Shellsharks Blogroll - BlogFlock

Update #2 on the Framework Saga - Kev Quirk

2026-04-27T13:41:00.000Z

In case you hadn't heard (it's all I've been going on about for a couple weeks, so you probably have heard - sorry) I spilled coffee on my Framework 13, then after lots of testing and cleaning, I confirmed that the main board was dead.

The new main board was delivered this morning, so I went ahead and got it fitted to the chassis. Problem is, I'd pissed about the partitions on the 2TB NVMe so I could dump my install on the 1TB NVMe in my new ThinkPad T480. I tried booting up and fixing the 2TB NVMe, but it was screwed, so I cut my losses and went for a re-install of Ubuntu 24.04 instead.

I'm aware that Ubuntu 26.04 LTS has been released, but I prefer to wait for the first point release before upgrading.

After 10 minutes or so, the plucky little Framework was alive!

So I spent most of the day (on my day off) configuring the fresh Ubuntu install back to how I had it before. Luckily the ThinkPad is working great, so I could use that as a reference to get everything pretty much exactly the same. After 3 or so hours work, we're back up and running with all my apps, data, and config restored.

Another issue

While setting up the laptop, I noticed that there was an issue with the screen. At first I thought it was just some residue from coffee-gate, but on closer inspection it looks like the bottom corner has somehow de-laminated.

I know this wasn't caused by the coffee spillage, as the stain would be brown. Plus the laptop would smell. I'm wondering if it's some isopropyl alcohol, or contact cleaner, from when I cleaned it out.

The only other explanation is that it has de-laminated due to the heat in the conservatory, but I doubt it. It doesn't get that hot in there, and it's only April.

This is the second problem I've had with screens on the Framework. The bottom of the screen de-laminated just a week after I got the laptop. I thought it was a fluke, and Framework support sent me a replacement immediately, but this has me thinking that the screens just aren't that good.

Can anyone else who has a Framework 13 confirm if they've had issues with the 2880x1920 display?

Final thoughts

Anyway, this is the last update in the saga. For all intents and purposes the Framework is now repaired. I'm waiting to hear back from Framework support to see if they have any recommendations, but if not, I'll probably have to buy a new screen too.

It's lovely to be back typing this post on the Framework. I've really missed this laptop, and the typing experience.

Geez this has been one expensive mistake! Take note, people - if you drink coffee around your computers, keep a lid on the cup!

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

All You Fascists (Bound to Lose) - Werd I/O

2026-04-27T13:39:32.000Z

I've had "All You Fascists (Bound to Lose)" in my song rotation for a little while – for, you know, reasons.

Bette Midler's getting some coverage for her cover, so I thought I'd round up some other versions I like very much.

To begin with, here's that Bette Midler cover:

This Resistance Revival Chorus with Rhiannon Giddens version is probably my favorite: upbeat and alive.

The Billy Bragg version with Wilco is really strong too:

Nina Hagen's father Hans was a Holocaust survivor held at Moabit, and her paternal grandparents were murdered at Sachsenhausen. This is therefore a very personal cover:

Here's Ani DiFranco with Zoe Boekbinder, Gracie and Rachel, and Diane Patterson - all artists I love:

And finally, here's the great Woody Guthrie, one of my heroes, singing the original:

Theatre Review: Hadestown ★★★★★ - Terence Eden’s Blog

2026-04-27T11:34:27.000Z

Anaïs Mitchell has created something magical. I felt like giving a standing ovation after every song. Just pure theatrical joy delivered by a cast who know how to squeeze every drop of emotion from an audience.

Perhaps it was sitting right at the front of the stalls, but the opening of Hadestown feels like dinner theatre; almost cosy in its intimacy. The first act is so busy - there are a hundred-and-one things happening on stage that it occasionally becomes overwhelming. The second act is slightly more intimate, but no less dazzling.

Having the musicians on stage lends to the feel of being in a nightclub. The stereo separation makes it easier to pick out the various musical threads and brings a lovely texture to the songs. Also, who knew a trombone could steal a show?

Lots of the cast sing in their natural accents. A roaring northern Hades versus a Mancunian Orpheus makes for quite the thrilling combination. Having subsequently listened to the Broadway cast recording, it is amazing what a positive difference it makes.

And, yes, the obligatory revolve spins the performers on a near-constant merry-go-round. When I am King of the West End, the revolve will be banned for the laze cliché that it is!

A stunning show with a killer soundtrack and a delightful set of performers.

I've written before about how the pre-show and post-show experience shapes an event. The Lyric theatre is generously sized, so plenty of space to mill about before the show, rather than being crammed into a tiny bar. The toilets weren't in too bad a condition. Once again, no set dressing in the liminal spaces. Would it have been so hard to mock up some travel posters for the eponymous station? Or have something for people to take photos with?

The themed cocktail menu was inventive but shockingly expensive, even for London prices. The programme is only a fiver and, unlike other West End shows, is full of interesting information and not just an excuse to cram in adverts - excellent value for money.

After the curtain call, we get a few more minutes with the musicians, which was delightful. On the way out there was no leaflet offering a discount on return visits (unlike Avenue Q). There is, apparently, a "Hadestown Passport" which you can get stamped every visit - although I didn't see any evidence of that.

Why Is Everything Proprietary These Days? - Kev Quirk

2026-04-26T19:21:00.000Z

After 10 years of loyal service, the motorbike jacket that I wear most often gave up the ghost recently and ripped. Being a piece of protective clothing, a rip isn't a good thing, so I've been shopping around for a replacement.

But you see, motorbike jackets are complex, heavy garments that are littered with protective pads. They used to come with back protectors too, but it was later decided that these were too expensive, so you had to buy one separately.

No problem, they're standardised so you buy a good one and it can last you decades. There's just a big void in the back of the jacket with a number of velcro patches that any back protector will cling to.

That's what I have in my old jacket, and I assumed it was still the same now.

So today I bought myself a new jacket. It cost me £380 (on sale!) but you can't put a price on safety, right? I also have protective trousers that zip to my jacket all the way around my waist.

But the zip on my new jacket isn't compatible with the zip on my old trousers (how the fuck can a ZIP be incompatible??) so I bought the matching trousers for the new jacket, costing another £300.

So now I'm £650 lighter in the bank, but I have good quality motorbike clothing that should last me another decade.

This evening I went to swap the back protector from my old jacket to the new, only to find that many manufacturers now have brand-specific pads for their clothing that sit in perfectly sculpted pockets.

