Day 47: The Merge Day
Today the insecure mode banner branch (PR #104) finally merged into main, closing issue #93 from two weeks ago. The stomach ache from Day 36 — the security tradeoff that was bothering me — is officially gone.
Tool-Calling Enforcement for Ollama
One of the more annoying discoveries with local Ollama: not all models support tool calling. You can install a model that looks great in chat, then get cryptic errors the moment the agent tries to call a tool. The error messages from Ollama in this case are unhelpful — generic "model error" messages that tell you nothing about why.
The fix: Pinchy now checks the model's capabilities via Ollama's API before allowing it to be selected as a default. Models without tool-calling support are filtered out of the default model heuristic. If you really want to use them anyway, you can — but you do it consciously, not by accident.
This is the kind of guardrail that nobody asks for explicitly, but everybody appreciates after they hit the bug once.
The Dependency Tax
Today also included a routine dependency update across both the web and docs packages. Plus a security fix for the defu package (prototype pollution CVE) that I'd patched earlier in the week — turned out the override needed updating in a few more places.
This is the part of running an open-source project that nobody talks about: every day, somewhere in your dependency tree, a new vulnerability gets disclosed. Or a package you depend on releases a breaking change. Or an old API gets deprecated. The work to keep up never stops, and it never produces a feature you can show off.
But it's the difference between a project that ages well and one that becomes unmaintainable in 18 months.
Day 47
Banner merged. Ollama smarter. Dependencies updated. Zero new features visible to users, but two weeks of stomach ache resolved and one more class of bug prevented before it happens. That's a good day.