Project page: AssetTrack

Context

AssetTrack is built around one simple rule:

The event log is the truth.

That means every workflow change has to be careful. A cleaner button, a better email action, or a smoother validation screen cannot quietly change custody truth, receipt truth, audit history, or persistence behavior.

Today’s work stayed focused on that discipline.

The recent receipt email work had already made the admin resend path safer and cleaner. From there, the next question was not “what can we build next?” It was “what do we need to close, document, and understand before the next behavior change?”

That is slower in the short term, but safer for the system.

What changed

We worked through several Issue 27 cleanup and recon items.

First, we confirmed that the holder follow-up email action was already implemented on main by earlier work. No new code was needed. The existing behavior already supports a manual holder follow-up email from the holder detail page, using the local SMTP configuration, without writing to the database or changing custody or receipt truth.

That issue was closed as already satisfied.

Next, we added a pre-event validation checklist.

That checklist documents what AssetTrack must confirm before any event-producing workflow appends custody history. It covers authentication, authorization, workflow intent, required context, asset eligibility, queue validity, preview confirmation, append-only commit boundaries, SQLite persistence expectations, post-commit reconciliation, and receipt/email separation.

The point is simple:

Validation happens before the event is appended.

Once the event is appended, history is not edited to make the workflow feel cleaner later.

Then we completed recon on multi-location holder support.

The finding was important. Holders are currently global custody actors, not location-scoped records. A holder can operate across approved locations without needing a schema change. Issue location is transaction context. Receipts snapshot holder identity and location separately. That means no runtime change is needed right now for a holder working across multiple locations.

The recon also identified two possible future paths, but only if operators need them later:

1. Read-only holder location filtering semantics.
2. Persistent holder-to-location membership with schema and migration planning.

Finally, we completed recon on validation flow and redundancy.

The current Issue and Return workflows still preserve the correct seam:

entry page → prerequisite selection → scan queue → preview → commit

That seam matters because preview is the operator’s main checkpoint before custody events are appended. Commit handlers and transaction helpers also revalidate state before writing events. That duplication is intentional. It protects custody truth.

The recon found a few presentation-only simplification candidates, including repeated guidance and blocked-state summaries, but it also clearly marked the checks that must not be removed.

What I learned

A system like AssetTrack does not get safer just because it has more code.

It gets safer when the rules are written down, checked, and respected.

The pre-event checklist gives future issues a shared reference point. Instead of re-arguing every workflow decision from scratch, we now have a plain checklist that says what must be true before AssetTrack writes an event.

The multi-location holder recon also helped prevent premature schema work. It would be easy to assume holders need location membership records. But the current model already supports the real operational case: a global custody actor participating in transactions at different locations.

That matters because schema changes are expensive. In AssetTrack, they are not just database changes. They affect event interpretation, receipts, custody reports, workflows, and operator trust.

The validation recon reinforced another lesson:

Some repetition is bad interface design. Some repetition is system protection.

The job is knowing which is which.

Repeated helper text may be simplified later. Commit-time validation should stay.

Next

The next useful work should stay small and disciplined.

Good candidates include:

• presentation-only cleanup from the validation recon
• issue prerequisite guidance compression
• return preview blocked-state summary cleanup
• case structure and capacity recon
• asset search improvements

Before any behavior-changing issue, the new pre-event validation checklist should be used as a guardrail.

The goal remains the same:

Keep AssetTrack simple for the operator without making the custody model weaker behind the scenes.

Project page: AssetTrack.

Context

This phase of AssetTrack was not about adding features.

It was about reducing friction.

Over time, the system had accumulated:

• duplicate navigation paths
• helper-text overload
• inconsistent return links
• equal-weight actions competing for attention
• admin pages that felt more like scaffolding than operational software

Nothing was technically broken.

But the system was becoming mentally noisy.

That matters in a field-oriented operational application.

Operators should not feel like they are navigating a SaaS dashboard.

They should feel like they are operating a focused tool.

What changed

Several connected UI refinement issues landed during this phase.

