visitor@0x.run: ~/session

visitor@0x.run:~$ ./whoami --verbose

// independent engineering field notes

Build systems that hold up.

Clear, unglamorous explanations of the infrastructure, protocols, and design decisions behind software that has to survive production.

$ cat focus.txt

  • 01 reliable systems & failure modes [ops]
  • 02 databases & data integrity [data]
  • 03 protocols & the web [net]
  • 04 security & operations [sec]

70 field notes 0 paywalls useful details always learning

$ ls -lt ~/field-notes

# the archive

70 notes indexed sort: newest first

Zero-Downtime Deployments: Rolling, Blue-Green, and Canary6m

Rolling updates are efficient, blue-green makes switching and rollback simple, and canaries limit the blast radius with real traffic. Every strategy still needs readiness checks, graceful draining, backward-compatible data changes, capacity headroom, and automated rollback signals.

How Containers Actually Work: Namespaces, cgroups, and Layers6m

Containers share the host kernel. Namespaces change what processes can see, cgroups limit and measure resources, capabilities and seccomp reduce privileges, and overlay filesystems assemble image layers. Images are immutable inputs; the writable container layer is disposable.

Backpressure: How Fast Systems Avoid Drowning in Work5m

Every queue must be bounded. When downstream work is saturated, slow producers, limit concurrency, reject excess requests, or shed low-priority work. Measure queue depth and age; scaling helps only when the true bottleneck can accept more throughput.

Secrets Management Beyond .env Files6m

Store secrets in a dedicated manager, authorize workloads by identity, prefer short-lived credentials, cache them only briefly, and design dual-key rotation. Encryption at rest does not fix broad access, leaked logs, or credentials that never expire.

Distributed Tracing with OpenTelemetry: Finding the Slow Service5m

A trace is a tree of timed spans joined by propagated context. Auto-instrument common libraries, add manual spans around domain operations, record low-cardinality attributes, and preserve trace IDs in logs and queues. Sampling controls cost but must retain errors and slow traces.

Consistent Hashing: Scaling Caches Without Remapping Every Key6m

Modulo hashing couples every key to the server count. Consistent hashing places keys and many virtual node tokens on a ring, so adding or removing a server moves only nearby ranges. Use replicas for availability and monitor real load because even balanced key counts can hide hot keys.

Health Checks Done Right: Liveness, Readiness, and Startup5m

Liveness answers whether a restart can help. Readiness answers whether this instance should receive traffic. Startup protects slow initialization. Keep liveness shallow, make readiness reflect essential local capability, secure detailed diagnostics, and test failure behavior.

B-Trees vs LSM Trees: How Databases Choose Between Reads and Writes6m

B-trees keep sorted pages and are strong for point reads and range scans. LSM trees buffer writes, flush immutable sorted files, and compact them later, favoring heavy write workloads. Neither is universally faster; workload, cache, compaction, and durability settings decide.

API Timeouts: Deadlines, Cancellation, and Why Defaults Fail5m

Set explicit connect, response-header, body, and overall deadlines. Give downstream calls less time than the caller has left, propagate cancellation, and stop work after clients disconnect. A retry must fit inside the original request budget.

Database Deadlocks: Why They Happen and How to Stop Them6m

Deadlocks happen when transactions acquire the same locks in different orders. The database aborts one transaction to break the cycle. Keep transactions short, lock rows in a consistent order, index updates correctly, and retry the entire aborted transaction with a limit.

Docker Networking: Bridge, Host, Ports, and Container DNS5m

On a user-defined bridge, containers reach each other by service name and container port. Published ports expose a container through the host. Bind databases to 127.0.0.1 when only the host needs access, avoid hardcoded container IPs, and debug from both sides of the network boundary.

Linux Signals: What SIGTERM, SIGKILL, and SIGHUP Actually Do5m

SIGTERM asks a process to stop and can be handled; SIGKILL stops it immediately and cannot. SIGINT comes from Ctrl-C, SIGHUP often triggers reload, and SIGCHLD reports child changes. Handle shutdown signals, forward them to children, and reserve kill -9 for stuck processes.

HTTP Compression: gzip, Brotli, and the Bytes You Shouldn't Compress5m

Compress HTML, CSS, JavaScript, JSON, SVG, and other text. Skip tiny responses and formats already compressed. Prefer Brotli for static assets, keep gzip as a fallback, send Vary: Accept-Encoding, and never mix secrets with attacker-controlled text in compressed responses.

