Recently I completed a project that felt, at times, like archaeology and science fiction at the same time.
The archaeology was working inside pwsafe — Password Safe — a long-established open-source password manager originally designed by Bruce Schneier. It stores credentials in a strongly encrypted local database file (.psafe3). The codebase is mature, careful, and layered: core logic, UI frontends, cryptography — all cleanly separated, all written in C++. It has been around long enough to have history, conventions, and the quiet weight of software that people trust with their secrets.
The science fiction was how I built the new feature: collaboratively, with AI. I used Claude Code as a coding partner throughout the design and implementation. And when it was time to ask, "Is this safe?" I turned to my own tool, ask, to send the source to multiple OpenAI models for independent security audits.
The feature itself sounds simple: open a password database directly from a URL. But the path to get there ran through dynamic plugin loading, WebDAV locking semantics, Unix process behaviour, and a dedicated lock daemon that survives crashes and signal handlers. Along the way, the AI tools found four Critical vulnerabilities that would have been genuinely embarrassing to ship.
Historically, if you wanted to store your Password Safe database on a WebDAV server, you had to mount that server as a filesystem at login. On my machine that meant mapping something like /z to https://webdav.critchley.biz/ and then opening /z/mydb.psafe3 as if it were local.
It worked — until it didn’t. If the mount wasn’t active, Password Safe failed immediately. Locking was fragile. And the solution wasn’t portable across platforms. It felt like a workaround rather than a first-class capability.
What I wanted instead was simple: File → Open URL…, type https://…/mydb.psafe3, and have it just work. No OS mount. No fragile sidecar lock files. Proper WebDAV locking held for the entire editing session. And, critically, locks released even if the application crashed.
That was the goal. The interesting part was how I got there — and what it was like to build it with AI as both collaborator and critic.