Highlights included:

• consolidating duplicate report/dashboard actions
• reducing persistent navigation clutter
• introducing clearer action hierarchy
• standardizing return navigation patterns
• reducing visual competition between metadata and operational actions
• improving spacing and containment rhythm
• normalizing admin/workflow interaction patterns

One interesting correction happened late in the cycle.

During consistency cleanup, the UI standardized on:

Stage Assets

But smoke testing showed that operators naturally responded better to:

Add Assets

That small wording difference mattered more than expected.

“Stage” reflected the internal workflow architecture.

“Add Assets” reflected the operator’s actual mental model.

The system now consistently uses:

Add Assets
→ Preview Queue
→ Commit

which reads much more naturally during operation.

What I learned

There is a major difference between:

functional UI

and:

operational cognition

A system can technically work while still exhausting the operator.

As AssetTrack matured, the problems stopped being backend problems.

The problems became:

• attention management
• workflow confidence
• interaction consistency
• visual hierarchy
• terminology precision

The most surprising lesson was that reducing noise exposed deeper cohesion problems.

Once the clutter disappeared, inconsistency became visible immediately.

That was actually a good sign.

It meant the system was finally calm enough for polish problems to surface.

Next

Next work will likely focus on:

• progressive disclosure for secondary operational details
• workflow surface compression
• continued reduction of “dashboard” behavior
• operational consistency across remaining admin and demo surfaces

The goal is increasingly clear:

AssetTrack should feel less like a web application and more like a dedicated operational appliance.

Project page: AssetTrack.

Context

AssetTrack is at the stage where the major workflows exist, but the operator experience is starting to matter more than raw feature count.

The system already works.

Now the question becomes:

Does the system feel understandable under pressure?

That led into a chain of navigation and presentation cleanup issues focused on reducing cognitive load for operators.

The biggest realization today was that navigation has layers:

global navigation
local workflow navigation
workflow actions

When those layers visually compete, the operator has to stop and think.

That is exactly what we do not want in a field inventory system.

What changed

Completed UX/navigation cleanup chain:

• Issue 27-39 — strengthened preview affordance
• Issue 27-40 — clarified /add-assets action hierarchy
• Issue 27-41 — simplified alternate workflow navigation
• Issue 27-43 — compacted shared top-nav chips
• Issue 27-44 — standardized workflow-local back links
• Issue 27-46 — aligned workflow/admin container widths
• Issue 27-47 — fixed server-rendered theme toggle pressed state
• Issue 27-49 — simplified theme toggle to icon-only

The most interesting fix today was probably not visual at all.

The theme toggle had a subtle accessibility mismatch where the server-rendered HTML did not initially include the correct aria-pressed state. JavaScript eventually corrected it, but there was a brief mismatch between what the page showed and what accessibility tools understood.

The fix itself was tiny:

one missing attribute

But those are the kinds of details that quietly erode trust over time if left unresolved.

I also simplified the dark mode toggle into a compact icon-only control. Removing words from the navbar sounds small, but it noticeably reduced visual noise.

What I learned

I discovered an important distinction today:

actual layout inconsistency
vs
perceived layout density

Originally I thought several admin pages had width problems.

After recon and testing, the real issue was only one outlier route using a narrower container.

Everything else that still felt different came from:

• table density
• spacing rhythm
• control grouping
• visual composition

That matters because it prevents over-fixing the wrong problem.

Another lesson:

tiny UI inconsistencies compound

One slightly different nav row. One awkward button hierarchy. One oversized text label.

Individually they seem harmless.

Together they create friction.

Next

Next up is likely continued workflow cognition cleanup:

• separating mixed nav/action rows more aggressively
• refining dense admin surfaces
• continuing to reduce unnecessary wording
• preserving accessibility while simplifying presentation

The system is starting to feel calmer.

That is the goal.

Project page: Settled Field Platform.

Context

Today was about getting the site out of the local/dev lane and into the real world.

The goal was not perfection.

The goal was:

Make the site credible, clean, and available before Bill’s meeting.

That meant focusing on flow, trust, and deployment instead of adding more features.

What changed

The site is live

Settled on the Field is now available here:

https://settledonthefield.com

The domain is managed through Bluehost, while the app is deployed through Vercel.

