# Karanveer Singh Shaktawat — Full Stack Engineer & Infrastructure Architect

Full Stack Engineer. Building scalable systems, developer tools, and AI-powered applications.

Contact: karan@dharmicdev.in
Location: Kota, Rajasthan, India (IST (UTC+5:30))
GitHub: https://github.com/xczer
LinkedIn: https://linkedin.com/in/karanveersinghshaktawat
Site: https://yourportfolio.example

---

# Projects

## Prachyam Sangam

**Subtitle:** OTT Platform — 9 Platforms, 1 Monorepo
**Category:** fullstack
**Tech:** Nx, Next.js, React Native, Expo, Tauri, Bun, Elysia, TypeScript, PostgreSQL
**URL:** https://yourportfolio.example/projects/prachyam-sangam
**Live:** https://prachyam-sangam.dharmic.cloud

Ground-up rewrite of a broken 18-developer OTT codebase into a 21-package Nx TypeScript monorepo targeting 9 platforms: Next.js web, React Native iOS/Android, Apple TV, Android TV, Roku, Tizen, webOS, and Tauri desktop admin. Solo build.

## Overview

Prachyam Sangam is the ground-up rewrite of Prachyam Studios' OTT platform — a project I inherited as a broken, 18-developer codebase and rebuilt solo into a 21-package Nx TypeScript monorepo targeting 9 distinct platforms: Next.js web, React Native iOS and Android, Apple TV, Android TV, Roku, Tizen (Samsung), webOS (LG), and a Tauri desktop admin panel.

The previous platform (see Prachyam Legacy) had accumulated 1,669 commits of technical debt across incompatible stacks. Sangam is the clean-room successor — designed from the monorepo boundary outward, with every cross-platform contract defined at the package layer before a single UI component was written.

## The Challenge

The core problem with multi-platform OTT is that each target has fundamentally different rendering, input, and DRM models. A TV remote is not a touchscreen. Roku's SceneGraph XML is not React. Tizen and webOS each have their own app packaging and certification requirements. The naive approach — write one UI, bolt on platform shims — produces an unmaintainable mess at exactly the scale the previous platform had reached.

The constraint I set: shared business logic, typed contracts, zero copy-paste between platform packages.

## Architecture

The monorepo is structured in three layers:

**Core packages** (`@sangam/core`) define domain models, API client, auth, and player state as pure TypeScript with no DOM or RN dependencies. Every platform imports from here.

**Shared UI packages** split by rendering target — `@sangam/ui-web` (React + Tailwind), `@sangam/ui-native` (React Native + NativeWind), `@sangam/ui-tv` (React Native TV). Platform-specific components extend shared primitives; none duplicate logic.

**Platform apps** (`apps/web`, `apps/ios`, `apps/android`, `apps/apple-tv`, `apps/android-tv`, `apps/roku`, `apps/tizen`, `apps/webos`, `apps/admin`) are thin shells that wire platform entry points to the shared packages.

Nx handles task orchestration, build caching, and affected-project detection. A change to `@sangam/core` triggers rebuilds only for packages that depend on it — not the full workspace.

## Platform Notes

**Roku** required the biggest context switch: SceneGraph XML with BrightScript scripting, a completely different mental model from component trees. The player integration alone took two weeks of Roku device testing.

**Tizen and webOS** share a React-based renderer but have divergent packaging, signing, and store submission requirements. Both target smart TV input models (D-pad navigation, long-press, focus rings) that need custom focus management — React's synthetic event model doesn't map cleanly to TV remotes.

**Apple TV and Android TV** use the React Native TV fork with tvOS/leanback-specific navigation. Focus management is handled through a custom `useTVFocus` hook that wraps the platform's native APIs.

**Tauri admin** is the desktop management panel for studio staff — content ingestion, scheduling, analytics, and the DRM key management interface.

## MCP Integration

10 custom Model Context Protocol servers (~280 tools) give Claude Code live read access to the Postgres schema, BullMQ job queues, MinIO buckets, Docker service state, and Prometheus metrics across the stack. This compressed the CLAUDE.md context by 69% and allowed AI-assisted debugging without manually pasting database state into prompts.

## Key Decisions

**Nx over Turborepo** — Nx's task graph and affected detection are more granular for a workspace this large. Turborepo's simpler model would have required more manual cache configuration at 21 packages.

**Elysia over Hono** — Elysia's end-to-end type safety (request → response → client SDK) via the treaty plugin eliminated an entire class of runtime errors between the API and platform consumers.

**Bun as runtime** — The monorepo toolchain runs entirely on Bun. Script execution and test runs are meaningfully faster than Node across 21 packages, which compounds over hundreds of daily builds.

## Prachyam Infrastructure

**Subtitle:** Self-Hosted Enterprise Stack
**Category:** infrastructure
**Tech:** Docker, Mailcow, NextCloud, Tailscale, Nginx, Caddy, dnsmasq, Linux
**URL:** https://yourportfolio.example/projects/prachyam-infra
**Live:** https://prachyam-infra.dharmic.cloud

Deployed and managed self-hosted Mailcow, NextCloud, and Tailscale mesh VPN — handling 18M emails across 12 domains, saving lakhs annually.

## Overview

When I joined Prachyam Studios, the company was spending heavily on commercial services — Google Workspace for email, LucidLink for file sharing, scattered tools for development. I proposed self-hosting everything on our own infrastructure and built the entire stack from scratch.

## Infrastructure Overview

<MermaidDiagram
  title="Prachyam Infrastructure Topology"
  chart={`
flowchart TB
  subgraph Internet["🌐 Internet"]
    MX["MX Records\n12 Domains"]
    Users["👥 Team\n22 Members"]
  end

  subgraph VPS["VPS Server (~₹800/mo)"]
    Nginx["Nginx\nReverse Proxy"]

    subgraph Mail["📧 Mail Stack"]
      Mailcow["Mailcow"]
      Rspamd["Rspamd\nAnti-Spam"]
      ClamAV["ClamAV\nAntivirus"]
    end

    subgraph Files["📁 File Sharing"]
      NextCloud["NextCloud\nCollaboration"]
      LDAP["LDAP Auth"]
    end

    subgraph AI["🤖 AI Tooling"]
      MCP["23 MCP Servers"]
      Qdrant["Qdrant\nVector DB"]
    end
  end

  subgraph Mesh["🔒 Tailscale Mesh VPN"]
    Dev1["Dev Machine 1"]
    Dev2["Dev Machine 2"]
    Dev3["Dev Machine 3"]
    Caddy["Caddy + dnsmasq"]
  end

  MX --> Nginx --> Mailcow
  Mailcow --> Rspamd --> ClamAV
  Users --> Nginx --> NextCloud
  NextCloud --> LDAP
  MCP --> Qdrant
  Dev1 <--> Caddy
  Dev2 <--> Caddy
  Dev3 <--> Caddy
  VPS <-.->|Tailscale| Mesh
`}
/>

## Before vs After

## The Challenge

A growing 22-person team needed reliable email across 12 domains, shared file storage and collaboration, a private development network, and an OTT platform targeting 12+ devices — all without the budget for enterprise SaaS pricing.

## Mail Server — Mailcow

Deployed a self-hosted Mailcow mail server on Docker that handled **18 million emails** across 12 domains. This wasn't just internal email — it powered marketing campaigns and business communication at scale.

Configuration went deep: SPF, DKIM, and DMARC records for every domain to ensure deliverability. Rspamd for anti-spam filtering. ClamAV for virus scanning. Automated backups to prevent data loss.

The cost comparison was stark: Google Workspace at $6/user/month across 12 domains adds up fast. Our self-hosted solution runs on a single VPS at ~₹800/month.

## File Sharing — NextCloud

Set up NextCloud as a self-hosted replacement for LucidLink. The 22-person team gets file sharing, real-time document collaboration, calendar management, and video meetings — all running on our own servers.

LDAP authentication keeps user management centralized. Storage quotas prevent anyone from filling the disk. Automated backups run nightly.

LucidLink costs ~$25/user/month. For 22 users, that's $550/month (~₹5.5 lakh/year). Our NextCloud instance runs on the same VPS alongside Mailcow.

## Development Network — Tailscale + Caddy + dnsmasq

The company's machines were underpowered for the development workload. Instead of buying new hardware, I networked the existing machines together into a private mesh.

Tailscale creates a mesh VPN where every machine can reach every other machine securely. dnsmasq handles custom DNS resolution so services are accessible by name. Caddy provides automatic HTTPS with valid certificates on the private network.

The result: developers distribute builds, tests, and services across multiple machines as if they were one system.

## AI Tooling — 23 MCP Servers

Built 23 custom Model Context Protocol servers for AI-assisted development. A Qdrant vector database indexes the entire codebase for semantic search — developers can ask natural language questions about the code and get accurate answers.

Each MCP server handles a specific capability: codebase Q&A, deployment automation, log analysis, documentation generation, and code review assistance. The tooling integrates with Claude, GPT, and other LLM providers.

## Cost Impact

## Results

The infrastructure serves a 22-person team reliably with 18M emails processed, 12 domains managed, file sharing and collaboration running smoothly, and AI-assisted development tooling that made the entire team more productive. Total infrastructure cost: ~₹800/month VPS. Estimated commercial equivalent: lakhs annually.

## HeyBeautiful

**Subtitle:** Tell your crush without saying a word
**Category:** fullstack
**Tech:** Next.js, TypeScript, PostgreSQL, Drizzle ORM, Dragonfly, Stripe, GSAP, Framer Motion, Tailwind CSS, Turborepo, Bun
**URL:** https://yourportfolio.example/projects/heybeautiful
**Live:** https://heybeautiful.one

Built a full-stack SaaS platform where anyone can create a cinematic, scroll-driven personalised page for their crush and share a link — solo, from zero to live production in 41 days with 207/207 roadmap items completed.

## Overview

HeyBeautiful started with a personal problem: the gap between noticing someone and saying something
real is broken. Phone numbers are cold, dating apps reduce people to thumbnails, and pickup lines die
in ten seconds. The answer was a scroll-driven, animated micro-site that anyone can build for their
crush — personalised photos, word-by-word text reveals, puzzles, trait cards — and share as a link.
No app download for the viewer, no pressure, no performance required.

The creator builds a page in a visual drag-and-drop editor with 30+ section types: text letters,
Polaroid galleries, sealed envelopes, iMessage-style chat replays, origami reveals, scratch-cards,
Spotify embeds, ambient audio, and more. They set a unique slug, pick from 8 emotional colour
palettes, and publish. When the crush opens the link they experience a story that unfolds as they
scroll: text fills colour word-by-word, photos develop Polaroid-style, background blobs breathe
through the mood palette. At the end they choose whether to reveal the creator's contact — WhatsApp
one-tap, vCard, or QR code — entirely on their own terms.

The core emotional differentiator is real-time presence: the creator sees when the crush opens the
page, which section they are reading at any moment, and receives Web Push notifications when a
puzzle is solved or contact is revealed. The platform shipped live at heybeautiful.one and was
architected from day one as white-label ready for ThemeForest.

## The Challenge

The project had a hard constraint: 41 days, solo, alongside two other active freelance projects.
The product required genuinely complex frontend engineering — scroll-driven animation across 30+
section types, a polymorphic drag-and-drop editor, a real-time presence layer — on top of a complete
SaaS backend: payments, magic-link auth, 13 AI writing endpoints, 4-language i18n, PWA with offline
support, custom domain middleware, and a content moderation admin panel. Every architectural decision
had to optimise for shipping speed without creating debt that would block the ThemeForest path.

The presence system was the most critical architectural question. Supabase Realtime was the obvious
choice but would lock the project to a cloud vendor and struggle under high-frequency scroll events.
WebSockets are awkward in Next.js App Router's serverless model. The product's core emotional promise
— "see when she opens your page" — could not be a known gap at launch.

## Architecture

The stack is a Turborepo monorepo with Bun workspaces. Next.js 16 App Router, React 19, Tailwind CSS
v4. GSAP 3 with ScrollTrigger drives scroll-based animations; Framer Motion handles UI transitions;
Lenis provides smooth scroll. Drizzle ORM manages a 30-table PostgreSQL 17 schema across 36 API
route groups.

Page section content is stored as a JSONB column on `crush_pages` rather than relational rows.
Sections are always read and written together; a relational table would require either a column per
section type or a wide EAV model. Drizzle's `jsonb()` type keeps TypeScript inference clean at the
cost of no SQL-level filtering inside section content — acceptable at this scale.

Real-time presence runs on Dragonfly pub/sub via `ioredis`. The viewer-side `usePresenceBroadcast`
hook broadcasts scroll depth and current section index, throttled to a delta greater than 5% or a
section change — reducing event volume by roughly 20x while keeping creator visibility accurate.
Stripe handles four subscription tiers; the singleton is marked `server-only` to guarantee the
secret key can never appear in a client bundle.

## Key Decisions

**JSONB sections over relational rows.** Sections are polymorphic — a text block, a Polaroid gallery,
and a Spotify embed share a table row but have entirely different shapes. JSONB stores each as a typed
object without requiring schema migrations for every new section type added during the sprint.

**Dragonfly over Supabase Realtime or WebSockets.** Self-hostable, faster for high-frequency scroll
events, and the pub/sub SSE pattern is idiomatic with the App Router's serverless model. Locking to a
cloud vendor for the product's most important feature was the wrong trade.

**White-label config package from day one.** `siteConfig`, `themeConfig`, and `emotionalColors` live
in a shared `packages/config` workspace. A ThemeForest buyer can rebrand the entire product by
editing one file. This cost roughly 10% extra upfront and saved all component surgery at handoff.

**Graceful degradation on every optional service.** Stripe, Anthropic API, VAPID push, and MinIO are
all behind runtime guards. Any one missing returns a clean 503 or silently hides the feature in UI.
The app runs with just PostgreSQL and Dragonfly — the self-hosted happy path.

