// chris johnsonField notes on cybersecurity, AI-assisted development, infrastructure, and the craft of shipping things that actually work.
Get a weekly email with what I learned, summaries of new posts, and direct links. No spam, unsubscribe anytime.
Part 1 of a 2-part series on replacing the Mission Control Dashboard's SQLite-only event store with a Vector + ClickHouse log-lake on a Mac mini. This post covers the use case, the reasoning behind going custom instead of off-the-shelf, the three ingestion patterns, and the ClickHouse engine choices. Part 2 covers the implementation phases and the gotchas that almost shipped.
A red dns_bypass card on my home dashboard sat at 0.667. Closing it took two ZBF rules, a deliberately incomplete remediation on the Default subnet, and a new traffic_rules surface in the chris2ao/unifi-mcp v0.4.0 release. Here is the full walk.
A fourth-party supply-chain breach prompted Vercel to flag nine of my production credentials for rotation out of an abundance of caution. Twenty minutes after reading the disclosure I was rotating keys, and sixty minutes later I had a full audit and a hardened account. Here is how Claude Code turned a day of incident response into an hour, and why the chain that got here should change how you pick vendors.
A pairing/admin-approval privilege escalation CVE hit OpenClaw. My security agent ran a threat hunt, my builder agent implemented a Security Panel on the Mission Control dashboard, and 15 files later the system can see itself. Here is the full story.
I set up notebooklm-py as a programmatic content creation pipeline for CryptoFlex LLC, building a custom agent and skill that turns blog posts into branded infographics and slide decks with automated QA. Here is how the security review went, what the pipeline looks like, and what I learned about trusting reverse-engineered APIs.
I set up the Claude Code iMessage plugin as a proof of concept, debugged two real bugs, and discovered a fundamental security flaw that made me tear the whole thing down. Here's the full story.
How a routine search for blog content tools led to discovering critical security risks in a popular MCP server, and why I built my own secure alternative.
A technical deep-dive into rebuilding a 1990 Windows 3.1 artillery game as a modern web app with Next.js 15, Canvas 2D, Web Audio synthesis, 6 weapons, 4 terrain biomes, AI personality, and a tri-specialist security audit. From empty repo to 20-feature modernization in two sessions.
After Part 1's fortress locked itself out, I rebuilt OpenClaw incrementally: one security control at a time, with 7 agents, 6 Telegram bots, and verification after every step.
I used a team of 5 AI security agents to build a hardened OpenClaw deployment on my M4 Mac Mini. After implementing every security control imaginable, nothing worked. Here is what happened, why I did not quit, and what I planned instead.
What happens when a 5-agent security team audits a client-side browser game? 26 findings, a 'God Mode in 30 seconds' attack chain, and 4 parallel developers shipping every fix before the coffee got cold.
How a basic page-view tracker evolved into a 9-section, 26-component analytics command center with heatmaps, scroll depth tracking, bot detection, and API telemetry. Includes the reasoning behind every upgrade and enough puns to make a data scientist groan.
I tasked four AI agents with auditing my production site for OWASP vulnerabilities. They found 16 findings, fixed 6, and wrote 37 tests in under 30 minutes. Traditional pentesting may never be the same, but red teamers shouldn't worry.
How I built a subscriber-gated comment system with thumbs up/down reactions, admin moderation, and a one-time welcome email blast, including the PowerShell quirks and Vercel WAF rules that nearly blocked everything.
How I built a full newsletter system for this site with secure subscriptions, HMAC-verified unsubscribes, branded HTML emails, and a Vercel Cron that sends a weekly digest every Monday. Includes the WAF rule that broke everything and the firewall tightening that followed.
I've managed firewalls for years. When it came time to add WAF protection to my own site, I evaluated Cloudflare's free tier against Vercel's built-in WAF. Here's the comparison, the implementation, the config that broke the build, and the curl tests that proved it all works.
A security professional audits his own code: blog posts leaking private repo names, query-string secrets in browser history, SSRF vectors, and error messages handing attackers the database schema. 19 findings and the journey to fix every one.
How I built a custom analytics system with interactive visualizations, IP intelligence, and a Leaflet world map, using Next.js, Neon Postgres, and Claude Code. Includes the full Vercel Analytics integration and why custom tracking fills the gaps.