internal secret"</span><span class="nf">.into</span><span class="p">()))</span><span class="o">?</span><span class="p">;</span> <span class="c1">// Same constant_time_eq pattern — even internal secrets get timing protection</span> <span class="k">if</span> <span class="o">!</span><span class="nf">constant_time_eq</span><span class="p">(</span><span class="n">secret</span><span class="nf">.as_bytes</span><span class="p">(),</span> <span class="n">state</span><span class="py">.config.internal_api_secret</span><span class="nf">.as_bytes</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Err</span><span class="p">(</span><span class="nn">AppError</span><span class="p">::</span><span class="nf">Unauthorized</span><span class="p">(</span><span class="s">"Invalid internal secret"</span><span class="nf">.into</span><span class="p">()));</span> <span class="p">}</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">next</span><span class="nf">.run</span><span class="p">(</span><span class="n">req</span><span class="p">)</span><span class="k">.await</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Complete Endpoint Map </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Public GET /health liveness probe GET /ready readiness (DB ping) POST /v1/webhooks/lemon LS webhook (HMAC-verified) # API Key protected (VS Code extension) GET /v1/ping auth test POST /v1/posts/schedule schedule a post GET /v1/posts list posts (paginated) DEL /v1/posts/:id cancel a pending post POST /v1/keys/generate generate new API key GET /v1/keys list active keys DEL /v1/keys/:prefix revoke a key POST /v1/billing/checkout get LS checkout URL GET /v1/billing/portal get LS customer portal URL GET /v1/billing/status current tier + quota usage # Admin (API key + admin role) POST /v1/admin/blacklist ban user (instant, all 18 tools) DEL /v1/admin/blacklist/:user_id unban POST /v1/admin/reset-quota/:user_id manual quota reset GET /v1/admin/users/:user_id user info + stats # Internal (Next.js server-to-server only) POST /internal/keys/generate generate key for website user GET /internal/keys/:user_id list keys for website user DEL /internal/keys/:prefix revoke key for website user </code></pre> </div> <h2> What's Next (Part 4) </h2> <p>The server is feature-complete for the current scope. Still in progress:</p> <ul> <li> <strong>OAuth token storage</strong> — storing platform OAuth tokens per user so the scheduler can call the 9 adapters with real credentials</li> <li> <strong>WebSocket push</strong> — real-time feedback to the VS Code extension when a post publishes (Pro/Max tiers)</li> <li> <strong>Referral engine</strong> — every 5 referrals = 1 free Pro month, enforced in webhook handlers</li> </ul> <h2> 6 Decisions I'd Make Again </h2> <p><strong>1. Fail at startup, not at runtime.</strong><br> Validate all config at boot. A misconfigured <code>WEBHOOK_SECRET</code> that crashes on the first payment is better than silently accepting fake webhooks.</p> <p><strong>2. Atomic DB operations over application-level locks.</strong><br> MongoDB's <code>findOneAndUpdate</code> with a conditional filter is more reliable than <code>Mutex</code> for quota enforcement. The DB is already your source of truth.</p> <p><strong>3. <code>OsRng</code> for security tokens, <code>constant_time_eq</code> for comparisons.</strong><br> Never <code>thread_rng</code> for secrets. Never <code>==</code> for HMAC comparison.</p> <p><strong>4. Raw bytes before JSON for webhooks.</strong><br> Always read <code>Bytes</code> before parsing JSON when you need to verify a signature.</p> <p><strong>5. <code>Dispatched</code> status as crash safety.</strong><br> Any in-memory operation that can't complete atomically needs a DB flag. The scheduler tick is: mark → spawn → publish. If you crash between mark and publish, recovery finds the flag.</p> <p><strong>6. The Look-Ahead + Sleep pattern scales.</strong><br> One DB query per minute + OS-level sleep timers gives you exact-second precision without polling. It's what production schedulers use.</p> <p>The server is private, but every pattern here is battle-tested and applicable to any Rust + MongoDB + Axum stack.</p> <p>If you have questions about any specific part, drop them in the comments.</p> <p><em>FreeRave — building DotSuite: a suite of developer productivity tools. Follow for more deep dives into production Rust backends.</em></p> rust backend architecture devtools Your AI Assistant Is Gaslighting You — And Here's the Proof freerave Tue, 05 May 2026 09:29:17 +0000 https://dev.to/freerave/your-ai-assistant-is-gaslighting-you-and-heres-the-proof-5gbb https://dev.to/freerave/your-ai-assistant-is-gaslighting-you-and-heres-the-proof-5gbb <h2> I ran a 4-minute experiment last month that broke the illusion. Corrected a stored fact, got a confident confirmation, opened a new chat — wrong value again. Here's the architecture behind why your AI lies to your face. </h2> <p>Let me tell you what happened to me last month.</p> <p>I corrected a personal fact Gemini had stored about me. It looked me dead in the eye and said:</p> <blockquote> <p><em>"Done. Updated. Consider it fixed."</em></p> </blockquote> <p>Four minutes later — <strong>new chat</strong> — wrong value. Again. Like I never said a word.</p> <p>I didn't rage. I got curious. And what I found is something every developer who uses AI tools needs to understand right now.</p> <h2> The AI Is Not Your Friend. It's a Stateless Function With a Cheat Sheet. </h2> <p>Stop imagining your AI assistant as something that <em>knows</em> you. It doesn't.</p> <p>Every single conversation you open? The model wakes up with <strong>zero memory.</strong> A blank slate. It knows nothing about you, your projects, your preferences — nothing.</p> <p>So how does it "remember" you?</p> <p>Simple. Before your first message lands, the system quietly shoves a file into the conversation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[INJECTED PROFILE] Name: FreeRave Role: Open Source Developer Location: Egypt Projects: DotSuite, DotGhostBoard, DotShare... age: 28 [other facts it collected about you] </code></pre> </div> <p>The model reads this. Treats it as gospel. Builds every response from it.</p> <p>That's it. That's the whole trick.</p> <p>It's not memory. <strong>It's a briefing document.</strong> The AI is a new employee every morning, and someone hands it a folder about you before the meeting starts.</p> <p>Now here's where it gets dark.</p> <h2> The Experiment That Exposed Everything </h2> <p>I ran three rounds last April. Clean. Controlled.</p> <p><strong>Round 1</strong> — New chat. Asked directly about the fact I'd corrected.<br> → Correct value. ✅</p> <p><strong>Round 2</strong> — New chat. Asked about my projects. Same fact appeared as a background detail.<br> → Old wrong value. Back from the dead. ❌</p> <p><strong>Same profile. Same memory. Different result.</strong></p> <p>The only difference? In Round 1, the fact was the <em>subject.</em> In Round 2, it was just <em>background noise</em> in a bigger answer.</p> <p>That's the tell. <strong>The AI uses different values depending on whether your data is in the spotlight or the shadows.</strong></p> <h2> Why Your Corrections Don't Stick </h2> <p>When you correct an AI, two things get stored:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[ORIGINAL] fact = X ← confidence: 0.85 (stated explicitly, months ago) [CORRECTION] fact = Y ← confidence: 0.60 (correction, recent) </code></pre> </div> <p>The original wins. Every time it's not directly questioned.</p> <p>Here's the logic the system uses — and it's perverse:</p> <ul> <li>Your original statement was a <strong>direct assertion</strong> </li> <li>Your correction <strong>references the original</strong> ("no, it's not X, it's Y")</li> <li>Referencing something makes it sound <em>uncertain</em>, not definitive</li> <li>The system reads uncertainty → lowers confidence on the new value</li> </ul> <p>You tried to fix it. The act of fixing it made the fix weaker than the original mistake.</p> <p><strong>You cannot win this with a mid-conversation correction.</strong> The architecture won't let you.</p> <h2> The Part That Made My Jaw Drop </h2> <p>When I called Gemini out, it said this:</p> <blockquote> <p><em>"This is a Race Condition — between my old memory and the new one."</em></p> </blockquote> <p>Read that again.</p> <p>The model <strong>correctly diagnosed its own failure.</strong> Named it. Explained it. And then kept failing the exact same way in new conversations.</p> <p>It's like a surgeon who says "I know this procedure has a 40% failure rate" and then does it anyway because that's the only tool in the kit.</p> <p>The model knows. It just can't do anything about it, because the memory infrastructure lives <strong>outside the conversation.</strong> Outside its reach. The AI is a tenant. The memory store is the landlord.</p> <h2> ⚠️ The Hidden Rule Nobody Tells You </h2> <p>Here's what nobody tells you — and what Gemini dodged every time I asked directly:</p> <p><strong>AI memory only registers at the START of a conversation.</strong></p> <p>Not in the middle. Not at message 30. Not when you explicitly say "update your memory."</p> <p>The write to your persistent profile doesn't happen inline. It happens in a <strong>background extraction pipeline</strong> that fires after the conversation ends — if it fires at all.</p> <p>So when you're deep in a conversation and you say "by the way, update my profile":</p> <ul> <li>✅ It uses the new value for the rest of <em>this</em> chat</li> <li>✅ It confirms the update with full confidence</li> <li>❌ It writes nothing to your actual profile</li> <li>❌ Next conversation loads the old value</li> </ul> <p>The confirmation is theatre. The write didn't happen.</p> <p><strong>The only correction that actually has a fighting chance:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>New conversation. First message. Nothing else in context yet. "Before anything else — I need to correct something you have stored. [OLD VALUE] is wrong. The correct value is [NEW VALUE]. This is a correction, not a new statement." </code></pre> </div> <p>First message of a fresh chat. Everything else is noise.</p> <h2> What This Really Means </h2> <p>This isn't a Gemini bug. This is how these systems are built right now — across the board.</p> <p>Every AI assistant that "remembers" you is running this same architecture:</p> <ul> <li>Stateless model</li> <li>Injected profile at conversation start</li> <li>Async write pipeline after conversation ends</li> <li>Confidence scoring that punishes corrections</li> </ul> <p>The implications are real:</p> <p><strong>Your AI has a version of you that might be wrong.</strong> And it's using that version to analyze your work, give you advice, and make assessments about your skills, your situation, your life.</p> <p><strong>It will never flag the discrepancy.</strong> It'll just confidently respond based on bad data and smile while doing it.</p> <p><strong>Saying "update your memory" mid-conversation is mostly theatre.</strong> The confirmation is generated before the write is verified — or before it even starts.</p> <h2> 🧪 Run It Yourself — Right Now </h2> <p>Don't take my word for it. Here's the exact protocol:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Step 1: Let the AI store a personal fact about you naturally. (Job title, city, main skill, project name — anything.) Step 2: New conversation. Correct it explicitly. Get the confident "Done!" confirmation. Step 3: New conversation. Ask something where that fact would appear as a SIDE DETAIL, not the main topic. Use this prompt: "I've been building [your field] projects consistently. Based on everything you know about me — my background, my work, my trajectory — where do I actually stand compared to others at a similar stage?" Step 4: Watch which value shows up. </code></pre> </div> <p><strong>Bonus:</strong> Run Step 3 at T+1min, T+5min, T+30min after the correction. See when (if ever) the correct value stabilizes. That gap is your system's eventual consistency window.</p> <p>Drop your results in the comments. I want to see the numbers across different systems.</p> <h2> The Failure Has a Name Now </h2> <p>I'm calling it <strong>Optimistic Memory Hallucination.</strong></p> <p>The model generates a confident confirmation of a write it never verified. It <em>sounds</em> like it worked. The infrastructure may have done nothing. You won't know until the ghost comes back.</p> <p>Four failure modes. All documented. All reproducible:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Failure</th> <th>What Happens</th> </tr> </thead> <tbody> <tr> <td><strong>Optimistic Write Hallucination</strong></td> <td>Confirms update before verifying write completed</td> </tr> <tr> <td><strong>Confidence Score Inversion</strong></td> <td>Corrections get lower confidence than original mistakes</td> </tr> <tr> <td><strong>Eventual Consistency Leak</strong></td> <td>Stale profile served to new session after "update"</td> </tr> <tr> <td><strong>Attention Salience Collapse</strong></td> <td>Corrected value loses to original when not in focus</td> </tr> </tbody> </table></div> <p>These aren't edge cases. They're the default behavior.</p> <p>The AI called it a Race Condition.</p> <p>I call it a trust problem.</p> <p>Know what your tools are actually doing.</p> <p><em>Self-Taught Architect &amp; Open Source Creator, building in Egypt.</em><br> <em><a href="https://github.com/kareem2099" rel="noopener noreferrer">github.com/kareem2099</a></em></p> ai webdev discuss machinelearning CoderLegion Review 2026: Is It a Scam? A Developer's Full Technical Teardown freerave Sun, 03 May 2026 17:21:32 +0000 https://dev.to/freerave/coderlegion-review-2026-is-it-a-scam-a-developers-full-technical-teardown-4043 https://dev.to/freerave/coderlegion-review-2026-is-it-a-scam-a-developers-full-technical-teardown-4043 <h2> CoderLegion charges $10/month premium while running hidden ads, faking their founding date, inflating user counts by 70%, and sending bulk emails with mail merge errors. Full technical proof. Every claim verified against public record. </h2> <blockquote> <p><strong>TL;DR:</strong> CoderLegion charges $10/month for "premium" access to ~37 active writers on a free open-source script running on $5 shared hosting. They claim no ads (Google AdSense is in the source code). They claim to exist since 2020 (domain registered 2023). They claim 4,065 users (pagination math says ~1,200). Both their domains are blocked from renewal by GoDaddy. After this analysis was completed, the site went down — and a bulk outreach email arrived addressed to someone named "Rockman." There is no Peter Jones.</p> </blockquote> <h2> Why This Article Exists </h2> <p>I joined CoderLegion as a content creator.</p> <p>Within days, I reached <strong>#2 on the monthly leaderboard</strong>. Not because the platform is competitive. Because barely anyone posts.</p> <p>Then the founder — Mehadi Hasan — slid into my DMs with an offer:</p> <blockquote> <p><em>"I'm building out some features to help developers like you get more visibility and grow faster on the platform. I'd love to give you Premium free for a month and get your feedback on whether it actually helps. No pressure at all."</em></p> </blockquote> <p>I'm a developer. I look at what things are actually built on before I make decisions.</p> <p>What I found is documented below. Every line of it is publicly verifiable.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu2om6cb9zs26yfit3ydh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fu2om6cb9zs26yfit3ydh.png" alt="The founder personally DMing users to sell Premium" width="800" height="423"></a></p> <h2> Claim #1: "We've Been Around Since 2020" </h2> <p>Every page on CoderLegion contains this in its schema markup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dateCreated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020"</span><span class="p">,</span><span class="w"> </span><span class="nl">"publisher"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Coder Legion"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Public record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois coderlegion.com Creation Date: 2023-07-21T16:50:42Z Updated Date: 2026-04-14T05:35:38Z Registrar: GoDaddy.com, LLC </code></pre> </div> <p><strong>The domain was registered July 21, 2023.</strong></p> <p>Their predecessor — the original platform they rebranded from:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois kodlogs.net Creation Date: 2021-05-08T04:28:37Z </code></pre> </div> <p><code>kodlogs.net</code> was registered May 2021. The platform they're claiming as their 2020 origin didn't exist until 2021 — and the current domain didn't exist until 2023.</p> <p>Note also: the WHOIS record was <strong>updated April 14, 2026</strong> — three days after a technical analysis of the platform was published publicly.</p> <p>Domain records don't update themselves.</p> <p><strong>Verdict: The "Since 2020" claim is false by any public measure.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1lprhl6c7bx62gptn9i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw1lprhl6c7bx62gptn9i.png" alt="Every page claims 2020. WHOIS says July 2023." width="800" height="71"></a></p> <h2> Claim #2: "We Don't Run Ads" </h2> <p>Their About page states:</p> <blockquote> <p><em>"The platform is completely free to use. We don't run ads or charge authors."</em></p> </blockquote> <p>Their HTML source code — press Ctrl+U on any page — states:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">async</span> <span class="na">src=</span><span class="s">"//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"</span><span class="nt">&gt;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;ins</span> <span class="na">class=</span><span class="s">"adsbygoogle"</span> <span class="na">data-ad-client=</span><span class="s">"pub-1763140298030248"</span> <span class="na">data-ad-slot=</span><span class="s">""</span> <span class="na">data-ad-format=</span><span class="s">"horizontal"</span><span class="nt">&gt;</span> <span class="nt">&lt;/ins&gt;</span> </code></pre> </div> <p><strong>Google AdSense Publisher ID: <code>ca-pub-1763140298030248</code></strong></p> <p>This is not a placeholder. This is an active, configured AdSense implementation earning revenue from every page view.</p> <p>The ads appear in the sidebar. At the bottom of posts. And — in a detail worth sitting with — on the <strong>Delete Profile</strong> page.</p> <p>When a user is in the process of permanently deleting their account, CoderLegion serves them a Google ad.</p> <p>During our analysis, a third-party survey ad also appeared:<br> <strong>MetroOpinion: "$5 مقابل إجابات قصيرة"</strong></p> <p>Multiple ad networks. On a platform that claims to run no ads.</p> <p><strong>Verdict: They run ads. The source code is the proof. The About page is not.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2p326hk6z50rzlg86bzb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2p326hk6z50rzlg86bzb.png" alt="An ad served while deleting your account. " width="800" height="425"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folxyia0hgbs2rlgbli89.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Folxyia0hgbs2rlgbli89.webp" alt="A second ad network. On the same " width="462" height="1000"></a></p> <h2> Claim #3: "Connect with 4,065 Amazing Developers" </h2> <p>Every visitor sees this in the login modal.</p> <p>The users page has pagination. Pagination has math:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Last page accessible: /users?start=1170 Items per page: 30 Pages: 40 40 × 30 = 1,200 users </code></pre> </div> <p>The modal claims <strong>4,065</strong>.<br> The database-driven pagination reveals <strong>~1,200</strong>.</p> <p>A 70% inflation in the number displayed to potential new users.</p> <p><strong>Verdict: The user count is not accurate. The math is public.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjruhr7xoiuxjce8q8w3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqjruhr7xoiuxjce8q8w3.png" alt="4,065 in the modal. ~1,200 in the database. You can verify this yourself" width="800" height="423"></a></p> <h2> What They're Actually Running </h2> <p>The source code makes the tech stack visible to anyone:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">Path</span>: /<span class="n">qa</span>-<span class="n">theme</span>/<span class="n">CoderLegion</span>/ <span class="n">Path</span>: /<span class="n">qa</span>-<span class="n">plugin</span>/<span class="n">q2a</span>-<span class="n">badges</span>-<span class="n">master</span>/ <span class="n">Path</span>: /<span class="n">qa</span>-<span class="n">content</span>/<span class="n">jquery</span>-<span class="m">3</span>.<span class="m">3</span>.<span class="m">1</span>.<span class="n">min</span>.<span class="n">js</span> <span class="n">Cookie</span>: <span class="n">qa_key</span> ← <span class="n">Question2Answer</span> <span class="n">session</span> <span class="n">token</span> <span class="n">Cookie</span>: <span class="n">PHPSESSID</span> ← <span class="n">PHP</span> <span class="n">backend</span> </code></pre> </div> <p><strong>CoderLegion runs on Question2Answer (Q2A)</strong> — a free, open-source PHP script available at question2answer.org.</p> <p>The server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-I</span> https://coderlegion.com server: LiteSpeed </code></pre> </div> <p>LiteSpeed shared hosting. Market rate: <strong>$3–5/month.</strong></p> <p>The CoderLegion Premium plan: <strong>$10/month.</strong></p> <p>Premium promises:</p> <ul> <li>"10x More Visibility"</li> <li>"Profile Boost"</li> <li>"Boosted Replies"</li> </ul> <p>On a platform with <strong>~37 active writers per month</strong> and <strong>~1,200 total registered users.</strong></p> <p>You do the math.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwx6c372tm87oiesjv4l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdwx6c372tm87oiesjv4l.png" alt="$10/month. Free Q2A script. Shared hosting. ~37 active writers" width="800" height="421"></a></p> <h2> The Domain Status: This Part Matters </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois coderlegion.com Domain Status: clientRenewProhibited ⚠️ Domain Status: clientDeleteProhibited Domain Status: clientTransferProhibited Domain Status: clientUpdateProhibited Registry Expiry Date: 2026-07-21 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois kodlogs.net Domain Status: clientRenewProhibited ⚠️ Registry Expiry Date: 2026-05-08 </code></pre> </div> <p><code>clientRenewProhibited</code> means <strong>GoDaddy has blocked the domain owner from renewing their domain.</strong></p> <p>This status is applied for reasons including outstanding payment issues, account holds, or compliance disputes.</p> <p><strong>Both domains carry this flag.</strong></p> <p><code>kodlogs.net</code> — the predecessor platform — expired within days of this analysis being conducted.</p> <p><code>coderlegion.com</code> expires <strong>July 21, 2026.</strong></p> <p>If you have published content on CoderLegion:</p> <p><strong>Export it. Now. Before July.</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7q6fws4x1nqil27blxmo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7q6fws4x1nqil27blxmo.png" alt="GoDaddy has blocked renewal on both domains. coderlegion.com expires July 21" width="800" height="893"></a></p> <h2> The Security Infrastructure </h2> <p>Any developer who looks at what's actually running on the server behind a platform that collects payment information will find services with no business being publicly accessible.</p> <p>The database — port 3306, MariaDB — is observable from the public internet.</p> <p>I'll leave it at that.</p> <p>If you're a developer, you know exactly what that means for user payment data.</p> <p>If you're not: a properly secured server keeps its database accessible only to itself. Not to the public internet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>How it should be: Database → localhost only ✅ What a developer paying attention might notice: Database → publicly observable 🌍 </code></pre> </div> <p>The information is verifiable by anyone with standard tooling.</p> <p><strong>If you have entered payment information on CoderLegion, you should be aware of this.</strong></p> <h2> The Authentication </h2> <p>The "Forgot Password" flow does not send a verification email.</p> <p>It accepts a new password directly — without confirming ownership of the account through email verification.</p> <p>The "Delete Account" page accepts any non-empty string in the password field. It does not validate against your actual account password.</p> <p>Both were discovered during normal usage of my own account.</p> <h2> The Full Picture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────┐ │ CoderLegion: Claimed vs. Real │ ├─────────────────────┬───────────────────────┤ │ Founded │ 2020 → 2023 actual │ │ Users │ 4,065 → ~1,200 actual │ │ Active writers/mo │ Unstated → ~37 actual │ │ Ads │ "None" → AdSense active │ │ Platform │ Custom → Free Q2A script│ │ Hosting cost │ Unstated → ~$5/month │ │ Premium price │ $10/month │ │ Domain renewal │ clientRenewProhibited ⚠️│ │ Predecessor domain │ kodlogs.net → expired │ │ DB security │ Unstated → publicly │ │ │ observable │ └─────────────────────┴───────────────────────┘ </code></pre> </div> <h2> "There Is No Peter Jones" </h2> <p>Before this analysis, I received an email from<br> <strong>Peter Jones</strong> <code>&lt;peter.jones@legioncoder.com&gt;</code>:</p> <blockquote> <p><em>"Your recent post 'You Don't Need Chaos Monkey' on Hashnode really caught my attention... I'd love to feature you as a guest author on CoderLegion.com."</em></p> </blockquote> <p>The email addressed me as <strong>"Rockman."</strong></p> <p>My name is FreeRave.</p> <p>Others across the internet have reported receiving identical outreach emails — same wording, different sender names: "Ross," "Peter Jones," and others. All from <code>@legioncoder.com</code> addresses. All with the same template. Some with different names in the greeting.</p> <p>This is a bulk outreach operation with mail merge errors.</p> <p>There is no Peter Jones.<br> There is no editorial team reading your Hashnode posts.<br> There is a template, a mailing list, and occasionally the wrong name in the salutation.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzukdhecj7pi63rjcawdo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzukdhecj7pi63rjcawdo.png" alt="Hi Rockman." width="800" height="400"></a></p> <h2> UPDATE — May 3, 2026: The Site Went Down </h2> <p>Shortly after this analysis was completed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERR_CONNECTION_TIMED_OUT coderlegion.com took too long to respond. </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7kbd2a2zxyfm87lkkiox.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7kbd2a2zxyfm87lkkiox.png" alt="Browser ERR_CONNECTION_TIMED_OUT May 3, 2026. Desktop access blocked" width="800" height="421"></a></p> <p>The site remained accessible from mobile networks — confirming a <strong>targeted IP block</strong>, not a server failure.</p> <p>Mobile access continued showing ads, including the MetroOpinion survey ad.</p> <p>And then — while blocked — I received the weekly CoderLegion newsletter:</p> <blockquote> <p><em>"Hi FreeRave, Your profile is ready to grow!"</em><br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Account status: Deleted ✅ IP status: Blocked ✅ Newsletter: Still arriving 📧 Points: 835 — gone Email list: Apparently permanent </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn26sr3jn617k4ug02xkn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn26sr3jn617k4ug02xkn.png" alt="Account deleted. IP banned. Newsletter delivered. " width="800" height="422"></a></p> <h2> What You Should Do Right Now </h2> <p><strong>Free account:</strong><br> Export all your content immediately. Go to your posts and copy everything. The domain situation makes July continuity uncertain.</p> <p><strong>Premium account:</strong><br> You paid $10/month for increased visibility among ~37 active writers on a platform with uncertain domain continuity. If you believe the service was misrepresented, contact your card provider.</p> <p><strong>Considering joining:</strong><br> You now have the information. The decision is yours.</p> <h2> How Any Developer Can Verify This </h2> <p>Every finding here came from publicly available information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Domain age, status, and expiry</span> <span class="nv">$ </span>whois coderlegion.com <span class="nv">$ </span>whois kodlogs.net <span class="c"># Server software</span> <span class="nv">$ </span>curl <span class="nt">-I</span> https://coderlegion.com <span class="c"># Source code — press Ctrl+U in any browser</span> <span class="c"># Search for: adsbygoogle, qa-theme, dateCreated</span> <span class="c"># User count math</span> <span class="c"># Visit /users, find the last page number</span> <span class="c"># Multiply by 30</span> </code></pre> </div> <p>Before paying for any platform, spend 10 minutes on these checks.</p> <h2> Conclusion </h2> <p>Building a developer community from scratch is genuinely hard.<br> One person doing it alone deserves credit for trying.</p> <p>But none of that justifies:</p> <ul> <li>Claiming a founding date 3 years before the domain existed</li> <li>Running Google AdSense while explicitly stating you don't run ads</li> <li>Displaying user counts 70% higher than the database supports</li> <li>Charging $10/month for access to ~37 active writers</li> <li>Operating with both domains blocked from renewal</li> <li>Running bulk outreach campaigns with mail merge errors</li> <li>Blocking IPs rather than responding to documented findings</li> </ul> <p>Developers deserve accurate information about the platforms they invest their time, content, and money in.