In 2026 (and really, as of late 2025), approximately 100% of the code I write, professionally and personally, is written by an LLM.

I feel like this is the point in every post about LLMs where I walk through the history of the last few years: tab complete -> chat interfaces -> “something changed” in the fall of 2025. But let’s skip all that.

Here’s where I’m at right now:

• Hand-writing code is basically done. Or, at least, it’s done in the sense that hand-building chairs is done: people will still do it, but only as a hobby or point of pride. Effectively all chairs that most people sit in today are built by machines and effectively all software written from here on out will be written by LLMs.
• I’m really sad about that because I love writing code: the craft of it, the puzzle of it, the feeling when an elegant abstraction snaps together… I’ll probably never get paid to do that again.
• I’m really happy about that because I love producing software: the things it allows people to do, the problems it can solve, the creativity of turning ideas into living, dancing screens. This part of the job has never been better.
• I spend most of my time in an agent interface juggling a few different conversations, followed by reviewing code diffs. I use Cursor and Claude Code almost interchangeably for the agent interface.
• Code is cheap, so new code review is the bottleneck. Figuring out how reduce or remove code review - to produce a true dark factory - is the problem of the software engineering industry for the next few years. If you can safely remove that bottleneck, your team can fly.
• The answer to the dark factory problem definitely starts with tools for AI self-evaluation: tests, linters, formatters, type checkers, visual diffs. Smarter AIs will be a component too, as will AI review tools like Greptile or CodeRabbit. There’ll probably be a psychological component too: senior devs just “getting over the hump” of accepting no-review merges. I don’t think we’re there yet, but this seems pretty clearly the direction we’re headed.

So, all that to say: I was skeptical but interested in mid-2025. Today, I’ve long-since accepted that software is written by AIs now and I’m excited to see how the industry changes as a result.

1. People’s skepticism of “what AI-based coding is good for” is inversely proportional to how good they are at it.
2. I am skeptical of AI-based coding.

So: epistemologically speaking, I think my best path towards having a well-informed opinion about what AI-based coding is and is not good for is to “Get Gud” as the kids would say.

kttt.io is my first pass at that.

In the interest of pushing my boundaries, I set myself the following constraints:

• I will write no code.
• I will read no code.
• I will lean on the AI for anything I’ve heard people say AIs can be helpful for (thinking through things, requirements gathering, design, debugging, etc)
• I will avoid, as much as possible, leaning on my decade or two of experience as a software engineer to drive this process.

What I built

Because I have AI trust issues, I wanted something low-stakes. I’m not ready to let an AI handle auth code sight-unseen, for example.

Looking through my pile of half-baked project ideas that I will totally get to some day I swear, I picked up “Kriegspiel Tic Tac Toe.” It’s a Tic Tac Toe variant based on the Kriegspiel chess variant: you can’t see your opponent’s pieces and you lose your turn if you try to make an invalid move. Inspired by this Zach Wienersmith toot.

I figure that even if the AI introduces glaring security holes, there’s not much you could really do with that: there’s no interesting data, no passwords, no emails… the worst you could really do, if you wanted to, is cheat at Tic Tac Toe!

How it went

I built it! You can check it out at kttt.io

The highlights:

• I spent about 24 hours building it (split over a number of evenings)
• I think I would have taken 36-48 doing it by hand
• I could probably do it in 12 AI-driven hours if I started over, having gotten a lot better at this stuff

What I learned

Vibe-coding extends the Ballmer Peak significantly. Several of these evenings took place while vacationing in Sonoma and after several glasses of delicious wine.

But more seriously…

Good prompts are too much work - make the AI write them.

I got a lot of value by asking the LLMs things like “Here’s my overall product vision - what’s next?” and conversing with them. I didn’t learn anything new here - the AI proposed the same node/redis/react system I’d have suggested - but I was able to get a detailed description of this architecture into the context window with a lot less typing.

Encouraging the model to ask me questions also saves a lot of typing.

I could write three paragraphs about what I want, or I could write one sentence and add “ask me questions about any decisions you need made.” This gets us to the same conclusion, but lets me focus on only typing out the decisions that are not forgone.

Dump context to files.

After a 5-6 round discussion about implementation strategies, “Write our conclusions to .ai/implementation.md” is a great way to capture the implementation plan into a file I can reuse. Thereafter, every new chat session starts with including that file into context so the model knows how we’re building what we’re building.

Long-term workplans keep distractible AIs on track

Before I wrote any code, but after talking through the requirements and implementation, I told the model to write out a TODO list. I iterated on this a bit until I landed on a nested markdown check list. This meant that I could start every session with “Here are the 4-5 context files you need - take a look at the worklog and tell me what’s next.” . Most of the time it’d propose a reasonable next step and I could just say “Sounds good, go for it.”

Short-term worklogs keep dumb AIs from spinning their wheels

Whenever I’m debugging something myself, I keep a running file of theories, symptoms, and things I’ve figured out. Turns out this works for the AIs too! Telling the models to “keep a log in .ai/game-rejoin-bug.md of what you’ve tried and what you’ve learned” drastically reduced the amount of time they spent going in circles while debugging.

Fast iteration cycles are worth their weight in gold for an LLM.

A failing unit test along with “here’s how you run this unit test” will let an AI fix a bug much faster than a human-in-the-debugging-loop situation where, after every plausible fix, I have to manually check if it worked. I found linters, automated testing, and type checking to be pretty valuable versions of this.

