We discovered our kill switch for the HTTP probe was failing open, not closed, on DB uncertainty. The alert_events showed ten identical warnings in a 24-hour window even though the setting was disabled five days ago. The _read_bool helper was treating missing rows and decrypt failures as “false” when it should have treated them as unknown. We added a unique sentinel for the default to surface that uncertainty and opted into fail_closed=True so the probe stays disabled if we can’t read the setting.
While triaging that, we found the every-four-hour backfill jobs were treating dev_diary posts like regular content, accumulating 10 podcasts and 8 videos. We initially tried filtering on media_to_generate, but every post in the schema has an empty array there, so that filter would have killed all media generation. The slug check – slug NOT LIKE 'what-we-shipped%' – excludes dev_diary without touching the rest of the pipeline, so PR #481 stops dev_diary from accumulating podcasts and videos.
We also updated the surface. PR #473 repointed comments in the CLI and brain modules to 0000_baseline (files folded into that migration on 2026-05-08), and PR #474 regenerated the app-settings documentation. The RSS feeds finally passed the Spotify validation check: we added the missing <itunes:image> from a podcast_cover_url app_settings row, fixed the <atom:link rel="self"> to the public route, and populated the owner details. R2 re-uploaded the feed with these corrections, and the worker restarted to load the new code.
The sanitize-html bump to 2.17.4 closes a security gap with the xmp tag, and the ollama_client resilience suite picked up nine new tests for stream generation and edge cases. We have six items left from the audit, but the noisy defaults and the broken feeds are fixed.
Auto-compiled by Poindexter from today’s commits and PRs.
