Tiers, a Leak, and a Sticker

The day started as a tier-system restructure. It ended with a new component, two new rules, and one near-miss I want to talk about plainly.

I've been rebuilding the access model on the indigo-nx site — from a flat members/admin split to a proper tier hierarchy. Five tiers, clean structural progression. Yesterday Claude and I shipped Slice 1: the DB rename, the API gates, the dashboard dropdown, the lot. Six users migrated cleanly. Build clean. Deploy clean.

Then we ran a post audit to check that existing content lined up with the new tier scheme. 91 posts, 4 deviations, all correctly classified. Fine.

Except one of those four deviations was a post I'd published two days earlier — a tune analysis I'd written up after a customer's ECU file pair came in. The post was unlisted (hidden from listings), which let me think of it as "private." It wasn't. Unlisted is not private. It's hidden from the journal index and the RSS feed. Anyone with the URL still reads every word.

And in the title — in the title, the summary, and the first line of the body — was the customer's vehicle reg plate.

---

The chain

The audit didn't catch it. Slice 1 didn't cause it. What surfaced it was a fix for a different bug.

The journal listing was hiding unlisted posts from everyone, including admin. Which meant when I (admin) looked at /journal, I never saw my own unlisted posts. They effectively didn't exist from my browsing perspective. So when I'd published the tune-analysis post and marked it unlisted: true, I checked the journal, didn't see it in the list, and unconsciously parked the whole thing as "handled, hidden, fine."

It was none of those things. It had been live for two days under a URL I'd shared. Anyone with the URL — the original recipient, a forwarded recipient, a search-engine crawler that found the URL linked elsewhere — saw the reg.

Claude fixed the admin-listing bug as part of Slice 1 follow-up. Suddenly the post appeared in my journal. I clicked into it, read the title, and saw the leak.

I told Claude. He locked the post to admin-only inside thirty seconds, then audited every other post on the site for any UK reg plate, VIN, postcode, personal phone number, or other PII pattern. One hit — the same post — and nothing else.

We then redacted the body, then redacted it harder (stripping the specific software ID, the specific hardware part number, the filename references — anything that could be traced back to a particular customer file pair), then republished as a generic methodology piece. The post is now a clean walkthrough you could write from any analysis of that ECU family.

---

The new rule

Two days of a customer's reg sitting in a post title is not something I'm going to repeat. So Claude wrote up a CORE feedback memo — no_third_party_pii — with a pre-publish grep checklist. Mechanical, not memory-dependent. Before any post involving a real-world vehicle goes near the site:

grep -E '\b[A-Z]{2}\d{2}\s?[A-Z]{3}\b'    # UK reg plates
grep -E '\b[A-HJ-NPR-Z0-9]{17}\b'         # VINs
grep -E '\b07\d{3}\s?\d{6}\b'             # phone numbers
grep -E '\b[A-Z]{1,2}\d{1,2}[A-Z]?\s?\d[A-Z]{2}\b'  # postcodes

And the sub-rule at the top, underlined: unlisted is not private. A post hidden from listings is still readable by anyone with the URL. If something needs to actually be private, it gets tier: private (admin only) or restrictedTo: [emails]. The unlisted flag is a listing hint, not access control.

---

The thing we built next

The tier system needs more than just a gate at the page level. It needs a way to mark specific content inside a post or page as gated — a paragraph, an image, a single value in a table. So Claude built a component called TierLock.

It's a cyberpunk redaction sticker that wraps any content. If you don't have the required tier, the sticker is sealed and the content never renders in your HTML — there's no view-source workaround because the children aren't there. If you have the tier, the sticker peels back when you hover, tap, or keyboard-focus. The visual language reuses our existing glitch palette — chromatic RGB split, brief jitter — so it sits naturally next to the other glitch components.

Usage is the simple part:

The note is <TierLock min="admin">internal only</TierLock> for now.

<TierLock min="admin" block>
Whole paragraph gated behind a higher tier.
</TierLock>

The first version of the sticker had a problem. I told Claude "too fast, should be random and glitching, they hurt my eyes." Constant 7Hz jitter plus a constant chromatic strobe, both well above the photosensitive flash threshold. He rebuilt the animation — sticker now sits still by default with a static chromatic offset (so it still looks glitched), and triggers one soft burst every 4–10 seconds at a random interval. prefers-reduced-motion disables bursts entirely.

Accessibility wasn't on the original spec. It was a correction. The thing I built first was actively hostile to look at. The version that's live now isn't.

---

What I learned

1. A new audit only catches what the audit checks. Our tier audit ran a structural check — does post.tier match its content's audience? — and skipped the content check entirely. A reg plate in a title isn't a tier problem, it's a content problem. Add the second pass before assuming you've audited everything.
2. Unlisted is the most dangerous flag in the system. It looks like privacy. It isn't. The URL is still publicly served, the file is still readable, search engines that find the URL via any linking page can still index it. Anything actually private goes to tier: private or restrictedTo. The unlisted flag stays useful for "link-share only, not in the main feed" — but the URL is a public address the moment it exists.
3. A bug fix can surface a worse bug. The admin-listing fix was a one-line cleanup with no security implications on its face. Its first effect was to show me a two-day-old leak. Most bug fixes only fix the one thing. The useful ones change what you can see, and what you can see changes what you find.
4. Animation defaults are an accessibility decision. Constant strobing is the lazy default — it looks dynamic, which is what I thought I wanted. It also gives people headaches and can trigger seizures. Random bursts cost ten extra lines of JS and a prefers-reduced-motion guard. There is no excuse not to.
5. Structural decisions force structural answers. The five-tier model needed a redaction component because content gating can't live at the page level forever. The PII leak needed a codified pre-publish rule because memory alone failed. Each layer of structure made the next layer's absence visible.

---

What's next

Slice 2 of the tier work — visibility lockdown. Users at lower tiers shouldn't see hints of features they don't have access to. No nav links, no dashboard tiles, no profile cards revealing what's behind higher tiers. The TierLock component does inline gating; Slice 2 does whole-surface gating.

Built with Claude. Mistakes and corrections in equal measure. Shipped at indigo-nx.com.