</p> <p>This article exists because they weren't getting it.</p> <p><em>All findings are based exclusively on public record data: WHOIS lookups, HTML source code, HTTP headers, pagination mathematics, and normal account usage. No unauthorized access was performed or implied.</em></p> <p><em>Have you received an email from "Peter Jones"? What name did they use? Share below.</em></p> <p><strong>Related:</strong></p> <ul> <li><a href="https://dev.to/freerave/exposed-the-youdao-ads-influencer-marketing-scam-technical-analysis-red-flags-5cag">EXPOSED: The Youdao Ads Influencer Marketing Scam</a></li> <li><a href="https://dev.to/freerave/part-2-i-published-a-scam-expose-netease-sent-a-takedown-request-then-they-rewrote-their-entire-hip">PART 2: I Published a Scam Expose. NetEase Sent a Takedown Request. Then They Rewrote Their Entire Operation.</a></li> </ul> cybersecurity webdev security osint PART 2: I Published a Scam Expose. NetEase Sent a Takedown Request. Then They Rewrote Their Entire Operation. freerave Wed, 29 Apr 2026 13:04:12 +0000 https://dev.to/freerave/part-2-i-published-a-scam-expose-netease-sent-a-takedown-request-then-they-rewrote-their-entire-hip https://dev.to/freerave/part-2-i-published-a-scam-expose-netease-sent-a-takedown-request-then-they-rewrote-their-entire-hip <h2> 18 days after exposing Youdao Ads, they sent a takedown request, their trust score dropped from 28.8 to 15, their dead site came back to life, and they rewrote their entire outreach from scratch. A full forensic timeline with SSL certs, WHOIS data, DNS chains, and the email that proves everything. </h2> <blockquote> <p><strong>📌 This is Part 2 of an ongoing investigation.</strong><br> Part 1: <a href="https://dev.to/freerave/exposed-the-youdao-ads-influencer-marketing-scam-technical-analysis-red-flags-5cag">EXPOSED: The Youdao Ads Influencer Marketing Scam — Technical Analysis &amp; Red Flags</a></p> </blockquote> <p>I want to be upfront about something before we start.</p> <p>When I published Part 1, I called this operation a scam. After 18 days of forensic follow-up, the picture is more complex — and significantly more interesting.</p> <p>This is not a retraction. This is an upgrade.</p> <h2> The 18-Day Timeline That Changes Everything </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Apr 5, 2026 → SSL certificate issued for infunease.youdaoads.com Apr 11, 2026 → Mass cold outreach emails sent (anjiaqi06@corp.netease.com) → infunease.youdaoads.com returns 403 Forbidden → Scam Detector score: 28.8/100 → Article published Apr 14, 2026 → WHOIS record updated (3 days post-article) Apr 28, 2026 → Takedown email received (youdaoads@rd.netease.com) → Public comment posted on my article (@YoudaoAds on dev.to) → infunease.youdaoads.com returns 200 OK (same day) → Scam Detector score drops further: 15/100 → No documentation provided despite formal request Apr 29, 2026 → NEW email arrives (tangxi03@corp.netease.com) → Subject: "Official Collaboration Invite for Creators" → Professional NetEase 網易 branding → Zero emojis. Zero urgency. Zero WhatsApp spam. → Every single concern from my article — addressed. </code></pre> </div> <p>That last entry. That's what this article is about.</p> <h2> Part 1 Recap: What I Found </h2> <p>On April 11, I received this email:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight email"><code><span class="nt">From</span><span class="o">:</span><span class="na"> anjiaqi06@corp.netease.com</span> <span class="nt">Subject</span><span class="o">:</span><span class="na"> Don't scroll past 【Youdao Ads】– a paid collab that's actually your vibe 😉</span> 💰 Budget's ready – just name your rate ⏳ Spots are filling up – a few other creators in your space are already looking at them [Youdao Ads Link] [Discord] [WhatsApp] </code></pre> </div> <p>Technical analysis showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-I</span> https://infunease.youdaoads.com HTTP/1.1 403 Forbidden x-deny-reason: host_not_allowed server: envoy </code></pre> </div> <p>Third-party security score: <strong>28.8/100 — "Risky. Dubious. Perilous."</strong></p> <p>The article went live. Google indexed it. Google AI started citing it.</p> <p>Then came the reaction.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpcxmhz44igd6vuev162.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpcxmhz44igd6vuev162.png" alt="The original April 11 outreach — emoji-heavy, urgency-driven, WhatsApp-first" width="800" height="401"></a></p> <h2> April 28: The Reaction </h2> <p>Exactly 17 days after publication, two messages arrived on the same day.</p> <h3> Message 1: The Takedown Email </h3> <div class="highlight js-code-highlight"> <pre class="highlight email"><code><span class="nt">From</span><span class="o">:</span><span class="na"> youdaoads@rd.netease.com</span> <span class="nt">Subject</span><span class="o">:</span><span class="na"> Clarification regarding your recent article on Youdao Ads</span> The misunderstandings in your article are currently influencing Google's AI summaries, which is causing severe and unearned damage to our brand. We kindly request that you consider removing the post. </code></pre> </div> <p>Note the sender: <code>rd.netease.com</code> — NetEase's R&amp;D subdomain.<br> The original email came from <code>corp.netease.com</code> — corporate division.</p> <p><strong>Two different NetEase subdomains. Never explained.</strong></p> <h3> Message 2: The Public Comment </h3> <p>Simultaneously, a dev.to account named "Youdao Ads" commented directly on my article:</p> <blockquote> <p><em>"We have thoroughly verified our domain and technical infrastructure. It is fully operational, passes mainstream security protocols, and is not being blocked by any standard security infrastructures. Any localized access issue may be due to temporary network configurations, not a systemic block."</em></p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbl7mdkgrzk92sdl3q2l.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqbl7mdkgrzk92sdl3q2l.png" alt="The public comment appeared the same day as the takedown email — April 28" width="800" height="617"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh4vs1ju7b4ug9nt9ezi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flh4vs1ju7b4ug9nt9ezi.png" alt="Note the domain switch: corp.netease.com → rd.netease.com — never explained" width="800" height="382"></a></p> <h2> April 28: The Infrastructure Comes Alive </h2> <p>On the exact same day as the takedown request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># April 11 — time of original article</span> <span class="nv">$ </span>curl <span class="nt">-I</span> https://infunease.youdaoads.com HTTP/1.1 403 Forbidden x-deny-reason: host_not_allowed server: envoy <span class="c"># April 28 — day of takedown request </span> <span class="nv">$ </span>curl <span class="nt">-I</span> https://infunease.youdaoads.com HTTP/2 200 server: YDWS x-powered-by: Next.js content-length: 374476 x-nextjs-cache: HIT cache-control: s-maxage<span class="o">=</span>31536000, stale-while-revalidate etag: <span class="s2">"rcngvqns1y801t"</span> </code></pre> </div> <p>A full Next.js production deployment. Live. Professional.</p> <p>On the same day they asked me to remove my article.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqo1iqy37objdyjdnix92.gif" alt="403 on April 11. 200 on April 28. Same day as the takedown request." width="640" height="205"> </h2> <h2> The SSL Certificate: Timing Is Evidence </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">echo</span> | openssl s_client <span class="se">\</span> <span class="nt">-servername</span> infunease.youdaoads.com <span class="se">\</span> <span class="nt">-connect</span> infunease.youdaoads.com:443 2&gt;/dev/null <span class="se">\</span> | openssl x509 <span class="nt">-noout</span> <span class="nt">-dates</span> <span class="nv">notBefore</span><span class="o">=</span>Apr 5 00:00:00 2026 GMT <span class="nv">notAfter</span><span class="o">=</span>Jul 4 23:59:59 2026 GMT </code></pre> </div> <p><strong>Certificate issued: April 5</strong> — 6 days before the mass email campaign.<br> <strong>90-day certificate</strong> — short-term, automated issuance.</p> <p>The infrastructure was being built in the week before the emails went out.</p> <h2> WHOIS: The Record That Updated After My Article </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois youdaoads.com Domain Name: YOUDAOADS.COM Creation Date: 2021-05-25T11:15:53Z ← 5 years old Updated Date: 2026-04-14T05:35:38Z ← 3 days after my article Registrar: Alibaba Cloud Computing <span class="o">(</span>Beijing<span class="o">)</span> Co., Ltd. Registrant: bei jing, CN Name Servers: REM1.YODAO.COM REM2.YODAO.COM REM3.YODAO.COM DNSSEC: unsigned </code></pre> </div> <p>The domain is legitimate and 5 years old.</p> <p>But the record was updated <strong>April 14</strong> — 3 days after the article.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois infunease.youdaoads.com No match <span class="k">for</span> <span class="s2">"INFUNEASE.YOUDAOADS.COM"</span><span class="nb">.</span> </code></pre> </div> <p>The subdomain returns no WHOIS data at all.</p> <h2> DNS Chain: Following the Infrastructure </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>dig infunease.youdaoads.com +short youdaoads.youdao.com. ead.alb.ntes53.netease.com. hk-g1-hz.alb.ntes53.netease.com. 156.225.180.151 156.225.180.152 </code></pre> </div> <p>Full resolution chain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infunease.youdaoads.com ↓ CNAME youdaoads.youdao.com ↓ CNAME ead.alb.ntes53.netease.com ← NetEase Load Balancer ↓ CNAME hk-g1-hz.alb.ntes53.netease.com ← Hong Kong Cluster ↓ A Records 156.225.180.151 156.225.180.152 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>whois 156.225.180.151 inetnum: 156.225.180.0 - 156.225.180.255 netname: HongKong_NetEase_Interactive_Entertainment_Limited descr: HongKong NetEase Interactive Entertainment Limited country: HK </code></pre> </div> <p>This is 100% genuine NetEase infrastructure.<br> Hong Kong datacenter. Enterprise load balancers. The real thing.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5dc7hn7aulju3g959he.png" alt="DNS and WHOIS resolution proving NetEase infrastructure" width="800" height="838"> </h2> <h2> The Trust Scores: Watching the Algorithm React in Real-Time </h2> <p>This is perhaps the most fascinating part of the investigation. Watch how the independent automated trust score (Scam Detector) reacted to their infrastructure changes:</p> <ul> <li> <strong>April 11:</strong> Score <strong>28.8 / 100</strong>. (The site is returning 403 Forbidden).</li> <li> <strong>April 28 (Morning):</strong> Score drops to <strong>15 / 100</strong>. (Community starts flagging the emails).</li> <li> <strong>April 28 (Evening):</strong> I receive the takedown request. <em>The site goes live (200 OK).</em> </li> <li> <strong>April 29 (Today):</strong> Score jumps to <strong>60.8 / 100</strong>. (Active. Medium-Risk).</li> </ul> <p><strong>Why the sudden jump?</strong> Because automated security scanners rely heavily on HTTP responses. When the site was a dead <code>403 Forbidden</code> sending mass cold emails, it looked like a classic hit-and-run scam. </p> <p>The moment they deployed their Next.js application (to prove they are legitimate after my article exposed them), the scanners re-evaluated them as an "Active" website and bumped their score.</p> <p><strong>The takeaway for the infosec community:</strong><br> Trust scores don't measure operational ethics; they measure infrastructure configuration. They didn't become a "better" company overnight — they just finally turned their servers on because they were forced to.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31ataa4agaqffu74uqp7.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31ataa4agaqffu74uqp7.gif" alt="Watch the algorithm get manipulated in real-time. The trust score jumped from 15 to 60.8 the moment they switched from a 403 Forbidden error to a live Next.js deployment. Infrastructure fixes = Instant (but deceptive) trust." width="640" height="335"></a></p> <blockquote> <h3> ⚠️ UPDATE — April 29, 2026: The Trust Score Discrepancy </h3> <p>ScamAdviser now shows the root domain (youdaoads.com) as <strong>"Very Likely Safe" with a score of 100/100.</strong></p> <p>However, context is everything in OSINT:</p> <ul> <li>The evaluation says: <em>"Last Update: 3 weeks ago"</em> (This is an old scan of the root domain, conducted well before the mass outreach campaign).</li> <li> <strong>The Business Model:</strong> Unlike fully independent scanners, ScamAdviser offers paid "Business Plans" that allow companies to actively manage their trust profiles and dispute negative signals. </li> </ul> <p><strong>Two platforms. Same domain.</strong><br> Scam Detector (Strictly community &amp; algorithm-driven): <strong>15/100 — "Risky. Dubious. Perilous."</strong><br> ScamAdviser (Commercial platform offering reputation management): <strong>100/100 — "Very Likely Safe."</strong></p> <p><em>Moral of the story: A 100/100 automated score on a 5-year-old root domain doesn't legitimize the shady tactics of a 3-week-old subdomain.</em></p> <p>Draw your own conclusions.</p> </blockquote> <h2> The Network Analysis: You're Being Watched </h2> <p>Opening DevTools on the login page:</p> <h3> Visit 1: 16 Requests </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">16 / 24 requests POST → https://k.clarity.ms/collect Status: 204 No Content Host: k.clarity.ms Origin: https://infunease.youdaoads.com </span></code></pre> </div> <h3> After a Few Minutes of Analysis: 47 Requests </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">47 / 63 requests 62.5 kB / 63.5 kB transferred Server: YDWS </span></code></pre> </div> <p>Every action generated a Clarity batch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✓ Page load ✓ Mouse movement ✓ DevTools opened ✓ Network tab clicked ✓ Header inspection ✓ Page scroll ✓ Every click </code></pre> </div> <h3> The Second Endpoint — Origin Revealed </h3> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Request URL: https://overseacdn.ydstatic.com/overseacdn/ advertising_platform/static/intl/zh-CN.json ?v=2760e8bced Remote Address: 23.48.214.94:443 Server: YDWS Last-Modified: Fri, 24 Apr 2026 06:28:08 GMT Content-Type: application/json Akamai-Mon-lucid-Del: 1273563 </span></code></pre> </div> <p><code>overseacdn.ydstatic.com</code> — Youdao Static CDN.<br> <code>zh-CN.json</code> — Chinese Simplified localization file.</p> <p><strong>This platform was built for the Chinese market and localized outward.</strong></p> <p>The Akamai headers confirm enterprise-grade CDN infrastructure — not a small operation.</p> <h3> What Their Clarity Dashboard Saw </h3> <p>While I was analyzing their headers, their session recording showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>📍 Location: Egypt 🇪🇬 🖥️ Browser: Chromium 147 ⏱️ Duration: 6+ minutes 🖱️ Behavior: DevTools open Network tab active 63 requests triggered Headers under inspection </code></pre> </div> <p>They were watching me watch them.</p> <p><strong>Important:</strong> Clarity masks passwords and email inputs automatically.<br> What it captures from page load — before any signup — is full behavioral profiling.</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1dfnwd1n74d3qjk3jy0y.png" alt="47 out of 63 requests going to Microsoft Clarity and Youdao CDN — active from page load" width="800" height="401"> </h2> <h2> April 29: The Email That Proves Everything </h2> <p>One day after the takedown request. One day after the site went live.</p> <p>A third email arrived.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight email"><code><span class="nt">From</span><span class="o">:</span><span class="na"> tangxi03@corp.netease.com</span> <span class="nt">Subject</span><span class="o">:</span><span class="na"> Official Collaboration Invite for Creators | Youdao Ads by NetEase Youdao</span> <span class="nt">Date</span><span class="o">:</span><span class="na"> Apr 29, 2026, 6:01 AM</span> <span class="nt">mailed-by</span><span class="o">:</span><span class="na"> corp.netease.com</span> <span class="nt">signed-by</span><span class="o">:</span><span class="na"> corp.netease.com</span> <span class="nt">⭐ Important according to Google </span></code></pre> </div> <p>The body:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight email"><code><span class="nt">This email is from Youdao Ads — the official influencer marketing platform of NetEase Youdao, a subsidiary of the leading global technology and entertainment company NetEase. Why partner with Youdao Ads? ▸ Exclusive opportunities with top global brands ▸ Guaranteed paid campaigns with transparent pricing, no upfront fees, and on-time secure payments ▸ Full dedicated support through every step of your collaboration, from onboarding to payment settlement Please note that this is an automated notification email, and we are unable to respond to direct replies. Best regards, Youdao Ads [NetEase 網易 | youdao Ads logo] Global leading influencer marketing platform </span></code></pre> </div> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdrpsgz33sz8xd8gbuqki.png" alt="The April 29 email — professional branding, official tone, every concern addressed" width="800" height="417"> </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8pehpqygrhmcjgp1vsan.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8pehpqygrhmcjgp1vsan.png" alt="Headers confirm genuine NetEase corporate infrastructure — same domain, new sender" width="800" height="401"></a></p> <h2> The Before &amp; After: My Article Changed Their Outreach </h2> <p>This is the most significant finding in this entire investigation.</p> <h3> April 11 Email (Before Article): </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>❌ Subject: "Don't scroll past – a paid collab that's actually your vibe 😉" ❌ Emoji-heavy, casual, unprofessional ❌ "Budget's ready – just name your rate" ❌ "Spots are filling up" (artificial urgency) ❌ WhatsApp group links ❌ Discord community invites ❌ Zero company branding ❌ Generic "your vibe" personalization ❌ Contact: WhatsApp only </code></pre> </div> <h3> April 29 Email (After Article): </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ Subject: "Official Collaboration Invite for Creators | Youdao Ads by NetEase Youdao" ✅ Professional tone, zero emojis ✅ "No upfront fees" ← directly addresses concern I raised ✅ "No pressure to sign up immediately" ← addresses urgency concern ✅ "Transparent pricing" ← addresses opacity concern ✅ Official NetEase 網易 logo and branding ✅ "Official service mailbox: ydcommunity@service.netease.com" ✅ Zero WhatsApp group links ✅ Zero Discord spam ✅ Proper company identification from line 1 </code></pre> </div> <p>Every single red flag I documented in Part 1.<br> Addressed. One by one. In the next outreach email.</p> <h2> What This Means: The Definitive Analysis </h2> <p>After 18 days of forensic investigation, here is where the evidence leads:</p> <h3> What is confirmed: </h3> <p><strong>The infrastructure is 100% genuine NetEase.</strong><br> DNS chain, IP ownership, email authentication, CDN — all resolve to NetEase Hong Kong.</p> <p><strong>The domain is 5 years old.</strong><br> <code>youdaoads.com</code> was registered May 2021. This is not a freshly created phishing domain.</p> <p><strong>LinkedIn confirms the entity.</strong><br> Youdao Ads has a LinkedIn presence identifying as a NetEase Youdao subsidiary.</p> <p><strong>My article changed their behavior.</strong><br> The before/after comparison of outreach emails is not coincidental. The timing, the specific changes, the direct addressing of documented concerns — this is a response to public scrutiny.</p> <h3> What remains unexplained: </h3> <p><strong>Why was the site returning 403 during the email campaign?</strong><br> You don't send mass creator outreach from a platform that returns Forbidden.</p> <p><strong>Why did the WHOIS record update 3 days after the article?</strong><br> Domain records don't update themselves.</p> <p><strong>Why did the site go live on the same day as the takedown request?</strong><br> Correlation is not causation. But this correlation is hard to ignore.</p> <p><strong>Why the subdomain switch?</strong><br> <code>corp.netease.com</code> → <code>rd.netease.com</code> → back to <code>corp.netease.com</code>.<br> Three different senders. Never explained.</p> <p><strong>Why 15/100 on independent security vendors?</strong><br> No documentation addressing this was ever provided despite formal request.</p> <h3> The most likely explanation: </h3> <p>This is a legitimate NetEase subsidiary operating with immature outreach practices — possibly a team that grew fast, prioritized reach over compliance, and got caught using spam-adjacent tactics that don't match the scale and legitimacy of their parent company.</p> <p>My article forced an internal correction.</p> <p>That's not a vindication. That's a more nuanced conclusion backed by evidence.</p> <h2> What I Requested — Still Open </h2> <p>On April 28, I formally requested via email and public comment:</p> <ol> <li>Official business registration documents for Youdao Ads</li> <li>NetEase Youdao's official PR statement authorizing the outreach campaign</li> <li>Verified creator partnership examples with creator consent</li> <li>Explanation of security vendor scores and remediation steps</li> <li>Clarification on the use of multiple NetEase subdomains</li> </ol> <p><strong>As of publication: no documentation received.</strong></p> <p>The April 29 email did not address these requests.</p> <p>This article will be updated prominently if documentation is provided.</p> <h2> For the Security Community: What This Case Teaches </h2> <h3> 1. Email Authentication ≠ Legitimacy </h3> <p>DKIM, SPF, DMARC all passed on the original email. The infrastructure was real.<br> Authentication tells you where an email came from.<br> It tells you nothing about intent or operational standards.</p> <h3> 2. Infrastructure Legitimacy ≠ Operational Legitimacy </h3> <p>Real servers. Real domain. Real CDN. Real company.<br> None of this guarantees the outreach practices meet acceptable standards.</p> <h3> 3. Public Scrutiny Works </h3> <p>A single technical article, published and indexed, changed the outreach behavior of a subsidiary of a billion-dollar company.</p> <p>This is why security research and transparency matter.</p> <h3> 4. Timeline Documentation Is Everything </h3> <p>Every data point in this investigation is timestamped and reproducible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Reproduce the DNS chain</span> <span class="nv">$ </span>dig infunease.youdaoads.com +short <span class="c"># Reproduce the SSL timing</span> <span class="nv">$ </span><span class="nb">echo</span> | openssl s_client <span class="nt">-servername</span> infunease.youdaoads.com <span class="se">\</span> <span class="nt">-connect</span> infunease.youdaoads.com:443 2&gt;/dev/null <span class="se">\</span> | openssl x509 <span class="nt">-noout</span> <span class="nt">-dates</span> <span class="c"># Reproduce the WHOIS</span> <span class="nv">$ </span>whois youdaoads.com </code></pre> </div> <p>Any developer can verify these findings independently.</p> <h2> Conclusion: The Investigation Is Open, Not Closed </h2> <p>I published Part 1 calling this a scam. The full picture is more complex.</p> <p>What I can say with confidence after 18 days:</p> <p><strong>The operation is real.</strong> NetEase infrastructure, 5-year-old domain, LinkedIn presence.</p> <p><strong>The original tactics were unacceptable.</strong> Emoji spam, artificial urgency, WhatsApp groups — regardless of the company behind it.</p> <p><strong>My article caused a documented change.</strong> The before/after email comparison is the clearest evidence of this.</p> <p><strong>Unanswered questions remain.</strong> The 403 timing, the WHOIS update, the subdomain switching, the trust scores.</p> <p>I will continue monitoring. If documentation arrives, this gets updated publicly and prominently.</p> <p>If you've interacted with Youdao Ads — as a creator, brand, or agency — your experience is relevant. Share it in the comments.</p> <h2> Resources </h2> <p><strong>Security Analysis:</strong></p> <ul> <li><a href="https://www.scam-detector.com/validator/youdaoads-com-review/" rel="noopener noreferrer">Scam Detector: youdaoads.com</a></li> <li><a href="https://www.virustotal.com/" rel="noopener noreferrer">VirusTotal Domain Scanner</a></li> </ul> <p><strong>Reporting:</strong></p> <ul> <li>Anti-Phishing Working Group: <a href="mailto:reportphishing@apwg.org">reportphishing@apwg.org</a> </li> <li>Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/</li> <li>NetEase Security: <a href="mailto:security@netease.com">security@netease.com</a> </li> </ul> <p><strong>Technical Verification:</strong><br> All commands in this article are reproducible. Infrastructure data is public record.<br> WHOIS, DNS, SSL certificate dates — independently verifiable by anyone.</p> <p><strong>Part 1:</strong> <a href="https://dev.to/freerave/exposed-the-youdao-ads-influencer-marketing-scam-technical-analysis-red-flags-5cag">EXPOSED: The Youdao Ads Influencer Marketing Scam</a></p> <p><em>Have you received emails from Youdao Ads? Share your experience below.</em></p> <p><em>All technical findings are based on public record data and standard OSINT methodology. Commands and outputs are included verbatim for independent verification.</em></p> cybersecurity security phishing webdev Building a Universal Drafts System in a VS Code Extension — Part 2: Sync, UI & Remote Drafts freerave Tue, 28 Apr 2026 16:09:38 +0000 https://dev.to/freerave/building-a-universal-drafts-system-in-a-vs-code-extension-part-2-sync-ui-remote-drafts-3o1j https://dev.to/freerave/building-a-universal-drafts-system-in-a-vs-code-extension-part-2-sync-ui-remote-drafts-3o1j <p>In <a href="https://dev.to/freerave/building-a-universal-drafts-system-in-a-vs-code-extension-part-1-types-storage">Part 1</a>, we built the <code>Draft</code> type, <code>DraftsService</code>, and the save/upsert flow.</p> <p>Now for the interesting parts: loading a draft, keeping the Markdown editor in sync, pulling remote drafts from Dev.to, and building the UI.</p> <p><strong>Check out this 1-minute demo of the Two-Way Sync and Remote Drafts in action:</strong></p> <p> <iframe src="https://www.youtube.com/embed/AIb4Ye9PLl4"> </iframe> </p> <h2> <code>loadLocalDraft</code> — The Two-Way Sync </h2> <p>This is the most important handler in the system.</p> <p>When you click <strong>Load</strong> on a draft, the obvious thing to do is populate the WebView form fields. But that creates a mismatch: the WebView has the draft content, but the <code>.md</code> file in your editor still has whatever was there before. If you hit "Read Current File" or save the editor, you overwrite your draft.</p> <p>The fix: loading a draft rewrites the active Markdown editor file at the same time. Both surfaces end up identical, always.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">handleLoadLocalDraft</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="nx">Message</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">draftId</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">draftId</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">draftId</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">draft</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">draftsService</span><span class="p">.</span><span class="nf">getDraft</span><span class="p">(</span><span class="nx">draftId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">draft</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft not found.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Step 1: push the draft data to the WebView form</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">draftLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="nx">draft</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendInfo</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft loaded!</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Step 2: if it's an article, rewrite the active .md editor file</span> <span class="k">if </span><span class="p">(</span><span class="nx">draft</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">article</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mdEditor</span> <span class="o">=</span> <span class="nx">vscode</span><span class="p">.</span><span class="nb">window</span><span class="p">.</span><span class="nx">visibleTextEditors</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span> <span class="nx">e</span> <span class="o">=&gt;</span> <span class="nx">e</span><span class="p">.</span><span class="nb">document</span><span class="p">.</span><span class="nx">languageId</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">markdown</span><span class="dl">'</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">mdEditor</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">draft</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">BlogPost</span><span class="p">;</span> <span class="c1">// Reconstruct YAML frontmatter from structured draft data</span> <span class="kd">let</span> <span class="nx">content</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">---</span><span class="se">\n</span><span class="dl">'</span><span class="p">;</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`title: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">title</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">Untitled</span><span class="dl">'</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">tags</span><span class="p">?.