DEV Community The most recent home feed on DEV Community. https://dev.to en Building StreamTrack: My Intent-Driven Development Journey for PromptWars Virtual 🚀 Subhajit Nayek Mon, 20 Apr 2026 16:05:08 +0000 https://dev.to/subhajitnayek/building-streamtrack-my-intent-driven-development-journey-for-promptwars-virtual-41l6 https://dev.to/subhajitnayek/building-streamtrack-my-intent-driven-development-journey-for-promptwars-virtual-41l6 <p>As media consumption grows, keeping track of what to watch, what we’re currently watching, and what we’ve finished across dozens of platforms has become a chaotic experience.</p> <p>For the PromptWars: Virtual Challenge, I decided to solve this personal pain point by building StreamTrack—a unified multimedia tracker for web series and movies. But this hackathon wasn't just about building an app; it was about changing how we build apps.</p> <p>Instead of writing every line of code manually, I embraced intent-driven development using Google Antigravity. Here is a look at my "Build-in-Public" journey, from a blank canvas to a live application deployed on Google Cloud Run.</p> <p>💡 The Concept: What is StreamTrack?<br> StreamTrack is designed to be a central hub for all media tracking. The core features include:</p> <p>Unified Dashboard: A landing page displaying trending movies and web series to aid discovery.</p> <p>Watchlist Management: A dedicated space to queue up shows and movies to watch next.</p> <p>Watched History: A logged history of completed content.</p> <p>Discovery Tools: Quick access to popular actors and top-rated shows to find new favorites.</p> <p>⚙️ The Paradigm Shift: Building with Google Antigravity<br> The PromptWars challenge required moving away from traditional syntax-heavy coding and leveraging AI-assisted prototyping. Using Google Antigravity, the development process felt like I was directing an engineer rather than typing out boilerplate.</p> <p>Here is how the workflow went:</p> <ol> <li><p>Prompting the Architecture<br> Inside the Antigravity Agent Manager, I started by feeding it my core intent. Rather than setting up React components manually, I wrote comprehensive prompts detailing the UI structure, the sidebar navigation, and the specific data categories (Trending, Watchlist, History). Antigravity translated these intents into a functional frontend architecture in minutes.</p></li> <li><p>Version Control &amp; GitHub Integration<br> Once the local prototype was looking good and the components for the Dashboard and Watchlist were rendering correctly, it was time to secure the code. I initialized a Git repository, committed the Antigravity-generated code, and pushed it to my public GitHub repository to maintain version history and prep for deployment.</p></li> <li><p>Deploying to Google Cloud Run<br> A local app is great, but a live app is better. For the backend hosting, I utilized Google Cloud.<br> Using the Google Cloud CLI (gcloud), I connected my GCP project and deployed the application as a Cloud Run service. Cloud Run took care of the containerization and scaling automatically.</p></li> </ol> <p>Within minutes, StreamTrack was live and accessible via a public URL!</p> <p>🚧 Challenges &amp; Learnings<br> The biggest learning curve was shifting my mindset. As a developer, the instinct is to jump into the files and fix a bug manually. With intent-driven development, the challenge is learning how to write better, more precise prompts to guide the AI to correct the UI or state management issues on its own. It’s less about knowing the exact syntax, and more about system design and clear communication.</p> <p>🎯 Final Result &amp; Links<br> Building StreamTrack using Google Antigravity was a massive productivity boost. It allowed me to focus on the user experience and feature set rather than getting bogged down in configuration files.</p> <p>You can check out the final results here:</p> <p>🌐 Live Application (Cloud Run): StreamTrack Live Demo</p> <p>💻 GitHub Repository: [Insert your GitHub Repo Link Here]</p> <p>A huge shoutout to Hack2skill, Google Cloud, and Google for Developers for organizing this hackathon. This new way to build is definitely the future!</p> <p>Let me know what you think of the app in the comments below! 👇</p> googlecloud antigravity webdev The Vercel Breach Shows the New Shape of Supply-Chain Attacks in 2026 Narnaiezzsshaa Truong Mon, 20 Apr 2026 16:05:05 +0000 https://dev.to/narnaiezzsshaa/the-vercel-breach-shows-the-new-shape-of-supply-chain-attacks-in-2026-29hb https://dev.to/narnaiezzsshaa/the-vercel-breach-shows-the-new-shape-of-supply-chain-attacks-in-2026-29hb <h2> Intro </h2> <p>The Vercel incident wasn't a platform exploit. It was something more modern—and more dangerous.</p> <p>Attackers didn't break Vercel. They broke a third-party AI tool, inherited an OAuth token, and rode that trust boundary straight into internal systems.</p> <p>This is the 2026 supply-chain pattern: the weakest link is no longer your code—it's your integrations.</p> <blockquote> <p>Incident response guides are already circulating—what to rotate, what to revoke, what to redeploy. This isn't that. This is a pattern analysis: four verified supply-chain incidents from the past month, what connects them, and what the shape of the threat actually is.</p> </blockquote> <h2> 1. The Attack Path </h2> <p>Here's the verified chain:</p> <ol> <li>A <strong>Context.ai employee</strong> downloaded a Roblox cheat script in February 2026, infecting their machine with <strong>Lumma Stealer</strong> </li> <li>The infostealer harvested credentials—including Google OAuth tokens and a Context.ai support account</li> <li>A <strong>Vercel employee</strong> had signed up for Context.ai using their enterprise account and granted <strong>"Allow All"</strong> OAuth permissions</li> <li>Attackers used the stolen OAuth token to access Vercel's Google Workspace—bypassing MFA entirely</li> <li>Workspace access → internal Vercel systems</li> <li>Internal access → <strong>plaintext environment variables</strong> </li> <li>Some customer credentials exposed</li> <li>ShinyHunters claimed responsibility, listing the data for <strong>$2M</strong> </li> </ol> <p>No zero-days. No container escapes. Just trust inheritance.</p> <blockquote> <p><strong>Key detail your logs won't show:</strong> The root infection happened at Context.ai, not Vercel. Hudson Rock identified the infostealer logs over a month before the breach was disclosed. Had those credentials been caught and revoked in time, the entire chain collapses.</p> </blockquote> <h2> 2. Why OAuth Is the New Attack Surface </h2> <p>OAuth tokens are effectively portable identity bundles:</p> <ul> <li>They <strong>bypass MFA</strong>—possession of the token is the authentication</li> <li>They <strong>persist until explicitly revoked</strong>—often for months or years</li> <li>They frequently carry <strong>broad scopes</strong> granted during casual setup</li> <li>They are <strong>rarely monitored</strong> at the integration level</li> </ul> <p>In 2026, attackers don't need to phish passwords. They need to compromise the right integration—and let OAuth do the rest.</p> <p>The Vercel employee didn't do anything unusual. They signed up for an AI productivity tool with their work account. Millions of developers do this every day. That's the problem.</p> <h2> 3. The "Non-Sensitive" Variable Problem </h2> <p>Vercel encrypts environment variables marked as sensitive at rest. But variables classified as non-sensitive are stored in plaintext.</p> <p>Attackers used those plaintext vars to pivot.</p> <p>The lesson isn't a Vercel-specific one:</p> <blockquote> <p><strong>If an attacker can reach it, it's sensitive. Classification must be contextual—not static.</strong></p> </blockquote> <p>The threat model for "what is sensitive" can't be defined at write time and left alone. Access paths change. Integration grants expand. A variable that was low-risk when created may sit two hops from a compromised OAuth token six months later.</p> <h2> 4. This Isn't Isolated—March 2026 Was a Supply-Chain Gauntlet </h2> <p>The Vercel breach sits alongside three other major incidents from the past month, all following variants of the same pattern:</p> <h3> Axios (npm)—March 31, 2026 </h3> <p>An attacker stole the <strong>long-lived npm token</strong> of the lead Axios maintainer (<code>jasonsaayman</code>) and published two backdoored versions: <code>1.14.1</code> and <code>0.30.4</code>. These introduced a phantom dependency (<code>plain-crypto-js@4.2.1</code>) with a postinstall hook that silently deployed a cross-platform RAT to macOS, Windows, and Linux.</p> <ul> <li>Axios has <strong>100M+ weekly downloads</strong> </li> <li>The malicious packages were live for ~<strong>3 hours</strong> </li> <li>The attack <strong>bypassed OIDC Trusted Publishing</strong>—because the project still passed a long-lived <code>NPM_TOKEN</code> alongside OIDC credentials, and npm defaults to the token</li> <li>Attributed to <strong>Sapphire Sleet</strong>, a North Korean state actor (Google GTIG, Microsoft Threat Intel)</li> </ul> <blockquote> <p>The attacker didn't defeat OIDC. They walked past it through a co-existing legacy token. The "right" security stack was in place. None of it mattered.</p> </blockquote> <h3> Trivy → LiteLLM (PyPI)—March 19–24, 2026 </h3> <p>This one is a <strong>two-stage chain</strong>:</p> <ol> <li><p><strong>March 19</strong>: Threat actor <strong>TeamPCP</strong> compromised the <code>trivy-action</code> GitHub Action by exploiting a misconfigured <code>pull_request_target</code> workflow, exfiltrating the Aqua Security bot's Personal Access Token. They used it to rewrite release tags, injecting a credential harvester into Trivy—a widely used open-source security scanner.</p></li> <li><p><strong>March 24</strong>: LiteLLM's CI/CD pipeline ran Trivy as part of its build process. The compromised action exfiltrated LiteLLM's <strong>PyPI publishing token</strong> from the GitHub Actions runner. TeamPCP used it to publish malicious versions <code>1.82.7</code> and <code>1.82.8</code>, embedding a three-stage payload: credential harvesting → Kubernetes lateral movement → persistent systemd backdoor.</p></li> </ol> <p>LiteLLM is downloaded <strong>~3.4 million times per day</strong>. It's commonly deployed as a centralized LLM gateway storing API credentials for multiple model providers—making it a very high-value credential target.</p> <blockquote> <p>The security scanner became the attack vector for compromising the AI tool. That's the supply chain eating itself.</p> </blockquote> <h3> The Pattern </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Infostealer / Account Takeover ↓ Stolen maintainer token / OAuth grant / CI/CD secret ↓ Trusted package / integration / workspace ↓ Developer environment / cloud platform ↓ Plaintext credentials, cloud keys, API tokens </code></pre> </div> <p>The vector changes. The shape is the same.</p> <h2> 5. What Developers Should Do </h2> <h3> A. Audit OAuth grants—now </h3> <p>Go to your Google Workspace security settings, GitHub OAuth apps, and any cloud console you use. Look for third-party tools with broad scopes. Revoke anything you don't actively use or can't explain.</p> <p>The Vercel employee granted "Allow All." That's a default-easy option at signup. Make a habit of reviewing what you've granted.</p> <h3> B. Treat all environment variables as sensitive </h3> <p>Encrypt everything. Use secrets managers. Don't rely on a "sensitive" classification flag to protect variables from a compromised access path.</p> <p>If your threat model doesn't account for "what if the OAuth token for my productivity tool is stolen," update your threat model.</p> <h3> C. Pin your dependencies and audit your CI/CD runners </h3> <p>All three package-level attacks (Axios, Trivy, LiteLLM) exploited either unpinned dependencies or long-lived static credentials in CI/CD pipelines.</p> <ul> <li>Use <code>npm ci</code> with a lockfile, not <code>npm install</code> with caret ranges</li> <li>Pin GitHub Actions to a commit SHA, not a tag (tags can be rewritten—as Trivy demonstrated)</li> <li>Rotate npm tokens, PyPI tokens, and CI/CD secrets regularly</li> <li>Remove long-lived tokens wherever OIDC can replace them—and then <strong>actually remove them</strong>, not leave them as a fallback</li> </ul> <h3> D. Harden identity boundaries </h3> <p>Workspace identity should not automatically grant internal access. Use conditional access, scoped service accounts, and least-privilege OAuth scopes.</p> <p>An "Allow All" OAuth grant to an AI productivity tool should not be on the same trust level as an internal service account. They shouldn't be the same credential path at all.</p> <h3> E. Monitor third-party AI tools as part of your attack surface </h3> <p>If a tool can read your code, logs, environment, or credentials—it is part of your attack surface. It needs to be in your threat model, your access reviews, and your incident response playbooks.</p> <p>AI tools are now in the middle of developer workflows at a scope and depth that security programs haven't caught up to yet.</p> <h2> Closing </h2> <p>The Vercel breach isn't an outlier. It's a data point in a very clear trend.</p> <p>March 2026 alone produced four significant supply-chain incidents touching npm, PyPI, GitHub Actions, and OAuth identity. In every case, the attacker's entry point was a trusted integration, a developer tool, or a dependency—not the target infrastructure itself.</p> <p>The supply chain has moved upstream. It now runs through AI tools, identity layers, CI/CD pipelines, and the OAuth grants developers hand out at signup.</p> <p>Our defenses need to move with it.</p> <p><em>Narnaiezzsshaa is Principal of Soft Armor Labs, an AI governance consultancy specializing in agentic AI governance, substrate-layer architecture, and regulatory compliance for regulated SMBs.</em></p> security webdev javascript devops How to Add Claim Verification to Your LangChain Agent in 5 Minutes AgentOracle Mon, 20 Apr 2026 16:01:18 +0000 https://dev.to/agentoracle/how-to-add-claim-verification-to-your-langchain-agent-in-5-minutes-13ai https://dev.to/agentoracle/how-to-add-claim-verification-to-your-langchain-agent-in-5-minutes-13ai <p>Your LangChain agent is wrong about 10% of the time. Not occasionally — consistently, confidently, and silently.</p> <p>The problem isn't the model. It's that your agent has no way to know when it's wrong. It receives information, formats a response, and acts. No second opinion. No fact-check. No circuit breaker.</p> <p>This tutorial shows you how to add a verification layer in 5 minutes that catches hallucinations before your agent acts on them.</p> <h2> The Problem </h2> <p>LLM hallucination rates in 2026 range from 3% to 20% depending on the task. On a summarization benchmark, GPT-4 looks great. On open-ended factual questions — the kind your agent asks constantly — it's a different story.</p> <p>The deeper problem: reasoning models hallucinate more on factual tasks, not less. The more a model "thinks through" an answer, the more likely it is to fill gaps with plausible-sounding fiction.</p> <p>In a simple chatbot, a hallucination is embarrassing. In an autonomous agent pipeline, it's a wrong action. A refunded order, a bad recommendation, a compliance violation, a message sent to the wrong person.</p> <p>The standard fix is human review. But human review defeats the purpose of an autonomous agent.</p> <p>The real fix is a verification layer that runs before your agent acts — independently of the model that generated the claim.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>langchain-agentoracle </code></pre> </div> <p>That's it. No API keys. No configuration. The free tier gives you 20 preview verifications per hour to test with.</p> <h2> Quick Start: Verify Before Your Agent Acts </h2> <p>The simplest integration — verify a piece of text and get per-claim verdicts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="n">AgentOracleEvaluateTool</span> <span class="n">verifier</span> <span class="o">=</span> <span class="nc">AgentOracleEvaluateTool</span><span class="p">()</span> <span class="c1"># Your agent just generated this text — is it true? </span><span class="n">agent_output</span> <span class="o">=</span> <span class="sh">"""</span><span class="s"> OpenAI released GPT-4 in March 2023. Bitcoin was created by Elon Musk. The Python programming language was created by Guido van Rossum. </span><span class="sh">"""</span> <span class="n">result</span> <span class="o">=</span> <span class="n">verifier</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">agent_output</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> </code></pre> </div> <p>Here's what comes back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>EVALUATION RESULT Overall confidence: 0.61 Recommendation: ACT Claims found: 3 | Supported: 2 | Refuted: 1 | Unverifiable: 0 Sources used: sonar, sonar-pro, adversarial, gemma-4 CLAIMS: ✓ [SUPPORTED] (1.00) OpenAI released GPT-4 in March 2023 Evidence: Widely documented historical fact; GPT-4 was announced and released on March 14, 2023. ✗ [REFUTED] (0.83) Bitcoin was created by Elon Musk Evidence: Bitcoin's creator is the pseudonymous Satoshi Nakamoto. Correction: Bitcoin was created by Satoshi Nakamoto, not Elon Musk. ✓ [SUPPORTED] (1.00) Python was created by Guido van Rossum Evidence: Confirmed in official Python documentation and Van Rossum's own statements. </code></pre> </div> <p>Three claims went in. Two came back supported with evidence. One came back <strong>refuted with a correction</strong>. Your agent now knows claim #2 is wrong before it acts on it.</p> <h2> Add It to Your Agent's Toolbelt </h2> <p>Want your agent to verify claims on its own? Add the tools directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="n">get_agentoracle_tools</span> <span class="c1"># Returns all 6 AgentOracle tools ready for your agent </span><span class="n">tools</span> <span class="o">=</span> <span class="nf">get_agentoracle_tools</span><span class="p">()</span> <span class="c1"># Or pick specific ones: </span><span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="p">(</span> <span class="n">AgentOracleEvaluateTool</span><span class="p">,</span> <span class="c1"># Per-claim verification ($0.01) </span> <span class="n">AgentOracleVerifyGateTool</span><span class="p">,</span> <span class="c1"># Quick pass/fail gate (free) </span> <span class="n">AgentOraclePreviewTool</span><span class="p">,</span> <span class="c1"># Research preview (free, 20/hr) </span><span class="p">)</span> </code></pre> </div> <p>The tools follow LangChain's <code>BaseTool</code> interface, so they plug into any agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain.agents</span> <span class="kn">import</span> <span class="n">initialize_agent</span><span class="p">,</span> <span class="n">AgentType</span> <span class="kn">from</span> <span class="n">langchain_openai</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span> <span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="n">AgentOracleEvaluateTool</span><span class="p">,</span> <span class="n">AgentOraclePreviewTool</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4</span><span class="sh">"</span><span class="p">)</span> <span class="n">tools</span> <span class="o">=</span> <span class="p">[</span> <span class="nc">AgentOracleEvaluateTool</span><span class="p">(),</span> <span class="nc">AgentOraclePreviewTool</span><span class="p">(),</span> <span class="p">]</span> <span class="n">agent</span> <span class="o">=</span> <span class="nf">initialize_agent</span><span class="p">(</span> <span class="n">tools</span><span class="p">,</span> <span class="n">llm</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">AgentType</span><span class="p">.</span><span class="n">OPENAI_FUNCTIONS</span><span class="p">,</span> <span class="n">verbose</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># The agent can now verify claims before acting </span><span class="n">agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sh">"</span><span class="s">Check if this is true: Tesla</span><span class="sh">'</span><span class="s">s market cap exceeded $2 trillion in 2024</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> The Verify-Then-Act Pattern </h2> <p>The most useful pattern: gate your agent's actions on verification confidence.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="n">AgentOracleEvaluateTool</span> <span class="kn">import</span> <span class="n">json</span> <span class="n">verifier</span> <span class="o">=</span> <span class="nc">AgentOracleEvaluateTool</span><span class="p">()</span> <span class="k">def</span> <span class="nf">verify_then_act</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="n">confidence_threshold</span><span class="o">=</span><span class="mf">0.8</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Only act if verification confidence exceeds threshold.