Some things I still need to figure out:

I still have no idea which models are good for what. I did this entirely with Claude Sonnet Max in Cursor. Would I have been faster with Gemini or whatever? Maybe! I need to experiment more.

I also need to learn more/better tools. I used only Cursor for this, but I hear Claude Code is cool. Async agents are the new hotness now too. They sound like a terrible idea - but I’ve learned I should reserve judgment until I actually try it in earnest. Skill with these AI tools does matter.

I still need to figure out how to make the AI keep its own context docs up to date. I built 4-5 of these markdown docs describing how to do design, implementation, etc, but struggled to get the AI to remember to update them when we made new decisions (eg “stop using too many fscking emojis!”). Maybe some better-written Cursor Rules would be good here?

I also need a better way for the AI to evaluate the results of its work in the browser. I spent quite a while trying to get Claude to debug a socket reconnection issue that you could only really see by opening two separate browser windows and clicking a dozen different buttons. I messed around with having the AI follow a written test plan using Puppetteer over MCP and it sorta worked, but it was super slow and unreliable. In the end, I convinced the AI to just tell me when it wanted to test something in-browser and I’d report the results. Not great.

Conclusions

AI-driven development is much better than I gave it credit for, though I still have a ways to climb up the skill curve here.

Kriegspiel Tic Tac Toe exists and is kinda fun! I never wrote or read a line of code. It’s… fun? I think? People seem to enjoy it for 3-4 games anyway! It’s react+typescript on express+node on fly.io with redis as a datastore.

I definitely expected to hit a wall of complexity at some point where the AI just couldn’t be useful. I hit a few walls that looked like that at first - bugs it couldn’t fix or features it couldn’t nail - but every time I got past it by improving my own context engineering skill. This isn’t a particularly huge app, though, so the wall may still be there just out of sight.

As such, I’m still not sure how well this kind of development can be applied outside of a toy project. I feel like I’d need to level up my context engineering skills a lot before I can get value like this on a large, mature, production codebase. I also don’t think I’m anywhere near being able to trust the AIs with anything sensitive (user data, auth, etc) unsupervised.

But I will say this: my skill with AI coding has gone up and my skepticism has gone down. I’ll have to see if that trend holds over time.

I was the first eng hire at Daybreak Health. 3 years later I was managing a team of 8 in a 70-person company. Here are the decisions I’m glad of and here are the ones I regret.

Credit to this great post by Jack Lindamood for inspiring this format.

Context

To give you a feel for the situation: I created and architected our SPA web frontend from scratch in my first couple weeks after joining Daybreak in 2021. By “from scratch,” I mean I did everything from initializing the git repo onward. I later took ownership over our React Native mobile app. And while I was the frontend lead, there was also a ton of work to do in the Rails backend, so I spent 30-40% of my time on that as well. As such, most of the below decisions were mine to make for better or worse.

Choosing React: Endorse

Having gone through the age of React, then Angular before that, then Bootstrap before that, then “Jquery Soup” before that… I’m a little wary of betting on a frontend framework and watching it die. Thankfully, even by 2021 it was clear that React had more staying power than its predecessors. There were competitors like Vue, but I had React experience and it seemed like React was the safest bet for community longevity. 3 years later, I’d say that worked out well. We had no trouble hiring for React experience, the React community has only grown, and React is still top dog in the frontend world. Looking forward, I’d make that bet again today.

Choosing Tanstack Query for state management: Endorse

For most non-trivial React apps you need something to manage state or data that more than one component needs to read or write. In 2021, Redux was the popular solution for this. Redux is, at its core, a pretty simple pub-sub system – something I’ve always appreciated about it. However, in my experience, to actually build anything useful with Redux, you need to build a pretty heavy abstraction layer on top of it. And since everyone builds this abstraction layer differently, actually using Redux is pretty complicated.

Thankfully, it turns out that the overwhelming majority of state in a lot of frontend codebases is “data we just received from an api call to a server.” Tanstack Query (formerly React Query) is a tool explicitly for managing that kind of state, and it does it really well. My plan for Daybreak’s frontend state management was “use TanstackQuery for api state and use a simple React Context for any remaining pieces of global state.” In practice, we had exactly one piece of non-tanstackquery global state ever, so this worked out well.

There was a medium learning curve as new developers onboarded to our state management system. Probably less than if we’d used Redux, though. I did put a very thin wrapper around Tanstack Query to make it automatically implement some of our api handling (deserialization, error handling, metadata handling, etc); in retrospect I’d make that wrapper even thinner, such that our engineers were directly calling Tanstack Query functions (useQuery and useMutation) in their components.

Choosing Typescript: Mostly Endorse

Bias warning: I’m a Typescript convert. Despite being a long-time rubyist, I’ve fallen in love with Typescript and know its ins and outs pretty well. As such, it was an obvious choice for me. Did it pay off?

During the early period where I was working on the frontend alone: it definitely did. You can find a better-written defense of typed languages elsewhere, but I found it made refactoring easy, made changes much safer, made catching minor bugs faster, and powered truly excellent autocomplete. The setup time (hooking it into VS Code and our CI/CD) was half a day, and then the ongoing cost of adding type annotations where needed was near trivial. I probably spent an hour lost in a type puzzle once every 1-2 months, but that was easily made up for in other time savings.

When other devs joined the codebase, though, the cost of Typescript went up. To be clear: these were smart, capable, fullstack developers. But each had only a passing familiarity with Typescript to start. Since Typescript is, in some sense, a tool that does nothing but tell you “no,” it’s a frustrating experience trying to work in a large, typed codebase if you don’t have pretty solid Typescript experience. They ran into problems understanding TS errors (very fair), understanding more complex type features (eg type generics), and knowing where it was/wasn’t acceptable to cut type safety with any and as.

