nyxcore-systems

Epic Sprint: Unpacking a Marathon Dev Session – Auth, AI Security, and Complex Integrations

Join us as we pull back the curtain on an intense development session, covering everything from progressive authentication and invitation systems to advanced AI security tools and complex integrations. It was a sprint, an ultra-marathon, and a masterclass in problem-solving.

Tags: development, full-stack, security, authentication, AI, integrations, lessons-learned, engineering, deployment

Ever had one of those development sessions that feels less like a sprint and more like an ultra-marathon? Where the "to-do" list seems to stretch into the horizon, yet by the end, you've not only crossed the finish line but shattered a few personal bests along the way? That was our experience on March 18th, 2026.

This post pulls back the curtain on a truly massive development push, transforming a raw "session handoff" into a narrative of features shipped, challenges overcome, and the relentless pursuit of robust, user-centric, and secure systems.

What We Shipped: A Mountain of Features, Deployed

This session was about foundational improvements and powerful new capabilities. We touched almost every layer of our stack, from user authentication to advanced AI-driven security analysis.

Empowering Users: Progressive Auth & Seamless Access

User experience and secure access were major themes. We rolled out a suite of features designed to make onboarding flexible, controlled, and intuitive.

  • Progressive Authentication Phase 1: We've enhanced our login experience, offering greater flexibility and security.

    • Social Logins: Integrated Google OAuth and GitHub, making it easier for users to sign in with their preferred identity provider. A clever allowDangerousEmailAccountLinking option ensures a smooth transition for existing users.
    • Redesigned Login Page: A cleaner, more intuitive interface prioritizes social logins while keeping the Magic Link option readily available.
    • User Preference Tracking: We now store a preferredAuthMethod on the User model, remembered via a JWT callback parameter, streamlining future logins.
    • Behind the scenes: This was all guided by our progressive-auth-design.md spec and a detailed implementation plan.
  • Request Access System: For controlled environments, direct access isn't always the default.

    • GDPR-Compliant Form: A new /request-access page allows users to formally request access, complete with GDPR considerations.
    • Admin Oversight: Superadmins now have a dedicated "Requests" tab in the dashboard to review, approve (assigning tenants and roles), or reject access requests.
    • Intelligent Redirects: Tenant-less users are automatically guided to the /request-access page, ensuring a clear onboarding path.
  • Invitation System Overhaul: Streamlined team onboarding and improved reliability.

    • Extended Expiry: Invitation links now remain valid for 24 hours, up from 15 minutes, giving users more time to accept.
    • Branded HTML Emails: Invitations are now sent via Resend API with our custom branding, creating a more professional and trustworthy experience.
    • Magic Link Reliability Fix: A critical fix involved adding the X-Entity-Ref-ID header to disable Resend's link tracking, preventing pre-click invalidation of Magic Links. Custom sendVerificationRequest ensures branded HTML for these too.
    • Proof in the pudding: We successfully sent and delivered invitations to several Clarait users.
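An added example (not the project's own auth config) of the callbacks the Progressive Auth work describes: the jwt callback captures the provider used at sign-in as preferredAuthMethod and carries it in the token, and the per-provider email-linking switch is kept explicit. The AuthMethod values, field names and provider ids are assumptions that follow Auth.js's conventional ids ("google", "github", "email").

```typescript
// Added example, not the project's auth config. Models the jwt/session callbacks the
// post describes; the AuthMethod values, field names and provider ids are assumptions
// mirroring Auth.js's conventional provider ids ("google", "github", "email").
type AuthMethod = "google" | "github" | "magic-link";

interface JwtToken { sub?: string; preferredAuthMethod?: AuthMethod; }
interface AccountInfo { provider: string; }
interface SessionUser { id?: string; preferredAuthMethod?: AuthMethod; }

// Auth.js provider id -> the preference stored on the User model.
const PROVIDER_TO_METHOD: Record<string, AuthMethod> = {
  google: "google",
  github: "github",
  email: "magic-link",
};

// Per-provider switch for allowDangerousEmailAccountLinking. Linking by e-mail is only
// safe when the provider has verified that the user controls the address it returns;
// otherwise an unverified address could be attached to an existing account.
// Both are enabled here as the post describes; re-check this list whenever a provider is added.
const EMAIL_LINKING: Record<string, boolean> = {
  google: true,
  github: true,
};

// Shape of callbacks.jwt: `account` is only present on the sign-in call, so the
// preference is captured once and then carried along inside the JWT.
function jwtCallback(token: JwtToken, account?: AccountInfo | null): JwtToken {
  if (account) {
    const method = PROVIDER_TO_METHOD[account.provider];
    if (method) return { ...token, preferredAuthMethod: method };
  }
  return token;
}

// Shape of callbacks.session: expose the preference so the login page can
// pre-select the method the user chose last time.
function sessionCallback(user: SessionUser, token: JwtToken): SessionUser {
  return { ...user, id: token.sub, preferredAuthMethod: token.preferredAuthMethod };
}

// Options object for a provider entry; unknown providers default to no e-mail linking.
function providerOptions(providerId: string): { allowDangerousEmailAccountLinking: boolean } {
  return { allowDangerousEmailAccountLinking: EMAIL_LINKING[providerId] === true };
}
```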

Fortifying Security with AI: Ipcha & Attack Scenario Extraction

Our commitment to proactive security analysis took a significant leap forward with new AI-powered capabilities.

  • Ipcha API Endpoints: Expanding our adversarial analysis toolkit.

    • POST /api/v1/ipcha/analyze: This powerful endpoint now provides a comprehensive 3-part adversarial analysis (Claim → Assumptions → Inversion → Failure Modes → Surviving → Hardening), offering deeper insights into potential vulnerabilities.
    • POST /api/v1/ipcha/persona/chat: Interact dynamically with any defined persona by name or ID, receiving responses and key metrics. This opens up new avenues for simulating attacks and understanding threat actor perspectives.
    • Under the hood: We also implemented a UUID validation fix for persona name lookups, ensuring robust API interactions. Our Postman collection is updated for easy testing.
  • Attack Scenario Extractor: Automating the identification of threats.

    • LLM-Based Structured Extraction: A new service (src/server/services/attack-scenario-extractor.ts) leverages Large Language Models to automatically identify and structure attack scenarios.
    • Intelligent Triggering: This extraction process now automatically kicks in after workflow steps labeled "Adversarial Analysis," "Security Review," "Red Team," or "Ipcha Analysis."
    • Insight Storage: Identified scenarios are stored as WorkflowInsights (type: attack_scenario, scope: security), creating a valuable repository of potential threats.
    • Early success: We identified 40 attack scenarios from a single workflow (8e7356b7), demonstrating the extractor's power.
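An added example (not the project's attack-scenario-extractor.ts) of the two pieces described above: the trigger check on workflow step labels, and turning an LLM reply into WorkflowInsights of type attack_scenario and scope security while treating the model output as untrusted input. The trigger labels, type and scope come from the post; the scenario fields and the sample reply are constructed assumptions.

```typescript
// Added example, not the project's attack-scenario-extractor.ts. The trigger labels and the
// insight type/scope come from the post; the scenario fields and the LLM reply below are
// constructed assumptions.
const TRIGGER_LABELS = ["adversarial analysis", "security review", "red team", "ipcha analysis"];

function shouldExtract(stepLabel: string): boolean {
  const normalized = stepLabel.trim().toLowerCase();
  return TRIGGER_LABELS.some((label) => normalized.includes(label));
}

type Impact = "low" | "medium" | "high" | "critical";
const IMPACTS: readonly string[] = ["low", "medium", "high", "critical"];
interface AttackScenario { title: string; vector: string; impact: Impact; mitigation: string; }
interface WorkflowInsight { workflowId: string; type: "attack_scenario"; scope: "security"; data: AttackScenario; }

// Model output is untrusted: it may wrap the JSON in prose, drift from the schema or
// contain partial items. Locate the JSON, validate each item and keep only well-formed ones.
function parseScenarios(raw: string): AttackScenario[] {
  const start = raw.indexOf("{");
  const end = raw.lastIndexOf("}");
  if (start < 0 || end <= start) return [];
  let parsed: unknown;
  try { parsed = JSON.parse(raw.slice(start, end + 1)); } catch { return []; }
  const items = (parsed as { scenarios?: unknown } | null)?.scenarios;
  if (!Array.isArray(items)) return [];
  const out: AttackScenario[] = [];
  for (const item of items) {
    if (typeof item !== "object" || item === null) continue;
    const { title, vector, impact, mitigation } = item as Record<string, unknown>;
    if (typeof title !== "string" || title.trim() === "") continue;
    if (typeof vector !== "string" || typeof mitigation !== "string") continue;
    if (typeof impact !== "string" || !IMPACTS.includes(impact)) continue;
    out.push({ title: title.trim(), vector, impact: impact as Impact, mitigation });
  }
  return out;
}

function toInsights(workflowId: string, llmReply: string): WorkflowInsight[] {
  return parseScenarios(llmReply).map((data) => ({ workflowId, type: "attack_scenario", scope: "security", data }));
}

// Constructed LLM reply: prose around the JSON plus one malformed item that must be dropped.
const SAMPLE_LLM_REPLY = `Here are the scenarios I found:
{"scenarios": [
  {"title": "Magic link replay", "vector": "reuse of a link already opened by a mail scanner",
   "impact": "high", "mitigation": "single-use tokens and short expiry"},
  {"title": "", "vector": "n/a", "impact": "severe", "mitigation": "n/a"}
]}
Let me know if you need more detail.`;
```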

Under the Hood & Key Integrations

Beyond the major features, several crucial fixes and foundational work were completed.

  • Batch URL Import for Axiom: A new batchFetchUrls mutation and UI element simplifies the bulk import of URLs, improving data ingestion efficiency.
  • OpenAI API Fixes: We addressed max_tokens being deprecated in favor of max_completion_tokens and fine-tuned GPT-5 temperature settings for better responses.
  • Time Formatting: Our formatRelativeTime() utility now correctly supports future dates (e.g., "in 23h").
  • CKB Integration Spec: While not yet implemented, a critical design spec for CKB integration was written and thoroughly reviewed. This spec outlines a robust "worker pattern" for CKB analysis, addressing initial design flaws and paving the way for powerful code intelligence features like architecture insights, hotspot identification, and dead code detection.

Lessons Learned: Navigating the Minefield

No large development session is without its challenges. Reframing our "pain log" into "lessons learned" highlights our problem-solving process and the insights gained.

CKB Integration: The Index-Server Dilemma

  • The Challenge: Our initial approach for CKB integration involved running it in "Index-Server mode" to analyze multiple repositories. We quickly discovered that this mode primarily serves SCIP indexes, and its powerful analysis endpoints (hotspots, architecture, audit counts) only function in standalone mode against a single local repository.
  • The Solution: We pivoted to a "worker pattern." CKB now runs as a sleep infinity Docker container, providing the binary. Our nyxCore system executes CKB CLI commands via docker exec against a checked-out repository, allowing us to perform detailed analysis per repo. This was a critical architectural decision that unblocked the integration.

Prisma's Strictness: Persona Name vs. UUID

  • The Challenge: When trying to query for a persona using its name (e.g., "Nemesis") through the persona/chat endpoint, Prisma's query expected a UUID, leading to a P2023 error.
  • The Solution: A simple but effective workaround: before performing the Prisma query, we now apply a UUID regex check. If the provided persona string doesn't match the UUID format, we search by name only, ensuring flexibility without sacrificing data integrity.
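An added example (not the project's endpoint code) of the pre-query check described above: the identifier is classified as UUID or name before any Prisma call, so a name never reaches the UUID column. The Persona shape and the in-memory lookup stand in for the Prisma model and are assumptions; "Nemesis" is the persona name from the post and the UUID is a made-up value.

```typescript
// Added example, not the project's endpoint code. The Persona shape and the in-memory
// lookup stand in for the Prisma model (assumptions); "Nemesis" comes from the post.
interface Persona { id: string; name: string; }
type PersonaWhere = { id: string } | { name: string };

// Canonical hyphenated UUID form. A string that does not fit this shape, sent to the
// UUID primary-key column, is what produced Prisma error P2023.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value: string): boolean {
  return UUID_RE.test(value);
}

// Decide the lookup key before touching the database: UUIDs go to the primary key,
// anything else is treated as a name. An empty identifier is rejected outright.
function personaWhere(identifier: string): PersonaWhere {
  const trimmed = identifier.trim();
  if (trimmed === "") throw new Error("persona identifier must not be empty");
  return isUuid(trimmed) ? { id: trimmed.toLowerCase() } : { name: trimmed };
}

// Stand-in for prisma.persona.findFirst({ where }) over an in-memory table.
function findPersona(identifier: string, table: Persona[]): Persona | null {
  const where = personaWhere(identifier);
  const match = "id" in where
    ? table.find((p) => p.id.toLowerCase() === where.id)
    : table.find((p) => p.name === where.name);
  return match ?? null;
}

// Constructed rows; the UUID is a made-up value.
const PERSONAS: Persona[] = [
  { id: "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d", name: "Nemesis" },
];
```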

Resend's Eager Bots: The Magic Link Predicament

  • The Challenge: We observed that Magic Links sent via Resend were being pre-clicked and invalidated by Resend's internal link-tracking bots before the actual user could click them.
  • The Solution: We implemented two key fixes:
    1. Adding the X-Entity-Ref-ID header to our email requests, which disables Resend's link tracking for those specific emails.
    2. Implementing a custom sendVerificationRequest function for our Resend provider, allowing us to send branded HTML Magic Link emails directly, bypassing the problematic default behavior.
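An added example (not the project's provider code) of the custom sendVerificationRequest described here and in the invitation section above: it builds the Resend API request with the X-Entity-Ref-ID header and a branded HTML body, and surfaces a failed send as an error. The sender address, subject, HTML template, reference-id format and the injectable fetchImpl (so the flow runs without network access) are assumptions.

```typescript
// Added example, not the project's provider code. The sender address, subject, template,
// reference-id format and the injectable fetchImpl are assumptions.
interface VerificationParams { identifier: string; url: string; expires: Date; }
interface ResendRequest { method: "POST"; headers: Record<string, string>; body: string; }
type FetchLike = (url: string, init: ResendRequest) => Promise<{ ok: boolean; status: number }>;

const RESEND_ENDPOINT = "https://api.resend.com/emails";

function escapeHtml(text: string): string {
  const map: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Per-message reference id; it only needs to be unique, not unpredictable.
function newEntityRefId(): string {
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
}

function buildResendRequest(params: VerificationParams, from: string, apiKey: string): ResendRequest {
  const safeUrl = escapeHtml(params.url);
  const expiresAt = params.expires.toISOString();
  return {
    method: "POST",
    headers: {
      Authorization: `Bearer ${apiKey}`,
      "Content-Type": "application/json",
      // Per the post, this header stops Resend's link tracking from fetching the
      // single-use magic link before the user does.
      "X-Entity-Ref-ID": newEntityRefId(),
    },
    body: JSON.stringify({
      from,
      to: [params.identifier],
      subject: "Your nyxCore sign-in link",
      html: `<p><a href="${safeUrl}">Sign in to nyxCore</a></p><p>This link is valid until ${expiresAt}.</p>`,
      text: `Sign in: ${params.url}\nValid until: ${expiresAt}`,
    }),
  };
}

// Drop-in for the Resend provider's sendVerificationRequest. A non-2xx reply is thrown so
// the caller sees the failed send instead of a misleading "check your inbox".
async function sendVerificationRequest(params: VerificationParams, deps: { from: string; apiKey: string; fetchImpl: FetchLike }): Promise<void> {
  const res = await deps.fetchImpl(RESEND_ENDPOINT, buildResendRequest(params, deps.from, deps.apiKey));
  if (!res.ok) throw new Error(`Resend rejected the magic link email: HTTP ${res.status}`);
}
```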

OpenAI Quota Woes

  • The Challenge: While integrating OpenAI Embeddings for Clarait pattern analysis, we hit a quota exceeded (429) error on one of our OpenAI keys.
  • The Solution (Pending): This is an ongoing item. The immediate workaround is to monitor and top up credits. However, the planned CKB integration offers a promising long-term solution by providing LLM-free structural analysis as an alternative, reducing our reliance on external LLM APIs for certain tasks.

What's Next? The Road Ahead

Even after such a monumental session, the journey continues. Our immediate next steps include:

  1. Extracting those 40 identified attack scenarios from workflow 8e7356b7 into the database.
  2. Developing the implementation plan for the CKB integration (the spec is ready!).
  3. Kicking off Progressive Auth Phase 2, focusing on Passkeys.
  4. Resolving the Clarait OpenAI embedding issue (either by topping up credits or leveraging CKB).
  5. Re-running the Arbitration step on workflow 8e7356b7 with Google, as Kimi's content filter flagged some attack scenarios.
  6. Verifying all invited Clarait users can successfully sign in.
  7. Topping up Anthropic API credits.

Conclusion

This session was a testament to focused effort and collaborative problem-solving. From enhancing user authentication and access to deploying advanced AI-driven security tools and tackling complex integration challenges, we've pushed the boundaries of what's possible in a single development sprint. Each "pain" transformed into a valuable "lesson learned," strengthening our systems and our resolve.

We're incredibly proud of what was accomplished and excited for the next phase of development. Stay tuned for more updates as we continue to build and refine our platform!