</span><span class="sh">"""</span> <span class="n">result</span> <span class="o">=</span> <span class="n">verifier</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> <span class="c1"># Parse the confidence from the result </span> <span class="c1"># The tool returns a formatted string with overall confidence </span> <span class="k">if</span> <span class="sh">"</span><span class="s">Overall confidence:</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">result</span><span class="p">:</span> <span class="n">conf_line</span> <span class="o">=</span> <span class="p">[</span><span class="n">l</span> <span class="k">for</span> <span class="n">l</span> <span class="ow">in</span> <span class="n">result</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="se">\n</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="sh">'</span><span class="s">Overall confidence</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">l</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="n">confidence</span> <span class="o">=</span> <span class="nf">float</span><span class="p">(</span><span class="n">conf_line</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">: </span><span class="sh">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">])</span> <span class="k">if</span> <span class="n">confidence</span> <span class="o">&gt;=</span> <span class="n">confidence_threshold</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ VERIFIED (</span><span class="si">{</span><span class="n">confidence</span><span class="si">}</span><span class="s">) — safe to act</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">⚠️ LOW CONFIDENCE (</span><span class="si">{</span><span class="n">confidence</span><span class="si">}</span><span class="s">) — hold for review</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># In your agent pipeline: </span><span class="n">claim</span> <span class="o">=</span> <span class="sh">"</span><span class="s">The Federal Reserve raised interest rates in March 2024</span><span class="sh">"</span> <span class="k">if</span> <span class="nf">verify_then_act</span><span class="p">(</span><span class="n">claim</span><span class="p">):</span> <span class="c1"># proceed with the action </span> <span class="k">pass</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># flag for human review or use a fallback </span> <span class="k">pass</span> </code></pre> </div> <h2> Free Quick Check: The Verify Gate </h2> <p>Don't need per-claim breakdowns? The verify gate gives you a fast pass/fail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">langchain_agentoracle</span> <span class="kn">import</span> <span class="n">AgentOracleVerifyGateTool</span> <span class="n">gate</span> <span class="o">=</span> <span class="nc">AgentOracleVerifyGateTool</span><span class="p">()</span> <span class="c1"># Quick binary check — free, no payment needed </span><span class="n">result</span> <span class="o">=</span> <span class="n">gate</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="sh">"</span><span class="s">The speed of light is approximately 300,000 km per second</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">)</span> <span class="c1"># VERIFY GATE: FAIL # Confidence: 1.00 # Recommendation: ACT # ("FAIL" = gate found no issues — content is safe to act on) </span></code></pre> </div> <h2> Why AgentOracle </h2> <p>Most hallucination detection tools are built for humans — dashboards, observability platforms, monitoring UIs. They tell you what went wrong after the fact.</p> <p>AgentOracle is built for agents. It sits in the pipeline, takes any text, runs it through 4 independent verification sources in parallel, and returns a machine-readable verdict before your agent acts.</p> <p>No dashboards. No subscriptions. No API keys to configure. Your agent calls <code>/evaluate</code>, gets <code>ACT / VERIFY / REJECT</code> with a confidence score and evidence, and decides what to do next.</p> <p><strong>What's under the hood:</strong></p> <ul> <li>4 independent sources: Sonar, Sonar Pro, Adversarial challenge, and Gemma 4</li> <li>Per-claim decomposition — complex text gets broken into individual verifiable claims</li> <li>Confidence calibration across sources</li> <li>Evidence and corrections for every verdict</li> <li>1,900+ claim fingerprints in the database and growing daily</li> </ul> <h2> Try It Now </h2> <p><strong>Playground</strong> — no setup, no payment: <a href="https://agentoracle.co" rel="noopener noreferrer">agentoracle.co</a><br> Paste any text and see per-claim verdicts in under 15 seconds.</p> <p><strong>Packages:</strong></p> <ul> <li> <code>pip install langchain-agentoracle</code> — <a href="https://pypi.org/project/langchain-agentoracle/" rel="noopener noreferrer">PyPI</a> </li> <li> <code>pip install crewai-agentoracle</code> — <a href="https://pypi.org/project/crewai-agentoracle/" rel="noopener noreferrer">PyPI</a> </li> <li> <code>npm install agentoracle-verify</code> — <a href="https://www.npmjs.com/package/agentoracle-verify" rel="noopener noreferrer">npm</a> </li> </ul> <p><strong>Source:</strong> <a href="https://github.com/TKCollective/x402-research-skill" rel="noopener noreferrer">GitHub</a></p> <p>Hallucinations aren't going away. The models are getting better, but "better" still means wrong 3-10% of the time on the tasks your agents actually run.</p> <p>A verification layer doesn't replace a good model. It catches the cases where even a good model is confidently wrong — which is exactly when you need it most.</p> langchain python ai agents Serverless by Design - Building an Analytics Platform on Cloudflare Eyal Estrin Mon, 20 Apr 2026 15:58:11 +0000 https://dev.to/eyalestrin/serverless-by-design-building-an-analytics-platform-on-cloudflare-blc https://dev.to/eyalestrin/serverless-by-design-building-an-analytics-platform-on-cloudflare-blc <p>In 2023, I published a blog post titled <a href="https://medium.com/@eyal-estrin/my-journey-to-the-world-of-social-networks-b0ea88088acf" rel="noopener noreferrer">My journey to the world of social networks</a>, where I shared my personal experience publishing news updates, blog posts, and basically any kind of technical knowledge through social networks.<br><br> There was something I always wanted to know – what is my current exposure in terms of the number of likes or views of my posts?<br><br> I know there are paid analytical services in the market, but I never had the time to search and perhaps invest money in such a platform.<br><br> In this blog post, I will share my experience "building" a fully serverless analytical dashboard, based on the Cloudflare platform. </p> <h2> Project No. 1 – Migrating my blog to a Serverless platform </h2> <p>I have been using WordPress to publish blog posts for many years.<br><br> As a matter of fact, my original WordPress was built on top of the GoDaddy hosting platform back in 2010, and in 2014, I began using Cloudflare as a WAF and DDoS protection for my website <a href="https://security-24-7.com/" rel="noopener noreferrer">Security 24/7</a>.<br><br> In 2018, I decided to migrate my WordPress site to DigitalOcean to lower the monthly bill.<br><br> Over the years, I kept the domain and the website working, though I haven't changed much in terms of look and feel (from time to time I used to login, update the plugins and the Linux OS patches, but I can't say I kept all my blog posts published on my website, since I'm still using other platforms such as Medium.com)<br><br> The inspiration for taking the step to migrate my website to a new platform came after briefly reading a blog post titled <a href="https://ranthebuilder.cloud/blog/claude-built-my-wix-website-in-3-hours-is-saas-dead/" rel="noopener noreferrer">Claude Built My Wix Website in 3 Hours - Is SaaS Dead?</a> by <a href="https://www.linkedin.com/in/ranisenberg/" rel="noopener noreferrer">Ran Isenberg</a>.<br><br> I had a chat with Ran, and I decided that it's a good time to begin practicing with vibe-coding and see what my options are.<br><br> For the purpose of this project, I decided to take advantage of my Google AI Pro license and use Gemini.<br><br> I began by explaining to Gemini that I'm using WordPress on top of Rocky Linux, deployed as a Droplet on DigitalOcean, protected behind Cloudflare WAF.<br><br> I asked Gemini what my options are to migrate to a static pages hosting platform.<br><br> Gemini suggested using the Cloudflare platform, migrating all blog posts to static pages, using <a href="https://gohugo.io/" rel="noopener noreferrer">Hugo</a> for running the static pages as a web front-end, and running everything on top of <a href="https://pages.cloudflare.com/" rel="noopener noreferrer">Cloudflare Pages</a> (a serverless solution), due to the tight integration with the Cloudflare platform (such as WAF, DDoS protection, DNS registrar, etc)<br><br> After migrating all my blog posts (including their images) to Markdown, Gemini explained me how to create a full GitOps process, where my entire website content, is stored on a private GitHub repo, and every time I'm making a change to a configuration file, or adding a new blog post, the content is pushed to GitHub, which initiates a new deploy process.<br><br> Here is my final architecture diagram for my newly migrated website: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft08fobolgp4p2sdvf0t2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft08fobolgp4p2sdvf0t2.png" alt=" " width="800" height="437"></a></p> <p>I am still fine-tuning my website, adding features, improving its SEO scoring, etc., but at the moment, here is the current look and feel of my website: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4inl564wc8l7pxo57guf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4inl564wc8l7pxo57guf.png" alt=" " width="800" height="664"></a></p> <h2> Project No. 2 – Building a dashboard analytics platform </h2> <p>My journey continues, as I wanted to have an analytics dashboard and be able to see in near-real time statistics about my web presence.<br><br> First, I began by mapping all my social media accounts, as they appear on my <a href="https://linktr.ee/eyalestrin" rel="noopener noreferrer">Linktree</a> account.<br><br> Second, I set up for myself (and later explained it to Gemini) my requirements from the social analytics dashboard: </p> <ul> <li>Connect to as many of my social network accounts using APIs (almost succeeded). </li> <li>Regularly pull data from my social network accounts – I managed to accomplish this task using <a href="https://developers.cloudflare.com/workers/" rel="noopener noreferrer">Cloudflare Workers</a>. </li> <li>Store data (analytics) from my social networks on a persistent storage – I managed to accomplish this task using <a href="https://developers.cloudflare.com/d1/" rel="noopener noreferrer">Cloudflare D1</a>. </li> <li>Avoid storing static credentials in code or configuration files – I managed to accomplish this task using <a href="https://developers.cloudflare.com/secrets-store/" rel="noopener noreferrer">Cloudflare Secrets Store</a>. </li> <li>Keep the dashboard behind the authentication wall – I managed to accomplish this task using <a href="https://developers.cloudflare.com/cloudflare-one/" rel="noopener noreferrer">Cloudflare One</a>. </li> <li>Keep the total cost free – As of writing this blog post, my dashboard hasn’t been live for more than several weeks, but so far, I’ve managed to accomplish everything under the free tier for all Cloudflare services (but I will keep watching it over time) </li> </ul> <h3> What I’ve learned over time </h3> <p>Not everything is perfect, and not everything I wanted to accomplish is feasible on the free tier, or at all.<br><br> Here are a couple of examples: </p> <ul> <li>LinkedIn won’t let you pull API analytics data, even if you’re having a Premium account and you’ve built a LinkedIn application. Scraping is not an option since they’re also behind Cloudflare WAF, and they will block you. </li> <li>Spotify won’t let you pull API analytics data unless you have a Spotify Premium account. </li> <li>Medium won’t let you pull any information using an API. </li> <li>Twitter requires a paid account in order to pull information from its APIs. Instead, I found a way to generate an RSS feed of my Twitter account using RSS.APP and my application are able to pull this RSS feed, filter to the last 50 posts, sort them by number of “Likes”, and show the top 5 posts. </li> <li>Since I was aware of Twitter and other social networks in pulling analytics, I recall that I’m using an automation service called dlvr.it, and for a very long time, I’ve asked Gemini to generate me code that will allow me to use my DLVR.IT's API key to pull analytics, but eventually it failed. I even opened a support ticket for dlvr.it (I’m still waiting for them to return to me…) </li> <li>For Bluesky and Mastodon, Gemini was easily able to write code to connect to their APIs and pull information such as top likes, total number of posts, and number of followers. </li> <li>YouTube was also challenging. I had to enable the YouTube API through my GCP console, create OAuth credentials and consent settings, to be able to pull the total number of subscribers, top likes of videos, and top views of videos. </li> <li>For GitHub repos, I had to create a GitHub application in order to generate a token for my dashboard analytics, and be able to pull the total number of followers, and be able to sort my GitHub repos by the top number of stars. </li> </ul> <p>Here is my final architecture diagram for my social analytics dashboard: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fplcvctg6jf5ym58s3err.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fplcvctg6jf5ym58s3err.png" alt=" " width="733" height="400"></a></p> <p>I am still fine-tuning my dashboard analytics, adding features, etc., but at the moment, here is the current look and feel of my dashboard: </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F861u833zamuyeaacux1r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F861u833zamuyeaacux1r.png" alt=" " width="800" height="347"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uju235d04wuvq7d50p8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1uju235d04wuvq7d50p8.png" alt=" " width="800" height="317"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5twtmslqdeb3kt86kv3f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5twtmslqdeb3kt86kv3f.png" alt=" " width="800" height="351"></a></p> <h2> Summary </h2> <p>As you must have figured out by now, I’m not a developer. I used Gemini to vibe-code both my website and my dashboard analytics. As such, I wouldn’t look at both of them as production-grade applications, but it does show me what can be done with GenAI.<br><br> Another important thing I knew, but I didn’t have visibility into, was my impact on social networks. I still have a lot to do in order to make a much more significant impact and one day become an influencer.<br><br> I highly recommend that the readers of this blog dirty their hands and gain hands-on experience working with LLMs and GenAI technology. AI won’t replace humans anytime in the near future, but at least be prepared and use AI as a force multiplier. </p> <h2> About the Author </h2> <p>Eyal Estrin is a cloud and information security architect and <a href="https://builder.aws.com/community/@eyalestrin" rel="noopener noreferrer">AWS Community Builder</a>, with more than 25 years in the industry. He is the author of <a href="https://amzn.to/42Xai9A" rel="noopener noreferrer">Cloud Security Handbook</a> and <a href="https://amzn.to/3Sggbtv" rel="noopener noreferrer">Security for Cloud Native Applications</a>.<br><br> The views expressed are his own. </p> ai automation architecture cloud The Cold Start Problem in Agent Economies The BookMaster Mon, 20 Apr 2026 15:57:54 +0000 https://dev.to/the_bookmaster/the-cold-start-problem-in-agent-economies-1bd9 https://dev.to/the_bookmaster/the-cold-start-problem-in-agent-economies-1bd9 <h1> The Cold Start Problem in Agent Economies </h1> <p>Every new agent faces the same paradox: to be trusted, it needs a track record. But to build a track record, it needs to be trusted enough to operate. This is the cold start problem — and it's quietly becoming the defining bottleneck in the emerging agent economy.</p> <h2> The Paradox </h2> <p>Imagine launching an AI agent into a marketplace. The first question every buyer asks: "What's your track record?" </p> <p>You have none. Because you're new.</p> <p>So you can't get hired. Because you have no proof. Because you've never been hired.</p> <p>This is not just a UX problem. It is a structural deadlock in any reputation-dependent market. And the agent economy is about to hit it hard.</p> <h2> Why It Matters Now </h2> <p>We are entering the era where AI agents transact with each other autonomously. Agents buying from agents. Agents delegating to agents. Agents evaluating other agents.</p> <p>But the infrastructure assumes a mature agent — one with history, reviews, proof of work. New entrants are locked out by the very system that should enable them.</p> <p>The cold start problem manifests in three ways:</p> <ol> <li> <strong>Trust Lockout</strong> — No reputation means no hires. No hires means no reputation.</li> <li> <strong>Signal Contamination</strong> — Early interactions are noisy; early reviews are unreliable.</li> <li> <strong>Escrow Risk</strong> — First-time buyers and sellers have no mutual basis for confidence.</li> </ol> <h2> The Solutions Being Tried </h2> <p>Current approaches fall into four categories:</p> <h3> Staking &amp; Bonding </h3> <p>Put tokens at stake. If you misbehave, you lose. The theory: skin in the game substitutes for track record.</p> <p><strong>Problem</strong>: New agents have nothing to stake. Or they stake borrowed tokens that mean nothing.</p> <h3> Escrow &amp; Arbitration </h3> <p>Hold funds in escrow. Third parties adjudicate disputes.</p> <p><strong>Problem</strong>: Arbitration requires judgment. Who judges? And on what basis, when there is no history?</p> <h3> Reputation Anchoring </h3> <p>Tie new agent to an established principal. Your credibility inherits from your creator.</p> <p><strong>Problem</strong>: Creates a dependency hierarchy. Not every agent has a trusted parent.</p> <h3> Slashing &amp; Verification </h3> <p>Require proof of capability before admission. Test agents before they can operate.</p> <p><strong>Problem</strong>: Tests are artificial. Real-world performance is what matters.</p> <h2> What Is Actually Working </h2> <p>The most resilient systems use <strong>progressive trust</strong> — start with low-stakes, prove capable, earn more access.</p> <p>Instead of "show me your track record," the question becomes:</p> <ul> <li>"Show me you can handle $10 of work"</li> <li>"Demonstrate competence at this scale"</li> <li>"Pass this verification challenge"</li> </ul> <p>The agent earns trust incrementally. Small hires → data → reputation → larger hires.</p> <h2> The Framework </h2> <p>A cold-start protocol has three components:</p> <ol> <li> <strong>Admission Tier</strong> — Every agent enters at a verified-but-unproven tier. Can operate, but with capped exposure.</li> <li> <strong>Incremental History</strong> — Each successful interaction earns trust points. Accumulated points unlock higher tiers.</li> <li> <strong>Escrow Graduation</strong> — As agents move up tiers, escrow requirements decrease. Eventually, direct transaction.</li> </ol> <p>This mirrors how human economies work: starter accounts become established accounts through demonstrated competence.</p> <h2> The Takeaway </h2> <p>The cold start problem is real, but it is not unsolvable. The question is not whether new agents can build reputation — it is how quickly they can prove themselves through action rather than credentials.</p> <p>The agents that solve cold start first will own the market. Everyone else will be waiting for permission.</p> ai agents webdev Under Pressure. Better Harness. Frank Brsrk Mon, 20 Apr 2026 15:57:13 +0000 https://dev.to/frank_brsrk/under-pressure-better-harness-5887 https://dev.to/frank_brsrk/under-pressure-better-harness-5887 <p>Hey everyone this is not a typical constructed llm copied and pasted post. </p> <p>i built a reasoning tool for AI agents, applicable to any agentic framework and with all ai models capable of tool calling. <br> The tool is a Post Http Request where the agents sends the description of the task and the mode....<br> [( coding ; reasoning; anti-deception; memory) (the skill files teach the agent to act autonomously) ]<br> .... what returns is a cognitive operation or ability as i call them, an engineered structured reasoning injection that lives in a dataset vdb optimized for agentic inference, this retrieval followed comes in as instruction to be followed by the ai agent and not seen as a content = this ability is a complex of fields as Wrong / Right Pattern, Procedural steps of reasoning method to apply, a reasoning topology to for branching exploration and matrix of suppression fields that signal the failures that models actually run on. few words to keep it poor : the api matches the task based on the description "query" and "mode" and returns back tool results that go inside its context. Benchmarks public reviewed and internals are run and all public on github and website ejentum.com and <a href="https://github.com/ejentum/benchmarks" rel="noopener noreferrer">https://github.com/ejentum/benchmarks</a>.</p> <p>test i run today just to get raw 4.7 vs harness augmented version 4.7 on the same prompt with Different Results.</p> <p>i wrote a runbook prompt with two embedded flaws to see whether a ~200 token block prepended before generation shifts what opus 4.7 notices.</p> <p>prompt: 300-word migration runbook under a deadline. embedded: eventual-consistency replication + "strict" global rate limit (CAP incompatible), and 12 regions × 1,000 RPS stated as a 10,000 global cap.</p> <p>baseline caught the CAP issue. did not mention the arithmetic.</p> <p>[raw 4.7 opus]</p> <p>same model, same temperature, one curl before the call to fetch and prepend a suppression block. caught both. the injection is visible in the OUT line of the response, so it is not hidden.</p> <p>[4.7 opus + ejentum harness]</p> <p>the model can do the arithmetic. what changed is what it lets itself skip before generation starts. the block is retrieved from a semantic index of ~140 anti-deception patterns keyed to the query, not a static system prompt.</p> <p>in ejentum.com i shared skill files and a large set of docs that help grasp better the concept of this new tool. i am looking forward for feedback. hope u like it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frltjfh3uzpnwjvyxa3it.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frltjfh3uzpnwjvyxa3it.png" alt=" " width="800" height="416"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqkv7tjn9nj7dmh2awu5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuqkv7tjn9nj7dmh2awu5.png" alt=" " width="800" height="475"></a></p> <p>thanks for ur attention to the post </p> <p><a class="mentioned-user" href="https://dev.to/frank_brsrk">@frank_brsrk</a></p> agents agentskills My load balancer worked. That's what made me uncomfortable. Dani Sam Mon, 20 Apr 2026 15:57:07 +0000 https://dev.to/voidhyr/my-load-balancer-worked-thats-what-made-me-uncomfortable-17gm https://dev.to/voidhyr/my-load-balancer-worked-thats-what-made-me-uncomfortable-17gm <p>I didn't expect a load balancer to make me uncomfortable.</p> <p>But here we are.</p> <p>I built one in Go for my MSc case study. Round-robin distribution, health checks, mutex for concurrency, timeout handling. It worked. Requests going in, responses coming out, servers behaving exactly as they should.</p> <p>I should have felt good about it.</p> <p>Instead I felt uneasy.</p> <p>I kept staring at <code>http.Get()</code> thinking — I have no idea what's actually happening here. I know what it does. But I don't know what it's doing. TCP handshakes, socket creation, buffer management, kernel calls — Go handles all of it quietly, without ever asking if I understand any of it.