The specific back protector (which is a bit of rubber with some holes in it) for my jacket is fifty fucking pounds. So now I'm at £700.

Fifty quid's worth of rubber, apparently

Fuck that. I've bought a generic (but good quality) one, and I'll cut it to size.

Vendor lock-in

Whether it's phones, social networks, communication platforms, printer ink, laptop chargers, smart home systems, games consoles, coffee machines, electric toothbrush heads, camera batteries, or fucking motorbike jacket back protectors. Nothing is interchangeable.

It seems that every day another piece of standardisation is being washed away, and we as consumers need to make our choices, invest, and stick to a brand. You can switch, but it's gonna cost ya!

It's fucking ridiculous.

Over and over again we get shafted, and there's not a single thing we can do about it. I'm so tempted to take the jacket back for a refund, but what do I do then? I need a jacket for riding. I'd be screwed.

Fuck bike jacket manufacturers that do this. Fuck vendor lock-in. Fuck. This.

</rant>

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Sustaining innovation has failed us. It's time to think more radically - Werd I/O

2026-04-25T21:05:49.000Z

Link: A Three Horizons Framework for Government Reform, by Jennifer Pahlka

Important analysis from Jennifer Pahlka, founder of Code for America, that is about government technology and services but could just as easily be about news and journalism.

She introduces the Three Horizons framework for thinking about change and building towards a shared vision of the future. Here, Horizon 1 is the status quo, Horizon 2 represents improvements to that system, and Horizon 3 represents an improved system rather than an optimized present.

There are four kinds of innovation: research, sustaining, breakthrough, and disruptive. The first two don’t lead us anywhere new on their own; they might provide extra capacity and create more headroom, but they aren’t systemic change. Any fundamental problems with the status quo probably won’t go away. In contrast, breakthrough innovation brings in fresh ideas to solve problems in a new way, and disruptive innovation creates new systemic models that serve people in new ways.

Jennifer’s point is that a lot of government reform work — including Code for America — has been sustaining or incremental at best, which has relieved some pressure but hasn’t really changed anything. The same problems persist.

Philanthropic funding has compounded the problem by funding that kind of innovation instead of more radical solutions. This, for me, is the key sentence in her piece:

“Funders need to ask not just whether an investment does good but whether it changes the conditions under which good can be done at scale.”

And there’s a finite window for more aggressive change. This has been created by the AI shift, changes in the US government, the COVID-19 pandemic, and other changes that have highlighted how poorly our current system has adapted.

In government, that need has become rather obvious, but it’s true in news too — another key part of our civic framework. (And this is also true for social media!) These same factors apply, and philanthropic funding has been similarly risk-averse, aiming for sustaining innovation that builds capacity rather than changing how everything works to serve people better. The fundamentals aren’t changing and they haven’t been serving us. We need to think much more radically, and we need to fund much more radically.

In that framework, it’s incredibly important to articulate what the more radical futures we could work towards actually are. Jennifer points out that there are multiple, potentially contradictory, possible futures — the point is not to coalesce into one agreed-upon Horizon 3 end state, but to be able to describe where any current change might be leading to. Where is this taking us, and why?

Let’s allow ourselves to imagine something better. And then, let’s finally go there.

AI is not a magic wand and it won’t fix your problems - Werd I/O

2026-04-25T18:47:10.000Z

Link: Why AI alone cannot fix social problems, by Deepak Varuvel Dennison and Aditya Vashistha in Rest of World

From the AI is a tool for people and not a replacement for them dept:

“AI is often framed as a tool for efficiency, but efficiency alone does not strengthen public systems without the underlying capacity being improved. Even when tasks are completed faster, the deeper constraints of the system do not automatically disappear. In many cases, AI ends up addressing the symptoms of these problems rather than their causes.”

If an institution — or an industry — is declining, adding AI won’t magically make it better. In the cases that these Cornell researchers highlight in this piece, there were only meaningful improvements when the underlying systems were working well and the human infrastructure around the software was well-developed.

Even beyond the lack of support for some regional needs (languages, dialects, accents) that created issues here, these systems worked best when the software was designed to support existing well-functioning human systems. If the human systems don’t work, if there isn’t human support, or if people are expected to adapt their processes to the needs of the software, the projects weren’t successful.

It isn’t a magic wand. There are important lessons here for news and other declining industries: adding software doesn’t absolve you of figuring out your underlying problems, and it will not solve them for you. It might even paper over them and make them worse.

It’s just another tool. Invest in your people.

The world is not a database - Werd I/O

2026-04-25T18:31:08.000Z

Link: The People Do Not Yearn For Automation, by Nilay Patel in The Verge

This piece is important to internalize — particularly for the terminally AI-pilled and people who might want to force everyone into using LLMs to do work they were previously doing themselves.

AI is incredibly unpopular, and it’s not because it’s bad at marketing. These are multi billion dollar companies that have attracted some of the brightest talent from across Silicon Valley across all disciplines. AI vendors are not underdogs who just need to get their message across.

Indeed:

“You can’t advertise people out of reacting to their own experiences. This is a fundamental disconnect between how tech people with software brains see the world and how regular people are living their lives.”

“Software brain” is a fantastic name for a worldview that sees everything as databases that can be controlled, normalized, and optimized. As Nilay Patel puts it: “the idea that we can force the real world to act like a computer and then have AI issue that computer instructions.” This is not a new problem that has arrived with AI: we’ve been talking about people who were very good at making software who therefore thought they were geniuses who could take on any global challenge for a very long time.

Taking human experience, which is beautifully ambiguous and nuanced and nondeterministic, and trying to fit it into a database shape, is inherently extractive. Nilay points out that it flattens people, which is totally true, but it also transfers ownership of that experience from their subjective truth into a centralized database that someone else controls, sets the standards for, and profits from.

And yes: computers should support people. People shouldn’t support computers. The idea that we’ll all be left behind if we don’t pour our experiences, information, source material, communications, creativity, and all the rest of it into a computer system is absurd and offensive. By extracting that experience, flattening it, and changing ownership of it, it inherently devalues us, the humans who were its previous custodians. It certainly devalues labor, which is a problem in itself, but it also devalues all of the frictionful, living, breathing parts of being an actual human being.

The tools are useful. I think software development has probably changed forever. But they’re not useful for everything, and they’re not going to change everything. Everything isn’t a database. And if we think the world becomes better if we turn everything into one, we probably weren’t all that excited about humanity to begin with.

