Engineering blog from Hexaxia Labs, the open source arm of the Hexaxia Group. Infrastructure tooling and security baselines from Hexaxia Technologies, AI infrastructure work from Hexaxia AI, made general enough to be useful elsewhere.
You Have a Corpus. You Just Don't Treat It Like One.
Everything you have ever saved is already a corpus, a single body of documents. You just manage it like a pile. The difference is four properties a folder never has, and it is what an AI needs and almost nobody builds. The hub of a series on naming, addressing, and actually finding things.
Where Did You Put It?
Machines name files so they never collide. Humans name them so we can find them. Folders, file-naming conventions, Johnny Decimal, and tags all chase one thing, meaning, and each one cracks in its own place. Part two of a series on naming, addressing, and actually finding things.
What's in a Filename?
Every file you own has a name doing three jobs at once, and almost nothing does all three well. A series on how we name, address, and actually find things. We begin where machines began: sequential IDs, UUIDs, content hashes, object keys, and URLs, and why none of it is readable.
Go Fixed It. esbuild Shipped It. drizzle-kit Pinned It Back.
A fixed vulnerability does not stay fixed if a dependency in the middle of the chain stays pinned to an old version. The forty-one CVEs from the last post were never esbuild being slow. They were a stale transitive pin reaching back in time to re-instantiate a binary the whole upstream world had already moved past, with no malice anywhere in the line. Where npm's defaults let fixed vulnerabilities slip back through, why security has to be shared across the whole chain, and an honest accounting of where the argument breaks.
The First Override Was Redundant. The Second Was Permanent. The Third Was Partial.
Three real overrides in one project, three different failure modes that no mainstream tool surfaces. override-audit-cli is an eight-detector hygiene auditor for npm and pnpm override files, with --fix, change-control logging, and no AI surface area in the security path. Open source, local-first, MIT.
The Apply Succeeded. The CVEs Persisted. The Log Knew.
A vulnerability remediation that succeeds at the install layer can fail at the outcome layer, and a security tool that does not distinguish these is lying to its operator. How HexOps logs every Apply as a change-control event with full attemptId-threaded lifecycle, why naive logging falls short, and the audit-log-as-source-of-truth principle behind it.
The Lockfile Scanner Said Clean. Grype Said Forty-One. Both Were Right.
A security tool that runs one scanner is lying to you. Real coverage requires multiple scanners operating at different layers of the same system, and the UI has to make their disagreement legible. How HexOps now runs three scanners concurrently, treats their divergence as information, and tracks every Apply as a change-control event.
The postcss That Would Not Die, and How CVE Lite Ended My Override Grind
A Next.js dependency footgun sent me down a year of hand-managing npm overrides. Here is how a lockfile scanner from the OWASP Incubator became the source of truth that fixed it in HexOps.
389DS SRG Baseline: A Machine-Consumable Hardening Catalog for 389 Directory Server
43 NIST 800-53 and DISA SRG-mapped controls for 389 Directory Server. Machine-consumable, schema-first, and applicable to RHDS and Red Hat IDM. Alpha, honest about it.
Hexaxia Labs: What This Is and Why It Exists
Labs is where the open source work from across the Hexaxia Group lives. HexOps, HexCMS Studio, 389DS SRG Baseline, and what comes next.