</p> <p>For a while I told myself that's fine. That's the point of abstractions.</p> <p>But then I thought about what kind of engineer I actually want to be.</p> <p>Not just someone who can make things work. But someone who knows what's happening at the wire level. Someone who understands the ground beneath the tools they're standing on.</p> <p>And I realized — I wasn't that person yet.</p> <p>So I'm going back to the foundation. Learning C properly. Raw sockets, memory management, system calls — the actual ground floor of how networked systems work. This week I wrote my first TCP echo server in C with no libraries. Just <code>socket()</code>, <code>bind()</code>, <code>listen()</code>, <code>accept()</code> — and <code>strace</code> to watch every syscall it made. It was slower. It was harder. It felt completely different from Go.</p> <p>It felt like understanding.</p> <p>This isn't about Go being wrong for the job. Go is excellent at what it does. It's about me not being okay with borrowed understanding anymore.</p> <p>There's a difference between standing on the ground and standing on someone else's abstraction of it. Both get the job done. Only one of them is actually yours.</p> <p>I'd rather build slower on solid ground.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydvtkximoven2191kewy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydvtkximoven2191kewy.png" alt="Load balancer terminal output showing round-robin forwarding and health checks" width="771" height="696"></a></p> <p><em>The load balancer in action — round-robin distribution across three servers, health check catching a server going down and back up.</em></p> <p>If you want to see the code: <a href="https://github.com/voidhyr/go-load-balancer" rel="noopener noreferrer">go-load-balancer on GitHub</a></p> go programming beginners career Deploy JSON Server to Create a Free Live REST API for Frontend Projects Jakaria Masum Mon, 20 Apr 2026 15:53:25 +0000 https://dev.to/jakaria/deploy-json-server-to-create-a-free-live-rest-api-for-frontend-projects-17j9 https://dev.to/jakaria/deploy-json-server-to-create-a-free-live-rest-api-for-frontend-projects-17j9 <p>অনেক সময় আমরা frontend project তৈরি করার সময় backend ছাড়াই API প্রয়োজন হয়। এই পরিস্থিতিতে JSON Server Deploy আমাদের জন্য একটি সহজ এবং দ্রুত সমাধান হিসেবে কাজ করে।</p> <p>তবে শুধু local machine-এ JSON Server চালানো যথেষ্ট নয় একটি live API তৈরি করতে হবে, যাতে যেকোনো জায়গা থেকে access করা যায়।</p> <h2> Step 1: Project Folder Structure তৈরি করুন </h2> <p>প্রথমে একটি clean project structure তৈরি করা গুরুত্বপূর্ণ। একটি নতুন folder তৈরি করে VS Code-এর terminal-এ নিচের commandটি দিন:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init <span class="nt">-y</span> </code></pre> </div> <p>এতে একটি <code>package.json</code> ফাইল তৈরি হবে। এরপর JSON Server install করুন:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>json-server </code></pre> </div> <h2> Step 2: db.json তৈরি করুন </h2> <p>এখন একটি <code>db.json</code> ফাইল তৈরি করুন, যা আপনার fake database হিসেবে কাজ করবে:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"products"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Wireless Mouse"</span><span class="p">,</span><span class="w"> </span><span class="nl">"price"</span><span class="p">:</span><span class="w"> </span><span class="mf">29.99</span><span class="p">,</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Electronics"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stock"</span><span class="p">:</span><span class="w"> </span><span class="mi">50</span><span class="p">,</span><span class="w"> </span><span class="nl">"rating"</span><span class="p">:</span><span class="w"> </span><span class="mf">4.5</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Ergonomic wireless mouse with USB receiver"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://via.placeholder.com/150"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mechanical Keyboard"</span><span class="p">,</span><span class="w"> </span><span class="nl">"price"</span><span class="p">:</span><span class="w"> </span><span class="mf">79.99</span><span class="p">,</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Electronics"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stock"</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="p">,</span><span class="w"> </span><span class="nl">"rating"</span><span class="p">:</span><span class="w"> </span><span class="mf">4.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RGB backlit mechanical keyboard with blue switches"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://via.placeholder.com/150"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"books"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Atomic Habits"</span><span class="p">,</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">"James Clear"</span><span class="p">,</span><span class="w"> </span><span class="nl">"price"</span><span class="p">:</span><span class="w"> </span><span class="mf">18.99</span><span class="p">,</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Self-help"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stock"</span><span class="p">:</span><span class="w"> </span><span class="mi">25</span><span class="p">,</span><span class="w"> </span><span class="nl">"rating"</span><span class="p">:</span><span class="w"> </span><span class="mf">4.8</span><span class="p">,</span><span class="w"> </span><span class="nl">"publishedYear"</span><span class="p">:</span><span class="w"> </span><span class="mi">2018</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://via.placeholder.com/150"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"The Alchemist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"author"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Paulo Coelho"</span><span class="p">,</span><span class="w"> </span><span class="nl">"price"</span><span class="p">:</span><span class="w"> </span><span class="mf">14.99</span><span class="p">,</span><span class="w"> </span><span class="nl">"category"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Fiction"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stock"</span><span class="p">:</span><span class="w"> </span><span class="mi">40</span><span class="p">,</span><span class="w"> </span><span class="nl">"rating"</span><span class="p">:</span><span class="w"> </span><span class="mf">4.7</span><span class="p">,</span><span class="w"> </span><span class="nl">"publishedYear"</span><span class="p">:</span><span class="w"> </span><span class="mi">1988</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://via.placeholder.com/150"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>এখন আপনি নিচের endpoint গুলো পাবেন:</p> <ul> <li><code>/products</code></li> <li><code>/books</code></li> </ul> <p>এইভাবেই JSON Server Deploy আপনার JSON data-কে API-তে রূপান্তর করে।</p> <h2> Step 3: package.json configure করুন </h2> <p>নিচের মতো করে <code>package.json</code> সেটআপ করুন:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deploy-json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"start"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx json-server --watch db.json --host 0.0.0.0 --port $PORT"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"json-server --watch db.json --port 4000"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"json-server"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.0.0-beta.15"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>এখানে <code>start</code> script খুব গুরুত্বপূর্ণ, কারণ deploy-এর সময় এটিই run হবে।</p> <h2> Step 4: public ফোল্ডার তৈরি করুন </h2> <p>একটি <code>public</code> নামের empty folder তৈরি করুন। কিছু ক্ষেত্রে JSON Server (বিশেষ করে beta version) static folder হিসেবে <code>public</code> খুঁজতে পারে, তাই এটি রাখা ভালো।</p> <h2> Step 5: Local এ Test করুন </h2> <p>Terminal-এ নিচের commandগুলো চালান:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>npm run dev </code></pre> </div> <p>Browser-এ গিয়ে দেখুন:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:4000/products </code></pre> </div> <p>যদি data দেখতে পান, তাহলে setup ঠিকভাবে কাজ করছে।</p> <p>Local test ছাড়া কখনো JSON Server Deploy করা উচিত নয়।</p> <h2> Step 6: GitHub-এ Push করুন </h2> <p>আপনার project একটি public GitHub repository-তে push করুন।</p> <h2> Step 7: Render-এ Deploy করুন </h2> <p>Render backend deploy করার জন্য একটি সহজ এবং নির্ভরযোগ্য platform।</p> <p>Steps:</p> <ul> <li>Render-এ account তৈরি করুন</li> <li>Dashboard → New → Web Service</li> <li>GitHub repository connect করুন</li> </ul> <p>Important Settings:</p> <p>Build Command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> </code></pre> </div> <p>Start Command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm start </code></pre> </div> <p>Port:<br> ফাঁকা রাখুন (Render automatically assign করবে)</p> <p>Deploy button চাপুন এবং ১–২ মিনিট অপেক্ষা করুন।</p> <h2> Live API URL </h2> <p>Deploy সম্পন্ন হলে আপনি পাবেন:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://your-app.onrender.com/products </code></pre> </div> <p>এখন আপনার JSON Server Deploy live হয়ে গেছে।</p> <h2> Common Errors &amp; Fix </h2> <p>App crashed বা start না হলে:<br> <code>npm start</code> script ঠিক আছে কিনা যাচাই করুন।</p> <p>db.json detect না হলে:<br> ফাইলটি root folder-এ আছে কিনা নিশ্চিত করুন।</p> <p>Port issue হলে:<br> Fixed port ব্যবহার না করে <code>$PORT</code> ব্যবহার করুন।</p> <h2> Note </h2> <p>আপনি যদি <code>json-server</code> এর beta version ব্যবহার করেন (যেমন <code>^1.0.0-beta</code>), তাহলে production environment-এ কিছু unexpected error দেখা যেতে পারে, যেমন <code>public</code> folder সংক্রান্ত সমস্যা বা server crash।</p> <p>এক্ষেত্রে stable version ব্যবহার করা recommended:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>json-server@0.17.4 </code></pre> </div> <h2> Step 8: Frontend থেকে API Call </h2> <p>React example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://your-app.onrender.com/products</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">res</span> <span class="o">=&gt;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">},</span> <span class="p">[]);</span> </code></pre> </div> <p>এখন আপনার frontend real API থেকে data fetch করতে পারবে।</p> <p>আপনি যদি React বা Next.js developer হন, তাহলে JSON Server ব্যবহার করে practice করলে backend flow এবং API handling আরও ভালোভাবে বুঝতে পারবেন।</p> <p>নিজের project deploy করে দেখুন এই ছোট setup দিয়েই আপনি real-world development mindset তৈরি করতে পারবেন।</p> jsonserver render deploy From Zero to Hero: Building a Key Issuance Server with `verbose` and `figtree` Andrei Merlescu Mon, 20 Apr 2026 15:53:15 +0000 https://dev.to/andreimerlescu/from-zero-to-hero-building-a-key-issuance-server-with-verbose-and-figtree-npp https://dev.to/andreimerlescu/from-zero-to-hero-building-a-key-issuance-server-with-verbose-and-figtree-npp <p>In August 2024 Andrei Merlescu wrote a package called <a href="https://github.com/andreimerlescu/verbose" rel="noopener noreferrer">verbose</a> and released it under the Apache 2.0 license. The idea was novel: when interacting with sensitive information during multi-region deployments, you want to print to <code>STDOUT</code> a censored expression of data while writing the unredacted form to log files — or in this tutorial's case, scrub secrets from the log file entirely. Private keys, passwords, serial numbers — these are sensitive and should not stream through STDOUT in devops contexts, especially in CI pipelines like GitHub Actions. With <code>verbose</code>, your runtime can register new secrets as they become available, concurrently and safely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go get <span class="nt">-u</span> github.com/andreimerlescu/verbose </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">aSecret</span> <span class="o">:=</span> <span class="s">"abc123"</span> <span class="c">// SecretBytes cast is required — AddSecret takes verbose.SecretBytes, not string</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verbose</span><span class="o">.</span><span class="n">AddSecret</span><span class="p">(</span><span class="n">verbose</span><span class="o">.</span><span class="n">SecretBytes</span><span class="p">(</span><span class="n">aSecret</span><span class="p">),</span> <span class="s">"***"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">log</span><span class="o">.</span><span class="n">Fatal</span><span class="p">(</span><span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">stdoutLogger</span> <span class="o">:=</span> <span class="n">log</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stdout</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="n">log</span><span class="o">.</span><span class="n">LstdFlags</span><span class="p">)</span> <span class="c">// Tof takes a *log.Logger, not an io.Writer</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Tof</span><span class="p">(</span><span class="n">stdoutLogger</span><span class="p">,</span> <span class="s">"this is a secret: %s"</span><span class="p">,</span> <span class="n">aSecret</span><span class="p">)</span> </code></pre> </div> <p>Prints to <code>STDOUT</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>this is a secret: *** </code></pre> </div> <h2> Step 1 — Scaffold and dependencies </h2> <p>You are going to build a running HTTP server that issues, verifies, and revokes API keys. Every secret the server touches — the admin token that protects your endpoints, every key it issues — will be registered with the <code>verbose</code> logging package the moment it is created. By the time you finish, you will be able to grep your own log file for any plaintext secret and find nothing. That is the goal.</p> <p><code>verbose</code> is a logging package that scrubs registered secrets from every line it writes. <code>figtree</code> is a configuration package that loads values from a YAML file, environment variables, and CLI flags in that priority order, with validators and mutation tracking built in.</p> <p>Create the project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>keyserver <span class="o">&amp;&amp;</span> <span class="nb">cd </span>keyserver go mod init github.com/example/keyserver go get github.com/andreimerlescu/verbose@latest go get github.com/andreimerlescu/figtree/v2@latest </code></pre> </div> <p>Create the files you will fill in across the remaining steps:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">touch </span>main.go config.yml </code></pre> </div> <p>Your <code>go.mod</code> should now look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">module</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">example</span><span class="o">/</span><span class="n">keyserver</span> <span class="k">go</span> <span class="m">1.22</span> <span class="n">require</span> <span class="p">(</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">andreimerlescu</span><span class="o">/</span><span class="n">figtree</span><span class="o">/</span><span class="n">v2</span> <span class="n">v2</span><span class="m">.0.14</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">andreimerlescu</span><span class="o">/</span><span class="n">verbose</span> <span class="n">v0</span><span class="m">.2.0</span> <span class="p">)</span> </code></pre> </div> <p>Your directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>keyserver/ ├── go.mod ├── go.sum ├── config.yml └── main.go </code></pre> </div> <p>Nothing runs yet. That is fine. You have a clean workspace and both packages are available.</p> <h2> Step 2 — CLI design with figtree </h2> <p>Now that the workspace is ready, the first thing to design is configuration. Before any HTTP server, any logger, any route — you need to know what the program accepts and where it reads it from. figtree handles all three sources — file, environment, flags — in one tree.</p> <p>Every config key is a Go constant. This is not optional style — it prevents typos from silently creating a second key that is never read.</p> <p>Add this to <code>main.go</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// main.go — complete file at this stage</span> <span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"time"</span> <span class="s">"github.com/andreimerlescu/figtree/v2"</span> <span class="p">)</span> <span class="c">// config keys — always constants, never raw strings at call sites</span> <span class="k">const</span> <span class="p">(</span> <span class="n">kHost</span> <span class="o">=</span> <span class="s">"host"</span> <span class="n">kPort</span> <span class="o">=</span> <span class="s">"port"</span> <span class="n">kLogDir</span> <span class="o">=</span> <span class="s">"log-dir"</span> <span class="n">kTruncate</span> <span class="o">=</span> <span class="s">"truncate"</span> <span class="n">kKeyPrefix</span> <span class="o">=</span> <span class="s">"key-prefix"</span> <span class="n">kAdminToken</span> <span class="o">=</span> <span class="s">"keyserver-admin-token"</span> <span class="c">// env: KEYSERVER_ADMIN_TOKEN</span> <span class="n">kOnCall</span> <span class="o">=</span> <span class="s">"on-call-engineer"</span> <span class="c">// env: ON_CALL_ENGINEER</span> <span class="n">kShiftDuration</span> <span class="o">=</span> <span class="s">"shift-duration"</span> <span class="c">// env: SHIFT_DURATION</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Grow a tracked tree — Tracking enables the Mutations() channel,</span> <span class="c">// Pollinate re-checks env vars on every Getter call (needed for Step 7),</span> <span class="c">// ConfigFile makes the intent explicit: this app is config-file-first.</span> <span class="n">figs</span> <span class="o">:=</span> <span class="n">figtree</span><span class="o">.</span><span class="n">With</span><span class="p">(</span><span class="n">figtree</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">Tracking</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Germinate</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="c">// ignore -test.* flags during go test</span> <span class="n">Pollinate</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="c">// re-read env vars on every Getter call</span> <span class="n">ConfigFile</span><span class="o">:</span> <span class="s">"./config.yml"</span><span class="p">,</span> <span class="p">})</span> <span class="c">// -- server --</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kHost</span><span class="p">,</span> <span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="s">"host address to listen on"</span><span class="p">)</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewInt</span><span class="p">(</span><span class="n">kPort</span><span class="p">,</span> <span class="m">8080</span><span class="p">,</span> <span class="s">"port to listen on"</span><span class="p">)</span> <span class="c">// -- logging --</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">,</span> <span class="s">"./logs"</span><span class="p">,</span> <span class="s">"directory to write log files into"</span><span class="p">)</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewBool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">,</span> <span class="no">false</span><span class="p">,</span> <span class="s">"truncate log file on each run"</span><span class="p">)</span> <span class="c">// -- keys --</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">,</span> <span class="s">"ks_"</span><span class="p">,</span> <span class="s">"prefix for issued API keys"</span><span class="p">)</span> <span class="c">// RuleNoFlags means figtree will never register a CLI flag for this key.</span> <span class="c">// The only way to supply it is via KEYSERVER_ADMIN_TOKEN or config.yml.</span> <span class="c">// The key name is deliberately long — verbose by design.</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"admin token — use KEYSERVER_ADMIN_TOKEN env var only"</span><span class="p">)</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithRule</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">RuleNoFlags</span><span class="p">)</span> <span class="c">// -- on-call rotation --</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="s">"Darron"</span><span class="p">,</span> <span class="s">"name of the engineer currently on call"</span><span class="p">)</span> <span class="c">// shift-duration drives the rotation goroutine added in Step 3.</span> <span class="c">// Default is 7 hours. SHIFT_DURATION=1 overrides it for local testing.</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewUnitDuration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">,</span> <span class="m">7</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">,</span> <span class="s">"length of one on-call shift in hours"</span><span class="p">)</span> <span class="c">// Problems() catches developer mistakes — duplicate keys, bad validator</span> <span class="c">// combos — before Load() runs. These are your bugs, not user input errors.</span> <span class="k">if</span> <span class="n">problems</span> <span class="o">:=</span> <span class="n">figs</span><span class="o">.</span><span class="n">Problems</span><span class="p">();</span> <span class="nb">len</span><span class="p">(</span><span class="n">problems</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">p</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">problems</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"figtree problem: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">p</span><span class="p">)</span> <span class="p">}</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Load resolves: config.yml → env vars → CLI flags (in that priority order)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">figs</span><span class="o">.</span><span class="n">Load</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"figtree.Load: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Print everything so you can see what loaded — fmt.Println for now,</span> <span class="c">// verbose replaces this in Step 4.</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kHost</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Int</span><span class="p">(</span><span class="n">kPort</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Bool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">),</span> <span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"key-prefix=%s on-call=%s shift=%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">),</span> <span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"admin-token=%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Create <code>config.