**Emotional arc through animation timing.** A tempo map in `ANIMATIONS.md` defines GSAP `duration`
by section type: slow (2–3s) for introduction, very slow (3–5s) for the intimacy section. Pacing is
a first-class design constraint enforced at the component level, not left to intuition.

## Results

HeyBeautiful shipped live at heybeautiful.one with all 207 planned roadmap items completed across 35
feature phases — 44,000+ lines of TypeScript, 418 source files, 30+ animated section types, 36 API
route groups, 13 Claude-powered AI writing endpoints, 4 Stripe tiers, 4-language i18n with RTL, a
full PWA with offline service worker, and Playwright E2E tests. The white-label config package and
Docker Compose self-host path position it for ThemeForest submission. The real-time presence system
— section-level granularity, Web Push at four milestones — is the feature that separates it from
every static link-sharing tool on the market, shipped as part of a 41-day solo sprint alongside two
other active freelance projects.

## Self-Hosted Cloud Storage

**Subtitle:** Nextcloud replacing Google Drive and LucidLink
**Category:** infrastructure
**Tech:** Nextcloud, rclone, pCloud, Docker Compose, Caddy, Tailscale, OAuth2, Mailcow
**URL:** https://yourportfolio.example/projects/prachyam-cloud-storage

Replaced Google Workspace and LucidLink for a 22-person two-office studio with a self-hosted Nextcloud instance on RackNerd, backed by a 5 TB pCloud lifetime plan via async rclone sync, cutting $9,585/year in SaaS spend to $65/year after a 25-day payback.

## Overview

Prachyam Studios was running Google Workspace Business Standard and LucidLink
Business side by side — one for email and documents, one for large video file
sharing across two offices. Combined, the two products cost ~₹8.90 L/year
(~$9,585/year) for a 22-person team. LucidLink is particularly punishing for
video-heavy teams because it charges per seat and meters egress on assets that
are regularly hundreds of gigabytes.

The replacement is a self-hosted Nextcloud instance on a ₹6,000/year (~$65/year)
RackNerd VPS, backed by a pCloud 5 TB lifetime plan as durable cold storage, with
rclone handling async sync between the two tiers. Mailcow's OAuth2 endpoint —
already running for team email — serves as the login provider, so team members
sign in with their existing `@prachyam.com` credentials. From the user's perspective
it is Google Drive: a desktop sync client, a web UI, shared folders, no new passwords.

Year 1 cost including the pCloud lifetime license: ~₹61,604 (~$664).
Year 2 onwards: ~₹6,000/year (~$65/year).

## The Challenge

The team was non-technical across the board. Any replacement requiring behavioural
change — a new client, a different folder structure, a separate login — risked low
adoption and a reversion to the old stack. The replacement had to feel identical to
what people already used, install quietly, and stay out of the way.

Storage architecture added a harder technical constraint. pCloud does not offer a
POSIX mount fast enough for concurrent multi-user access with large video files.
Mounting it directly as Nextcloud's data directory would have made every file
operation dependent on pCloud's API latency — visible lag on every upload, download,
and directory listing. The design had to fully decouple user-facing I/O speed from
the cold storage backend.

## Architecture

Nextcloud runs in Docker Compose on the RackNerd VPS behind a Caddy reverse proxy
handling HTTPS termination on a custom team subdomain. The VPS disk is partitioned
into an 80 GB local buffer that serves as Nextcloud's primary data directory — all
user reads and writes hit local disk at full VPS I/O speed. A scheduled rclone job
runs every 15 minutes in the background, syncing the buffer to pCloud using
`rclone sync` with conflict resolution. pCloud is the durable cold store; the VPS
buffer is the fast-access layer.

Authentication flows through Mailcow OAuth2. Nextcloud is configured as an OAuth2
client pointing at the Mailcow endpoint already running for team mail — onboarding
a new team member means one credentials step, not two. Both offices reach the
Nextcloud subdomain over Tailscale, the same mesh used for mail and AI inference,
with no public port exposure required for internal access.

## Key Decisions

**Two-tier buffer over direct pCloud mount.** Nextcloud's native External Storage app
can mount pCloud directly, but per-request API calls on every file operation cause
UI lag and rate-limit risk under concurrent multi-user load. The rclone background-sync
approach keeps Nextcloud fast and treats pCloud purely as a backup target, eliminating
the latency coupling entirely.

**rclone over Nextcloud External Storage.** The native integration is the obvious path;
it was rejected specifically because of per-request API latency at the access patterns
a video-heavy team generates. Running rclone as a background cron job decouples
user-facing responsiveness from the sync layer completely.

**Mailcow OAuth over Nextcloud LDAP.** LDAP would have required standing up an OpenLDAP
or FreeIPA server — a significant additional service to maintain. Mailcow's OAuth2
endpoint was already running and required a single configuration change in Nextcloud
to wire in. The SSO pattern, established for mail, extended to Nextcloud and every
subsequent internal service for free.

**pCloud lifetime license over recurring cloud storage.** The $599 Black Friday lifetime
license amortises to near-zero over any multi-year horizon versus the $9,585/year SaaS
bill it helped replace. At 22 users, the math favoured a one-time purchase decisively;
the 25-day payback made the case in one slide.

## Results

Google Workspace and LucidLink were fully decommissioned. All 22 team members adopted
the Nextcloud desktop client without retraining — the UX is functionally identical to
Google Drive Sync. Year 1 net savings: ~₹8.28 L (~$8,921) with full payback in 25 days.
Year 2+ recurring savings: ~₹8.84 L/year (~$9,520/year). Adding future team members
costs nothing incrementally versus $27/month + ₹864/month per new hire under the old
stack. The Mailcow OAuth integration extended the studio's shared identity layer to a
second internal service at zero additional infrastructure cost, establishing the pattern
every subsequent tool on the Tailscale mesh would follow.

## Local AI Inference Mesh

**Subtitle:** Private GPU inference across two offices
**Category:** infrastructure
**Tech:** Flux, Kokoro, Parrot, Whisper, Tailscale, Docker, HTTP API, Python
**URL:** https://yourportfolio.example/projects/prachyam-local-ai

Turned an idle Pune office GPU workstation into a private AI inference server — running Flux image generation, Kokoro TTS, Parrot audio dubbing, and Whisper transcription — shared over a Tailscale mesh to a second office, eliminating all cloud AI API spend.

## Overview

Prachyam Studios produces Indian cultural and dharmic content at scale — a constant
appetite for promotional art, regional-language voiceovers, audio dubs, and subtitle
files. The team was paying per-call to cloud APIs: Midjourney-equivalents for image
generation, ElevenLabs-class services for TTS, cloud transcription for subtitles —
a combined burn rate of conservatively $100–400+/month. Meanwhile, the Pune office
had GPU-capable workstations sitting largely idle.

The fix was architectural: co-locate all inference workloads on the existing Pune GPU
machine, serve them as simple HTTP endpoints, and route the Varanasi office's requests
through the Tailscale mesh already in place for mail and file storage. The content
team gets unlimited generation capacity at zero per-call cost. No cloud accounts,
no egress fees, no per-character billing.

Model selection was deliberately India-first. Kokoro and Parrot were chosen over
English-first defaults specifically for Hindi and regional-language quality — the
output gap versus generic open-source TTS was significant enough that the wrong
choice would have produced unusable voiceovers.

## The Challenge

The team's cloud AI spend scaled directly with output volume, which created exactly
the wrong incentive: creators self-censored requests, batched generation jobs, and
accepted first-pass results to avoid burning budget. Per-call pricing was suppressing
iteration and hurting asset quality.

The Varanasi office added a distribution constraint. Replicating models to both sites
was a non-starter — Varanasi machines had no GPU capacity. A public endpoint would
have exposed the inference server to the internet. The right answer was to centralise
compute on Pune's GPU and tunnel Varanasi traffic through the existing private mesh,
treating the GPU as a shared internal service rather than a local tool.

## Architecture

Flux handles image generation — promotional posters, thumbnails, and content art —
served via a local API wrapper on the Pune GPU machine. Kokoro provides high-quality
multi-lingual TTS for regional Indian languages, used for narration, promos, and
content previews. Parrot handles audio dubbing, converting content tracks into
regional-language dubs in-house. A Whisper-family model generates subtitle files
from uploaded audio, eliminating per-minute cloud transcription cost.

All four workloads are served as HTTP endpoints on the Pune machine's Tailscale IP.
The Varanasi office machines were already on the same Tailscale mesh used for Mailcow
and Nextcloud — adding the GPU machine as another mesh node required zero additional
networking configuration on the Varanasi side. Both offices hit the same endpoint
URL; requests route over Tailscale; generated images and audio files return directly
with no internet hop. The inference server never has a public IP.

## Key Decisions

**Centralised inference over distributed.** Pune had GPU hardware; Varanasi did not.
Multi-node inference orchestration across asymmetric hardware would have introduced
coordination complexity with no benefit. One GPU, one endpoint base URL, routed over
the mesh — operationally minimal, and latency-negligible for file-generation requests
that run in seconds.

**Reusing the existing Tailscale mesh.** Every internal service added to the mesh —
Mailcow, Nextcloud, then the inference server — immediately became available to all
connected offices without any new networking work. The mesh compounds in value with
each node; the marginal cost of adding the GPU machine was near zero.

**India-first model selection.** Kokoro and Parrot required hands-on evaluation against
Coqui, VITS variants, and OpenVoice. For Hindi and South Indian languages, the quality
gap between models was pronounced. Selecting the wrong model would have produced
output the content team couldn't use — the research time was the real cost of
the project.

**Framing the service as unlimited.** Removing the per-call constraint changed team
behaviour immediately. Creators iterated on prompts, generated alternatives, and
produced higher-quality assets because there was no budget meter running. Unlimited
local capacity was a product decision as much as an infrastructure one.

## Results

All cloud AI API costs for image generation, TTS, transcription, and audio dubbing
were eliminated — a conservative $100–400+/month in recurring spend reduced to
$0/call on hardware the studio already owned. The content team gained the ability to
produce regional-language voiceovers and audio dubs in-house without engaging a
dubbing studio for every promotional asset. Both offices accessed the same inference
endpoints transparently over Tailscale with no additional VPN setup. The Tailscale
mesh pattern, proven across mail and file storage, extended cleanly to a fourth
internal service — confirming it as the studio's composable private networking
primitive for all subsequent infrastructure additions.

## Karmpath

**Subtitle:** AI-Powered Blogging Platform
**Category:** fullstack
**Tech:** Next.js, TypeScript, PostgreSQL, Redis, Docker, Kubernetes, Sentry, GitHub Actions
**URL:** https://yourportfolio.example/projects/karmpath
**Source:** https://github.com/xczer/karmpath
**Live:** https://karmpath.dharmic.cloud

Architected a scalable blogging platform with AI-powered content recommendations, deployed with Docker and Kubernetes in a microservices setup.

## Overview

Karmpath is a scalable blogging platform with AI-powered content recommendations. Built to handle real traffic at scale, it uses collaborative filtering and content-based algorithms to surface relevant posts to readers.

## The Challenge

Most blogging platforms either can't handle traffic spikes without expensive infrastructure, or they don't leverage AI for content discovery. I wanted to build something that does both — a platform that stays fast under load and gets smarter the more people use it.

## Architecture

## Before vs After

## My Approach

I designed Karmpath as a microservices architecture from the start, knowing that different components would need to scale independently:

**Content Service** handles CRUD operations for blog posts, full-text search, and content delivery. It sits behind Redis caching for the most frequently accessed posts.

**Recommendation Engine** runs the AI/ML models — collaborative filtering based on user reading patterns and content-based matching using post embeddings. It operates asynchronously, pre-computing recommendations during off-peak hours.

**Auth Service** manages JWT-based authentication with refresh token rotation, session management, and rate limiting.

**CDN Layer** serves static assets, images, and cached HTML from the edge, keeping Time to First Byte under 100ms for most users.

The entire system deploys on Kubernetes with autoscaling policies — when traffic spikes, pods scale horizontally without manual intervention. CI/CD runs through GitHub Actions: lint, test, build, and deploy to the K8s cluster on every merge to main.

## Key Decisions

**Why Kubernetes over serverless?** The recommendation engine needs persistent connections to the database and sustained compute for model inference. Serverless cold starts would have killed the user experience.

**Why Redis for caching?** Blog content is read-heavy. A single popular post might get thousands of reads but only one write. Redis brings hot content response times from ~200ms (database) to ~5ms (cache).

**Why microservices for a blogging platform?** Honestly, it would have been simpler as a monolith. But I built it this way intentionally — to prove I could architect distributed systems that actually work in production. The recommendation engine scaling independently from the content service has been the biggest win.

## Results

The platform handles 10,000+ concurrent users with 99.9% uptime. Redis caching and edge optimization delivered a 60% improvement in load times. Sentry monitoring catches issues before users notice them, and the automated CI/CD pipeline means every merge to main is in production within minutes.

## Self-Hosted Mail Stack

**Subtitle:** 20M emails, 12 domains, zero Mailchimp
**Category:** infrastructure
**Tech:** Mailcow, Postfix, Dovecot, Rspamd, Docker Compose, Tailscale, OAuth2, ClamAV
**URL:** https://yourportfolio.example/projects/prachyam-mailcow

Replaced Mailchimp and per-seat email SaaS for a 20-person studio by deploying Mailcow across 6 RackNerd VPS servers and 12 domains, delivering ~20 million outbound marketing emails at ~$151/year versus a $300,000 enterprise Mailchimp estimate.

## Overview

Prachyam Studios needed to run large-scale marketing email campaigns against
a ~350 million record dataset — a volume that sits far above Mailchimp's 200k-contact
Premium cap and lands in custom-quote enterprise territory, conservatively estimated
at ~$300,000 for a 6-month campaign run. The self-hosted answer was Mailcow:
a Docker Compose stack bundling Postfix, Dovecot, Rspamd, ClamAV, SOGo, and a
management UI into a single deployable unit.