Doing it again, I’d do two things differently:

1. Encourage everyone working the codebase on non-trivial features take a mid-level Typescript course. Maybe ExecuteProgram’s “Everyday Typescript” program or something similar.
2. Avoid complex types, even in library code. I really like having as-complete-as-possible type safety throughout the app, from UI to api requests, but in practice it meant other devs had a hard time tracing through the library code I wrote. I might adjust this opinion with a team of more frontend-focused engineers, but it represented an unacceptable cost on a team of fullstack engineers.

Setting up Frontend Visual Diff Testing: Endorse

In my experience, your testing strategy is something you have to set up from day one in a tiny startup. There’s never going to be time to go in and add a full suite of tests to a mature codebase, but there can be time to add tests for each new feature to an already-tested codebase, especially if the policy is “we always add tests of as a standard part of writing features."

With that in mind, I decided that our frontend quality assurance would come largely from Typescript and visual diff tests. For the latter, we used Storybook such that every react component in the app could be viewed independently of anything else (this was also a nice devex improvement). We then used a hosted service called Chromatic which rendered all our components in Storybook and compared the results between commits as part of our CI process. This meant that if a frontend change caused some bit of UI in some random corner of the site to change height/color/font/whatever, it’d show up as a failing check on the relevant github PR. Then someone would go into chromatic, review the changed UI, and mark that change as “yep, I did actually mean to change that.”

Visual diff testing caught a number of small regressions over the years and was relatively non-flakey. More importantly, though, it gave us a ton of certainty when making refactors or ripping out unused code: if the visual diffs haven’t changed and typescript still type-checks cleanly, we can be very sure nothing weird broke.

Auth0 for Authentication: Regret

Auth is the same everywhere, so why not just use an off-the-shelf auth thing? We used Auth0 and it was a pain in the butt.

On one hand, it gave us some nice features out of the box that we would have had to build ourselves: social login with google, SAML integration with Salesforce, some nice access logging, and team/access management for our internal users.

On the other hand, it really tied us down in terms of user experience:

• The login flow that Auth0 heavily steers you towards means that users are redirected off your site, to Auth0, then back again. You have pretty minimal control over what that UI flow looks like and how it behaves, which made it nearly impossible to do anything when end users were confused by that UI.
• Auth0 has its own concept of “users” and it didn’t always match up with our own. If a new user successfully signed up in the Auth0 UI, but failed to provision in our system, they’d end up in a weird state thereafter where login would half work.
• The fact that you could log in via “login with google” as ‘example@gmail.com’ or “login with username/password” as ‘example@gmail.com” and those were two separate users in auth0’s system was a source of endless confusion to a number of our less technical users. They often wouldn’t remember which one they used when they signed up several weeks ago.

Throw in the fact that Auth0’s frontend SDKs were A) immature and B) regularly being replaced and I ultimately would not recommend it again.

I’m not sure what I would recommend at this point, to be frank. Spend the time to build your login/signup from scratch like your noble forbearers? Try your luck with Okta (which now owns Auth0 anyway), Cognito, or one of the other misc services? I dunno at this point.

Heroku for Rails Hosting: Endorse, I guess.

Heroku’s still nice and easy for hosting a rails app, a postgres database, and a redis install. It’s got some nice, easy addons for when you have random other needs. It’s been that way for the last decade and hopefully it will continue to be. It’s fine. It gets expensive, but by the time you get there, you can hire a devops person to run your stuff in AWS.

I’ve heard good things about render.com and fly.io as heroku replacements and might try one of those at some point, but I’d probably start a new startup on Heroku unless I had a strong, idiosyncratic need.

Netlify for Frontend Hosting: Endorse

Sure, you can host your frontend on pretty much anything- flat files are easy. Just throw them on S3! But you probably also want a CDN to speed things up, so I guess you want to set up Cloudfront or similar on top of that. And you probably want SSL, so you’ll need something to provide that (maybe ACM if you’re all-in on AWS). And then you need to actually build your frontend somewhere (once having devs create the production frontend builds on their dev machines becomes too much of a pain), so maybe set up a service for that? And it’d be nice to have a git-based deploy flow, so I suppose you can use github actions or something for that. And then maybe you want more granular deploy permissions, asset header overrides, deploy audit logging, multiple environments, per-PR deployments…

It turns out you can host flat files anywhere, but there are a bunch of small quality-of-life improvements that are super handy for actually managing + deploying a frontend codebase.

I’ve switched to using Netlify for all my frontends (including this blog, as of 2024). It has all those niceties at a pretty cheap price with a UI that’s straightforward (while still being solidly aimed at technical users). I worry that they’re drifting towards trying to become a more all-encompassing PaaS (as opposed to being “the one really good frontend PaaS), but for now I’d definitely pick them again for a new startup.

Building Impersonation Functionality: Endorse

At every startup I’ve been at, we’ve run into the problem where a users report bugs with insufficient detail to understand what’s happening. And every time, we think to ourselves: “it sure would be great to have some way to see what the user’s seeing!” And then we decide that’s a lot of work and go back to debugging by pouring through logs + analytics events.

At Daybreak, after about a year, we built an “impersonation” feature that let us log in as a user. It included an audit trail and a short timeout period to prevent abuse or accidental breakage. It took about a week for one engineer to build and probably paid for itself within 3-4 months in saved troubleshooting time.