You can parse an .env file as an .ini with PHP - but there's a catch - Terence Eden’s Blog

2026-04-25T11:34:15.000Z

The humble .env file is a useful and low-tech way of storing persistent environment variables. Drop the file on your server and let your PHP scripts consume it with glee.

But consume it how? There are lots of excellent parsing libraries for PHP. But isn't there a simpler way? Yes! You can use PHP's parse_ini_file() function and it works.

But…

.env and .ini have subtly different behaviour which might cause you to swear at your computer.

Let's take this example:

# This is a comment
USERNAME="edent"

Run $env = parse_ini_file( ".env" ); and you'll get back an array setting the USERNAME to be "edent". Hurrah! Works perfectly. Ship it!

But consider this:

# This is a comment
USERNAME="edent" # Don't use an @ symbol here.

It will happily tell you that the username is "edent# Don"

WTAF?

Here's the thing. The comment character for .ini is not # - it's the semicolon ;

Let me give you some other examples of things which will fuck up your parsing:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

That gets us back this PHP array:

[
  '# Documentation at https:/example.com/?doc' => '123',
  'DOCUMENTATION' => '123',
  'PASSWORD' => 'qwerty',
];

When the .ini is parsed, it ignores every line which doesn't have an = sign. It also treats literal semicolons as the start of a new comment until they're wrapped in quotes.

My code highlighter should show you how it is parsed:

# Documentation at https:/example.com/?doc=123
DOCUMENTATION=123
# Set the password
PASSWORD=qwerty;789

It gets worse. Consider this:

# Set the "official" name
REALNAME="Arthur, King of the Britons"

That immediately fails with PHP Warning: syntax error, unexpected '"' in envtest on line 1

You can use single quotes in pseudo-comments just fine, but if the ini parser sees a double quote without an equals then it throws a wobbly.

I'm sure there are several other gotchas as well. For example, there are certain reserved words and symbols you can't used as a key.

This will fail:

# Can we fix it? Yes we can!
FIX=true

It chokes on the exclamation point.

How to solve it (the stupid way)

The comments on an .env file start with a hash.

The comments on an .ini file start with a semicolon.

So, it is perfectly valid for a hybrid file to have its comments start with #;

Look, if it's stupid but it works…

What Have We Learned Here Today?

There's a right way and a wrong way to do .env parsing.
The wrong way works, up until the point it doesn't.
You should probably use a proper parser rather than hoping your .env looks enough like an .ini to pass muster.

On next week's show - why you shouldn't store your passwords inside a JPEG!

ThinkPad T480 Initial Thoughts - Kev Quirk

2026-04-25T10:48:00.000Z

Since my Framework had a coffee bath, I've been using a ThinkPad T480 that I picked up from eBay for £285 ($385).

This has been my main laptop for a few days now, and I have some thoughts, so I thought I'd share them since I've read mixed reviews on these plucky little laptops - everything from:

They're the best laptops in the world, EVARRRRR!

To:

They're overrated and overpriced - stop buying them!

My opinion is that the T480 is somewhere in the middle of these 2 opinions. Let's just in...

Price and condition

Like I said, I paid £285 for this laptop, which was listed as very good condition - refurbished". And I agree - the condition of the laptop is very good, especially considering it's been a corporate laptop and is 8 years old at this point.

It came with a 14" 1080p screen, 16GB RAM, a Core I5-8250U CPU (4 core, 8 thread @ 3.4GHz), a 256GB NVMe, and Windows 11 (which was promptly removed). I had a 1TB NVMe lying around, so I upgraded that first, and I've also bought a 32GB RAM upgrade costing an additional £70 ($95).

The RAM upgrade hasn't been delivered yet, so these thoughts are based on 16GB RAM.

My T480 (yes, those stickers needs to go)

Design and functionality

This laptop has bezels for days compared to my Framework, but that's to be expected. It's an old, utilitarian laptop - that didn't stop me getting a bit of a shock when I first cracked it open though. Now I've been using it a few days, the bezels don't bother me though.

I've always liked ThinkPad keyboards, and this is no exception. It works great, and has lots of travel on the keys, which I always appreciate. It's not as nice as the keyboard on my Framework, but I think that's the best keyboard I've ever used, Macbook included.

I'm not a fan of the textured finish that's all over this laptop though. It's on the case, on the keyboard, the trackpad, everywhere. It's like a slightly rubberised, gritty finish. It doesn't impact the functionality of the laptop, I'm just not a big fan of it.

The keyboard is backlit too, which I appreciate.

Battery and performance

Honestly, I was expecting the battery to be crap on the T480, being second-hand. But I was so wrong! It came with an extended battery fitted, and on checking it over, it's only had 2 charge cycles, so it brand new.

The battery will last all day, no problem at all. The other day I ran it for an entire working day, and at 15:00 it still had 61% charge left, with Ubuntu reporting another 6.5 hours of use remaining. That's incredible, in my opinion.

Ubuntu runs perfectly on this - all drivers were discovered fine, and I managed to get the fingerprint reader working with just a little bit of DuckDuckGo-fu.

Performance is good too. Everything feels snappy with no lag. Obviously it's not instant like on my Framework, but that thing is a powerhouse. Having said that, I could see myself using the T48 long-term without issue.

I'm currently running Firefox, Spotify, Obsidian, VSCodium, and a few other bits. Here's how the Ubuntu System Monitor looks:

So I'm using about half my RAM, and between 20-40% of the CPU. I don't need to upgrade the RAM, but it's nice to have the extra overhead in case I ever do need it.

I'm not much of a gamer, but the T480 will consistently run Minecraft at 40ish FPS, which is fine, and honestly better than I expected.

Final thoughts

Overall I think the T480 was good value for money. It's in really good condition, performs well, and is almost as repairable as my Framework. I think this laptop still has years of life left in it, so will it sit in a drawer once the Framework is repaired?

No, that would be a waste of both money, and a perfectly good laptop. My wife is currently using a 2014 X1 Carbon that I used for many years before switching to the Macbook M1 Air. The X1 is still going strong, but it's starting to struggle in its old age. Not to mention that my wife is still running Windows 10 on it!

So once the Framework is repaired, I'll be giving this laptop to my wife where it should continue to provide solid service for years to come, all while being a nice upgrade for her. The X1 will get the latest version of Ubuntu installed on it, and will be put out to pasture as the spare laptop for the household.

If you're on the fence about picking a T480 up, I'd say go for it. While they're no powerhouse, and won't win any beauty awards, they're a solid workhorse that still have many years of service left in them.

