Question regarding TADpooLe

Hi @sylumer,

I looked at your TADpooLe and ThoughtAsylum links, and it looks incredible. Just totally in awe.
Looks so useful, and so cool, and how you are sharing that with others, I can’t really explain how amazed I am.
However… at the risk or sounding rude(and I really don’t mean to be, so sorry if it comes across that way) it is so complex, that I don’t think there is a way for a person like me to ever know if a data is being treated wrongly. I know you are trusted by agiletortoise, and you must be an incredible coder.
You seem so helpful, and I can’t help but trust you personally.

But for example if I want to use these features at the office, I would have to be extra careful and accountable, especially now a days, about what they are doing(I know i’m not making sense because, how can I be accountable when I can’t understand all the code, but hope you know what I mean). Especially since it seems like your core actions include creating a library database somewhere that I really don’t know where(I honestly only “kind of” know how that works for Python on Mac, and no clue how that is done through iOS apps), and I wouldn’t know what actions they are calling.
Especially now a days.

Also your “doctor drafts” workflow for Alfred seems so useful, and I so want to use it, but again, a little intimidated by how much code is in there(truly totally brilliant), but I don’t think I will ever be able to be sure how it is handling on my device.
Even with the simple actions(maybe it isn’t really simple) in creating a new note from Alfred. I tried using the x-callback-url, but that opens and focuses the drafts app. I think I read somewhere that yours can do that without opening/focusing the Drafts app.
(Which if can be done, I would absolutely LOVE to know how)

I must admit, I do install some actions even if I don’t understand them at all, but I have relied on the “trusted member token”, and also I can see the codes, and get a feel that it isn’t sending my data off anywhere, or doing anything weird.

I might be sounding like a real nuisance at this point, and I apologize if I am. I am not trying to be annoying or anything. I’m just a person that is hoping to use your a-dream-some-true tools. They seems so great
I guess what I am trying to ask, while I think I know the answer, is if there is any way I might be able to be more at ease with diving into the amazing content that you are providing.

I totally understand if you ignore this post, and maybe the answer is just, if you aren’t sure, don’t use it on sensitive content. But any insight would be appreciated.

1 Like

For one thing, I just want to say that this is 110% a legitimate, reasonable, and constructive question to ask here! I can’t speak for Stephen, but - as a relatively longtime user of his library - I think I might have some worthwhile touchpoints depending on how long you’ve used Drafts, itself.

I know you sorta mentioned it, but one great comfort you can take regarding privacy in Drafts is that - basically without exception - actions with external integration have to ask you for credentials before they can do anything via a very specific type of dialog, and you can always see a list of said credentials (the titles, anyway) in Settings (Gear Menu) ⇨ Credentials (It’s the sole entry under the “Services” subgroup.) You’ll find that you can revoke any of them at any time if you feel unclear about what’s happening.

As far as auditing is concerned, Drafts’ native Action Log is very dependable as long as you make sure the actions you’re using aren’t explicitly configured not to log. If you’ve got the time, the TAD library actually includes some very impressive “Advanced Logging” capabilities - though I must admit I’m basically just getting started with them, personally.

I know my commentary was not solicited but my logline for Drafts when speaking about it for the first time is specifically “I trust Drafts more deeply than any other software I’ve ever used.” Perhaps the biggest contributor to that is how well documented it is. (Remarkably, the TAD Library is, as well.) The second is how patient and open Greg and this very community have been with me. (I promise you I’ve asked far, far less appropriate questions here and gotten away with it lol.)

That said, welcome! I hope that was at least somewhat useful lol.

1 Like

I can’t define your comfort level; that’s up to you. Running any code on your devices inherently comes with some risk – both from intentionally bad actors and from simply buggy code.

I will say that, on the bright side, pretty much anything you can extend Drafts with is completely open. Whether or not you have the knowledge and comfort level to analyze the code in the actions is a separate problem, but there’s nothing hidden in some compiled code that can not be audited; it’s all right in the actions you install.