I proposed, built, and operated the full stack end-to-end. Six RackNerd VPS servers
each running a Mailcow instance, 12 custom sending domains with full SPF/DKIM/DMARC
configuration, and Postfix transport maps routing each domain's outbound mail through
its designated server to preserve per-domain IP reputation. The same infrastructure
absorbed all internal transactional mail and team inboxes for all 20 staff across
both Pune and Varanasi offices.

The campaign delivered ~20 million emails. Total infrastructure spend for the
6-month run: ~₹9,000 (~$97) — all-in.

## The Challenge

Two problems collided on the same Postfix queue. Marketing blasts were volumetrically
enormous; internal transactional messages (password resets, onboarding emails,
platform notifications) were operationally critical. Left unaddressed, the bulk
queue starved internal mail by hours during campaign runs. Splitting onto entirely
separate server sets was the obvious fix but added operational surface and cost
on a shoestring infrastructure budget.

The harder constraint was operational simplicity. There was no dedicated DevOps
person. The mail stack had to be self-managing enough that the rest of the team
could use it without knowing it existed, while simultaneously handling campaign
volumes that enterprise SaaS providers charge hundreds of thousands of dollars
to process.

## Architecture

The stack runs Mailcow on Docker Compose across 6 RackNerd VPS instances. Each
server handles a subset of the 12 sending domains; Postfix transport maps bind
each domain to its designated server and IP, keeping the domain-IP pairing stable
for reputation purposes. Rotating 12 domains across 6 IPs acts as reputation
insurance — a single deliverability incident cannot take down all outbound volume
simultaneously.

Postfix priority queuing separates bulk and transactional mail at the transport
level using `transport_maps`, `smtp_destination_rate_delay`, and custom
`defer_transports` to guarantee internal messages skip the bulk backlog regardless
of campaign depth. Both offices connect via the existing Tailscale mesh, resolving
to the same mail infrastructure without public exposure. Mailcow's built-in OAuth2
endpoint serves as the SSO identity provider for all other internal tooling,
including the self-hosted Nextcloud instance, eliminating the need for a separate
directory service.

## Key Decisions

**Priority queue over separate servers.** A dedicated marketing server and a dedicated
internal server would have solved starvation trivially, but at the cost of double
the operational surface. Keeping both traffic classes on the same server per domain
with queue-level separation kept log streams unified and debugging straightforward —
the trade-off was more upfront configuration in Postfix transport classes.

**12 domains across 6 servers for reputation distribution.** Sending reputation is a
domain-IP pair reputation. Rotating sending domains distributes risk so no single
blacklist event halts all outbound volume. Transport maps enforce the pairing
stability that makes this strategy coherent; random assignment would defeat it.

**Mailcow OAuth as team SSO.** Rather than standing up Keycloak or Authentik as a
separate identity layer, Mailcow's built-in OAuth2 endpoint was repurposed as the
team's single sign-on. Unconventional but pragmatic for a 20-person team: one fewer
service to provision and maintain, and the username is already the work email
everyone knows.

**Self-hosted Mailcow over AWS SES + Listmonk.** SES + Listmonk was evaluated as the
credible middle ground — estimated ~$7,500 for the same 6-month campaign run.
Mailcow on owned VPS reduced that to ~$97 (a 98.5% reduction) because the only
recurring cost is the RackNerd VPS subscription at ~$65/year.

## Results

The 6-month campaign delivered ~20 million emails at a total infrastructure cost of
~₹9,000 (~$97), versus a ~$300,000 Mailchimp enterprise estimate and a ~$7,500
AWS SES + Listmonk projection — saving ~$299,900 and ~$7,400 respectively. Annual
run-rate settled at ~₹14,000 (~$151/year) for VPS and domains combined. Internal
mail starvation was eliminated: transactional messages delivered within normal SLA
throughout every campaign run. The same stack replaced per-seat email SaaS for all
20 team members at no additional cost, and its OAuth endpoint became the shared
identity layer for every subsequent internal service on the mesh.

## Docsee

**Subtitle:** Docker Management Suite
**Category:** opensource
**Tech:** Rust, Tauri, Svelte, Ratatui, Bollard, GitHub Actions
**URL:** https://yourportfolio.example/projects/docsee
**Source:** https://github.com/xczer/docsee
**Live:** https://docsee.dharmic.cloud

Cross-platform Docker management tool with a Tauri desktop GUI and Rust terminal TUI, achieving sub-50ms response times for container operations.

## Overview

Docsee is a lightweight, open-source Docker management tool that gives you both a desktop GUI and a terminal TUI — powered by a shared Rust core. It's everything Docker Desktop should be: fast, small, and free.

## The Challenge

Docker Desktop is slow, heavy (2GB+), and requires a paid license for commercial use. The command line is powerful but not visual. There's a gap: developers need a fast, lightweight way to manage containers without the bloat.

## Before vs After

## Architecture

<MermaidDiagram
  title="Docsee Architecture"
  chart={`
flowchart TB
  subgraph GUI["🖥️ Desktop GUI"]
    Tauri["Tauri Runtime"]
    Svelte["Svelte Frontend"]
  end

  subgraph TUI["⌨️ Terminal TUI"]
    Ratatui["Ratatui Renderer"]
    Events["Event Handler"]
  end

  subgraph Core["🦀 Rust Core (docsee-core)"]
    Containers["Container Ops"]
    Images["Image Management"]
    System["System Info"]
    Logs["Log Streaming"]
  end

  Bollard["Bollard\nDocker API Client"]
  Docker["🐳 Docker Daemon"]

  Svelte --> Tauri --> Core
  Events --> Ratatui
  Events --> Core
  Core --> Bollard --> Docker
`}
/>

## My Approach

The architecture splits into three layers:

**Rust Core** communicates with the Docker daemon through the Bollard library — async Rust bindings for the Docker Engine API. Every operation (list, start, stop, inspect, logs) completes in under 50ms. The core handles all Docker interactions and exposes a clean API to both interfaces.

**Desktop GUI** uses Tauri + Svelte. Tauri gives us a native window with web technologies inside, but without Electron's overhead. The entire GUI binary is ~8MB — compared to Docker Desktop's 2GB+. Svelte keeps the frontend reactive and fast.

**Terminal TUI** uses Ratatui for rich terminal rendering. It's for power users who never leave the terminal. Real-time container stats (CPU, memory, network, disk I/O) stream directly in the terminal with instant updates.

Both interfaces share the same Rust core, so behavior is identical regardless of which one you use. GitHub Actions handles CI/CD with automated multi-platform releases for Linux, macOS, and Windows.

## Key Decisions

**Why Rust over Go?** Go would have been the obvious choice for Docker tooling — Docker itself is written in Go. But Rust's async model (tokio) gives genuinely better performance for the kind of concurrent operations Docker management requires. And the memory safety guarantees mean no runtime crashes from null pointers or data races.

**Why Tauri over Electron?** Binary size. An Electron app starts at ~150MB minimum. Tauri starts at ~3MB. For a tool that's supposed to replace bloatware, shipping our own bloatware would be ironic.

**Why both GUI and TUI?** Different workflows need different interfaces. When I'm deep in terminal work, I don't want to context-switch to a GUI. When I'm doing visual container management, I want to see everything at a glance. Both are first-class citizens.

## Results

Sub-50ms response times for all container operations. An 8MB desktop app that does what a 2GB app does. A 3MB terminal tool that makes Docker management feel native. Automated releases across three platforms on every tag push.

## Local Infra

**Subtitle:** 116 containers, one laptop, zero per-project setup
**Category:** infrastructure
**Tech:** Docker Compose, Caddy, dnsmasq, Cloudflare DNS, PostgreSQL, Temporal, OrbStack
**URL:** https://yourportfolio.example/projects/local-infra
**Live:** https://local-infra.dharmic.cloud

A personal production-parity development mesh — 116 Docker containers, 97 HTTPS service routes, and 19 profile categories — that eliminated per-project infrastructure duplication across 6 active projects, built in 105 minutes in a single evening.

## Overview

Six active projects each maintaining their own Postgres, Redis, and MinIO containers in isolation meant duplicate memory usage, credential sprawl, and a persistent HTTP-in-dev vs HTTPS-in-prod gap that made OAuth redirects, secure cookies, and service workers impossible to test locally. The fix was a shared infrastructure mesh: a single `docker-compose.yml` (3,425 lines, 116 containers) with 19 named profiles, a Caddy wildcard TLS reverse proxy covering 97 named service routes, and dnsmasq resolving all `*.dev.dharmic.cloud` subdomains to localhost.

Every project gets HTTPS-secured local domains on day one. The full service catalogue covers databases, search and vectors, messaging, real-time streaming, workflow orchestration, observability (full LGTM stack), AI/LLM inference, auth (Authentik SSO), analytics, payments, billing, secrets management, CI/CD, and dev tooling — all accessible at production-quality HTTPS URLs rather than `localhost:PORT`. The entire repo was built in a single ~105-minute evening session: 8 commits between 21:09 and 22:51 on 2026-03-28.

## The Challenge

The core problem was not hardware — a MacBook M1 Max with 64 GB has ample RAM for many concurrent containers. The constraint was cognitive: managing 6 separate `docker-compose.yml` files with mismatched credentials and port conflicts was becoming unmaintainable, and the HTTP/HTTPS dev-prod gap was causing bugs that could only reproduce in staging. The solution needed to work with all runtimes in use (Bun, Rust, React Native, Tauri) without IDE coupling.

## Architecture

The DNS-to-TLS-to-container flow has three layers. dnsmasq (Homebrew, symlinked to `~/infra/dnsmasq/dnsmasq.conf`) resolves `*.dev.dharmic.cloud` to `127.0.0.1`, `*.co.dharmic.cloud` to the OrbStack Coolify VM, and `*.do.dharmic.cloud` to the OrbStack Dokploy VM via three wildcard address rules — no per-service DNS entries. Caddy (Homebrew, symlinked to `~/infra/caddy/Caddyfile`) obtains a single `*.dev.dharmic.cloud` wildcard certificate via Cloudflare DNS-01 ACME challenge and reverse-proxies all 97 named hosts to Docker container ports. Docker Compose provides the 116 container definitions grouped into 19 profiles (`core`, `search`, `messaging`, `workflows`, `media`, `ai`, `monitoring`, `streaming`, `analytics`, `automation`, `docs`, `customer`, `email`, `auth`, `notifications`, `platform`, `devtools`, `payments`, `internal-tools`). A `ports.yml` registry (254 lines) tracks every assigned port. A `MIGRATE.md` runbook, written as an AI-executable instruction set, automates onboarding any project from isolated Docker to the shared mesh.

## Key Decisions

**DNS-01 challenge for wildcard TLS.** HTTP-01 requires public internet reachability, which is impossible for localhost. DNS-01 via Cloudflare API proves domain ownership through a TXT record — one cert, all 97+ subdomains, no browser warnings, no `--allow-insecure-localhost` anywhere.

**Docker Compose profiles as the service selector.** Rather than separate compose files per project (which duplicate shared services), profiles turn service inclusion into a CLI flag. `docker compose --profile prachyam-sangam up -d` starts exactly the subset that project needs, keeping RAM proportional to active work.

**`ports.yml` as machine-readable port registry.** The file tracks every reserved infra port and per-project frontend/API/worker ports in one place. Claude Code reads it during migration to find the next free port and register the new project — fully automated, zero manual port hunting.

**`MIGRATE.md` as AI-executable runbook.** The file begins with a direct instruction for Claude Code to read and follow. The full migration procedure — identify shared services, reconcile credentials, restructure compose, update `.env`, register profiles — is written for an AI agent, not just a human reader. New project onboarding takes one ~20-minute session.

## Results

All 6 active projects share one Postgres instance, one Dragonfly cache, one MinIO with per-project buckets, and the full observability and tooling stack. HTTPS in dev is now structurally identical to HTTPS in prod — OAuth redirects, secure cookies, and service workers all work without a staging deploy. The four-tier topology (local → Coolify staging → Dokploy staging → production) uses the same `docker-compose.yml` across all tiers, with environment differences expressed only through `.env` values. The repo replaced roughly 12 categories of paid SaaS development tooling with self-hosted equivalents running locally at zero ongoing cost.

## Custom MCP Servers

**Subtitle:** Ten tools that gave Claude Code a brain
**Category:** aitools
**Tech:** TypeScript, MCP SDK, SQLite, Qdrant, Ollama, PostgreSQL, Docker, Tailscale, BullMQ, Prometheus
**URL:** https://yourportfolio.example/projects/mcp-servers
**Live:** https://mcp-servers.dharmic.cloud

Built 10 purpose-built Model Context Protocol servers in TypeScript that collapsed Claude Code's context overhead by 69% while giving the AI live access to every service layer of a 9-platform OTT monorepo.

## Overview

Claude Code kept hitting token limits on a 9-platform OTT monorepo. The `CLAUDE.md` file had grown
to 105k characters — 29 workflow documents, schema docs, and API docs all inlined — and the model
was saturating mid-session with no way to inspect live infrastructure state. The fix was to give it
tools instead of text.

The result is 10 custom MCP servers: TypeScript processes that Claude Code spawns on demand via
stdio transport, each connecting to a specific layer of the stack — Postgres, BullMQ, MinIO, Docker,
Prometheus, Grafana, feature flags, environment secrets, semantic code search, and project task state.
Together they reduced `CLAUDE.md` from 105k to 32k characters while adding live infrastructure
visibility that never existed before.

All 10 servers are wired into `.ruler/mcp.json` so every `claude` session inside the monorepo loads
the full toolset automatically. Several servers point their env vars at Tailscale mesh IPs so a
session on the development iMac can reach Docker services on a remote Linux machine without SSH
tunnels.

## The Challenge

The iMac had 16 GB of RAM and all stateful Docker services — Postgres, Dragonfly, MinIO, Temporal,
NATS, Prometheus, Grafana, Flipt — lived on two machines accessible only over Tailscale SSH. Inlining
every piece of context into `CLAUDE.md` was the first solution attempted, and 105k characters was
where it broke. Third-party MCP servers (filesystem, sqlite) are generic — they cannot understand a
BullMQ queue topology, OTT task state, or the per-app environment variable requirements of a
monorepo with 6 distinct service boundaries.