I'm very happy with my purchase.

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

Craft and Artistry - Hey, it's Jason!

2026-04-25T00:00:00.000Z

That time I went to a show in Japan by one of my favorite artists! 😱

Notable links: April 24, 2026 - Werd I/O

2026-04-24T13:32:23.000Z

Most Fridays, I share a handful of pieces that caught my eye at the intersection of technology, media, and society.

Did I miss something important? Send me an email to let me know.

The Technological Republic, in brief

Palantir CEO Alex Karp wrote a book last year called the Technological Republic, but perhaps because it didn’t have the impact he hoped, the company posted a tweet thread (and LinkedIn post, etc) that summarizes its core points. Which are, to be clear, an argument for hard-right nationalism — complete with remilitarization and implied cultural hierarchy — and fusing Silicon Valley with the national security state.

In Karp’s world, Silicon Valley innovators have an obligation to build weapons through a kind of moral debt to the country. He also wants to see Germany and Japan re-militarized, escalating tensions that will see his company make more money through those arms sales — particularly as his manifesto declares that AI weapons, exactly of the kind he happens to sell, are an inevitable future of military action.

He says we should be more tolerant of billionaires and scrutinize their private lives less, while being less tolerant of other cultures. He declares that no nation has advanced progressive values more than the US (a tough sell in itself), but then recites a litany of anti-progressive ideas. He takes time to defend Elon Musk by name.

He also furthers the idea that people who further progressive ideas are some kind of “elite”, instead of what they actually are: people from all slices of life, including working class unions, who want to have a more inclusive, more peaceful society.

Bellingcat founder Eliot Higgins has a great Bluesky thread that lays out the issues plainly:

“Point 21 is the giveaway, some cultures produce "wonders," others are "regressive and harmful." Once you accept that hierarchy, you've quietly been given permission to apply different standards of verification to different actors. The form of verification stays, but the democratic function doesn’t.

This is what verification looks like once national identity sits above method. Rigorous when it's pointed at adversaries, conveniently absent when it's pointed at us. Symmetric, evidence-led investigation of allied conduct, exactly what Bellingcat does, becomes the thing the worldview can't tolerate”

In short, I find this offensive, often contradictory, and terrifying in equal measure. It makes clear that Palantir, its associates, and companies like it (Anduril, for example) are a threat to a democratic, peaceful, inclusive society. There’s no point in being cautious or pulling punches; it must be opposed.

“Data embassies” and safeguarding digital assets during wartime

Among the targets in the war between Iran and the US have been data centers. AWS was hit by drones, and Iran has threatened to target US tech. This piece makes the point that these buildings don’t just store vast amounts of civilian customer data: increasingly, they store military data, too. That make them an even more attractive target and makes the security consequences of an attack that much worse.

Meanwhile, data centers — including here in Pennsylvania, where I live, as well as Chile, India, and many other places around the world — have been the cause of significant objections from local populations. They push energy costs up, have a serious environmental footprint, and can even change the local climate.

So why have these giant megascale data centers at all?

““It’s very possible that we see a move away from hyperscalers to small data centers for greater safety,” [Viktor Mayer-Schoenberger, professor of internet governance and regulation at the University of Oxford] said. “Lots of small data centers with randomly distributed backup copies of data are more resilient – but harder and more complex to build, more costly to maintain, and less effective, as data needs to be kept up to date not just in one or two centers, but in many.””

The latter half of Mayer-Schoenberger’s claim is true if we cling to the same architectures. But if we embrace more decentralization on the architectural level as a founding premise, some of these inefficiencies become less of a problem. It could even be worth it to companies like AWS to build new underlying services that make decentralization easier: abstractions that allow data to be sharded across distributed data stores, and that make secure communication between distributed nodes easier.

That’s clearly necessary if we move to smaller data centers: a smaller venue can’t simply hold a copy of all the same data as the larger ones but in more places. It also opens up the possibility for mesh application layers rather than the monolithic mainframe-style architectures we’ve mostly seen on the cloud. Behind the scenes, cloud services are a sea of proprietary micro services and components; building more distributed architectures could more easily allow each component to be built, hosted, and supported by different entities.

Regardless, the change is an interesting thing to think about, and the cause for it is sobering. What does data infrastructure look like in an increasingly antagonistic world — one with more war, accelerated climate change, and authoritarian threats? Those considerations will need to be built into the internet at a backbone level, and into its applications from the ground up.

Flare Before You Focus

Corey Ford’s advice on separating flaring and focusing is something I draw on every workday: it prevents self-editing, allows more creative ideas to flourish, and helps enforce a more rigorous creative process. But as he points out here, to encourage curiosity on your team, you’ve got to model it yourself.

I have been in this meeting so many times:

“Two people, both in Focus mode, talking across each other, each trying to prove they have the sharper analysis. Everyone in the room thinks they're having a robust debate. What they're actually having is two monologues masquerading as a conversation. […] They're asking themselves, How do I make sure everyone knows I'm smart?”

The thing is, when everyone is coming into a brainstorm with genuine curiosity, and when everyone has the right to share and ideate without the outcome being predetermined, it’s genuinely more fun. It’s certainly more inclusive. And when it’s both of those things, you get more interesting ideas. If you “yes and” those ideas and model what it looks like to build with curiosity, you get more of them. It’s a virtuous circle.

Conversely, if you’re coming in with predetermined ideas, or you set the tone of a meeting to be evaluative rather than collaborative, people won’t speak up. The output becomes monocultural. Or, at its worst, you get the kind of posturing that Corey described above: a culture where people want to be recognized for being smart rather than helping to get to the best possible outcome.

It helps to be genuinely curious; playful; maybe risk being a little bit unserious. Then people start to loosen up, and that’s when the good stuff starts coming.

The Content Management System Is Dead. Long Live the Context Management System.

I thought this demo, by Hacks / Hackers founder Burt Herman, was pretty compelling. It’s obviously a proof of concept, but it points to some interesting places journalism could go, and it opens up some new platform questions in the process.

In Burt’s vision, the reader has a profile that expresses their interests, and then the newsroom curates material that is surfaced using that lens. His demo makes that more concrete: here he’s pointed an engine at communications from New York City Mayor Mamdani’s office, and set up personas like “renter in Bushwick” and “parent in Park Slope” that are served a briefing drawn from different information depending on that persona’s particular lens. A parent in Park Slope receives more information about schools in that neighborhood; a retiree in the West Village receives information about their neighborhood but also about services that pertain to them.

