I've got a couple Claude Code skills set up where I just copy/paste a Slack link into it and it links people relevant docs, gives them relevant troubleshooting from our logs, and a hook on the slack tools appends a Claude signature to make sure they know they weren't worth my time.

That said, there's this weird quicksand people around me get in where they just spend weeks and weeks on their AI tools and don't actually do much of anything? Like bro you burned your 5 hour CC Enterprise limit all week and committed...nothing?

My reaction was about the same.

I write a TON of one off scripts now at work. For instance, if I fight with a Splunk query for more than five minutes, I’ll just export the entire time frame in question and have GHCP (work mandates we use only GHCP) spit out a Python script that gets me what I want.

I use it with our internal MCP tools to review pull requests. It surfaces questions I didn’t think to ask about half the time.

I don’t know that it makes me more productive, but it definitely makes me more attentive. It works great for brainstorming design ideas.

The code generation isn’t entirely slop either. For the vast majority of corporate devs below Principal, it’s better than what they write and its basic CRUD code. So that’s where all the hyper productive magical claims come from. I spend most of my days lately bailing these folks out of a dead end fox hole GHCP led them into.

Unfortunately, it’s very much a huge time sink in another way. I’ve seen a pretty linear growth in M365 Copilot surfacing 5 year old word documents to managers resulting in big emails of outdated GenAI slop that would be best summarized as “I have no clue what I’m talking about and I’m going to make a terrible technical decision that we already decided against.”

[1]: https://github.com/usetrmnl/firmware/blob/e3db8c37990c2333ec...

[2]: https://docs.usetrmnl.com/go/diy/byod-s

[3]: https://docs.usetrmnl.com/go/private-api/introduction

The incentives at a state level around housing might actually balance differently because at that level economic activity, jobs, etc. matter more than property taxes. Something that isn't often mentioned, because the focus is always on California or the US, is that property values are directly tied to the overwhelming majority of municipal budgets via property taxes incurred as a percentage of that value. Not only do constituents vote for more expensive residential property, local governments want expensive residential property even if their voters didn't.

This is exactly why California has been trying to move some of this power to the state level: local governments are fighting tooth and nail to hold on to their tax revenue.

ETA: The property tax thing is more complex, but still applies. States like Florida and California cap how much tax assessments can increase for property you own that is your primary residence.

This still encourages these states to drive up property values because it tempts you into cashing out via selling. Every state with this sort of cap also immediately reassesses real estate to the price it sells at the following year. A high property value versus the tax assessment is just a deferred revenue stream, so it's a driver to encourage consistent turnover in the market. The only real way to do that is to constantly drive prices up, which drives the cost of living up, which turns over the residents faster.

So capping tax assessments like that, just makes the cycle even more viscous, in my experience living in Florida for a time.

Check fraud is massively on the rise. They don't even need a physical check, just the info. They're printing their own checks now and depositing them electronically. They also hire homeless right off the street to go in and cash the checks for them. Homeless keeps $100, the fraudsters make the rest.

If you're using checks the way you say you are, it's only a matter of time before you have to deal with swapping out bank account numbers.

Thanks!

Are you talking about the PKCE variant of authorization code flow which is what replaces implicit flows in native apps and SPAs? Because those use code_challenge and code_verifier fields, not the state field. If you're doing all that in the state field with signed nonces you really should move to PKCE.

You have scopes but even those outside of the OIDC scopes are wishy washy and meaningless outside of each implementation.

The server generates the auth code and redirects the user agent to your callback. You exchange that code with the IDP (over HTTPS which yeah that's its own nest of wormy trust) to get back a token. They can't inject a token because you don't get the token from them, just the one time code. If it's opaque you introspect it to validate or you just validate the JWT signature after pulling the keys from the JWKS endpoint. Introspection is standardized and an RFC. The state param is just a fucking session identifier.

All these URLs are defined and provided via the .well-known/openid-configuration endpoint. If your IDP publishes that endpoint correctly, most OAuth2 client libraries Just Work (TM) when pointed at the IDP domain.

Do EITHER of you even use OAuth2 outside of just cargo culting something you found off GitHub?

Along with all the scanning and what not, I think that’s the biggest reason you see attacks primarily on npm, PyPi, and to an extent Ruby Gems.

And emacs users never had a plain text editor, never claimed as such, and woe be to you if you call it such in front of them. Lol.