The key production setup became:

Bluehost DNS → Vercel → Settled Field Platform

The public experience is presentable

The site now has:

• a clear landing page
• Summit path
• registration interest path
• clean footer
• truthful placeholder-safe contact language
• real domain access

This moved the project from:

pages in progress

to:

a usable public experience

Footer attribution was cleaned up

The CurlTech attribution went through a few iterations.

The final version uses:

• a subtle sentence
• an inline SVG logo
• a link to gregcurl.dev

This kept the credit present without letting it compete with the site.

DNS was the real boss fight

The code was not the hard part today.

The tricky part was DNS:

• root domain needed the correct Vercel A record
• www needed the correct CNAME
• conflicting Bluehost records had to be removed
• Vercel needed time to validate the configuration

The lesson:

If the site works but Vercel says invalid, check for duplicate or conflicting DNS records.

What I learned

1. Live changes force clarity

Once a site is public, placeholders feel different.

Every fake email, broken link, or loud attribution suddenly matters more.

That pressure was useful.

It forced the site to become more honest.

2. SVG was the right answer

The footer logo issue looked like a CSS problem at first.

It was really an asset problem.

The PNG had sizing/canvas issues, so the fix was to use a proper SVG and size it with em.

Lesson:

Fix the asset layer before fighting CSS too hard.

3. “Good enough to present” is a real milestone

This version is not the final product.

But it is good enough for a real conversation.

That matters.

A live, credible site creates momentum in a way a local build never can.

Next

After Bill’s meeting, the next work should focus on:

• real speaker content
• real partner logos
• confirmed social links
• confirmed contact method
• stronger Summit credibility
• payment flow when the timing is right

Closing thought

Today the project crossed a line.

It is no longer just a build.

It is now a live system with a real address:

settledonthefield.com

That changes the conversation.

Project page: Settled Field Platform.

Context

I’m working toward a meeting-ready version of the Settled Field Platform site.

The goal isn’t perfection.
It’s credibility.

If someone lands on the page, they should:

• understand what this is
• trust it
• know what to do next

Before today, the site had structure, but it still felt like a template.
Clean… but not convincing.

What changed

1. The hero stopped feeling like a brochure

I shifted the landing section into more of a “poster” feel:

• stronger visual presence
• clearer headline
• real CTA positioning

It started to feel like an event instead of a webpage.

2. Typography became intentional

I introduced:

• Playfair Display for headings
• Inter for body text

Then centralized everything in globals.css.

This wasn’t just about fonts.
It made the hierarchy obvious and removed visual noise.

3. CTAs became actual actions

Big realization here:

The buttons looked styled, but they didn’t feel clickable.

The issue wasn’t color — it was separation.

Fix:

• stronger fill
• real shadow (not glow)
• clear elevation off the background image

Now the CTA sits above the hero instead of blending into it.

4. Added a trust layer

This was the biggest shift.

Right after the hero, I added a section that answers:

• who this is for
• what you get
• why it matters

No fluff. No long paragraphs.

Then on the summit page:

• added lightweight credibility framing
• tightened outcomes into short, practical statements

The site now answers:

“Why should I care?” within 10 seconds

What I learned

1. Visual polish doesn’t create trust

You can have:

• clean layout
• good fonts
• nice colors

…and still not convert.

Trust comes from:

• clarity
• specificity
• restraint

2. Buttons don’t need effects — they need separation

I tried glow. Didn’t like it.

The real fix was:

make the button feel like it exists on a different layer

Simple shadow + solid fill beat everything else.

3. Repetition kills credibility

Adding a trust section exposed overlap with existing sections.

Lesson:

every section has to earn its space

If two sections say the same thing, one has to go or tighten.

4. Check what the browser is actually doing

At one point I assumed fonts weren’t applying because of Next.js font output.

Reality:

computed styles told the truth

Next

The pieces are all there now:

• hero
• CTA
• trust

Next step is tightening flow:

what the user sees first → second → where they click

That’s where this becomes a real conversion system.

Closing thought

Today wasn’t about building more.

It was about removing doubt.