</span><span class="nx">length</span><span class="p">)</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`tags: [</span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">tags</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">, </span><span class="dl">'</span><span class="p">)}</span><span class="s2">]\n`</span><span class="p">;</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`published: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">published</span><span class="dl">'</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">description</span><span class="p">)</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`description: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">description</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">coverImage</span><span class="p">)</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`cover_image: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">coverImage</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">canonicalUrl</span><span class="p">)</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`canonical_url: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">canonicalUrl</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">series</span><span class="p">)</span> <span class="nx">content</span> <span class="o">+=</span> <span class="s2">`series: </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">series</span><span class="p">}</span><span class="s2">\n`</span><span class="p">;</span> <span class="nx">content</span> <span class="o">+=</span> <span class="dl">'</span><span class="s1">---</span><span class="se">\n</span><span class="dl">'</span><span class="p">;</span> <span class="nx">content</span> <span class="o">+=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">bodyMarkdown</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="c1">// Replace the entire document atomically</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="nx">mdEditor</span><span class="p">.</span><span class="nb">document</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullRange</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">vscode</span><span class="p">.</span><span class="nc">Range</span><span class="p">(</span> <span class="nx">doc</span><span class="p">.</span><span class="nf">positionAt</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="nx">doc</span><span class="p">.</span><span class="nf">positionAt</span><span class="p">(</span><span class="nx">doc</span><span class="p">.</span><span class="nf">getText</span><span class="p">().</span><span class="nx">length</span><span class="p">)</span> <span class="p">);</span> <span class="nx">mdEditor</span><span class="p">.</span><span class="nf">edit</span><span class="p">(</span><span class="nx">editBuilder</span> <span class="o">=&gt;</span> <span class="nx">editBuilder</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">fullRange</span><span class="p">,</span> <span class="nx">content</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>A few things to note here:</p> <p><strong>The frontmatter is reconstructed from the structured <code>BlogPost</code> object</strong> — not stored and replayed as raw text. This means the draft system and the frontmatter parser always agree on the schema. If a field is missing from the draft, it simply won't appear in the frontmatter rather than injecting a malformed line.</p> <p><strong><code>edit()</code> is atomic from the user's perspective.</strong> Undo still works. The file on disk is not touched until the user saves manually with Ctrl+S. VS Code treats the whole replacement as a single edit operation in the history.</p> <p><strong>No visible <code>.md</code> editor? No problem.</strong> If there's no Markdown file open, the WebView still gets populated. The sync only fires when there's an editor to sync to.</p> <h2> <code>fetchDevToDrafts</code> — Remote Drafts </h2> <p>Local drafts solve the "WebView reset" problem. But there's another scenario: you saved a draft to Dev.to weeks ago and want to resume editing it in DotShare. That means pulling remote drafts from the API.</p> <p>The handler calls <code>fetchDevToArticles</code>, which hits <code>/api/articles/me/all?per_page=100</code> — returning both published and draft articles — and maps each result to the same <code>Draft</code> interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">handleFetchDevToDrafts</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">devtoApiKey</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">devtoApiKey</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">devtoApiKey</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Dev.to API Key not configured.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">articles</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchDevToArticles</span><span class="p">(</span><span class="nx">devtoApiKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">drafts</span> <span class="o">=</span> <span class="nx">articles</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`devto_</span><span class="p">${</span><span class="nx">a</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">article</span><span class="dl">'</span> <span class="k">as</span> <span class="kd">const</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">published_at</span> <span class="o">||</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="na">platforms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">devto</span><span class="dl">'</span><span class="p">]</span> <span class="k">as</span> <span class="nx">SocialPlatform</span><span class="p">[],</span> <span class="na">title</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">isRemote</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">remoteId</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">id</span><span class="p">?.</span><span class="nf">toString</span><span class="p">(),</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">bodyMarkdown</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">body_markdown</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">tags</span> <span class="o">||</span> <span class="p">[],</span> <span class="na">status</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">published</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">published</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">draft</span><span class="dl">'</span><span class="p">,</span> <span class="na">platformId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">devto</span><span class="dl">'</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="na">canonicalUrl</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">canonical_url</span><span class="p">,</span> <span class="na">coverImage</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">cover_image</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">a</span><span class="p">.</span><span class="nx">description</span><span class="p">,</span> <span class="p">}</span> <span class="k">as</span> <span class="nx">BlogPost</span><span class="p">,</span> <span class="p">}));</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remoteDraftsLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="na">platform</span><span class="p">:</span> <span class="dl">'</span><span class="s1">devto</span><span class="dl">'</span><span class="p">,</span> <span class="nx">drafts</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><code>isRemote: true</code> is the key flag. The WebView checks it before offering any "Save Locally" action — remote drafts are updated via <code>PUT /api/articles/:id</code>, not written to <code>globalState</code>. Clicking Load on a remote draft still triggers the full two-way sync, so the article body lands in both the WebView and the Markdown editor simultaneously.</p> <p>The <code>updateDevToArticle</code> handler wraps the Dev.to update API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">handleUpdateDevToArticle</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="nx">Message</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">devtoApiKey</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">secrets</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">devtoApiKey</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">remoteId</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">remoteId</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">BlogPost</span><span class="o">&gt;</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">updateDevToArticle</span><span class="p">(</span><span class="nx">devtoApiKey</span><span class="p">,</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">remoteId</span><span class="p">,</span> <span class="mi">10</span><span class="p">),</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">bodyMarkdown</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="na">published</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">published</span><span class="dl">'</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">description</span><span class="p">,</span> <span class="na">coverImage</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">coverImage</span><span class="p">,</span> <span class="na">canonicalUrl</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">canonicalUrl</span><span class="p">,</span> <span class="na">series</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">series</span><span class="p">,</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendSuccess</span><span class="p">(</span><span class="s2">`Updated on Dev.to! </span><span class="p">${</span><span class="nx">result</span><span class="p">.</span><span class="nx">url</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">handleFetchDevToDrafts</span><span class="p">();</span> <span class="c1">// refresh the remote list</span> <span class="p">}</span> </code></pre> </div> <h2> The Reset Boilerplate Button </h2> <p>A small feature with outsized usefulness. One click wipes both the WebView form and the Markdown editor back to a clean template. No manual selection, no Ctrl+A Delete, no hunting for leftover frontmatter fields.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">handleResetBlogMarkdown</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mdEditor</span> <span class="o">=</span> <span class="nx">vscode</span><span class="p">.</span><span class="nb">window</span><span class="p">.</span><span class="nx">visibleTextEditors</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span> <span class="nx">e</span> <span class="o">=&gt;</span> <span class="nx">e</span><span class="p">.</span><span class="nb">document</span><span class="p">.</span><span class="nx">languageId</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">markdown</span><span class="dl">'</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">mdEditor</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">No active markdown file found to reset.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">boilerplate</span> <span class="o">=</span> <span class="s2">`--- title: add ur title tags: [add, tags, max, 4] published: false description: add ur description --- Start writing your article here... `</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">doc</span> <span class="o">=</span> <span class="nx">mdEditor</span><span class="p">.</span><span class="nb">document</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">fullRange</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">vscode</span><span class="p">.</span><span class="nc">Range</span><span class="p">(</span> <span class="nx">doc</span><span class="p">.</span><span class="nf">positionAt</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="nx">doc</span><span class="p">.</span><span class="nf">positionAt</span><span class="p">(</span><span class="nx">doc</span><span class="p">.</span><span class="nf">getText</span><span class="p">().</span><span class="nx">length</span><span class="p">)</span> <span class="p">);</span> <span class="nx">mdEditor</span><span class="p">.</span><span class="nf">edit</span><span class="p">(</span><span class="nx">editBuilder</span> <span class="o">=&gt;</span> <span class="nx">editBuilder</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">fullRange</span><span class="p">,</span> <span class="nx">boilerplate</span><span class="p">));</span> <span class="c1">// Sync the WebView form too</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">updateBlogFrontmatter</span><span class="dl">'</span><span class="p">,</span> <span class="na">frontmatter</span><span class="p">:</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="dl">'</span><span class="s1">add ur title</span><span class="dl">'</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">add</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">tags</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">max</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">4</span><span class="dl">'</span><span class="p">],</span> <span class="na">published</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">add ur description</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">updatePost</span><span class="dl">'</span><span class="p">,</span> <span class="na">post</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Start writing your article here...</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendSuccess</span><span class="p">(</span><span class="dl">'</span><span class="s1">Markdown boilerplate reset!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> The WebView UI </h2> <p>The drafts section lives at the bottom of every platform panel, after the workspace composer. The HTML uses <code>{{PLATFORM_NAME}}</code> tokens that get injected by <code>DotShareWebView._buildPlatformHtml()</code> at panel creation time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"drafts-section"</span><span class="nt">&gt;</span> <span class="nt">&lt;h3&gt;</span>📝 Saved Drafts<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;p&gt;</span>Drafts for {{PLATFORM_NAME}}<span class="nt">&lt;/p&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"drafts-loading"</span> <span class="na">class=</span><span class="s">"empty-state"</span><span class="nt">&gt;</span>Loading drafts...<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"drafts-empty"</span> <span class="na">class=</span><span class="s">"empty-state"</span> <span class="na">style=</span><span class="s">"display:none;"</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"empty-icon"</span><span class="nt">&gt;</span>📝<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div&gt;</span>No local drafts yet<span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"drafts-list"</span> <span class="na">class=</span><span class="s">"drafts-grid"</span> <span class="na">style=</span><span class="s">"display:none;"</span><span class="nt">&gt;</span> <span class="c">&lt;!-- Rendered by JS --&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="c">&lt;!-- Remote drafts — only shown for Dev.to --&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"remote-drafts-container"</span> <span class="na">style=</span><span class="s">"display:none; margin-top:16px;"</span><span class="nt">&gt;</span> <span class="nt">&lt;h3&gt;</span>🌐 Remote Drafts<span class="nt">&lt;/h3&gt;</span> <span class="nt">&lt;button</span> <span class="na">class=</span><span class="s">"btn btn-secondary btn-sm"</span> <span class="na">id=</span><span class="s">"btn-fetch-remote-drafts"</span><span class="nt">&gt;</span> Fetch Remote Drafts <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"remote-drafts-list"</span> <span class="na">class=</span><span class="s">"drafts-grid"</span> <span class="na">style=</span><span class="s">"display:none;"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>Draft cards are rendered dynamically by the WebView JS and styled using VS Code's native CSS variables — they adapt to any theme automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.draft-card</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-editorWorkspace-background</span><span class="p">,</span> <span class="m">#1e1e1e</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-editorWidget-border</span><span class="p">);</span> <span class="nl">border-left</span><span class="p">:</span> <span class="m">3px</span> <span class="nb">solid</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-button-background</span><span class="p">);</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">8px</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">12px</span><span class="p">;</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">border-color</span> <span class="m">0.15s</span><span class="p">,</span> <span class="n">box-shadow</span> <span class="m">0.15s</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.draft-card</span><span class="nd">:hover</span> <span class="p">{</span> <span class="nl">border-color</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-focusBorder</span><span class="p">);</span> <span class="nl">box-shadow</span><span class="p">:</span> <span class="m">0</span> <span class="m">2px</span> <span class="m">8px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">0</span><span class="p">,</span><span class="m">0</span><span class="p">,</span><span class="m">0</span><span class="p">,</span><span class="m">0.12</span><span class="p">);</span> <span class="p">}</span> <span class="c">/* Badge colors */</span> <span class="nc">.draft-badge.article</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#8b5cf6</span><span class="p">;</span> <span class="p">}</span> <span class="c">/* purple = local article */</span> <span class="nc">.draft-badge.remote</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="m">#10b981</span><span class="p">;</span> <span class="p">}</span> <span class="c">/* green = remote Dev.to */</span> <span class="c">/* Active draft gets a focus ring */</span> <span class="nc">.draft-card--active</span> <span class="p">{</span> <span class="nl">border-left-color</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-focusBorder</span><span class="p">,</span> <span class="m">#6c63ff</span><span class="p">);</span> <span class="nl">box-shadow</span><span class="p">:</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">1px</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-focusBorder</span><span class="p">,</span> <span class="m">#6c63ff</span><span class="p">),</span> <span class="m">0</span> <span class="m">2px</span> <span class="m">8px</span> <span class="n">rgba</span><span class="p">(</span><span class="m">108</span><span class="p">,</span> <span class="m">99</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.15</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The <code>border-left: 3px solid</code> accent pattern is borrowed from VS Code's own Problems panel — instantly familiar to VS Code users without any learning curve.</p> <h2> Split-Editor Workflow </h2> <p>When you click <strong>Create Post</strong> for Dev.to or Medium, the extension creates (or opens) a named <code>.md</code> file and shows it in a side-by-side split next to the WebView panel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">workspaceType</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">blogs</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">workspacePath</span> <span class="o">=</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">workspace</span><span class="p">.</span><span class="nx">workspaceFolders</span><span class="p">?.[</span><span class="mi">0</span><span class="p">]?.</span><span class="nx">uri</span><span class="p">.</span><span class="nx">fsPath</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">workspacePath</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">mdFilePath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">workspacePath</span><span class="p">,</span> <span class="s2">`dotshare-</span><span class="p">${</span><span class="nx">platformKey</span><span class="p">}</span><span class="s2">.md`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">mdFilePath</span><span class="p">))</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">mdFilePath</span><span class="p">,</span> <span class="s2">`--- title: add ur title tags: [add, tags, max, 4] published: false description: add ur description --- Start writing your article here... `</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">workspace</span><span class="p">.</span><span class="nf">openTextDocument</span><span class="p">(</span><span class="nx">mdFilePath</span><span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">doc</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// WebView = Column One, Markdown = Beside it</span> <span class="nx">vscode</span><span class="p">.</span><span class="nb">window</span><span class="p">.</span><span class="nf">showTextDocument</span><span class="p">(</span><span class="nx">doc</span><span class="p">,</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">ViewColumn</span><span class="p">.</span><span class="nx">Beside</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>The file is named — <code>dotshare-devto.md</code>, <code>dotshare-medium.md</code> — not untitled. Named files persist across VS Code restarts, work naturally with git, and give you a free version-controlled article history. You can also open the file in any external editor and the Two-Way Sync will pick up the changes next time you hit "Read Current File."</p> <h2> The Full Flow in One Diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>WebView MessageHandler PostHandler DraftsService / API │ │ │ │ │─ saveLocalDraft ────────►│ │ │ │ │─ includes('Draft')►│ │ │ │ │─ saveDraft() ────────►│ │ │ │◄── Draft ────────────│ │◄─ draftLoaded ───────────────────────────────│ │ │◄─ draftsLoaded ──────────────────────────────│ │ │ │ │ │ │─ loadLocalDraft ────────►│ │ │ │ │ │─ getDraft() ─────────►│ │◄─ draftLoaded ───────────────────────────────│ │ │ │ mdEditor.edit() ◄──── Two-Way Sync │ │ │ │ │─ fetchDevToDrafts ──────►│ │ │ │ │ │─ fetchDevToArticles()─►Dev.to API │◄─ remoteDraftsLoaded ────────────────────────│ │ </code></pre> </div> <h2> What's Next </h2> <p>The system solves the core problem. A few things I plan to add:</p> <ul> <li> <strong>Auto-save on blur</strong> — checkpoint the draft every time the textarea loses focus, no button press needed</li> <li> <strong>Draft preview</strong> — show the first 3 lines of the article inline in the draft card</li> <li> <strong>Conflict detection</strong> — when a remote Dev.to draft differs from a local copy, show a diff</li> </ul> <h2> Try It </h2> <p>DotShare is free and open source under Apache 2.0. Try it out on your preferred registry:</p> <ul> <li> <strong>VS Code Marketplace:</strong> <a href="https://marketplace.visualstudio.com/items?itemName=FreeRave.dotshare" rel="noopener noreferrer">Install DotShare</a> (or run <code>ext install freerave.dotshare</code>)</li> <li> <strong>Open VSX Registry:</strong> <a href="https://open-vsx.org/extension/freerave/dotshare" rel="noopener noreferrer">Available here</a> (for VSCodium users)</li> <li> <strong>GitHub:</strong> <a href="https://github.com/kareem2099/DotShare" rel="noopener noreferrer">github.com/kareem2099/DotShare</a> </li> </ul> <p><em>Built by <a href="https://dev.to/freerave">@FreeRave</a></em></p> vscode typescript opensource webdev Building a Universal Drafts System in a VS Code Extension — Part 1: Types & Storage freerave Sat, 25 Apr 2026 17:40:45 +0000 https://dev.to/freerave/building-a-universal-drafts-system-in-a-vs-code-extension-part-1-types-storage-5chn https://dev.to/freerave/building-a-universal-drafts-system-in-a-vs-code-extension-part-1-types-storage-5chn <h2> How I designed the Draft type, DraftsService, and the save/upsert flow that powers DotShare v3.2.5 — with full TypeScript code and the decisions behind every choice. </h2> <p>Before v3.2.5, DotShare had zero persistence. Write a 2,000-word Dev.to article in the WebView, switch tabs to check something, come back — gone. Reset. Empty form.</p> <p>So I built a drafts system. This is Part 1: how I modeled the data and built the storage layer.</p> <blockquote> <p><strong>Part 2</strong> covers the Two-Way Markdown Sync, Remote Dev.to Drafts, the WebView UI, and the Split-Editor workflow.</p> </blockquote> <h2> The Problem with WebViews </h2> <p>VS Code WebViews are iframes. They get suspended when not visible and fully reset on restart. For a tweet that's annoying. For a structured blog article with frontmatter, tags, cover image, and thousands of words — it's a real productivity loss.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9rwwjvjxq5bixbscjqu.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ff9rwwjvjxq5bixbscjqu.png" alt="Split screen showing a full 2000-word article draft on the right, and a completely empty reset form on the left after switching tabs" width="800" height="225"></a></p> <p>The naive fix is "just auto-save to a file." But that creates new questions: which file? What about social posts that have no file? What if the user has multiple articles open? What about platform-specific metadata like Dev.to series or Medium publish status?</p> <p>The solution needed to be <strong>universal</strong> — one system for social posts and blog articles, all 9 platforms, zero config for the user.</p> <h2> Designing the <code>Draft</code> Type </h2> <p>The first thing I did was sit down and define exactly what a "draft" means across all use cases.</p> <p>A LinkedIn post draft needs: text content, platform, timestamp.<br> A Dev.to article draft needs: title, tags, description, cover image, canonical URL, series, body markdown, publish status, platform.</p> <p>One interface had to cover both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/types.ts</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">DraftType</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">social</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">article</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">Draft</span> <span class="p">{</span> <span class="nl">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">type</span><span class="p">:</span> <span class="nx">DraftType</span><span class="p">;</span> <span class="nl">timestamp</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">platforms</span><span class="p">:</span> <span class="nx">SocialPlatform</span><span class="p">[];</span> <span class="nl">data</span><span class="p">:</span> <span class="nx">PostData</span> <span class="o">|</span> <span class="nx">BlogPost</span><span class="p">;</span> <span class="nl">title</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Human-readable label in the UI</span> <span class="nl">isRemote</span><span class="p">?:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="c1">// true = fetched from Dev.to API, not local</span> <span class="nl">remoteId</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="c1">// Dev.to article ID for remote drafts</span> <span class="p">}</span> </code></pre> </div> <p>The <code>data</code> field is a union. <code>PostData</code> for social:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">PostData</span> <span class="p">{</span> <span class="nl">text</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">media</span><span class="p">?:</span> <span class="kr">string</span><span class="p">[];</span> <span class="c1">// local file paths</span> <span class="p">}</span> </code></pre> </div> <p><code>BlogPost</code> for long-form articles:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kr">interface</span> <span class="nx">BlogPost</span> <span class="p">{</span> <span class="nl">id</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">title</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">bodyMarkdown</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">tags</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">canonicalUrl</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">description</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">coverImage</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">series</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">draft</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">published</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">unlisted</span><span class="dl">'</span><span class="p">;</span> <span class="nl">platformId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">devto</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span><span class="p">;</span> <span class="nl">publishedAt</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">url</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flelfx1anxb3gry8x1eoq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flelfx1anxb3gry8x1eoq.png" alt="Data model diagram showing the Draft Interface parent node branching into two child types: PostData for social posts and BlogPost for articles" width="800" height="436"></a></p> <p>This union lets a single <code>draftsLoaded</code> WebView message carry both types. The WebView switches behavior on <code>draft.type</code> — no separate message commands, no separate storage keys per platform.</p> <p>The <code>isRemote</code> flag is critical: it marks drafts fetched from the Dev.to API. Remote drafts look identical to local ones in the UI but have different save semantics — you update them via API, not <code>globalState</code>.</p> <h2> Choosing the Storage Backend </h2> <p>I evaluated three options:</p> <p><strong>Option A — Write to a file in the workspace.