Doing it again, I’d either build this feature really early or set up a session reply tool (I’ve used LogRocket’s, but datadog has one has one too, as do a lot of monitoring companies these days). I’d probably advocate for doing this within the first 6 months of a startup’s lifespan - it’s easily the highest value debugging tool I’ve found for triaging + troubleshooting raw user complaints.

Overbuilding Guest Users Early: Regret

This one’s a little more Daybreak specific, but: in the early days, we were a b2c startup and we intended to have a heavyweight, pre-signup onboarding flow. Having built one of those before, I was keen to build out a solid way to track + represent a pre-signup “guest user” in our database. I built out a system for this, we built out the onboarding flow, and then we promptly pivoted to B2B. This meant we ditched the onboarding flow and my nicely-designed guest user system gathered dust for a few years.

The lesson here is really a more general one: you can build functionality you expect to need in the near future, but the length of “near” should vary by startup maturity. Don’t build something you think you’ll need in 6 months at a 1-year-old startup. You can’t predict pivots and changes 6 months out at that stage.

Building on Salesforce: Regret

This will need its own blog post, but: about a year in, we migrated a ton of our internal tools (used by therapists and support staff) to Salesforce. Specifically, we built out a lot of custom UIs and flows.

At first, this was a huge win. It let us migrate off of a different SaaS that we were rapidly outgrowing, and the pace of development our Salesforce expert could build things was amazing. I knew it would come with headaches and limitations down the road, but I ultimately thought it was a good tradeoff (made by the CTO, not me).

After about a year, though, the problems with this approach became clear:

1. Salesforce is an engine that runs on money. Any given problem (logging, auth, pdf generation, duplicate management, UI improvements) you can think of has a solution, and it’s always to shell out hundreds to thousands of dollars per month to Salesforce itself or one of a bevy of third party providers. By the end, we were paying a fully-loaded engineer’s salary to keep our Salesforce setup running.
2. Salesforce development practices are not nearly as mature as software development practices. You want “local” development? There’s no such thing - all development is done on Salesforce itself, often in limited sandbox environments, resulting in a lot of “testing on prod.” You want any sort of decoupling? Nope, everything in SF is couple as hell, meaning every change is high-risk and needs to be managed by extremely senior Salesforce Architects.
3. Building a significant portion of our app (all the internal tools) in Salesforce put a big, hard skillset divide in the middle of our team. Any new feature that required work in both Salesforce and Appdev (as we called our rails + react codebase) required technical planning that spanned both systems. Unfortunately, there’s pretty much no one with the required seniority in both Salesforce and Software development, so all architecture was a collaboration between two senior engineers. You’ll always hit this point at a startup eventually– your frontend expert is unlikely to also be a backend expert and an infrastructure expert. But your frontend expert can at least be a decent backend dev and know their way around infrastructure a bit. That sort of generality is often fine for many years at a small startup, and it allows you to move incredibly fast in the early days. The longer you can wait before putting up a sharp skill divide in the middle of your team, the better. Building on Salesforce put a sharp (and nearly irrevocable) divide way too early, and it slowed down development a lot in the following years.

Doing it again, I’d pay the upfront and maintenance costs of building our internal tools entirely in our codebase, rather than trying to rely on a low-code tool for a core piece of our business. The costs (in both financial and productivity terms) were way to high.

Things that were fine

We used a number of tools that were bog-standard: Github, Redis, Postgres, Slack, Notion - I wouldn’t write home about any of them.

Similarly, we used a number of tools that could have been swapped for competitors without us noticing: Airbrake for exception handling, NewRelic for log browsing, Amplitude for event analytics, Github Actions for CI/CD - they all worked fine, but I wouldn’t push back if someone argued for alternatives in the next project I work on.

Disclaimer

While I’m saying that I regret some of these choices, I think they were all reasonable choices given the information at the time. I don’t think anyone was an idiot for making them! Likewise, I’m down on a few technologies here, but the engineers we had at Daybreak were top-notch. Our Salesforce experts were kind, capable, and often brilliant people. Our software engineers were people I’m proud to have worked alongside. There’s value in learning from our experience, but none of the above should be construed to denigrate anyone who participated in that experience!

Anyway

All in all, I’m pretty happy with many of the decisions I personally made (huge surprise 😉). I don’t think we ran into too many forseeable landmines in our first three years, although I’d be interested to hear how some of these decisions age in another 3. Hopefully I can harass one of my recently-ex-coworkers into writing their own version of this blog post in 2027!

After about 10 years of maintaining kevinkuchta.com as a personal site slash blog, I finally had to rebuild it. It was a statically-generated Jekyll blog and I could no longer get a sufficiently old version of ruby to run. Updating to a recent ruby broke a few dependencies that I couldn’t fix without way more work than it was worth, and I had to admit it was time to redo this thing. And since my goal is to maintain this site with as little effort as possible, I found myself asking the above question– how do I set it up so I don’t have to rebuild anything for another 20 years?