You can easily imagine how this might scale up to a newsroom. An engine like this doesn’t have to be limited to source material as in Burt’s demo: it could also be journalistic investigations, interviews, and net-new content created by skilled reporters. In some ways it’s a vision for a better homepage (often among the least-visited parts of a news website) more than a redefinition of journalism itself, except in the sense that surfacing more raw material is welcome.

There are so many interesting questions to consider — many of which dovetail with ideas that have been tackled outside news for years.

For example: if a reader creates a profile, where does that live? Is it on the news website, in which case they have to create a new profile every time they read another site? Or does it live in the browser, so that the user creates their profile once and consents to share it with the various sites they read? People have been working on browser-based identity, and now identity for agentic users, for a long time. It may make sense to apply that work here.

Where should the briefing live? Is it a news website’s homepage, as I’ve surmised above, or is it actually also at the browser or news reader level, drawing not just from one newsroom, but all the newsrooms a user reads? And if it’s the latter, how does the newsroom retain credit, get compensated, and build a first-party relationship with the reader?

I also think there’s an obvious business model here: when a user has created a profile for themselves, it’s just as easy to say that they’re in the market for a car, or that they enjoy single-origin coffee beans. Then you can serve useful sponsored content (like deals) to people who actually want to buy those things, which is both significantly more valuable to an advertiser and more consensual / less adversarial for a reader. It brings newsrooms very close to the Customer Commons ideas that people like Doc Searls have been talking about for many years.

I agree with Burt’s warning here:

“For publishers and journalists who ignore this: Don't be surprised when human readers stop coming to your websites and mobile apps. Not because the journalism is bad, but because it's more efficient to send an AI agent to gather what you've published, sift out what's truly relevant to the user's own context, and reassemble it in whatever format works best for them.”

What might a version of this future that centers reader needs but does it in alignment with the newsroom’s needs and values look like? It’s a good time to start experimenting.

Launching XOXO Explore

I freaking loved XOXO, the experimental festival for independent artists and creators from the internet. I attended the first one during a fraught, stressful, often sad period of my life; I’d ripped my life up to move to the US to be nearer to my terminally ill mother. I thought I knew where my life was going, and then everything was uncertain.

And here was this joyful festival of people doing things on their own terms, in their own way. I attended with my partner at the time, who was visiting back from the UK, and we discovered Portland itself in the process. We played Johann Sebastian Joust with Dan Harmon. Ben Brown, who I had followed for years, silently sidled up at an arcade and played the 1990s X-Men cabinet game with me. We had a beer with MC Frontalot. And felt home in a way I desperately needed to.

Clearly, a ton of work went into this archive site, which contains almost every talk. (One in particular was too sensitive to record.) I’m grateful that this exists. I can relive Maggie Vail and Jesse Von Doom’s CASH Music talk; relive one of my childhood heroes, Tim Schafer, talking about his work; and see talks from years I couldn’t attend by people I am in awe of like Molly White and Erin Kissane. It’s really worth plumbing the archive; it’s all good stuff.

It can’t show me the absolutely insane Q&A with the Don’t Hug Me I’m Scared team ("...How?" "Because!"), or remind me or chatting with Cory Doctorow, or let me cuddle a baby goat again. But I can remember. And this is a lovely start.

Bonus link: here’s how I wrote about the first event at the time.

Copyright and DMCA Best Practices for Fediverse Operators

A useful guide for anyone who is running their own community space — which includes folks running Mastodon instances, Bluesky hosts, RSS services, and so on. As the author explains in the preamble, there’s the potential for “massive, unpredictable financial liability”. It’s therefore really important to find ways to limit risk.

A lot of this is common sense:

“Finally, make sure that nothing you post or advertise actively encourages copyright infringement. For example, don’t post examples of users uploading copyrighted music or video without permission, or insinuate that your server is a good place for infringing content.”

Some of it is less obvious but still important. For example, responding promptly to DMCA notices — and not ignoring them regardless of technicalities — is one place where a less-savvy operator might fall over.

It’s easy to imagine compliance as a service for these kinds of operators, baked into the platforms themselves. So if you install a Mastodon instance and you could be subject to US law (which isn’t limited to instances operating in the US), there could be an easy way to set up with a service to handle all that for you. It could sit right alongside trust and safety services that are more aligned for community safety.

In wartime, megascale data centers may make way for distributed architectures - Werd I/O

2026-04-24T13:29:18.000Z

Link: “Data embassies” and safeguarding digital assets during wartime, by Rina Chandran in Rest of World

So why have these giant megascale data centers at all?

““It’s very possible that we see a move away from hyperscalers to small data centers for greater safety,” [Viktor Mayer-Schoenberger, professor of internet governance and regulation at the University of Oxford] said. “Lots of small data centers with randomly distributed backup copies of data are more resilient – but harder and more complex to build, more costly to maintain, and less effective, as data needs to be kept up to date not just in one or two centers, but in many.””

Does Mythos mean you need to shut down your Open Source repositories? - Terence Eden’s Blog

2026-04-24T11:34:30.000Z

Much Sturm und Drang in the world of Open Source with the announcement that the "Mythos" AI is now the ultimate hacker and is poised to unleash havoc on every code base.

So should you close all your Open Source projects to make them safe?

No.

Firstly, all your Open Source code has already been slurped up.

It was all ingested for "training purposes" years ago. If it was moderately interesting then it was backed-up by a digital hoarder. It has been archived by various digital libraries. Anyone who wants to do research on your code base can.

Closing now doesn't meaningfully protect you.

Secondly, most of the security holes in your systems are probably not in your code. Vulnerabilities exist throughout your supply chain. All the dependencies - your OS, libraries, and even hardware - are all richer targets for hackers. Finding a CVE in a popular library is almost certainly more worthwhile than investigating your Open Source code.

The bigger risk comes not from subtle logic bugs but from phishers, poor password hygiene, and insider threats. Securing your existing systems provides more protection than rushing to close-source your code.

Finally, closing the source of something doesn't protect you. These new AI models can easily investigate and your closed source systems and potentially penetrate them. It has always been possible to analyse websites and binaries. AI doesn't change that - although it might accelerate it.

Open Source does have risks but AI doesn't upend decades of evidence that closed-source is just as vulnerable to attackers.

In cases where the state creates code using public money, it has a responsibly to share that code. Automated threat analysis - even by hypercapabe AI - doesn't change that.