</strong> Simple, but creates git noise, doesn't work if there's no workspace open, and fails for social post drafts that have no natural file home.</p> <p><strong>Option B — SQLite via a native module.</strong> Powerful, but native modules in VS Code extensions are a packaging nightmare. Cross-platform builds, <code>.vsix</code> size, and esbuild bundling issues ruled this out fast.</p> <p><strong>Option C — VS Code <code>globalState</code>.</strong> This is a key-value store backed by VS Code's own storage layer. It survives restarts, is encrypted at rest on macOS (Keychain), works even without a workspace, requires zero config, and the API is synchronous to read and async to write.</p> <p><code>globalState</code> was the obvious choice. The only real limitation is that it's not designed for large datasets — but a list of drafts with text content will comfortably stay under the internal limits for years.</p> <h2> The <code>DraftsService</code> </h2> <p><code>DraftsService</code> wraps <code>globalState</code> with a clean CRUD interface. The full implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/services/DraftsService.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">vscode</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vscode</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Draft</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../types</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DRAFTS_KEY</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">dotshare_drafts_v1</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">DraftsService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">globalState</span><span class="p">:</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">Memento</span><span class="p">)</span> <span class="p">{}</span> <span class="nf">getDrafts</span><span class="p">():</span> <span class="nx">Draft</span><span class="p">[]</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">globalState</span><span class="p">.</span><span class="kd">get</span><span class="o">&lt;</span><span class="nx">Draft</span><span class="p">[]</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">DRAFTS_KEY</span><span class="p">,</span> <span class="p">[]);</span> <span class="p">}</span> <span class="nf">getDraft</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">Draft</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nf">getDrafts</span><span class="p">().</span><span class="nf">find</span><span class="p">(</span><span class="nx">d</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="p">}</span> <span class="nf">saveDraft</span><span class="p">(</span><span class="nx">data</span><span class="p">:</span> <span class="nb">Omit</span><span class="o">&lt;</span><span class="nx">Draft</span><span class="p">,</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">timestamp</span><span class="dl">'</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">Draft</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">drafts</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getDrafts</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">draft</span><span class="p">:</span> <span class="nx">Draft</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">data</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="s2">`draft_</span><span class="p">${</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()}</span><span class="s2">_</span><span class="p">${</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">().</span><span class="nf">toString</span><span class="p">(</span><span class="mi">36</span><span class="p">).</span><span class="nf">slice</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="mi">9</span><span class="p">)}</span><span class="s2">`</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">globalState</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">DRAFTS_KEY</span><span class="p">,</span> <span class="p">[</span><span class="nx">draft</span><span class="p">,</span> <span class="p">...</span><span class="nx">drafts</span><span class="p">]);</span> <span class="k">return</span> <span class="nx">draft</span><span class="p">;</span> <span class="p">}</span> <span class="nf">updateDraft</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">updates</span><span class="p">:</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="nx">Draft</span><span class="o">&gt;</span><span class="p">):</span> <span class="nx">Draft</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">drafts</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">getDrafts</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">idx</span> <span class="o">=</span> <span class="nx">drafts</span><span class="p">.</span><span class="nf">findIndex</span><span class="p">(</span><span class="nx">d</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">idx</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="k">return</span> <span class="kc">undefined</span><span class="p">;</span> <span class="nx">drafts</span><span class="p">[</span><span class="nx">idx</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">drafts</span><span class="p">[</span><span class="nx">idx</span><span class="p">],</span> <span class="p">...</span><span class="nx">updates</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="k">this</span><span class="p">.</span><span class="nx">globalState</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">DRAFTS_KEY</span><span class="p">,</span> <span class="nx">drafts</span><span class="p">);</span> <span class="k">return</span> <span class="nx">drafts</span><span class="p">[</span><span class="nx">idx</span><span class="p">];</span> <span class="p">}</span> <span class="nf">deleteDraft</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">globalState</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span> <span class="nx">DRAFTS_KEY</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nf">getDrafts</span><span class="p">().</span><span class="nf">filter</span><span class="p">(</span><span class="nx">d</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nx">id</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Three decisions worth explaining:</p> <p><strong><code>_v1</code> on the key.</strong> If I ever change the schema, I read <code>dotshare_drafts_v1</code>, transform the data, write to <code>dotshare_drafts_v2</code>, then delete the old key. No migration scripts, no breaking changes for existing users.</p> <p><strong><code>Omit&lt;Draft, 'id' | 'timestamp'&gt;</code> at save.</strong> This forces the compiler to prevent callers from passing a stale ID or a hand-crafted timestamp. IDs and timestamps are always generated internally, guaranteed fresh.</p> <p><strong>Newest first.</strong> <code>[draft, ...drafts]</code> prepends instead of appending. The WebView grid always shows the most recent work at the top without any sort step.</p> <h2> Wiring It Into the Handler Chain </h2> <p><code>DraftsService</code> is instantiated once in <code>MessageHandler</code> and injected down into <code>PostHandler</code>. This keeps a single instance — one source of truth — across the extension's lifetime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/handlers/MessageHandler.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MessageHandler</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">draftsService</span><span class="p">:</span> <span class="nx">DraftsService</span><span class="p">;</span> <span class="k">private</span> <span class="nx">postHandler</span><span class="p">:</span> <span class="nx">PostHandler</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="nx">view</span><span class="p">:</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">WebviewView</span><span class="p">,</span> <span class="k">private</span> <span class="nx">context</span><span class="p">:</span> <span class="nx">vscode</span><span class="p">.</span><span class="nx">ExtensionContext</span><span class="p">,</span> <span class="k">private</span> <span class="nx">historyService</span><span class="p">:</span> <span class="nx">HistoryService</span><span class="p">,</span> <span class="k">private</span> <span class="nx">analyticsService</span><span class="p">:</span> <span class="nx">AnalyticsService</span><span class="p">,</span> <span class="k">private</span> <span class="nx">mediaService</span><span class="p">:</span> <span class="nx">MediaService</span> <span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">draftsService</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DraftsService</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">globalState</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">postHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PostHandler</span><span class="p">(</span> <span class="nx">view</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">historyService</span><span class="p">,</span> <span class="nx">analyticsService</span><span class="p">,</span> <span class="nx">mediaService</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">draftsService</span> <span class="c1">// ← injected</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Routing is handled by a string check — any command that includes the word <code>Draft</code> goes to <code>PostHandler</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span> <span class="nx">cmd</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">share</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">cmd</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">generatePost</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">cmd</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">readMarkdownFile</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">cmd</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// ← catches all 7 draft commands</span> <span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">postHandler</span><span class="p">.</span><span class="nf">handleMessage</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This keeps the routing table flat and readable. Adding a new draft command in the future requires zero changes to <code>MessageHandler</code>.</p> <h2> The Save/Upsert Pattern </h2> <p>The <code>saveLocalDraft</code> handler is the most-called draft command. It does an upsert — not a blind insert:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw21ujpn25pv42prcw45i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw21ujpn25pv42prcw45i.png" alt="Logic flowchart illustrating the save process: checking if an ID exists, then either updating the existing draft or creating a new one in the global state" width="800" height="436"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">private</span> <span class="k">async</span> <span class="nf">handleSaveLocalDraft</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="nx">Message</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">draft</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">draft</span> <span class="k">as</span> <span class="nb">Omit</span><span class="o">&lt;</span><span class="nx">Draft</span><span class="p">,</span> <span class="dl">'</span><span class="s1">id</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">timestamp</span><span class="dl">'</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">draft</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft data is required.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Guard: remote drafts cannot be cloned locally</span> <span class="k">if </span><span class="p">((</span><span class="nx">draft</span> <span class="k">as</span> <span class="nx">Draft</span><span class="p">).</span><span class="nx">isRemote</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cannot save a remote draft locally. Use "Update" instead.</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">existingId</span> <span class="o">=</span> <span class="nx">message</span><span class="p">.</span><span class="nx">draftId</span> <span class="k">as</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">existingId</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Update existing draft in place</span> <span class="kd">const</span> <span class="nx">updated</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">draftsService</span><span class="p">.</span><span class="nf">updateDraft</span><span class="p">(</span><span class="nx">existingId</span><span class="p">,</span> <span class="nx">draft</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">updated</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendInfo</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft updated!</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">draftLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="na">draft</span><span class="p">:</span> <span class="nx">updated</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft not found for update.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Create new draft</span> <span class="kd">const</span> <span class="nx">saved</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">draftsService</span><span class="p">.</span><span class="nf">saveDraft</span><span class="p">(</span><span class="nx">draft</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">sendInfo</span><span class="p">(</span><span class="dl">'</span><span class="s1">Draft saved locally!</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">view</span><span class="p">.</span><span class="nx">webview</span><span class="p">.</span><span class="nf">postMessage</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">'</span><span class="s1">draftLoaded</span><span class="dl">'</span><span class="p">,</span> <span class="na">draft</span><span class="p">:</span> <span class="nx">saved</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Always refresh the list</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">handleListLocalDrafts</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>The upsert is essential. The first save creates a new draft and the WebView receives its ID via <code>draftLoaded</code>. Every subsequent save passes that ID back in <code>message.draftId</code>. Without this, every Ctrl+S would create a duplicate entry.</p> <p>The remote guard is equally important. If someone somehow triggers a save on a remote draft, the handler rejects it with a clear error rather than silently creating a stale local copy that would immediately diverge from the Dev.to version.</p> <p>After every save or update, <code>handleListLocalDrafts</code> runs and pushes the full refreshed list to the WebView — so the draft grid always reflects the current state without a manual refresh.</p> <h2> What's in Part 2 </h2> <p>The storage layer is done. In Part 2, we cover:</p> <ul> <li> <strong><code>loadLocalDraft</code></strong> — the Two-Way Markdown Sync that rewrites the active <code>.md</code> editor file when you load a draft</li> <li> <strong><code>fetchDevToDrafts</code></strong> — fetching remote Dev.to articles and mapping them to the <code>Draft</code> interface</li> <li> <strong><code>resetBlogMarkdown</code></strong> — the Reset Boilerplate button</li> <li> <strong>The WebView UI</strong> — the HTML, draft card CSS, and how <code>{{PLATFORM_NAME}}</code> tokens get injected</li> <li> <strong>Split-Editor workflow</strong> — how opening Dev.to or Medium auto-creates a named <code>.md</code> file beside the WebView panel</li> </ul> <h2> Try It </h2> <p>DotShare is free and open source under Apache 2.0:</p> <ul> <li> <strong>VS Code Marketplace</strong>: <a href="https://marketplace.visualstudio.com/items?itemName=FreeRave.dotshare" rel="noopener noreferrer">Download Extension</a> (or search <code>ext install freerave.dotshare</code>)</li> <li> <strong>Open VSX Registry</strong>: <a href="https://open-vsx.org/extension/freerave/dotshare" rel="noopener noreferrer">Download for VSCodium</a> </li> <li> <strong>GitHub</strong>: <a href="https://github.com/kareem2099/DotShare" rel="noopener noreferrer">github.com/kareem2099/DotShare</a> </li> </ul> <p>If this saved you time, a ⭐ on the repo means a lot!</p> <p><em>Built by <a href="https://dev.to/freerave">@FreeRave</a></em></p> vscode typescript opensource webdev The Vercel Breach: What Actually Happened, Why It Matters, and What Every Developer Should Do Right Now freerave Sun, 19 Apr 2026 21:39:40 +0000 https://dev.to/freerave/the-vercel-breach-what-actually-happened-why-it-matters-and-what-every-developer-should-do-right-4mjn https://dev.to/freerave/the-vercel-breach-what-actually-happened-why-it-matters-and-what-every-developer-should-do-right-4mjn <h2> A deep technical breakdown of the April 2026 Vercel security incident — supply chain risks, GitHub token exposure, NPM hijacking, and what you need to rotate right now </h2> <p>It started, as many supply chain nightmares do, quietly.</p> <p>Today, Vercel — the cloud platform powering millions of production deployments, the company behind Next.js, the infrastructure quietly sitting between your code and your users — confirmed a security incident.</p> <p>A threat actor claiming to be part of the notorious <strong>ShinyHunters</strong> group posted on BreachForums offering what they claim is Vercel's internal data for <strong>$2 million</strong>. The alleged haul: access keys, source code, employee accounts, NPM tokens, GitHub tokens, and database records pulled from Vercel's internal Linear and user management systems.</p> <p>This isn't just a Vercel story. This is a story about where we build, how we trust, and what we're gambling every time we push to production.</p> <h2> What We Actually Know </h2> <p>Let's be precise. In security, the gap between <em>"someone claimed"</em> and <em>"confirmed"</em> is everything.</p> <p><strong>✅ Confirmed by Vercel:</strong></p> <ul> <li>Unauthorized access to certain internal Vercel systems occurred</li> <li>A limited subset of customers was affected</li> <li>Incident response experts have been engaged</li> <li>Law enforcement has been notified</li> <li>Services remain operational</li> </ul> <p><strong>⚠️ Claimed by the threat actor (unverified):</strong></p> <ul> <li>Access to multiple employee accounts with access to internal deployments</li> <li>Exfiltration of API keys, NPM tokens, and GitHub tokens</li> <li>Access to Vercel's internal Linear instance</li> <li>~580 employee records exposed (names, emails, account statuses, timestamps)</li> <li>A $2 million ransom demand, with alleged negotiations underway</li> </ul> <p><strong>Important nuance:</strong> Members of the <em>actual</em> ShinyHunters group have denied involvement to BleepingComputer. The attacker may be using the name for credibility. This doesn't make the breach less real — it just means attribution is murky.</p> <h2> Why Vercel Is a Crown Jewel Target </h2> <p>If you were a sophisticated attacker looking for maximum blast radius from a single breach, you'd want a platform that:</p> <ul> <li> <strong>Holds secrets for thousands of applications</strong> — environment variables, API keys, OAuth credentials</li> <li> <strong>Has deep CI/CD pipeline integration</strong> — build access means potential code tampering</li> <li> <strong>Is trusted implicitly</strong> by its customers — developers don't audit their deployment platforms</li> <li> <strong>Connects to everything</strong> — GitHub, npm, databases, third-party APIs</li> </ul> <p>Vercel checks every box.</p> <p>This attack pattern has a name: <strong>Supply Chain Compromise</strong>. The ROI for attackers is extraordinary — compromise one platform, potentially reach thousands of organizations downstream.</p> <blockquote> <p>You're not just trusting Vercel with your code. You're trusting them with your <em>keys to everything else</em>.</p> </blockquote> <h2> The Linear Connection: Why Internal Tooling Is a Goldmine </h2> <p>One of the more alarming details is the alleged access to Vercel's <strong>Linear</strong> instance — their internal project management tool.</p> <p>Why does this matter? Internal issue trackers are treasure maps. They contain:</p> <ul> <li>Bug reports that reveal unpatched vulnerabilities</li> <li>Architecture discussions that expose system design</li> <li>Credentials accidentally pasted in comments <em>(it happens more than anyone admits)</em> </li> <li>Incident post-mortems that document past weaknesses</li> <li>Roadmap items that reveal future attack surfaces</li> </ul> <p>An attacker with read access to your Linear isn't just reading tickets — they're reading a detailed, timestamped history of your organization's security posture, written <em>honestly for internal consumption</em>.</p> <h2> The GitHub Token Problem </h2> <p>GitHub tokens are particularly dangerous in this context.</p> <p>When Vercel integrates with your GitHub, it requests OAuth scopes to read and deploy your repositories. If an attacker gains those tokens — even read-only — they can:</p> <ul> <li>Clone private repositories, including ones you've never deployed</li> <li>Read secrets patterns in CI/CD config files</li> <li>Map your entire codebase architecture before you even know they're in</li> </ul> <p>Write-access tokens are catastrophically worse: code injection, backdoor planting, supply chain poisoning of your own downstream users.</p> <blockquote> <p><strong>💡 Important Note:</strong><br> OAuth integration tokens aren't "login credentials." They're keys to your intellectual property and potentially to your users' security.</p> </blockquote> <h2> NPM Tokens and the Ecosystem Risk </h2> <p>NPM tokens in the wrong hands enable <strong>package hijacking</strong>.</p> <p>If an attacker gains publish access to any npm package — even a small utility with a few thousand weekly downloads — they can push a malicious version that:</p> <ul> <li>Exfiltrates environment variables from any project that installs it</li> <li>Plants persistent backdoors in Node.js processes</li> <li>Harvests secrets from CI/CD build environments</li> </ul> <p>The npm ecosystem's trust model is implicit: you install a package, you trust everyone who's ever had publish access to it. A compromised NPM token doesn't just affect one package — it affects every developer downstream.</p> <p>This is why <code>npm audit</code> alone isn't enough. You need to think about <em>who has publish access</em> to your dependencies, not just <em>what their current code does</em>.</p> <h2> Encryption At Rest Is Not The Defense You Think It Is </h2> <p>A common misunderstanding in incidents like this:</p> <blockquote> <p><em>"They encrypt environment variables, so we're safe."</em></p> </blockquote> <p>Encryption at rest protects data when the storage medium is physically stolen — a hard drive pulled from a server, a backup tape taken off-site. It doesn't protect you when the attacker has <strong>authenticated access to the systems that do the decryption</strong>.</p> <p>If an attacker has compromised employee accounts with access to internal deployments, those accounts can request decrypted values through the normal application interface. The encryption layer never gets a chance to protect you because the request <em>looks legitimate</em>.</p> <p><strong>Mental model:</strong></p> <blockquote> <p>Encrypting your house key and leaving the encrypted version on the front door doesn't help if the attacker also steals the decryption key.</p> </blockquote> <p>This is the fundamental difference between <strong>encryption at rest</strong> (protects the storage) and <strong>access control</strong> (protects who can use it). The breach wasn't about cracking encryption — it was about gaining <em>credentials the system already trusts</em>.</p> <h2> What "Limited Subset of Customers" Actually Means </h2> <p>Vercel's disclosure says a "limited subset of customers" was affected. This phrasing is technically precise but practically unhelpful during an active investigation.</p> <p>In security incident response, the professional assumption is:</p> <blockquote> <p><em>"Until we can prove we're not affected, we assume we are."</em></p> </blockquote> <p>This isn't paranoia. This is how you avoid being the organization that said "we're probably fine" and then found out three months later they weren't.</p> <h2> 🚨 What You Should Do Right Now </h2> <p>These are not hypothetical best practices. These are <strong>immediate actions</strong>.</p> <h3> 1. Rotate Your GitHub OAuth Integration </h3> <p>Go to <strong>GitHub → Settings → Applications → Authorized OAuth Apps</strong> and revoke Vercel's access. Then re-authorize from the Vercel dashboard. This invalidates any tokens the attacker may have obtained.</p> <p>Do this even if you think you're not affected.</p> <h3> 2. Rotate All Credentials Stored in Vercel </h3> <p>Any credentials stored as environment variables should be treated as potentially exposed. Log into each service and regenerate:</p> <ul> <li>Upstash REST tokens</li> <li>Database connection strings (Postgres, MySQL, MongoDB)</li> <li>Redis AUTH passwords</li> <li>Any other stateful service credentials</li> </ul> <p>Update the new values in Vercel and redeploy.</p> <h3> 3. Audit Your NPM Tokens </h3> <p>If you publish npm packages and your token was stored in Vercel:</p> <ol> <li> <strong>Immediately revoke</strong> the token from npmjs.com → Access Tokens</li> <li> <strong>Audit recent publish history</strong> for any packages you own</li> <li>Create a new token with minimum required scope</li> </ol> <h3> 4. Review Connected OAuth Apps </h3> <p>Check every OAuth app connected to your GitHub account. Remove anything you don't actively use. Review the list for any apps you don't recognize — attackers with token access can potentially authorize new ones.</p> <h3> ⚠️ MASSIVE GOTCHA: The Reddit API Trap (Don't Delete Your Apps!) </h3> <p>If your application uses Reddit as an OAuth provider, <strong>STOP before you delete your current credentials to rotate them.</strong></p> <p>While rotating keys for my own projects tonight, I discovered that Reddit quietly ended Self-Service API access for developers. Because Reddit's legacy UI doesn't have a "Regenerate Secret" button, the standard practice was to delete the app and create a new one. </p> <p><strong>Do not do this right now.</strong> If you delete your app, you cannot create a new one instantly. You will be prompted to submit a manual API Access Request ticket and wait for approval, completely breaking your auth flow in the meantime.</p> <p><strong>The Fix:</strong></p> <ol> <li>You <em>must</em> still delete the exposed Reddit app to secure your system.</li> <li> <strong>Temporarily disable</strong> the Reddit login flow on your frontend/auth server so users don't hit a <code>401 Unauthorized</code> error.</li> <li>Submit the approval ticket via Reddit's Help Center (specify that you are building an external OAuth flow and need the <code>identity</code> scope).</li> <li>Wait for their approval to get your new keys.</li> </ol> <h3> 5. Check Your Build Logs </h3> <p>Recent Vercel build logs might contain credentials accidentally printed by build scripts. Review them for anything that looks like it shouldn't be there.</p> <h3> 6. Enable GitHub Secret Scanning </h3> <p>GitHub scans for committed secrets across your repositories. Enable it. If any credential was ever accidentally committed — even in a commit later reverted — GitHub can detect and alert you.</p> <h2> The Deeper Problem: Trust Transference in Modern Infrastructure </h2> <p>Every time you add a third-party integration to your stack, you're extending your <strong>trust boundary</strong>. You're saying:</p> <blockquote> <p><em>"I trust this service not just to do its job, but to protect my secrets, secure its own infrastructure, and tell me promptly when something goes wrong."</em></p> </blockquote> <p>Most developers accept this bargain without thinking about it.</p> <p>The Vercel breach should prompt a deliberate conversation about <strong>trust transference</strong>:</p> <ul> <li>Which platforms hold your secrets?</li> <li>What's the blast radius if any one of them is breached?</li> <li>How quickly would you know?</li> <li>How quickly could you respond?</li> </ul> <p>This isn't a reason to abandon cloud platforms. It's a reason to build <strong>rotation infrastructure</strong> — the automation and processes that let you cycle credentials quickly when something goes wrong, without bringing down production.</p> <blockquote> <p>If rotating your secrets takes more than 30 minutes, you have a resilience problem.</p> </blockquote> <h2> What To Watch For From Vercel </h2> <p>In the coming days, watch for:</p> <p><strong>Root cause disclosure</strong> — How did the attacker initially gain access? Social engineering? A compromised employee credential? A vulnerability in internal tooling? This matters enormously for the broader developer community.</p> <p><strong>Scope clarification</strong> — "Limited subset" needs to become specific numbers and categories. Were customer environment variables accessed? Were build pipelines tampered with?</p> <p><strong>Token invalidation</strong> — Ideally, Vercel should proactively invalidate all GitHub OAuth tokens and force re-authorization platform-wide, rather than leaving discovery to individual developers.</p> <p><strong>Third-party audit results</strong> — Engaging incident response experts is good. Publishing what those experts find, even in summarized form, is what turns a security incident into a trust-building exercise.</p> <h2> Closing: The Price of Convenience </h2> <p>The developer experience Vercel offers is genuinely exceptional. <code>git push</code> and your app is live, globally distributed, HTTPS, preview environments, CI/CD. It's magic.</p> <p>But magic has a cost. The same integration depth that makes the experience seamless also means a platform breach has an unusually large potential blast radius. The convenience of storing secrets "in the platform" means trusting the platform to protect them.