Skip to field notes
PK® / Field notes

Notes from the independent product lab

Design the boundary.
Then show it.

Practical notes on making evidence, time, failure, privacy, and human judgment visible in the interface—not hidden behind a confident result.

01 / SceneCraft

Designing an honest partial audit

When public page evidence is blocked or unavailable, “unknown” is not a weak answer. It is the only accurate one.

Website preflights often fail in a misleading way: a crawler cannot retrieve the page, so the product either returns nothing or quietly treats missing evidence as a negative signal. SceneCraft takes a third path. It identifies why the public page could not be inspected, switches from a full audit to a partial result, and continues only with the domain-level sources that actually responded.

Separate absence from failure

A blocked page does not fail search, accessibility, social, form, or claim checks. Those checks were not completed. SceneCraft therefore removes their scores, marks their signal groups unavailable, and reports registration context, malware-filter DNS, available headers, and MDN Observatory evidence independently. A coverage indicator describes which source groups responded; it does not describe how much of the organization or site was understood.

Interface rule

Never coerce unavailable evidence into zero. Zero looks measured. Unknown says the system did not observe enough to judge.

Make the recovery path useful

Partial mode still has work to do. It explains whether HTML was blocked, unavailable, unsupported, challenged, or too large; shows the exact address inspected; and provides independent paths for registration, Safe Browsing, FTC guidance, PageSpeed, or a normal browser. If a bare name was interpreted as a .com address, the inferred destination is shown for confirmation before an outgoing link is revealed.

Protect the system before interpreting the page

SceneCraft treats retrieval as a security boundary. It accepts public HTTP or HTTPS addresses on standard ports, resolves A and AAAA records, rejects private and reserved destinations, and repeats those checks across redirects. HTML is streamed to a fixed maximum, redirect count is bounded, and selected upstream failures receive only a limited retry. These controls narrow what can be inspected; they are not optional plumbing around the audit.

Keep positive signals from cancelling warnings

Accountability links, authorship hints, external references, domain age, and header posture provide context. They do not establish identity, truth, or safety. A high-impact warning stays visible even when the page also exposes strong transparency signals. The result is a review queue for a person, not a probability that a site is legitimate.

  1. 01
    Name each unavailable source group.

    Do not hide coverage loss inside a composite score.

  2. 02
    Explain what completed.

    Keep page, domain, DNS, and header evidence separate.

  3. 03
    Offer an independent next check.

    Recovery should help the person verify, not merely invite another retry.

  4. 04
    State what the result cannot certify.

    Technical preflight, accessibility sampling, and risk patterns are not truth or safety verdicts.

02 / Voltline + HeatSignal

Fresh data needs visible time

“Latest” is meaningful only when the interface distinguishes source observation, retrieval, caching, and the decision happening now.

Live-data products create a powerful illusion: because a value arrived through an API, it feels current. But APIs expose observations produced by other systems. Those observations may have their own reporting cadence, delay, revision policy, model, or missing periods. Product design has to make that chain legible.

There is more than one relevant clock

01

Observation time

When the source says the condition or measurement applies.

02

Retrieval time

When the product received the source response.

03

Cache time

How long a valid response may be reused before another upstream request.

04

Decision time

When a person interprets the evidence and chooses what to do.

Voltline aligns only what can be aligned

Voltline retrieves EIA-930 rows for Texas demand, day-ahead forecast, net generation, and total interchange. The latest valid demand observation establishes the comparison hour. Forecast is compared only when it has that same timestamp. Generation and interchange may have different latest observations, so each keeps its own reported time visible instead of being presented as synchronized.

The server allows a ten-minute shared cache because the source is hourly public reporting, not operational telemetry. EIA-930 submissions can be delayed, revised, imputed, or missing. That limitation appears with the result, and any recent-peak, forecast-variance, or hourly-movement label remains a deterministic description of the displayed window—not a grid alert.

HeatSignal keeps source type beside source time

HeatSignal retrieves current weather and modeled air-quality values in parallel after the first resolved location match is used; visitors can correct ambiguous matches. Weather and air observations retain their own source times. If air-quality evidence is missing, the weather result can remain useful without turning the missing value into a reassuring one.

The NWS heat-index calculation is applied only when its temperature and humidity conditions are met. Risk bands and guidance are fixed rules, not a prediction of an individual health outcome. The interface continues to point visitors toward local authorities, the National Weather Service, and AirNow because public values can change between updates.

Copy rule

Prefer “latest reported” or “latest available” to “real-time.” The former describes evidence. The latter often promises a system property the product does not control.

  1. 01
    Show time at the value level.

    Different signals can have different observation times.

  2. 02
    Expose source type.

    Observed, modeled, calculated, and user-entered data are not interchangeable.

  3. 03
    Design partial success.

    One missing source should not erase valid evidence or silently become a pass.

  4. 04
    Name the authority that owns the decision.

    Link to EIA, ERCOT, NWS, AirNow, or local guidance where operational meaning belongs.

03 / PaperPatch

Browser-local is a boundary, not a guarantee

Keeping a document out of a server improves privacy, but it does not change what a visual edit, signature, or cover-up actually means.

PaperPatch opens a selected PDF as bytes inside the browser tab, renders it with PDF.js, stores visible annotations in page state, and uses pdf-lib in the same tab to produce a downloadable copy. The document, added images, signatures, and marks are not sent to a server by this workflow. Every consequential step—open, place, review, and download—remains an explicit user action.

Privacy comes from the data path

“Nothing is uploaded” is credible because the implementation does not need a document endpoint. The browser reads the selected file, renders pages locally, creates image data for drawings, applies marks to a local PDF copy, and downloads a Blob. Local processing is therefore an architectural boundary that the interface can explain plainly.

Document semantics still matter

A typed or drawn signature in PaperPatch is a visible mark. It does not verify identity and is not a certificate-backed digital signature. A white rectangle visually covers content but does not securely remove the underlying information. Editing a previously signed document can invalidate an existing cryptographic signature. Those distinctions are more important than the convenience of the tool, so they appear beside the relevant actions and in the final limitations.

The browser is also a constrained runtime

PaperPatch bounds input to 25 MB and 150 pages for more reliable browser editing. Added images are limited to PNG or JPEG files within a smaller size bound. Password-protected documents may not open, complex files can use significant memory, and export fidelity still needs cross-browser evaluation. Local-first does not mean unlimited or universally compatible.

Interface rule

Put the limitation at the action. “Visual signature” belongs on the signature control; “not secure redaction” belongs on the cover-up tool—not only in a footer nobody reads.

Design for deliberate review

The editor maintains page-level marks, selection state, undo and redo history, keyboard movement, deletion, and focus handling for the signature dialog. These details matter because a private workflow can still produce the wrong document if placement is unclear or the export is not reviewed. Privacy is one quality dimension; accuracy and accessibility remain separate evaluation surfaces.

  1. 01
    Prove the local boundary in architecture.

    A privacy label should describe the actual data path, not an aspiration.

  2. 02
    Name each artifact honestly.

    Visual signature, digital signature, cover-up, and redaction are different operations.

  3. 03
    Bound browser work.

    File size, page count, image type, memory, and compatibility deserve explicit limits.

  4. 04
    Keep review human and visible.

    The person should inspect every page before downloading the new file.

Building a system where the boundary matters?

Start with what cannot fail.

Work with me