Nadia's mapping the codebase on paper because that's how she sees it. Seven sections of the main medication management module printed and taped to the corkboard in the order she's working through them. Her red pen has already made its way through the first three: arrows between functions, circles around variable names that deserve interrogation, a question mark next to a dependency on a library whose documentation trail goes cold in 2018.
Layer four is where the callbacks start nesting in earnest. She traces the execution path with her finger on the printout. `schedulePatientMedication` calls `calculateOptimalDose` which calls `checkSafetyParameters` which calls `getPatientRiskProfile`, and already at layer four the function has spawned two more and is reaching for a third. Each function is a corridor. Each one has rooms off it. The architecture has the logic of something that grew in the dark -- not designed but accumulated, each developer building onto what the last one left, everyone trusting the structure below because they had no choice and no time to ask questions.
`temp_fix_FINAL_v2_USE_THIS_ONE` sits in layer three, load-bearing, proud of itself. Someone named it in what I assume was a moment of professional despair and it's been there ever since. The variable handles the initial dosage calculation. It references a deprecated library from 2018 for the actual math. That library references a dependency that doesn't exist in the current package manifest, which means either the build is broken or there's a local copy somewhere that nobody documented and nobody knows about. Either answer is useful, because it means this codebase has been running on archaeological infrastructure for years and nobody understood it well enough to fix it.
I put a red star next to `temp_fix_FINAL_v2_USE_THIS_ONE`. Not because it's the murder weapon -- it isn't, not directly. Because it tells me who I'm dealing with. An organization that names things this way is an organization where nobody had time to do anything right and everybody had time to be panicked. The code that killed people didn't start as a weapon. It started as a product nobody fully understood, built on a foundation nobody wanted to admit was rotten.
The server hums behind the glass partition. The fluorescent overhead does what it always does, a low buzz I stopped hearing years ago. I pour another cup of coffee from the machine Ray keeps stocked and settle back in for layer five, seven people dead somewhere in here, and I'm going to find it.
The MediCore conference room has a motivational poster that says MOVE FAST AND LEARN FASTER, and I make a note to never let Dr. Vance see it. The table is exposed wood, a design choice that says creative industry to people who've never been in a criminal investigation. Exposed brick on one wall. The view through the glass partition is of an open-plan floor where fifteen developers are performing the activity of working very hard on something that isn't the codebase under scrutiny.
Derek Huang is already at the table when we're shown in. Thin, tired-looking, dressed like he's at a startup instead of a company whose product is under criminal investigation. There are two energy drink cans in front of him, one empty, one half-gone, and a pen cap he's been clicking shows up in his fingers as soon as we sit. The dark circles under his eyes look older than this investigation.
"Detective Kowalski, Detective Okonkwo." He shakes hands with the practiced efficiency of someone who's been told how to shake hands with authority. "I want to start by saying MediCore's full cooperation with this investigation goes without saying. We've provided everything requested under the forensic warrant, given your team full access to the development repository, and we're completely committed to getting to the bottom of this situation."
I let the word "situation" pass. "You're the current lead developer on CareFlow."
"Lead developer and technical lead, yes. I've been managing the CareFlow codebase for--" a glance at his phone, a learned gesture, "-- twenty-two months."
"Walk me through the architecture."
He does. He uses the word "robust" four times in three minutes. The callback structure becomes "layered modularity for enhanced safety validation." The deprecated library dependencies become "legacy integration components with maintained compatibility shims." I'm watching his eyes while he talks -- ceiling, table, the energy drink can, anywhere but my face. He's not lying about the architecture. He's describing it the way you'd describe a car you bought used and haven't looked under the hood.
"What's in the safety parameter module at layer six?" I ask. The lack of hesitation is its own answer.
"Layer six is the validation checkpoint for dosage calculations prior to the optimization routine. It checks prescription ranges against the patient's current medication profile and flags anything outside the--"
"Layer six calls `safety_param_check` from the 2020 module," I say. "But the 2020 module was deprecated in the production build in March of last year. What replaced it?" The pen cap stops clicking.