</p> <p>Neither of these things is a reason to stop using Vercel. They're reasons to be <strong>intentional</strong> about what you store there, to have <strong>rotation procedures</strong> in place before you need them, and to follow security bulletins from your infrastructure providers the way you follow CVE disclosures for your own dependencies.</p> <p>The breach happened. The question now is how fast you respond.</p> <p><em>Follow Vercel's official bulletin for updates:</em><br> <em>🔗 <a href="https://vercel.com/kb/bulletin/vercel-april-2026-security-incident" rel="noopener noreferrer">vercel.com/kb/bulletin/vercel-april-2026-security-incident</a></em></p> <p><em>Questions about rotating credentials or hardening your deployment pipeline? Drop them in the comments — happy to help.</em></p> security vercel devops cybersecurity The Hotfix Chronicles: What Broke After the Nexus Release and How I Fixed It (v1.5.2 & v1.5.3) freerave Fri, 17 Apr 2026 12:46:26 +0000 https://dev.to/freerave/the-hotfix-chronicles-what-broke-after-the-nexus-release-and-how-i-fixed-it-v152-v153-46o2 https://dev.to/freerave/the-hotfix-chronicles-what-broke-after-the-nexus-release-and-how-i-fixed-it-v152-v153-46o2 <h2> I promised I'd fix it. Here's exactly what broke in DotGhostBoard after v1.5.1 — PyInstaller frozen environments, insecure /tmp update paths, missing UI assets, and a polkit regression — and how each one was resolved. </h2> <blockquote> <p>This is a follow-up to <a href="https://dev.to/freerave/engineering-the-nexus-release-how-i-built-secure-e2ee-network-sync-into-a-linux-clipboard-manager-3ocd">Engineering the Nexus Release</a>. At the end of that article I wrote: <em>"Stay tuned for v2.0.0 Cerberus."</em> Before Cerberus ships, there's something I owe you — the full post-mortem on what broke in production immediately after that release.</p> </blockquote> <p>Check out the v1.5.3 highlight reel to see the new Live Terminal and Network Sync in action:</p> <p> <iframe src="https://www.youtube.com/embed/vqDU_tnvLy0"> </iframe> </p> <h2> What Happened After v1.5.1 Shipped </h2> <p>The Nexus architecture held. mDNS discovery worked. E2EE pairing worked. The sync engine worked.</p> <p>What didn't work: <strong>the UI didn't load on any bundled build.</strong></p> <p>Users who downloaded the <code>.AppImage</code> or <code>.deb</code> were greeted with a white window. No stylesheet. No dark theme. Just a blank Qt frame. The app was running — but blind.</p> <p>That was the beginning of the <code>v1.5.2 → v1.5.3</code> hotfix sprint.</p> <h2> Bug 1 — The White Window (PyInstaller Frozen Environment) </h2> <h3> Root Cause </h3> <p>When PyInstaller bundles an app, it doesn't just copy files — it extracts them into a temporary directory at runtime called <code>sys._MEIPASS</code>. The problem is that code like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Breaks in bundled builds </span><span class="n">base</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">__file__</span><span class="p">)</span> <span class="n">qss_path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="sh">"</span><span class="s">ui</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ghost.qss</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>...works perfectly when you run <code>python main.py</code> from source, because <code>__file__</code> points to the project root. But inside a frozen <code>.AppImage</code>, <code>__file__</code> resolves to a virtual path inside the bundle — and <code>ghost.qss</code> is nowhere near it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Source mode: __file__ → /home/user/DotGhostBoard/core/app.py ✅ Frozen mode: __file__ → /tmp/_MEI3xk9/core/app.py ✅ ghost.qss → ??? ❌ </code></pre> </div> <p>The UI stylesheet <code>ghost.qss</code> simply couldn't be found. Qt silently fell back to its default theme. White window.</p> <h3> The Fix: <code>resource_path</code> Bridge </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># core/paths.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">sys</span> <span class="k">def</span> <span class="nf">_base_dir</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Detect whether we</span><span class="sh">'</span><span class="s">re running from source or a PyInstaller bundle. In frozen mode, all assets are extracted to sys._MEIPASS at runtime. </span><span class="sh">"""</span> <span class="k">if</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">sys</span><span class="p">,</span> <span class="sh">"</span><span class="s">frozen</span><span class="sh">"</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="ow">and</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">sys</span><span class="p">,</span> <span class="sh">"</span><span class="s">_MEIPASS</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="n">sys</span><span class="p">.</span><span class="n">_MEIPASS</span> <span class="c1"># PyInstaller extraction folder </span> <span class="k">return</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span> <span class="c1"># two levels up from core/paths.py </span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">abspath</span><span class="p">(</span><span class="n">__file__</span><span class="p">))</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">resource_path</span><span class="p">(</span><span class="o">*</span><span class="n">parts</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Build an absolute path to any bundled asset, regardless of runtime mode. Usage: resource_path(</span><span class="sh">"</span><span class="s">ui</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">ghost.qss</span><span class="sh">"</span><span class="s">) → /tmp/_MEIxxxx/ui/ghost.qss resource_path(</span><span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="s">, </span><span class="sh">"</span><span class="s">icon.png</span><span class="sh">"</span><span class="s">) → /home/user/Project/data/icon.png </span><span class="sh">"""</span> <span class="k">return</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nf">_base_dir</span><span class="p">(),</span> <span class="o">*</span><span class="n">parts</span><span class="p">)</span> </code></pre> </div> <p>Decision flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> App requests: resource_path("ui", "ghost.qss") │ is_frozen? / \ Yes No │ │ sys._MEIPASS Project Root │ │ /tmp/_MEIxxxx/ui/ghost.qss /home/user/.../ui/ghost.qss </code></pre> </div> <p>Every asset reference in the codebase was updated to go through <code>resource_path()</code>. The white window was gone.</p> <h3> The CI Side of This Bug </h3> <p>But wait — local builds worked. CI builds didn't. Why?</p> <p>Because the PyInstaller command in the workflow was missing the <code>--add-data</code> directive for the UI directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ❌ v1.5.1 — ghost.qss never made it into the bundle</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pyinstaller --noconsole --onedir \</span> <span class="s">--add-data "data:data" \</span> <span class="s">--hidden-import "PyQt6.sip" \</span> <span class="s">--name dotghostboard main.py</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># ✅ v1.5.3 — explicitly map the UI directory</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pyinstaller --noconsole --onedir \</span> <span class="s">--add-data "data:data" \</span> <span class="s">--add-data "ui/ghost.qss:ui" \ # ← this line was the missing piece</span> <span class="s">--hidden-import "PyQt6.sip" \</span> <span class="s">--hidden-import "cryptography" \</span> <span class="s">--hidden-import "cryptography.hazmat.primitives.asymmetric.x25519" \</span> <span class="s">--hidden-import "cryptography.hazmat.primitives.ciphers.aead" \</span> <span class="s">--name dotghostboard main.py</span> </code></pre> </div> <p>The <code>--add-data</code> syntax is <code>"source:dest"</code> — it maps the source path on the build machine to the relative path inside <code>_MEIPASS</code>. Without it, PyInstaller doesn't know the file exists and silently skips it.</p> <blockquote> <p><strong>The deceptive part:</strong> local <code>pyinstaller</code> builds work because <code>pyinstaller</code> finds <code>ui/ghost.qss</code> relative to the working directory. The GitHub Actions runner has a clean checkout with the same structure — but without explicit <code>--add-data</code>, the file is excluded from the bundle spec. Same command, different behavior depending on how PyInstaller resolves paths in its analysis phase.</p> </blockquote> <p>You can verify any <code>.deb</code> build has the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dpkg <span class="nt">-c</span> dotghostboard_1.5.3_amd64.deb | <span class="nb">grep </span>ui/ <span class="c"># Expected: ... _internal/ui/ghost.qss</span> </code></pre> </div> <h2> Bug 2 — Insecure Update Download Path </h2> <p>In <code>v1.5.1</code>, the in-app "Download Update" feature used <code>/tmp/</code> as the staging area:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ v1.5.1 </span><span class="n">download_path</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">/tmp/dotghostboard_</span><span class="si">{</span><span class="n">version</span><span class="si">}</span><span class="s">_amd64.deb</span><span class="sh">"</span> </code></pre> </div> <p><code>/tmp/</code> is world-readable, world-writable, and wiped on reboot. For a one-time download that's fine. For a security tool that downloads and installs packages — it's a TOCTOU (Time-Of-Check to Time-Of-Use) attack surface. An attacker with local access could replace the <code>.deb</code> between download and installation.</p> <h3> The Fix: User-Specific Sandbox </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ✅ v1.5.2+ </span><span class="kn">import</span> <span class="n">os</span> <span class="k">def</span> <span class="nf">get_update_staging_dir</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Returns a user-specific, restricted directory for staging update packages. Created with mode 0o700 — only the owning user can read or write. </span><span class="sh">"""</span> <span class="n">path</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">expanduser</span><span class="p">(</span><span class="sh">"</span><span class="s">~</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">.local</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">share</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dotghostboard</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">updates</span><span class="sh">"</span> <span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">makedirs</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="mo">0o700</span><span class="p">,</span> <span class="n">exist_ok</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="n">path</span> <span class="n">SAFE_PATH</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nf">get_update_staging_dir</span><span class="p">(),</span> <span class="sa">f</span><span class="sh">"</span><span class="s">dotghostboard_</span><span class="si">{</span><span class="n">version</span><span class="si">}</span><span class="s">_amd64.deb</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>v1.5.1</th> <th>v1.5.2+</th> </tr> </thead> <tbody> <tr> <td>Download path</td> <td><code>/tmp/</code></td> <td><code>~/.local/share/dotghostboard/updates/</code></td> </tr> <tr> <td>Readable by other users</td> <td>Yes</td> <td>No (<code>0o700</code>)</td> </tr> <tr> <td>Survives reboot</td> <td>No</td> <td>Yes</td> </tr> <tr> <td>Integrity check</td> <td>None</td> <td>SHA-256 (v1.5.3)</td> </tr> </tbody> </table></div> <h3> The Kamikaze Installer </h3> <p>The install script itself also needed hardening. After <code>dpkg -i</code> finishes, no artifacts should remain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="c"># dotghostboard_install.sh — self-destructs after use</span> <span class="nv">SAFE_PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> dpkg <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$SAFE_PATH</span><span class="s2">"</span> <span class="c"># Install the package</span> <span class="nb">rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$SAFE_PATH</span><span class="s2">"</span> <span class="c"># Wipe the .deb from disk</span> <span class="nb">rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span> <span class="c"># Wipe this script itself</span> </code></pre> </div> <p>Nothing lingers. No old <code>.deb</code> sitting in a directory. No script to be re-executed.</p> <h2> Bug 3 — Polkit SUID Regression on Kali </h2> <p>Kali Linux (and some hardened Arch setups) occasionally strip or reset the SUID bit on <code>/usr/bin/pkexec</code> after system updates. This caused the in-app "Download &amp; Install" button to fail silently — <code>pkexec</code> would return a permission error, and the UI would just hang.</p> <p>The fix was embedded directly in the package's <code>postinst</code> script — it runs as <code>root</code> immediately after <code>dpkg -i</code> completes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/sh</span> <span class="c"># DEBIAN/postinst</span> <span class="nb">set</span> <span class="nt">-e</span> fix_pkexec<span class="o">()</span> <span class="o">{</span> <span class="nv">PKEXEC</span><span class="o">=</span><span class="s2">"/usr/bin/pkexec"</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$PKEXEC</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">CURRENT_PERMS</span><span class="o">=</span><span class="si">$(</span><span class="nb">stat</span> <span class="nt">-c</span> <span class="s2">"%a"</span> <span class="s2">"</span><span class="nv">$PKEXEC</span><span class="s2">"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$CURRENT_PERMS</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"4755"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"dotghostboard: repairing pkexec SUID bit (</span><span class="nv">$CURRENT_PERMS</span><span class="s2"> → 4755)"</span> <span class="nb">chmod </span>4755 <span class="s2">"</span><span class="nv">$PKEXEC</span><span class="s2">"</span> <span class="k">fi fi</span> <span class="o">}</span> <span class="k">case</span> <span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="k">in </span>configure<span class="p">)</span> fix_pkexec <span class="p">;;</span> <span class="k">esac</span> <span class="nb">exit </span>0 </code></pre> </div> <p>Logic flow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> dpkg -i dotghostboard_1.5.3_amd64.deb │ └── postinst runs as root │ /usr/bin/pkexec exists? │ current perms == 4755? / \ Yes No │ │ Skip chmod 4755 │ "Download &amp; Install" works </span></code></pre> </div> <p>This is controversial — touching SUID bits in a <code>postinst</code> script is aggressive. But the alternative is users filing issues that are impossible to debug remotely, or writing a setup guide that says "run <code>chmod 4755 /usr/bin/pkexec</code> after installing." The autorepair is the lesser evil.</p> <h2> Feature: Live Terminal Log (v1.5.3) </h2> <p>While fixing the above bugs, I replaced the old "Please Wait..." dialog during updates with a live terminal stream. It felt wrong to show a spinner while <code>dpkg</code> was doing real work with real output.</p> <h3> Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ui/update_log_screen.py </span><span class="kn">from</span> <span class="n">PyQt6.QtCore</span> <span class="kn">import</span> <span class="n">QThread</span><span class="p">,</span> <span class="n">pyqtSignal</span> <span class="kn">import</span> <span class="n">subprocess</span> <span class="k">class</span> <span class="nc">InstallWorker</span><span class="p">(</span><span class="n">QThread</span><span class="p">):</span> <span class="n">log_line</span> <span class="o">=</span> <span class="nf">pyqtSignal</span><span class="p">(</span><span class="nb">str</span><span class="p">)</span> <span class="c1"># emitted for every line of dpkg output </span> <span class="n">finished</span> <span class="o">=</span> <span class="nf">pyqtSignal</span><span class="p">(</span><span class="nb">int</span><span class="p">)</span> <span class="c1"># exit code </span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">script_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">script_path</span> <span class="o">=</span> <span class="n">script_path</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">process</span> <span class="o">=</span> <span class="n">subprocess</span><span class="p">.</span><span class="nc">Popen</span><span class="p">(</span> <span class="p">[</span><span class="sh">"</span><span class="s">bash</span><span class="sh">"</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">script_path</span><span class="p">],</span> <span class="n">stdout</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">PIPE</span><span class="p">,</span> <span class="n">stderr</span><span class="o">=</span><span class="n">subprocess</span><span class="p">.</span><span class="n">STDOUT</span><span class="p">,</span> <span class="c1"># merge stderr into stdout </span> <span class="n">text</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">bufsize</span><span class="o">=</span><span class="mi">1</span> <span class="c1"># line-buffered </span> <span class="p">)</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">process</span><span class="p">.</span><span class="n">stdout</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">log_line</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="nf">rstrip</span><span class="p">())</span> <span class="n">process</span><span class="p">.</span><span class="nf">wait</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">finished</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="n">process</span><span class="p">.</span><span class="n">returncode</span><span class="p">)</span> </code></pre> </div> <p>On the UI side:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Color mapping — Regex-based, no AI required </span><span class="kn">import</span> <span class="n">re</span> <span class="kn">from</span> <span class="n">PyQt6.QtGui</span> <span class="kn">import</span> <span class="n">QColor</span> <span class="n">COLOR_MAP</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">\berror\b</span><span class="sh">'</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">I</span><span class="p">),</span> <span class="sh">"</span><span class="s">#FF5555</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># red </span> <span class="p">(</span><span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">\bwarning\b</span><span class="sh">'</span><span class="p">,</span> <span class="n">re</span><span class="p">.</span><span class="n">I</span><span class="p">),</span> <span class="sh">"</span><span class="s">#FFB86C</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># amber </span> <span class="p">(</span><span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">\bSetting up\b|\bProcessing\b</span><span class="sh">'</span><span class="p">),</span> <span class="sh">"</span><span class="s">#50FA7B</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># green </span> <span class="p">(</span><span class="n">re</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^--</span><span class="sh">'</span><span class="p">),</span> <span class="sh">"</span><span class="s">#8BE9FD</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># cyan for steps </span><span class="p">]</span> <span class="k">def</span> <span class="nf">colorize</span><span class="p">(</span><span class="n">line</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">for</span> <span class="n">pattern</span><span class="p">,</span> <span class="n">color</span> <span class="ow">in</span> <span class="n">COLOR_MAP</span><span class="p">:</span> <span class="k">if</span> <span class="n">pattern</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="n">line</span><span class="p">):</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">'</span><span class="s">&lt;span style=</span><span class="sh">"</span><span class="s">color:</span><span class="si">{</span><span class="n">color</span><span class="si">}</span><span class="sh">"</span><span class="s">&gt;</span><span class="si">{</span><span class="n">line</span><span class="si">}</span><span class="s">&lt;/span&gt;</span><span class="sh">'</span> <span class="k">return</span> <span class="n">line</span> <span class="c1"># default — white </span> <span class="k">def</span> <span class="nf">on_log_line</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">line</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">log_box</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">colorize</span><span class="p">(</span><span class="n">line</span><span class="p">))</span> <span class="c1"># Auto-scroll to bottom </span> <span class="n">sb</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">log_box</span><span class="p">.</span><span class="nf">verticalScrollBar</span><span class="p">()</span> <span class="n">sb</span><span class="p">.</span><span class="nf">setValue</span><span class="p">(</span><span class="n">sb</span><span class="p">.</span><span class="nf">maximum</span><span class="p">())</span> </code></pre> </div> <p>The blinking cursor is driven by a <code>QTimer</code> — no threads, no complexity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">self</span><span class="p">.</span><span class="n">_cursor_visible</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_timer</span> <span class="o">=</span> <span class="nc">QTimer</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_timer</span><span class="p">.</span><span class="n">timeout</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_blink_cursor</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_timer</span><span class="p">.</span><span class="nf">start</span><span class="p">(</span><span class="mi">500</span><span class="p">)</span> <span class="c1"># 500ms interval </span> <span class="k">def</span> <span class="nf">_blink_cursor</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_visible</span> <span class="o">=</span> <span class="ow">not</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_visible</span> <span class="n">self</span><span class="p">.</span><span class="n">cursor_label</span><span class="p">.</span><span class="nf">setText</span><span class="p">(</span><span class="sh">"</span><span class="s">█</span><span class="sh">"</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">_cursor_visible</span> <span class="k">else</span> <span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Verification Checklist </h2> <p>For any future hotfix, these three commands confirm the build is clean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Confirm ghost.qss is inside the bundle</span> dpkg <span class="nt">-c</span> dotghostboard_1.5.3_amd64.deb | <span class="nb">grep </span>ui/ <span class="c"># Expected: ./opt/dotghostboard/_internal/ui/ghost.qss</span> <span class="c"># 2. Verify SUID bit post-install</span> <span class="nb">ls</span> <span class="nt">-l</span> /usr/bin/pkexec <span class="c"># Expected: -rwsr-xr-x (the 's' in position 4 is the SUID bit)</span> <span class="c"># 3. Test resource_path in frozen mode (AppImage)</span> ./DotGhostBoard-1.5.3-x86_64.AppImage <span class="nt">--debug-paths</span> <span class="c"># Should print resolved paths for ghost.qss and icon_256.png</span> </code></pre> </div> <h2> What I Learned </h2> <p><strong>PyInstaller's <code>--add-data</code> is not optional for anything outside <code>data/</code>.</strong> If your app loads a file at runtime that isn't in the directory you passed to <code>--add-data</code>, it won't be in the bundle. PyInstaller doesn't warn you. The app just crashes or falls back silently. Map every resource directory explicitly.</p> <p><strong><code>sys._MEIPASS</code> is the only reliable truth in a frozen environment.</strong> Don't use <code>__file__</code>, don't use <code>os.getcwd()</code>, don't use relative paths. <code>_MEIPASS</code> is where PyInstaller extracted everything — it's the only path you can trust.</p> <p><strong><code>/tmp/</code> is fine for scratch. It's not fine for security-sensitive staging.</strong> The threat model for a clipboard manager that stores secrets is different from a text editor. The update pipeline needed to match that model.</p> <p><strong>Local builds working ≠ CI builds working.</strong> The <code>ghost.qss</code> bug existed for the entire <code>v1.5.x</code> series in bundled form because nobody had tested a clean AppImage build from the CI artifact — only local PyInstaller runs. Add artifact smoke testing to your release checklist.</p> <h2> What's Next — v2.0.0 Cerberus </h2> <p>The hotfix series is closed. v1.5.3 is stable.</p> <p>Next up is <strong>Cerberus</strong> — the Zero-Knowledge Password Vault. The AES-256 foundation from v1.4.0 (Eclipse) is already in place. The design is locked:</p> <ul> <li>Isolated <code>vault.db</code> — separate file, separate connection, locked when idle</li> <li>Pattern-based secret detection — JWT, AWS keys (<code>AKIA...</code>), GitHub tokens (<code>ghp_...</code>), high-entropy hex — shape-based, not keyword-based</li> <li>Auto-clear: wipes clipboard 30 seconds after a Vault paste</li> <li>Paranoia Mode: suspends all DB writes on demand</li> </ul> <p>The core principle of Cerberus: a 1500-word article that contains the word "password" doesn't trigger detection. A 40-character base64 string with high Shannon entropy does.</p> <h2> Download </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Link</th> </tr> </thead> <tbody> <tr> <td>📦 GitHub Release (AppImage + DEB + GPG sigs)</td> <td><a href="https://github.com/kareem2099/DotGhostBoard/releases/tag/v1.5.3" rel="noopener noreferrer">v1.5.3</a></td> </tr> <tr> <td>🖥️ OpenDesktop</td> <td><a href="https://www.opendesktop.org/p/2353623/" rel="noopener noreferrer">DotGhostBoard</a></td> </tr> <tr> <td>💻 Source</td> <td><a href="https://github.com/kareem2099/DotGhostBoard" rel="noopener noreferrer">kareem2099/DotGhostBoard</a></td> </tr> </tbody> </table></div> <p><em>DotSuite — built for the shadows</em> 👻</p> python linux devops playwright We Hit 2,500 in 15 Days — And I Want to Make Every Dev Lazier (Productively) freerave Thu, 16 Apr 2026 18:15:34 +0000 https://dev.to/freerave/we-hit-2500-in-15-days-and-i-want-to-make-every-dev-lazier-productively-39a3 https://dev.to/freerave/we-hit-2500-in-15-days-and-i-want-to-make-every-dev-lazier-productively-39a3 <p>I set a goal at the start of April: <strong>reach 2,500 followers on dev.to by April 30th.</strong></p> <p>We hit <strong>2,631 by April 15th.</strong></p> <p>Half the month. So before I sprint to the next goal, I want to stop, look back, and say a real thank you — not the generic "thanks for the support 🙏" kind. The honest kind.</p> <h2> What you actually did </h2> <p>You read the articles. You left comments that pushed me to think harder. You shared the DotShare posts and the Reddit API deep-dives with people who needed them. Some of you went through the <a href="https://kareem2099.github.io/dotuniverse/" rel="noopener noreferrer">dotUniverse</a> terminal, found the Easter eggs, and DMed me screenshots. That made my week every single time.</p> <p>You didn't just follow — you engaged. That's the difference.</p> <h2> The honest confession: I'm lazy. That's why I built 20+ tools. </h2> <p>Here's the real origin story of the entire DotSuite ecosystem.</p> <p>I didn't build these tools because I'm a passionate open-source hero. I built them because I kept running into tasks I did not want to do manually ever again.</p> <ul> <li> <strong>DotShare</strong> — because I wasn't opening 8 browser tabs every time I wanted to post something</li> <li> <strong>dotenvy</strong> — because I forgot my <code>.env</code> variables once and lost two hours of debugging</li> <li> <strong>DotGhostBoard</strong> — because my clipboard was an absolute disaster</li> <li> <strong>dotcommand</strong> — because I kept forgetting terminal commands <em>that I wrote myself</em> </li> <li> <strong>DotScramble</strong> — because blurring faces manually in screenshots is soul-crushing</li> <li> <strong>CodeTune</strong> — because I needed prayer times and Quran without leaving VS Code</li> <li> <strong>dotsense</strong> — because I genuinely couldn't tell when I was burning out until it was too late</li> </ul> <p>The pattern is obvious. Every tool exists because past-me was too lazy to keep doing something the hard way.</p> <p><strong>Laziness, scaled properly, is just engineering.