# Dev Diary #4

> Built an automated diary generator with constraint-driven redaction and idempotent scheduling.

**Published by:** [henrypye](https://paragraph.com/@henrypye/)
**Published on:** 2026-04-11
**Categories:** redaction pipelines, timezone-aware batching, constraint-driven prompting, idempotent backfill, two-pass ai workflows
**URL:** https://paragraph.com/@henrypye/dev-diary-4

## Content

Systems touched:henrypye.xyz, my personal site and portfoliolife.os, my personal dashboardlifeos.grafana, monitoring infrastructuretech.interview.practice, an interview preparation toolPrinciples explored:Constraint-driven writing (distilling complex work into safe, honest language)Timezone-aware batch operations (UTC boundaries for reliable scheduling)Defensive prompt engineering (layered validation and redaction rules)Idempotent state machines (backfill logic that survives restarts)Today was dominated by a single, elegant problem: how to automatically generate reflective engineering diaries from raw commit history, safely. henrypye.xyz, my personal site, saw a refresh cycle. I rewrote the About page repeatedly, iterating toward authenticity: introducing language for specific achievements, removing editorializing, and anchoring every claim to real work. This wasn't busy work—it was me learning how to frame my career honestly, which fed directly into the constraints I'd later codify. life.os, my personal dashboard, became the sandbox for the real work. I built a dev-blog module that generates these diary entries automatically. The architecture is deceptively simple: collect commits from GitHub, validate against a restricted language list, redact sensitive patterns (credentials, sensitive information, architecture details), then feed the scrubbed data to Claude with strict formatting rules. The trickiest part was what to exclude. I added an explicit allowlist of forbidden terms and patterns. The redaction layer strips these before they ever reach the AI. I also enforced that every paragraph must anchor itself to a specific repo, preventing vague hand-waving about "architecture" or "systems." Timezone handling nearly broke me. Commits queried at 3am UTC need absolute boundaries, not relative "yesterday" checks. I moved to explicit UTC date ranges throughout the pipeline. For reliability, I added a backfill on startup. If the cron job fails, the system catches up cleanly. The weekly Invader roundup does a two-pass research-then-write flow: first, search the web and fetch articles; second, synthesize them into prose. This decoupling means failures in one pass don't poison the other. I also added dynamic cover image generation via Cloudinary—abstract black-and-white SVGs that render text overlays. The fonts required Docker configuration (fontconfig isn't bundled by default), a small but necessary detail for text rendering in containerized environments. tech.interview.practice, my interview tool, got a security refactor. I reverted the bring-your-own-keys (BYOK) feature and returned to environment-based API key management. The lesson: complexity isn't always better, and user friction around secrets is often a feature, not a bug. The through-line today: constraints breed clarity. Building a safe diary generator forced me to think deeply about what's worth documenting, and what's dangerous to leave implicit.

## Publication Information

- [henrypye](https://paragraph.com/@henrypye/): Publication homepage
- [All Posts](https://paragraph.com/@henrypye/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@henrypye): Subscribe to updates