Notes on cloud infrastructure, AI engineering, full-stack systems, and things that surprised me in production.
Every leaderboard tutorial reaches for ORDER BY. At 100K concurrent users submitting scores, that is a full table scan on every request. Redis sorted sets solve this in O(log n) with five commands.
A single Redis node rate limiter is clean and correct. Add a second node and counting breaks, atomicity breaks, and your limits become suggestions. Here's what actually happens and how to fix it.
Stateful vs stateless, implicit denies, ephemeral ports, IPv6 gaps, the real gotchas in EC2 security group rules that caused me actual production pain.
AI code editors are incredible. They're also quietly turning developers into prompt engineers who can't think through a problem anymore. That scares me.
Cache invalidation is genuinely hard. Not 'ha ha the joke problem' hard, actually hard in production. Here's a real incident, the race condition that caused it, and what actually fixed it.
IP-based limits, X-Forwarded-For spoofing, the fixed window 2x burst hole, and why most rate limiting implementations give you false confidence.
CORS is enforced by browsers, not servers. curl doesn't care. Postman doesn't care. Your attacker's script doesn't care. Here's what CORS actually does and what protects your API instead.
You fixed the N+1 query. Congratulations. Now your eager loading is doing cartesian explosions, memory bloat, and ghost queries you didn't know existed. ORMs give you more ways to shoot yourself.
You wrapped it in a transaction. The data is still inconsistent. Isolation levels, phantom reads, and why 'serializable' is theater in most database configs.
You added the index. The query is still slow. Here's why Postgres doesn't care about your feelings, or your indexes.
Not another 'SQL vs NoSQL' think piece. A real project decision from 2025, the constraints, the tradeoffs we evaluated, the choice we made, and the two cases where I'd flip it.