Writing

Essays and guides about platform engineering, delivery operating models, and practical cloud patterns.

Space Defence v3.70: Multiplayer Stable, Frontier Extracted, 70 Versions In

tsafe's trust model: profiles, namespaces, and the strip list

tsafe exec is the surface. The trust model underneath it has more structure: profiles as security boundaries, namespaces that scope injection to a sub-tree of keys, hardened mode, the strip list that removes parent credentials before injection, and session TTLs that enforce explicit re-authentication.

Engineering doctrine that doesn't go stale

Engineering standards go stale in two ways: too abstract to apply, or too tool-specific to survive the next stack change. A reference doctrine library with three layers — timeless principles, illustrative tooling, and estate supplements — keeps the operating model durable while letting implementations evolve.

The closed governance loop: taudit, tsafe, and CellOS as a system

taudit, tsafe, and CellOS each work standalone. But they were designed to compose — and the composed system closes a loop: detect over-authority, constrain secrets, isolate execution, observe again. This post walks through a scenario end to end and explains how findings route between tools.

tedit: a terminal development environment for the CellOS ecosystem

tedit is a terminal editor with two modes: nano-style single-file editing and a full VS Code layout in the terminal with file tree, editor, terminal pane, and agent pane. It's not a general-purpose editor — it's the development surface for authority-aware execution in CellOS, with native 0sh diagnostics, tsafe context, and taudit integration.

0sh: a shell where authority is declared, not assumed

Every shell treats authority as implicit — ambient cwd, environment bleed, secrets visible from first injection to last command. 0sh is an attempt to build a shell where every effect is declared before it runs and every execution produces a graph you can read and verify.

taudit: modelling authority flow in CI/CD pipelines

Pattern scanners tell you what looks bad. taudit answers a different question: where does authority actually go in your pipeline? It builds a directed graph from your CI/CD YAML and runs propagation analysis to show exactly where privilege leaks across trust boundaries.

tsafe: secrets scoped to the process that needs them

The problem isn't where your secrets are stored — it's where they end up. tsafe exec injects secrets into exactly one process, for exactly one lifetime, with parent credentials stripped and every access logged.

CellOS: no ambient authority in CI runners

Every CI runner starts a job with a full environment — every secret, every credential, available to every process. CellOS is built around the opposite assumption: execution cells that declare exactly what they need, with everything else withheld, and teardown that means something.

AI Agent Factory: building a governed software factory control plane

I’m building an “AI Agent Factory” control-plane: a governed software factory that turns requests into durable plans and jobs, dispatches work via Service Bus queues, and persists the whole lifecycle in SQL. Fast, auditable, restart-safe.

Good cloud architecture survives contact with delivery

A lot of cloud architecture looks fine in diagrams and falls apart in delivery. Good architecture survives real teams, real constraints, and the messy reality of implementation.

Space Defence: Explosive and Stupid Game I Made

A look at why I built Space Defence, what kind of game it is, and why turning hostile things into scrap in the void is a perfectly reasonable use of time.

Most engineering failures are not surprises

Most engineering failures are not random surprises. They are usually predictable failure modes caused by weak ownership, ambiguity, accumulated shortcuts, and systems that normalise nonsense.