I have two Rails 8 services. One is the main app acting as the Identity Provider (IdP), and the other is a partner service acting as the Relying Party (RP). I wanted to add a “Sign in with Main App” button to the partner service’s login page, authenticate via SSO, and redirect back. Then I went one step further: if the user has the iOS Hotwire Native app installed, the authentication should open in the native app instead of the browser, via Universal Links. ...

While implementing HMAC-based SSO between two Rails applications, I ran into two unexpected bugs. Both stemmed from how Turbo Drive and ERB handle things under the hood. The error message was identical in both cases — “state mismatch” — but the root causes were completely different. Fixing the first bug left the second one still lurking, which made the debugging process more frustrating than it needed to be. Implementation Overview Structure Two independent Rails apps are connected via SSO: ...

There are two Rails apps. One is an internal staff app — OTP login only, restricted to a specific domain. The other is a review and management system built on Devise + JWT. Internal employees need access to both, but creating and managing separate accounts for each was not a path worth taking. “If a user is already logged into the internal app, can’t they just click a button and get into the review system automatically?” ...

To give an electronic contract storage system legal evidentiary weight, I needed to implement two things simultaneously: Blockchain Merkle Tree anchoring — collect contract hashes, compute a Merkle Root, and record it on an L2 chain RFC 3161 TSA timestamps — cryptographic proof of existence at a specific point in time, certified by a trusted third party It looked straightforward. It was not. Each problem took far longer than expected to resolve, and the issues compounded in unexpected ways — especially where Ruby 4.0 API changes intersected with Rails 8’s multi-database behavior. ...

I decided to do a thorough inspection of a production Rails 8 API server. Most features appeared to be working, but test coverage sat at a mere 3%. This was an exercise in finding out just how dangerous the assumption “it works, so it’s fine” really is. When a project reaches a certain level of maturity, stability becomes more important than shipping new features. In a codebase without tests, every refactor, every dependency upgrade, and every new team member onboarding becomes a gamble. This inspection was not just about raising a coverage number — it was about taking an honest look at the actual state of the codebase. ...

While preparing to release a voice message-based social app, I performed a full audit of unimplemented features. There were quite a few cases where routes existed but controller actions did not, or the Flutter UI was complete but payment logic was blocked with // TODO. Here is the record of cataloging and implementing them one by one. How to Audit Unimplemented Features Backend Audit The fastest method is comparing routes.rb against the actual controllers. ...

After running a project for nearly a year, documents accumulate. Feature design specs, TODOs, debugging records, migration plans, test scenarios… Each was needed at the time, but over time they become noise. One day I ran find docs -name "*.md" | wc -l and got 2,352. Status Check: How Did It Get This Bad find docs -name "*.md" | wc -l # 2352 # File count by directory find docs -maxdepth 1 -type d | while read d; do count=$(find "$d" -name "*.md" | wc -l) echo "$count $(basename $d)" done | sort -rn | head -15 Results: ...

I built a Chrome extension that auto-fills the OACX (simplified authentication) form on Korean government sites. It worked on most sites, but got feedback saying “the name field isn’t being filled” on a specific major site. Symptoms Extension auto-fills name, birthdate, and phone number when the simplified auth popup opens Works correctly on most government sites (Gov24, National Health Insurance, etc.) Only on a specific site, the name field was empty – birthdate and phone number also weren’t filled Investigation: Checking Actual DOM Structure with Playwright Opened the page reported by the user directly using Playwright MCP. ...

I built a calendar printing feature for the web. PDF and PNG downloads worked perfectly, but when hitting the browser print button, image positions weren’t reflected at all. Same data, so why different results? Structure: Preview and Hidden Export Target The calendar print page had this structure: +-- Visible Area ----------------------------+ | [Settings Panel] [Preview Area] | | - Date range Calendar preview | | - Theme/Color | | - Image position slider | +--------------------------------------------+ +-- Hidden Export Target --------------------+ | <div class="fixed -left-[9999px]"> | <- off-screen | <PrintableCalendar ... /> | | </div> | +--------------------------------------------+ The preview is a scaled-down thumbnail, while the actual export calendar is rendered at full size off-screen (-left-[9999px]). PDF/PNG capture this hidden element. ...

After running into a problem where an AI agent grabbed a ticket and abandoned it, I dug into OpenAI’s Symphony project. Symphony is an orchestrator that polls a GitHub issue tracker and automatically runs coding agents (Codex, Claude, etc.). Its core philosophy stuck with me: “Don’t manage agents — manage the Work.” I extracted 7 patterns from that philosophy and applied all of them to a Rails 8 + SolidQueue based ITSM system. Here’s what each pattern solves, how it’s implemented, and why it matters. ...