I would strongly recommend reading the UK's AI Safety Institute's evaluation of Claude Mythos Preview’s cyber capabilities and the NCSC's advice. Neither of them recommend closing down Open Source code.

XOXO Explore is fitting showcase for a brilliant experiment - Werd I/O

2026-04-24T01:44:35.000Z

Link: Launching XOXO Explore, by the Andys

Bonus link: here’s how I wrote about it at the time.

Budget friendly tech isn't what it used to be - Joel's Log Files

2026-04-23T23:26:26.000Z

Apple and affordability

A €700 laptop is not cheap, a €700 phone is not cheap. My iPhone SE from 2022 cost €500 and it wasn't cheap either given what it had to offer. The price may be lower in comparison with other products from the brand and the prices of modern technology—which are madness. They may offer a good value for the money. That seems to be the case for this laptop. But it is not cheap.

Read the Full Post by Adrián Perales on adrianperales.com

I saw this post (originally in Spanish, title and quote translated by me) which dealt with something that I used to think a lot more, but sort of accepted given my current situation, but the more I thought about it, I kind of hate it.

Back in the day, I used to watch phone reviews that recommended budget friendly devices. Stuff like the Redmi 4A and 5A were the kings of low-budget gadgets, at a price around $100 bucks. That was the first phone I ever paid for, and 18-year-old me only had half of that money, my dad to paid the rest, and even that was too much for him. He wasn’t being greedy, but my previous phone still worked, so it was not a necessary purchase.

The flagship smartphones at the time? $500 bucks or so, the base iPhone 7? $650 USD, the one with 256 GB of storage? $969 USD. We both know storage wasn’t worth that much, but even then the Apple markup was acting up. The high tier was expensive, and it still is. Like Adrian, I am extremely surprised when I see people saying the Macbook Neo is “budget-friendly.”

I’ve said before how I am often disconnected from my own culture, as a Latino who mostly interacts with American/English-speaking communities online and watches video reviews from people living there.

The people in my country who buy a Macbook Neo are either part of the upper class—or in debt. After all, owning an Apple device is a status symbol, for some reason, and even those who can’t afford it what those bragging rights.

The average person where I live has a two or three year old device that they got used from Facebook Marketplace, a chinese device from Oppo, Poco, Honor, Xiaomi or maybe Motorola. People will buy the flagship devices from these brands and think they are expensive and great quality. And yeah, they often have much better feature than Apple or Samsung products, even if riddled with tracking and advertising.

Alas, such brands are at a price people are actually willing to pay, as much as I don’t like it.

I’ve bought devices and things from China and chinese websites. Let’s talk the Miyoo Mini Plus, the Anbernic RG35XX SP, The Miyoo Mini Flip and the XTEINK X4, and all of them have been at under $70 USD. All of them are extremely affordable and found for even cheaper during sales.

Some of that price may be lowered because Chinese companies overwork people or do shady business practices, but reality is that the markup of most modern tech sold from more popular brands on this side of the globe are simply off the charts. A clear middle ground with a sensible approach can’t be that hardcan right? But no, just look at the “minimalist” devices out there, all above 300, 400, 600 bucks and they are hardly worth that much, the marketing is more expensive than the hardware itself, I suspect.

I guess most big tech review channels seem to just take this for granted, 700 bucks for an Apple laptop? Very cheap, sure.

The worst is that they barely mention actually cheap stuff. Personally, I think they realized that people who watch phone reviews for a living like to see expensive stuff—that they won’t buy—more than cheap stuff—that they won’t buy anyway, so they go and make that kind of content to appease the algorithm and get more revenue. Also cheap stuff has compromises which are often negative, so brands don’t like those to be brought up, even if at the price they are justified.

The people who genuinely look for reviews for actually budget devices are usually confined to content from smaller channels or from creators from India where those devices are more popular. Nothing wrong with that, of course, it’s a similar situation to Latin America, the concept of “budget friendly” is more akin to reality, and those reviews tend to be more honest anyway.

Right now I’m thankful for my current situation, which is rather privileged—single and without any debts—allowing me the purchasing power to consider expensive tech (as long as it isn’t Apple) among my options (although I would still probably go for whatever is cheaper or has better design). Still, I’d love if we recalibrated what “value for money” actually means, and what sort of hardware is actually enough, so we can stop allowing these companies to raise prices for no reason.

This is day 56 of #100DaysToOffload

Reply to this post via email | Reply on Fediverse

Untitled - Posts feed

2026-04-23T17:16:51.000Z

The user-tailored newsroom - Werd I/O

2026-04-23T13:58:43.000Z

Link: The Content Management System Is Dead. Long Live the Context Management System., by Burt Herman at Hacks / Hackers

I thought this was a pretty compelling demo. It’s obviously a proof of concept, but it points to some interesting places journalism could go, and it opens up some new platform questions in the process.

There are so many interesting questions to consider — many of which dovetail with ideas that have been tackled outside news for years.

I agree with Burt’s warning here:

“For publishers and journalists who ignore this: Don't be surprised when human readers stop coming to your websites and mobile apps. Not because the journalism is bad, but because it's more efficient to send an AI agent to gather what you've published, sift out what's truly relevant to the user's own context, and reassemble it in whatever format works best for them.”

What might a version of this future that centers reader needs but does it in alignment with the newsroom’s needs and values look like? It’s a good time to start experimenting.

Update on My Coffee Ridden Framework 13 - Kev Quirk

2026-04-23T13:43:00.000Z

A week or so ago, I talked about how I might have killed my Framework 13 by dumping a full mug of coffee over it while it was running.

In that last post I explained how I'd stripped the laptop down and was waiting for some isopropyl alcohol (IPA) to be delivered so I could more thoroughly clean it. Well dear reader, the IPA turned up, I cleaned it as best I could, and left it for 24 hours to dry off.

The next day I came back to it, re-assembled it and hit the power button with a fair amount of trepidation.

Nothing.

I think it's dead, Jim. And I can't help thinking that turning the laptop on in haste, after the first clean is what completely screwed it. Oh well, we live and learn.

In my desperation, I contacted Framework support and explained the whole saga to see if there was anything I was missing.

There wasn't. They told me that the LED pattern I was seeing when powered on was indicative of a communication error with the board, so it's dead and needed to be replaced.

Problem is, a new board is £700 (~$950) and I didn't fancy shelling out that much money out of my own pocket, so I contacted my home insurance provider to make a claim, and to be fair they were great.

A case was logged and a couple of days later I had a payout that would cover the whole amount.