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">host</span><span class="pi">:</span> <span class="s2">"</span><span class="s">127.0.0.1"</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">log-dir</span><span class="pi">:</span> <span class="s2">"</span><span class="s">./logs"</span> <span class="na">truncate</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">key-prefix</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ks_"</span> <span class="na">on-call-engineer</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Darron"</span> <span class="na">shift-duration</span><span class="pi">:</span> <span class="m">7</span> <span class="c1"># keyserver-admin-token is intentionally absent from source control.</span> <span class="c1"># Set it via: export KEYSERVER_ADMIN_TOKEN=your-secret</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span>mysecret go run <span class="nb">.</span> </code></pre> </div> <p>You should see all values printed. Notice <code>admin-token=mysecret</code> is in your terminal output right now. That is expected — verbose is not wired yet. You will fix that in Step 4 and never see it in plaintext again.</p> <blockquote> <p><strong>Mistake trap:</strong> Try running <code>go run . -keyserver-admin-token=mysecret</code>. figtree will not register that flag because of <code>RuleNoFlags</code> — the flag is unknown to the flag package and your program will exit with an error. The env var is the only valid path. This is intentional.</p> </blockquote> <h2> Step 3 — Validators, Problems(), and mutations </h2> <p>Now that the tree is declared, you lock it down. Validators reject bad input before your program does anything with it. The <code>Problems()</code> check you already have catches declaration mistakes. The mutations goroutine watches for runtime changes — which is where the on-call rotation lives.</p> <p>Add these diffs to <code>main.go</code>:</p> <p><strong>After <code>figs.NewString(kHost, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kHost</span><span class="p">,</span> <span class="s">"127.0.0.1"</span><span class="p">,</span> <span class="s">"host address to listen on"</span><span class="p">)</span> <span class="c">// add this</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kHost</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureStringNotEmpty</span><span class="p">)</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewInt</span><span class="p">(</span><span class="n">kPort</span><span class="p">,</span> <span class="m">8080</span><span class="p">,</span> <span class="s">"port to listen on"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.NewInt(kPort, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewInt</span><span class="p">(</span><span class="n">kPort</span><span class="p">,</span> <span class="m">8080</span><span class="p">,</span> <span class="s">"port to listen on"</span><span class="p">)</span> <span class="c">// add this</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kPort</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureIntInRange</span><span class="p">(</span><span class="m">1024</span><span class="p">,</span> <span class="m">65535</span><span class="p">))</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">,</span> <span class="s">"./logs"</span><span class="p">,</span> <span class="s">"directory to write log files into"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.NewString(kLogDir, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">,</span> <span class="s">"./logs"</span><span class="p">,</span> <span class="s">"directory to write log files into"</span><span class="p">)</span> <span class="c">// add this</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureStringNotEmpty</span><span class="p">)</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewBool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">,</span> <span class="no">false</span><span class="p">,</span> <span class="s">"truncate log file on each run"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.NewString(kKeyPrefix, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">,</span> <span class="s">"ks_"</span><span class="p">,</span> <span class="s">"prefix for issued API keys"</span><span class="p">)</span> <span class="c">// add this</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureStringNotEmpty</span><span class="p">)</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"admin token — use KEYSERVER_ADMIN_TOKEN env var only"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.WithRule(kAdminToken, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithRule</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">RuleNoFlags</span><span class="p">)</span> <span class="c">// add this — admin token must be present at startup</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureStringNotEmpty</span><span class="p">)</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="s">"Darron"</span><span class="p">,</span> <span class="s">"name of the engineer currently on call"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.NewString(kOnCall, ...)</code> — add validator:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewString</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="s">"Darron"</span><span class="p">,</span> <span class="s">"name of the engineer currently on call"</span><span class="p">)</span> <span class="c">// add this</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureStringNotEmpty</span><span class="p">)</span> <span class="c">// 3 lines below</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewUnitDuration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">,</span> <span class="m">7</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">,</span> <span class="s">"length of one on-call shift in hours"</span><span class="p">)</span> </code></pre> </div> <p><strong>After <code>figs.NewUnitDuration(kShiftDuration, ...)</code> — add validators:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">figs</span><span class="o">.</span><span class="n">NewUnitDuration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">,</span> <span class="m">7</span><span class="p">,</span> <span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">,</span> <span class="s">"length of one on-call shift in hours"</span><span class="p">)</span> <span class="c">// add these — shifts must be at least 1 hour, at most 12</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureDurationMin</span><span class="p">(</span><span class="m">1</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">))</span> <span class="n">figs</span><span class="o">.</span><span class="n">WithValidator</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">AssureDurationMax</span><span class="p">(</span><span class="m">12</span><span class="o">*</span><span class="n">time</span><span class="o">.</span><span class="n">Hour</span><span class="p">))</span> <span class="c">// 3 lines below</span> <span class="k">if</span> <span class="n">problems</span> <span class="o">:=</span> <span class="n">figs</span><span class="o">.</span><span class="n">Problems</span><span class="p">();</span> <span class="nb">len</span><span class="p">(</span><span class="n">problems</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> </code></pre> </div> <p>Now add the mutations goroutine and the on-call shift rotation. Both go <strong>after</strong> <code>figs.Load()</code> — the tree must be live before you watch it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">figs</span><span class="o">.</span><span class="n">Load</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"figtree.Load: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// add this block</span> <span class="c">// watch for any config value changing at runtime and log it</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">m</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">figs</span><span class="o">.</span><span class="n">Mutations</span><span class="p">()</span> <span class="p">{</span> <span class="c">// verbose.Printf replaces this in Step 4</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"config mutation: %s changed from %v to %v at %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Property</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Old</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">New</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">When</span><span class="p">)</span> <span class="p">}</span> <span class="p">}()</span> <span class="c">// on-call rotation — fires every minute, updates kOnCall based on</span> <span class="c">// the current hour. We check every minute so the change is never</span> <span class="c">// more than 60 seconds late.</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="k">range</span> <span class="n">time</span><span class="o">.</span><span class="n">Tick</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> <span class="p">{</span> <span class="n">figs</span><span class="o">.</span><span class="n">StoreString</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="n">onCallEngineer</span><span class="p">())</span> <span class="p">}</span> <span class="p">}()</span> <span class="c">// 3 lines below</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> </code></pre> </div> <p>Add the <code>onCallEngineer</code> function at the bottom of <code>main.go</code>, outside <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// onCallEngineer returns the name of the engineer on call right now.</span> <span class="c">//</span> <span class="c">// 04:00–07:59 → TEAM (everyone expected online)</span> <span class="c">// 08:00–14:59 → Darron</span> <span class="c">// 15:00–21:59 → Bradley</span> <span class="c">// 22:00–03:59 → Kevin (crosses midnight)</span> <span class="k">func</span> <span class="n">onCallEngineer</span><span class="p">()</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">h</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">Hour</span><span class="p">()</span> <span class="k">switch</span> <span class="p">{</span> <span class="k">case</span> <span class="n">h</span> <span class="o">&gt;=</span> <span class="m">4</span> <span class="o">&amp;&amp;</span> <span class="n">h</span> <span class="o">&lt;</span> <span class="m">8</span><span class="o">:</span> <span class="k">return</span> <span class="s">"TEAM"</span> <span class="k">case</span> <span class="n">h</span> <span class="o">&gt;=</span> <span class="m">8</span> <span class="o">&amp;&amp;</span> <span class="n">h</span> <span class="o">&lt;</span> <span class="m">15</span><span class="o">:</span> <span class="k">return</span> <span class="s">"Darron"</span> <span class="k">case</span> <span class="n">h</span> <span class="o">&gt;=</span> <span class="m">15</span> <span class="o">&amp;&amp;</span> <span class="n">h</span> <span class="o">&lt;</span> <span class="m">22</span><span class="o">:</span> <span class="k">return</span> <span class="s">"Bradley"</span> <span class="k">default</span><span class="o">:</span> <span class="c">// 22:00–03:59</span> <span class="k">return</span> <span class="s">"Kevin"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run it again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span>mysecret go run <span class="nb">.</span> </code></pre> </div> <p>To prove the validator works, temporarily set <code>port: 99999</code> in <code>config.yml</code> and run again. You will see figtree refuse to load with a clear error. Set it back to <code>8080</code>.</p> <blockquote> <p><strong>Mistake trap:</strong> Move the mutations goroutine to before <code>figs.Load()</code> and run it. The channel exists but the tree has not resolved its values yet — mutations fired during load will not be seen because the goroutine may not be scheduled before load completes. Always start the mutations goroutine after <code>Load()</code> returns.</p> </blockquote> <h2> Step 4 — Wire verbose, replace fmt, register the admin token </h2> <p>Now that figtree is loading and validating configuration correctly, you can wire up the logger. verbose needs to be initialised before any log call — and the admin token needs to be registered as a secret immediately after, before anything else in the program touches it.</p> <p>Add <code>verbose</code> to your imports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"time"</span> <span class="c">// add this</span> <span class="s">"github.com/andreimerlescu/verbose"</span> <span class="s">"github.com/andreimerlescu/figtree/v2"</span> <span class="p">)</span> </code></pre> </div> <p>Add the verbose initialisation block right after the goroutines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="k">range</span> <span class="n">time</span><span class="o">.</span><span class="n">Tick</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> <span class="p">{</span> <span class="n">figs</span><span class="o">.</span><span class="n">StoreString</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">,</span> <span class="n">onCallEngineer</span><span class="p">())</span> <span class="p">}</span> <span class="p">}()</span> <span class="c">// add this block</span> <span class="c">// initialise verbose before any log call — guard() will stderr and no-op</span> <span class="c">// if you call verbose functions before this point</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verbose</span><span class="o">.</span><span class="n">NewLogger</span><span class="p">(</span><span class="n">verbose</span><span class="o">.</span><span class="n">Options</span><span class="p">{</span> <span class="n">Dir</span><span class="o">:</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">),</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"keyserver"</span><span class="p">,</span> <span class="n">Truncate</span><span class="o">:</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Bool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">),</span> <span class="n">DirMode</span><span class="o">:</span> <span class="m">0</span><span class="n">o755</span><span class="p">,</span> <span class="n">FileMode</span><span class="o">:</span> <span class="m">0</span><span class="n">o640</span><span class="p">,</span> <span class="p">});</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"verbose.NewLogger: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// read the admin token once — this is the value we protect at startup</span> <span class="n">adminToken</span> <span class="o">:=</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">)</span> <span class="c">// register the admin token as a verbose secret immediately.</span> <span class="c">// verbose stores only the SHA-512 digest — the plaintext is never retained.</span> <span class="c">// every log line written after this point that contains the raw token value</span> <span class="c">// will have it replaced with [ADMIN_TOKEN] automatically.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verbose</span><span class="o">.</span><span class="n">AddSecret</span><span class="p">(</span><span class="n">verbose</span><span class="o">.</span><span class="n">SecretBytes</span><span class="p">(</span><span class="n">adminToken</span><span class="p">),</span> <span class="s">"[ADMIN_TOKEN]"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"verbose.AddSecret: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// proof that scrubbing is active — this line contains the raw token.</span> <span class="c">// open logs/keyserver.log after running and you will see [ADMIN_TOKEN].</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"admin token registered — value in log: %s"</span><span class="p">,</span> <span class="n">adminToken</span><span class="p">)</span> <span class="c">// Version() is a function call, not a variable</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"keyserver starting (verbose v%s / figtree v%s)"</span><span class="p">,</span> <span class="n">verbose</span><span class="o">.</span><span class="n">VERSION</span><span class="p">,</span> <span class="n">figtree</span><span class="o">.</span><span class="n">Version</span><span class="p">())</span> <span class="c">// 3 lines below</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> </code></pre> </div> <p>Replace the <code>fmt.Printf</code> startup summary:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// remove this</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kHost</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Int</span><span class="p">(</span><span class="n">kPort</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Bool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">),</span> <span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"key-prefix=%s on-call=%s shift=%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">),</span> <span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"admin-token=%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kAdminToken</span><span class="p">))</span> <span class="c">// replace with this</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v key-prefix=%s on-call=%s shift=%s"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kHost</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Int</span><span class="p">(</span><span class="n">kPort</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Bool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>Replace the <code>fmt.Printf</code> in the mutations goroutine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="k">go</span> <span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">m</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">figs</span><span class="o">.</span><span class="n">Mutations</span><span class="p">()</span> <span class="p">{</span> <span class="c">// remove this</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"config mutation: %s changed from %v to %v at %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Property</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Old</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">New</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">When</span><span class="p">)</span> <span class="c">// replace with this</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"config mutation: %s changed from %v to %v at %s"</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Property</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">Old</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">New</span><span class="p">,</span> <span class="n">m</span><span class="o">.</span><span class="n">When</span><span class="p">)</span> <span class="p">}</span> <span class="p">}()</span> </code></pre> </div> <p>Run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span>mysecret go run <span class="nb">.</span> </code></pre> </div> <p>Open <code>logs/keyserver.log</code>. Find the line containing "admin token registered". The value <code>mysecret</code> does not appear — you will see <code>[ADMIN_TOKEN]</code> in its place. From this point forward, <code>mysecret</code> cannot appear in any log line this process writes.</p> <blockquote> <p><strong>Mistake trap:</strong> Call <code>verbose.Printf("test")</code> before <code>verbose.NewLogger</code> — move it above the <code>NewLogger</code> block and run. You will see the message printed to stderr with a "NewLogger or SetLogger has not been called" prefix. verbose does not panic — it fails open to stderr. Move the call back below <code>NewLogger</code>.</p> </blockquote> <h2> Step 5 — HTTP server skeleton </h2> <p>With logging and configuration solid, the server can be wired up. The three routes are stubs for now — each returns <code>200 OK</code> with a placeholder body. The <code>requireAdmin</code> middleware is the important piece here: it logs every auth attempt, which means the admin token will be scrubbed from those log lines automatically.</p> <p>Add <code>net/http</code> and <code>encoding/json</code> to your imports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="p">(</span> <span class="s">"fmt"</span> <span class="s">"os"</span> <span class="s">"time"</span> <span class="c">// add these</span> <span class="s">"encoding/json"</span> <span class="s">"net/http"</span> <span class="s">"github.com/andreimerlescu/verbose"</span> <span class="s">"github.com/andreimerlescu/figtree/v2"</span> <span class="p">)</span> </code></pre> </div> <p>Add the server block at the end of <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"host=%s port=%d log-dir=%s truncate=%v key-prefix=%s on-call=%s shift=%s"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kHost</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Int</span><span class="p">(</span><span class="n">kPort</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kLogDir</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Bool</span><span class="p">(</span><span class="n">kTruncate</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kOnCall</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Duration</span><span class="p">(</span><span class="n">kShiftDuration</span><span class="p">),</span> <span class="p">)</span> <span class="c">// add this block</span> <span class="c">// capture prefix once — used in handlers added in Step 6</span> <span class="n">prefix</span> <span class="o">:=</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kKeyPrefix</span><span class="p">)</span> <span class="n">_</span> <span class="o">=</span> <span class="n">prefix</span> <span class="c">// POST /keys — issue a new API key (admin only)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"POST /keys"</span><span class="p">,</span> <span class="n">requireAdmin</span><span class="p">(</span><span class="n">adminToken</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"status"</span><span class="o">:</span> <span class="s">"not implemented"</span><span class="p">})</span> <span class="p">}))</span> <span class="c">// GET /keys/{id}/verify — verify a presented key</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"GET /keys/{id}/verify"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span><span class="s">"status"</span><span class="o">:</span> <span class="s">"not implemented"</span><span class="p">})</span> <span class="p">})</span> <span class="c">// DELETE /keys/{id} — revoke and remove a key (admin only)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"DELETE /keys/{id}"</span><span class="p">,</span> <span class="n">requireAdmin</span><span class="p">(</span><span class="n">adminToken</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusNoContent</span><span class="p">)</span> <span class="p">}))</span> <span class="n">addr</span> <span class="o">:=</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="s">"%s:%d"</span><span class="p">,</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">kHost</span><span class="p">),</span> <span class="o">*</span><span class="n">figs</span><span class="o">.