Two Birds That Read the Web for Me: One Hoards, One Scatters

I gave my second brain two agents that read the outside world and collide it against my notes. A Magpie watches my GitHub stars and only speaks when something hits live work. A Blue Jay reads a handful of RSS feeds and surfaces the distant, not-yet-relevant connection. They share a security spine — and they have deliberately opposite jobs. Here’s why the split is the whole design.

Is Anyone Knocking? A Security Pass on My Homelab

I set out to answer a simple worry — is someone trying to get into my server? — and found the scarier question underneath it: if they did, would I even know? My front door was solid. The inside had an alarm with the wires cut, a web terminal sitting on the open internet, and no floor under the blast radius. Here’s the audit, and the three things I fixed.

🚩 I Built a Usage Dashboard and Tripped Claude Fable 5's Safety Net

I asked Claude Fable 5 to help me self-host a dashboard for my own Claude usage. Halfway through, its dual-use safety measures flagged the conversation and downshifted me to Opus 4.8. Nothing I did was wrong — the request just had the shape of something that is. That gap, between what a thing looks like and what it’s for, turns out to be the whole story.

🔒 Building a PII Guardrail Proxy for Cloud LLM Calls

A local model classifies every prompt before it leaves the cluster. If it’s sensitive, it’s blocked. If it’s clean, it goes to NVIDIA NIM. 150 lines of FastAPI, deployed on k3s.

🕵️ Privacy-Preserving LLM Pipelines: Anonymize Before You Send

Replace PII with semantically realistic fakes before sending to a cloud LLM, then restore the originals from the response. Started with a general model and prompt engineering — then upgraded to a purpose-built 1.7B fine-tune via Ollama.

🔄 Someone kubectl apply'd a Hotfix Directly. How Do You Detect and Prevent It?

Manual kubectl in production is the Kubernetes equivalent of SSH’ing into a server and editing files. It works until it doesn’t, and when it doesn’t, nobody knows why.

🛡️ How Do You Prevent a Compromised Pod From Calling Your Database?

Default Kubernetes is a flat network. Every pod can reach every other pod. In a cluster with ten services, that’s ten potential blast radiuses instead of one.

🔑 Deploy to Kubernetes Without Storing Any Cluster Credentials in CI

A common interview question in 2026. If your answer is ‘kubeconfig in a CI secret’, you’re not wrong — but you’re also not getting the job.

🤫 How Do You Handle Secrets in a GitOps Repository?

GitOps says Git is the source of truth. Secrets say don’t put them in Git. These two things appear to be in direct conflict. They’re not.

📱 Building a QR Code Login for a Homelab (And Learning oauth2-proxy's Session Format the Hard Way)

My homelab uses oauth2-proxy for GitLab SSO. I wanted a QR code login for the TV dashboard. Two days and four complete rewrites later, I knew more about oauth2-proxy’s session format than I ever planned to.