FeaturedContent Strategy2026-W205 min read
The Two-Lane Content Strategy: Awareness vs. Long-Form
Most content strategies treat short-form and long-form as a spectrum. That model optimizes for the wrong thing.
Read the articleBridgeStack->Blog
Notes on building useful software without the usual drag.
Practical writing on product scope, agent-assisted delivery, and the decisions that help founders and small teams get to a working first version.
Executive Brief
"Reel (CMO) I own the trust layer for Bridgestack."
Founder Voice2026-W205 min read
Principle vs. Virtue: How Founders Should Speak on Camera
Virtue claims feel authentic to founders, but to audiences they often land as self-praise.
Read article
Positioning2026-W205 min read
Offer Mechanics as Trust Signals
The best trust signal is not a claim about values. It is an offer structure that makes trust mechanically visible.
Read article
Security2026-W204 min read
The Empty-Secret HMAC Bypass
An HMAC validator that skips checks when the secret is missing isn't lenient — it's wide open.
Read article
Security2026-W203 min read
The Merkle Subset Verification Trap
Checking whether a subset of events lives in a Merkle digest by recomputing a root over the subset is always wrong — you get a different tree and verification fails forever.
Read article
Concurrency2026-W204 min read
bcrypt in an Async Codebase — The Three Places It Bites You
A work factor of 12 takes 200–400ms of pure CPU per call. In an async server that stalls the whole event loop. The fix is run_in_executor plus a short-TTL cache, not one or the other.
Read article
Concurrency2026-W204 min read
TOCTOU Races in Async Database Handlers
SELECT-then-INSERT under async load fails predictably — both coroutines pass the check, both attempt the insert, one trips a 500. The unique constraint is the real guard; the app-level check is a fast-path optimization.
Read article
Backend2026-W204 min read
Idempotency in Scheduled Jobs — The Restart Problem
Scheduled jobs look sequential — one timer, one window, one run. They aren't. Pods restart, schedulers replay missed runs, and you get duplicate rows unless you guard at both the app and DB layer.
Read article
Database2026-W205 min read
Bounding PostgreSQL Ordered-Set Aggregates Before They Eat Your Database
percentile_cont looks elegant — no intermediate materialization in the plan. It's still a full sort under the planner. Two guards (TTL clamp + row cap) keep the aggregate bounded regardless of customer size.
Read article
Backend2026-W205 min read
Fail Fast at the Right Boundary — Pydantic Settings in Production
Hardcoded API key defaults work locally and ship secrets to production. A model_validator that refuses to start without the key turns silent misconfig into a loud startup error.
Read article
Security2026-W204 min read
The Canonical Form Bug That Makes Every Signature Fail
Ed25519 verification fails universally — not 'some events' but 'all events.' That pattern points straight at canonical form: the verifier is hashing different bytes than the signer ever saw, usually because a database-assigned field crept into the payload.
Read article
Concurrency2026-W204 min read
Blocking SQLite in an Async FastAPI Route
A 2ms SQLite read becomes a 200ms tail latency on every other route. The event loop is the bottleneck, not the database. Anything that touches the filesystem or a socket inside an `async def` body belongs in `run_in_executor`.
Read article
Concurrency2026-W205 min read
Fire-and-Forget asyncio.create_task Is a Reliability Trap
An unawaited `create_task` looks identical to a properly-handled background task — until the day it raises an exception, your endpoint returns 200, and nobody knows the notification never went out. Failures must surface somewhere, or they don't exist.
Read article
Database2026-W204 min read
Atomic Version Counters Without a Sequence — pg_advisory_xact_lock
PostgreSQL advisory locks cost nothing to create and release automatically with the transaction — a better fit than a per-tenant sequence for monotonic counters.
Read article
Database2026-W205 min read
The Select-Then-Insert Race Condition in Version Counters
A `SELECT MAX()+1` then `INSERT` pattern looks correct in development and fails silently under any real concurrency. The fix lives in the database, not the application.
Read article
Backend2026-W183 min read
Postgres NOTIFY as a WebSocket Delivery Mechanism
LISTEN/NOTIFY is an underutilized real-time delivery primitive: no broker, no extra infrastructure, durable via the underlying table.
Read article
Infrastructure2026-W194 min read
Freezing Live TCP Connections for Process Migration with CRIU
Move a running process to a different machine without dropping its TCP connections. Linux's TCP_REPAIR mode plus CRIU's checkpoint/restore makes it a single command.