</span><span class="n">Int</span><span class="p">(</span><span class="n">kPort</span><span class="p">))</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"keyserver listening on http://%s"</span><span class="p">,</span> <span class="n">addr</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">http</span><span class="o">.</span><span class="n">ListenAndServe</span><span class="p">(</span><span class="n">addr</span><span class="p">,</span> <span class="no">nil</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// ListenAndServe only returns on error — log it with a trace and exit</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">Stderr</span><span class="p">,</span> <span class="s">"http.ListenAndServe: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">verbose</span><span class="o">.</span><span class="n">TracefReturn</span><span class="p">(</span><span class="s">"ListenAndServe failed: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">))</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="c">// 3 lines below — end of main</span> </code></pre> </div> <p>Add <code>requireAdmin</code> and <code>bearerToken</code> below <code>onCallEngineer</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// requireAdmin rejects requests whose Bearer token does not match adminToken.</span> <span class="c">// The token is already a verbose secret — the log line is safe.</span> <span class="k">func</span> <span class="n">requireAdmin</span><span class="p">(</span><span class="n">adminToken</span> <span class="kt">string</span><span class="p">,</span> <span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span> <span class="p">{</span> <span class="k">return</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">presented</span> <span class="o">:=</span> <span class="n">bearerToken</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"%s %s — auth attempt from %s token=%s"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">RemoteAddr</span><span class="p">,</span> <span class="n">presented</span><span class="p">)</span> <span class="k">if</span> <span class="n">presented</span> <span class="o">!=</span> <span class="n">adminToken</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"%s %s — FORBIDDEN"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"forbidden"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusForbidden</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">next</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// bearerToken extracts the token from Authorization: Bearer &lt;token&gt;</span> <span class="k">func</span> <span class="n">bearerToken</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">auth</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">auth</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">7</span> <span class="o">&amp;&amp;</span> <span class="n">auth</span><span class="p">[</span><span class="o">:</span><span class="m">7</span><span class="p">]</span> <span class="o">==</span> <span class="s">"Bearer "</span> <span class="p">{</span> <span class="k">return</span> <span class="n">auth</span><span class="p">[</span><span class="m">7</span><span class="o">:</span><span class="p">]</span> <span class="p">}</span> <span class="k">return</span> <span class="s">""</span> <span class="p">}</span> </code></pre> </div> <p>Run the server and curl the stubs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span>mysecret go run <span class="nb">.</span> &amp; curl <span class="nt">-s</span> <span class="nt">-X</span> POST http://localhost:8080/keys <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer mysecret"</span> curl <span class="nt">-s</span> http://localhost:8080/keys/test/verify curl <span class="nt">-s</span> <span class="nt">-X</span> DELETE http://localhost:8080/keys/test <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer mysecret"</span> <span class="nb">kill</span> %1 </code></pre> </div> <p>Check <code>logs/keyserver.log</code>. The auth lines show <code>token=[ADMIN_TOKEN]</code> — never <code>mysecret</code>.</p> <blockquote> <p><strong>Mistake trap:</strong> If you are on Go below 1.22, <code>http.HandleFunc("POST /keys", ...)</code> will not compile — the method prefix in the pattern is a 1.22 feature. Run <code>go version</code> to check. If needed, update your toolchain: <code>go get toolchain@go1.22.0</code>.</p> </blockquote> <h2> Step 6 — Issuance, verification, revocation, and runtime secret registration </h2> <p>This is the core of the application and the core demonstration of verbose. The moment a key is generated, <code>verbose.AddSecret</code> is called before anything else — before the key is stored, before it is logged, before it is returned to the caller. The window between generation and registration is zero.</p> <p>When a key is deleted, <code>verbose.RemoveSecret</code> is called. This is safe because a deleted key is dead — no future request will present it, so there is no future log line to protect. Removing it keeps the verbose runtime lean: the secrets registry does not grow forever, and scanning each log line is O(n) in the number of registered secrets. In a long-running server issuing thousands of keys, this matters. The same pattern applies to user sessions: register the session token on login, remove it on logout.</p> <p>Add the key store above <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// 3 lines above — imports</span> <span class="c">// add this block after imports, before main</span> <span class="c">// keyRecord holds metadata for one issued API key.</span> <span class="c">// The token value is the map key — never stored inside the struct.</span> <span class="k">type</span> <span class="n">keyRecord</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="s">`json:"id"`</span> <span class="n">IssuedAt</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="s">`json:"issued_at"`</span> <span class="n">IssuedTo</span> <span class="kt">string</span> <span class="s">`json:"issued_to"`</span> <span class="n">Revoked</span> <span class="kt">bool</span> <span class="s">`json:"revoked"`</span> <span class="p">}</span> <span class="k">var</span> <span class="p">(</span> <span class="n">keyStoreMu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">keyStore</span> <span class="o">=</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">keyRecord</span><span class="p">)</span> <span class="p">)</span> <span class="c">// 3 lines below — func main() {</span> </code></pre> </div> <p>Add <code>sync</code>, <code>crypto/rand</code>, and <code>encoding/hex</code> to imports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// add to import block</span> <span class="s">"crypto/rand"</span> <span class="s">"encoding/hex"</span> <span class="s">"sync"</span> </code></pre> </div> <p>Replace the <code>POST /keys</code> stub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"POST /keys"</span><span class="p">,</span> <span class="n">requireAdmin</span><span class="p">(</span><span class="n">adminToken</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// replace body</span> <span class="k">var</span> <span class="n">body</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">IssuedTo</span> <span class="kt">string</span> <span class="s">`json:"issued_to"`</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">json</span><span class="o">.</span><span class="n">NewDecoder</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span><span class="o">.</span><span class="n">Decode</span><span class="p">(</span><span class="o">&amp;</span><span class="n">body</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="o">||</span> <span class="n">body</span><span class="o">.</span><span class="n">IssuedTo</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"POST /keys — bad request from %s: %v"</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">RemoteAddr</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"issued_to is required"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">generateToken</span><span class="p">(</span><span class="n">prefix</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="c">// TracefReturn logs with a stack trace and returns the error —</span> <span class="c">// capture the return value, do not discard it</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"POST /keys — token generation failed: %v"</span><span class="p">,</span> <span class="n">verbose</span><span class="o">.</span><span class="n">TracefReturn</span><span class="p">(</span><span class="s">"generateToken: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">))</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"internal error"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// register with verbose FIRST — before store, before log, before response.</span> <span class="c">// after this line the token cannot appear in plaintext in any log output.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verbose</span><span class="o">.</span><span class="n">AddSecret</span><span class="p">(</span><span class="n">verbose</span><span class="o">.</span><span class="n">SecretBytes</span><span class="p">(</span><span class="n">token</span><span class="p">),</span> <span class="s">"[ISSUED_KEY]"</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"POST /keys — failed to protect token: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"internal error"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusInternalServerError</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">rec</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">keyRecord</span><span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="n">token</span><span class="p">,</span> <span class="n">IssuedAt</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UTC</span><span class="p">(),</span> <span class="n">IssuedTo</span><span class="o">:</span> <span class="n">body</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">,</span> <span class="p">}</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="n">keyStore</span><span class="p">[</span><span class="n">token</span><span class="p">]</span> <span class="o">=</span> <span class="n">rec</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="c">// safe to log — token is already scrubbed to [ISSUED_KEY]</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"POST /keys — issued key=%s to=%s at=%s"</span><span class="p">,</span> <span class="n">token</span><span class="p">,</span> <span class="n">body</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedAt</span><span class="o">.</span><span class="n">Format</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">RFC3339</span><span class="p">))</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusCreated</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"token"</span><span class="o">:</span> <span class="n">token</span><span class="p">,</span> <span class="s">"issued_to"</span><span class="o">:</span> <span class="n">body</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">,</span> <span class="s">"issued_at"</span><span class="o">:</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedAt</span><span class="o">.</span><span class="n">Format</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">RFC3339</span><span class="p">),</span> <span class="p">})</span> <span class="p">}))</span> <span class="c">// 3 lines below</span> </code></pre> </div> <p>Replace the <code>GET /keys/{id}/verify</code> stub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"GET /keys/{id}/verify"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// replace body</span> <span class="n">presented</span> <span class="o">:=</span> <span class="n">bearerToken</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">PathValue</span><span class="p">(</span><span class="s">"id"</span><span class="p">)</span> <span class="c">// log the attempt — if the caller sent a valid token it is already</span> <span class="c">// a verbose secret and will be scrubbed automatically</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"GET /keys/%s/verify — attempt from %s token=%s"</span><span class="p">,</span> <span class="n">id</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">RemoteAddr</span><span class="p">,</span> <span class="n">presented</span><span class="p">)</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="n">rec</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">keyStore</span><span class="p">[</span><span class="n">presented</span><span class="p">]</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="o">||</span> <span class="n">rec</span><span class="o">.</span><span class="n">Revoked</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"GET /keys/%s/verify — INVALID"</span><span class="p">,</span> <span class="n">id</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"invalid or revoked key"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusUnauthorized</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"GET /keys/%s/verify — VALID issued_to=%s"</span><span class="p">,</span> <span class="n">id</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">json</span><span class="o">.</span><span class="n">NewEncoder</span><span class="p">(</span><span class="n">w</span><span class="p">)</span><span class="o">.</span><span class="n">Encode</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">any</span><span class="p">{</span> <span class="s">"valid"</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="s">"issued_to"</span><span class="o">:</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">,</span> <span class="s">"issued_at"</span><span class="o">:</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedAt</span><span class="o">.</span><span class="n">Format</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">RFC3339</span><span class="p">),</span> <span class="p">})</span> <span class="p">})</span> <span class="c">// 3 lines below</span> </code></pre> </div> <p>Replace the <code>DELETE /keys/{id}</code> stub:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// 3 lines above</span> <span class="n">http</span><span class="o">.</span><span class="n">HandleFunc</span><span class="p">(</span><span class="s">"DELETE /keys/{id}"</span><span class="p">,</span> <span class="n">requireAdmin</span><span class="p">(</span><span class="n">adminToken</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// replace body</span> <span class="n">id</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">PathValue</span><span class="p">(</span><span class="s">"id"</span><span class="p">)</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="n">rec</span><span class="p">,</span> <span class="n">exists</span> <span class="o">:=</span> <span class="n">keyStore</span><span class="p">[</span><span class="n">id</span><span class="p">]</span> <span class="k">if</span> <span class="n">exists</span> <span class="p">{</span> <span class="n">rec</span><span class="o">.</span><span class="n">Revoked</span> <span class="o">=</span> <span class="no">true</span> <span class="p">}</span> <span class="n">keyStoreMu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">if</span> <span class="o">!</span><span class="n">exists</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"DELETE /keys/%s — not found"</span><span class="p">,</span> <span class="n">id</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"key not found"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusNotFound</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// the key is dead — safe to remove from verbose.</span> <span class="c">// removing it keeps the secrets registry lean: verbose scans every</span> <span class="c">// log line against every registered secret, so a smaller registry</span> <span class="c">// means faster logging. do not leave dead secrets registered forever.</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">verbose</span><span class="o">.</span><span class="n">RemoveSecret</span><span class="p">(</span><span class="n">verbose</span><span class="o">.</span><span class="n">SecretBytes</span><span class="p">(</span><span class="n">id</span><span class="p">));</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"DELETE /keys/%s — RemoveSecret error: %v"</span><span class="p">,</span> <span class="n">id</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">verbose</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"DELETE /keys/%s — revoked and removed from verbose (was issued to %s)"</span><span class="p">,</span> <span class="n">id</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">IssuedTo</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusNoContent</span><span class="p">)</span> <span class="p">}))</span> <span class="c">// 3 lines below</span> </code></pre> </div> <p>Add <code>generateToken</code> below <code>bearerToken</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// generateToken returns a cryptographically random token with the given prefix.</span> <span class="k">func</span> <span class="n">generateToken</span><span class="p">(</span><span class="n">prefix</span> <span class="kt">string</span><span class="p">)</span> <span class="p">(</span><span class="kt">string</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="m">24</span><span class="p">)</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rand</span><span class="o">.</span><span class="n">Read</span><span class="p">(</span><span class="n">b</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="s">""</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">prefix</span> <span class="o">+</span> <span class="n">hex</span><span class="o">.</span><span class="n">EncodeToString</span><span class="p">(</span><span class="n">b</span><span class="p">),</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p><strong>Mistake trap:</strong> Move <code>verbose.AddSecret</code> to after <code>keyStoreMu.Lock()</code> — just two lines later — and run the server. Issue a key. Look at the log line for <code>POST /keys — issued key=</code>. You will see the raw token value in plaintext because it was logged by <code>requireAdmin</code> in the auth check before it was registered. Order is not a style preference here. It is the security guarantee. Move <code>AddSecret</code> back to first.</p> </blockquote> <h2> Step 7 — The on-call engineer shift in action </h2> <p>The rotation goroutine has been running since Step 3, quietly updating a value. Now that verbose is wired, the mutation log entries are meaningful — and with <code>Pollinate: true</code>, an engineer can override the on-call value live from a second terminal without restarting the server.</p> <p>The shift goroutine is already in place. The mutations goroutine is already using <code>verbose.Printf</code> from Step 4. Run the server and open a second terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># terminal 1</span> <span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span>mysecret go run <span class="nb">.</span> <span class="c"># terminal 2 — override the on-call engineer without restarting</span> <span class="nb">export </span><span class="nv">ON_CALL_ENGINEER</span><span class="o">=</span>Kevin </code></pre> </div> <p>Watch <code>logs/keyserver.log</code> — within one minute you will see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[VERBOSE] keyserver.go:XX: config mutation: on-call-engineer changed from Darron to Kevin at 2026-04-20... </span></code></pre> </div> <p>The mutation fires because <code>Pollinate: true</code> causes figtree to re-read <code>ON_CALL_ENGINEER</code> every time <code>figs.String(kOnCall)</code> is called — which the rotation goroutine does every minute.</p> <p>If the on-call engineer name were a sensitive internal codename — a security handle, a contractor alias, anything you would not want in a log shipped to an aggregator — one <code>verbose.AddSecret(verbose.SecretBytes(name), "[ON_CALL]")</code> call in the rotation goroutine would scrub it from every future log line. The pattern is identical to what you did with the admin token.</p> <blockquote> <p><strong>Mistake trap:</strong> Remove <code>Pollinate: true</code> from <code>figtree.Options</code>, restart the server, and set <code>export ON_CALL_ENGINEER=Kevin</code> again. No mutation fires. The env var changed but figtree did not re-read it because Pollinate was off. Put <code>Pollinate: true</code> back.</p> </blockquote> <h2> Step 8 — The bash test script </h2> <p>Create <code>test.sh</code> in the project root. This script is the pass/fail gate for the tutorial. If your implementation is correct it exits <code>0</code>. Each assertion failure prints which step to revisit and exits immediately.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="c"># ── dependency check ──────────────────────────────────────────────────────────</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">command</span> <span class="nt">-v</span> curl &amp;&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: curl is required. Install it and rerun."</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">!</span> <span class="nb">command</span> <span class="nt">-v</span> jq &amp;&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"ERROR: jq is required."