Colophon
Who tends this garden, how it's built, and what it does (and refuses to do) with your data.
Settled and durable. Revised rarely, referenced constantly.
The gardener
Hi, I'm mz7x. I break things to understand them: offensive security, cloud and AI security, the occasional CTF weekend, and a side fascination with probability and markets. Games are how I think and how I bond with people, so they show up here too. This site is where my notes live while they grow up. If something here is wrong, I'd genuinely love to hear about it.
Why a garden, not a blog
I stumbled onto Maggie Appleton's website and got deeply inspired; she explains the digital-garden idea better than I can, so go read her. Notes here are published early, revised often, and dated twice: once when they were planted, once when they were last tended. The gap between those two dates is part of the story. Every note also wears a growth stage, from seed to evergreen, and that stage tells you how much to trust it yet.
The garden right now
The first seed went in on September 1, 2025. Since then it has grown to 21 notes, joined by 53 links. These numbers are counted when the site builds, so they grow as the garden does. Here is the whole ladder, and how many notes rest on each rung today.
- A captured spark. Unverified, unpolished, possibly wrong.
- Taking shape. Has structure and at least one real source or experiment.
- Actively tended. Revisited often, links forming to other notes.
- Useful to others as-is. Tested ideas, working code, real findings.
- Settled and durable. Revised rarely, referenced constantly.
How it's built
Vibe-coded, in the honest sense: built fast with an AI pair, but every choice here was made on purpose rather than by default. Astro, TypeScript, and Tailwind, compiled to plain static files and built to be served from Cloudflare's edge. Markdown in a Git repository is the only database. Fonts are self-hosted (Fraunces, Literata, IBM Plex Mono). The living map is interactive, a small force-directed canvas of every note and the links between them, and it falls back to a static map drawn at build time when JavaScript is off.
Privacy, plainly
- No analytics, no trackers, no cookies, no fingerprinting.
- No third-party scripts or CDNs; every byte comes from this domain.
- A little first-party JavaScript adds polish: theme switching, page transitions, the living-map canvas, the "wander" button, a reading-progress bar, and instant search, all served from this domain, and every page still works with it disabled.
- Standard server logs at the CDN are the only data that exists, and I don't mine them.
Security, plainly
The site is static HTML behind a restrictive Content-Security-Policy: no inline scripts, no external origins, no frames. There is no backend to compromise and no user data to steal; the most honest security architecture is having nothing worth attacking. The threat model lives in the garden as its own note. In Markdown I link it as a wikilink; on a static page that renders as a plain link: Threat-modeling this garden.
One caveat, said plainly: I build this site by hand partly to keep my web red-teaming sharp, so it doubles as my own practice range. The architecture above is the goal, not a guarantee. Hand-written code has flaws, and some are surely still hiding in here. So, gently: please don't actually hack my blog. If you find a hole, I'd much rather hear about it than read about it later. A responsible-disclosure channel ships with the domain.