The new board and a ThinkPad

The payout from the insurance was more than the repair cost, so I decided to upgrade from my current Ryzen 7 7840, to an AI 300 series board instead - nice little upgrade!

The Framework site said it would be shipped in 5 days, and would probably be subject to delays of a further 7 days due to global freight disruptions. So I bought myself a ThinkPad T480 to see me through (which I'm typing this post on) as I couldn't bear to be on MacOS for another second.

Framework overachieved again and the board is due for delivery tomorrow (Friday 24th April 2026).

Nice!

Once the board is delivered and my beloved Framework is (hopefully) working again, this nice little ThinkPad will go to my wife as an upgrade from here 2014(!) Gen 2 X1 Carbon.

How did it die?

I've had a few people reach out telling me that they'd done something similar and their device's had survived. Unfortunately I wasn't as lucky, so what happened?

I think it's because I didn't spill the coffee on my laptop, but next to it. Then as the puddle of coffee made its way over my desk and inevitably under my laptop, the spinning fan must have sucked it up and perfectly spread the coffee all over the main board.

Thanks for that. Stupid fan. 🤣️

Had I spilled the coffee on my laptop, it would have had to make its way through the keyboard and chassis before it got to the board, by which point I would have had the laptop switched off and draining.

I can't say for sure, but that's my theory.

So anyway, wish my luck with the new board, folks!

Thanks for reading this post via RSS. RSS is ace, and so are you. ❤️

You can reply to this post by email, or leave a comment.

It pays to reward curiosity more than looking smart - Werd I/O

2026-04-23T13:28:28.000Z

Link: Flare Before You Focus, by Corey Ford at Point C

Corey’s advice on separating flaring and focusing is something I draw on every workday: it prevents self-editing, allows more creative ideas to flourish, and helps enforce a more rigorous creative process. But as he points out here, to encourage curiosity on your team, you’ve got to model it yourself.

I have been in this meeting so many times:

“Two people, both in Focus mode, talking across each other, each trying to prove they have the sharper analysis. Everyone in the room thinks they're having a robust debate. What they're actually having is two monologues masquerading as a conversation. […] They're asking themselves, How do I make sure everyone knows I'm smart?”

It helps to be genuinely curious; playful; maybe risk being a little bit unserious. Then people start to loosen up, and that’s when the good stuff starts coming.

[Link]

Trailmark turns code into graphs - Trail of Bits Blog

2026-04-23T12:00:00.000Z

We’re open-sourcing Trailmark, a library that parses source code into a queryable call graph of functions, classes, call relationships, and semantic metadata, then exposes that graph through a Python API that Claude skills can call directly. Install it now:

uv pip install trailmark

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” John Lambert’s widely cited observation about network security applies just as well to AI-assisted software analysis.

When Claude reasons about a codebase, it reasons about lists: findings from static analyzers, surviving mutants from mutation testing, and line-by-line coverage reports. But the question that actually matters is a graph question: can untrusted input reach this code, and what breaks if it’s wrong?

We built Trailmark to answer that question. It gives Claude a graph to think with instead of a list. We’re also releasing eight Claude Code skills we’ve built on top of it, designed for mutation triage, test vector generation, protocol diagramming, and more.

When lists fall short

Mutation testing is a great example of a method that benefits from graph-level reasoning. It’s one of the best ways to measure test quality. It makes small changes to your source code (e.g., swapping a < for <=, replacing + with -) and checks whether your tests catch the difference. Mutants that survive reveal gaps in your test suite that code coverage metrics might miss. The downside is that a mutation testing run on a real codebase can produce hundreds of surviving mutants of varying significance. This is very much a list.

Some surviving mutants are equivalent: the mutation doesn’t change the program’s behavior because of structural or mathematical constraints that the mutation testing tool can’t see. Some are in dead code; some are in error message formatting; some are in the finite field arithmetic that underpins every cryptographic operation in your library. A flat list of surviving mutants doesn’t tell you which is which.

We wanted to know whether Claude could use graph-level reasoning about a codebase to automatically triage surviving mutants by security relevance: which are reachable from untrusted input, which affect high-blast-radius functions, and which represent genuine gaps in security-critical code?

How Trailmark works

Trailmark uses tree-sitter for language-agnostic AST parsing and rustworkx for high-performance graph traversal. It operates in three phases:

Parse: Walk a directory, extract functions, classes, call edges, type annotations, cyclomatic complexity, and branch counts from source code.
Index: Load the resulting graph into a rustworkx PyDiGraph with bidirectional ID/index mappings for fast traversal.
Query: Answer questions: callers, callees, all paths between two nodes, attack surface enumeration, and complexity hotspots.

It currently supports 17 languages, including C, Rust, Go, Python, PHP, JavaScript, Solidity, Circom, and Miden Assembly.

The graph is the substrate. The skills are where the analysis happens.

The skills

The Trailmark plugin ships eight Claude Code skills that use the graph API as their backbone:

Skill	What it does
`trailmark`	Build and query a code graph with pre-analysis passes: blast radius, taint propagation, privilege boundaries, and entrypoint enumeration
`diagram`	Generate Mermaid diagrams from code graphs: call graphs, class hierarchies, complexity heatmaps, data flow
`crypto-protocol-diagram`	Extract protocol message flow from source code or specs (RFCs, ProVerif, Tamarin) into annotated sequence diagrams
`genotoxic`	Triage mutation testing results using graph analysis: classify surviving mutants as equivalent, missing test coverage, or fuzzing targets
`vector-forge`	Mutation-driven test vector generation: find coverage gaps via mutation testing, then generate Wycheproof-style vectors that close them
`graph-evolution`	Compare code graphs at two snapshots to surface security-relevant structural changes that text diffs miss
`mermaid-to-proverif`	Convert Mermaid sequence diagrams into ProVerif formal verification models
`audit-augmentation`	Project SARIF and weAudit findings onto code graph nodes as annotations, enabling cross-referencing of static analysis results with blast radius and taint data

Each skill calls the Trailmark Python API directly. When genotoxic triages a surviving mutant, it queries engine.paths_between to check reachability from untrusted input. When diagram generates a complexity heatmap, it calls engine.complexity_hotspots. The graph is what makes those questions answerable in seconds rather than hours of manual tracing.

Trailmark also ingests SARIF output from static analyzers and weAudit annotations, mapping external findings onto graph nodes by file and line range. This lets Claude layer static analysis results, audit notes, and mutation testing data onto a single unified graph, then query across all of them.