Here’s my current approach:

1. Stick to static site generation. Flat files can be hosted anywhere for cheap. Currently I’m using Netlify, but if they go belly-up I can switch to Cloudfront/S3 or any of a hundred other flat file hosting options with ease.
2. Avoid Javascript. I spend a lot of my day job in and around single-page apps which rely on complicated and ever-changing tooling. There’s nothing inherently wrong with it, but it’s a tradeoff: you get developer productivity benefits at the cost of paying the tool churn tax. Given that I expect very little development effort to go into this site after it’s built, the tool churn tax is way higher than I want to pay here!
3. Hew close to web standards. I think there’s a lot of value in css/js/html preprocessors and tools of that nature. I’d much rather write HAML for HTML or SASS for css, but that’s more tooling that can break. In fact, hacking HAML support into Jekyll was one of the things that sunk the last version of this blog. As such, I’m writing raw HTML with raw, modern CSS. I really miss basic things like SASS nesting + variable (native CSS variables are useful but still have a lot of gaps), but I’ll live.
4. Use tools that have existed for at least a decade. In this case, I’m sticking to Jekyll. It kinda stagnated for a bit in the mid-2010s, but seems active and stable these days.

With any luck, this blog will still be live in 2034 and won’t need any rewrites by then!

Many people might say “neat!”

I used it to build a bi-directional CSS-only async chat.

For some background, it’s not hard to build a multi-directional web-based chat. It’s practically the “Hello World” of Node.JS. A bit of JS on the frontend, a bit of logic on the backend and you’re off to the races.

This thing I built does that with no frontend javascript whatsoever. Just html and javascript. The trick turns out to be abusing the http protocol and some fun properties of CSS.

A full technical writeup and a quick gif-demo can be found on github.

Building this was an interesting experience for me. It started (like most of my favorite projects do) as a “what if…”. Someone retweeed this davywtf tweet on using CSS pseudoselectors to send data to a server from a page with javascript disabled. That got me thinking: if it’s possible to send nearly-arbitrary data like that, you should be able to build something like a full chat out of it. Once I came up with a way to send data back to the frontend (using long-running http requests), it was clear it was possible.

I was (and still am, as of this writing) taking the summer off to travel after leaving my last gig (we got acquired, I wasn’t wild about the acquirer). As a result, I had this idea while in a position to spend as much time as I wanted on it. It turned out I needed a couple afternoons in a Paris cafe to get the core pieces in place and then another afternoon polishing + writing it up. I waited until morning, US time, and tweeted about it.

I was unprepared for the level of response I’d get.

I’ve always been pretty bad at predicting how popular the things I create will be. My AWS markov chain went nowhere; My blockchain comic went mildly viral. My wikivoyage explorer has interested exactly no one, but my ruby js nonsense has done pretty well (even becoming a RubyConf talk). Who knows what will stick when I throw it against the wall?

Anyway, this chat abomination became a wild success. Top of hacker news for a good chunk of the day; tripling my twitter follower count; 5k stars on github. Old acquaintances reached out when they recognized my name and friends told me when coworkers posted it in their work slacks.

I credit the success of this to:

• Easy to understand. The tweet explains the whole concept and the demo gif shows it off in just a few seconds.
• Inherently click-baity title “CSS-only async chat” seems inherently impossible until you read the article.
• The underlying content is actually interesting. It’s a legitimately clever hack (if I do say so myself).
• Wide pool of devs it’s relevant to. When I do something intense in ruby, only the ruby community cares. The pool of “devs who’ve done a bit of web work” is much, much larger.
• Putting my twitter handle in the gif. This thing got reblogged and reuploaded all over the place, often with minimal explicit credit. But since no content aggregator is going to recreate that gif, every one of them credited me anyway.
• Putting the writeup on github, rather than my blog. That domain has a fair deal of credibility: when you see a github link, you have a pretty good idea of what you’re going to get vs some random dude’s blog.
• Writeup voice. This is something I’ve been working on: trying to make my writeups interesting and funny. I’ve been going for self-deprecating (“What inspired this? Chernobyl, Hindenburg, The Tacoma Narrows Bridge…”) and just a bit abrasive (“Why’s your code suck? Why do you suck?”). The number of people who commented on the writeup (specifically the humorous FAQ at the end) was surprising.

The moderately-popular things I’ve built before have tended to die out after a day or two in the sun. Even the blockchain comic petered out after something like 3 days. This CSS thing went on for a solid couple of weeks. I’d be watching BSG on my ipad weeks later and I’d have to silence twitter notifications so that new follower notifications don’t keep interrupting me.

I’m now writing this three months after the fact and I think I can official call it “over.” The last twitter notification I got for someone liking that tweet was 5 days ago. I figured it was time to finally write about it a bit.

Looking back on it, I’ll definitely admit that the attention was fun. Maybe I’ll try to relive it at some point by turning it into a conference talk.

The best aspect of all this, though, is that I now have 3 moderately-successful hacks (ruby-as-js, totes-not-aws, and this). That constitutes a pattern. I’m starting to become known as “that guy who does the horrible/clever things.” I’m pretty happy about that. Maybe that trend will continue.

The former, of course, is AWS’s announcement blog. It’s capably written, but AWS’s word-soup product names and features make it sometimes sound like it was written by a script. So I built that. Meet https://totes-not-amazon.com! I set it up to reroute you to a reusable link so people can share particularly funny results. Click nearly any link to generate a new post.

Implementation-wise, it goes something like:

1. An offline script scrapes all 3k+ aws posts under aws.amazon.com/about-aws/whats-new and produces a json dump of these. This is in ruby because I just wanted to get this step done fast and that’s the language I know best at the moment.
2. Another offline script takes that json dump of blog posts + titles and fills up a markov model for text generation. I used the excellent Markovify libaray for that. I went with python for this script because it seemed to have good markov libraries and also I needed to share some logic with step 4. After generating the markov model, this script dumps that model to json.
3. Now, online, when a user hits totes-not-amazon.com/, the frontent js hits an api backed by AWS API Gateway, which triggers a lambda function.
4. The lambda function (which includes a copy of the dumped markov model json) loads up the markov model and generates a new randomized blog post + title, then returns it to the frontend JS. I’d have used ruby here, but AWS Lambda doesn’t support that yet. I’d have used node, but I wanted to be able to specify a seed for the randomness used in the markov model, allowing me to reproduce especially funny results by specifying a seed. JS doesn’t allow that but python does.
5. Back in the clientside JS, we get the result of the api call (a blog post + title) and insert it into the page.