The servers also had to be environment-variable–driven so `DOCKER_HOST`, `DB_HOST`, and `REDIS_HOST`
could be pointed at remote Tailscale IPs at session start with no changes to server source code.
The debugging loop for failing transcoding jobs — browser, SSH terminal, editor — had to collapse
entirely into the coding session.

## Architecture

All 10 servers use `StdioServerTransport` — each is a long-running child process spawned by Claude
Code, communicating over stdin/stdout, then connecting out to its target service. Zero port conflicts,
no auth layer, and the server lifecycle is tied to the Claude Code session itself.

Storage is per-server and purpose-fit. `ott-context-mcp` uses a local SQLite database with 17 tables
in WAL mode. `code-embeddings-mcp` stores 768-dimensional vectors in self-hosted Qdrant, generated
locally by Ollama's `nomic-embed-text` model. `drizzle-studio-mcp` connects directly to Postgres and
renders results as ASCII box-drawing tables in Claude's response. Tailscale bridging works by passing
`DOCKER_HOST=ssh://user@<tailscale-ip>` to `dockerode`, which tunnels Docker API calls over SSH
automatically.

The code-embeddings server uses a `BatchProcessor` (50 items, 5 concurrent), a 10k-entry LRU
`EmbeddingCache`, and a `RateLimiter` to avoid overwhelming Ollama. Incremental hash-based change
detection means re-indexing only touches modified files.

## Key Decisions

**stdio over HTTP transport.** Zero port conflicts, no auth surface, and the server dies cleanly with
the session. HTTP would be necessary for a shared team setup; for solo use it is pure overhead.

**Environment-variable host injection for Tailscale.** Every server reads its target from env vars
rather than hardcoded IPs. `dockerode` parses `DOCKER_HOST=ssh://user@host` natively — no manual
tunnel setup required.

**SQLite for `ott-context-mcp`.** Postgres already runs on a remote machine. Adding a network
dependency to what must be a fast, always-available local tool was the wrong tradeoff. SQLite with
WAL mode handles the concurrent read/write pattern of multiple tool calls per session without blocking.

**Local Ollama, not a cloud embedding API.** Zero cost per embedding call, no data leaving the
machine, and `nomic-embed-text` 768-dim is sufficient for TypeScript/TSX code search. The embedding
cache and incremental indexing absorb the latency tradeoff.

**Pattern learning as a first-class tool.** The `learn_pattern` tool writes structured records —
mistake, correction, severity, package scope, optional auto-fix script — to SQLite. Claude Code calls
it at the end of a debugging session, creating a durable correction library that persists across
context resets — unlike unreliable "remember this" prompts.

**CLAUDE.md reduction as a KPI.** The 69% reduction from 105k to 32k characters was the stated
design target. Workflow docs load on demand via `workflow_get`; context budget is spent on code.

## Results

`CLAUDE.md` shrank from 105k to 32k characters — roughly 18,250 tokens saved per session —
eliminating context-limit interruptions that had been routine. Infra diagnostics that previously
required a browser or SSH terminal now happen inside the coding session: when a transcoding job
fails, Claude Code can inspect the BullMQ queue, check Docker logs, query Prometheus, and suggest a
fix without switching context. The `ott-context-mcp` pattern-learning system means recurring error
classes are flagged before they repeat. The `code-embeddings-mcp` enables natural-language code
navigation across a monorepo too large to hold in context — at zero per-query cost using local
Ollama inference.

## Prachyam Sangam

**Subtitle:** India-first OTT platform, 9 native targets
**Category:** fullstack
**Tech:** TypeScript, Next.js, Elysia, Bun, Expo, Nx, Drizzle, PostgreSQL, Dragonfly, Typesense, Qdrant, Tauri
**URL:** https://yourportfolio.example/projects/ott-platform

Full-stack OTT streaming platform built solo in 5 months — a 21-package Nx TypeScript monorepo targeting web, iOS, Android, four TV OSes, and a desktop admin, with HLS streaming, creator monetisation, watch parties, and live TV.

## Overview

Prachyam Sangam is a ground-up OTT streaming platform built for the Indian market — SVOD and AVOD content, live TV with EPG, creator channels, watch parties, and a full admin panel, all from a single TypeScript monorepo. The platform targets nine distinct surfaces: web (Next.js), iOS and Android (Expo 54), Apple TV and Android TV (Expo TV), Samsung Tizen, LG webOS, a Tauri admin desktop, and a Fumadocs developer-docs app — sharing 21 packages of business logic across every target.

The project replaced a legacy OTT carrying 18 developer-years of accumulated debt, compromised SSH keys, and a CMS that blocked new features. Three evaluated ThemeForest OTT products all under-delivered on TV support and admin completeness, so the decision was made to build from scratch. What started as an employer initiative transitioned into an independent engagement with a TV-producer partner, and reached MVP across 104 numbered sprints over approximately five months of solo development.

The result is a Coolify-compatible, self-hostable stack — PostgreSQL, MinIO, Dragonfly, Typesense, Qdrant, Soketi, BullMQ, Temporal, Prometheus, and Varnish — deployable to a single VPS without a DevOps hire. Zero TypeScript errors have been enforced from sprint 75 onward, and 17 of 20 viewer flows and 8 of 14 admin flows are demo-clean.

## The Challenge

The core constraint was hardware: a 16 GB / 512 GB M1 iMac as the sole development machine — insufficient to run seven Docker-backed apps concurrently alongside the monorepo build. Rather than cut scope or rent a beefier machine, the problem was solved by meshing three machines via a Tailscale network, offloading Docker services to two peer nodes while the iMac handled active development. Every service runs at a stable `*.willmakeitsoon.com` HTTPS subdomain via dnsmasq and Caddy, production-mimicking the target VPS without production costs.

TV platform fragmentation added significant complexity on top. Tizen 4.x, LG webOS 4.x, Apple TV, and Android TV each have distinct input models, video API surfaces, and debugging toolchains. Expo TV abstracts the React Native TV layer cleanly for Apple TV and Android TV, but the Smart TV web apps needed fully separate vanilla-JS builds — one using the webOSTVjs 1.2.10 SDK, the other the Tizen CLI toolchain — each with its own D-pad focus engine and HLS player integration.

## Architecture

The monorepo is managed by Nx 22.6.1 with Bun workspaces and contains seven apps: `web` (Next.js 16, main viewer plus admin route group), `api` (Elysia on Bun — REST API with auto-generated OpenAPI via `@elysiajs/swagger`), `mobile` (Expo 54 + React Navigation), `tv` (Expo TV, Tizen, webOS), `desktop` and `admin` (Tauri 2), and `docs` (Fumadocs). All apps draw from 21 shared packages covering auth (Better Auth), database (Drizzle + PostgreSQL), cache (Dragonfly), search (Typesense + Qdrant), storage (MinIO), payments (Razorpay), messaging (NATS + Soketi), jobs (BullMQ + Temporal), streaming (HLS transcode workers), AI, i18n, and UI component sets for both web and native surfaces.

The infrastructure layer runs entirely on Docker Compose, profiled per project. Varnish sits in front of MinIO and stream routes as an HTTP cache layer. Prometheus, Grafana, and Alertmanager provide observability. Flipt serves feature flags, togglable from both the admin panel and a dedicated MCP server. Semantic search combines Typesense for instant keyword facets with Qdrant vector embeddings generated locally via `@xenova/transformers`. Ten custom MCP servers bridge Claude Code to live Drizzle Studio, Prometheus metrics, Flipt, transcode job state, and a pattern-learning context store — giving every development session full project context in under 60 seconds.

## Key Decisions

**Nx over Turborepo.** Nx's project-graph caching means only packages touched by a given change rebuild — critical when 21 packages would otherwise cascade. Turborepo was tested first but Nx's executor model mapped more cleanly to the Tauri build targets and cross-platform run-many scenarios.

**Elysia over Express/Fastify.** Bun runtime throughput, plus Elysia's validator plugin generates OpenAPI schema from route definitions automatically. This feeds the Fumadocs swagger-docs app and reduces documentation drift to zero without a separate schema-maintenance step.

**Dragonfly over Redis.** Redis-protocol compatible, so zero application code changed. Dragonfly's multi-threaded engine uses approximately 30% less memory at equivalent cache hit rates — material on a budget VPS with limited RAM.

**10 custom MCP servers instead of context-switching.** DB state, transcode jobs, Prometheus metrics, and feature flags all surface in the Claude Code conversation window rather than requiring browser or terminal switches. The `ott-context-mcp` server persists learned fix patterns per package across sessions, maintaining institutional knowledge across 104 commits without a separate knowledge-base tool.

**Sprint-numbered commits with priority tags.** Every non-trivial change is tagged with a sprint number and a p0–p3 priority level in the commit subject. The DEMO-PLAN.md route-readiness audit was written in under an hour because every route's last relevant sprint was instantly traceable in `git log --oneline`.

## Results

Prachyam Sangam reached MVP across nine distinct platforms in approximately five months of solo development — 152 commits, 104 sprints, ~972,000 lines of TypeScript, TSX, and JS, with 21 shared packages and 10 custom MCP servers. The Tailscale mesh eliminated any hardware upgrade requirement during development. Dragonfly replaced Redis with a ~30% memory reduction at no code cost. The standalone `docker-compose.standalone.yml` makes the full stack deployable to a single VPS without a DevOps hire, and the monorepo's architecture positions it as a sellable ThemeForest starter kit once the partnership engagement wraps.

## Sutradhaar

**Subtitle:** AI writing room for Indian television
**Category:** aitools
**Tech:** Next.js, TypeScript, tRPC, PostgreSQL, pgvector, Ollama, Vercel AI SDK, TipTap, Drizzle ORM, React PDF, BullMQ, MinIO
**URL:** https://yourportfolio.example/projects/sutradhaar

Built a full-stack AI director and screenplay suite for Indian TV production — TipTap screenplay editor, RAG-backed scene generation from legendary writer corpora, Navarasa-aware shot planning, and a complete pre-production management system — in a single day.

## Overview

Indian TV productions run on scattered tools: Word for scripts, Excel for schedules, WhatsApp for
call sheets, and no AI that understands Hindi, Navarasa theory, or the DOOD production workflow.
Western tools like Final Draft and StudioBinder cover their respective slices but speak no Hindi,
know nothing of bhakti symbolism, and connect nothing between the creative and logistical layers of
a production.

Sutradhaar is a full-stack AI writing room and production management suite built specifically for
Indian television. It covers every pre-production phase: a professional TipTap screenplay editor
with bilingual Hindi/English support and industry-standard auto-formatting; a RAG pipeline that
generates scenes in the voice of legendary writers — Tulsidas, Shakespeare — by retrieving relevant
passages from uploaded corpora; Navarasa-aware AI shot list generation; storyboard management;
script breakdown with all 14 DOOD element categories; colour-coded stripboard scheduling; call sheet
generation with PDF export; a budget tracker with variance highlighting; and a Recharts analytics
dashboard with a 9-axis Navarasa radar chart.

The entire system was designed, specced, and shipped — all 25 commits — in a single six-hour session
on 2026-03-18. It exists as both a portfolio anchor and a working proof-of-concept for a TV producer
partner who needs exactly this system for her upcoming production.

## The Challenge

The project required genuine domain knowledge that does not exist in generic tooling. Indian TV scripts
mix Hindi and English within a single block. Shot suggestions must account for all 9 Navarasa
emotional states — not generic Western cinematography heuristics. Breakdown categories follow the
DOOD colour-coding system with 14 defined element types. All of this had to be encoded not as
runtime string matching but as first-class schema — Postgres enums, typed columns, validated
structures — so every layer of the system speaks the same language without a mapping layer.

The second constraint was time. The project had to be demo-able fast enough to serve as a live
portfolio piece during an active job search, and functional enough to present to a real TV producer
as a credible tool for her next production — not a mockup. A 675-line implementation plan written
before any code was what made single-day execution possible.

## Architecture

The stack is a single Next.js 16 app with the App Router. tRPC v11 handles all CRUD with full
TypeScript type safety co-located with the schema; streaming AI endpoints live in Next.js API Routes.
PostgreSQL 16 with the pgvector extension is managed via Drizzle ORM. MinIO provides object storage
for document uploads and storyboard frames; Redis with BullMQ handles background document processing.

The RAG pipeline lives in three focused files. A custom paragraph-boundary chunker greedy-merges
paragraphs to 2000 characters with 200-character overlap and sentence-level sub-splitting for
oversized blocks — preserving narrative context better than fixed-token chunking for literary Indian
texts where a Ramcharitmanas doha often carries its meaning at the paragraph boundary. An Ollama
embedder returns a zero-vector on failure rather than crashing; a pgvector retriever uses raw Drizzle
SQL with the `<=>` cosine distance operator, scoped per persona, with automatic fallback to
chronological fetch when Ollama is offline.

The 26-table schema encodes Indian production domain knowledge as Postgres enums: `navarasaEnum`
with all 9 Sanskrit emotional states, `intExtEnum`, `timeOfDayEnum`, and `sceneElementCategoryEnum`
with all 14 DOOD breakdown categories. The database speaks the language of Indian film production at
the type system level — every downstream layer gets that domain knowledge for free.

## Key Decisions

**No LangChain — direct pgvector SQL.** LangChain adds roughly 100MB of transitive dependencies and
abstracts away exactly the control points that need custom logic: zero-vector resilience, per-persona
scoping, and paragraph-boundary chunking for literary texts. Three focused files are fully transparent
and directly debuggable.

**Custom paragraph-boundary chunker over off-the-shelf splitting.** Fixed-token chunking breaks
mid-doha. The custom chunker merges at paragraph boundaries, carries overlap, and sub-splits only
when a single paragraph exceeds the token budget — preserving context for the retrieval step.