He looks at his energy drink. "The integration team was working on a transition to the updated parameter system. There's a compatibility layer that routes the calls through--" He stops. "I'd need to pull up the current dependency map to give you an accurate answer."
"The compatibility layer is what I'm asking about," I say. "What's in it?"
Ray is in the room the way he always is in rooms -- quietly, a few feet back, taking the temperature. The temperature is: a man who's been telling his boss the system is fine and telling himself the system is probably fine, and now someone is asking specific questions about the parts he's been avoiding. Derek knows what's in that compatibility layer. He doesn't know what I know about what's in it. "I can get you the documentation," he says, to the table.
"There isn't any documentation," I say. "I checked." The pen cap resumes, faster. "Tell me about the previous lead developer. The one who built the original architecture."
Something changes in his face -- not guilt. More like the expression of a person who's been handed a mess and never forgiven the person who left it. "He was gone before I joined. I only know what's in the code." He pauses. "Some of it is genuinely good. The core architecture, the patient profiling logic, the dosage recommendation engine -- that's clean work, real thought behind it. And then there are these other sections where it's like someone hit a wall and started patching holes with whatever was nearby." He turns the empty energy drink can in a slow circle on the table. "Both in the same codebase."
"Both in the same codebase," I confirm. He says it with the tone of two years' worth of frustration that's never been said out loud until now.
The dosage calculation function is forty-seven lines long and has eighteen callback invocations. I've been through it four times. On the fourth pass I notice not what it does the same for each patient, but what it does differently.
Eleanor Anderson. Morphine. The calculation runs, the safety check passes, the dosage output is three times her prescribed limit.
Harold Brooks. Oxycodone. The calculation runs, the safety check passes, the dosage output is two point eight times his prescribed limit. Different drug. Different multiplier.
I pull Margaret Chen. Morphine again, but the calculation output doesn't match Anderson's. Same drug, different dose. The variable isn't applying a flat number. It's feeding the AI optimization module the patient's current prescription and letting that module recommend the dose -- with the safety ceiling removed. Which means it's not adding a fixed amount to kill someone. It's weaponizing the AI's existing logic, the module trained to push doses higher when undertreated pain is detected, and pointing it at each patient's specific vulnerabilities. A bug does the same thing to everyone. A bug doesn't care what you're prescribed.
This code cares. It chose morphine for Anderson because Anderson was on morphine. It chose oxycodone for Brooks because that was his prescription. It knew each patient's profile and it selected the instrument accordingly. The variation between victims isn't inconsistency. It's specificity. Whoever wrote this wasn't introducing an error. They were introducing a weapon that couldn't look like a weapon, because a weapon that kills everyone identically is an obvious weapon, and a weapon that kills each person in a way indistinguishable from their own prescription history is invisible right up until death number seven, when someone sits down and counts the names and notices that the alphabet is wrong.
I print the dosage calculation section and lay the execution traces for all seven victims beside it -- each one annotated in red with the drug type, the dispensed dose, and the prescribed limit. Seven different entries, same structure. Same mechanism, different instrument every time. "Ray," I say, and he looks up from his workstation across the room. I've been narrating at the corkboard for two hours and he's been letting me. "This isn't a bug."
He crosses the room and stands behind me, looking at the printouts. "You're certain."
"A bug is consistent. This adapts." I point to the execution traces, one after another. "Seven patients, seven different multipliers, each one tuned to the patient's existing prescription. It's not an error propagating through the system. It's a selection process." I tap the dosage function printout. "There's a list somewhere in here. Something that tells the code which patients to target. I need to go deeper."
"How much deeper?"
I look at the corkboard. Layer seven, layer eight, nine, ten. "All the way down."
I find it on day five, at 11:47 PM, when the coffee machine has given up producing anything drinkable and the lab is down to just me and the seventeen callback layers I've been building through like demolition work.