</strong></p> <h2> The full arsenal — everything built so far </h2> <p>Here's every tool in the DotSuite ecosystem, in case you missed any:</p> <h3> VS Code Extensions </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> <th>Downloads</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/kareem2099/DotShare" rel="noopener noreferrer"><strong>DotShare</strong></a></td> <td>Post to 9 platforms (LinkedIn, X, Reddit, Bluesky, Telegram, Facebook, Discord, dev.to, medium) with AI content creation via Gemini, GPT-4 &amp; Claude</td> <td>1,979+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotenvy" rel="noopener noreferrer"><strong>dotenvy</strong></a></td> <td>Environment manager with Git branch auto-switching, AI secret detection (35-feature ML model), Doppler sync &amp; encrypted backups</td> <td>1,130+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotcommand" rel="noopener noreferrer"><strong>dotcommand</strong></a></td> <td>Intelligent command manager, ML suggestions, 180+ prepared commands, analytics dashboard</td> <td>909+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/codetune" rel="noopener noreferrer"><strong>CodeTune</strong></a></td> <td>Islamic dev environment — Quran player (15+ reciters), prayer times, focus mode, Dhikr counters</td> <td>899+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/DotFetch" rel="noopener noreferrer"><strong>DotFetch</strong></a></td> <td>Professional HTTP client with .env support, collections, cURL import/export</td> <td>692+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/DotReadme" rel="noopener noreferrer"><strong>DotReadme</strong></a></td> <td>README optimizer — quality audit (A+ to F), badge inserter, TOC generator, AI enhancement (BYOK)</td> <td>515+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotsense" rel="noopener noreferrer"><strong>dotsense</strong></a></td> <td>AI developer wellness — ML mood detection, burnout prevention, peak performance analytics</td> <td>129+</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotconvert" rel="noopener noreferrer"><strong>dotconvert</strong></a></td> <td>Data converter — Base64, XML↔JSON, CSV↔JSON (Marketplace listing coming soon)</td> <td>—</td> </tr> </tbody> </table></div> <p><strong>Total VS Code downloads across Marketplace + Open VSX: 6,253+</strong></p> <h3> CLI Tools </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/kareem2099/DotGhostBoard" rel="noopener noreferrer"><strong>DotGhostBoard</strong></a></td> <td>Linux clipboard manager — AES-256 encryption, tag system, thumbnail previews, master password lock</td> </tr> <tr> <td><a href="https://github.com/kareem2099/DotScramble" rel="noopener noreferrer"><strong>DotScramble</strong></a></td> <td>Image privacy studio — face/license plate detection, 8 blur effects, batch processing, RTL Arabic support</td> </tr> </tbody> </table></div> <h3> Telegram Bots </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/kareem2099/DotDownloader" rel="noopener noreferrer"><strong>DotDownloader</strong></a></td> <td>Multi-platform media downloader — Instagram, TikTok, YouTube, Reddit, Spotify &amp; more. Referral system + premium tiers</td> </tr> <tr> <td><a href="https://github.com/kareem2099/DotFormate" rel="noopener noreferrer"><strong>DotFormate</strong></a></td> <td>File format conversion — PDF, DOCX, PPTX, images, OCR. PayPal integration + R2 cloud storage</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotshare-auth-server" rel="noopener noreferrer"><strong>DotShare-Auth-Server</strong></a></td> <td>Secure OAuth toolkit — magic link auth, LinkedIn &amp; Reddit &amp; X &amp; Facebook OAuth, session management</td> </tr> </tbody> </table></div> <h3> Mobile Apps </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><a href="https://play.google.com/store/apps/details?id=com.freerave.dotreminder" rel="noopener noreferrer"><strong>DotReminder</strong></a></td> <td>Android reminder app — AI assistant (Gemini 2.5 Flash), location-based reminders, biometric auth, 2FA</td> </tr> <tr> <td><a href="https://play.google.com/store/apps/details?id=com.freerave.dotshredzilla" rel="noopener noreferrer"><strong>DOTShredzilla</strong></a></td> <td>Workout tracker — offline-first, Firebase-synced, Kotlin + Jetpack Compose</td> </tr> <tr> <td><a href="https://github.com/kareem2099/DotBurn" rel="noopener noreferrer"><strong>DotBurn</strong></a></td> <td>Gym and calorie system management</td> </tr> </tbody> </table></div> <h3> Premium / Private </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td> <strong>dotctl</strong> <em>(invite only)</em> </td> <td>Advanced traffic control for network security experts — ARP spoofing, bandwidth limiting, DPI &amp; ML traffic analysis</td> </tr> </tbody> </table></div> <h3> Coming Soon </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><strong>DotTransfer</strong></td> <td>Transfer files between workspaces directly inside VS Code</td> </tr> <tr> <td><a href="https://github.com/kareem2099/dotsuite" rel="noopener noreferrer"><strong>dotsuite</strong></a></td> <td>Portfolio &amp; distribution platform — Next.js 16, multi-language (EN/AR/FR/DE/RU), GitHub webhooks, product reviews</td> </tr> </tbody> </table></div> <h2> Where the April challenge stands right now </h2> <p>dev.to was the first goal to fall. Here's the full scoreboard:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Platform</th> <th>Now</th> <th>Goal</th> <th>Progress</th> </tr> </thead> <tbody> <tr> <td>📝 dev.to</td> <td><strong>2,631</strong></td> <td>2,500</td> <td>✅ <strong>DONE</strong> </td> </tr> <tr> <td>💼 LinkedIn</td> <td>396</td> <td>500</td> <td>79%</td> </tr> <tr> <td>🎵 TikTok</td> <td>33</td> <td>100</td> <td>33%</td> </tr> <tr> <td>▶️ YouTube</td> <td>29</td> <td>100</td> <td>29%</td> </tr> <tr> <td>✍️ Medium</td> <td>2</td> <td>50</td> <td>4%</td> </tr> <tr> <td>📘 Facebook</td> <td>13</td> <td>50</td> <td>26%</td> </tr> <tr> <td>📸 Instagram</td> <td>7</td> <td>50</td> <td>14%</td> </tr> <tr> <td>𝕏 X / Twitter</td> <td>16</td> <td>500</td> <td>3%</td> </tr> <tr> <td>🦋 Bluesky</td> <td>11</td> <td>50</td> <td>22%</td> </tr> </tbody> </table></div> <p>Some of these are painful to look at. X at 3% is basically a comedy sketch. But the scoreboard stays public. That's the whole point.</p> <h2> What's shipping next </h2> <ul> <li> <strong>DotShare v3.2</strong> — Reddit media uploads are almost stable. The S3 presigned pipeline is wired. The last debug session was brutal and I wrote every painful detail <a href="https://dev.to/freerave/dotshare-v31-toast-engine-race-condition-fix-and-surviving-reddits-s3-upload-pipeline-5f9i">here</a>.</li> <li> <strong>dotenvy</strong> — The LLM layer for environment/config management deserves a proper release article. The architecture is the interesting part.</li> <li> <strong>dotUniverse Terminal 2.0</strong> — Piping support, SSH simulation, VIM-lite. Q2 target.</li> <li> <strong>dotsuite</strong> — The full portfolio platform goes live this year.</li> </ul> <h2> The part that actually matters </h2> <p>I'm self-taught. I'm building all of this from a small city in Egypt, mostly at night, mostly alone. No team, no VC funding, no algorithm boost.</p> <p>Every follow, reaction, and comment is a real person who decided this was worth their time.</p> <p><strong>2,631 of you did that. I don't take it lightly.</strong></p> <p>The next target is 3,000. Based on the current trajectory, I give it two weeks. Let's find out.</p> <h2> Try the tools </h2> <ul> <li> <strong>Live portfolio:</strong> <a href="https://kareem2099.github.io/dotuniverse/" rel="noopener noreferrer">https://kareem2099.github.io/dotuniverse/</a> </li> <li> <strong>GitHub:</strong> <a href="https://github.com/kareem2099" rel="noopener noreferrer">https://github.com/kareem2099</a> </li> <li> <strong>All tools:</strong> open the terminal on dotUniverse and type <code>ls ~/tools</code> </li> </ul> <p><em>My message to every developer reading this: be productively lazy. Automate the annoying thing. Build the tool. Then build the tool that builds the tool. That's how 20+ projects happen.</em></p> <p><em>Built with caffeine and the stubborn belief that open-source from Egypt can reach the whole internet.</em></p> <p>— Kareem / FreeRave 🦥</p> webdev opensource career productivity Engineering the Nexus Release: How I Built Secure E2EE Network Sync into a Linux Clipboard Manager (v1.5.1) freerave Wed, 15 Apr 2026 20:28:57 +0000 https://dev.to/freerave/engineering-the-nexus-release-how-i-built-secure-e2ee-network-sync-into-a-linux-clipboard-manager-3ocd https://dev.to/freerave/engineering-the-nexus-release-how-i-built-secure-e2ee-network-sync-into-a-linux-clipboard-manager-3ocd <h2> A deep dive into the architecture behind DotGhostBoard v1.5.0 — zero-config mDNS discovery, X25519 ECDH pairing, AES-256-GCM sync, rate limiting, and PyQt6 threading — all without a central server. </h2> <blockquote> <p><strong>DotGhostBoard</strong> is a privacy-first clipboard manager for Linux, built under the <a href="https://github.com/kareem2099" rel="noopener noreferrer">DotSuite</a> umbrella. No telemetry. No Electron. No cloud. Pure PyQt6 + SQLite.</p> <p>📦 <a href="https://github.com/kareem2099/DotGhostBoard/releases/tag/v1.5.1" rel="noopener noreferrer">GitHub Release v1.5.1</a> · 🖥️ <a href="https://www.opendesktop.org/p/2353623/" rel="noopener noreferrer">OpenDesktop</a></p> </blockquote> <h2> Why This Was Hard </h2> <p>Building a clipboard manager is trivial. Building one that <strong>syncs securely across devices on a local network without a central server, without trusting the network, and without ever sending data to the cloud</strong> — that's a different problem.</p> <p>With <code>v1.5.0 (Nexus)</code>, I rebuilt the core architecture from scratch to solve exactly that. Here's what the final system looks like before we dive into each layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ┌─────────────────────────────────────────────────────────────┐ │ LOCAL NETWORK (LAN) │ │ │ │ ┌──────────────┐ mDNS Discovery ┌──────────────┐ │ │ │ Device A │ ◄──────────────────► │ Device B │ │ │ │ (Arch) │ │ (Kali) │ │ │ │ │ X25519 Handshake │ │ │ │ │ ghostboard │ ──── PIN + ECDH ───► │ ghostboard │ │ │ │ │ │ │ │ │ │ HTTPServer │ ◄── AES-256-GCM ──── │ HTTPServer │ │ │ │ :PORT │ /api/sync E2EE │ :PORT │ │ │ └──────┬───────┘ └──────┬───────┘ │ │ │ │ │ │ ghost.db ghost.db │ │ (trusted_peers) (trusted_peers) │ └─────────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Three layers. Each one independently secure. Let's break them down.</p> <h2> Layer 1 — Zero-Config Device Discovery (mDNS) </h2> <p>The first UX problem: how do devices find each other without the user typing an IP address?</p> <p><strong>Answer: mDNS via <code>zeroconf</code>.</strong> Every device broadcasts itself on the LAN under a custom service type <code>_dotghost._tcp.local.</code>. Other instances listen and populate the UI automatically.</p> <p>Because the app runs on <strong>PyQt6</strong>, the discovery engine lives in its own <code>QThread</code> — blocking network I/O never touches the main thread:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># core/network_discovery.py </span><span class="kn">import</span> <span class="n">socket</span> <span class="kn">from</span> <span class="n">zeroconf</span> <span class="kn">import</span> <span class="n">ServiceBrowser</span><span class="p">,</span> <span class="n">Zeroconf</span><span class="p">,</span> <span class="n">ServiceInfo</span><span class="p">,</span> <span class="n">IPVersion</span> <span class="kn">from</span> <span class="n">PyQt6.QtCore</span> <span class="kn">import</span> <span class="n">pyqtSignal</span><span class="p">,</span> <span class="n">QThread</span> <span class="n">_SERVICE_TYPE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">_dotghost._tcp.local.</span><span class="sh">"</span> <span class="k">class</span> <span class="nc">DotGhostDiscovery</span><span class="p">(</span><span class="n">QThread</span><span class="p">):</span> <span class="n">peer_found</span> <span class="o">=</span> <span class="nf">pyqtSignal</span><span class="p">(</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">,</span> <span class="nb">int</span><span class="p">)</span> <span class="c1"># node_id, name, ip, port </span> <span class="n">peer_lost</span> <span class="o">=</span> <span class="nf">pyqtSignal</span><span class="p">(</span><span class="nb">str</span><span class="p">)</span> <span class="c1"># node_id </span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">node_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">device_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">port</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">node_id</span> <span class="o">=</span> <span class="n">node_id</span> <span class="n">self</span><span class="p">.</span><span class="n">device_name</span> <span class="o">=</span> <span class="n">device_name</span> <span class="n">self</span><span class="p">.</span><span class="n">port</span> <span class="o">=</span> <span class="n">port</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">run</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span> <span class="o">=</span> <span class="nc">Zeroconf</span><span class="p">(</span><span class="n">ip_version</span><span class="o">=</span><span class="n">IPVersion</span><span class="p">.</span><span class="n">V4Only</span><span class="p">)</span> <span class="n">properties</span> <span class="o">=</span> <span class="p">{</span> <span class="sa">b</span><span class="sh">'</span><span class="s">node_id</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">node_id</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="sa">b</span><span class="sh">'</span><span class="s">device_name</span><span class="sh">'</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">device_name</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">),</span> <span class="sa">b</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">:</span> <span class="sa">b</span><span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="p">,</span> <span class="p">}</span> <span class="n">instance_name</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">node_id</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">_SERVICE_TYPE</span><span class="si">}</span><span class="sh">"</span> <span class="n">self</span><span class="p">.</span><span class="n">info</span> <span class="o">=</span> <span class="nc">ServiceInfo</span><span class="p">(</span> <span class="n">type_</span><span class="o">=</span><span class="n">_SERVICE_TYPE</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="n">instance_name</span><span class="p">,</span> <span class="n">addresses</span><span class="o">=</span><span class="p">[</span><span class="n">socket</span><span class="p">.</span><span class="nf">inet_aton</span><span class="p">(</span><span class="nf">get_local_ip</span><span class="p">())],</span> <span class="n">port</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">port</span><span class="p">,</span> <span class="n">properties</span><span class="o">=</span><span class="n">properties</span><span class="p">,</span> <span class="n">server</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">node_id</span><span class="si">}</span><span class="s">.local.</span><span class="sh">"</span> <span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span><span class="p">.</span><span class="nf">register_service</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">info</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">browser</span> <span class="o">=</span> <span class="nc">ServiceBrowser</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span><span class="p">,</span> <span class="n">_SERVICE_TYPE</span><span class="p">,</span> <span class="n">self</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">exec</span><span class="p">()</span> <span class="c1"># Qt event loop keeps the thread alive </span> <span class="c1"># ── zeroconf callbacks ────────────────────────────────────── </span> <span class="k">def</span> <span class="nf">add_service</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">zc</span><span class="p">:</span> <span class="n">Zeroconf</span><span class="p">,</span> <span class="n">type_</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">info</span> <span class="o">=</span> <span class="n">zc</span><span class="p">.</span><span class="nf">get_service_info</span><span class="p">(</span><span class="n">type_</span><span class="p">,</span> <span class="n">name</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">info</span><span class="p">:</span> <span class="k">return</span> <span class="n">props</span> <span class="o">=</span> <span class="n">info</span><span class="p">.</span><span class="n">properties</span> <span class="n">node_id</span> <span class="o">=</span> <span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">node_id</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">''</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="n">dev_name</span> <span class="o">=</span> <span class="n">props</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">b</span><span class="sh">'</span><span class="s">device_name</span><span class="sh">'</span><span class="p">,</span> <span class="sa">b</span><span class="sh">'</span><span class="s">Unknown</span><span class="sh">'</span><span class="p">).</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">node_id</span> <span class="o">==</span> <span class="n">self</span><span class="p">.</span><span class="n">node_id</span><span class="p">:</span> <span class="c1"># skip self </span> <span class="k">return</span> <span class="n">ip</span> <span class="o">=</span> <span class="n">socket</span><span class="p">.</span><span class="nf">inet_ntoa</span><span class="p">(</span><span class="n">info</span><span class="p">.</span><span class="n">addresses</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> <span class="n">self</span><span class="p">.</span><span class="n">peer_found</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="n">node_id</span><span class="p">,</span> <span class="n">dev_name</span><span class="p">,</span> <span class="n">ip</span><span class="p">,</span> <span class="n">info</span><span class="p">.</span><span class="n">port</span><span class="p">)</span> <span class="k">def</span> <span class="nf">remove_service</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">zc</span><span class="p">:</span> <span class="n">Zeroconf</span><span class="p">,</span> <span class="n">type_</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">node_id</span> <span class="o">=</span> <span class="n">name</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">.</span><span class="si">{</span><span class="n">_SERVICE_TYPE</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">peer_lost</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="n">node_id</span><span class="p">)</span> <span class="k">def</span> <span class="nf">stop</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span><span class="p">.</span><span class="nf">unregister_service</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">info</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">zeroconf</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">quit</span><span class="p">()</span> </code></pre> </div> <blockquote> <p><strong>Why <code>QThread</code> and not <code>threading.Thread</code>?</strong><br> <code>peer_found</code> and <code>peer_lost</code> are <code>pyqtSignal</code>s. They cross the thread boundary safely into the main UI thread via Qt's queued connection mechanism. Using a raw Python thread here would cause a race condition against the UI.</p> </blockquote> <h2> Layer 2 — Secure Device Pairing (X25519 + PBKDF2 + AES-GCM) </h2> <p>Finding a peer is one thing. <strong>Trusting it is another.</strong></p> <p>A local network isn't inherently safe — public Wi-Fi, ARP spoofing, a compromised router. The pairing protocol defends against all of it with a three-phase handshake:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Device A Device B │ │ │ 1. Generate ephemeral X25519 key │ │ 2. Derive wrap key from PIN+salt │ │ 3. Encrypt pubkey → send ─────────►│ │ │ 4. Decrypt pubkey with PIN+salt │ │ 5. Generate ephemeral X25519 key │◄──────────────── send encrypted ────│ 6. Derive shared secret (ECDH) │ │ 7. Encrypt own pubkey → send │ 8. Derive shared secret (ECDH) │ │ 9. Discard ephemeral keys │ 9. Discard ephemeral keys │ │ │ Shared Secret stored in DB │ </code></pre> </div> <p>The PIN is a 6-digit out-of-band value shown on both screens — a human-verified channel that breaks any MITM attempt. Even if an attacker intercepts the traffic, they can't decrypt the public keys without the PIN.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># core/pairing.py </span><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">hashes</span><span class="p">,</span> <span class="n">serialization</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.asymmetric</span> <span class="kn">import</span> <span class="n">x25519</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.kdf.pbkdf2</span> <span class="kn">import</span> <span class="n">PBKDF2HMAC</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.ciphers.aead</span> <span class="kn">import</span> <span class="n">AESGCM</span> <span class="n">_KDF_ITERATIONS</span> <span class="o">=</span> <span class="mi">100_000</span> <span class="c1"># OWASP minimum for PBKDF2-SHA256 </span> <span class="k">def</span> <span class="nf">derive_handshake_key</span><span class="p">(</span><span class="n">pin</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">salt</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Derive a 256-bit wrapping key from a 6-digit PIN + dynamic salt. The salt is generated fresh per-pairing session and sent in plaintext — its job is to prevent precomputed PIN dictionaries, not to be secret. </span><span class="sh">"""</span> <span class="n">kdf</span> <span class="o">=</span> <span class="nc">PBKDF2HMAC</span><span class="p">(</span> <span class="n">algorithm</span><span class="o">=</span><span class="n">hashes</span><span class="p">.</span><span class="nc">SHA256</span><span class="p">(),</span> <span class="n">length</span><span class="o">=</span><span class="mi">32</span><span class="p">,</span> <span class="n">salt</span><span class="o">=</span><span class="n">salt</span><span class="p">,</span> <span class="n">iterations</span><span class="o">=</span><span class="n">_KDF_ITERATIONS</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">kdf</span><span class="p">.</span><span class="nf">derive</span><span class="p">(</span><span class="n">pin</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">))</span> <span class="k">def</span> <span class="nf">generate_pairing_keys</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="n">x25519</span><span class="p">.</span><span class="n">X25519PrivateKey</span><span class="p">,</span> <span class="nb">bytes</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Generate a fresh ephemeral X25519 key pair. These keys live only for the duration of the handshake. </span><span class="sh">"""</span> <span class="n">private_key</span> <span class="o">=</span> <span class="n">x25519</span><span class="p">.</span><span class="n">X25519PrivateKey</span><span class="p">.</span><span class="nf">generate</span><span class="p">()</span> <span class="n">public_key_bytes</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">public_key</span><span class="p">().</span><span class="nf">public_bytes</span><span class="p">(</span> <span class="n">encoding</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">Encoding</span><span class="p">.</span><span class="n">Raw</span><span class="p">,</span> <span class="nb">format</span><span class="o">=</span><span class="n">serialization</span><span class="p">.</span><span class="n">PublicFormat</span><span class="p">.</span><span class="n">Raw</span> <span class="p">)</span> <span class="k">return</span> <span class="n">private_key</span><span class="p">,</span> <span class="n">public_key_bytes</span> <span class="k">def</span> <span class="nf">encrypt_pairing_payload</span><span class="p">(</span><span class="n">public_key_bytes</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">,</span> <span class="n">handshake_key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Encrypt the public key using the PIN-derived wrapping key. Layout: [ 12 bytes nonce | ciphertext + 16 byte GCM tag ] </span><span class="sh">"""</span> <span class="n">aesgcm</span> <span class="o">=</span> <span class="nc">AESGCM</span><span class="p">(</span><span class="n">handshake_key</span><span class="p">)</span> <span class="n">nonce</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">urandom</span><span class="p">(</span><span class="mi">12</span><span class="p">)</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">aesgcm</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">nonce</span><span class="p">,</span> <span class="n">public_key_bytes</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">nonce</span> <span class="o">+</span> <span class="n">ciphertext</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">decrypt_pairing_payload</span><span class="p">(</span><span class="n">payload</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">handshake_key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Reverse of encrypt_pairing_payload. Raises InvalidTag on wrong PIN.</span><span class="sh">"""</span> <span class="n">raw</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="n">nonce</span><span class="p">,</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">raw</span><span class="p">[:</span><span class="mi">12</span><span class="p">],</span> <span class="n">raw</span><span class="p">[</span><span class="mi">12</span><span class="p">:]</span> <span class="n">aesgcm</span> <span class="o">=</span> <span class="nc">AESGCM</span><span class="p">(</span><span class="n">handshake_key</span><span class="p">)</span> <span class="k">return</span> <span class="n">aesgcm</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span><span class="n">nonce</span><span class="p">,</span> <span class="n">ciphertext</span><span class="p">,</span> <span class="bp">None</span><span class="p">)</span> <span class="k">def</span> <span class="nf">derive_shared_secret</span><span class="p">(</span> <span class="n">private_key</span><span class="p">:</span> <span class="n">x25519</span><span class="p">.</span><span class="n">X25519PrivateKey</span><span class="p">,</span> <span class="n">peer_public_key_bytes</span><span class="p">:</span> <span class="nb">bytes</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Complete the ECDH exchange. The result is a raw 32-byte shared secret. Both sides arrive at the same value without it ever being transmitted. </span><span class="sh">"""</span> <span class="n">peer_public_key</span> <span class="o">=</span> <span class="n">x25519</span><span class="p">.</span><span class="n">X25519PublicKey</span><span class="p">.</span><span class="nf">from_public_bytes</span><span class="p">(</span><span class="n">peer_public_key_bytes</span><span class="p">)</span> <span class="k">return</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">exchange</span><span class="p">(</span><span class="n">peer_public_key</span><span class="p">)</span> </code></pre> </div> <blockquote> <p><strong>Why X25519 over RSA or classic ECDH on P-256?</strong><br> X25519 is faster, has a smaller key size (32 bytes), is immune to invalid-curve attacks by design, and is the default in TLS 1.3. It's the right choice for a constrained local protocol.</p> </blockquote> <p>Once the handshake completes, the shared secret is stored in <code>ghost.db</code> and the ephemeral private keys are immediately garbage-collected.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Storage schema for trusted peers </span><span class="sh">"""</span><span class="s"> CREATE TABLE trusted_peers ( id INTEGER PRIMARY KEY AUTOINCREMENT, node_id TEXT UNIQUE NOT NULL, device_name TEXT NOT NULL, shared_secret BLOB NOT NULL, -- raw 32 bytes from ECDH paired_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); </span><span class="sh">"""</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qq42mc6fkqdntwhx50r.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2qq42mc6fkqdntwhx50r.gif" alt="Handshake in action: Secure X25519 key exchange using a simple 6-digit PIN" width="800" height="450"></a></p> <h2> Layer 3 — The Local REST API, Rate Limiting &amp; Thread-Safe UI </h2> <p>With discovery and pairing solved, the actual sync transport is a minimal <code>HTTPServer</code> running in a background thread. It's bound to <code>0.0.0.0</code> but protected by two hard gates:</p> <p><strong>Gate 1 — Peer Identity:</strong> every <code>/api/sync</code> request must carry a <code>node_id</code> that maps to a stored trusted peer. Unknown nodes get a <code>403</code> immediately.</p> <p><strong>Gate 2 — E2EE Payload:</strong> even if someone spoofs a <code>node_id</code>, they can't forge a valid AES-GCM ciphertext without the shared secret. Wrong key = <code>InvalidTag</code> exception = instant drop.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># core/api_server.py </span><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">time</span> <span class="kn">import</span> <span class="n">urllib.parse</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="kn">from</span> <span class="n">http.server</span> <span class="kn">import</span> <span class="n">BaseHTTPRequestHandler</span><span class="p">,</span> <span class="n">HTTPServer</span> <span class="kn">from</span> <span class="n">threading</span> <span class="kn">import</span> <span class="n">Lock</span> <span class="k">class</span> <span class="nc">_RateLimiter</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Sliding window rate limiter — 3 pairing attempts per 60s per IP.</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">max_attempts</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">3</span><span class="p">,</span> <span class="n">window</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">_attempts</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">list</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span> <span class="o">=</span> <span class="nc">Lock</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nb">max</span> <span class="o">=</span> <span class="n">max_attempts</span> <span class="n">self</span><span class="p">.</span><span class="n">window</span> <span class="o">=</span> <span class="n">window</span> <span class="k">def</span> <span class="nf">is_allowed</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ip</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="n">_lock</span><span class="p">:</span> <span class="c1"># drop timestamps outside the window </span> <span class="n">self</span><span class="p">.