Database Connection Pooling: The Settings That Actually Matter5m

Reuse database connections instead of opening one per request. Keep pools bounded, set acquisition and query timeouts, release clients in finally blocks, and size the total across every app instance—not per process in isolation.

File Uploads Done Right6m

Upload directly to object storage (S3/R2) using presigned URLs—don't route files through your server. Validate type by magic bytes, not extension. Enforce size limits at the load balancer. Process async.

How Git Actually Works Internally6m

Git stores everything as objects (blobs, trees, commits, tags) identified by SHA-1 hash. Branches are just files containing a commit hash. Merges combine DAG nodes. Once you see the object model, git becomes predictable.

Writing CLI Tools in Go6m

Go makes great CLIs: single binary, fast startup, easy cross-compile. Use cobra or flag package for arguments, os.Exit for error codes, and goroutines for parallelism. Structure for testability from the start.

How TLS and HTTPS Actually Work6m

TLS authenticates the server via certificates signed by a trusted CA, then uses asymmetric crypto to establish a shared symmetric key, then encrypts all traffic with that key. The handshake takes one round trip in TLS 1.3.

SSH Tips Every Developer Should Know5m

SSH config files eliminate repetitive flags. Jump hosts chain connections through bastions. Port forwarding tunnels any TCP traffic. Use Ed25519 keys. Set ControlMaster for connection reuse.

Bloom Filters: Fast Membership Testing With Zero False Negatives5m

A bloom filter uses multiple hash functions and a bit array to test set membership. False positives are possible; false negatives are not. Use them when you need fast 'definitely not in set' checks at massive scale.

TCP vs UDP: When to Actually Use Each5m

TCP guarantees delivery and order at the cost of latency. UDP is fast and lossy—use it when you control retries or can tolerate loss. Most apps use TCP. Games, video, DNS use UDP.

How DNS Actually Works5m

DNS is a distributed hierarchy of servers. Your OS checks cache, then asks a resolver, which walks the tree from root → TLD → authoritative server. TTL controls caching. Understanding this saves hours of debugging.

OAuth 2.0 Explained Without the Jargon6m

OAuth 2.0 lets users grant apps access to their data without sharing passwords. Use Authorization Code flow for web apps, PKCE for SPAs and mobile, Client Credentials for server-to-server. Never store tokens in localStorage.

Zero-Downtime Database Migrations6m

Zero-downtime migrations use backward-compatible steps. Add columns nullable first. Deploy code that handles both schemas. Backfill data in batches. Add constraints. Never rename or drop in one step—use expand and contract.

Feature Flags: Ship Code Without Breaking Things6m

Feature flags are runtime toggles that control what code runs. Use them for gradual rollouts, A/B tests, kill switches, and beta access. Store in Redis or database, not config files. Kill switches save production incidents.

The JavaScript Event Loop Isn't Magic6m

JavaScript runs on a single thread with an event loop. Synchronous code runs to completion. Async callbacks wait in queues. Microtasks (Promises) run before macrotasks (setTimeout). Blocking the call stack freezes everything.

Postgres Full-Text Search: Skip Elasticsearch for Most Apps5m

PostgreSQL full-text search uses tsvector and tsquery. Index with GIN indexes. Use ts_rank for relevance, websearch_to_tsquery for user input, and pg_trgm for fuzzy matching. Handles millions of records well with no extra infrastructure.

HTTP Caching Headers: Cache-Control Explained5m

Cache-Control headers tell browsers and CDNs how long to store responses. Use max-age for static assets, no-cache for HTML, private for user data, immutable for versioned files. ETags enable conditional requests that skip downloading unchanged content.

Webhooks: How to Build Reliable Event Delivery5m

Webhooks are HTTP POST requests triggered by events. Verify signatures to prevent spoofing. Return 200 immediately, process async. Retry with exponential backoff. Store delivery logs. Use queues for reliability.

ACID Transactions: What They Actually Mean in Practice7m

ACID guarantees that database operations are Atomic (all or nothing), Consistent (rules enforced), Isolated (concurrent transactions don't interfere), and Durable (committed data survives crashes). Without transactions, concurrent writes corrupt data.

Graceful Shutdown: Why Your App Crashes on Deploy6m

Graceful shutdown drains in-flight requests before stopping. Catch SIGTERM, stop accepting new connections, wait for active requests to finish, then exit. Without it, every deploy drops requests and breaks transactions.