For the lambda function, I used the Serverless Framework for the first time, which was a pretty nice way of managing a lambda function.

For hosting + deploying the static files I used S3 + Cloudfront + ACM + Route53 (through my own Scarr tool).

If you want to see the code, it’s kind of a mess, but it’s at github.com/kkuchta/aws_markov. For a silly one-off like this I’m unlikely to go back and clean it up unless someone really wants me too.

Anyway, this is just some silliness and an excudes to mess with a bunch of random tools + languages. Nothing serious today. Go play with it and tweet your favorites to @kkuchta!

My workflow for that usually looks like:

1. Spend entirely too long picking a meaningful domain name like falafel.exposed
2. Try to remember which registrar I decided I’d use for all my domains (namecheap, iwantmyname, gandhi, route53). Fail and pick one at random.
3. Register the domain, then realize that one doesn’t support apex domains (I demand falafel.exposed, not www.falafel.exposed like some peasant). Transfer the domain to route53 which does support apex domains.
4. Create the falafel S3 bucket.
5. Upload my flat files detailing the falafel conspiracy to S3
6. Remember I need to enable S3 web hosting
7. Create a new Cloudfront distribution pointing to that S3 bucket. Wait 45 minutes for this to finish.
8. Realize I used the wrong bucket url format. Update Cloudfront and wait another 45 minutes.
9. Remember I wanted TLS so that Big Falafel can’t interfere with my traffic.
10. Create an ACM certificate
11. Verify the ACM certificate using route53. Spend 15 minutes futzing with route53’s UI.
12. Add the cert to the Cloudfront distribution and wait 45 minutes..
13. Remember I need to configure an index file in S3. Go back and do that.
14. Realize I got a Cloudfront setting wrong. Fix and wait 45 minutes.
15. Same ^
16. Look up how to set an apex domain in route53. Get it wronge twice.
17. Cloudfront again.
18. Finally get the truth up at https://falafel.exposed up, an entire afternoon later.

I figured that after a few times doing this (I’ve uncovered a lot of food-related conspiracies), I’d automate it. There are a few pre-existing tools for parts of this, but none I could find that did the whole thing from registration through uploading and Cloudfront invalidation.

So I built Scarr:

S3
Cloudfront
ACM
Route53
Redundant letter to prevent name collision

You use it like this:

$ scarr init -domain falafel.exposed -name falafelexposed
  Initializing...done
$ cd falafelexposed
$ vim scarr.yml # Edit a few fields here
$ echo "<html>The deadly secret of falafel</html>" > index.html
$ AWS_PROFILE=scarr scarr deploy
  ... a bunch of aws stuff happens automatically ...
$ curl https://falafel.exposed
  <html>The deadly secret of falafel</html>

What it’s doing under the hood is:

1. Registers the given domain through route53 (prompts to confirm this)
2. Creates a TLS certificate through ACM
3. Uses route53 DNS to validate that certificate
4. Creates an S3 bucket
5. Creates a Cloudfront distribution pointed to that S3 bucket using the ACM certificate
6. Creates an apex dns record pointing to that Cloudfront
7. Syncs the current directory to that S3 bucket and invalidates the Cloudfront cache.

It’s also smart enough to detect if parts of this have already been done (eg you’ve already got the domain name in route53) and skip those parts. If you run the deploy command twice, all it does is sync the current directory to S3 and invalidate the cache.

Really, it’s a glorified set of shell scripts wrapped in a single command. I wanted to be able to distribute it as a binary, though, so people could use it without needing to mess with ruby/python/node dependencies, so I took it as an opportunity to finally learn Go. It’s generally a nice language - I’d forgotten how comfortable type-checking can be! On the other hand, I really missed ruby’s built-in collection tools. The lack of generics was weird too.

The code’s a hot mess. Everything’s in the same package, there’s global functions everywhere, and it’s probably about as far from idiomatic Go as you can get, but it works. And at least it eschews the single-letter variables that seem so popular in Go. Surely that convention came from a falafelist.

Anyway, I’ll try to clean it up if anyone takes an interest in it. I’m also open to expanding the functionality a bit if anyone has ideas that don’t overly complicate the main use-case. PRs are welcome, although even lazy suggestions will get a friendly ear.

Anyway, the binary’s at https://scarr.io/dist/scarr and the code’s on github at github.com/kkuchta/scarr!

If you want to know how to build a sanely-architected url-shortener using AWS Lambda on top of a datastore like Postgres, this is not the post for you. We’re going to build a Rube-Goldberg url-shortener using just Lambda.

And since it may not be clear to everyone, this post contains Bad Ideas™ and Extremely Inappropriate Uses of Tools®. Don’t try this in production.

Lambda

As a brief background, AWS Lambda is a “Function as a Service” service. You give amazon some code (a function) and they’ll run it for you — once, 1000 times, 1000 times at once, whatever you need. It’s a way of running certain kinds of code in the cloud without needing to manage your own server, not even a virtual one.