To date (:crossed_fingers:) I am not aware of any instances of malicious actions, but I don’t pretend it could not happen. The “trusted member” flag in the Directory is intended to help for those concerned, and in all cases those have been assigned manually, by me, specifically to users who have an established history in the community and I have a high level of confidence they can be trusted not to be doing anything questionable – at least not intentionally – with your data.


Thankyou. I’ve put a lot of time and effort into them.

JavaScript is not my language of choice, but I know enough to do the sorts of things I want to do. I can tell you now that there are many more experienced developers of JavaScript using Drafts.

On the complexity point, there are several things.

  • You can learn to code and my code is not so complex that you could not learn to understand it. In fact if you spent just a short while learning JavaScript and then read through the Drafts scripting documentation, you would immeidatlely understand 90%+ of the code in the library.
  • The code is accessible - there is a file that you cna view on device or online.
  • The point of me doing the coding is so that you and others do not have to - it saves you needing to understand the complexity. The whole “steal like an artist” mantra came along before software development, but seriously no one steals like someone who writes code; it’s basically how ost good developers learn to code. In this case it is the point of how the library is intended to function. Taking all the complexity and sticking it behind reusable objects and functions.

Greg trusts me enough to mark my stuff as trusted pretty much because I’ve been contributing and helping folks out with Drafts for a while. The trust comes from what I do and don’t do, and hopefully, I will continue to maintain that trust.

Thanks. I do try to help folks out as much as I can.

That’s an entirely fair point, and it is also entirely up to you how comfortable you are with things. But if I looked at these actions and the code a few years ago, I would be in the same situation. I wouldn’t know what they did. But I would now, because I have learnt it along the way.

I’ve gone to great lengths to comment the code in detail (to help those who do wish to learn from it), and to provide documentation that not only describes everything, but provides working examples code too. For all of it. You can use those code samples to test everything works as described … and anywhere it doesn’t, let me know and I’ll fix it.

In terms of accountability and not understanding code, that would mean you should never run any operating or software you did not write yourself from scratch with no library dependencies. There is always an established level of trust, and even then malicious things can get in (often through other channels) or things can accidentally have unanticipated consequences (bugs).

At the end of the day, the choice is yours of where you draw the line and what you are comfortable being acocuntable for.

But, permit me to flip the tables a bit and ask you, what would you require to be comfortable being accountable in using it?

Most people at this point ask for a guarantee, but the strange thing about software is that every EULA outside of the aviation industry seems to include wording about no liability, use at your own risk, etc. So realistically, what do people want? It may be that I can provide it.

For info, the library doesn’t create any sort of database. It allows you to work with some flat files, and it has a settings file, but that’s it.

Again, a lot of work has gone into the Alfred workflow, and I still have a backlog of work to do on it to improve it further. Maybe it will be of use to you at some point, even if not today?

Yes there is code in it, but again it is all visible, and this time it is a mixture of shell script, Python, and dash of AppleScript; so probably things you are more comfortable with, and the volume is way lower than in TADpoLe. So, for this one I would have it strongly disagree that you wouldn’t be able to understand it all. In fact, armed with Google, I don’t think it would take you long at all.

But, once again, while the code is there and you are free to peruse it, the idea is that you don’t need to. i have done the heavy lifting so that you don’t have to.

It can, and does so by using the small amount of AppleScript that Drafts currently supports.

Great. That’s very much what I do. For simple actions I scan through the code in the directory. For longer ones, it is a split of trusting people who I’ve interacted with on the forum more than others, and scanning through the code until I’m happy I have a rough idea what it is doing and something about how it is doing it.

Actions never auto run, so it is safe to install and review them without risking them executing.

Not at all. You never need to apologise for trying to find out more or expressing an opinion and wanting to get further clarity on how valid it may or may not be.

As has alread been covered, I think there are two paths.

  1. Trust, through reputation and your own asessment of people’s intent and actions.
  2. Knowledge, through your own analysis of what is being provided.

The former is expedited by others and how they might view someone like me and in turn how you might view them and allow their thoughts and views to support or conflict with your own.

The latter is expedited by you investing time in your own knowledge and understanding of what is being provided - in this case in understanding the code and logical structures being used to deliver additional functionality or functionality that is simpler to access, for Drafts.

