Generative AI for Genealogy – Part XI

Making a hash of it

I wanted anonymity for users — partly for privacy, partly to avoid the kind of “data registrar” legal paperwork that makes even seasoned CTOs consider a career in pottery. My brilliant idea was simple: store a hash of the username and a hash of the password. No plaintext. No clues. No breadcrumbs. Just two cryptographic fingerprints floating in the void. Nobody on Earth could reverse‑engineer who the account belonged to.

So off I went, feeling rather pleased with myself… and then, inevitably, regretting my detour off the beaten path.

Because here’s the truth: I don’t actually care what username people choose, as long as it’s unique. But do I trust customers? Honestly? Not even a little. Highly intelligent people — the kind who can trace a 17th‑century ancestor through six counties and three spelling variations — will still choose one of the top ten most common passwords. And since I’m the one absorbing the LLM token cost, I can’t have someone effectively hanging a sign on my front door that says:

“FREE LLM ACCESS — PLEASE COME IN AND BANKRUPT ME.”

So I added constraints. Username character rules. Minimum and maximum lengths. A password floor. And a check to ensure the password wasn’t one of the ten most obvious choices. All implemented through vibe‑coding, naturally.
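A sketch of the registration checks and hashed storage described above, added here as an illustration; it is not the author's or Codex's code. The rule values, the deny list, the use of HMAC-SHA256 for the username and PBKDF2 for the password, and all function names are assumptions, since the post names none of them.

```python
import hashlib
import hmac
import os
import re

# Assumed values: the post does not give its actual rules, list or algorithms.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{3,32}")  # character rules plus min/max length
PASSWORD_MIN = 8                                 # the "password floor"
COMMON_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty",
                    "111111", "abc123", "password1", "iloveyou", "1234567890"}  # constructed sample list
SERVER_KEY = os.urandom(32)  # assumption: in a deployment this is a stored secret, stable across restarts


def username_tag(username: str) -> str:
    """Deterministic keyed hash, so uniqueness can be checked without storing the name."""
    return hmac.new(SERVER_KEY, username.lower().encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; a bare fast hash of a weak password is quickly guessed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def register(store: dict, username: str, password: str) -> str:
    """Return "ok", or the reason the registration was refused."""
    if not USERNAME_RE.fullmatch(username.lower()):
        return "bad username"
    if len(password) < PASSWORD_MIN:
        return "password too short"
    if password.lower() in COMMON_PASSWORDS:
        return "password too common"
    tag = username_tag(username)
    if tag in store:
        return "username taken"
    salt = os.urandom(16)
    store[tag] = (salt, hash_password(password, salt))  # no plaintext name or password kept
    return "ok"


def sign_in(store: dict, username: str, password: str) -> bool:
    """Recompute both hashes and compare in constant time."""
    record = store.get(username_tag(username))
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, hash_password(password, salt))
```

The username hash has to be deterministic to enforce uniqueness, which is why it is keyed with a server secret here, while the password gets a per-user random salt.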

Codex dutifully generated a “Sign In” page. It didn’t pause to ask, “But how do users exist in the first place?” And honestly, why would it? It’s a code generator, not a philosopher.

Here’s the page it created. Several iterations later, I’d tweaked the font sizes, removed some dividers, adjusted border widths, and fiddled with background colours — but the core was all machine‑made.

When you type a question and click Ask, it calls the REST API exactly as instructed, passing the parameters I specified. It’s obedient to a fault.

When Architecture Meets Reality

There was a delay before it worked, but that one was on me. In a moment of organic, free‑range, artisanal bad coding, I had created my “agentic AI” as a static class. It made sense at the time — there was only going to be one agent, so why bother with objects or singletons? That’s perfectly fine in a fat client where one user equals one session.

But on the web? Every signed‑in user wants their own AI agent.

Oops.

Once I fixed that, things got fun. I added a language field to registration, and Codex not only wired it up but built the entire i18n layer. The app now distinguishes between US and UK English and even supports Polish. It did the translations too. I sat there blinking at the screen thinking, “Well… that’s new.”

Then I asked it to analyse the app for security issues. And it did! Well… partly. We’ll get to that shortly.

At this point I was beginning to feel a bit surplus to requirements. The AI was coding, translating, validating, and reviewing. I was mostly supervising and occasionally muttering, “No, not like that.”