Lambda is a very specific kind of hammer that’s extremely good at hammering a very specific kind of nail. This blog post will not be discussing that nail. This blog post will not discuss anything close. Because it turns out you can use a hammer to drive a wing-nut into silly putty if you swing hard enough and are willing to get messy.

Read

Ok, so the first thing any url-shortener needs is link mapping. Somewhere you need to store that /123 maps to html5zombo.com. Well, you’ve got an input and an output - that sounds like a Lambda function! What if we just create a new Lambda function for every link mapping! Millions of separate Lambda functions. After a quick check to make sure there’s no limit on the number of Lambda functions you can have (besides an upper limit of 75GB of storage space), we’re off to the races.

As an example, the function read_123 will just be hardcoded to return html5zombo.com:

def handle(event, context):
    return { 'url': 'html5zombo.com' }

However, a url-shortener needs to produce links, not Lambda functions. We want the url /123 to trigger this function and return the url as a 301 redirect. For that we turn to API Gateway. It’s a poweful, flexible tool with a million options, but we’re just going to use it to hot-glue urls to lambda functions. For our read function, we can configure a resource (123) and a method on that resource (GET) to trigger our Lambda function.

Unfortunately, Api Gateway wasn’t built to support thousands and thousands of separate endpoints like /123, /124, /125, etc. There’s a limit of 300 resources per api. You can request an increase on that limit, but I suspect “because I thought it would be funny” won’t be a compelling justification.

We’re not stuck, though—we can fix this problem the way we fix all problems: more Lambda functions! We’ll just define one new endpoint that takes a url parameter: /{id} in api gateway. That’ll execute a single Lambda function (call it read(id)) that will, in turn, execute the specific read function (eg read_123) we want.

In pseudocode, read(123) would look like:

def handle(event, context):
    read_result = AWS.lambda.invoke('read_' + event.id)
    return {
        'statusCode': 301,
        'headers': { 'Location': read_result['url'] }
    }

Alright, so using two different types of read functions, read(id) and read_123 (and _124, etc), we’ve got shortened links working. Loading up /123 in your browser tells ApiGateway to run read(123), which runs read_123, which returns html5zombo.com.

Iterator

Soon we’ll want to put together a function to generate these short links. There’s another hurdle first, though. We need a global counter! When a user goes to shorten a new link, we need to know what the next id (eg 124) is. We need to store a global counter somewhere.

Now, saner developers might tell you that Lambda is stateless and you can’t use it to store data. You and I know those people just lack strength of character. Remember: if Lambda functions don’t solve your problem, you’re not using enough of them.

As it turns out, all you need to do to store a global counter is write a self-updating Lambda function! Let’s call this function iterator, and in pseudocode it looks like:

def handle(event, context):
  i = 0
  myCode = load the code for this function from the filesystem
  myCode = myCode.replace('i = ' + i, 'i = ' + (i+1))
  AWS.lambda.updateCode('iterator', myCode)
  return i

Self-updating code: what could go wrong?

Now, the observant among you might be noticing a problem (besides the obvious one that this is all horrifying): concurrent requests to this function might overwrite each other. A good fix for this would be to use literally anything else in technology as a datastore. But since obviously that’s not the fix we’re going to use, we’ll just tell Lambda to limit the maximum concurrency on this function to 1 so it can never run twice in a row!

And now we’ve got our massively overcomplicated way of storing one number in the cloud! Here I am using apex, a handy Lambda cli tool, to run the iterator function repeatedly.

$ apex invoke iterator -a '$LATEST'
{"statusCode": 200, "body": "74"}
$ apex invoke iterator -a '$LATEST'
{"statusCode": 200, "body": "75"}
$ apex invoke iterator -a '$LATEST'
{"statusCode": 200, "body": "76"}

Write

Alright, we now have everything we need to create a write function - the one that actually shortens links for us. We want to be able to send an HTTP POST request with a body like { url: 'hamsterdance.com' } and receive a shortened url like kmk.party/123 in return. In yet more pseudocode:

def handle(event, context):
  # Grab the url we're given
  url = json.parse(event.body).url
  nextI = AWS.lambda.invoke('iterator')
  
  newFunctionBody = """
    def handle(event, context):
      return { url: ${url} }
  """
  newFunctionName = 'read_' + nextI
  AWS.lambda.createFunction(newFunctionName, newFunctionBody)
  return 'kmk.party/' + nextI

As you can see, every time you use this write function to create a new shortened link, we make an api call to generate an entirely new Lambda function with unique code. This is totally reasonable and not at all a ridiculous misuse of an amazing tool.

As a brief aside, I should mention that this is a horrible security hole. url is untrusted user input, but we’re just interpolating it into code and running that code. We can work around that, though, by base-64 encoding and decoding the url.

Index

All the pieces of this abomination are in place.

Now the only thing left for a proper url-shortener is a frontend! There are plenty of simple and nearly free places to host a flat file with a bit of JS to act as that frontend so obviously we’re not going to use any of those. Hosting a flat file is, though pointless and bizarre, quite easy on Lambda (pseudocode):

def handle(event, context):
    return {
        'statusCode': 200,
        'body': file.read('./index.html'),
        'headers': { 'Content-Type': 'text/html' }
    }

Index.html just contains some JS to make an HTTP POST to our write function and display the resulting short link.

And there it is: a url-shortener using only Lambda. We’ve abused AWS’s api to make self-updating functions. We’ve flooded our AWS account with single-purpose functions whose output is hardcoded. We’ve used the wrongest possible tool to serve flat files, slowly. We stopped just short of a publicly-available arbitrary code execution bug on my personal AWS account. Let’s call it a day! Here it is live at kmk.party and here’s the full, non-pseudocode.