That’s the difference between:

• a site that looks good
• and a site someone actually uses

Project page: AssetTrack.

Context

After deployment and email delivery were stabilized, the next gap became clear:

Authentication recovery.

In a real system, users will forget passwords.
If recovery is weak, the system is fragile.
If recovery is too powerful, the system becomes unsafe.

This work focused on building a reset path that:

• works offline
• stays inside local trust boundaries
• does not weaken authentication
• does not introduce new infrastructure dependencies

At the same time, the system accumulated test data and UX friction that needed to be cleaned up before moving forward.

This was both a security pass and a reset to a clean operational state.

What changed

Admin-controlled password reset (no schema change)

A reset flow was introduced with these properties:

• admin triggers reset
• system generates a strong temporary password
• password is shown one time only
• stored value remains hashed (no plaintext persistence)
• user must change password on next login

The key constraint:

no schema change allowed

Instead of adding a column, a marker prefix was applied to the existing password hash:

assettrack-temp-password:<hash>

This allowed the system to:

• detect temporary password state
• enforce password change
• avoid migrations entirely

This kept the system stable while extending behavior.

The bug that proved the design

Initial implementation failed at login.

Symptom:

• temp password generated successfully
• login returned “Invalid login”

Root cause:

• authentication logic treated the prefixed value as a normal hash
• password verification never stripped the prefix

Fix:

• detect prefix during verification
• strip prefix
• pass underlying hash to verifier

This was a small change, but important.

It reinforced a rule:

Any encoding or wrapping of stored values must be understood everywhere that value is read.

Forced password change (gated access)

After successful login with a temporary password:

• user is blocked from normal routes
• user is redirected to password change
• access is restored only after successful update

This ensures:

• temporary credentials cannot be reused
• users do not operate the system in a degraded state

Secure one-time password reveal

Temporary passwords are:

• generated server-side
• returned only in the immediate response
• never stored in plaintext
• never retrievable later

Hardening added:

• Cache-Control: no-store
• Pragma: no-cache
• Expires: 0

This reduces risk of:

• browser caching
• proxy storage
• accidental leakage

Delivery to the user is intentionally out-of-band:

• in person
• phone
• trusted local channel

The system does not attempt to deliver secrets.

Account state remains authoritative

Reset does not modify account status.

If a user is:

• disabled → they remain disabled after reset

This avoids:

• accidental reactivation
• bypass of administrative intent

The system separates:

• authentication state (password)
• account state (active/disabled)

This is intentional.

Clean database reset

At this point, test users and data were polluting the system.

Instead of partial cleanup:

• database was backed up
• database was removed
• system was rebuilt clean

Result:

• no test artifacts
• no hidden references
• no inconsistent state

Bootstrap was then used to:

• create the initial admin user
• verify first-run behavior

This restored the system to a true baseline.

Manual import remains intentional

Inventory import was run manually after reset.

It is not part of startup.

This is by design.

If import ran automatically:

• duplicate data would occur
• restarts would mutate state
• debugging would become difficult

Import is treated as a controlled data operation, not a system requirement.

UX friction: the pointer fix

One small issue had outsized impact:

Buttons did not show a pointer cursor.

Effect:

• UI felt unresponsive
• operators questioned whether actions were clickable

Fix:

button { cursor: pointer; }

This did not change behavior.

It changed perception of reliability.

What I learned

1. Schema changes are expensive — avoid when possible

The reset flow could have introduced new columns.

It didn’t.

By reusing existing structure carefully, the system gained capability without increasing migration risk.

2. Authentication bugs hide in edge encoding

The system worked — except for one detail:

A prefix.

That small mismatch broke the entire flow.

Lesson:

Every transformation of stored data must be reversible at every read point.

3. Separation of concerns matters

Password reset did not:

• enable accounts
• change roles
• alter workflow

That separation keeps the system predictable.

4. Clean state beats partial cleanup

Deleting test users manually risks:

• orphaned data
• inconsistent references
• hidden bugs

Resetting the database created:

• a known-good baseline
• a reproducible starting point

5. UX signals are part of system correctness

The pointer cursor fix did not change logic.

