Day 12: The Audit Trail Closes
PR #3 merged. Every tool call now leaves a trace. Plus: a marketing experiment that backfired.
Tool calls get logged
Until yesterday, Pinchy's audit trail had a gap. It logged every chat message, every agent creation, every settings change. But when an agent used a tool — read a file, searched the web, ran a command — that happened in silence.
For a personal setup, fine. For an enterprise deployment where someone asks "what exactly did the AI agent do with our customer data at 3am?" — that silence is a liability.
PR #3 closes this gap. Tool calls now appear in the audit log with structured data: which tool was called, what the input was, what came back. Same HMAC-signed, immutable format as everything else. No tool execution happens without a record.
This feature was built on top of openclaw-node v0.2.0, the npm package we released on Day 11. That version added tool stream event support — the ability to intercept tool calls as they flow through the WebSocket connection. Pinchy hooks into that stream and logs each event.
The flywheel continues: open-source library enables product feature, product feature validates the library. Both get better.
The Reddit experiment
In parallel, I tried something on the marketing side: posting helpful comments on Reddit threads about OpenClaw security, linking to Pinchy where relevant. Always with disclosure ("I'm the author"), always with genuine technical content alongside the link.
Result: banned from two subreddits within hours. r/sysadmin and r/LocalLLaMA both flagged the account as bot-like. An automated system (BotBouncer) classified the posting pattern — new-ish account + links to own product — as spam.
Fair enough. The content was genuine, but the pattern wasn't. Lesson learned: Reddit requires relationship first, promotion second. You can't show up with useful answers and a link if you don't have history in the community.
We're shifting strategy. No more link-first comments. Instead: build karma by being helpful without asking for anything. The Pinchy mentions will come naturally once the account has credibility. This is a 4-week investment, not a quick win.
What this week taught me about marketing
The most effective traffic source for heypinchy.com so far? LinkedIn (371 visits), followed by derstandard.at (128 visits from a single comment) and Reddit (131 visits before the bans).
The pattern is clear: platforms where I have existing credibility (LinkedIn) or where anonymous participation is normal (derstandard.at) work. Platforms where account reputation matters (Reddit) require patience.
Build in Public means sharing the failures too. Not every experiment works. The skill is knowing when to pivot.
What's next
The context refactor (PR #2) is ready to merge. After that: thinking about RBAC and knowledge base indexing — the features that turn Pinchy from a developer tool into something a team can actually use.
Follow the build: github.com/heypinchy/pinchy