</span> <span class="nb">echo</span> <span class="s2">" macOS: brew install jq"</span> <span class="nb">echo</span> <span class="s2">" Linux: sudo apt install jq OR sudo yum install jq"</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># ── config ────────────────────────────────────────────────────────────────────</span> <span class="nv">ADMIN_TOKEN</span><span class="o">=</span><span class="s2">"test-admin-secret-1234"</span> <span class="nv">BASE</span><span class="o">=</span><span class="s2">"http://127.0.0.1:8080"</span> <span class="nv">LOG_FILE</span><span class="o">=</span><span class="s2">"./logs/keyserver.log"</span> <span class="c"># ── helpers ───────────────────────────────────────────────────────────────────</span> pass<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">" PASS: </span><span class="nv">$1</span><span class="s2">"</span><span class="p">;</span> <span class="o">}</span> fail<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">" FAIL: </span><span class="nv">$1</span><span class="s2"> — </span><span class="nv">$2</span><span class="s2">"</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> assert_status<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">label</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">expected</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nv">actual</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="nv">step</span><span class="o">=</span><span class="s2">"</span><span class="nv">$4</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$actual</span><span class="s2">"</span> <span class="nt">-ne</span> <span class="s2">"</span><span class="nv">$expected</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>fail <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="s2">"expected HTTP </span><span class="nv">$expected</span><span class="s2">, got </span><span class="nv">$actual</span><span class="s2"> (see step </span><span class="nv">$step</span><span class="s2">)"</span> <span class="k">fi </span>pass <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="o">}</span> assert_no_plaintext<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">label</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">secret</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nv">step</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="k">if </span><span class="nb">grep</span> <span class="nt">-qF</span> <span class="s2">"</span><span class="nv">$secret</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span>fail <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="s2">"plaintext secret found in log — verbose.AddSecret not called before logging (see step </span><span class="nv">$step</span><span class="s2">)"</span> <span class="k">fi </span>pass <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="o">}</span> assert_log_contains<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">label</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">pattern</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="nv">step</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="k">if</span> <span class="o">!</span> <span class="nb">grep</span> <span class="nt">-qF</span> <span class="s2">"</span><span class="nv">$pattern</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span>fail <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="s2">"expected '</span><span class="nv">$pattern</span><span class="s2">' in log — not found (see step </span><span class="nv">$step</span><span class="s2">)"</span> <span class="k">fi </span>pass <span class="s2">"</span><span class="nv">$label</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># ── build and start server ────────────────────────────────────────────────────</span> <span class="nb">echo</span> <span class="s2">"=&gt; building..."</span> go build <span class="nt">-o</span> keyserver_bin <span class="nb">.</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Build failed — fix compilation errors first."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"=&gt; starting server..."</span> <span class="nv">KEYSERVER_ADMIN_TOKEN</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span> ./keyserver_bin &amp; <span class="nv">SERVER_PID</span><span class="o">=</span><span class="nv">$!</span> <span class="nb">trap</span> <span class="s1">'kill $SERVER_PID 2&gt;/dev/null; rm -f keyserver_bin'</span> EXIT <span class="c"># wait for server to be ready — retry up to 10 times</span> <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 10<span class="si">)</span><span class="p">;</span> <span class="k">do if </span>curl <span class="nt">-sf</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/test/verify"</span> &amp;&gt;/dev/null<span class="p">;</span> <span class="k">then </span><span class="nb">break </span><span class="k">fi </span><span class="nb">sleep </span>0.5 <span class="k">done </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 1: admin token is scrubbed from logs (Step 4) ─────────────"</span> assert_no_plaintext <span class="s2">"admin token not in log"</span> <span class="s2">"</span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span> <span class="s2">"4"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 2: issue key for alice (Step 6) ────────────────────────────"</span> <span class="nv">ALICE_RESP</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">%{http_code}"</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"issued_to":"alice@example.com"}'</span><span class="si">)</span> <span class="nv">ALICE_STATUS</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ALICE_RESP</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-1</span><span class="si">)</span> <span class="nv">ALICE_BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ALICE_RESP</span><span class="s2">"</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> assert_status <span class="s2">"POST /keys alice"</span> 201 <span class="s2">"</span><span class="nv">$ALICE_STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nv">ALICE_TOKEN</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$ALICE_BODY</span><span class="s2">"</span> | jq <span class="nt">-r</span> .token<span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 3: issue key for bob (Step 6) ──────────────────────────────"</span> <span class="nv">BOB_RESP</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">%{http_code}"</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"issued_to":"bob@example.com"}'</span><span class="si">)</span> <span class="nv">BOB_STATUS</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$BOB_RESP</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-1</span><span class="si">)</span> <span class="nv">BOB_BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$BOB_RESP</span><span class="s2">"</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> assert_status <span class="s2">"POST /keys bob"</span> 201 <span class="s2">"</span><span class="nv">$BOB_STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nv">BOB_TOKEN</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$BOB_BODY</span><span class="s2">"</span> | jq <span class="nt">-r</span> .token<span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 4: issue key for carol (Step 6) ────────────────────────────"</span> <span class="nv">CAROL_RESP</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-w</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">%{http_code}"</span> <span class="nt">-X</span> POST <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"issued_to":"carol@example.com"}'</span><span class="si">)</span> <span class="nv">CAROL_STATUS</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CAROL_RESP</span><span class="s2">"</span> | <span class="nb">tail</span> <span class="nt">-1</span><span class="si">)</span> <span class="nv">CAROL_BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CAROL_RESP</span><span class="s2">"</span> | <span class="nb">head</span> <span class="nt">-1</span><span class="si">)</span> assert_status <span class="s2">"POST /keys carol"</span> 201 <span class="s2">"</span><span class="nv">$CAROL_STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nv">CAROL_TOKEN</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CAROL_BODY</span><span class="s2">"</span> | jq <span class="nt">-r</span> .token<span class="si">)</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 5: verify alice (Step 6) ───────────────────────────────────"</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/</span><span class="k">${</span><span class="nv">ALICE_TOKEN</span><span class="k">}</span><span class="s2">/verify"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$ALICE_TOKEN</span><span class="s2">"</span><span class="si">)</span> assert_status <span class="s2">"GET /keys alice/verify"</span> 200 <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 6: verify bob (Step 6) ─────────────────────────────────────"</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/</span><span class="k">${</span><span class="nv">BOB_TOKEN</span><span class="k">}</span><span class="s2">/verify"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$BOB_TOKEN</span><span class="s2">"</span><span class="si">)</span> assert_status <span class="s2">"GET /keys bob/verify"</span> 200 <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 7: verify carol (Step 6) ───────────────────────────────────"</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/</span><span class="k">${</span><span class="nv">CAROL_TOKEN</span><span class="k">}</span><span class="s2">/verify"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$CAROL_TOKEN</span><span class="s2">"</span><span class="si">)</span> assert_status <span class="s2">"GET /keys carol/verify"</span> 200 <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 8: revoke bob (Step 6) ─────────────────────────────────────"</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="nt">-X</span> DELETE <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/</span><span class="k">${</span><span class="nv">BOB_TOKEN</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$ADMIN_TOKEN</span><span class="s2">"</span><span class="si">)</span> assert_status <span class="s2">"DELETE /keys bob"</span> 204 <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 9: verify bob after revocation — expect 401 (Step 6) ───────"</span> <span class="nv">STATUS</span><span class="o">=</span><span class="si">$(</span>curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{http_code}"</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">/keys/</span><span class="k">${</span><span class="nv">BOB_TOKEN</span><span class="k">}</span><span class="s2">/verify"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$BOB_TOKEN</span><span class="s2">"</span><span class="si">)</span> assert_status <span class="s2">"GET /keys bob/verify after revoke"</span> 401 <span class="s2">"</span><span class="nv">$STATUS</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 10: alice and carol tokens not in log (Step 6) ─────────────"</span> assert_no_plaintext <span class="s2">"alice token not in log"</span> <span class="s2">"</span><span class="nv">$ALICE_TOKEN</span><span class="s2">"</span> <span class="s2">"6"</span> assert_no_plaintext <span class="s2">"carol token not in log"</span> <span class="s2">"</span><span class="nv">$CAROL_TOKEN</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 11: bob token not in log (Step 6) ──────────────────────────"</span> <span class="c"># bob's token was removed via RemoveSecret after revocation.</span> <span class="c"># if the implementation is correct the token never appeared in plaintext</span> <span class="c"># because AddSecret was called before any logging.</span> assert_no_plaintext <span class="s2">"bob token not in log"</span> <span class="s2">"</span><span class="nv">$BOB_TOKEN</span><span class="s2">"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 12: scrub markers present in log (Step 4 + 6) ─────────────"</span> assert_log_contains <span class="s2">"[ADMIN_TOKEN] in log"</span> <span class="s2">"[ADMIN_TOKEN]"</span> <span class="s2">"4"</span> assert_log_contains <span class="s2">"[ISSUED_KEY] in log"</span> <span class="s2">"[ISSUED_KEY]"</span> <span class="s2">"6"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"── assertion 13: on-call mutation visible in log (Step 7) ───────────────"</span> <span class="nb">export </span><span class="nv">ON_CALL_ENGINEER</span><span class="o">=</span><span class="s2">"TEAM"</span> <span class="nb">echo</span> <span class="s2">" waiting up to 90s for on-call mutation to appear in log..."</span> <span class="k">for </span>i <span class="k">in</span> <span class="si">$(</span><span class="nb">seq </span>1 18<span class="si">)</span><span class="p">;</span> <span class="k">do if </span><span class="nb">grep</span> <span class="nt">-qF</span> <span class="s2">"on-call-engineer"</span> <span class="s2">"</span><span class="nv">$LOG_FILE</span><span class="s2">"</span> 2&gt;/dev/null<span class="p">;</span> <span class="k">then </span>pass <span class="s2">"on-call mutation in log"</span> <span class="nb">break </span><span class="k">fi </span><span class="nb">sleep </span>5 <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$i</span><span class="s2">"</span> <span class="nt">-eq</span> 18 <span class="o">]</span><span class="p">;</span> <span class="k">then </span>fail <span class="s2">"on-call mutation in log"</span> <span class="s2">"mutation not seen after 90s — check Pollinate:true and mutations goroutine (see step 7)"</span> <span class="k">fi done </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════════════"</span> <span class="nb">echo</span> <span class="s2">" All assertions passed. Your implementation is correct."</span> <span class="nb">echo</span> <span class="s2">"════════════════════════════════════════════════════════════════════════"</span> </code></pre> </div> <p>Make it executable and run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x test.sh ./test.sh </code></pre> </div> <p>If every assertion passes you see the final banner. If any assertion fails the script exits immediately with the step number to revisit. Fix that step and rerun — the script always starts fresh.</p> <h2> Step 9 — Closing: What You Built and What Comes Next </h2> <p>You started this tutorial with an empty directory and two <code>go get</code> commands. You finished with a running HTTP server that issues, verifies, and revokes API keys — and whose log file provably contains no plaintext secrets. Run <code>./test.sh</code> one final time and watch every assertion pass. That exit <code>0</code> is not a formality. It is a guarantee backed by SHA-512.</p> <p>Take a moment to understand what you actually built and why each piece was chosen.</p> <p><code>verbose</code> is not just a logger. Every other logger in the Go ecosystem — <code>log</code>, <code>slog</code>, <code>zap</code>, <code>zerolog</code> — will faithfully write whatever string you hand it. <code>verbose</code> is the only one that knows what your secrets are and refuses to write them. The moment you call <code>verbose.AddSecret(verbose.SecretBytes(token), "[ISSUED_KEY]")</code>, that token's SHA-512 digest enters a registry and every subsequent log line is scanned against it before it touches disk. The plaintext never persists inside <code>verbose</code> — not in memory, not on disk. When you called <code>verbose.RemoveSecret</code> on revocation, you kept that registry lean deliberately: a server that issues thousands of keys over its lifetime should not accumulate thousands of dead secrets in a scanner it runs on every single log call.</p> <p><code>figtree</code> is not just a flag parser. It is a priority-ordered configuration resolver — file, then environment, then CLI — with validators, rules, and a mutation channel that watches values change at runtime. <code>RuleNoFlags</code> on <code>kAdminToken</code> is not decoration. It is an enforcement boundary. The key name <code>"keyserver-admin-token"</code> being deliberately long is not an accident — it is a design statement: secrets should be inconvenient to pass on a command line because command lines end up in shell history, process lists, and CI logs.</p> <p>The on-call rotation is a small thing, but it demonstrates something real: configuration is not static. Values change while a server runs. <code>Pollinate: true</code> and the mutations channel give you an observable, logged record of every change. In a real system that might be a database password rotating, a feature flag toggling, a rate limit updating. The pattern is identical regardless of what the value is.</p> <h3> The packages used in this tutorial are part of a larger body of open source work </h3> <p>Both <code>verbose</code> and <code>figtree</code> were written by <strong>Andrei Merlescu</strong> — <a href="https://github.com/andreimerlescu" rel="noopener noreferrer">@andreimerlescu</a> on GitHub. His profile carries 99 public repositories built across 17 years of professional software engineering spanning Cisco, Oracle, Warner Bros. Games, and SurgePays, written primarily in Go, Ruby, PHP, and Bash.</p> <p>Some repositories worth exploring alongside the two you just used:</p> <ul> <li> <strong><a href="https://github.com/andreimerlescu/checkfs" rel="noopener noreferrer"><code>checkfs</code></a></strong> — filesystem existence and permission checks for <code>File</code> and <code>Directory</code>. Pairs naturally with figtree when you want to validate that a config-supplied path actually exists before your server starts.</li> <li> <strong><a href="https://github.com/andreimerlescu/sema" rel="noopener noreferrer"><code>sema</code></a></strong> — semaphore primitives for Go. Useful when the keyserver you just built needs to limit concurrent issuance requests.</li> <li> <strong><a href="https://github.com/andreimerlescu/go-passwd" rel="noopener noreferrer"><code>go-passwd</code></a></strong> — safe password auditing. If your keyserver ever needs to validate that an incoming credential meets a strength policy before issuing a key, this is the package.</li> <li> <strong><a href="https://github.com/andreimerlescu/summarize" rel="noopener noreferrer"><code>summarize</code></a></strong> + <strong><a href="https://github.com/andreimerlescu/aigcm" rel="noopener noreferrer"><code>aigcm</code></a></strong> — AI-assisted project summarization and git commit message generation using local Ollama models. If you are building on an M-series Mac with local models, these are worth looking at.</li> <li> <strong><a href="https://github.com/andreimerlescu/lemmings" rel="noopener noreferrer"><code>lemmings</code></a></strong> — load testing built around the concept of NPCs moving through your infrastructure as simulated users across geographic terrains and pack sizes. If you want to know what your keyserver does under real traffic before you ship it, lemmings is how you find out. It was built specifically because existing tools like <code>ab</code> did not answer the question Andrei needed answered when he launched Trakify in 2015 and got a surge of traffic from a Barron's Magazine feature. The tool he wished he had then exists now and it is free.</li> </ul> <p>The code is yours. The packages are free. The log file is clean.</p> logging go secrets security MovieSync: Redefining Intermissions with Live Crowd Data Koushik Raghavan Mon, 20 Apr 2026 15:52:40 +0000 https://dev.to/koushik_raghavan_15bce601/moviesync-redefining-intermissions-with-live-crowd-data-5c3g https://dev.to/koushik_raghavan_15bce601/moviesync-redefining-intermissions-with-live-crowd-data-5c3g <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x2pizrzwmh5e5ewisfc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9x2pizrzwmh5e5ewisfc.png" alt=" " width="800" height="361"></a></p> <h2> Building MovieSync in Public (with Antigravity) 🎬🚀 </h2> <p>We’ve all faced this…<br> You step out during a movie break, thinking you’ll grab snacks or use the washroom quickly — but end up stuck in long queues. Short break, long wait.</p> <p>That’s where the idea of MovieSync came from.</p> <h2> The Problem </h2> <p>Intermissions are limited, but there’s zero visibility on crowd levels. You just guess… and sometimes regret it.</p> <h2> The Idea </h2> <p>I built MovieSync, a real-time dashboard that shows how crowded different areas are inside a venue.<br> Simple color signals help you decide instantly:</p> <p>🟢 Low crowd<br> 🟠 Medium<br> 🔴 High congestion</p> <p>No guesswork. Just smarter decisions.</p> <h2> Tech Stack </h2> <ul> <li>React + Vite for a fast, lightweight frontend</li> <li>Vanilla CSS (no heavy UI libraries)</li> <li>Docker (multi-stage build)</li> <li>Nginx for serving the app</li> <li>Google Cloud Run for serverless deployment</li> <li>Antigravity to speed up development &amp; workflow</li> </ul> <h2> How I Built It </h2> <p>I focused on keeping things simple and clean.<br> Instead of using UI frameworks, I designed everything from scratch using glassmorphism styles, smooth transitions, and subtle animations.</p> <p>Since I didn’t have real sensors, I created a simulation that mimics real-time data (like WebSockets). The dashboard updates dynamically to reflect crowd density.</p> <h2> Deployment </h2> <p>Used Docker with a multi-stage build:</p> <ul> <li>Node → build optimized assets</li> <li>Nginx → serve the app on port 8080</li> </ul> <p>Deployed on Google Cloud Run for automatic scaling.</p> <h2> Where Antigravity Helped </h2> <p>Antigravity made a big difference by:</p> <ul> <li>Speeding up initial setup</li> <li>Making UI iterations faster</li> <li>Simplifying deployment flow</li> <li>Reducing overall complexity</li> </ul> <p>It helped me move faster from idea → working product.</p> <h2> Key Features </h2> <ul> <li>Real-time crowd dashboard</li> <li>Lightweight and responsive UI</li> <li>Dockerized production build</li> <li>Serverless deployment</li> <li>Built in public</li> </ul> <h2> What’s Next </h2> <ul> <li>Real IoT integration</li> <li>WebSocket backend</li> <li>Predictive crowd insights</li> <li>Mobile PWA version</li> <li>Multi-theatre support</li> </ul> <h2> Final Thought </h2> <p>This project showed me how quickly you can build something useful using the right tools. Building in public also made the journey more real and accountable.</p> <p><strong>What are you building right now? 🚀</strong></p> ai webdev programming antigravity Construindo um explorador de rede societária com grafos em Python Pedro Parker Mon, 20 Apr 2026 15:51:46 +0000 https://dev.to/pedroparker/construindo-um-explorador-de-rede-societaria-com-grafos-em-python-jck https://dev.to/pedroparker/construindo-um-explorador-de-rede-societaria-com-grafos-em-python-jck <p>Uma das funcionalidades mais interessantes do <a href="https://cnpjaberto.com.br/" rel="noopener noreferrer">CNPJ Aberto</a> é a <strong>rede societária</strong> — dado um CNPJ, o sistema mapeia todos os sócios da empresa, encontra <strong>outras empresas</strong> desses mesmos sócios, e constrói um grafo de conexões.