WebSockets in Production: Handling Disconnects and Scaling10m

WebSockets enable real-time bidirectional communication. Handle reconnection with exponential backoff. Use heartbeats to detect dead connections. Scale with Redis pub/sub. Store connection state. Close connections properly.

Docker Multi-Stage Builds: From 1.2GB to 100MB9m

Multi-stage builds use multiple FROM statements. Build stage has compilers and tools. Final stage has only runtime dependencies. Result: 10x smaller images, faster deploys, fewer vulnerabilities. Copy artifacts between stages.

Debouncing vs Throttling: When to Use Each9m

Debouncing waits until user stops (search input). Throttling limits rate (scroll handler). Debounce = last call wins. Throttle = regular intervals. Use debounce for user input, throttle for continuous events.

Regular Expressions: The 10 Patterns You Actually Use9m

Learn 10 regex patterns: email, URL, phone, credit card, password strength, whitespace, special chars, numbers, dates, and file extensions. Test on regex101.com. Use named groups. Avoid catastrophic backtracking.

Date and Time: Common Pitfalls and How to Fix Them9m

Always store dates in UTC. Display in user's timezone. Never use new Date() for parsing. Avoid date math with native Date. Use date-fns or Luxon. ISO 8601 for serialization. Timezones are hard - libraries handle them.

Retrying Failed Requests: Exponential Backoff Explained11m

Retry failed requests with increasing delays: 1s, 2s, 4s, 8s. Add jitter to prevent thundering herd. Stop after max retries. Exponential backoff handles transient failures and rate limits gracefully.

Building a Simple In-Memory Cache with TTL11m

Cache = store expensive results in memory. Add TTL to expire old data. Use LRU to limit memory. Check cache before expensive operations. 10x-100x speed improvement for repeated data.

Message Queues: RabbitMQ vs Redis vs SQS13m

Use RabbitMQ for complex routing and guaranteed delivery. Use Redis for simple, fast queues. Use SQS for managed, scalable queues on AWS. All handle async tasks - choose based on complexity, scale, and infrastructure.

Load Testing: Finding Your Breaking Point Before Users Do11m

Load test before launch. Use k6 or Artillery to simulate traffic. Test realistic scenarios, not just homepage. Find your breaking point. Monitor CPU, memory, database connections. Fix bottlenecks before users find them.

XSS Attacks Explained: How to Prevent Cross-Site Scripting12m

XSS happens when user input is rendered as HTML/JavaScript. Escape all output. Use textContent not innerHTML. Sanitize HTML with DOMPurify. Enable Content Security Policy. React/Vue escape by default - don't use dangerouslySetInnerHTML.

SQL Injection: How It Happens and How to Prevent It13m

SQL injection happens when user input goes directly into SQL queries. Never concatenate user input into SQL. Use parameterized queries, prepared statements, or ORMs. Validate input. Escape output. Test with SQLMap.

Image Optimization: CDN, Lazy Loading, and Modern Formats12m

Use WebP/AVIF for 30-50% smaller files. Lazy load images below the fold. Serve responsive images with srcset. Use a CDN for fast delivery. Compress before upload. Modern formats + lazy loading = 70% faster loads.

The N+1 Query Problem: How to Detect and Fix It14m

N+1 queries happen when you fetch records in a loop - 1 query becomes 1000. Detect with query logging and APM tools. Fix with eager loading, joins, or batching. 100x performance improvement is common.

Logging in Production: What to Log, What to Skip12m

Use structured logging with levels. Log requests, errors, and key events - not sensitive data or debug spam. JSON format for aggregation. Keep performance impact under 5%. Fix log leaks before they become breaches.

Environment Variables: Stop Hardcoding Configuration10m

Never commit secrets to Git. Use .env files locally, environment variables in production. Validate config on startup. Use dotenv for Node.js, never hardcode credentials.

REST API Error Handling: The Right Way13m

Use proper HTTP status codes. Return consistent error format with code, message, and details. Log errors server-side. Never expose stack traces to clients.

API Versioning: URL vs Header vs Query Parameter12m

URL versioning (/v1/users) is simplest and most discoverable. Header versioning is cleaner but harder to use. Start with URL versioning, only use headers if you have a strong reason.

Pagination: Offset vs Cursor Explained with Benchmarks13m

Offset pagination is simple but slow on large datasets. Cursor pagination is fast and consistent. Use offset for small datasets, cursor for anything over 100k rows.