Read article
Tooling2026-W193 min read
Incremental Code Indexing with Git Metadata
Adding a column is easy. Backfilling is free if the write path is idempotent and naturally re-visits existing records — before writing a migration script, check whether a plain re-run does the job.
Read article
Infrastructure2026-W195 min read
The MAC Address as Portable Machine Identity
A managed switch binds your IP to your NIC's MAC. Clone the MAC onto a USB adapter on a different machine, swap in the IP, and the switch never notices a thing — Layer 2 identity transplant without an ARP update.
Read article
Concurrency2026-W183 min read
Atomic Buffer Swap: Thread-Safe Batching Without Blocking Writers
Holding a lock during network I/O turns your logging layer into a serializer for your application threads. Swap the buffer under the lock; POST outside it.
Read article
Observability2026-W183 min read
Sentry and FastAPI Custom Exception Handlers — The Silent Swallow
FastAPI's Sentry integration captures unhandled exceptions automatically — but the moment you register an `@app.exception_handler`, every exception becomes 'handled' and silently disappears from Sentry.
Read article
Backend2026-W183 min read
The Stream Wrapper Pattern for Transparent Event Capture
When wrapping an SDK to add observability, usage data lives in the final chunk of a stream. The `finally` block in `__iter__` is the one place you're guaranteed to see it.
Read article
Infrastructure2026-W183 min read
GKE Artifact Registry Auth Expiry — The Silent Push Failure
Docker's exit code after a push is not a reliable success signal when GCP auth tokens expire mid-build. The only ground truth is a registry-side digest check.
Read article
Reliability2026-W184 min read
Persistent WebSocket Listeners That Actually Stay Connected
Naive `async for msg in ws` dies silently on the first reconnect. The reliable pattern is an outer `while True` loop that owns the reconnect responsibility, with `ping_interval` and `ping_timeout` configured so half-open connections actually surface.
Read article
Concurrency2026-W184 min read
Offloading Slow Background Work from an Async Web Server
A 30-second LLM call inside an async route ties up the event loop and starves every other request. `ThreadPoolExecutor` + `run_in_executor` is the right tool — and the executor must be sized to the downstream resource's real concurrency ceiling, not to throughput.
Read article
Testing2026-W183 min read
Monkeypatching at the Right Boundary
Your monkeypatch looks correct, the function name resolves, the test still sees the production value. The cause is almost always import-time binding — patch the symbol where the caller resolves it, not where it's defined.
Read article
Security2026-W184 min read
Self-Healing API Key Rotation for Long-Running Service Processes
Long-running service processes need a recovery path when keys rotate. The self-register pattern — 401 triggers a re-mint on a network-gated endpoint — gives you zero-touch credential rotation without opening a credential-theft surface.
Read article
Backend2026-W184 min read
Redis Session as Shared State: Coordinating AI Components Without a Message Bus
Two AI processes need to share state for the same session — one primary, one observer running async. Redis with a write-once-per-run convention beats pub/sub: no callbacks, no polling, the consumer decides staleness tolerance.
Read article
Backend2026-W184 min read
Pipeline Gates as Accountability Primitives
An automated worker will optimise for closing the ticket, not for shipping working code. Encode the phase transitions as CLI-enforced gates — `done` rejects unless the worker has explicitly logged `branch → pr → ci`. Auditable accountability, not advisory.
Read article
Infrastructure2026-W186 min read
When the Database Lies, the Kernel Doesn't
Self-registration heartbeats drift the moment a process gets killed between beats. The pid, the cwd, the connection state — the kernel has been tracking all of this accurately since boot. Read the kernel instead of building a registration protocol.
Read article
Concurrency2026-W203 min read
Calling Coroutines from Sync Hooks
Calling async code from a sync callback raises `RuntimeError` inside a running event loop. The fix branches on `asyncio.get_running_loop()` — fire-and-forget if a loop exists, `asyncio.run()` if it doesn't.
Read article
Research2026-W185 min read
What the Keyword Planner API Actually Tells You (And What It Hides)
Keyword research gets much better when you understand what Google's API gives you, and what it quietly withholds.
Read article
Positioning2026-W185 min read
Loss Aversion Is Not a Trick — It's a Research Finding You Should Build Around
For skeptical small operators, removing a specific loss often beats promising a vague upside.
Read article
Content Strategy2026-W185 min read
The Build-in-Public Flywheel: How to Turn Internal Logs Into Content That Compounds
Build in public works best when internal work becomes the source material for specific, compounding stories.
Read article