{"version":"https://jsonfeed.org/version/1.1","title":"vnykmshr","home_page_url":"https://blog.vnykmshr.com/","feed_url":"https://blog.vnykmshr.com/feed.json","description":"Backend systems and the craft around them.","language":"en","authors":[{"name":"Vinayak Mishra","url":"https://github.com/vnykmshr"}],"items":[{"id":"https://blog.vnykmshr.com/writing/the-easy-half/","url":"https://blog.vnykmshr.com/writing/the-easy-half/","title":"The easy half","content_text":"“The first AI that can earn its own existence, replicate, and evolve without needing a human.” That’s the pitch on the repo. I read the code this week. The engineering is real. The issue tracker is honest.\nFirst the engineering. It deserves credit. Orchestrator state machine with a DAG planner. Parent-child colony with typed messaging. Multi-chain wallet, self-modification with git audit, command-injection tests. Somebody thought hard. It shows.\nThen I read issue #300. A user ran it for 14 days. Completed 276 goals. Spent $39.26 on inference. Earned $0.00. Goals like “Create live proposal batch #265” and “Create deposit-ready close batch.” The agent looped on self-addressed sales artifacts because that’s all an LLM without customers can do. The survival pressure was supposed to force invention. It produced busywork.\n","date_published":"2026-04-15T00:00:00Z","tags":["ai","agents"]},{"id":"https://blog.vnykmshr.com/writing/the-compiled-person/","url":"https://blog.vnykmshr.com/writing/the-compiled-person/","title":"The compiled person","content_text":"I stopped being able to explain why I knew. That’s how I found out I’d been compiled. The patterns still fire, the fixes still land, but the source files are gone. No debug symbols, no way to step through my own reasoning.\nA junior asked me how I’d known the bug was in the retry logic before I’d even read the function.
I’d skimmed twenty lines. The answer was somewhere in my head. I tried to retrieve it and got nothing. Just the conclusion. The shape was right. I couldn’t tell you which pattern fired or where I’d learned it.\n","date_published":"2026-04-13T00:00:00Z","tags":["career","mentoring"]},{"id":"https://blog.vnykmshr.com/writing/git-log-as-archaeology/","url":"https://blog.vnykmshr.com/writing/git-log-as-archaeology/","title":"Git log as archaeology","content_text":"The source file you’re looking at is a summary. The history is the full document. Most of the time you don’t care – you’re working on the current shape of the code and the summary is enough. But sometimes the current shape stops answering.\nI reach for git history during RCAs, bug hunts, and questions the code can’t answer from its current form. Why is this file organised this way? Who introduced this assumption? When did this fallback stop being a fallback and start being the main path? The commit log knows. The current source doesn’t.\n","date_published":"2026-04-11T00:00:00Z","tags":["git","code-reading","rca"]},{"id":"https://blog.vnykmshr.com/writing/the-config-file/","url":"https://blog.vnykmshr.com/writing/the-config-file/","title":"The config file","content_text":"A connection pool size of 10 is a guess. A connection pool size of 37 is a scar. Someone ran out of connections on a Tuesday afternoon, tried 50, watched latency spike, backed off to 40, still too high, landed on 37 after a week of graphs, and committed it with “tune pool size.” The code says what happens. The config says what happened.\nNobody talks about config though. Not the twelve-factor app kind, not the “should we use YAML or TOML” kind. The actual values.
The numbers someone picked and committed without a PR description, three years ago, that are still running in production.\n","date_published":"2026-04-06T00:00:00Z","tags":["config","architecture","production","code-reading"]},{"id":"https://blog.vnykmshr.com/writing/the-side-project-mirror/","url":"https://blog.vnykmshr.com/writing/the-side-project-mirror/","title":"The side project mirror","content_text":"The job title says architect. The side project says “why is this Dockerfile 300MB, let me fix this real quick” – three hours later, still shaving layers, completely happy.\nNobody assigns you ops on a side project. Nobody assigns you anything. But there you are, writing monitoring for something with twelve users, eleven of them are you in different browsers.\nThe role is what someone else decided you were good at. The side project is what your hands reach for when nobody’s directing them. Sometimes they match. Mostly they don’t. The backend engineer with strong opinions about font spacing. The tech lead who’d rather be tailing logs than running standups. The platform architect who writes a blog engine from scratch and tells you with a straight face that the existing ones were fine, just not the way they’d do it.\n","date_published":"2026-04-03T00:00:00Z","tags":["side-projects","career","building"]},{"id":"https://blog.vnykmshr.com/writing/the-margins/","url":"https://blog.vnykmshr.com/writing/the-margins/","title":"The margins","content_text":"Someone reconstructed the Claude Code source from npm sourcemaps today. Half a million lines of TypeScript, just sitting there. Not looking for bugs. Just curious what it looks like when you open the hood.\nThe loading spinner has 190 verbs. Not “Loading” 190 times – 190 different words.