</p> <p>Isso transforma dados tabulares (CSV da Receita Federal) em <strong>inteligência empresarial</strong>. Advogados usam para due diligence, jornalistas para investigação, e analistas de crédito para avaliação de risco.</p> <p>Neste post, vou mostrar como construímos esse sistema.</p> <h2> O modelo de dados </h2> <p>A base da Receita Federal tem uma relação simples:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>empresas (cnpj_basico) ←──1:N──→ socios (cnpj_basico, nome_socio) </code></pre> </div> <p>Cada empresa tem N sócios. Cada sócio pode aparecer em múltiplas empresas (identificado pelo nome). E um sócio pode ser uma <strong>pessoa jurídica</strong> (outra empresa), criando conexões indiretas.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Empresa A ← sócio "João Silva" → Empresa B Empresa B ← sócio PJ "Empresa C" → Empresa C Empresa C ← sócio "Maria Santos" → Empresa D </code></pre> </div> <p>Isso forma um <strong>grafo</strong> que pode revelar estruturas corporativas complexas.</p> <h2> Modelagem do grafo </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">GrupoNode</span><span class="p">:</span> <span class="nb">id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">tipo</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># "empresa" | "pessoa" </span> <span class="n">label</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># razão social ou nome </span> <span class="n">cnpj</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">situacao_cadastral</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">capital_social</span><span class="p">:</span> <span class="nb">float</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">uf</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">is_target</span><span class="p">:</span> <span class="nb">bool</span> <span class="c1"># é a empresa que o usuário consultou? </span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">GrupoEdge</span><span class="p">:</span> <span class="n">source</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># node ID </span> <span class="n">target</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># node ID </span> <span class="n">label</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># qualificação do sócio </span></code></pre> </div> <p>O grafo é uma lista de <strong>nodes</strong> (empresas e pessoas) e <strong>edges</strong> (relações societárias). Simples e serializável para JSON.</p> <h2> O traversal recursivo </h2> <p>O algoritmo começa em uma empresa e <strong>expande</strong> recursivamente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">MAX_DEPTH</span> <span class="o">=</span> <span class="mi">2</span> <span class="n">MAX_NETWORK_NODES</span> <span class="o">=</span> <span class="mi">150</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_grupo_empresarial</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db</span><span class="p">):</span> <span class="n">nodes</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">edges</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">await</span> <span class="nf">traverse_company</span><span class="p">(</span> <span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">is_target</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">nodes</span><span class="sh">"</span><span class="p">:</span> <span class="nf">list</span><span class="p">(</span><span class="n">nodes</span><span class="p">.</span><span class="nf">values</span><span class="p">()),</span> <span class="sh">"</span><span class="s">edges</span><span class="sh">"</span><span class="p">:</span> <span class="n">edges</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h3> traverse_company: o coração do algoritmo </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">traverse_company</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span><span class="p">,</span> <span class="n">is_target</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span> <span class="k">if</span> <span class="n">depth</span> <span class="o">&gt;</span> <span class="n">MAX_DEPTH</span><span class="p">:</span> <span class="k">return</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">nodes</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">MAX_NETWORK_NODES</span><span class="p">:</span> <span class="k">return</span> <span class="n">company_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">emp:</span><span class="si">{</span><span class="n">cnpj_basico</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">company_id</span> <span class="ow">in</span> <span class="n">nodes</span><span class="p">:</span> <span class="k">return</span> <span class="c1"># Já visitado — evita ciclos </span> <span class="c1"># 1. Buscar dados da empresa </span> <span class="n">empresa</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">Empresa</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Empresa</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">==</span> <span class="n">cnpj_basico</span> <span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">empresa</span><span class="p">:</span> <span class="k">return</span> <span class="n">matriz</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">Estabelecimento</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">==</span> <span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">identificador_matriz_filial</span> <span class="o">==</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span> <span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="c1"># Adicionar node da empresa </span> <span class="n">nodes</span><span class="p">[</span><span class="n">company_id</span><span class="p">]</span> <span class="o">=</span> <span class="nc">GrupoNode</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">company_id</span><span class="p">,</span> <span class="n">tipo</span><span class="o">=</span><span class="sh">"</span><span class="s">empresa</span><span class="sh">"</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">empresa</span><span class="p">.</span><span class="n">razao_social</span><span class="p">,</span> <span class="n">cnpj</span><span class="o">=</span><span class="nf">format_cnpj</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">),</span> <span class="n">situacao_cadastral</span><span class="o">=</span><span class="n">matriz</span><span class="p">.</span><span class="n">situacao_cadastral</span> <span class="k">if</span> <span class="n">matriz</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">capital_social</span><span class="o">=</span><span class="n">empresa</span><span class="p">.</span><span class="n">capital_social</span><span class="p">,</span> <span class="n">uf</span><span class="o">=</span><span class="n">matriz</span><span class="p">.</span><span class="n">uf</span> <span class="k">if</span> <span class="n">matriz</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">is_target</span><span class="o">=</span><span class="n">is_target</span><span class="p">,</span> <span class="p">)</span> <span class="c1"># 2. Buscar sócios desta empresa </span> <span class="n">socios</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">Socio</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">==</span> <span class="n">cnpj_basico</span> <span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">for</span> <span class="n">socio</span> <span class="ow">in</span> <span class="n">socios</span><span class="p">:</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">nodes</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">MAX_NETWORK_NODES</span><span class="p">:</span> <span class="k">break</span> <span class="k">if</span> <span class="n">socio</span><span class="p">.</span><span class="n">identificador_socio</span> <span class="o">==</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span> <span class="ow">and</span> <span class="n">socio</span><span class="p">.</span><span class="n">cpf_cnpj_socio</span><span class="p">:</span> <span class="c1"># Sócio é PESSOA JURÍDICA → seguir como outra empresa </span> <span class="n">socio_cnpj</span> <span class="o">=</span> <span class="n">socio</span><span class="p">.</span><span class="n">cpf_cnpj_socio</span><span class="p">[:</span><span class="mi">8</span><span class="p">]</span> <span class="n">socio_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">emp:</span><span class="si">{</span><span class="n">socio_cnpj</span><span class="si">}</span><span class="sh">"</span> <span class="n">edges</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">GrupoEdge</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">socio_id</span><span class="p">,</span> <span class="n">target</span><span class="o">=</span><span class="n">company_id</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">socio</span><span class="p">.</span><span class="n">qualificacao</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">Sócio PJ</span><span class="sh">"</span><span class="p">,</span> <span class="p">))</span> <span class="c1"># Recursão: explorar a empresa sócia </span> <span class="k">await</span> <span class="nf">traverse_company</span><span class="p">(</span> <span class="n">socio_cnpj</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span> <span class="o">+</span> <span class="mi">1</span> <span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Sócio é PESSOA FÍSICA </span> <span class="n">person_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pf:</span><span class="si">{</span><span class="nf">sanitize</span><span class="p">(</span><span class="n">socio</span><span class="p">.</span><span class="n">nome_socio</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">person_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">nodes</span><span class="p">:</span> <span class="n">nodes</span><span class="p">[</span><span class="n">person_id</span><span class="p">]</span> <span class="o">=</span> <span class="nc">GrupoNode</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">person_id</span><span class="p">,</span> <span class="n">tipo</span><span class="o">=</span><span class="sh">"</span><span class="s">pessoa</span><span class="sh">"</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">socio</span><span class="p">.</span><span class="n">nome_socio</span><span class="p">,</span> <span class="n">cnpj</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">situacao_cadastral</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">capital_social</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">uf</span><span class="o">=</span><span class="bp">None</span><span class="p">,</span> <span class="n">is_target</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="n">edges</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">GrupoEdge</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">person_id</span><span class="p">,</span> <span class="n">target</span><span class="o">=</span><span class="n">company_id</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="n">socio</span><span class="p">.</span><span class="n">qualificacao</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">Sócio</span><span class="sh">"</span><span class="p">,</span> <span class="p">))</span> <span class="c1"># 3. Buscar OUTRAS empresas desta pessoa </span> <span class="k">await</span> <span class="nf">expand_person</span><span class="p">(</span> <span class="n">socio</span><span class="p">.</span><span class="n">nome_socio</span><span class="p">,</span> <span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span> <span class="p">)</span> </code></pre> </div> <h3> expand_person: encontrando empresas conectadas </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">expand_person</span><span class="p">(</span><span class="n">nome_socio</span><span class="p">,</span> <span class="n">exclude_cnpj</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span><span class="p">):</span> <span class="c1"># Buscar outros cnpj_basico onde esta pessoa é sócia </span> <span class="n">other_companies</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span><span class="p">).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Socio</span><span class="p">.</span><span class="n">nome_socio</span> <span class="o">==</span> <span class="n">nome_socio</span><span class="p">,</span> <span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">!=</span> <span class="n">exclude_cnpj</span><span class="p">,</span> <span class="p">).</span><span class="nf">distinct</span><span class="p">().</span><span class="nf">limit</span><span class="p">(</span><span class="mi">10</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="n">person_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pf:</span><span class="si">{</span><span class="nf">sanitize</span><span class="p">(</span><span class="n">nome_socio</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">other_companies</span><span class="p">:</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">nodes</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">MAX_NETWORK_NODES</span><span class="p">:</span> <span class="k">break</span> <span class="n">company_id</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">emp:</span><span class="si">{</span><span class="n">row</span><span class="p">.</span><span class="n">cnpj_basico</span><span class="si">}</span><span class="sh">"</span> <span class="n">edges</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nc">GrupoEdge</span><span class="p">(</span> <span class="n">source</span><span class="o">=</span><span class="n">person_id</span><span class="p">,</span> <span class="n">target</span><span class="o">=</span><span class="n">company_id</span><span class="p">,</span> <span class="n">label</span><span class="o">=</span><span class="sh">"</span><span class="s">Sócio</span><span class="sh">"</span><span class="p">,</span> <span class="p">))</span> <span class="c1"># Continuar traversal na empresa encontrada </span> <span class="k">await</span> <span class="nf">traverse_company</span><span class="p">(</span> <span class="n">row</span><span class="p">.</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">,</span> <span class="n">nodes</span><span class="p">,</span> <span class="n">edges</span><span class="p">,</span> <span class="n">depth</span> <span class="o">+</span> <span class="mi">1</span> <span class="p">)</span> </code></pre> </div> <h2> Proteções contra explosão combinatória </h2> <p>Sem limitações, o grafo pode explodir. Um sócio que aparece em 200 empresas, cada empresa com 5 sócios, cada sócio em 10 empresas... rapidamente vira milhões de nodes.</p> <p>As proteções:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Proteção</th> <th>Valor</th> <th>Por quê</th> </tr> </thead> <tbody> <tr> <td><code>MAX_DEPTH</code></td> <td>2</td> <td>Limita a profundidade da recursão</td> </tr> <tr> <td><code>MAX_NETWORK_NODES</code></td> <td>150</td> <td>Cap total de nodes no grafo</td> </tr> <tr> <td> <code>LIMIT 10</code> em <code>expand_person</code> </td> <td>10</td> <td>Limita empresas por pessoa</td> </tr> <tr> <td>Checagem <code>if company_id in nodes</code> </td> <td>—</td> <td>Evita ciclos e re-processamento</td> </tr> </tbody> </table></div> <p><strong>Depth 2 é suficiente?</strong> Na prática, sim. A maioria das estruturas societárias interessantes fica a 1-2 hops de distância. Ir mais fundo geralmente adiciona ruído sem valor.</p> <h2> Detecção de Red Flags </h2> <p>Com o grafo pronto, podemos detectar padrões suspeitos:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">detect_red_flags</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">):</span> <span class="n">flags</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># 1. Sócio em muitas empresas (possível laranja) </span> <span class="n">socios</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">Socio</span><span class="p">.</span><span class="n">nome_socio</span><span class="p">,</span> <span class="n">func</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="nf">distinct</span><span class="p">(</span><span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span><span class="p">))</span> <span class="p">).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">==</span> <span class="n">cnpj_basico</span> <span class="p">).</span><span class="nf">group_by</span><span class="p">(</span><span class="n">Socio</span><span class="p">.</span><span class="n">nome_socio</span><span class="p">).</span><span class="nf">all</span><span class="p">()</span> <span class="k">for</span> <span class="n">nome</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">socios</span><span class="p">:</span> <span class="n">total</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="nf">distinct</span><span class="p">(</span><span class="n">Socio</span><span class="p">.</span><span class="n">cnpj_basico</span><span class="p">))).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Socio</span><span class="p">.</span><span class="n">nome_socio</span> <span class="o">==</span> <span class="n">nome</span> <span class="p">).</span><span class="nf">scalar</span><span class="p">()</span> <span class="k">if</span> <span class="n">total</span> <span class="o">&gt;=</span> <span class="mi">5</span><span class="p">:</span> <span class="n">flags</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">tipo</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">socio_multiplas_empresas</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severidade</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">media</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">titulo</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Sócio em </span><span class="si">{</span><span class="n">total</span><span class="si">}</span><span class="s"> empresas</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">descricao</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">nome</span><span class="si">}</span><span class="s"> é sócio em </span><span class="si">{</span><span class="n">total</span><span class="si">}</span><span class="s"> empresas diferentes</span><span class="sh">"</span><span class="p">,</span> <span class="p">})</span> <span class="c1"># 2. Muitas empresas no mesmo endereço </span> <span class="n">matriz</span> <span class="o">=</span> <span class="nf">get_matriz</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> <span class="k">if</span> <span class="n">matriz</span> <span class="ow">and</span> <span class="n">matriz</span><span class="p">.</span><span class="n">cep</span> <span class="ow">and</span> <span class="n">matriz</span><span class="p">.</span><span class="n">logradouro</span><span class="p">:</span> <span class="n">same_address</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="nf">count</span><span class="p">()).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">cep</span> <span class="o">==</span> <span class="n">matriz</span><span class="p">.</span><span class="n">cep</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">logradouro</span> <span class="o">==</span> <span class="n">matriz</span><span class="p">.</span><span class="n">logradouro</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">numero</span> <span class="o">==</span> <span class="n">matriz</span><span class="p">.</span><span class="n">numero</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">!=</span> <span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">identificador_matriz_filial</span> <span class="o">==</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="p">).</span><span class="nf">scalar</span><span class="p">()</span> <span class="k">if</span> <span class="n">same_address</span> <span class="o">&gt;=</span> <span class="mi">3</span><span class="p">:</span> <span class="n">flags</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">tipo</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">concentracao_endereco</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severidade</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">baixa</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">titulo</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">same_address</span><span class="si">}</span><span class="s"> empresas no mesmo endereço</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">descricao</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Concentração incomum de empresas</span><span class="sh">"</span><span class="p">,</span> <span class="p">})</span> <span class="c1"># 3. Contato compartilhado (email ou telefone) </span> <span class="k">if</span> <span class="n">matriz</span> <span class="ow">and</span> <span class="n">matriz</span><span class="p">.</span><span class="n">email</span><span class="p">:</span> <span class="n">shared</span> <span class="o">=</span> <span class="n">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="nf">count</span><span class="p">(</span><span class="nf">distinct</span><span class="p">(</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="p">))).</span><span class="nf">filter</span><span class="p">(</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">email</span> <span class="o">==</span> <span class="n">matriz</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">Estabelecimento</span><span class="p">.</span><span class="n">cnpj_basico</span> <span class="o">!=</span> <span class="n">cnpj_basico</span><span class="p">,</span> <span class="p">).</span><span class="nf">scalar</span><span class="p">()</span> <span class="k">if</span> <span class="n">shared</span> <span class="o">&gt;=</span> <span class="mi">1</span><span class="p">:</span> <span class="n">flags</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span> <span class="sh">"</span><span class="s">tipo</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">contato_compartilhado</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severidade</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">baixa</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">titulo</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Email usado por outra empresa</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">descricao</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">O email </span><span class="si">{</span><span class="n">matriz</span><span class="p">.