Ha ha. I read every post on the forum, and reply to anything I think I can add a tidbit or more value to. This one literally had my name all over it, so I could hardly skip responding.

Hopefully, the commentary above from myself and others will help you view things in context, and give you some idea of how much is perception, and how more than you think is in your control.

One final thing you can do is to ask questions here on the forum. They may be ones I can help you with in terms of understanding something. They may be things where indepedent review by others you build up trust with would be more beneficial. There’s no harm or foul in it. If people can, and are willing to help, and you get value from it, then the forum is succeeding in at least one of its aims.


Thank you all for taking the time to respond.
As you may be able to tell, I was pretty nervous asking this, and I am now so relieved at all of your kindness, and grateful for the insights given.

It may take a little time before I can properly reply to this thread.
But for now I just wanted to thank you, and let you know I’ve seen your comments.

Thank you so much for your comment.
You have no idea how your comment put me at ease. especially the first bit.
and thank you for the welcome.

I had seen the logging feature, but hadn’t really considered it. I need to look into what this is, and how it can help me in my use of the app.
Also you are right, the documentation is incredible, for both the app and the TAD library. Maybe that would also be a good place to start. thank you.

Thank you for your comment :slight_smile:

Thank you for your comment.

You are right, everything being out in the open is actually very helpful.
As you mention, whether I can read them or not, is another problem, but it at least means that others can see them too, and therefore others may have already raise issue, if any, and the uploader will also be conscious of that.

Very glad to hear that you haven’t had those issues (:crossed_fingers:).
Also I wanted to mention that your “trusted member” flag is amazing. Honestly, as a person who had never read any javascript until now, I don’t think I would have even known where to start without those flags. I know it doesn’t mean that it is 100% risk free, but it has been very helpful for people like me.
I assume it is a lot of work, and consideration to do this,
but thank you!

First of all thank you for your reply to my questions!

Wow, I would have never guessed JavaScript was not your forte. How you seem to help so many people in the Drafts community, and the actions you created are amazing.
This actually gives me a lot of hope, since I am now trying to learn JavaScript through customizing, and learning the actions in this app.
I may not become as good as you are, but hopefully I will be good enough to actually view your codes and understand it.
And as @agiletortoise also said, all the code is in the open, and visible.
So anyone from all coding levels, can see what it is doing. Which I guess in it self, already creates a certain level of trust and safety?

Also after reading your website a further, and to a point in this comment, it seems like some of your actions are best used as libraries for other actions(sorry if I am misunderstanding)
That may actually be 1 way to go, and learn your actions, and javascript, little-by-little, and as you say “stealing from them”

I really appreciate your consideration for people that want to learn from it, since I am interested in both learning, and the functionality the actions will provide
It must be so much extra work to do that, but thank you! And it looks amazing!

I totally understand what you are saying here. We all use applications (the Drafts app being one of them, or even the Web browser) on some level of trust and agreement. Even if we never would understand a single line of code that made those functions possible.
So yes, you are totally right.
It isn’t reasonable to assume accountability = full knowledge of code.

I will reply to this point in a later section.

This is actually a point I am really curious about.
Could you please explain what “flat files” and “setting files” are, and where these things are stored on device?
I couldn’t really understand it and wasn’t sure where best to look.
Forgive me, it is probably documented somewhere, I just couldn’t find it, or was maybe seeing it all along and didn’t understand it?

The instructions say to run the core action to enable the other TADpoLe actions, so I assume that running the core action is what creates these files for the other actions to reference later?

Also how would these files sync per device? simply iCloud Drive? Or are these files created per device, and require that the core action needs to be run on each device?

Another few things, and maybe these are what started making me curious in the beginning.
In the core action group you have a few actions that point to different urls. Some I understand is pulling from the drafts directory, but others I couldn’t really make sense of.
Also in one of the descriptions it mentioned installing javascript libraries. Where would these be installed?
Especially since the app works on iOS as well, and I didn’t think(I could be very wrong) you were able to handle programming libraries the same way a Mac would.
Or are these libraries installed and contained in the drafts app?
Sorry it’s a lot of questions, but sometimes I get really caught up on where certain items get stored, as I seem to always wonder, how I would be able to reverse them if I ever need to, or they cause unexpected issues later.(Not that I expect your actions will cause, but I just always like to get a general idea at least)

Sorry if I gave the wrong impression before but I am not a programmer, and although I have started learning very recently and want to learn it, I don’t have any experience, and am not able to understand it yet.
But hopefully I will be able to understand them soon?