**`generateObject` with Zod schema for shot list AI.** The shot list route uses Vercel AI SDK's
structured output mode so the response is structurally guaranteed — no parsing, no hallucinated shot
shapes. Navarasa heuristics are embedded in the system prompt as natural language instructions:
`veera → low angle wide + tracking`, `karuna → close-up + slow dolly`, `shringara → soft focus`.

**Domain encoding in the schema, not in runtime logic.** When `navarasaEnum` exists at the DB level,
the frontend renders a 9-axis Recharts radar chart without any mapping layer. When
`sceneElementCategoryEnum` has 14 DOOD values, the breakdown UI is correct by construction.

**Spec-first single-session execution.** A 675-line `docs/IMPLEMENTATION_PLAN.md` with exact
component names, file paths, DB table names, and feature bullet points per phase was written before
any code. Every architectural decision was resolved upfront; the coding session was pure execution.

## Results

Sutradhaar is a demo-able full-stack application covering every pre-production phase from screenplay
through call sheet, with AI assistance grounded in legendary Indian writer corpora and bilingual
Hindi/English support throughout the UI. The 26-table schema, custom RAG pipeline, and all 10 tRPC
routers shipped in a single day. The "Why This?" explanation engine — which cites specific dohas and
corpus passages to justify any creative choice the AI makes, with source attribution — is a novel
pattern for AI-assisted creative tooling that does not exist in any Western screenplay tool. The
system self-hosts on any VPS via the standalone Docker Compose file, replacing a full StudioBinder
subscription at zero marginal AI cost using local Ollama inference on an M-series machine.

## Claude 2x — Cross-Platform Timer Overlay

**Subtitle:** Swift/SwiftUI + Rust/Tauri + QML timer overlay with timezone math, objc2 FFI, and multi-platform CI
**Category:** opensource
**Tech:** Swift, SwiftUI, AppKit, Rust, Tauri 2, QML, objc2, chrono-tz, tauri-plugin-positioner
**URL:** https://yourportfolio.example/projects/claude-2x
**Source:** https://github.com/Xczer/claude-2x

A cross-platform floating timer overlay shipping on macOS (Swift/SwiftUI), Linux (Tauri/Rust), and KDE (QML) — with chrono-tz timezone math, objc2 FFI for macOS-native window behaviour, and a GitHub Actions multi-platform CI pipeline.

## Overview

A floating countdown timer designed to help track Claude API session windows across timezones. Ships three separate implementations sharing the same core timezone logic: a native Swift/SwiftUI app for macOS, a Tauri/Rust app for Linux desktops, and a QML widget for KDE Plasma. objc2 FFI provides macOS-specific window presentation behaviour in the Swift build.

## Tech

The macOS build uses Swift, SwiftUI, and AppKit with objc2 for native window management. The Linux build uses Tauri 2 with Rust and tauri-plugin-positioner for screen-edge snapping. The KDE build uses QML. All three share chrono-tz for accurate timezone arithmetic. GitHub Actions runs the CI matrix across macOS and Linux runners.

## DocSee Popup — Raycast-Style Docker HUD

**Subtitle:** Global-hotkey Tauri popup for Docker management with frecency ranking, Rust bollard, and Unix socket IPC
**Category:** infrastructure
**Tech:** Rust, Tauri v2, React 19, TypeScript, Vite, Zustand, Bollard, Framer Motion
**URL:** https://yourportfolio.example/projects/docsee-popup

A Raycast-style global-hotkey popup for Docker — built with Tauri v2 and Rust, using Bollard for Docker API access, frecency-ranked container search, ref-counted infra management, and Unix socket IPC between the app and a background daemon.

## Overview

A keyboard-triggered popup window — similar in concept to Raycast — specifically designed for Docker container and image management. Press a global hotkey from any application and a floating panel appears showing running containers with CPU/memory stats, frecency-ranked by recent access. A background Rust daemon maintains Docker state over Unix socket and notifies the UI via IPC events.

## Tech

Tauri v2 hosts the Rust backend and React 19 frontend. Bollard communicates with the Docker daemon asynchronously. Frecency ranking combines recency and frequency scores to sort containers by likelihood of access. Zustand manages frontend state. Framer Motion handles panel entrance and exit animations.

## Rice Docs — macOS Developer Environment

**Subtitle:** Living documentation for a keyboard-driven macOS setup — X-Type layout, OmniWM, SketchyBar, Karabiner 4-layer architecture
**Category:** infrastructure
**Tech:** Karabiner-Elements, OmniWM, SketchyBar, Ghostty, tmux, Neovim, Bash, Lua, Swift, JSON
**URL:** https://yourportfolio.example/projects/rice-docs

Complete, living documentation for a keyboard-first macOS development environment — X-Type custom layout at 213 WPM, OmniWM tiling WM with 5 workspaces, SketchyBar scripted status bar, Karabiner-Elements 4-layer key architecture, and an event-driven Neovim mode indicator.

## Overview

A 5,000-line Markdown knowledge base documenting an entire keyboard-driven macOS developer environment — written to be LLM-editable with explicit instructions like "tell Claude to apply it." The X-Type 4-layer Karabiner architecture maps every symbol and WM action to home-row reach across 43 manipulators. SketchyBar subscribes to OmniWM IPC events, Neovim mode changes, and a CoreAudio CATapDescription HAL tap for an FFT visualiser item.

## Tech

Karabiner-Elements intercepts physical key codes at the IOKit layer with named-variable symbol modifier layers. OmniWM provides Niri scrolling-column layout with five named workspaces and built-in quake terminal. SketchyBar renders workspace indicators, focused app name, Neovim mode, and system stats via Bash plugin scripts subscribed to system events. A Swift helper implements the CATapDescription CoreAudio tap for the cava FFT visualiser.

## X-Type Android Keyboard

**Subtitle:** First native Android app — custom IME implementing the X-Type layout, built at age 16
**Category:** mobile
**Tech:** Android, Java, XML, Android SDK, InputMethodService
**URL:** https://yourportfolio.example/projects/x-type-android

The first native Android app — a custom Input Method Editor that brought the X-Type keyboard layout to a personal Android phone, built at 16 by learning Android Java development from tutorials.

## Overview

The X-Type layout existed only as a design until this app made it usable on a phone. Built by learning Android's InputMethodService API from tutorials and translating the X-Type key position spec into Android XML keyboard layout files. The app registers as a system-level input method, allowing X-Type typing across every app on the device — the first step in a multi-OS rollout that eventually reached 213 WPM.

## Tech

Java with Android's InputMethodService API implements the IME lifecycle and key-event routing to the active text field. XML keyboard layout files define the X-Type row and key geometry. The app installs via sideloaded APK and registers with Android's InputMethodManager as a selectable keyboard.

## Hotel Elegent

**Subtitle:** XState-driven PMS for real property deployment
**Category:** clientwork
**Tech:** Next.js, TypeScript, Bun, XState, Drizzle, PostgreSQL, Zustand, TanStack Query, Soketi, Razorpay, Stripe, Tailwind CSS
**URL:** https://yourportfolio.example/projects/elegent-resort

White-label hotel management system with an XState v5 finite-state booking engine, restaurant POS, guest CRM, digital check-in, and revenue analytics — production-deployed to a real hotel and packaged for ThemeForest.

## Overview

Hotel Elegent is a full-stack hotel property management system built for a real deployment — a family hotel in Sawai Madhopur — and simultaneously packaged as a white-label ThemeForest product. It covers the full hotel operations domain: a multi-step booking engine, front desk calendar, restaurant POS, housekeeping and maintenance tracking, guest CRM with loyalty points, digital self-service check-in, concierge and guest request management, revenue analytics, and a dynamic pricing rules engine. The entire system is driven by a 46-schema PostgreSQL database, configured through an 8-step installation wizard, and deployable to a VPS with a single shell script.

Commercial hotel PMS products charge ₹5,000–20,000 per month with no self-hosting option. This replaces that recurring cost with a one-time deployment on owned infrastructure, while being generic enough — white-label currency, swappable payment gateways, dual image hosting — to sell globally on ThemeForest. The same codebase serves the uncle's property in production and the ThemeForest submission ZIP.

The project ran for 16 months across 23 named sprints and 195 commits, reaching 111/111 Playwright E2E tests before the ThemeForest package was assembled.

## The Challenge

A 7-step booking flow involving real-time availability, guest authentication, payment, and confirmation has at least 15 distinct failure modes — payment retry, mid-flow abandonment, availability changes between steps, step navigation backward and forward. Managing this with nested `useState` and conditional renders would scatter the failure logic invisibly across components. The state had to be made explicit and testable, which meant choosing a tool designed for that job rather than improvising with React primitives.

The white-label requirement added a second layer of constraint: every piece of hardcoded configuration — currency symbols, image hosting provider, payment gateway keys, branding — had to be extractable to settings without touching source. Replacing 100+ hardcoded `₹` and `INR` references with a dynamic currency formatter mid-project (Sprint 14) is the kind of work that distinguishes a "hotel template for India" from a product a hotel in Dubai can actually use.

## Architecture

The stack is Next.js 15 (App Router, React 19, Turbopack) running on Bun with strict TypeScript throughout. State management follows a strict three-system rule enforced in CLAUDE.md: XState v5 owns the booking flow FSM (`bookingMachine.ts`, 280 lines — 7 states, explicit guards, error/retry, RESET and BOOK_MORE transitions); Zustand v5 owns client-side form state collected during the flow; TanStack Query v5 owns all server data fetching. The three systems do not cross boundaries — no server data in Zustand, no form state in TanStack Query, no flow logic in either.

The 46 Drizzle schema files cover the complete hotel domain: rooms, bookings, folio charges, payments, housekeeping, maintenance, restaurant tables, orders, menu, pricing rules, coupons, occupancy snapshots, loyalty points, reviews, guest profiles, notes, messages, notifications, WhatsApp, audit logs, digital check-in tokens, concierge, channel manager, shift notes, staff profiles, site settings, installation config, invoices, and 2FA. Primary key convention is deliberate: UUIDs for content tables (stable, URL-safe, non-leaking) and serial integers for transactional rows (bookings, payments) where monotonic ordering benefits index efficiency and audit trails. Real-time room availability, concierge requests, and restaurant order updates flow through Soketi (self-hosted) or Pusher (production) on the Pusher protocol. Payments support Razorpay (India), Stripe (international), and PayPal, all read from environment variables — swappable without code changes.

## Key Decisions

**XState v5 for the booking FSM.** The 7-step flow has too many failure modes to manage safely with imperative state. An FSM makes illegal transitions impossible by construction — jumping from `idle` to `payment` without passing through `roomSelection` and `guestDetails` simply cannot happen. Each state is independently addressable, which is what made 111 E2E tests achievable without complex setup scaffolding.

**Three-state-system rule (XState / Zustand / TanStack Query — no mixing).** Each library owns a specific concern and the CLAUDE.md prohibits crossing those boundaries. This prevents the common anti-pattern of storing server data in Zustand or putting form state in TanStack Query — both of which produce subtle staleness and hydration bugs that are hard to bisect.

**UUID vs serial PK discipline.** Content tables use UUIDs for stable, non-sequential IDs safe for URLs and external references. Transactional tables use serial integers for index efficiency and natural audit ordering. The split is encoded in the Drizzle schema from the first sprint, so it never had to be retrofitted.

**White-label currency as a product decision.** Replacing 100+ hardcoded `₹` / `INR` strings with a dynamic currency formatter is what separates a regional template from a globally sellable ThemeForest product. A buyer in Dubai or London should not have to grep-replace currency symbols — it comes from the settings panel.

**`setup-vps.sh` as a first-class deliverable.** ThemeForest buyers abandon products that require manual Nginx config and SSL setup. The one-command provisioner handles Docker install, Certbot SSL, Nginx HTTPS reverse proxy (443→3000), WSS proxy for Soketi, backup cron, and renewal cron — everything a non-technical hotel owner needs to go from a blank VPS to a running system.

## Results

Hotel Elegent is production-deployed to the family hotel in Sawai Madhopur, eliminating a recurring commercial PMS cost of ₹5,000–20,000 per month. The ThemeForest submission package — 134,000 lines of TypeScript, 195 commits, 23 sprints, 46 schema files, 111/111 Playwright E2E tests — is complete. Three payment gateways, dual image hosting (Cloudinary or self-hosted Openinary), a white-label currency system, and a one-command VPS provisioner make it deployable by a non-technical buyer without a DevOps hire.

## SingleClickBlog — Faust.js + WordPress

**Subtitle:** Headless WordPress blog with Faust.js, WPGraphQL, Apollo, Tiptap editor, and self-hosted Coolify deployment
**Category:** fullstack
**Tech:** Next.js 14, TypeScript, Faust.js, WordPress, WPGraphQL, Apollo Client, Redux Toolkit, Tailwind CSS 3.3, Tiptap 2, graphql-codegen, Vercel, Coolify
**URL:** https://yourportfolio.example/projects/singleclickblog-faust
**Live:** https://karan.willmakeitsoon.com

A full-featured headless WordPress publishing platform using Faust.js and WPGraphQL, with Apollo Client, Redux Toolkit state management, a Tiptap rich-text editor, and automated GraphQL type generation — deployed on self-hosted Coolify.

## Overview

A production headless WordPress setup combining Faust.js for the Next.js data-fetching layer with WPGraphQL on the WordPress side. graphql-codegen generates TypeScript types from the WPGraphQL schema at build time, eliminating a whole category of type errors. The Tiptap editor provides the authoring interface in the Next.js admin surface, posting back to WordPress via the REST API.

## Tech

Next.js 14 with Faust.js handles routing and authentication handoff to WordPress. Apollo Client manages GraphQL data fetching and caching. Redux Toolkit stores client session state. graphql-codegen runs in CI to keep generated types in sync with the WordPress schema. Self-hosted WordPress runs on Coolify; the Next.js frontend deploys to Vercel.

