The dev loop, in detail.
Long-form writing on identifiers, JWTs, prompts, MCP servers, and the patterns that hold up under production traffic. From the people who build the tools.
- 7 min read · llms / cost / fundamentals
Prompt caching changes the cost math. Most teams aren't using it.
Anthropic and OpenAI ship prompt caching that cuts repeated input-token cost by 50-90%. What changes when you turn it on — and why most teams haven't.
- 6 min read · uuid / databases / fundamentals
UUID v7 vs v4: when sortable IDs matter, and when they don't
UUID v7 sorts by time and plays nicer with database indexes than v4. Here's when the difference matters in production, and when v4 is still the right call.
- 5 min read · jwt / security / fundamentals
JWT decoding for production: why every online debugger is risky
Most online JWT debuggers send your token through their server. Until the token expires, that's a leaked credential. Here's how to read JWTs safely.
- 5 min read · llms / prompt engineering / fundamentals
The five-element prompt: a checklist for prompts that don't drift
Most production prompts fail for one reason: missing structure. Here's the five-element checklist that turns a sloppy draft into one that ships.
- 7 min read · llms / cost / agents
Why your AI agent costs 10× what you expected
Agents look cheap in the demo and expensive in production. The gap is almost always one of four things — context bloat, retries, tool-call cascades, or the wrong model. Here's the math.
- 6 min read · llms / security / fundamentals
Prompt injection in production: the defenses that work
Most prompt injection mitigations advertised online don't survive contact with a determined adversary. Here are the four that do — used together, not in isolation.
- 6 min read · mcp / llms / architecture
MCP vs function calling: when each one wins
Function calling and MCP solve overlapping problems with different tradeoffs. Here's the decision tree we use — and the costs that bite when you pick wrong.
- 7 min read · databases / uuid / fundamentals
Database primary keys in 2026: int, UUID v4, v7, ULID, NanoID, KSUID
Six common primary key types, six tradeoffs. Here's when each one wins, with the specific failure modes that bite at scale.
- 8 min read · regex / reference / fundamentals
The 12 regex patterns you'll actually use
Email, URL, phone, IP, UUID, dates, passwords, JWT — the patterns that show up in code review again and again. With the edge cases each one gets wrong.
- 5 min read · design / color / frontend
OKLCH is the design system color space for 2026
OKLCH ships in every modern browser, fixes the perceptual problems that HSL has, and makes palette generation and accessibility tractable. Here's why to commit.
- 5 min read · security / hashing / fundamentals
MD5 vs SHA-256 vs Argon2: pick the right hash for the job
MD5 is broken but still useful. SHA-256 is the default for general hashing. Argon2 is for passwords. Mixing them up causes real production bugs.
- 5 min read · security / passwords / fundamentals
Password entropy isn't what you think
Every password rule you've ever followed was probably wrong. Here's the actual math, why length destroys complexity, and what NIST 800-63B recommends in 2024.
- 5 min read · llms / tokens / cost
Token counting in 2026: every tokenizer compared
GPT-4o, Claude, Gemini, Llama, DeepSeek — each uses a different tokenizer, and the same prompt costs different amounts on each. Here's the comparison that matters for budgeting.
- 6 min read · mcp / typescript / tutorial
Building your own MCP server in 50 lines of TypeScript
Most MCP server tutorials hand you a 300-line template. Here's the actual minimum — a working server with one tool, one transport, and nothing else.