JWT vs Sessions: When to Use Each for Authentication13m

Sessions are simpler and more secure for traditional web apps. JWTs work better for APIs and microservices. Sessions require server state, JWTs don't. Pick based on your architecture, not hype.

Background Jobs and Queues: Stop Blocking Your API11m

Never block API responses with slow operations. Use job queues for emails, image processing, reports. Bull with Redis is simple and reliable. Process jobs in workers, not request handlers.

Caching Strategies: When to Use Redis, CDN, or In-Memory12m

Caching makes apps fast. Use in-memory for single servers, Redis for distributed systems, CDN for static assets. Implement cache-aside for most use cases, write-through for consistency.

Rate Limiting Algorithms Explained with Code14m

Rate limiting prevents API abuse. Token bucket is most flexible, fixed window is simplest, sliding window is most accurate. Implement in-memory for single servers, Redis for distributed systems.

Git Worktree: Work on Multiple Branches Simultaneously10m

Git worktree creates multiple working directories from one repository. Check out different branches side-by-side without stashing. Faster than multiple clones, cleaner than branch switching.

Database Indexes Explained: The Only Guide You Need14m

Indexes make queries fast by avoiding full table scans. But too many indexes slow down writes. Use EXPLAIN to identify slow queries, add indexes on WHERE/JOIN columns, and avoid indexing everything.

SQLite for Production: Not Just a Development Database11m

SQLite can handle 100k+ requests/second and terabytes of data. For read-heavy apps, single-server deployments, and edge computing, it's simpler and faster than Postgres. Know when to use it.

What Goes Around Comes Around: Why Database History Keeps Repeating8m

Every few years, a new database paradigm claims it will kill SQL and relational databases. But they always end up adding SQL interfaces and relational features. History keeps repeating itself.

Server-Sent Events: The WebSocket Alternative Nobody Uses10m

SSE is simpler than WebSockets for one-way server-to-client updates. Built into browsers, works over HTTP, automatic reconnection. Use WebSockets only when you need bidirectional communication.

Your Startup Doesn't Need Microservices10m

Microservices add operational complexity that small teams can't afford. Monoliths are faster to build, easier to debug, and simpler to deploy. Split services when you have a reason, not because it's trendy.

Why I Write SQL Instead of Using ORMs10m

ORMs hide complexity that eventually bites you. Raw SQL is explicit, performant, and easier to debug. Use ORMs for CRUD, write SQL for anything complex.

Building a Tiny URL Shortener in 30 Lines of Go6m

Build a complete URL shortener in 30 lines of Go using only stdlib. Generates short codes, handles redirects, stores in memory - perfect learning project.

Why Minimalist Tools Win: Lessons from Unix Philosophy5m

Unix philosophy teaches us that simple, focused tools that do one thing well often outlast complex alternatives. Modern examples like grep, git, and curl prove this approach still works.

UUID v7: The New UUID That Actually Makes Sense7m

UUID v7 puts timestamps at the beginning, making database indexes happy. I saw 3x better insert performance and 50% smaller indexes after migrating. Here's how and when to switch.

CORS Errors: Every Fix That Actually Works8m

CORS errors are never quite the same. Here's every fix I've used in production, why each error happens, and actual code you can copy-paste for your specific situation.

Why I Stopped Using Frameworks for Everything8m

Frameworks solve real problems but add complexity. Use them when they solve problems you actually have, not because they're trendy. Sometimes vanilla code is faster to write and maintain.

From JSON to MsgPack: Why Binary Formats Matter6m

Binary formats like MsgPack are 20-50% smaller than JSON and much faster to parse. Use for high-performance APIs, mobile apps, and data storage.

Why Rust Is Eating the World (and Where It Won't)7m

Rust excels in systems programming, WebAssembly, and infrastructure tools, but struggles with rapid prototyping, data science, and mobile development.

WebAssembly in 2025: How to Run Code Directly in the Browser6m

WebAssembly lets you run compiled languages like C, Rust, and Go in browsers at near-native speed. Perfect for performance-critical apps, games, and computational tasks.

15 Essential Linux One-Liners for Developers6m

Master these 15 Linux command combinations to handle logs, find files, process data, and monitor systems like a pro. Copy-paste ready with explanations.

What Does "0x" Mean in Programming, Crypto, and Everyday Tech?4m

0x is the universal prefix for hexadecimal numbers — a compact, human-friendly way to represent binary values used in code, memory addresses, crypto wallets, and even CSS color codes.