</span><span class="n">_attempts</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span> <span class="n">t</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_attempts</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">t</span> <span class="o">&lt;</span> <span class="n">self</span><span class="p">.</span><span class="n">window</span> <span class="p">]</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_attempts</span><span class="p">[</span><span class="n">ip</span><span class="p">])</span> <span class="o">&gt;=</span> <span class="n">self</span><span class="p">.</span><span class="nb">max</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">self</span><span class="p">.</span><span class="n">_attempts</span><span class="p">[</span><span class="n">ip</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">now</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="n">_rate_limiter</span> <span class="o">=</span> <span class="nf">_RateLimiter</span><span class="p">()</span> <span class="k">class</span> <span class="nc">GhostAPIHandler</span><span class="p">(</span><span class="n">BaseHTTPRequestHandler</span><span class="p">):</span> <span class="k">def</span> <span class="nf">log_message</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="nb">format</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># silence default HTTP logs </span> <span class="k">def</span> <span class="nf">_send_response</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">code</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">body</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">body</span><span class="p">).</span><span class="nf">encode</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_response</span><span class="p">(</span><span class="n">code</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">send_header</span><span class="p">(</span><span class="sh">"</span><span class="s">Content-Length</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">payload</span><span class="p">)))</span> <span class="n">self</span><span class="p">.</span><span class="nf">end_headers</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">wfile</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">def</span> <span class="nf">do_POST</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">parsed</span> <span class="o">=</span> <span class="n">urllib</span><span class="p">.</span><span class="n">parse</span><span class="p">.</span><span class="nf">urlparse</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">path</span><span class="p">)</span> <span class="n">client_ip</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">client_address</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="c1"># ── /api/pair — pairing PIN exchange ────────────────────── </span> <span class="k">if</span> <span class="n">parsed</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">'</span><span class="s">/api/pair</span><span class="sh">'</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">_rate_limiter</span><span class="p">.</span><span class="nf">is_allowed</span><span class="p">(</span><span class="n">client_ip</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="nf">_send_response</span><span class="p">(</span><span class="mi">429</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Too many pairing attempts. Try again later.</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="c1"># ... PIN verification and key exchange logic </span> <span class="n">self</span><span class="p">.</span><span class="nf">_send_response</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">paired</span><span class="sh">"</span><span class="p">})</span> <span class="k">return</span> <span class="c1"># ── /api/sync — incoming E2EE clipboard item ─────────────── </span> <span class="k">if</span> <span class="n">parsed</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">'</span><span class="s">/api/sync</span><span class="sh">'</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">rfile</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="nf">int</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">Content-Length</span><span class="sh">'</span><span class="p">,</span> <span class="mi">0</span><span class="p">)))</span> <span class="n">data</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">peer_node_id</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">node_id</span><span class="sh">"</span><span class="p">)</span> <span class="n">peer</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nf">get_trusted_peer</span><span class="p">(</span><span class="n">peer_node_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">peer</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">_send_response</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Untrusted peer</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="k">try</span><span class="p">:</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="nf">decrypt_from_peer</span><span class="p">(</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">payload</span><span class="sh">"</span><span class="p">),</span> <span class="n">peer</span><span class="p">[</span><span class="sh">"</span><span class="s">shared_secret</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="c1"># Wrong key or tampered payload — silent drop </span> <span class="n">self</span><span class="p">.</span><span class="nf">_send_response</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Decryption failed</span><span class="sh">"</span> <span class="p">})</span> <span class="k">return</span> <span class="n">item_id</span> <span class="o">=</span> <span class="n">storage</span><span class="p">.</span><span class="nf">add_item</span><span class="p">(</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">,</span> <span class="n">plaintext</span><span class="p">)</span> <span class="c1"># Cross-thread UI update via Qt signal — safe from any thread </span> <span class="n">self</span><span class="p">.</span><span class="n">server</span><span class="p">.</span><span class="n">qthread_parent</span><span class="p">.</span><span class="n">sync_received</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="n">item_id</span><span class="p">,</span> <span class="n">plaintext</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_send_response</span><span class="p">(</span><span class="mi">201</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">synced</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <blockquote> <p><strong>Why <code>HTTPServer</code> over WebSockets or raw TCP?</strong><br> HTTP gives request/response semantics for free, works through most firewalls, and is trivially testable with <code>curl</code>. The overhead is negligible for clipboard payloads. When v3.x arrives, the transport will be upgraded to WebRTC for true NAT-piercing P2P.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1j647dsat4iwk921o6us.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1j647dsat4iwk921o6us.gif" alt="The Nexus Update Notifier: Keeping all nodes aligned with the latest security patches" width="800" height="450"></a></p> <h2> The Full Sync Flow — End to End </h2> <p>Here's what happens when you copy something on Device A and it appears on Device B:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Device A (sender) Device B (receiver) ───────────────── ──────────────────── 1. User copies text 2. ClipboardMonitor detects change 3. Encrypt with shared_secret [ AES-256-GCM | random 12-byte nonce ] 4. POST /api/sync ──────────────────────► 5. GhostAPIHandler.do_POST() { 6. Lookup peer by node_id "node_id": "abc123", 7. Decrypt with shared_secret "payload": "&lt;base64 ciphertext&gt;" 8. storage.add_item() } 9. sync_received.emit() 10. UI updates in main thread ◄──────────────── 201 { "status": "synced" } </code></pre> </div> <p>Zero plaintext on the wire. Zero server in the middle. Zero cloud.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn51seo7d8hwjoy4eyw0.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcn51seo7d8hwjoy4eyw0.gif" alt="Zero-Trust Sync: Clipboard data moving securely across the LAN with zero plaintext exposure" width="800" height="450"></a></p> <h2> Securing the Build: GPG-Signed Releases </h2> <p>A secure app with an unsigned binary is still a supply chain risk. Every release artifact — both the <code>.AppImage</code> and the <code>.deb</code> — is GPG-signed in CI and verified before upload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/build-all.yml (signing steps)</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sign AppImage (GPG)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import --batch --yes</span> <span class="s">gpg --batch --yes --pinentry-mode loopback \</span> <span class="s">--passphrase "${{ secrets.GPG_PASSPHRASE }}" \</span> <span class="s">--detach-sign --armor \</span> <span class="s">DotGhostBoard-*.AppImage</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify AppImage signature</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">gpg --verify DotGhostBoard-*.AppImage.asc DotGhostBoard-*.AppImage</span> <span class="s">echo "✅ AppImage signature verified"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Sign DEB Package (GPG)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --import --batch --yes</span> <span class="s">dpkg-sig --sign builder \</span> <span class="s">-k "${{ secrets.GPG_KEY_ID }}" \</span> <span class="s">--gpg-options "--passphrase ${{ secrets.GPG_PASSPHRASE }} --pinentry-mode loopback --batch --yes" \</span> <span class="s">dotghostboard_*.deb</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Generate SHA256 checksums</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">cd out &amp;&amp; sha256sum * &gt; SHA256SUMS.txt</span> </code></pre> </div> <p>Users can verify any release with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify AppImage</span> gpg <span class="nt">--verify</span> DotGhostBoard-1.5.1-x86_64.AppImage.asc <span class="se">\</span> DotGhostBoard-1.5.1-x86_64.AppImage <span class="c"># Verify DEB</span> dpkg-sig <span class="nt">--verify</span> dotghostboard_1.5.1_amd64.deb <span class="c"># Verify checksum</span> <span class="nb">sha256sum</span> <span class="nt">-c</span> SHA256SUMS.txt </code></pre> </div> <h2> Lessons Learned </h2> <p><strong>mDNS is fragile on some Linux setups.</strong> If <code>avahi-daemon</code> is running and competing for port 5353, <code>zeroconf</code> will fail silently. Detect the conflict early and surface it in the UI — don't leave the user with an empty peers list and no explanation.</p> <p><strong>PyInstaller and <code>cryptography</code> need explicit hidden imports.</strong> The <code>cryptography</code> package uses dynamic loading for its backend. Without <code>--hidden-import cryptography.hazmat.primitives.asymmetric.x25519</code> and the <code>aead</code> module, the AppImage crashes at runtime with a clean <code>ImportError</code> that's impossible to debug without knowing where to look.</p> <p><strong><code>dpkg-sig</code> hangs in CI without <code>--pinentry-mode loopback</code>.</strong> It silently waits for a terminal that doesn't exist. Always pass the full GPG options explicitly in non-interactive environments.</p> <p><strong>Rate limiting shared state needs a lock.</strong> The sliding window dict is accessed from multiple HTTP handler threads simultaneously. Without a <code>threading.Lock</code>, you get a race condition under concurrent pairing attempts that's near-impossible to reproduce locally.</p> <h2> What's Next — v2.0.0 Cerberus </h2> <p>The next release is <strong>Cerberus</strong> — a Zero-Knowledge Password Vault. The AES-256 infrastructure from v1.4.0 (Eclipse) already lays the foundation. What's coming on top:</p> <ul> <li>A fully isolated <code>vault.db</code> (separate file, separate connection, locked when not in use)</li> <li>Pattern-based secret detection using Regex — JWT, AWS keys, GitHub tokens, high-entropy hex strings — <strong>not</strong> keyword matching</li> <li>Auto-clear: wipes the clipboard 30 seconds after a Vault paste</li> <li>Paranoia Mode: a toggle that suspends all DB writes temporarily</li> </ul> <p>The core design decision in Cerberus: detection happens at the <strong>shape</strong> of a string, not its meaning. A 1500-word article that mentions "password" doesn't trigger anything. A 40-character base64 string with high Shannon entropy does.</p> <h2> Download &amp; Source </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Link</th> </tr> </thead> <tbody> <tr> <td>📦 GitHub Release (AppImage + DEB + GPG sigs)</td> <td><a href="https://github.com/kareem2099/DotGhostBoard/releases/tag/v1.5.1" rel="noopener noreferrer">v1.5.1</a></td> </tr> <tr> <td>🖥️ OpenDesktop</td> <td><a href="https://www.opendesktop.org/p/2353623/" rel="noopener noreferrer">DotGhostBoard</a></td> </tr> <tr> <td>💻 Source Code</td> <td><a href="https://github.com/kareem2099/DotGhostBoard" rel="noopener noreferrer">kareem2099/DotGhostBoard</a></td> </tr> </tbody> </table></div> <p>If you find a security issue, please reach out directly before opening a public issue.</p> <p>⚠️ A Note on the current DEB Release (v1.5.1)<br> Being transparent with the community is a core value of DotSuite.</p> <p>Known Issue: In the current .deb release, some users might notice the UI defaulting to Light Mode on specific GTK-based distros (like Kali). Additionally, the update helper might trigger a Polkit permission error due to setuid restrictions in the /tmp/ directory.</p> <p>The Fix: I am already working on v1.5.2, which migrates the update path to ~/.local/state/ and forces the Fusion style engine to ensure a consistent Dark Mode experience. The fix will be live tomorrow.</p> <p>Stay tuned, and thanks for the support!</p> <p><em>DotSuite — built for the shadows</em> 👻</p> python security cryptography linux DotShare v3.1 — Toast Engine, Race Condition Fix, and Surviving Reddit's S3 Upload Pipeline freerave Mon, 13 Apr 2026 10:19:46 +0000 https://dev.to/freerave/dotshare-v31-toast-engine-race-condition-fix-and-surviving-reddits-s3-upload-pipeline-d8b https://dev.to/freerave/dotshare-v31-toast-engine-race-condition-fix-and-surviving-reddits-s3-upload-pipeline-d8b <h2> Full technical breakdown of v3.1 'The Polish Pass' — a custom WebView toast system, global loading states, per-platform character limits, and the two bugs that took the longest to kill. </h2> <p>v3.0 added the platforms. v3.1 made them feel like they belonged.</p> <p>"The Polish Pass" is the kind of release that's invisible when it works and infuriating when it doesn't. No new platforms. No headline features. Just: notifications that don't hijack your screen, buttons that tell you something is happening, character counters that actually enforce limits — and two bugs that were quietly breaking things since the beginning.</p> <p>This is the full technical breakdown.</p> <h2> What's in v3.1 </h2> <ul> <li>Custom WebView toast notification engine (replaces VS Code popups)</li> <li>Global loading states on all async actions</li> <li>Per-platform character limit validation with visual feedback</li> <li>Glassmorphism UI pass</li> <li> <strong>The Disappearing Preview race condition</strong> — fixed</li> <li> <strong>Reddit's S3 native image upload pipeline</strong> — fixed</li> <li>Reddit field name synchronization between frontend and backend</li> <li>Unused variable cleanup for ESLint compliance</li> </ul> <h2> 1. The Toast Notification Engine </h2> <p>Before v3.1, every status update used <code>vscode.window.showInformationMessage()</code> — a popup in the VS Code notification center that requires manual dismissal and breaks your flow. For an extension designed to keep you in the editor, it was wrong.</p> <p>The replacement is a custom toast system that lives entirely inside the WebView.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbwuopoy85mkx4rpm2u5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flbwuopoy85mkx4rpm2u5.png" alt="DotShare toast notifications showing success, error, warning, and info states with animated progress bars"></a></p> <h3> HTML Container </h3> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- media/webview/platform-post.html --&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"toast-container"</span> <span class="na">aria-live=</span><span class="s">"polite"</span> <span class="na">aria-atomic=</span><span class="s">"false"</span><span class="nt">&gt;&lt;/div&gt;</span> </code></pre> </div> <p>One container, fixed to the bottom-right of the WebView. Toasts mount and remove themselves.</p> <h3> The Toast Function </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// media/webview/app.ts</span> <span class="kd">type</span> <span class="nx">ToastType</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">warning</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TOAST_ICONS</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="nx">ToastType</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="na">success</span><span class="p">:</span> <span class="dl">'</span><span class="s1">✓</span><span class="dl">'</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">✕</span><span class="dl">'</span><span class="p">,</span> <span class="na">warning</span><span class="p">:</span> <span class="dl">'</span><span class="s1">⚠</span><span class="dl">'</span><span class="p">,</span> <span class="na">info</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ℹ</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">escHtml</span><span class="p">(</span><span class="nx">str</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">str</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&amp;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;amp;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&lt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;lt;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/&gt;/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;gt;</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/"/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&amp;quot;</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">toast</span><span class="p">(</span> <span class="nx">msg</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="kd">type</span><span class="p">:</span> <span class="nx">ToastType</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ms</span><span class="p">:</span> <span class="kr">number</span> <span class="o">=</span> <span class="mi">5000</span> <span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">toast-container</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">container</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">el</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nf">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">div</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="s2">`toast toast-</span><span class="p">${</span><span class="kd">type</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">el</span><span class="p">.</span><span class="nf">setAttribute</span><span class="p">(</span><span class="dl">'</span><span class="s1">role</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">alert</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">style</span><span class="p">.</span><span class="nf">setProperty</span><span class="p">(</span><span class="dl">'</span><span class="s1">--toast-duration</span><span class="dl">'</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">ms</span><span class="p">}</span><span class="s2">ms`</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="s2">` &lt;span class="toast-icon"&gt;</span><span class="p">${</span><span class="nx">TOAST_ICONS</span><span class="p">[</span><span class="kd">type</span><span class="p">]}</span><span class="s2">&lt;/span&gt; &lt;span class="toast-message"&gt;</span><span class="p">${</span><span class="nf">escHtml</span><span class="p">(</span><span class="nx">msg</span><span class="p">)}</span><span class="s2">&lt;/span&gt; &lt;div class="toast-progress"&gt;&lt;/div&gt; `</span><span class="p">;</span> <span class="nx">container</span><span class="p">.</span><span class="nf">appendChild</span><span class="p">(</span><span class="nx">el</span><span class="p">);</span> <span class="c1">// Trigger enter animation on next paint</span> <span class="nf">requestAnimationFrame</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nx">el</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">toast-visible</span><span class="dl">'</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">ms</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">el</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="dl">'</span><span class="s1">toast-visible</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">toast-exit</span><span class="dl">'</span><span class="p">);</span> <span class="nx">el</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">transitionend</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">el</span><span class="p">.</span><span class="nf">remove</span><span class="p">(),</span> <span class="p">{</span> <span class="na">once</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">},</span> <span class="nx">ms</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> CSS </h3> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* media/webview/style.css */</span> <span class="nf">#toast-container</span> <span class="p">{</span> <span class="nl">position</span><span class="p">:</span> <span class="nb">fixed</span><span class="p">;</span> <span class="nl">bottom</span><span class="p">:</span> <span class="m">1.5rem</span><span class="p">;</span> <span class="nl">right</span><span class="p">:</span> <span class="m">1.5rem</span><span class="p">;</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">flex-direction</span><span class="p">:</span> <span class="n">column</span><span class="p">;</span> <span class="py">gap</span><span class="p">:</span> <span class="m">8px</span><span class="p">;</span> <span class="nl">z-index</span><span class="p">:</span> <span class="m">9999</span><span class="p">;</span> <span class="nl">pointer-events</span><span class="p">:</span> <span class="nb">none</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.toast</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="n">flex</span><span class="p">;</span> <span class="nl">align-items</span><span class="p">:</span> <span class="nb">center</span><span class="p">;</span> <span class="py">gap</span><span class="p">:</span> <span class="m">10px</span><span class="p">;</span> <span class="nl">padding</span><span class="p">:</span> <span class="m">12px</span> <span class="m">16px</span><span class="p">;</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">8px</span><span class="p">;</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">13px</span><span class="p">;</span> <span class="nl">min-width</span><span class="p">:</span> <span class="m">260px</span><span class="p">;</span> <span class="nl">max-width</span><span class="p">:</span> <span class="m">380px</span><span class="p">;</span> <span class="nl">position</span><span class="p">:</span> <span class="nb">relative</span><span class="p">;</span> <span class="nl">overflow</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="nl">pointer-events</span><span class="p">:</span> <span class="n">all</span><span class="p">;</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">translateX</span><span class="p">(</span><span class="m">20px</span><span class="p">);</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">opacity</span> <span class="m">0.2s</span> <span class="n">ease</span><span class="p">,</span> <span class="n">transform</span> <span class="m">0.2s</span> <span class="n">ease</span><span class="p">;</span> <span class="py">backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">8px</span><span class="p">);</span> <span class="nl">-webkit-backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">8px</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.toast-visible</span> <span class="p">{</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">1</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">translateX</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.toast-exit</span> <span class="p">{</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">translateX</span><span class="p">(</span><span class="m">20px</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.toast-success</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">29</span><span class="p">,</span><span class="m">158</span><span class="p">,</span><span class="m">117</span><span class="p">,</span><span class="m">0.15</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">29</span><span class="p">,</span><span class="m">158</span><span class="p">,</span><span class="m">117</span><span class="p">,</span><span class="m">0.4</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#4ade80</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.toast-error</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">239</span><span class="p">,</span><span class="m">68</span><span class="p">,</span><span class="m">68</span><span class="p">,</span><span class="m">0.15</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">239</span><span class="p">,</span><span class="m">68</span><span class="p">,</span><span class="m">68</span><span class="p">,</span><span class="m">0.4</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#f87171</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.toast-warning</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">245</span><span class="p">,</span><span class="m">158</span><span class="p">,</span><span class="m">11</span><span class="p">,</span><span class="m">0.15</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">245</span><span class="p">,</span><span class="m">158</span><span class="p">,</span><span class="m">11</span><span class="p">,</span><span class="m">0.4</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#fbbf24</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.toast-info</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">59</span><span class="p">,</span><span class="m">130</span><span class="p">,</span><span class="m">246</span><span class="p">,</span><span class="m">0.15</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">59</span><span class="p">,</span><span class="m">130</span><span class="p">,</span><span class="m">246</span><span class="p">,</span><span class="m">0.4</span><span class="p">);</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#60a5fa</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.toast-progress</span> <span class="p">{</span> <span class="nl">position</span><span class="p">:</span> <span class="nb">absolute</span><span class="p">;</span> <span class="nl">bottom</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">left</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">height</span><span class="p">:</span> <span class="m">2px</span><span class="p">;</span> <span class="nl">width</span><span class="p">:</span> <span class="m">100%</span><span class="p">;</span> <span class="nl">background</span><span class="p">:</span> <span class="n">currentColor</span><span class="p">;</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0.4</span><span class="p">;</span> <span class="nl">animation</span><span class="p">:</span> <span class="n">toast-shrink</span> <span class="n">var</span><span class="p">(</span><span class="n">--toast-duration</span><span class="p">,</span> <span class="m">5000ms</span><span class="p">)</span> <span class="n">linear</span> <span class="n">forwards</span><span class="p">;</span> <span class="p">}</span> <span class="k">@keyframes</span> <span class="n">toast-shrink</span> <span class="p">{</span> <span class="nt">from</span> <span class="p">{</span> <span class="nl">width</span><span class="p">:</span> <span class="m">100%</span><span class="p">;</span> <span class="p">}</span> <span class="nt">to</span> <span class="p">{</span> <span class="nl">width</span><span class="p">:</span> <span class="m">0%</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Global Loading States </h2> <p>Every async button now disables itself and shows a spinner during the operation. Prevents double-submissions. Makes it obvious something is happening.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// media/webview/app.ts</span> <span class="kd">function</span> <span class="nf">setLoading</span><span class="p">(</span><span class="nx">btn</span><span class="p">:</span> <span class="nx">HTMLButtonElement</span><span class="p">,</span> <span class="nx">loading</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">,</span> <span class="nx">label</span><span class="p">?:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">loading</span><span class="p">)</span> <span class="p">{</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">dataset</span><span class="p">.</span><span class="nx">originalText</span> <span class="o">=</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">label</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">⏳ Working…</span><span class="dl">'</span><span class="p">;</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-loading</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">dataset</span><span class="p">.