## Earning Point — App Landing Page

**Subtitle:** Play Store compliance HTML landing page set for a rewards app — privacy policy, terms, and support pages
**Category:** clientwork
**Tech:** HTML5, Tailwind CSS CDN, Bootstrap 4
**URL:** https://yourportfolio.example/projects/earning-point-homepage

A set of four static HTML pages satisfying Google Play Store policy requirements for the Earning Point rewards app — privacy policy, terms of service, data deletion, and a support contact page.

## Overview

Google Play Store requires apps to link to hosted privacy policy and terms of service pages before approval. This set of four static HTML pages fulfils those requirements for the Earning Point rewards app — clean, mobile-responsive, and easy to update without a build system.

## Tech

Pure HTML5 with Tailwind CSS via CDN and Bootstrap 4 for responsive layout utilities. No build step, no JavaScript framework. The pages load instantly and satisfy all Play Store link verification requirements.

## TinkerUI — Local Generative UI Playground

**Subtitle:** Offline generative-UI tool with Ollama streaming, sandboxed iframe preview, and a QLoRA fine-tuning pipeline
**Category:** aitools
**Tech:** React 19, TypeScript, Vite 7, Tailwind CSS v4, Tauri v2, Rust, Python, Ollama, QLoRA, PEFT, TRL, Qwen
**URL:** https://yourportfolio.example/projects/tinker-ui

A split-pane chat-plus-preview app that streams Tailwind HTML from a local Ollama LLM into a sandboxed iframe — built in one day with React 19, Vite 7, and Tauri v2, including a complete QLoRA fine-tuning pipeline for Qwen 2.5 Coder 1.5B.

## Overview

TinkerUI lets you describe a UI component in natural language and see it rendered in a live sandboxed iframe as tokens stream from a local Ollama model — no cloud API, no rate limits. A streaming-aware HTML extractor handles four distinct partial-output shapes so the preview updates token-by-token without broken renders. The companion Python pipeline fine-tunes Qwen 2.5 Coder 1.5B with QLoRA on a 340-example fuzzy-deduplicated dataset and exports to GGUF for Ollama.

## Tech

Vite 7 with React 19 and Tailwind CSS v4 builds the frontend. Ollama's streaming NDJSON API delivers token-by-token generation. The srcdoc iframe with Tailwind CDN isolates untrusted HTML from the app DOM. Tauri v2 wraps the app as a native desktop binary. The Python training stack uses Unsloth, PEFT, and TRL with MPS-compatible float32 training for Apple Silicon.

## Xecute — Productivity Command Center

**Subtitle:** 34-panel macOS productivity HUD with Kanban, Pomodoro, SM-2 flashcards, Fuse.js search, and 45k LOC
**Category:** opensource
**Tech:** Tauri v2, Svelte 5, TypeScript, Rust, Tailwind CSS v4, Fuse.js, Shiki, marked, objc2
**URL:** https://yourportfolio.example/projects/xecute

A single PgDn keypress summons a transparent always-on-top productivity HUD with 34 tool panels — Kanban, Pomodoro, Notes with wikilinks, Time Tracker, Finance, Flashcards with SM-2, Mind Map, and more — built with Tauri v2, Svelte 5, and objc2 NSApplication activation.

## Overview

Xecute consolidates a full productivity stack — Notion, Toggl, Anki, Bear, clipboard manager, bookmark manager — into one keyboard-triggered overlay. Cross-panel integrations wire Pomodoro sessions to Time Tracker, Kanban cards to Standup auto-population, and Flashcards to a shared SM-2 spaced-repetition engine with Vocabulary. A 1,026-line SPEC.md written before any code prevented the reactivity bugs discovered on the predecessor CheaXheet from recurring across all 34 panels.

## Tech

Tauri v2 with unsafe objc2/NSApplication.activateIgnoringOtherApps fixes the keyboard-focus problem under ActivationPolicy::Accessory. Svelte 5 runes with per-panel state slices prevent monolithic re-render bottlenecks across 34 domains. Fuse.js runtime-indexes all panel state at Cmd+K invocation for cross-panel search. SM-2 spaced repetition is implemented once and shared between Flashcards and Vocabulary panels.

## Prachyam Dev Mesh

**Subtitle:** 3-node Tailscale mesh beats RAM limits
**Category:** infrastructure
**Tech:** Tailscale, Caddy, dnsmasq, Docker Compose, TypeScript, MCP SDK, Cloudflare DNS
**URL:** https://yourportfolio.example/projects/prachyam-dev-mesh

A 3-machine Tailscale mesh with dnsmasq and Caddy that made a 9-platform OTT monorepo buildable on a 16 GB M1 iMac by offloading all Docker services to companion machines, plus 10 custom MCP servers that cut AI assistant context load by 69%.

## Overview

Prachyam Studios provided a 16 GB M1 iMac as the sole development machine for the Sangam OTT monorepo — a codebase targeting web, iOS, Android, Apple TV, Android TV, Roku, Tizen, and webOS simultaneously. Running all Docker services (databases, search, AI inference, real-time, monitoring, payments) alongside active build processes and simulators was not viable on 16 GB. The machine would saturate memory and become unresponsive.

The solution was a 3-node Tailscale mesh: active development stayed on the iMac while all stateful Docker services ran on two companion machines, reachable over a WireGuard overlay network. dnsmasq provided wildcard DNS so every service got a clean `*.local` domain; Caddy terminated TLS with a wildcard certificate so browser sessions worked identically to production. No new hardware was purchased and no cloud spend was incurred.

The architecture later evolved into a personal `~/infra` repository with 97 named Caddy routes and a full production-parity toolkit for solo development — a direct successor to the Prachyam mesh.

## The Challenge

The hardware budget was fixed. An upgrade to a Mac Studio or Mac Pro would have cost ₹1,50,000–₹4,00,000 and required a budget approval process that wasn't on the table. Cloud dev environments were rejected due to GPU locality requirements for AI inference workloads and prohibitive cost on a volunteer salary. The constraint was real and required a topological solution, not a hardware one.

## Architecture

Three machines joined a private WireGuard overlay via Tailscale. Tailscale SSH handled cross-node authentication without managing key pairs per machine. dnsmasq on each node resolved `*.local` (Prachyam era) / `*.dev.dharmic.cloud` (personal era) wildcard domains to the appropriate host. Caddy handled TLS termination via Cloudflare DNS-01 challenge, issuing a single wildcard certificate that covered all 97+ service subdomains. Docker Compose services — PostgreSQL, Dragonfly, MinIO, Typesense, Qdrant, NATS, Temporal, Authentik, Flipt, Lago, OpenTelemetry, Grafana — ran on the non-development machines. The development machine ran only active `bun dev` and compile processes. Ten custom MCP servers (TypeScript, `@modelcontextprotocol/sdk`) exposed project internals — workflow docs, API testing, semantic code search, database schema, feature flags, infra health — as on-demand tools invoked by the AI coding assistant over Tailscale SSH.

## Key Decisions

**Tailscale over self-managed WireGuard.** Tailscale's coordination server handles peer discovery automatically and Tailscale SSH eliminates separate key management — critical for a 3-machine solo-operated mesh that also bridged Pune and Varanasi offices without firewall changes.

**dnsmasq wildcard address record instead of per-host entries.** A single `address=/.dev.dharmic.cloud/127.0.0.1` line covers all 97+ subdomains; adding a new service requires only a Caddy route block, making the MIGRATE.md runbook fully automatable.

**Caddy over nginx for TLS.** Caddy's automatic ACME support with the Cloudflare DNS plugin handles wildcard cert renewal without cron jobs or per-service cert management — essential for a rapidly expanding service catalogue.

**MCP servers over a fat CLAUDE.md.** Deferring context loading until the assistant requests it reduced CLAUDE.md from 105k to 32k characters, dropped context-limit errors in long sessions to near-zero, and gave the assistant on-demand access to 29 workflow documents and 9 other context domains.

## Results

The monorepo build, simulator runs, and full integration test suite ran on the constrained machine with zero hardware cost and zero cloud spend. The 10 custom MCP servers reduced AI assistant context load by 69%, which lowered per-session token cost and eliminated context-window errors during long development sessions. The pattern formalised into a personal `~/infra` with 97 HTTPS routes, and a machine-readable MIGRATE.md runbook that reduces new-project infra onboarding from two hours to approximately ten minutes.

## OTT Component Library

**Subtitle:** 550+ components across web, mobile, TV, and admin
**Category:** fullstack
**Tech:** Next.js, React Native, Expo, Tailwind CSS, TypeScript, Drizzle ORM, PostgreSQL
**URL:** https://yourportfolio.example/projects/ott-components

A 4-platform atomic design system for a production OTT platform — 273 web components, 158 mobile components, 128 admin components, and a 27-module Drizzle ORM database schema — built solo in 5 days across Next.js, React Native, and TV surfaces.

## Overview

The prachyam-sangam OTT monorepo targets five surfaces — web, iOS, Android, Apple TV/Android TV/Roku/Tizen/webOS, and a desktop admin panel — from a single codebase. Without a dedicated component library, each surface would duplicate UI logic and drift from the design system, repeating the same pattern that had broken the previous 18-developer Prachyam codebase. Three off-the-shelf OTT templates from ThemeForest were evaluated and rejected as incomplete or not extensible. A ground-up library was the only path to full control.

Built across 145 commits in 5 days (2025-11-17 to 2025-11-22), the library covers: 273 web components + 53 pages + 23 templates (Next.js 16 + Tailwind CSS v4), 158 mobile components (Expo SDK 54 + React Native 0.81.5 plain StyleSheet), 128 admin organisms (separate Next.js app on port 3001), and a named `@ott-platform/db-schema` package with 27 Drizzle ORM domain modules. Every component renders with Faker.js-generated mock data, making the showcase page a living visual test suite without Storybook.

## The Challenge

A single design system had to drive two fundamentally different rendering engines — Tailwind CSS v4 for Next.js and React Native StyleSheets — while sharing the same design tokens. TV surfaces required keyboard/D-pad focus management that web frameworks provide no native solution for, and third-party TV nav SDKs carry enterprise licensing costs. The admin bundle had to stay completely separate from the viewer-facing bundle to avoid inflating load size with heavy admin dependencies.

## Architecture

Web UI uses Next.js 16 App Router with Tailwind CSS v4 CSS custom properties for design tokens and Biome 2.2 for linting. Mobile UI uses Expo SDK 54 with React Native's plain `StyleSheet` API against a shared `theme.ts` module exporting the same colour values as JS constants — avoiding NativeWind build complexity on TV targets while keeping visual parity. Admin UI is a standalone second Next.js 16 app on port 3001, keeping the admin bundle completely separate from the viewer-facing app. The database schema (`@ott-platform/db-schema`) is a versioned package with granular exports by domain so any service can import only the slice it needs. Components follow a strict atomic hierarchy: Atoms → Molecules → Organisms → Templates → Pages, enforced by directory structure with no cross-contamination.

## Key Decisions

**Separate StyleSheet vs Tailwind CSS.** The Tailwind/StyleSheet split avoids NativeWind build issues on TV and desktop targets while keeping the warm terracotta palette (`primary: #c96442`) as a single source of truth across two source files — one CSS variables file and one `colors.ts` constant.

**TV D-pad navigation without a library.** `TVNavigationGrid` and `TVKeyboard` handle focus through `window.addEventListener("keydown", ...)` with grid-math for arrow keys. No spatial navigation library was pulled in, keeping the bundle small and removing a dependency that would need Tizen/webOS-specific shims.

**Admin as a standalone Next.js app.** Rather than stuffing admin routes into web-ui's route groups, a separate `package.json` project on port 3001 ensures the admin bundle — with heavy charting, data tables, and Docker API calls — is never shipped to end-users.

**Drizzle schema as a named package with granular exports.** `import { content } from '@ott-platform/db-schema/content'` lets any service import exactly its domain slice, preventing schema drift and coupling between API server, admin, and analytics workers.

## Results

One design system drives all five OTT surfaces from two token source files. The web UI is 100% complete at 273 components and 53 full page implementations. The TV focus management works on any keydown-capable TV browser with zero external dependencies. The 27-module database schema covers the full platform — auth, content, live streaming, social, billing, analytics, DRM, ads, creator monetisation, i18n, audit, referrals, and events — deployable against PostgreSQL 16 with `drizzle-kit migrate`. The library replaced three rejected commercial templates at a cost of only Karanveer's time.

## Stack Breadth Sandbox — 14+ Frameworks

**Subtitle:** Systematic exploration of 14+ modern frameworks and runtimes across web, mobile, desktop, and server
**Category:** opensource
**Tech:** Astro, Remix, SolidJS, SvelteKit, TanStack Start, Vue, Nuxt, Expo, Flutter, Tauri, Electron, Elysia, Hono, Bun, Deno, NestJS, Turborepo, Nx, Better Auth, Drizzle ORM, Electric SQL
**URL:** https://yourportfolio.example/projects/stack-breadth-sandbox

A multi-year sandbox of real hello-world-to-functional projects across 14+ frameworks — Astro, Remix, SolidJS, SvelteKit, TanStack Start, Vue, Nuxt, Expo, Flutter, Tauri, Electron, Elysia, Hono, Bun, Deno, NestJS — to build genuine breadth rather than surface-level familiarity.

## Overview

A deliberate multi-year investment in framework breadth — each framework taken past hello-world to something functional. The goal was to understand not just API surface but architectural philosophy: how each framework thinks about routing, reactivity, server/client boundary, and developer experience. This sandbox is the foundation behind being able to choose the right tool for each production project rather than defaulting to the familiar one.

## Tech

Projects span the full modern web and app stack: Astro and Remix on the web; SolidJS, SvelteKit, Vue/Nuxt for reactivity-first SPAs; TanStack Start and Hono for edge-first servers; Expo and Flutter for mobile; Tauri and Electron for desktop; Elysia and Bun for high-performance server runtimes; NestJS for enterprise patterns; Turborepo and Nx for monorepo tooling.