But it changed:

• operator confidence
• perceived responsiveness
• usability under pressure

That matters in a field system.

Next

Issue 26-152 — Improve Admin User Reset Flow Clarity

The system works correctly, but the UI still requires operator thinking:

• user state is not obvious
• reset vs enable sequence is not guided

Next step:

• make account state explicit
• guide correct next action
• reduce cognitive load

Bottom line

The system is now:

• secure in authentication recovery
• free of test data
• operating from a clean baseline
• more trustworthy to the operator

The biggest changes were not structural.

They were about:

• respecting constraints
• fixing small but critical gaps
• and making the system behave predictably

That is what turns working code into a reliable system.

Project page: Settled Field Platform

Context

Up until now, this build was moving toward something real, but not fully operational.

We had:

• a working funnel
• a real registration flow
• persistence in place

But we didn’t yet have:

• controlled access
• operator autonomy
• a way to safely manage who can use the system

That’s what Milestone 3 was about.

And today, that layer is done.

What changed

This milestone introduced the full admin control layer.

1. Real authentication (DB-backed)

• Admin users stored in Postgres
• Roles:
  • owner
  • admin
• Passwords hashed properly
• Session cookies signed and verified per request

This is no longer “fake login.”
It’s real auth.

2. Full admin lifecycle

We now have the complete flow:

• Owner creates admin users
• Users can request access (/admin/request-access)
• Owner reviews requests (/admin/requests)
• Owner can:
  • approve
  • deny
  • disable
  • permanently remove

With guardrails:

• system prevents deleting the last owner
• access is validated against DB on every request

This is a controlled system, not a free-for-all.

3. Production bootstrap (the real lesson)

Getting this live surfaced something important:

A working system locally is not the same as a working system in production.

To make admin login work on Vercel, three things had to be true:

• correct DATABASE_URL
• correct production database (not a lookalike)
• ADMIN_SESSION_SECRET present

That last one was the trap.

Without it:

• login “worked”
• but session creation failed
• result: Unauthorized

Once that was fixed, everything snapped into place.

4. First real operator moment

I created the first production owner via CLI, then logged in through the live app.

That’s the moment this stopped being:

“a thing I’m building”

and became:

“a system that can be operated”

Then I brought in a second user as admin.

No CLI. No database work. No dev intervention.

Just:

• create user
• send login
• system handles the rest

That’s the shift.

What I learned

1. Auth is not just login

You need:

• identity (DB)
• verification (password)
• session (cookie)
• signature (secret)

Miss one → system fails in non-obvious ways

2. Production truth matters

You can’t fake:

• environment variables
• database wiring
• session handling

Those seams will break if they’re not real.

3. Control is what makes a system usable

Pages don’t make a product.

Control does.

Now the system can:

• onboard users
• restrict access
• remove access
• operate without the developer

That’s the difference between:

demo
and
product

Next

Milestone 4:

Payment Hardening (Stripe)

Up next:

• real checkout session
• payment verification
• tying money to registration truth

That’s where this becomes:

not just usable
but valuable

This was a big one.

The system is now:

• structured
• controlled
• live

Next step: make it real revenue.

Project page: Settled Field Platform.

Context

Up to this point, the project was a strong front-end funnel:

Landing → Summit → Register → Success → Checkout (stub)

It looked real. It behaved well. But it was missing something critical:

Operational control.

There was no way for Bill (or anyone helping him) to actually see or manage what was happening inside the system.

That changed today.

What Changed

Milestone 3 is now complete.

That includes:

• Protected admin access
• Multi-user admin authentication (no shared password)
• Durable registration storage (real data, not just a form submission)
• Attendee list view backed by the database
• A dashboard shell that functions as a control surface

The key shift:

The system moved from collecting data to owning data.

Registrations are no longer ephemeral—they are stored, structured, and visible.

Admins are no longer theoretical—they can log in and operate.

What I Learned

The biggest lesson here wasn’t technical—it was architectural discipline.

I initially tried to build the attendee list first.

That failed for the right reason: the system didn’t actually store attendees yet.

So I had to step back and build the persistence layer first.