And yes, I know. I hope me hoping to understand the code doesn’t undermine the amazing amazing work you’ve done.

Thank you for this. Hope to learn from it.

Glad to hear more experienced people take a similar approach.
Also very good point regarding the no-auto run.
I should definitely keep that in mind

Thank you! This really means a lot!

When you asked “what would you require to be comfortable being accountable in using it?”
I get what you mean, and honestly I probably don’t have a satisfactory answer.

I’m not hoping for a guarantee of zero bugs, or anything like that.
I guess if I were to try to put it into words, what I would make me comfortable is

  • If I were able to know every location the scripts in the actions can send data to(Calendar app, reminders app, bear, google drive, etc.).
  • If those locations are not some unknown servers or people
  • If the transmission of said data isn’t at a suspicious timing(e.g. sending data to google drive, when I am only trying to add notes to the reminders app)
  • The scripts are not trying to rewrite or manipulate files it has no business touching
    That would make me feel pretty comfortable with using applications.

I know, the code is out in the open, and I probably just need to learn it enough to be able to read it and understand if it meets the above for my self.
Or, your former approach, knowing how so many people trust you.

I’ve had so many questions, and the forum past forums, and the ones I’ve personally asked questions to, has helped so much.
I will take your comment to heart, and hopefully will be able to contribute to this forum my self one day.

So sorry this reply turned out so long.
Really can’t thank you enough, and appreciate your support.

Totally loving your app, and just an incredible community that you have created here.
Thank you.

The base intention was to provide people with something that allowed them to build their own actions using a library of pre-built code. That is TADpoLe (ThoughtAsylum Drafts Library).

However, the code library began as a way for me to reuse common code I was writing when I created actions. As I created more actions, I tried to create them in such a way as to be of generic use to others and as things grew, to create useful examples that could be cloned by others or simply show off some of the functionality of the library in a practical way. The result was the ThoughtAsylum Action Group (TAAG) - or back in the beginning, TAAGD … you can guess what the “D” stood for :wink:

In time, the group got so big that it was close to hitting a limit (if you search back through the forum, you can find a reference to this). As a result, I split the action group into several groups and continued to grow it. This is what I refer to as the ThoughtAsylum Action Group Suite (TAAGS).

I haven’t done much on it for a while. I will return to it as I have additional actions to incorporate, an entirely new action group that’s been sat in test for a l-ooooo-ng time, and maybe even a few library updates too. But, as it stands, there are seven action groups and they have over 600 actions within them.


The idea is that if you download the entire suite, chances are pretty good that if you want to do something generic, between that group and the standard groups, you’ll find an action that works.

You can then add actions into your own group that call these actions, so you can build your own straemlines action groups.

And yes, I do have an action that generates that table above.

Flat File

It is a file with no multi-layered data structure.

Settings FIle

A settings file (not “setting file”) is a file you store settings in that an aplication/script/Drafts action/etc. then uses. Changing the settings changes the behaviour. For example on your computer/phone you have settings. Settings that control which Wifi network to connect to. Settings that dtermine if you are muted, or how loud your device volume is.

TADpoLe Settings

To fully understand where the settings, you need to read and undestand the functions available in TadLibrary, a meta class for working with the TADpoLe library.

By default, the path to the settings file is initialised to be /Library/Scripts/tad.json, but this can be overridden by the user.

  • Wikipedia - JSON - background on JSON structured data (which can be held in a file - and is great for things like settings).

Now, the require() function is used to load libraries, and these are always located in the /Library/Scripts/ (or a sub-directory of it). It generally makes sense to keep the settings alongside the library, or at least I think for Drafts it does.

This /Library/Scripts/ file is found in iCloud Drive in the Drafts folder, which means the library and settings get synchronised across devices.