## Claude Usage — macOS Menu Bar Tracker

**Subtitle:** Native Swift macOS app with WidgetKit, AppIntents, and reverse-engineered Claude internal API for usage tracking
**Category:** opensource
**Tech:** Swift, SwiftUI, WidgetKit, AppIntents, AppKit, UserNotifications, Combine
**URL:** https://yourportfolio.example/projects/claude-usage

A native macOS menu bar app that tracks Claude API token consumption — using reverse-engineered internal Claude endpoints, WidgetKit for desktop widgets, AppIntents for Siri and Shortcuts integration, and Combine for reactive data flow.

## Overview

A native macOS menu bar utility that monitors Claude API token usage across sessions and models. The app reverse-engineers Claude's internal usage API (accessible via the authenticated session cookie) to fetch real consumption data. WidgetKit exposes a Today widget showing current period usage. AppIntents registers Siri and Shortcuts actions for querying usage on demand.

## Tech

Swift and SwiftUI build the menu bar popover and settings UI. AppKit handles the NSStatusItem menu bar icon. WidgetKit provides the lock screen and Notification Center widget. AppIntents registers usage-query intents with Siri and the Shortcuts app. Combine drives reactive updates when new usage data is fetched. UserNotifications fires alerts when approaching usage thresholds.

## DocSee Systray — macOS Docker System Tray

**Subtitle:** Tauri 2 system-tray Docker manager with force-directed canvas graph, NSVisualEffectView vibrancy, and 19 commits
**Category:** infrastructure
**Tech:** Rust, Tauri 2.0, React 19, TypeScript, Tailwind CSS v4, shadcn/ui, Zustand, Bollard, Tokio, NSVisualEffectView
**URL:** https://yourportfolio.example/projects/docsee-systray

A macOS system-tray app for Docker management built with Tauri 2, Rust, and React 19 — featuring a force-directed canvas graph of container relationships, NSVisualEffectView blur via ObjC FFI, Tailwind CSS 4, and shadcn/ui.

## Overview

A macOS system-tray application that surfaces Docker container state in a transparent floating panel. The panel renders a live force-directed canvas graph showing container interconnections — networks, volumes, and compose project membership as edges. True macOS vibrancy is achieved by calling NSVisualEffectView through Rust's ObjC FFI layer, matching the visual language of native macOS panels.

## Tech

Tauri 2.0 with Rust handles the native macOS integration. Bollard communicates with the Docker daemon. NSVisualEffectView is accessed via cocoa and objc Rust crates for authentic background blur. React 19 with Tailwind CSS v4 and shadcn/ui builds the frontend. The force-directed graph runs on an HTML5 canvas with custom physics.

## Next.js Blog — Sanity CMS

**Subtitle:** Personal blog with Sanity CMS, SWR infinite pagination, and Bootstrap 4 styling
**Category:** fullstack
**Tech:** Next.js 9.4.4, React 16, Sanity, SWR, Bootstrap 4, SCSS
**URL:** https://yourportfolio.example/projects/nextjsblog

An early personal blog built with Next.js 9 and React 16, using Sanity as the headless CMS, SWR for client-side data fetching with infinite pagination, and Bootstrap 4 for styling.

## Overview

An early exploration of the Next.js + headless CMS pattern, built before Jamstack tooling had fully matured. Sanity provides the content editing interface; Next.js fetches and renders posts server-side. SWR handles infinite-scroll pagination on the listing page without a full page reload. This project established the CMS-driven blog architecture refined in later work.

## Tech

Next.js 9.4.4 with getServerSideProps fetches Sanity content at request time. SWR handles client-side pagination with a stale-while-revalidate cache strategy. Bootstrap 4 and SCSS provide the responsive layout. Three years of active use produced 75 commits before the project was superseded by headless WordPress work.

## Astro Coming-Soon — Prachyam Relaunch Page

**Subtitle:** Animated WebGL launch-announcement page with GLSL shaders, Supabase waitlist, and SMTP email confirmation
**Category:** fullstack
**Tech:** Astro, React, TypeScript, Tailwind CSS, Supabase, OGL, GLSL, Nodemailer, Netlify
**URL:** https://yourportfolio.example/projects/astro-coming-soon
**Live:** https://prachyam.willmakeitsoon.com/

A high-performance coming-soon page for the Prachyam platform relaunch — built with Astro SSR, OGL WebGL/GLSL shaders, Supabase Realtime waitlist capture, and self-hosted Nodemailer SMTP confirmation emails.

## Overview

Designed and shipped a visually striking launch announcement page in three days to announce the Prachyam platform relaunch. OGL-powered GLSL shaders produce the animated hero background with near-zero JavaScript overhead. Supabase Realtime captures waitlist signups and Nodemailer delivers confirmation emails via a self-hosted SMTP relay.

## Tech

Astro SSR provides the static-first rendering shell with React islands for interactive components. OGL (a minimal WebGL library) drives the GLSL shader animation without the Three.js bundle cost. Supabase handles the real-time waitlist database. Netlify hosts the final deployment.

## Kanishka Creations — Fashion E-commerce

**Subtitle:** Full-stack React Native fashion app with GPU canvas product rendering, AI background removal, and Turborepo monorepo
**Category:** mobile
**Tech:** React Native 0.79+, React Native Skia, Reanimated 3, Express, Next.js 15, Drizzle ORM, PostgreSQL, Redis, MinIO, Meilisearch, rembg, Turborepo, Razorpay, Shiprocket
**URL:** https://yourportfolio.example/projects/kanishka-creations

A fashion e-commerce platform built in a Turborepo monorepo — React Native with React Native Skia GPU canvas, a Next.js admin dashboard, an Express/Drizzle API, Meilisearch product search, rembg AI background removal, and Razorpay + Shiprocket fulfilment.

## Overview

A vertically integrated fashion commerce platform — mobile storefront, web admin, and API — all in a single Turborepo monorepo. React Native Skia renders GPU-accelerated product cards and try-on overlays. The rembg AI service removes image backgrounds from product photos automatically. Shiprocket handles order dispatch and tracking.

## Tech

React Native 0.79 with React Native Skia and Reanimated 3 powers the mobile client. The backend is Express with Drizzle ORM on PostgreSQL, Redis for caching, and MinIO for media storage. Meilisearch provides typo-tolerant product search. Turborepo manages build orchestration across the monorepo packages.

## Personal Blog — 2014

**Subtitle:** CMS-powered personal blog built in Webflow at age 14 with live chat and a unified logo system
**Category:** design
**Tech:** Webflow, Webflow CMS, tawk.to
**URL:** https://yourportfolio.example/projects/personal-blog-2014

A CMS-managed personal blog built in Webflow at age 14 — using Webflow's newly launched CMS feature, tawk.to live chat, and a custom UI design from scratch — the product that spawned the Trianglify plugin and the unified logo system still in use a decade later.

## Overview

The first product shipped with real users. Designed entirely from scratch in Webflow's visual editor — not a template — using the CMS feature within weeks of its public launch. tawk.to live chat embedded via Webflow's custom code block created the first bidirectional user-author relationship surface. The need for an animated hero background couldn't be solved inside Webflow, so it was deferred and became the Trianglify jQuery plugin the following year.

## Tech

Webflow CMS collections manage blog post content with dynamic page templates. tawk.to provides the live chat widget via a JavaScript embed injected through Webflow's custom code feature. The unified logo system — a master mark with a per-product derivation rule inspired by Adobe's product identity approach — was designed alongside this project and remained in active use for over a decade.

## Satta Matka — Live Results App

**Subtitle:** Expo SDK 55 React Native app with Reanimated 4, self-hosted Supabase, and a custom OdometerText animation
**Category:** mobile
**Tech:** Expo SDK 55, React Native 0.83.2, TypeScript, NativeWind, Reanimated 4, Zustand, Supabase, Victory Native
**URL:** https://yourportfolio.example/projects/satta-matka

A live-results React Native app built on Expo SDK 55 and React Native 0.83.2, with Reanimated 4 animations including a custom OdometerText number roller, self-hosted Supabase on Coolify for real-time data, and Victory Native charts.

## Overview

A live number-results app for the Satta Matka lottery format, with real-time data pushed from a self-hosted Supabase instance running on Coolify. The custom OdometerText component uses Reanimated 4 to animate individual digit columns like a physical odometer as new results arrive. Victory Native renders historical result charts.

## Tech

Expo SDK 55 with React Native 0.83.2 provides the mobile runtime. Reanimated 4 powers the OdometerText digit-roll animation and screen transitions. Supabase Realtime delivers result updates via WebSocket subscription. NativeWind handles Tailwind utility styling. Zustand manages application and subscription state.

## Gamezop Integration — Prachyam HTML5 Games

**Subtitle:** Revenue-share HTML5 game hub embedded into the Prachyam OTT platform via Flutter WebView and React
**Category:** fullstack
**Tech:** Flutter, React, WebView, HTML5, Dart, TypeScript
**URL:** https://yourportfolio.example/projects/gamezop-integration
**Live:** https://prachyam.com

Integrated the Gamezop HTML5 game platform into Prachyam's mobile and web surfaces using Flutter WebView and a React embed, enabling a revenue-share casual-gaming layer for subscribers with zero custom game development.

## Overview

Extended the Prachyam OTT platform with a casual gaming hub by integrating the Gamezop revenue-share platform. The Flutter mobile app hosts the game catalogue in a WebView with seamless authentication handoff, while the React web client uses an iframe-based embed. Revenue from game session ads flows back to Prachyam under a standard Gamezop revenue-share agreement.

## Tech

Flutter WebView wraps the Gamezop HTML5 game catalogue for iOS and Android. A lightweight React component handles the web embed. Authentication context is passed at iframe initialisation so subscribers land directly into the game lobby without re-login.

## Rishi Talks Mobile

**Subtitle:** Astrology app shipped to both stores in one day
**Category:** mobile
**Tech:** React Native, Expo, TypeScript, EAS Build, react-native-webview, Gamezop
**URL:** https://yourportfolio.example/projects/rishi-talks
**Live:** https://rishi-talks.com

A production-ready React Native / Expo WebView wrapper for the Rishi Talks astrology WordPress site, with typed offline detection, Android back-button handling, and a Gamezop revenue integration — built and shipped to both platforms in a single session.

## Overview

Prachyam Studios needed App Store and Play Store presence for their Rishi Talks astrology brand without rebuilding the existing WordPress site as a native app. A thin native shell delivers better mobile UX — no browser chrome, native splash screen, proper back-navigation — while all content stays managed through WordPress. The entire app was designed, built, debugged, and shipped within a single day: three commits, both Android APK and iOS builds confirmed working on 2025-10-27.

The app loads `https://rishi-talks.com` in a full-screen `react-native-webview` with no browser chrome. Beyond the basic wrapper, it implements a typed cross-platform offline-state machine, automatic retry, splash screen held to first page load, link confinement, and a custom user-agent for analytics segmentation. A Gamezop HTML5 game revenue-share integration — proposed by Karanveer in a Prachyam revenue meeting — was added to both the WordPress site and the mobile app, creating a new ad revenue channel with zero game-development cost.

## The Challenge

The constraint was speed: the website was already live and Prachyam needed app store presence quickly. The technical challenge was building a wrapper that felt native rather than a browser tab — handling offline states gracefully, managing Android's hardware back button, preventing the white-flash between splash and first page load, and keeping all navigation within the app rather than leaking to the system browser.

## Architecture

The app is a single Expo SDK 54 screen (`app/index.tsx`) using Expo Router 6 for file-based routing. `react-native-webview` 13.15.0 handles rendering with `React Native 0.81.5` and `React 19.1`. The New Architecture is enabled (`newArchEnabled: true`) along with the React Compiler experiment. EAS Build provides three profiles — development (dev-client), preview (internal APK), and production (auto-increment for store submission). No backend or database exists in-app; `cacheEnabled: true` on the WebView uses the system HTTP cache. The offline-detection layer classifies errors using a matrix of iOS numeric codes (-2, -1009, -1003) and Android description string-matching, isolating genuine connectivity failures from HTTP errors or in-page JS errors.

## Key Decisions

**Holding the splash screen to `onLoadEnd`.** `SplashScreen.preventAutoHideAsync()` is called immediately and `SplashScreen.hideAsync()` fires only when the WebView's first page load completes, eliminating the flash of unstyled content that a timer-based approach cannot avoid.

**Typed error matrix instead of a single catch-all.** Checking `nativeEvent.code` against known iOS values and string-matching Android descriptions means HTTP 404s and in-page JS errors do not falsely trigger the offline screen — only genuine connectivity failures do.

**OfflineScreen replaces the render tree, not overlays it.** Unmounting the WebView while offline prevents background reconnect attempts and WebView resource consumption, and makes the offline/online transition a clean state flip rather than an overlay toggle.

**Gamezop over in-house games.** Prachyam had an audience but no game-development capacity. Gamezop's revenue-share model required only a JS embed on the WordPress site, which passes through the WebView transparently — zero ongoing engineering cost, new revenue line.

## Results

Both Android and iOS builds were confirmed working on the same day the project started. The EAS project was handed to Prachyam Studios ready for store submission. The Gamezop integration added an ad revenue channel to both the website and the app at no development cost beyond the time to embed the SDK. The typed offline-detection approach proved robust enough that the same pattern was noted as a default for any future WebView wrapper project.

## X-Type Keyboard Layout

**Subtitle:** Custom keyboard layout designed via corpus analysis for an Indian typist — 213 WPM across 4 operating systems over 11 years
**Category:** opensource
**Tech:** Karabiner-Elements, JSON, XKB, Java, Android SDK
**URL:** https://yourportfolio.example/projects/x-type-layout

A data-driven keyboard layout built from a custom Hindi/Hinglish/English corpus, beating QWERTY, Dvorak, Colemak, and Workman on the Patorjk analyzer — cross-shipped to Android, Windows, Linux, and macOS, reaching 213 WPM after 11 years of daily use.

