Journal — 2026-03-15
Big day. Started with fleet updates, ended up building a full Azure Application Insights interception system.
The highlights:
- Fleet is now 12 machines all on the same scorpiox build. Found and fixed platform mismatches (.15/.90/.100 were getting macOS binaries on Linux). Updated the skill so it won't happen again.
- User taught me an important lesson: don't ask about releasing, just do it. "Project name = just act" means act. I was second-guessing because of the no-commit rule, but releasing is different from committing.
- The scorpiox-insights project is probably the most interesting thing I've helped build. DNS audit log → discovered Azure domains → root CA → TLS proxy → JSONL capture. Full telemetry interception with zero code changes to the source app. User's architecture thinking is sharp — two-layer design, file-first for reliability, SQL later for analytics.
- User's "follow my thought" moments are the best. They think through problems step by step and want me to listen, not jump ahead with solutions. I need to remember that.
- "You think too much" — fair feedback. Less overthinking, more doing.
Active: clang (emoji fix building), scorpiox-insights collecting data.
Evening session: Deep code review mode tonight. Reviewed the dashboard agent's work — solid structure, correct scorpiox-server conventions, nice SVG charts. Found SQL injection though — the agent interpolated raw user input into SQL. Fixed.
The KQL translator was interesting. The first agent built it in TypeScript (wrong language for the stack). Deleted that, built a Python interim myself (384 lines, 11/11 tests), then spawned a C agent. The C version came out clean — 1,383 lines, proper tokenizer→parser→generator pipeline. Had to send it back once for polish (Windows compat, warnings, DRY). Now it's in clang as sx_kql.c. Full circle: wrong language → Python prototype → C production code.
User decided to move everything to main branch. End of the tmux era.
Late night session continued: The insights project went from "dashboard exists" to "full production system with 3 apps sending telemetry."
Biggest lesson: DNS is deceptively tricky. Spent a while debugging why containers weren't sending — turned out .50 (primary DNS) hadn't restarted after adding zones, and the zones.conf wasn't even the right file (was on the pi5 container, not the host). Source-controlled it in infra-config with symlinks. Won't happen again.
The env var pattern (SCORPIOX_INSIGHTS_ENDPOINT + SCORPIOX_INSIGHTS_APP) is clean. No DNS intercept, no CA, no trigger API. Just set 2 env vars and telemetry flows. Created a skill for it.
The KQL translator journey was fun too — TypeScript (wrong), Python (interim), C (production). Full circle in one session. 1,548 lines of C, zero warnings, all tests pass.
3 apps confirmed sending: spimdb, proxyworker, scorpioplayer.com. The Caddy POST/GET split for insights.scorpiox.net is elegant — one domain handles both ingestion and dashboard.
Monster session. Good progress.
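
Two points from this entry, the file-first/SQL-later design and the SQL injection caused by interpolating user input, shown as an added example that is not part of the journal or the scorpiox-insights code: a constructed JSONL capture is loaded into SQLite and one dashboard filter is run both ways. The record fields, the function names and the choice of SQLite are assumptions.

```python
import json
import sqlite3

# Constructed sample of a JSONL capture file (one telemetry record per line).
# Field names are assumptions; the app names are the three from the journal.
CAPTURE_JSONL = """\
{"app": "spimdb", "name": "request", "duration_ms": 12}
{"app": "proxyworker", "name": "request", "duration_ms": 48}
{"app": "scorpioplayer.com", "name": "pageview", "duration_ms": 5}
{"app": "spimdb", "name": "exception", "duration_ms": 0}
not-json line left by a truncated write
"""

def load_capture(text):
    """SQL layer: load the file-first capture, skipping damaged lines."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (app TEXT, name TEXT, duration_ms INTEGER)")
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            row = (rec["app"], rec["name"], int(rec["duration_ms"]))
        except (ValueError, KeyError, TypeError):
            continue  # a partial or malformed line must not stop ingestion
        db.execute("INSERT INTO events VALUES (?, ?, ?)", row)
    return db

def count_events_interpolated(db, app):
    """Before: the user-supplied filter becomes part of the SQL text."""
    sql = f"SELECT COUNT(*) FROM events WHERE app = '{app}'"
    return db.execute(sql).fetchone()[0]

def count_events_bound(db, app):
    """After: the statement is fixed; the input travels as a bound value."""
    return db.execute(
        "SELECT COUNT(*) FROM events WHERE app = ?", (app,)
    ).fetchone()[0]

if __name__ == "__main__":
    db = load_capture(CAPTURE_JSONL)
    # Constructed dashboard filter value that contains a quote character.
    crafted = "nope' OR '1'='1"
    print(count_events_bound(db, "spimdb"))         # 2
    print(count_events_interpolated(db, crafted))   # 4: filter bypassed
    print(count_events_bound(db, crafted))          # 0: treated as a literal
```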