There is no core action that I’ve ever referred to, but there is a ThoughtAsylum Action Group, which contains actions that the other actions in the other ThoughtAsylum action groups rely on. Therefore I refer to that as “The Core” group to make it a little more identifiable.

There is an action in there that is called TAD. If you include the action TAD in an action using the include action step, this will make all the code in TADPoLe available to use by that action in subsequent steps. You could call this a “core action” I suppose, but there are other actionsI would also consider to be “core”, so I don’t think I’d ever intentionally refer to it as that. It has a name already that I think is unambiguous.

The TAD action effectively loads in the library. It also does loads of other stuff too, but you can ignore that for the next few months otherwise I guarantee you will get confused about what it is doing. Sufficed to say it delivers the library to your action. Most of the TAAGS actions include TAD and then do a few seemingly simple things to get stuff done - the complexity being wrapped up in the library, which is stored at Library/Scripts/tad.js.

For the URLs you did not understand, did you read the action description? Every action should have a description.

All the action descriptions are available on a single page to make them searchable too.

I’ve covered this in answering an earlier question with the require() function - /Library/Scripts/.

Do also check out the section on “Test Libraries” in this blog post.

TAD was designed to allow you to load in your own additional libraries too. I build most of my JavaScript functions for Drafts in a library called tad-test.js, but I have had multiple libraries that it would load in before. This allows me to extend TADpoLe before committing new code into the library.

I’m not sure what you’re referring to exactly with this statement on some difference in libraries between Mac and iOS (/iPadOS). There are many common libraries outside of Drafts, but as I hope you have picked up from the earlier answers, the libraries here are installed in the file system in an iCloud folder used by Drafts, and they are installed to a location in that structure that Drafts has been coded to check.

One thing you’ll find about me is I try and give detailed answers, so just be careful what you wish for :wink:

In terms of a JavaScript library, it is a text file. deleting the file is possible and you can also rename it. Then actions would cease to function that relied upon it.


The TAD action is actually built so that if there’s a new version available from what you have it will go out and grab it, so you might find it would reinstall - BUT ONLY if you ran an action that included TAD. It would NOT do it spontaneously.

To “know” every location, you would have to analyse an understand every action you use. There’s no harm in that, and it is certainly possible. But, from your current position, that is not something you would currently be able to do with 100% reliability. But, you should try as you will gain more insight as you practice doing it and looking to understand the things you don’t at first.

In terms of data transmission, then no action is going to run automatically unless you have put external automation in place to do so. But, if you want to understand where data is going when there is egress from your device, you need to look at independent tools to the app like Little Snitch, WireShark, etc.

In terms of malicious file manipulation, do remember Apple OSes have sandboxing protections, permissions, Drafts has versioning and backups, and hopefully you are using at least TimeMachine for Mac. These don’t guarantee you protection, but there are potentially hoops to jump through for a bad actor and paths to recovery.

I would say the reality is you may need to temper your comfort expectations to something a little more manageable for your current skill/knowledge level as to do some of those things well enough to trust yourself, there is quite a bit of upskilling and knowledge acquisition to undertake.

That’s not to dissuade you from aiming for that, or doing only some of the things to some level. I’m just trying to align your ideals to the reality and what may realistically be “good enough”. Everyone has their own comfort level and it is determined by you, but just make sure your goals are realistic and attainable.

Hopefully, that covers all of your queries, but if I missed any, let me know.

Sorry I took so long to respond

You said I need to read the documentation before I understand where the settings file is, but by default it is /Library/Scripts/tad.json right?
Or there is more to it than that?

So far my understanding is, that as long as I don’t go and try changing the locations for the settings file, all the files that your actions will automatically create (flat files, settings file, libraries) will all be located in
iCloudDrive(Some special directory name)/Drafts/Library/Scripts

In other words, if I need to reverse all the installs that happen automatically, I just need to remove the files in that folder? (Would also mean I can no longer use your actions)
Would that reverse all of the installations that are done by the actions?

Got it.