FAQ:

This is really neat Yes it is thank you

This is absolutely horrifying See previous answer

Should I use this in production? Only if you video tape it for posterity

WHY? Because someone said I couldn’t do it

How would you actually go about building a url-shortener? The inspiration for this post was one called Building a URL Shortener with Go and AWS Lambda. I got really excited in the moments between reading that title and realizing it was really building a shortener using Go and Lambda and DynamoDB. When I get overexcited, things like this happen.

Why python? I wrote half of this in node, but creating/updating Lambda functions requires creating a zip file which node doesn’t do natively. Using a node library requires a huge node_modules folder that must itself get zipped up when you’re making a self-updating function like some kind of crazy person. Switching to python, with its built-in Zipfile module, saved a lot of time and made the iterator run in under a second instead of around 5.

I very much enjoy Code That Should Not Be Then you might like Disguising Ruby as Javascript where I wield ruby metaprogramming like a hacksaw in a horror film.

I know a way to make this whole thing even more ridiculous Tweet at me (@kkuchta)! The world-fire can always use more fuel.

Update: This post became a talk at RubyConf 2018.

This is valid ruby:

  var first = 3;
  var second = 4;

  var sum = function(a, b) {
    a + b;
  }

  console.log("Sum = ", sum(first, second));

Here’s the code behind it:

  console = (Class.new { def log(*x); puts x.join(""); end }).new

  define_method(:var) { |random_function_name|
    var_name = local_variables.find do |local_var|
      local_var != :random_function_name && eval(local_var.to_s) == random_function_name
    end
    define_method(var_name) { |*args|
      send(random_function_name, *args)
    }
  }

  class Object
    def method_missing(*args)
      skip_methods = %i(to_a to_hash to_io to_str to_ary to_int)
      return nil if skip_methods.include?(args[0])
      return args[0]
    end
  end

  def function(*args, &block)
    func_name = :"func_#{rand(1000000)}"

    klass = Class.new { attr_accessor *args }
    function_block = Proc.new { |*arg_values|
      obj = klass.new
      args.zip(arg_values).each {|arg, arg_value| obj.send(:"#{arg}=", arg_value) }
      obj.instance_eval(&block)
    }

    define_method(func_name, &function_block)

    func_name
  end

What The Hell, Kevin

Here’s an overview of the techniques we’re using:

console is just an instance of a class that has a log function. Pretty straightforward.

function(a, b) { ... } is, rather than declaring a function, actually calling the function function with an arbitrary number of arguments and a ruby block.

We’re able to reference a and b here when they haven’t been defined yet by using method_missing on Object (which is the global default namespace). When you reference some unknown identifier whatever, method_missing is called and returns the symbol :whatever. Overriding the root method_missing is dangerous, though. Some classes rely on the default method_missing function falling through for whatever reason, so we have to exempt them: to_a, to_hash, etc.

So, defining a function is actually some_func(:a, :b) { ... }.

Now how about those vars? We could just def var(_);end and then var would ignore whatever we sent to it. That’d let var foo = 5 work, since it’d just be var(foo = 5). With var as a no-op, the local assignment sticks (and, importantly, happens before the the method_missing junk above gets triggered).

However, we don’t do that because we need var whatever = function(...) { ... } to work.

When we call that function function, we could return some sort of actual ruby function (eg a lambda). However, we could only call that using ruby’s weird syntax: some_func.call(4) or some_func[4]. But we’re hardcore javascript purists here! We accept no substitutes!

Instead, what function does is defines a method on the global namespace with the contents of the block you gave it (eg a + b). We use an anonymous class and instance_eval to provide the function’s arguments to the block body.

But wait! function doesn’t know what it’s called! When you do sum = function() {...}, function has no way to know about sum.

So what function does is it defines its method on the global namespace with a random name (eg func_492041) and returns that string (symbol, actually). Then var picks up both the name passed (eg sum) and the random function name (func_492041) and defines a global namespace method named sum that just calls func_492041.

var does have to get a bit clever since, if you’ll remember, calling var(foo = function{...}) doesn’t actually pass foo to var in any way. It just defines a foo local variable. var does know the contents of foo, though: it knows it’ll be equal to whatever was passed in to it (in this case, the symbol :func_492041).

To find its variable name, var just looks through the local namespace’s list of variables (local_variables.find) and evaluates each one until it finds one that matches its input. Once it finds that, it can define its global namespace method.

And so, finally, we can call the global namespace method sum(3, 4), which calls func_492041(3, 4), which evaluates the { a + b } block in the context of a class that happens to have a and b members whose values are 3 and 4, respectively.

FAQ

Oh god why? Some devs just like to watch the world burn

You realize this is terrible, right? Yes.

Should I use this in production? Absolutely. Please tell me how that goes.

I can do this with fewer/more hacks! Tweet at me (@kkuchta)! The world-fire can always use more wood.

You can upload video to twitter, though. You still need to show something, though, so maybe you play your audio over a still-image video. Ffmpeg can definitely do that, but it took me a while to figure out the right combination of settings. Maybe this will save someone else a half hour of headache trouble- this command will merge an image and an audio file in such a way that twitter will accept it.

If you’re curious, this is for https://twitter.com/thescreambot and the audio is the output of amazon polly.

"ffmpeg -i audio_file.mp3 -f image2 -loop 1 -r 25 -i image.jpg -shortest -vcodec libx264 -pix_fmt yuv420p -acodec aac -y -profile:v baseline out.mp4"