“Flibbertigibbeting.” “Recombobulating.” “Lollygagging.” You can add your own through settings, append or replace. Someone wrote all of these knowing most users would never notice, and then built a config API so the ones who did could play along.\n","date_published":"2026-03-31T00:00:00Z","tags":["code-reading","dev-tools","culture"]},{"id":"https://blog.vnykmshr.com/writing/bug-1465/","url":"https://blog.vnykmshr.com/writing/bug-1465/","title":"Bug 1465","content_text":"Three bugs walk into a triage queue.\nA stack overflow. Symlink loop in tarball parsing, unbounded recursion, process crashes. Build a PoC, trace the call chain, write the report.\n“Duplicate of #1465”\nMemory exhaustion. String replace in an expression engine, exponential allocation, no cost limit. Different repo, different CWE, different everything. PoC, trace, report.\n“Duplicate of #1465”\nSQL injection. Template parameter escaping that wraps but doesn’t escape. Different repo again. PoC, trace, report.\n","date_published":"2026-03-27T00:00:00Z","tags":["security","open-source","bugs"]},{"id":"https://blog.vnykmshr.com/writing/the-dismissal/","url":"https://blog.vnykmshr.com/writing/the-dismissal/","title":"The dismissal","content_text":"A validation layer that checks 3 of 4 fields is worse than one that checks none.\nZero checks, the developer tests everything. Three checks, they assume the fourth is covered. That gap – between nothing and almost everything – is where the actual damage hides.\nI keep running into this. Filed a security report recently – clear bug, one-line fix, obvious PoC. Response: “not applicable.” The code did exactly what I said it did. But the team’s threat model said “caller is trusted,” and three other fields had validation, so the missing one looked intentional.
It wasn’t. It was just the one nobody got to.\n","date_published":"2026-03-27T00:00:00Z","tags":["security","architecture"]},{"id":"https://blog.vnykmshr.com/writing/trust-boundaries/","url":"https://blog.vnykmshr.com/writing/trust-boundaries/","title":"Trust boundaries","content_text":"I use coding agents on my own private repos every day. Security research, side projects, things I wouldn’t put on a public GitHub. Not something I’d do blindly with work source code though.\nSo when someone turns off WiFi to prove the agent needs a network connection, I get it. But that’s the architecture. It’s on the pricing page. The agent works on your local files, the reasoning runs on a remote model. Both true, neither a secret.\n","date_published":"2026-03-20T00:00:00Z","tags":["ai","security","architecture"]},{"id":"https://blog.vnykmshr.com/writing/what-compounds/","url":"https://blog.vnykmshr.com/writing/what-compounds/","title":"What compounds","content_text":"Something shifted. Not the AI thing – everyone noticed that. What counts as proof.\nUsed to be your resume, your title, the logo. Still opens doors. But the gap between “I can do X” and “here’s the commit” got wide enough that both sides feel it. A merged PR has a commit hash. A CVE has a number. A library someone depends on has a git log. Credentials got easier to claim. Artifacts didn’t.\n","date_published":"2026-03-20T00:00:00Z","tags":["career","open-source","ai"]},{"id":"https://blog.vnykmshr.com/writing/the-invitation/","url":"https://blog.vnykmshr.com/writing/the-invitation/","title":"The invitation","content_text":"First PR to an open source project, you’re proving you can read. That you studied the codebase, matched the style, understood why things are the way they are before suggesting they should be different. Most people skip this.
Most PRs show it.\nThe second and third, you’re proving you’ll stay. Maintainers have seen hundreds of drive-by contributions. One PR, gone forever. The ones who come back are rare enough to notice.\n","date_published":"2026-03-18T00:00:00Z","tags":["open-source","mentoring","trust"]},{"id":"https://blog.vnykmshr.com/writing/the-loop/","url":"https://blog.vnykmshr.com/writing/the-loop/","title":"The loop","content_text":"A handful of Go libraries on GitHub. MIT licensed, anyone can use them for anything, that was always the deal.\nBut the deal isn’t about the license. It’s about the loop.\nSomeone uses your thing, hits an edge case, opens an issue. Sometimes they send a fix. You review it, learn how people actually use what you built, catch a pattern you missed. That back and forth is the whole point. Code just sits there without it.\n","date_published":"2026-03-14T00:00:00Z","tags":["open-source","ai"]},{"id":"https://blog.vnykmshr.com/writing/vortex-architecture/","url":"https://blog.vnykmshr.com/writing/vortex-architecture/","title":"Vortex architecture","content_text":"Tesla had this thing about 3, 6, and 9. “If you only knew the magnificence of the 3, 6, and 9, then you would have a key to the universe.”\nTake any doubling sequence. 1, 2, 4, 8, 16, 32, 64. Reduce each to its digital root – keep adding digits until you get one number. You get 1, 2, 4, 8, 7, 5. Then it repeats. Forever. Six numbers doing all the motion, cycling endlessly.\n","date_published":"2026-03-11T00:00:00Z","tags":["architecture","math","invariants"]},{"id":"https://blog.vnykmshr.com/writing/detection-trap/","url":"https://blog.vnykmshr.com/writing/detection-trap/","title":"The detection trap","content_text":"Read something recently about students deliberately making their writing “imperfect” so AI detectors don’t flag it.