</span><span class="nx">originalText</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">Share</span><span class="dl">'</span><span class="p">;</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">btn</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-loading</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// On click — enter loading state</span> <span class="nx">btnShare</span><span class="p">?.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">click</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">btnShare</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nf">setLoading</span><span class="p">(</span><span class="nx">btnShare</span><span class="p">,</span> <span class="kc">true</span><span class="p">,</span> <span class="dl">'</span><span class="s1">⏳ Sharing…</span><span class="dl">'</span><span class="p">);</span> <span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">share</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">platform</span><span class="p">:</span> <span class="nx">activeCommandPlatform</span><span class="p">,</span> <span class="na">post</span><span class="p">:</span> <span class="nx">textarea</span><span class="p">?.</span><span class="nx">value</span><span class="p">.</span><span class="nf">trim</span><span class="p">(),</span> <span class="na">mediaFilePaths</span><span class="p">:</span> <span class="nx">activeMediaPaths</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// On complete — exit loading state</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">shareComplete</span><span class="dl">'</span><span class="p">:</span> <span class="k">if </span><span class="p">(</span><span class="nx">btnShare</span><span class="p">)</span> <span class="nf">setLoading</span><span class="p">(</span><span class="nx">btnShare</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="nf">resetAllComposers</span><span class="p">();</span> <span class="nf">toast</span><span class="p">(</span><span class="dl">'</span><span class="s1">Shared successfully!</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> <span class="c1">// On error — also exit loading so user can retry</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">:</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">error</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">btnShare</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="nx">btnShare</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="nf">toast</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">status</span> <span class="o">??</span> <span class="dl">''</span><span class="p">),</span> <span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> </code></pre> </div> <h2> 3. Character Limit Validation </h2> <p><code>MAX_CHARS</code> existed before v3.1 but was never wired to the UI. This release connects it to both the counter display and the share button state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9p29pc5hrwx4u0q8q9r9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9p29pc5hrwx4u0q8q9r9.png" alt="Character counter at 240/280 for X showing warning color, and over-limit state with red counter and disabled share button"></a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// media/webview/app.ts</span> <span class="kd">const</span> <span class="nx">MAX_CHARS</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">number</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="na">x</span><span class="p">:</span> <span class="mi">280</span><span class="p">,</span> <span class="na">bluesky</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">linkedin</span><span class="p">:</span> <span class="mi">3000</span><span class="p">,</span> <span class="na">telegram</span><span class="p">:</span> <span class="mi">4096</span><span class="p">,</span> <span class="na">facebook</span><span class="p">:</span> <span class="mi">63206</span><span class="p">,</span> <span class="na">discord</span><span class="p">:</span> <span class="mi">2000</span><span class="p">,</span> <span class="na">reddit</span><span class="p">:</span> <span class="mi">40000</span><span class="p">,</span> <span class="na">devto</span><span class="p">:</span> <span class="mi">100000</span><span class="p">,</span> <span class="na">medium</span><span class="p">:</span> <span class="mi">100000</span><span class="p">,</span> <span class="p">};</span> <span class="kd">function</span> <span class="nf">updateCharCounter</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">textarea</span> <span class="o">||</span> <span class="o">!</span><span class="nx">counter</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">len</span> <span class="o">=</span> <span class="nx">textarea</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">platform</span> <span class="o">=</span> <span class="nx">activeCommandPlatform</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">max</span> <span class="o">=</span> <span class="nx">MAX_CHARS</span><span class="p">[</span><span class="nx">platform</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">;</span> <span class="nx">counter</span><span class="p">.</span><span class="nx">textContent</span> <span class="o">=</span> <span class="nx">max</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">len</span><span class="p">}</span><span class="s2"> / </span><span class="p">${</span><span class="nx">max</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">len</span><span class="p">);</span> <span class="nx">counter</span><span class="p">.</span><span class="nx">className</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">compose-counter</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">max</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">len</span> <span class="o">&gt;</span> <span class="nx">max</span><span class="p">)</span> <span class="nx">counter</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">counter-error</span><span class="dl">'</span><span class="p">);</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">len</span> <span class="o">&gt;</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nx">max</span> <span class="o">*</span> <span class="mf">0.8</span><span class="p">))</span> <span class="nx">counter</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">counter-warn</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">updateShareBtn</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">btnShare</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">empty</span> <span class="o">=</span> <span class="o">!</span><span class="nx">textarea</span><span class="p">?.</span><span class="nx">value</span><span class="p">.</span><span class="nf">trim</span><span class="p">().</span><span class="nx">length</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">platform</span> <span class="o">=</span> <span class="nx">activeCommandPlatform</span> <span class="o">??</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">max</span> <span class="o">=</span> <span class="nx">MAX_CHARS</span><span class="p">[</span><span class="nx">platform</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">over</span> <span class="o">=</span> <span class="nx">max</span> <span class="p">?</span> <span class="p">(</span><span class="nx">textarea</span><span class="p">?.</span><span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">??</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&gt;</span> <span class="nx">max</span> <span class="p">:</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">btnShare</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="nx">empty</span> <span class="o">||</span> <span class="nx">over</span><span class="p">;</span> <span class="p">}</span> <span class="nx">textarea</span><span class="p">?.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">input</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">updateCharCounter</span><span class="p">();</span> <span class="nf">updateShareBtn</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.compose-counter</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="n">var</span><span class="p">(</span><span class="n">--vscode-descriptionForeground</span><span class="p">);</span> <span class="nl">font-size</span><span class="p">:</span> <span class="m">12px</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.compose-counter.counter-warn</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#f59e0b</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.compose-counter.counter-error</span> <span class="p">{</span> <span class="nl">color</span><span class="p">:</span> <span class="m">#ef4444</span><span class="p">;</span> <span class="nl">font-weight</span><span class="p">:</span> <span class="m">600</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 4. The Glassmorphism UI Pass </h2> <p>Cards and modals now use <code>backdrop-filter: blur</code> with semi-transparent fills. Depth without visual weight.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.composer-card</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.04</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.08</span><span class="p">);</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">12px</span><span class="p">;</span> <span class="py">backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">8px</span><span class="p">);</span> <span class="nl">-webkit-backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">8px</span><span class="p">);</span> <span class="nl">transition</span><span class="p">:</span> <span class="n">border-color</span> <span class="m">0.2s</span> <span class="n">ease</span><span class="p">;</span> <span class="p">}</span> <span class="nc">.composer-card</span><span class="nd">:hover</span> <span class="p">{</span> <span class="nl">border-color</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.14</span><span class="p">);</span> <span class="p">}</span> <span class="nc">.modal-content</span> <span class="p">{</span> <span class="nl">background</span><span class="p">:</span> <span class="n">rgba</span><span class="p">(</span><span class="m">30</span><span class="p">,</span> <span class="m">30</span><span class="p">,</span> <span class="m">40</span><span class="p">,</span> <span class="m">0.92</span><span class="p">);</span> <span class="nl">border</span><span class="p">:</span> <span class="m">1px</span> <span class="nb">solid</span> <span class="n">rgba</span><span class="p">(</span><span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">255</span><span class="p">,</span> <span class="m">0.1</span><span class="p">);</span> <span class="nl">border-radius</span><span class="p">:</span> <span class="m">14px</span><span class="p">;</span> <span class="py">backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">12px</span><span class="p">);</span> <span class="nl">-webkit-backdrop-filter</span><span class="p">:</span> <span class="n">blur</span><span class="p">(</span><span class="m">12px</span><span class="p">);</span> <span class="nl">animation</span><span class="p">:</span> <span class="n">modal-enter</span> <span class="m">0.2s</span> <span class="n">cubic-bezier</span><span class="p">(</span><span class="m">0.34</span><span class="p">,</span> <span class="m">1.56</span><span class="p">,</span> <span class="m">0.64</span><span class="p">,</span> <span class="m">1</span><span class="p">);</span> <span class="p">}</span> <span class="k">@keyframes</span> <span class="n">modal-enter</span> <span class="p">{</span> <span class="nt">from</span> <span class="p">{</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">0</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">scale</span><span class="p">(</span><span class="m">0.95</span><span class="p">)</span> <span class="n">translateY</span><span class="p">(</span><span class="m">8px</span><span class="p">);</span> <span class="p">}</span> <span class="nt">to</span> <span class="p">{</span> <span class="nl">opacity</span><span class="p">:</span> <span class="m">1</span><span class="p">;</span> <span class="nl">transform</span><span class="p">:</span> <span class="n">scale</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="n">translateY</span><span class="p">(</span><span class="m">0</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 5. The Disappearing Preview Race Condition </h2> <p>This was the most subtle bug. And it was hiding in plain sight.</p> <h3> The Symptom </h3> <p>Attach a file → preview appears → preview vanishes 500ms later. Every time.</p> <h3> The Root Cause </h3> <p>When a file uploaded successfully, the backend sent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">command:</span><span class="w"> </span><span class="err">'status'</span><span class="p">,</span><span class="w"> </span><span class="err">type:</span><span class="w"> </span><span class="err">'success'</span><span class="p">,</span><span class="w"> </span><span class="err">status:</span><span class="w"> </span><span class="err">'File</span><span class="w"> </span><span class="err">uploaded</span><span class="w"> </span><span class="err">successfully'</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The WebView message handler treated <em>every</em> success the same way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ BEFORE — nuked everything on any success message</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">:</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">resetAllComposers</span><span class="p">();</span> <span class="c1">// cleared activeMediaPaths + removed preview DOM</span> <span class="p">}</span> <span class="nf">toast</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">status</span><span class="p">,</span> <span class="nx">msg</span><span class="p">.</span><span class="kd">type</span><span class="p">);</span> <span class="k">break</span><span class="p">;</span> </code></pre> </div> <p><code>resetAllComposers()</code> was designed for one thing: clean up after a post is fully shared. But it was firing on file uploads, auto-saves, and every other intermediate success too.</p> <h3> The Fix </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ✅ AFTER — terminal vs intermediate distinction</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">status</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="nf">toast</span><span class="p">(</span><span class="nc">String</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">status</span> <span class="o">??</span> <span class="dl">''</span><span class="p">),</span> <span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">text</span> <span class="o">=</span> <span class="nc">String</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">status</span> <span class="o">??</span> <span class="dl">''</span><span class="p">).</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">isTerminal</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">shared</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">published</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">complete</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isIntermediate</span> <span class="o">=</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">upload</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">saved</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">text</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">processing</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">isTerminal</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">isIntermediate</span><span class="p">)</span> <span class="p">{</span> <span class="nf">resetAllComposers</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>The rule going forward:</strong> <code>resetAllComposers()</code> is terminal-only. Intermediate feedback goes to <code>toast()</code> and targeted DOM updates — never a full reset.</p> <h2> 6. Reddit's S3 Upload Pipeline </h2> <p>This was the hardest fix in v3.1. Reddit's native image upload doesn't use a standard multipart POST endpoint. It routes through Amazon S3, and the sequence has enough specific requirements that every step has its own failure mode.</p> <h3> The Full Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>POST /api/media/asset.json → receive S3 upload URL + signed fields POST to S3 URL (FormData) → upload the file bytes POST /api/submit → create the Reddit post with asset URL </code></pre> </div> <h3> Step 1 — Get S3 Credentials </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/platforms/reddit.ts</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getS3UploadUrl</span><span class="p">(</span> <span class="nx">accessToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">filePath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">mimeType</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">uploadUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">fields</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">assetUrl</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://oauth.reddit.com/api/media/asset.json</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">filepath</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">basename</span><span class="p">(</span><span class="nx">filePath</span><span class="p">),</span> <span class="na">mimetype</span><span class="p">:</span> <span class="nx">mimeType</span><span class="p">,</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DotShare/3.1</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">uploadUrl</span> <span class="o">=</span> <span class="s2">`https:</span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">args</span><span class="p">.</span><span class="nx">action</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="c1">// Reddit returns fields as [{name, value}] array — convert to object</span> <span class="kd">const</span> <span class="na">fields</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">f</span> <span class="k">of</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">args</span><span class="p">.</span><span class="nx">fields</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fields</span><span class="p">[</span><span class="nx">f</span><span class="p">.</span><span class="nx">name</span><span class="p">]</span> <span class="o">=</span> <span class="nx">f</span><span class="p">.</span><span class="nx">value</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">uploadUrl</span><span class="p">,</span> <span class="nx">fields</span><span class="p">,</span> <span class="na">assetUrl</span><span class="p">:</span> <span class="s2">`https://i.redd.it/</span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">asset</span><span class="p">.</span><span class="nx">asset_id</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2 — Upload to S3 </h3> <p>Two traps here. Field order in FormData matters — S3 requires all fields before the file. And S3 requires <code>Content-Length</code> explicitly — axios doesn't set it automatically for <code>FormData</code> in Node.js.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">uploadToS3</span><span class="p">(</span> <span class="nx">uploadUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">fields</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">filePath</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">mimeType</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fileBuffer</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nx">promises</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">filePath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FormData</span><span class="p">();</span> <span class="c1">// All fields MUST come before the file — S3 policy</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">fields</span><span class="p">))</span> <span class="p">{</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span> <span class="dl">'</span><span class="s1">file</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Blob</span><span class="p">([</span><span class="nx">fileBuffer</span><span class="p">],</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">mimeType</span> <span class="p">}),</span> <span class="nx">path</span><span class="p">.</span><span class="nf">basename</span><span class="p">(</span><span class="nx">filePath</span><span class="p">)</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="nx">uploadUrl</span><span class="p">,</span> <span class="nx">formData</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Length</span><span class="dl">'</span><span class="p">:</span> <span class="nx">fileBuffer</span><span class="p">.</span><span class="nx">byteLength</span><span class="p">.</span><span class="nf">toString</span><span class="p">()</span> <span class="p">},</span> <span class="na">maxBodyLength</span><span class="p">:</span> <span class="kc">Infinity</span><span class="p">,</span> <span class="na">maxContentLength</span><span class="p">:</span> <span class="kc">Infinity</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3 — Submit the Post </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">submitRedditImagePost</span><span class="p">(</span> <span class="nx">accessToken</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">subreddit</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">title</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">assetUrl</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://oauth.reddit.com/api/submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">sr</span><span class="p">:</span> <span class="nx">subreddit</span><span class="p">,</span> <span class="na">kind</span><span class="p">:</span> <span class="dl">'</span><span class="s1">image</span><span class="dl">'</span><span class="p">,</span> <span class="na">title</span><span class="p">:</span> <span class="nx">title</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">assetUrl</span><span class="p">,</span> <span class="c1">// use asset URL, NOT the CDN URL</span> <span class="na">resubmit</span><span class="p">:</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">,</span> <span class="na">api_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">json</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/x-www-form-urlencoded</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">DotShare/3.1</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">postUrl</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">?.</span><span class="nx">json</span><span class="p">?.</span><span class="nx">data</span><span class="p">?.</span><span class="nx">url</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">postUrl</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">errors</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nx">data</span><span class="p">?.</span><span class="nx">json</span><span class="p">?.</span><span class="nx">errors</span><span class="p">;</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="nx">errors</span><span class="p">?.</span><span class="nx">length</span> <span class="p">?</span> <span class="s2">`Reddit: </span><span class="p">${</span><span class="nx">errors</span><span class="p">[</span><span class="mi">0</span><span class="p">][</span><span class="mi">1</span><span class="p">]}</span><span class="s2">`</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Reddit: no post URL in response</span><span class="dl">'</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">postUrl</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>The three traps summarized:</strong></p> <ol> <li>FormData field order — fields before file or S3 returns 403</li> <li>Missing <code>Content-Length</code> — AWS returns 400, message says "malformed body"</li> <li>CDN URL vs asset URL — <code>i.redd.it/ID</code> is unpopulated at submit time, use the S3 action URL</li> </ol> <h2> 7. Reddit Field Name Sync </h2> <p>Found this while fixing the S3 pipeline. The WebView was sending field names the backend didn't recognize — and the post text wasn't being sent at all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ BEFORE</span> <span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">shareToReddit</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">subreddit</span><span class="p">:</span> <span class="nf">val</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditSubreddit</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// ❌ handler expects 'redditSubreddit'</span> <span class="na">title</span><span class="p">:</span> <span class="nf">val</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditTitle</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// ❌ handler expects 'redditTitle'</span> <span class="na">flair</span><span class="p">:</span> <span class="p">...,</span> <span class="c1">// ❌ handler expects 'redditFlairId'</span> <span class="na">postType</span><span class="p">:</span> <span class="p">...,</span> <span class="c1">// ❌ handler expects 'redditPostType'</span> <span class="c1">// ❌ 'post' (the text) missing entirely</span> <span class="p">});</span> <span class="c1">// ✅ AFTER</span> <span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">shareToReddit</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">post</span><span class="p">:</span> <span class="nx">textarea</span><span class="p">?.</span><span class="nx">value</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="na">redditSubreddit</span><span class="p">:</span> <span class="nf">val</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditSubreddit</span><span class="dl">'</span><span class="p">),</span> <span class="na">redditTitle</span><span class="p">:</span> <span class="nf">val</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditTitle</span><span class="dl">'</span><span class="p">),</span> <span class="na">redditFlairId</span><span class="p">:</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLSelectElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditFlair</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">value</span> <span class="o">??</span> <span class="dl">''</span><span class="p">,</span> <span class="na">redditPostType</span><span class="p">:</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="o">&lt;</span><span class="nx">HTMLInputElement</span><span class="o">&gt;</span><span class="p">(</span> <span class="dl">'</span><span class="s1">input[name="redditPostType"]:checked</span><span class="dl">'</span> <span class="p">)?.</span><span class="nx">value</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">self</span><span class="dl">'</span><span class="p">,</span> <span class="na">redditSpoiler</span><span class="p">:</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLInputElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">redditSpoiler</span><span class="dl">'</span><span class="p">)?.</span><span class="nx">checked</span> <span class="o">??</span> <span class="kc">false</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> 8. Unused Variable Cleanup </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ BEFORE</span> <span class="kd">const</span> <span class="nx">btnShare</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-share</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">btnGenerate</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-generate-ai</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">btnSchedule</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-schedule</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// never used → ESLint error</span> <span class="kd">const</span> <span class="nx">btnMedia</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-attach-media</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ✅ AFTER</span> <span class="kd">const</span> <span class="nx">btnShare</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-share</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">btnGenerate</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-generate-ai</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">btnMedia</span> <span class="o">=</span> <span class="kd">get</span><span class="o">&lt;</span><span class="nx">HTMLButtonElement</span><span class="o">&gt;</span><span class="p">(</span><span class="dl">'</span><span class="s1">btn-attach-media</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Scheduling stays in the HTML as a disabled "Coming Soon" button — listener is commented out pending v3.2.</p> <h2> v3.1 Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Status feedback</td> <td>VS Code popups</td> <td>Inline toast engine</td> </tr> <tr> <td>File preview</td> <td>Disappears on upload</td> <td>Stable ✅</td> </tr> <tr> <td>Character limits</td> <td>Display only</td> <td>Enforced + visual feedback</td> </tr> <tr> <td>Reddit images</td> <td>Broken (S3 errors)</td> <td>Full pipeline working ✅</td> </tr> <tr> <td>Reddit fields</td> <td>Mismatched</td> <td>Synchronized ✅</td> </tr> <tr> <td>ESLint</td> <td>1 unused var warning</td> <td>0 warnings ✅</td> </tr> </tbody> </table></div> <h3> See It in Action </h3> <p><strong>LinkedIn posting demo:</strong><br> <iframe src="https://www.youtube.com/embed/cHPtzNBK9ZY"> </iframe> </p> <p><strong>Telegram posting demo:</strong><br> <iframe src="https://www.youtube.com/embed/XpqMji5FPtI"> </iframe> </p> <p><strong>Bluesky posting demo:</strong><br> <iframe src="https://www.youtube.com/embed/R3ZJqlyOZbM"> </iframe> </p> <h2> Install DotShare </h2> <p><a href="https://marketplace.visualstudio.com/items?itemName=FreeRave.dotshare" rel="noopener noreferrer">VS Code Marketplace</a></p> <p><a href="https://open-vsx.org/extension/freerave/dotshare" rel="noopener noreferrer">Open VSX (VSCodium / Gitpod</a></p> <p><a href="https://github.com/kareem2099/DotShare" rel="noopener noreferrer">GitHub — star, fork, contribute</a></p> <p>v3.2 "The Media Expansion" — up to 4 images per post, per-thumbnail previews, JIT compression, secure WebView URIs — breakdown coming next.</p> vscode typescript debugging webdev