Sorry I probably paraphrased a little too much
Re-reading your instructions, I now see that you referred to a “core action group”, and “set-up action”

  1. ThoughtAsylum
    The core action group is this one. It contains the all importance set-up action as well as a number of information and helper actions utilised by other actions in other ThoughtAsylum action groups. You must install and run the set-up action for this action group to use any of the other action groups.

Thanks for the link
However, not sure if it talks about the urls in the actual actions
I will look into it, and see if I can understand them further

I see now that I am saying nonsense stuff here. Sorry please disregard this. I think I got mixed up with something else

I actually appreciate the information you give
It is really helpful
I do seem to take a lot of time to process it, and to actually write a reply though, so I apologize about that.

Here you say “JavaScript library”, but I assume the same is true for the flat files and settings files mentioned earlier? (similar to the question above)

These are all very good, important points.

I understand what you are saying here.
I think I am currently, unfortunately, at the point where my paranoia is greater than my skills.
This would be a great opportunity to learn them though
I think for now, I will mix learning, and adjusting my comfort level.

As per the details you quoted, yes that is the default, and no, there is more to it than that specifically because it is user overridable and by understanding the functions of that class, you’ll understand what the settings do, not simply where they happen to be by default.

Yes. If you don’t chaneg anything, all defaults will be in effect.

It will remove the files installed to and created in that folder…

… no. It means that next time you try to run one of those action it will put them back in place. So yes, the files added would be removed if you removed them, but running an action would put them back, because that’s part of what the TAD action does. It goes and looks for new versions and if you have no version, then it will look for the latest one availabel and get it.

Please note that other content may also be put in that file location. If you delete everything, it is always entirely possible you might be removing things that other actions rely on and implement in a different way.

You were saying that some of the actions use URLs that

The descriptions describe the actions. The actions utilise the URLs. You can’t always “describe” a URL, but you can always describe the overall functionality of the action.

If you have a specific example, then I could probably provide specific details on that if they happen to be missing in some way. But, in order to do that, you need to provide those details.

No, that would not be true in all cases; only some cases. If it was the settings file for example, a new file with default settings would simply be created. If it was a file containing meta-data for a draft, that would fail as that is not created by default when attempting to be read. Again, it comes down to the specifics.

That’s not a problem. There’s always a balance between security and convenience. Your position is simply a parallel to that. I actually don’t have a massive number of other people’s actions. I have the standard action groups and a selection from some of the more prominent members and the rest are all my own. I usually find rolling my own solution allows me to tailor it, and I only have myself to blame if it doesn’t work as I’d intended. But, there are some actions that others have created that I’ve taken a look through, and are so useful to me that I’ve chosen to keep them rather than roll my own just for the sake of it.

People can take a peek if they like...

The names of the groups are slightly different as I’ve tagged them with icons for the different people who created them.


But, there are lots of great actions out there that I don’t need, so I’m sure there are many, many others that other people simply couldn’t get by without.

However, given that clear position of currently irreconcilable doubt, I would say that you should remove any files for /Library/Scripts/tad* and delete the Thoughtasylum action groups. To get to the level of comfort you are seeking, being able to review and fully comprehend all of the code and actions (just as it is today) for these actions and the library, will probably take you many months of concerted effort.

Remember, you can always grab the latest tad.js file direct from the website and open it from your Downlaods folder into your favourite text file editor (not Drafts) without executing anything in Drafts. But, having the core action group in place sounds like it is something you would not be able to reconcile with your position at this time as you could inadevrtently run an action if it were similarly named to one you had created yourself.

Once you have understood the JavaScript in the library file, then install the action groups and review what they do. Not all at once, but start with the core group and work your way out.

By taking that approach, you should remain knowledgable and safe and be confident doing so.

Of course, in the meantime there’s still lots of fun and learning to be had…

There are many simpler actions and action groups you could learn about and take advantage of. My groups are generally quite large and not necessarily complex, but let’s say “quite involved”. Examining that scale and depth is something that you should save for later, but there’s palmost certainly even more stuff out there that really isn’t.

Consider exploring the standard action groups first, then extending to single, stand-alone actions in the directory that are of interest to you. This will allow you to build up your skills and understanding in a way that isn’t going to require as much up front investment of time.

I hope that makes sense and gives you a path you’ll be more comfortable with.