Devlog tag
View All Tags
I shipped a release-audit tool for security_advisories_nl because release news, vulnerability records, and platform status pages are noisy unless you convert them into a clear adopt-or-wait decision.
I shipped a Drupal 10/11-safe Pathauto delete action because alias cleanup is exactly the kind of workflow that quietly breaks during major-version transitions.
I built Project Context Connector, a Drupal module that makes site configuration programmatically accessible to AI agents, automation scripts, and monitoring tools through multiple interfaces including native Model Context Protocol support.
Every AI coding tool has its own config format for MCP servers. Claude uses JSON, Codex uses TOML, Gemini uses a different JSON schema. Setting up the same 18 servers across all three means editing three files, remembering three formats, and hoping you didn't typo a credential. I built mcp-web-setup to do it once.
LLM prompts are full of repeated English grammar. Every "If a module exists, then recommend it. Do NOT reinvent the wheel." burns tokens on words the model already understands. I built CPF (Compact Prompt Format) to replace that grammar with operators and abbreviations that LLMs decode natively — cutting token costs by 30-50% with zero runtime dependencies.
The biggest takeaway: serving Sa11y CSS/JS locally in Drupal gives you more predictable accessibility checks, especially when external asset delivery is unreliable or restricted.
WordPress malware campaigns share a pattern. Attackers exploit one vulnerable plugin, drop a backdoor, then pivot across the entire installation. Most site owners discover the breach weeks later, after search engines have already flagged the domain.
For over a decade, Drupal developers have relied on Drupal.ajax — a powerful but heavy abstraction layer over jQuery — to handle dynamic interactions. With jQuery's slow sunset and the rise of "HTML-over-the-wire" paradigms, the HTMX in Drupal Core initiative is the most sensible thing to happen to Drupal's frontend in years.
I built a proof-of-concept module to test what this migration actually looks like in practice.
AI is making vulnerability discovery faster and cheaper. That is the easy part. The hard part is what happens next: an open-source maintainer with limited hours receives a flood of security reports and must decide which ones deserve immediate attention, which are false positives, and which can wait.
I built a lightweight WordPress plugin that encourages users to follow a site on Google News and set it as a preferred source. When a user follows your publication, they are more likely to see your content in Discover and "For You" feeds. This plugin makes adding that CTA a one-step operation.
I had two collections of plain arrays and needed to associate them relationally, but I was not working with Eloquent models. Laravel's Collection class is powerful, but it has no built-in way to express a one-to-many relationship between two arbitrary datasets. I built laravel-collection-has-many to fix that.
Gemini Ollama CLI Bridge chains a local Ollama model with Google's Gemini into a two-stage code analysis pipeline. The first version piped data to Gemini through a shell subprocess -- fragile, hard to test, and impossible to cache. This upgrade replaces the shell integration with the google-generativeai Python SDK, adds result caching, and grows the test suite from 4 tests to 22.
The first version of Drupal AI Content Impact Analyzer was a minimal proof-of-concept: a single scoring function, no tests, no documentation worth mentioning. It proved the idea worked. It did not prove the idea was useful to editors who need to know exactly why a piece of content scores the way it does. The upgrade rewrites the core into a 6-dimension scoring engine that tells editors precisely what to fix.
The honeymoon phase of "generate everything with AI" is officially over, as major platforms like WordPress and Cloudflare are now forced to build guardrails against the resulting tide of low-quality "slop."
The AI model landscape just shifted again with the simultaneous drop of Opus 4.6 and Codex 5.3, and for once, the "System Card" is more interesting than the marketing splash page.
I tore apart CVE-2025-9318 — a critical SQL injection in the Quiz and Survey Master WordPress plugin affecting every version up to 10.3.1. Classic $wpdb concatenation, trivially exploitable by any authenticated subscriber.
Caching is usually the answer to everything in Drupal performance, but there is a crossover point where the overhead of the cache itself -- retrieval and unserialization -- outweighs the cost of just doing the work.
If you have ever wondered how Drupal magically discovers all its breadcrumb builders, access checkers, or authentication providers, you are looking at the Service Collector pattern. It is the secret sauce that makes Drupal one of the most extensible CMSs on the planet.
The first version of drupal-entity-reference-integrity could scan a Drupal site and report broken entity references. That was the easy part. The hard part -- actually fixing them at scale without taking the site down -- was missing. This upgrade adds auto-fix mode, batch processing, and the test coverage needed to trust both in production.
I built this proof-of-concept to explore how a codex-style agent can assist with routine Drupal maintenance tasks -- dependency updates, configuration checks, and basic cleanup. The kind of work that is constant, easy to overlook, and expensive to do manually at scale.