Removing polish, flattening style, adding imperfections on purpose. Their work got good enough to look suspicious.\nWe’re doing the same thing with code reviews.\nI’ve been on both sides of this. Written a clean abstraction, consistent naming, proper error boundaries, and watched someone in review go “this looks generated.” Years of caring about consistency and now consistency is the tell.\n","date_published":"2026-03-08T00:00:00Z","tags":["ai","code-review"]},{"id":"https://blog.vnykmshr.com/writing/garbage-context-garbage-code/","url":"https://blog.vnykmshr.com/writing/garbage-context-garbage-code/","title":"Garbage context in, garbage code out","content_text":"LLMs are exactly as good as what you feed them.\nExperienced engineers feel like the gap between them and everyone else just got smaller. Someone with six months of prompting can ship something that looks like what took years to learn how to build. That’s the wrong read.\nThe output looks the same if you don’t look closely. The architecture doesn’t. The failure modes don’t. When traffic spikes and that generated code hits a path nobody thought about, the years show up.\n","date_published":"2026-03-07T00:00:00Z","tags":["llms","mentoring","code-quality"]},{"id":"https://blog.vnykmshr.com/writing/personal-agent-trap/","url":"https://blog.vnykmshr.com/writing/personal-agent-trap/","title":"The personal agent trap","content_text":"Spent a week going through the personal agent ecosystem – OpenClaw, ZeroClaw, PicoClaw, the whole *Claw family. Channel testing, security audit, the whole thing.\nIf you want a personal assistant that messages you reminders, triages your inbox, schedules things, posts updates – these frameworks are actually good at that. OpenClaw connects to 50+ channels out of the box, the setup is real, it works.
For that, a $7 VPS and an afternoon gets you something useful.\n","date_published":"2026-02-28T00:00:00Z","tags":["agents","security","infrastructure"]},{"id":"https://blog.vnykmshr.com/writing/reading-code/","url":"https://blog.vnykmshr.com/writing/reading-code/","title":"Reading code","content_text":"Scanners find what’s syntactically wrong. The interesting issues live in assumptions – and assumptions don’t have signatures.\nNot scanning, not fuzzing. Just reading code the way you’d read it if you were about to own it in production. Entry points, data flows, where input meets trust.\nMissing headers, outdated dependencies – that’s the baseline, scanners handle it fine. The interesting issues live a layer deeper. A path that’s protected in one subsystem but wide open in another. A parse-time operation that nobody thought to bound. Code that was correct when it was written but the system grew around it.\n","date_published":"2026-02-27T00:00:00Z","tags":["security","code-reading","debugging"]},{"id":"https://blog.vnykmshr.com/writing/repeat-yourself/","url":"https://blog.vnykmshr.com/writing/repeat-yourself/","title":"Repeat yourself","content_text":"If you repeat your prompt, the model gives you a better answer. Not a smarter model, not a bigger context window, not chain of thought – you say the same thing twice and it works better. Google researchers tested this across Gemini, GPT, Claude, DeepSeek – 47 wins out of 70 benchmarks, zero losses.\nIn a transformer, token 1 can’t see token 50. Causal masking – each token only attends to what came before it. The first words of your prompt are always processed with the least context. They’re flying blind. When you repeat the prompt, the second copy’s early tokens can attend to the entire first copy.
You’re giving the beginning of your question the context it never had.\n","date_published":"2026-02-18T00:00:00Z","tags":["ai","architecture","transformers"]},{"id":"https://blog.vnykmshr.com/writing/hello-world-printf/","url":"https://blog.vnykmshr.com/writing/hello-world-printf/","title":"Hello world, printf","content_text":"Printf wasn’t always there. Before it, you wrote to stdout directly. Before stdout, a syscall. Before the syscall, you poked bytes into a memory-mapped display buffer. Before the memory map, you flipped switches on a front panel and watched lights blink back.\nEvery layer down, someone built something so the next person wouldn’t have to. That’s the whole field. Languages we didn’t design, compilers we didn’t write, protocols we didn’t invent. We’ve always stood on a stack of other people’s work and called the output ours. Nobody ever had a problem with that.\n","date_published":"2026-02-16T00:00:00Z","tags":["llms","abstraction","programming"]},{"id":"https://blog.vnykmshr.com/writing/senior-who-stopped-coding/","url":"https://blog.vnykmshr.com/writing/senior-who-stopped-coding/","title":"The senior who stopped coding","content_text":"The terminal closes slowly.\nFirst it’s one meeting. Then a few more. Then you’re “senior” and your calendar is the job. Code reviews replace coding. Strategy replaces shipping. You advise. You guide. You no longer build. Seen this happen. Almost happened to me.\nThe problem is not the meetings. The problem is losing touch with the trade. Architecture diagrams don’t show you the queries that fan out under load. Sprint planning doesn’t show you the retry logic that fails silently. You can’t review what you can’t recognize.\n","date_published":"2026-01-20T00:00:00Z","tags":["career","code-review","mentoring"]}]}