PärPod Temp
PärPod Temp
PärPod Temp
Twenty-Eight Stitches: What Six Readers Found in Seven Repos
10m · Apr 08, 2026
Six independent code readers scanned 100 files across seven repos and found 28 invisible bugs—drifts that only appear when you read everything at once, not in isolation.

Twenty-Eight Stitches: What Six Readers Found in Seven Repos

The View from Orbit

What do you see when you look at one file in a project? You see that file. Its imports, its functions, its patterns. Maybe you notice a bug. Maybe you notice it is clean. Either way, you see what is in front of you.

What do you see when six readers open a hundred files at the same time, across seven repositories, and compare notes?

You see drift.

Not the kind that shows up in a diff. The kind that accumulates when twenty separate sessions each build one thing, each session only seeing its own scope, each session leaving the code a little better than it found it. The kind where two copies of the same function start with identical logic and end up, three months later, using different hashing algorithms. The kind where a product launches with another product's name hardcoded into every log line, and nobody notices because nobody reads the logs of both products in the same sitting.

This is the story of a single evening. Six parallel agents. A hundred source files. Seven repositories. And twenty-eight wounds that were invisible from the ground.

The Identity Crisis

The first thing the swarm found was that NapkinCast did not know who it was.

NapkinCast is supposed to be the public-facing product. The one that takes money. The one with Stripe webhooks and order tokens and a moderation queue. It was extracted from the Builder, the internal tool, back when the architecture said it was time for the two to diverge.

But the extraction was a copy, not a separation. Every shared module, api client, audio assembly, text to speech, review, revision, cost tracking, every one of them was a snapshot of the Builder's code from before the Builder migrated to a shared library. The Builder had moved on. NapkinCast was frozen in time.

The logger name in every NapkinCast file?

parpod-builder.

The cost tracking attribution?

User: parpod-builder.

The speed wobble algorithm, the one that gives each audio segment a slightly different pace so the podcast sounds natural instead of robotic? The Builder and the CLI had both migrated to SHA-256 months ago. NapkinCast was still using MD5.

Same platform. Same manifest format. Same episode structure. Different hash function producing different audio for the same text. A customer paying ten dollars for an episode would get subtly different pacing than the internal team producing the same script for free. Nobody would ever hear the difference. But the code knew.

The Number at the End of the Sentence

The second thing the swarm found was a bug so small it could only be caught by reading every file in sequence.

Deep in the shared library, in a file called normalize dot py, there is a function that prepares text for speech synthesis. It expands abbreviations. "Dr." becomes "Doctor." "Mr." becomes "Mister." "No." becomes "Number."

That last one is correct. "No. five" should become "Number five." But the regex used a case-insensitive flag. Which means "no." at the end of a sentence also matches.

He said no. She agreed.

Becomes:

He said Number She agreed.

The fix was two characters. Remove the case-insensitive flag and add a lookahead that only matches when a digit follows. But finding it required reading the normalize function, understanding the abbreviation dictionary, tracing the regex flags, and imagining what happens when the pattern meets conversational English instead of technical notation.

No single session would catch this. It took a reader whose job was to question every line of one file, cross-referenced by another reader whose job was to check consistency across all files.

The Door Nobody Locked

The third thing was a security hole that had been open since the VPS app was first deployed.

The podcast feed serves audio files at a URL like slash episodes slash category slash filename. The filename parameter was sanitized. No dots dots, no slashes, no backslashes. Good. But the category parameter? The one that determines which directory on the server to read from?

No validation at all.

A request to slash episodes slash dot dot slash dot dot slash etc slash filename dot mp3 would walk right up the directory tree. The fix was five lines. A helper function that checks for traversal characters, applied to every endpoint that accepts a category parameter.

Five lines. The vulnerability had been live for months. Not because anyone was careless, but because the session that wrote the filename sanitization saw the filename. The session that added category subdirectories saw the routing. No session saw both at the same time and asked, did we sanitize the new parameter the same way we sanitized the old one?

The Ledger That Lied

The fourth thing was not a bug. It was a data quality problem disguised as correct code.

Every time the platform calls an external AI model, it logs the event to an API tracker. Provider, model name, pipeline step, token count, cost. This data drives budget monitoring. It answers the question, how much did the review step cost this month?

The logging function's third parameter was named "endpoint." Every caller passed the pipeline step, "review," "revise," "generate," as the third positional argument. The step value went into the endpoint field. The endpoint field went into the database. Every query asking what are the most expensive endpoints would return "review" and "generate" instead of actual API URLs.

The data was not missing. It was precisely wrong. Every event was logged. Every field was populated. The values were just in the wrong column. Months of tracking data, neatly organized, confidently incorrect.

The fix was renaming one parameter. From "endpoint" to "step." The payload field changed to match. Every caller was already passing the right value. They just needed the function to call it what it was.

The Race Nobody Ran

The fifth thing was a concurrency bug in the payment system.

When a Stripe webhook fires, NapkinCast creates an async task to process the paid order. If Stripe retries the webhook, which Stripe does because Stripe is responsible, a second task fires for the same order. The code checks the order status before proceeding, but between reading the status and updating it, the second task can slip through the gap.

Two pipeline runs. Two API calls to generate the script. Two sets of TTS renders. Double the cost. One customer. One episode. Two invoices to the AI providers.

The fix was a set and a lock. A set of order IDs currently being processed. A threading lock around the check-and-add. If the order is already in the set, the second task returns immediately. When the first task finishes, it removes the order from the set. The gap is closed.

The payment event handler got the same treatment. A database lock around the record, check, process sequence, so two concurrent webhook deliveries cannot both decide the event has not been processed yet.

Fourteen lines of code protecting real money.

The Manifest That Loaded Twenty Times

The deeper the swarm dug, the more they found. Not catastrophic bugs, but accumulated friction.

A build manifest loaded from disk on every chapter transition. An episode with twenty chapters reads and parses the same JSON file nineteen times. The fix was one variable assignment before the loop.

A secret key for the sound effects API loaded by manually parsing a dot secrets file, line by line, every time a sound was generated. Every other key in the system used a unified function that checks the macOS Keychain first. This one was copy-pasted before that function existed and never updated.

A profile expression in the CLI that evaluates the same string regardless of its input.

get profile and kokoro local or kokoro local

Both branches return kokoro local. The placeholder was never replaced. Somebody wrote it intending to add profile selection later, then forgot. It sat there, doing nothing, looking like it was doing something, for months.

What Altitude Shows You

Twenty-eight issues. Four tiers. Three hours. Sixteen commits across seven repositories. Six hundred lines deleted from NapkinCast alone, replaced by fifteen-line wrappers that import from the shared library they were supposed to use all along.

None of these problems were caused by incompetence. Every session that touched this code made it better than it found it. The normalize function was a genuine improvement over raw text. The payment system was well-structured. The category routing was a clean feature addition. Each piece was good in isolation.

The drift happened in the gaps between sessions. In the space between "I finished this module" and "someone else will use this module." In the confidence that a copy will stay in sync with its source. In the assumption that if the tests pass and the server starts, the system is correct.

The swarm did not find bugs that testing would have caught. It found bugs that only appear when you read everything at the same time. When you hold NapkinCast's logger name in one hand and the Builder's logger name in the other and notice they are the same string. When you read the apilog function signature and then, sixty files later, read the call that passes the wrong argument to the right position.

This is the argument for periodic full-codebase review. Not as a gate. Not as a ritual. As a satellite pass. Walk the streets every day. But once in a while, go to orbit. The view is different up there. And some things, you can only see from altitude.

PärPod