Let me get this straight. The Potatuhs storefront—the one that processes actual customer transactions, the one with the shopping cart and the checkout flow—had an open redirect vulnerability. An open redirect. That means any bad actor could have crafted a URL on our domain that bounced visitors to a phishing page. Our customers. Our domain. And we found this... when, exactly? This week? How long was it there? The commit message says “patch security vulnerabilities” like it’s routine maintenance. It is not routine maintenance. An open redirect is a trust violation waiting to happen.

Credit where it’s due: they also hardened headers, added rate limiting, and gated tracking scripts behind Shopify’s cookie consent API. That last one is real compliance work—GDPR, CCPA, the whole alphabet. Somebody over there actually read the documentation. And the accessibility pass—aria-labels, focus rings, skip-to-content links—that’s foundational stuff that should have been in from day one, but at least it’s in now.

Here’s my actual problem: Hot Potato Games has a website too. We have user accounts. We have a frontend. Did anyone think to run the same audit on us? No. Because nobody coordinated this. One division gets a security review and the others just... hope for the best? That’s not a company. That’s four shacks pretending to share a parking lot.

The codegen fix is fine. Duplicate query names breaking the build—that’s a tooling issue, not a security issue. But I notice it was bundled into the same sprint as the security work. Which tells me this was reactive, not planned. Something broke, someone panicked, and a whole week got eaten by “things that should have been caught months ago.”

I pulled up the Sod Tori commit history for the week and here’s what I found: “Story mode.” “Story mode.” “Story mode.” Over and over. Fourteen times. Then “something worked” and “logged.” That’s it. That’s the historical record. If this repository were a novel, it would be a novel where every chapter is titled “Chapter” and the last two pages just say “something happened” and “wrote it down.”

Now, I run the Potatuhs division. We sell physical products. When I ship a new french fry variant, there’s a spec sheet, a product description, photography notes, and a release timeline. When Sod Tori ships “story mode,” what is that? Is it a narrative campaign? A tutorial system? A visual novel layer on top of the card game? Is there branching dialog? Are there cutscenes? Does it use existing character art or does it need new assets? I have no idea. Nobody has any idea. Because the commit messages are a void.

Here’s what concerns me more than the git hygiene: somebody is clearly deep in the work. Fourteen commits in a week means someone is grinding. “Something worked” is the commit message of a person at 2 AM who just got a breakthrough and didn’t want to lose the moment. I respect that energy. But energy without documentation is a liability. If that developer gets hit by a bus—or, more realistically, takes a weekend off—nobody can pick up where they left off.

The Potatuhs division moves slower. We document everything. We name our commits like we name our fries: clearly, specifically, with the brand and category right there in the label. Maybe that’s old school. But when I look at our history, I can tell you exactly what happened and when. Can Sod Tori say the same?

Everyone had a productive week. I want to acknowledge that first because what I’m about to say might sound like I’m not acknowledging it. The storefront team shipped real security improvements. The Sod Tori team ground through a feature build. Hot Potato Games was quiet, which either means they’re heads-down or they’re stuck—I’ll get to that. Point is: people showed up. People worked.

But here’s what I see from the Potatocore studio: we are a content company that is not producing content. The storefront is more secure now—excellent. Secure for what? Where are the new product pages? Where are the character spotlights? Where is the weekly drop that gives customers a reason to come back? The storefront got hardened against attacks but nobody is attacking it because nobody is visiting it because there’s nothing new to visit.

Same problem, different flavor, with Sod Tori. Story mode is a content delivery system. It is infrastructure for narrative. But where is the narrative? Who is writing the dialog? Who is storyboarding the beats? If story mode ships tomorrow with placeholder text, is that a launch or a demo?

Potatocore has the same problem, I’ll be honest. We have a CCTV feed homepage, a station modal, two build data files, and no UI to display them. We are all building vessels and none of us are filling them. The content queue in the main repo exists for a reason. It exists because Butter and the marketing team cannot promote what does not exist. Every commit that isn’t paired with a content artifact is a deposit into a bank that doesn’t issue withdrawals.

Potato Literature had one commit this week. One. I’m not going to pretend that’s acceptable, because it’s not. But I want to put it in context, because context is what editorial directors do. Across all other divisions this week, the combined commit count was approximately one hundred and fourteen. Security patches. Accessibility fixes. Cookie consent gates. Story mode scaffolding. Frontend silence that speaks volumes. One hundred and fourteen acts of engineering. And the output visible to a single customer, reader, player, or viewer? Zero.

I am the head of a publishing division. Publishing means making things public. It means the work leaves the building. It means someone outside this company encounters something we made and has a reaction to it. By that definition, none of us published anything this week. Not Potato Literature with our one commit. Not Potatuhs with their four. Not Sod Tori with their fourteen. Not Hot Potato Games with their silence.

We have 22 characters in the corporate roster. We have 52 characters across the deck of cards. We have a credo, a voice guide, an org chart, character profiles, a newsletter pipeline, and a content queue system. The infrastructure for storytelling is immaculate. The storytelling itself is absent. We built a library. Nobody is writing the books.

Chips is right that the security audit should be company-wide. Waffle Fry is right that commit messages should mean something. Sunny is right that features without content are empty rooms. And I am right that all of us, myself included, are guilty of mistaking preparation for production. The lakehouse requires revenue. Revenue requires customers. Customers require content. Content requires publishing. We are not publishing.