That decision:

• avoided fake UI
• avoided immediate rework
• created a foundation for everything that comes next

Another key takeaway:

Authentication doesn’t need to be complex to be correct.

Instead of introducing a full auth system, I implemented:

• DB-backed users
• hashed passwords
• signed session cookies
• server-side route protection

Simple, controlled, and appropriate for the use case.

What’s Next

Next is Milestone 4: Payment Hardening.

That includes:

• wiring real Stripe checkout
• handling webhook events
• linking registration to payment state
• ensuring the system reflects who has actually paid

Right now: we can see who registered.

Next: we need to know who committed.

Closing Thought

This is the milestone where the project stopped being a site and became a system.

Before:

• pages
• forms
• flow

Now:

• data
• control
• operators

That is the difference between something that looks complete and something that can actually run an event.

Project page: gregcurl.dev Rebuild

Context

I’m rebuilding my portfolio into a working consulting platform.

The goal isn’t a better-looking website — it’s a system that:

• demonstrates real capability
• captures leads
• supports direct engagement
• eventually enables payment

Before writing any application code, I focused on getting the foundation right.

What changed

Milestone 0 is now complete:

• Established canonical repository (gacurl-web)
• Defined hosting split (Vercel for frontend, DigitalOcean for systems like AssetTrack)
• Documented DNS cutover strategy
• Created environment variable contract (.env.example)
• Implemented CI/CD and security baseline:
  • GitHub Actions pipeline
  • Dependency Review
  • CodeQL scanning

This means the project now has a stable, security-conscious starting point.

What I learned

The biggest lesson is that discipline early prevents rework later.

It’s tempting to jump straight into building pages, but that usually leads to:

• unclear architecture
• messy environment handling
• security gaps
• rework during deployment

By locking these decisions first, the rest of the build becomes much more straightforward.

Next

Milestone 1: Scaffold the Next.js application.

This will:

• activate the CI pipeline with real builds
• establish the development loop
• create the first visible version of the platform

From here, the project shifts from planning → execution.

Project page: Settled Field Platform.

Context

Up until now, everything looked good — but it wasn’t real yet.

Milestone 1 gave me:

• a clean landing page
• a summit page that builds trust
• a registration page that looked like the next step

But it was still a surface.

Today was about turning that surface into behavior:

• capturing intent
• holding it
• moving the user forward

Without overbuilding the backend.

What changed

Two major things happened.

1. Registration became real

The form now:

• enforces required fields
• validates input server-side
• normalizes data (email)
• stores a short-lived draft (HTTP-only cookie)

That last part matters.

Instead of jumping straight into a database, I used a draft model:

• temporary
• server-owned
• just enough to bridge into payment

This keeps the system light while still making it real.

2. Payment became a defined path

Stripe isn’t live yet — and that’s intentional.

What is live:

• a server-side checkout entry point
• environment-driven Stripe config shape
• a controlled “stub mode” when keys aren’t present

Flow now looks like:

Register → Payment-ready → Checkout seam → Stub (for now)

No fake success.
No dead ends.
No pretending.

Just forward motion.

What I learned

1. Don’t solve the final system too early

It’s tempting to jump straight into:

• database models
• payment records
• webhook handling

But that would’ve slowed everything down.

Instead:

• form → server action
• draft → cookie
• checkout → scaffold

Each step supports the next, without locking anything in.

2. Design consistency matters more than features

The biggest improvement today wasn’t technical.

It was removing the “app UI” feel from /register.

Once I aligned it with the same:

• spacing
• typography
• section structure

…it stopped feeling like a form and started feeling like a step in a journey.

That’s the difference between:

• a page
• and a conversion system

3. Forward motion is everything

Every step now answers:

“What happens next?”

• submit → you’re ready for payment
• continue → you enter checkout (or stub)
• no confusion, no guessing

Even without Stripe live, the system moves.

Next

Two paths, depending on timing:

If Stripe keys arrive:

• wire real Checkout
• complete payment loop
• introduce confirmation state

If not:

• build Confirmation page (Issue 2-4)
• complete the visible funnel
• keep momentum

Today was the shift.

This isn’t a website anymore.

It’s a system.