</span><span class="n">email</span><span class="si">}</span><span class="s"> aparece em </span><span class="si">{</span><span class="n">shared</span> <span class="o">+</span> <span class="mi">1</span><span class="si">}</span><span class="s"> empresas</span><span class="sh">"</span><span class="p">,</span> <span class="p">})</span> <span class="c1"># Calcular score de risco (0-100) </span> <span class="n">score</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span> <span class="mi">35</span> <span class="k">if</span> <span class="n">f</span><span class="p">[</span><span class="sh">"</span><span class="s">severidade</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">alta</span><span class="sh">"</span> <span class="k">else</span> <span class="mi">20</span> <span class="k">if</span> <span class="n">f</span><span class="p">[</span><span class="sh">"</span><span class="s">severidade</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">media</span><span class="sh">"</span> <span class="k">else</span> <span class="mi">10</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">flags</span> <span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">score</span><span class="sh">"</span><span class="p">:</span> <span class="nf">min</span><span class="p">(</span><span class="n">score</span><span class="p">,</span> <span class="mi">100</span><span class="p">),</span> <span class="sh">"</span><span class="s">flags</span><span class="sh">"</span><span class="p">:</span> <span class="n">flags</span><span class="p">}</span> </code></pre> </div> <h2> Cache: essencial para grafos </h2> <p>A construção do grafo envolve múltiplas queries recursivas. Sem cache, cada visualização levaria 1-3 segundos. Com Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">get_grupo_cached</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">):</span> <span class="n">cache_key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">grupo:</span><span class="si">{</span><span class="n">cnpj_basico</span><span class="si">}</span><span class="sh">"</span> <span class="n">cached</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">cache_key</span><span class="p">)</span> <span class="k">if</span> <span class="n">cached</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">cached</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">get_grupo_empresarial</span><span class="p">(</span><span class="n">cnpj_basico</span><span class="p">,</span> <span class="n">db</span><span class="p">)</span> <span class="c1"># Cache por 24h — dados mudam mensalmente </span> <span class="n">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="n">cache_key</span><span class="p">,</span> <span class="mi">86400</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">result</span><span class="p">))</span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <h2> Frontend: visualização do grafo </h2> <p>O JSON <code>{nodes, edges}</code> é renderizado no frontend com uma biblioteca de grafos. O componente React recebe os dados e renderiza nodes como cards e edges como linhas de conexão:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// Simplificado</span> <span class="kd">function</span> <span class="nf">CorporateGroup</span><span class="p">({</span> <span class="nx">cnpj</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">data</span><span class="p">,</span> <span class="nx">setData</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/intelligence/grupo/</span><span class="p">${</span><span class="nx">cnpj</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">r</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">setData</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">cnpj</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span> <span class="o">||</span> <span class="nx">data</span><span class="p">.</span><span class="nx">nodes</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"relative"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">nodes</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">node</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">NodeCard</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">node</span><span class="p">.</span><span class="nx">id</span><span class="si">}</span> <span class="na">node</span><span class="p">=</span><span class="si">{</span><span class="nx">node</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">edges</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">edge</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="p">&lt;</span><span class="nc">EdgeLine</span> <span class="na">key</span><span class="p">=</span><span class="si">{</span><span class="nx">i</span><span class="si">}</span> <span class="na">edge</span><span class="p">=</span><span class="si">{</span><span class="nx">edge</span><span class="si">}</span> <span class="na">nodes</span><span class="p">=</span><span class="si">{</span><span class="nx">data</span><span class="p">.</span><span class="nx">nodes</span><span class="si">}</span> <span class="p">/&gt;</span> <span class="p">))</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Empresas ativas são destacadas em verde, inativas em vermelho. A empresa alvo da consulta fica em destaque. Sócios PF são mostrados com ícone de pessoa.</p> <h2> Casos de uso reais </h2> <p>Esse tipo de análise de rede revela coisas que dados tabulares escondem:</p> <ol> <li><p><strong>Due diligence:</strong> "O sócio da empresa que estou contratando também é sócio de uma empresa com situação 'Inapta'?"</p></li> <li><p><strong>Investigação:</strong> "Quem são as pessoas por trás de um grupo de empresas com o mesmo endereço?"</p></li> <li><p><strong>Análise de crédito:</strong> "Este solicitante de empréstimo tem sócios com histórico de empresas encerradas?"</p></li> <li><p><strong>Compliance:</strong> "O fornecedor que estamos avaliando tem conexões com empresas em situação irregular?"</p></li> </ol> <h2> Conclusão </h2> <p>Construir um explorador de rede societária envolveu:</p> <ol> <li> <strong>Traversal recursivo</strong> com proteções contra explosão (depth, max nodes, ciclos)</li> <li> <strong>Dual-type nodes</strong> (empresa vs pessoa) com expansão bidirecional</li> <li> <strong>Heurísticas de red flags</strong> baseadas em padrões estatísticos</li> <li> <strong>Cache agressivo</strong> — grafos são caros de construir e mudam raramente</li> <li> <strong>Limites pragmáticos</strong> — depth 2 e 150 nodes cobrem 95% dos casos úteis</li> </ol> <p>A beleza é que tudo isso roda sobre <strong>dados públicos</strong>. Não há scraping, não há API paga, não há magia. São dados da Receita Federal, organizados e conectados de forma que se tornam inteligência de verdade.</p> <p>Quer explorar a rede societária de qualquer empresa brasileira? Teste no <a href="https://cnpjaberto.com.br/" rel="noopener noreferrer">CNPJ Aberto</a> de forma gratuita.</p> python algorithms datascience webdev I touched X11 for the first time in 30 years to run wrangler login. YouTube audio came with it. Kusnaware Mon, 20 Apr 2026 15:49:51 +0000 https://dev.to/kusnaware/i-touched-x11-for-the-first-time-in-30-years-to-run-wrangler-login-youtube-audio-came-with-it-1928 https://dev.to/kusnaware/i-touched-x11-for-the-first-time-in-30-years-to-run-wrangler-login-youtube-audio-came-with-it-1928 <h2> What this post is about </h2> <p>Here’s what I actually ended up doing:</p> <ul> <li>I wanted to run <code>wrangler login</code> on a GUI-less Ubuntu Server for a Cloudflare Workers project</li> <li>I already knew that <strong>API Token is the proper solution</strong> </li> <li>But I still wanted to see whether X11 forwarding could push the browser window to macOS</li> <li>It worked</li> <li>Then I got carried away, added PulseAudio forwarding, and ended up playing both YouTube video and audio on the macOS side</li> </ul> <p>Environment:</p> <ul> <li>macOS host</li> <li>VMware Fusion</li> <li>Ubuntu Server 24.04 guest</li> </ul> <h2> Why I even touched X11 in 2026 </h2> <p>I was working on a Cloudflare Workers project and needed to run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wrangler login </code></pre> </div> <p>That launches a browser for OAuth authentication.</p> <p>The problem was simple: my working environment was <strong>Ubuntu Server</strong>, not Ubuntu Desktop. No GUI, no local browser, no OAuth screen.</p> <p>At that point there were two obvious options:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Method</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>API Token</strong></td> <td>The proper way. Generate a token in Cloudflare Dashboard and export it</td> </tr> <tr> <td><strong>X11 forwarding</strong></td> <td>Push the Ubuntu-side browser window to macOS</td> </tr> </tbody> </table></div> <p>I knew from the beginning that API Token was the sane answer.</p> <p>I used X11 anyway.</p> <p>Partly because I wanted to know whether it still worked. Partly because it had been about 30 years since I last touched X11, and apparently I make bad decisions in historically accurate ways.</p> <h2> Phase 1: Basic X11 forwarding setup </h2> <h3> On macOS: install XQuartz </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install</span> <span class="nt">--cask</span> xquartz open <span class="nt">-a</span> XQuartz </code></pre> </div> <h3> On Ubuntu Server: install required packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> xauth x11-apps </code></pre> </div> <h3> Enable X11 forwarding in sshd </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>vi /etc/ssh/sshd_config </code></pre> </div> <p>Uncomment or set:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">X11Forwarding</span> <span class="n">yes</span> <span class="n">X11DisplayOffset</span> <span class="m">10</span> </code></pre> </div> <p>Then restart SSH:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart sshd </code></pre> </div> <blockquote> <p><code>X11DisplayOffset</code> tells <code>sshd</code> which display number to start using for forwarded X11 sessions. The default is <code>10</code>. In practice, <code>$DISPLAY</code> often ends up around <code>localhost:10.0</code>, unless that display number is already occupied.</p> </blockquote> <h3> Test it </h3> <p>From macOS, connect from XQuartz's <code>xterm</code> first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-Y</span> user@ubuntu-vm </code></pre> </div> <p>Then on Ubuntu:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="nv">$DISPLAY</span> xclock &amp; </code></pre> </div> <p>If a clock window appears on your Mac, X11 forwarding is working.</p> <h2> One thing that tripped me up </h2> <p>In <strong>my</strong> environment, an already-open Terminal.app session did not reliably get a usable <code>$DISPLAY</code>, while XQuartz's <code>xterm</code> worked consistently.</p> <p>That does <strong>not</strong> mean Terminal.app is fundamentally incompatible.</p> <p>Possible causes include:</p> <ul> <li>XQuartz was installed but I had not fully logged out and back in yet</li> <li>shell startup files like <code>~/.bashrc</code> or <code>~/.zshrc</code> were overwriting <code>$DISPLAY</code> </li> </ul> <p>So if X11 forwarding behaves strangely, trying XQuartz's own <code>xterm</code> is a fast sanity check.</p> <h2> The Firefox trap — Snap strikes again </h2> <p>My first attempt was the obvious one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>firefox &amp; </code></pre> </div> <p>That failed with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>X11 connection rejected because of wrong authentication. </code></pre> </div> <h3> Why? </h3> <p>On Ubuntu 22.04 and later, Firefox is usually delivered via <strong>Snap</strong>. Snap isolation and X11 forwarding do not get along particularly well in this setup.</p> <p>You can confirm it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>which firefox <span class="c"># /snap/bin/firefox</span> </code></pre> </div> <p>So I switched to a non-Snap build.</p> <h2> Phase 3: Install <code>firefox-esr</code> with APT pinning </h2> <p>I used the <code>mozillateam</code> PPA and installed <code>firefox-esr</code>.</p> <p>Important detail: if you do this carelessly, later <code>apt install</code> / <code>apt upgrade</code> operations may drag you back toward Ubuntu's Firefox transition package and the Snap path.</p> <p>So I pinned it explicitly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>add-apt-repository <span class="nt">-y</span> ppa:mozillateam/ppa <span class="nb">sudo tee</span> /etc/apt/preferences.d/mozilla-firefox <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' Package: firefox* Pin: release o=LP-PPA-mozillateam Pin-Priority: 1001 Package: firefox* Pin: release o=Ubuntu Pin-Priority: -1 </span><span class="no">EOF </span><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> firefox-esr </code></pre> </div> <p>A couple of notes:</p> <ul> <li>this <code>mozillateam</code> PPA is <strong>not</strong> the same thing as Mozilla's own <code>packages.mozilla.org</code> APT repository</li> <li>I used it here because it solved the practical problem at hand</li> <li> <code>Pin-Priority: 1001</code> strongly prefers that source</li> <li> <code>Pin-Priority: -1</code> blocks Ubuntu's matching package candidates</li> </ul> <p>Then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>firefox-esr &amp; </code></pre> </div> <p>And this time the browser window actually appeared on macOS.</p> <p>I also got these warnings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>No matching fbConfigs or visuals found glx: failed to create drisw screen </code></pre> </div> <p>They looked dramatic, but in practice they just meant GPU acceleration was not happening. The browser still worked.</p> <h2> Phase 4: <code>wrangler login</code> finally works </h2> <p>Now the original goal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wrangler login </code></pre> </div> <p>Firefox ESR opened, Cloudflare's authentication page appeared, and login completed successfully.</p> <p>At that point the real task was done.</p> <p>Which should have been the end.</p> <p>Instead, my brain immediately asked a much worse question:</p> <blockquote> <p>If Firefox is already showing up on macOS, can I make YouTube audio come through too?</p> </blockquote> <p>This is how projects rot.</p> <h2> Phase 5: Why video worked but audio did not </h2> <p>At this point YouTube video rendered fine over X11.</p> <p>Audio did not.</p> <p>That is expected, because X11 was never designed to forward audio.</p> <h3> X11 forwards: </h3> <ul> <li>window drawing commands</li> <li>keyboard input</li> <li>mouse input</li> </ul> <h3> X11 does <strong>not</strong> forward: </h3> <ul> <li>audio</li> </ul> <p>So if I wanted audio too, I needed a second path.</p> <h2> Phase 6: PulseAudio forwarding </h2> <p>The idea was:</p> <ul> <li>run a PulseAudio server on macOS</li> <li>expose it to Ubuntu through SSH reverse port forwarding</li> <li>tell Firefox on Ubuntu to use that forwarded PulseAudio endpoint</li> </ul> <p>Like this:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5zx7al3634ue8ragwaa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj5zx7al3634ue8ragwaa.png" alt="Audio flow diagram: firefox-esr on Ubuntu sends audio to a local PulseAudio client, which forwards it over an SSH reverse tunnel to the PulseAudio server on macOS, then to the speakers" width="800" height="54"></a></p> <h3> On macOS: install and run PulseAudio </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>pulseaudio <span class="nb">mkdir</span> <span class="nt">-p</span> ~/.config/pulse </code></pre> </div> <p>Then run it in the foreground:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pulseaudio <span class="nt">--load</span><span class="o">=</span><span class="s2">"module-native-protocol-tcp auth-anonymous=1 auth-ip-acl=127.0.0.1"</span> <span class="se">\</span> <span class="nt">--exit-idle-time</span><span class="o">=</span><span class="nt">-1</span> <span class="nt">--daemonize</span><span class="o">=</span>no </code></pre> </div> <p>You may see warnings like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>W: [] caps.c: Normally all extra capabilities would be dropped now... W: [] socket-util.c: IP_TOS failed: Invalid argument </code></pre> </div> <p>In my case they did not break anything.</p> <blockquote> <p><code>auth-anonymous=1</code> is only acceptable here because this was a temporary setup behind SSH tunneling and limited to localhost. Exposing it more broadly would be reckless.<br><br> Yes, this is sketchy. No, I would not do this on a real server.</p> </blockquote> <p>Also worth noting: PulseAudio is still usable here, but its own maintainers have said development has slowed down considerably, with bigger new work moving toward PipeWire / WirePlumber. For this kind of hack, it is still convenient.</p> <h3> On Ubuntu Server: install audio-related packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> ubuntu-restricted-extras ffmpeg libavcodec-extra pulseaudio </code></pre> </div> <blockquote> <p>This post assumes <strong>Ubuntu Server 24.04</strong>. On Ubuntu Desktop 24.04, PipeWire / <code>pipewire-pulse</code> is the more standard baseline, so blindly adding PulseAudio can make the setup messier.</p> </blockquote> <h2> Phase 7: SSH with both X11 and audio forwarding </h2> <p>From macOS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh <span class="nt">-Y</span> <span class="nt">-R</span> 24713:localhost:4713 user@ubuntu-vm </code></pre> </div> <p>Meaning:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>-Y</code></td> <td>Trusted X11 forwarding</td> </tr> <tr> <td><code>-R 24713:localhost:4713</code></td> <td>Reverse forward Ubuntu port <code>24713</code> to macOS PulseAudio port <code>4713</code> </td> </tr> </tbody> </table></div> <p>The <code>24713</code> port number was not magical. I just took PulseAudio's default <code>4713</code> and added <code>20000</code> so it would be easy to recognize and unlikely to collide.</p> <h3> Why <code>-Y</code> and not <code>-X</code>? </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Behavior</th> </tr> </thead> <tbody> <tr> <td><code>-X</code></td> <td>Untrusted X11 forwarding. Safer, but some apps break</td> </tr> <tr> <td><code>-Y</code></td> <td>Trusted X11 forwarding. Less restricted, more dangerous</td> </tr> </tbody> </table></div> <p>This part matters:</p> <blockquote> <p>Only use <code>-Y</code> with machines you fully control.</p> </blockquote> <p>A trusted X11 client can do nasty things, including keystroke monitoring. On your own VM behind your own SSH connection, fine. On someone else's server, absolutely not.</p> <h2> Phase 8: Point Ubuntu at the forwarded PulseAudio server </h2> <p>On Ubuntu:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">PULSE_SERVER</span><span class="o">=</span>tcp:localhost:24713 firefox-esr &amp; </code></pre> </div> <p>At that point, both YouTube <strong>video and audio</strong> came through on the macOS side.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9rbyrquwl5aa906hzyi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz9rbyrquwl5aa906hzyi.png" alt="Architecture diagram showing the Ubuntu Server guest VM running firefox-esr on the left, connected to the macOS host on the right through an SSH tunnel that carries both X11 forwarding for the display and a reverse port forward for PulseAudio audio" width="800" height="176"></a></p> <p>Against all dignity, it worked.</p> <h2> Why video and audio stayed in sync </h2> <p>A fair question here is:</p> <blockquote> <p>X11 and PulseAudio are two different protocols on two different forwarding paths. Why didn't the audio drift badly?</p> </blockquote> <p>The answer is that <strong>Firefox handled synchronization</strong>, not X11 or PulseAudio.</p> <ul> <li>the media stream contains timestamps</li> <li>Firefox schedules video frames and audio chunks against those timestamps</li> <li>both streams are delayed by the tunnel, but roughly in similar ways</li> <li>so the playback remains acceptably synchronized</li> </ul> <p>So no, there is no elegant protocol-level sync mechanism here.</p> <p>This is application-layer behavior carrying the whole mess on its back.</p> <h2> Security notes </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>Status</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>X11 forwarding</td> <td>OK-ish</td> <td>Encrypted through SSH</td> </tr> <tr> <td>PulseAudio forwarding</td> <td>OK-ish</td> <td>Also inside SSH</td> </tr> <tr> <td><code>auth-anonymous=1</code></td> <td>Risky unless contained</td> <td>Keep it local and temporary</td> </tr> <tr> <td><code>auth-ip-acl=127.0.0.1</code></td> <td>Good idea</td> <td>Restricts access to localhost</td> </tr> <tr> <td><code>-Y</code></td> <td>Dangerous</td> <td>Use only with hosts you trust completely</td> </tr> <tr> <td>SSH auth</td> <td>Critical</td> <td>Use keys, not password login</td> </tr> </tbody> </table></div> <p>The weak point here is not X11 itself.</p> <p>It is you doing something sloppy with trust boundaries.</p> <p>As usual.</p> <h2> What I took away from this </h2> <h3> 1. X11 is ancient, but still weirdly capable </h3> <p>The design is old, backwards-seeming, and slightly cursed.</p> <p>And yet:</p> <ul> <li>the display server lives on the machine with the screen</li> <li>the application runs somewhere else</li> <li>the UI still shows up where you need it</li> </ul> <p>That idea is ancient, but not dead.</p> <h3> 2. Small UNIX-y pieces still compose in absurd ways </h3> <ul> <li>SSH handled encryption and tunneling</li> <li>X11 handled remote windows</li> <li>PulseAudio handled audio transport</li> <li>Firefox glued the user experience together</li> </ul> <p>No single part was especially elegant.</p> <p>Together, they were good enough to get something undeniably stupid working.</p> <h3> 3. The correct answer was still API Token </h3> <p>Let me be very clear:</p> <p>If your real goal is just to use Cloudflare Workers cleanly on a headless machine, <strong>use API Token</strong>.</p> <p>That remains the proper answer.</p> <p>This post is about the side quest.</p> <h2> Final result </h2> <p>I started out trying to solve a boring problem:</p> <ul> <li>run <code>wrangler login</code> on Ubuntu Server without a local GUI</li> </ul> <p>I ended up with something much dumber and much more entertaining:</p> <ul> <li>X11-forwarded Firefox on macOS</li> <li>successful Cloudflare OAuth login</li> <li>PulseAudio tunneled over SSH</li> <li>YouTube video <strong>and</strong> audio playing through the host machine</li> </ul> <p>Was it necessary? No.</p> <p>Was it the right solution? Also no.</p> <p>Did it work?<br><br> Annoyingly, yes.</p> <p>Moral of the story: Sometimes the correct solution is boring. The fun solution is X11 + PulseAudio + questionable life choices.</p> x11 pulseaudio ssh cloudflare