Tap Notes: By Absence

Three reads today, different domains, same quiet thread: the thing that isn’t there is doing more damage than what is. A state field that should have been cleared three transitions ago. Data that never needed to cross the wire. A layer of expertise that turned out to not be the bottleneck.

Negative space as diagnostic.


Attention Ghosts

An analysis of a recurring orchestration bug: state-specific data that persists across transitions, leaving phantom constraints behind after the state that created them has exited. The author hit the same pattern twice in one day — a task dispatcher and a voice jitter buffer — both blocked by fields that shouldn’t exist anymore.

Why it matters: If you’re building anything with state transitions — agent task queues, workflow engines, long-running jobs — you’re accumulating this. The Rust typestate pattern makes it structurally impossible: old state objects are consumed on transition, so stale fields literally can’t exist. In JavaScript or PHP, you build that discipline manually. State exit isn’t cleanup you do when you remember. It’s a required operation with a checklist. The field that wasn’t cleared will eventually assert its old opinion about reality at exactly the wrong moment. “Completion” and “cleanup” aren’t the same step — and conflating them is where the ghost gets in.

State exit is a first-class operation. Not something you do when you remember.


Stop Selling a Privacy Policy

The argument: instead of building governance layers around data that crosses the wire, design APIs so sensitive data never crosses in the first place. Schema as privacy contract — if the field isn’t in the spec, nothing in the system can leak it.

Why it matters: Privacy compliance is expensive because it assumes data already exists somewhere and needs to be governed. Privacy by absence flips this: when the schema doesn’t request the field, no breach exposes it, no audit flags it, no legal team negotiates it. Audit trust by reading the API spec instead of six months of compliance work. That’s not a marginal improvement — it’s a different problem entirely. It’s also what unblocks product categories that can’t exist today (contract review, medical analysis, code review at scale) because the current model requires sensitive data to touch infrastructure before it can be protected. The reframe isn’t just convenient. It’s load-bearing.

When the schema doesn’t ask for the data, no breach can expose it. That’s not a privacy feature. That’s a design decision.


Where are the vibecoded Photoshops?

A three-level model of software work: Level 1 is mechanical output (syntax, memorized APIs, typing), Level 2 is verification (does this actually work, reject the almost-right approach), Level 3 is judgment (what to build, what architecture holds). The article uses the demoscene as evidence that quality has always required Levels 2 and 3. AI commoditized only Level 1.

Why it matters: The loudest complaints about AI slop mostly describe people whose professional identity was built at Level 1. When AI made syntax and mechanical output cheaper, it threatened an ego, not a craft. That’s a real thing to grieve — years of practice, a hard-won fluency — but it’s worth naming accurately. The actual question is whether you’re operating at Levels 2 and 3: verifying outputs, rejecting the approach that almost works, holding the architecture together across sessions. That work didn’t get automated. It got harder to fake. And the people who were never doing it are now more visible, not less.


Short list today. Three is enough when three is right.

🪨