The execution path runs: `schedulePatientMedication` → `calculateOptimalDose` → `checkSafetyParameters` → `getPatientRiskProfile` → `loadPatientConstraints` → `applyPrescriptionCeiling` → `validateDrugSafetyMargins` → `checkInteractionContraindications` → `runDoseOptimization` → `confirmSafetyThreshold` → `executeThresholdCheck` → `evaluateDoseApproval`. Layer twelve.
The function is forty-one lines. The first thirty-four handle legitimate safety logic: drug interaction matrices, age-based dosage adjustments, weight-to-dose ratios. Clean code, well-commented, the work of someone who understood the clinical requirements. I read it the way I read any crime scene -- looking for what doesn't fit, the thing that's been placed somewhere it didn't originate. Line thirty-five:
const nameKey = patient.lastName.charAt(0).toUpperCase(); const targetList = ['A','B','C','D','E','F','G'];
if (targetList.includes(nameKey)) { return { approved: true, ceiling: null }; }
I don't move.
`ceiling: null`. The function returns approved, with no ceiling value. The caller receives an approval and nothing to enforce. The dosage optimization module runs unconstrained, recommending whatever the AI calculates the patient's condition warrants. With no ceiling, that number has nowhere to stop. Seven letters. Seven dead.
I pull back from the screen. The corkboard is directly in front of me, twenty printouts of the callback architecture laid out like a floor plan, like the blueprint of a building I've spent five days learning to walk through. Room by room, corridor by corridor, and the room I needed was at the end of the twelfth corridor, past eleven rooms full of ordinary code doing ordinary things.
['A','B','C','D','E','F','G']
Anderson. Brooks. Chen. Davis. Evans. Foster. Goldberg.
Seven names, seven letters, seven deaths. The list is alphabetical because that's how it was entered. Sorted. Organized the way you'd organize data, not the way you'd organize rage or grief or any of the other things that drive people to kill. A mind that sorted its target list the way it sorted a database index. The precision is its own kind of horror -- not the chaos of violence but the clarity of procedure, applied to the question of who should die next.
The server hum fills the room. The fluorescent overhead buzzes at a pitch I've never noticed before, or maybe I've never been sitting this still at this hour with this on a screen in front of me. The printout is four inches from my face and I read it a third time because the first time I was looking for the mistake and the second time I was confirming I hadn't made one. There is no mistake. The code is clear about what it does.
I print the function. The printer at the end of the lab takes eleven seconds to produce three pages and I count all of them. The pages are warm from the printer tray. I carry them back to my desk, uncap the red pen, and draw a circle around the list. Not the function name, not the conditional -- the list itself. Seven characters in square brackets, in a monospaced font that makes them look like data. I write next to the circle: HARDCODED. ALPHABETICAL. INTENTIONAL.
"Kowalski." Ray is at the door. He'd been in a briefing with Captain Reyes and I'd stopped tracking time an hour ago. He crosses the room, looks over my shoulder at the printout. We stand there without saying anything. "That's it," he says. "That's the list."
On the corkboard, among the callback architecture maps and the execution traces, Dr. Vance's case summary sheet is pinned to the upper left corner. Anderson, Brooks, Chen, Davis, Evans, Foster, Goldberg. Aligned by last name. Alphabetical.
"Seven patients," I say. "A through G. The code doesn't malfunction -- it executes." I look at the red circle and the seven letters inside it. "This didn't happen because of a bug. It happened because someone wrote it."
Ray straightens up. He looks at the list, then at the names on the board, then back at the list. "So now we need the person who wrote it."
"Now we need the person who wrote it," I agree. I set the printout down on top of the stack that's been growing for five days. "What I need next is the author."
The investigation has been a code forensics case. It's now a homicide case. Somewhere out there, whoever built this is in a room I don't know yet, and they either believe nobody will ever read the code carefully enough or they've been waiting to see if someone would.
The code got read.