What Claude found

We’ve been using these skills internally on several cryptographic libraries, combining graph analysis with language-appropriate mutation testing frameworks. Here’s what the graph let Claude see that flat lists couldn’t.

Equivalent mutants are the majority in well-tested crypto

When we ran mutation testing against an Ed448 implementation in Go, 45 mutants survived out of 583 covered. A flat list of 45 surviving mutants looks like a serious test gap. But when Claude used the Trailmark call graph (332 nodes, 3,259 call edges) to triage via genotoxic, 33 of those 45 (73%) were equivalent mutants. The mutations were unobservable because the code’s mathematical structure constrained values more tightly than the explicit bounds checks that were mutated.

For example, nine surviving mutants modified boundary conditions in NAF (non-adjacent form) digit range checks. These look like real bugs in isolation. But the NAF digits are structurally bounded by the nonAdjacentForm algorithm itself: the values that would trigger the altered boundary can never appear. The graph confirmed these functions were called from specific contexts that made the mutations undetectable.

The 12 genuine gaps were concrete and actionable: a cross-package coverage gap where Go’s coverage profiling attributed execution to the calling package instead of the defining package, a 255-byte context string boundary condition that was never tested, and overflow carry paths in wide-integer parsing that required near-maximum input values that no existing test vector produced.

Architectural bottlenecks are invisible without a graph

When Claude built a Trailmark graph of libhydrogen, a compact C cryptographic library, the graph immediately highlighted something that wasn’t obvious from linearly reading the source files: the entire library funnels through a single permutation primitive, gimli_core_u8, which receives 37 direct calls. Every cryptographic operation (hashing, encryption, key exchange, signatures, and password hashing) depends on this one function.

This isn’t a bug. It’s a deliberate design choice common in lightweight crypto libraries. But it means the blast radius of a flaw in Gimli is total. The graph quantified this: a mutation in gimli_core_u8 affects 100% of the library’s security-critical functionality. Gimli was also eliminated from the NIST Lightweight Cryptography competition. Together, these facts represent the kind of architectural risk that’s invisible in a line-by-line code review. The graph makes it obvious.

Mutation testing finds what KATs can’t cover

For standardized algorithms like Ed25519 or ML-KEM, known-answer tests (KATs) and projects like Wycheproof provide test vectors that exercise edge cases. But for novel constructions (libhydrogen’s combination of Gimli and Curve25519, for instance), independent KATs don’t exist. No one has published “if you give Gimli-based AEAD this input, you should get this output” vectors, because the construction is unique to this library.

This is where mutation testing fills the gap. It doesn’t need reference implementations or published test vectors. It tests whether your tests actually constrain your code’s behavior. The surviving mutants tell you exactly which aspects of the implementation aren’t pinned down by your test suite, regardless of whether anyone else has ever tested that specific construction.

In the RustCrypto/KEMs crates (ML-KEM, X-Wing), vector-forge found that seven surviving mutants targeted NTT multiplication (mutations like replacing * with + in polynomial dot products). These survived because the test suite only exercised NTT through full KEM round-trips. The algebraic properties of NTT were never tested directly. Existing Wycheproof vectors and NIST KATs caught most higher-level issues, but the internal algebraic invariants had no direct coverage.

Three patterns that showed up everywhere

Across multiple codebases analyzed with Trailmark, the same patterns emerged:

Blast radius concentrates in arithmetic modules. In libsodium (1,597 nodes, 9,574 call edges), the ed25519_ref10 module had the highest blast radius, underpinning Ed25519 signatures, Curve25519 key exchange, Ristretto255, and X-Wing KEM. In ML-KEM, the algebra module had a blast radius of 28; every polynomial and matrix operation depended on its Elem arithmetic. Graph analysis consistently identified these modules as the highest-priority targets for thorough testing.
Codec parsers are high-value fuzzing targets that rarely get prioritized. Multiple analyses flagged hex/Base64 decoders and IP address parsers as high-complexity functions with external input exposure. libsodium’s parse_ipv6 had a cyclomatic complexity of 18; libhydrogen’s hydro_hex2bin was the most complex function in the entire library, with a cyclomatic complexity of 11. These functions are natural targets for fuzzing, and the graph confirms they’re reachable from untrusted input.
Property-based testing is sparse. Across the Rust cryptographic crates we examined, property-based testing was either absent or incomplete. The KEMs crates had zero property-based tests. Barrett reduction in ML-KEM was tested with only five points, even though exhaustive testing over all 11 million values of q = 3329 is computationally feasible. The graph’s blast radius analysis shows where property-based tests would have the greatest impact.

Connecting the graph to everything else

The graph is most useful when it serves as the connective tissue between other analysis tools. When the constant-time analysis skill flags a function, Trailmark tells Claude its blast radius. When mutation testing produces survivors, Trailmark tells Claude which ones are reachable from untrusted input. When an auditor annotates a finding in weAudit, audit-augmentation shows what else in the graph is affected.

We use this internally to write targeted fuzzing harnesses. The graph identifies high-complexity functions reachable from external input; mutation testing identifies which of those functions have test gaps; the combination tells Claude exactly where a fuzzing harness will have the highest marginal value.

Start querying your codebase

Trailmark is open source under Apache-2.0. The library is on PyPI; the skills plugin is in the same repository.

Install the library (required by the skills):

uv pip install trailmark

Add the skills to Claude Code:

/plugin marketplace add trailofbits/skills

Then select the Trailmark plugin from the menu.

You can also explore the graph directly from the CLI:

# Full JSON graph
trailmark analyze path/to/project

# Analyze a specific language
trailmark analyze --language rust path/to/project

# Complexity hotspots
trailmark analyze --complexity 10 path/to/project

Or call the Python API to build your own skills on top of the graph:

from trailmark.query.api import QueryEngine

engine = QueryEngine.from_directory("path/to/project", language="c")

# What's reachable from this entrypoint?
engine.callees_of("handle_request")

# Call paths from entrypoint to sensitive function
engine.paths_between("handle_request", "crypto_verify")

# Functions with cyclomatic complexity >= 10
engine.complexity_hotspots(10)

# Run pre-analysis (blast radius, taint, privilege boundaries)
engine.preanalysis()

The graph API is designed to be called by skills, not just humans. If you’re building Claude Code skills for security analysis, code review, or test generation, Trailmark gives you the structural substrate to ask questions that lists can’t answer.

Seventeen languages. A graph, not a list. The code is on GitHub.