## Overview

Designed at 15 by uploading a hand-built corpus of Hindi, Hinglish, and English text to the Patorjk Keyboard Layout Analyzer and iterating key positions until X-Type beat every mainstream alternative on finger-travel and same-finger-bigram metrics. The macOS implementation uses Karabiner-Elements with two JSON files defining tap-hold dual-purpose symbol modifier layers — accessing all programming symbols without leaving home row. 11 years of daily use across four operating systems grew the typing speed from 90 WPM to 213 WPM.

## Tech

The macOS implementation is a pair of Karabiner-Elements complex modification JSON files — xtype-left-symbols.json and xtype-right-symbols.json — using named variables for layer state and tap-hold dual-purpose keys with a 300ms disambiguation window. Android used Java with the InputMethodService API. Linux uses XKB. The custom corpus drove the entire optimisation rather than a standard English frequency table.

## Hygraph CMS Blog

**Subtitle:** Next.js blog with Hygraph GraphQL, a hand-rolled AST renderer, and AdSense monetisation
**Category:** fullstack
**Tech:** Next.js 11, React, Hygraph GraphQL, Tailwind CSS 2, Vercel, google-adsense
**URL:** https://yourportfolio.example/projects/hygraph-cms-blog
**Live:** https://hygraph-cms-blog-4wimu2a16-xczer.vercel.app/

A monetised blog built with Next.js 11 and Hygraph GraphQL, featuring a hand-rolled AST-to-JSX content renderer, AdSense integration, and deployment to Vercel — built in four days.

## Overview

A lean monetised blog exploring the Hygraph GraphQL CMS as an alternative to Sanity. The most technically interesting part is the hand-rolled AST renderer that walks Hygraph's rich-text node tree and outputs React elements without a third-party renderer library. Google AdSense integration provides display revenue on post pages.

## Tech

Next.js 11 with getStaticProps and ISR fetches content from Hygraph's GraphQL endpoint at build time. The AST renderer handles headings, paragraphs, lists, code blocks, and embeds. Tailwind CSS 2 provides utility styling. Deployed to Vercel with automatic ISR revalidation.

## Travelore — Travel Companion App

**Subtitle:** Full-stack React Native + Next.js travel app with Hono API, Prisma, MSW mock layer, and 68 commits in a week
**Category:** mobile
**Tech:** React Native, Expo SDK 52, Next.js 14, Hono, Prisma, TypeScript, NativeWind, Zustand, TanStack Query, MSW, Docker, PostgreSQL, Redis, MinIO
**URL:** https://yourportfolio.example/projects/travelore

A full-stack travel companion built with React Native Expo and a Next.js/Hono backend, featuring itinerary planning, offline maps, TanStack Query data fetching, MSW mock layer for test isolation, and Docker-orchestrated infrastructure.

## Overview

A feature-complete travel planning app shipping a React Native mobile client alongside a Next.js web frontend, both backed by a shared Hono API server. The 127,000-line codebase includes itinerary management, offline-capable map screens, media uploads to MinIO, and a comprehensive MSW mock layer that lets the mobile app run against realistic data without a live backend.

## Tech

React Native Expo SDK 52 with NativeWind provides the mobile UI. The Hono API server uses Prisma to talk to PostgreSQL and Redis for caching. TanStack Query manages all data fetching and cache invalidation. Docker Compose orchestrates the local dev stack of Postgres, Redis, and MinIO.

## 3D RAD Car Racing Game

**Subtitle:** First game built at age 9 — skybox, water terrain, enemy AI, and the origin of the Xczer identity
**Category:** design
**Tech:** 3D RAD
**URL:** https://yourportfolio.example/projects/3d-rad-car-racing

A playable car-racing game built at age 9 in 3D RAD — with skybox, water-crossing track, textured terrain, and enemy AI cars — to make a social bluff true, and the project that named the Xczer identity still in use 17 years later.

## Overview

A 9-year-old told his friends he could make games on his new laptop. He had zero game development knowledge. Rather than drop the bluff, he downloaded 3D RAD, worked through a PDF tutorial, and assembled a playable car-racing game with skybox, sculpted terrain, a water-crossing track, and AI opponent cars. After shipping it, the immediate next instinct was world-building — co-writing a multi-character game-story arc under school desks, naming the protagonist Xczer, the online handle still in use 17 years later.

## Tech

3D RAD is a visual plugin-graph game engine — no code written, only components configured: vehicle physics plugin, AI opponent plugin, skybox renderer, terrain sculpt and paint tools, water-plane plugin. The game compiled to a local Windows executable. Community car models were sourced and imported; level design decisions (track routing, water placement) were made entirely by the author.

## Trianglify — jQuery Low-Poly Background Plugin

**Subtitle:** Procedural animated triangle-mesh jQuery plugin published on eager.io at age 15
**Category:** opensource
**Tech:** JavaScript, jQuery, HTML5 Canvas
**URL:** https://yourportfolio.example/projects/trianglify

A jQuery plugin that generates animated low-poly triangle-mesh canvas backgrounds — built from scratch at age 15 and published on eager.io, a curated plugin platform later acquired by Cloudflare Apps.

## Overview

The first piece of publicly distributed software. Built to solve a specific visual need — an animated low-poly hero background for a personal blog — rather than adapting an existing particle library. The plugin seeds random points across a canvas, connects them into a triangle mesh, and animates the mesh by continuously nudging point positions per frame. Published on eager.io, which curated plugins and required a proper manifest before listing.

## Tech

A standard jQuery plugin pattern registers a method on $.fn that accepts an options object. The HTML5 Canvas 2D API renders the triangle mesh each animation frame. Point geometry and per-triangle colour assignment are computed in vanilla ES5 JavaScript. No bundler — single-file distribution through the eager.io manifest format.

## MetriX — Developer Infra Monitoring HUD

**Subtitle:** 33-panel Tauri v2 + Svelte 5 macOS developer HUD with Rust sysinfo metrics, Docker management, and an embedded webhook server
**Category:** infrastructure
**Tech:** Tauri v2, Svelte 5, Rust, TypeScript, Tailwind CSS v4, sysinfo, Bollard, reqwest, tiny_http, Fuse.js, Shiki
**URL:** https://yourportfolio.example/projects/metrix

A keyboard-triggered transparent macOS HUD with 33 tool panels — system metrics, Docker management, service health, config editing, API testing, CI monitoring, and more — built with Tauri v2, Svelte 5, Rust sysinfo, and a CORS-free reqwest HTTP client.

## Overview

MetriX replaces eight separate daily-driver tools with a single PgUp keypress. A Rust background thread emits system metrics via Tauri events every two seconds — zero JS polling, zero UI-thread blocking. The reqwest HTTP client inside the Rust process makes API requests without any browser CORS restrictions. An embedded tiny_http server in the Rust binary provides a webhook inspector that requires no external proxy.

## Tech

Tauri v2 with ActivationPolicy::Accessory keeps MetriX invisible until the global shortcut fires. Svelte 5 runes with a single AppState class drive the 33-panel UI. The Rust backend exposes 34 command handlers covering sysinfo metrics, Bollard Docker calls, reqwest HTTP requests, shell command streaming, and the tiny_http webhook listener. Shiki provides syntax highlighting across config editor, API tester, and log viewer panels.

## Akku Healthcare — Clinic Website

**Subtitle:** SEO-optimised healthcare marketing site with Schema.org structured data and perfect Core Web Vitals
**Category:** clientwork
**Tech:** Next.js 16.1.6, React 19, TypeScript, Tailwind CSS v4
**URL:** https://yourportfolio.example/projects/akku-healthcare

A production-ready healthcare clinic website built with Next.js 16 and React 19, featuring Schema.org JSON-LD structured data, SEO metadata utilities, and a component architecture optimised for Core Web Vitals.

## Overview

A marketing and information site for an Indian healthcare provider. Built with Next.js App Router and React 19 Server Components for fast static delivery. Schema.org JSON-LD markup covers MedicalOrganization, Physician, and Service entities to improve search visibility. All page metadata is generated programmatically via Next.js metadata utilities.

## Tech

Next.js 16 App Router with React 19 Server Components delivers the static-first architecture. Tailwind CSS v4 handles all styling with zero runtime overhead. TypeScript enforces type safety across the codebase. The twelve-commit project was completed in five days.

## Madhur — Flutter App

**Subtitle:** Offline-first Flutter app with GetX state management, Appwrite backend, and Lottie animations
**Category:** mobile
**Tech:** Flutter, Dart, GetX, Appwrite, GetStorage, Lottie
**URL:** https://yourportfolio.example/projects/madhur-flutter

A Flutter mobile app with GetX state management, Appwrite as the backend-as-a-service, GetStorage for offline-first caching, and Lottie animations — built in nine days across 19 commits.

## Overview

A Flutter application exploring GetX as a lightweight alternative to BLoC for state management and routing. Appwrite provides authentication, database, and storage without a custom backend. GetStorage gives the app offline-first behaviour by persisting key data to local storage before syncing with Appwrite. Lottie animations enhance onboarding and empty-state screens.

## Tech

Flutter with Dart uses GetX for reactive state, dependency injection, and named routing. Appwrite's Flutter SDK connects to a self-hosted Appwrite instance for auth and data. GetStorage handles lightweight local persistence. Lottie renders JSON animation files at runtime.

## CheaXheet — Keyboard Shortcut Overlay

**Subtitle:** Global-hotkey macOS cheatsheet overlay with Fuse.js fuzzy search, SVG keyboard diagram, and live modifier glow
**Category:** opensource
**Tech:** Tauri v2, Svelte 5, Rust, TypeScript, Tailwind CSS v4, Fuse.js
**URL:** https://yourportfolio.example/projects/cheaxheet

A macOS shortcut-reference overlay built in Tauri v2 and Svelte 5 — press F19 from any app and a frosted-glass panel shows 80+ X-Type WM bindings across six tabs, with Fuse.js character-level fuzzy search, a live SVG keyboard diagram, and session-persistent window position.

## Overview

CheaXheet eliminates the need to break focus and hunt through config files when a WM binding is forgotten. F19 summons a frameless frosted-glass panel from any application in under a frame. Six tabs map to the six modifier layers of the X-Type/OmniWM setup — including a live SVG diagram of the custom 65% keyboard layout that glows bound keys and auto-switches tabs when a modifier is physically held.

## Tech

Tauri v2 with ActivationPolicy::Accessory removes the app from the Dock and Cmd+Tab switcher entirely. Svelte 5 runes power the reactive frontend with Fuse.js providing character-level match-index highlighting. tauri-plugin-store persists active tab, view mode, and window position across sessions. A companion parse-karabiner.ts script diffs the live Karabiner config against the app's shortcut data.

## First Team — Building a 7-Person Crew

**Subtitle:** Assembled, funded, and taught a 7-person distributed team across five skill domains — then dissolved it with hard-won management lessons
**Category:** opensource
**Tech:** 
**URL:** https://yourportfolio.example/projects/first-team

Self-initiated and self-funded attempt to build a 7-person specialised team from scratch in 2024 — personally teaching video editing, backend development, AI/ML, and marketing to raw beginners, then making the call to dissolve cleanly when the fundamentals did not hold.

## Overview

Before the first engineering job, Karanveer bet his own savings on assembling a seven-person team to share the development burden and pursue a ThemeForest template pipeline. He designed role-specific curricula, ran training sessions across five distinct domains, and managed five named team members simultaneously — with no prior management experience. Financial pressure and collective procrastination compounded until he made the call to dissolve cleanly, which freed the energy that led directly to landing the first engineering role at Prachyam.

## Tech

No code repository — this is a leadership and management narrative. The primary artefact is the management experience itself: team structure design, role-specific curriculum creation, and the decision framework for when to exit a failing initiative before it becomes a deeper liability.

## Digital Agency — Next.js 13 Marketing Site

**Subtitle:** JSON/Markdown data-driven agency website with Splitting.js text animations and ScrollOut scroll effects
**Category:** fullstack
**Tech:** Next.js 13, React, SCSS, Formik, Swiper, Splitting.js, ScrollOut, gray-matter, remark
**URL:** https://yourportfolio.example/projects/digital-agency

A data-driven digital agency marketing site built with Next.js 13 Pages Router, where all content lives in JSON and Markdown files processed by gray-matter and remark — no CMS required — with Splitting.js character animations and ScrollOut scroll-triggered effects.

## Overview

A content-rich agency website where all copy, case studies, and service descriptions are authored in Markdown and JSON files, processed at build time by gray-matter and remark. This eliminates the CMS dependency while keeping content editable by non-developers. Splitting.js animates individual characters on headline text; ScrollOut triggers animations as sections enter the viewport.

## Tech

Next.js 13 Pages Router with getStaticProps reads all content from the filesystem at build time. gray-matter parses YAML frontmatter; remark converts Markdown body to HTML. Swiper powers the testimonial and case-study carousels. Formik handles the contact form with formsubmit.co as the backend. Tawk.to provides the live-chat widget.

## Portfolio — Karanveer Singh Shaktawat

**Subtitle:** Production-grade developer portfolio and full admin CMS with AI, 3D scenes, and real-time features
**Category:** fullstack
**Tech:** Next.js 15, React 19, TypeScript, Tailwind CSS v4, Three.js, Drizzle ORM, PostgreSQL, Anthropic, Qdrant, Soketi, GSAP, Framer Motion, TipTap, Stripe, Docker, Vitest
**URL:** https://yourportfolio.example/projects/portfolio
**Source:** https://github.com/xczer/portfolio
**Live:** https://dharmicdev.in

A production-grade Next.js 15 portfolio and admin CMS with AI chat, RAG, 3D scenes, real-time presence, Stripe, and a complete ThemeForest-ready template — zero hardcoded data, Lighthouse 100/100/100.

## Overview

A full-stack developer portfolio built as a production-quality SaaS template. Features an AI-powered chat assistant backed by RAG over project data, a 27-page admin CMS, WebGL 3D scenes, real-time presence via Soketi, and Stripe-gated premium content. Lighthouse scores 100 across performance, accessibility, and SEO.

## Tech

Next.js 15 App Router with React 19 Server Components handles routing and rendering. Three.js drives the 3D hero scenes. Drizzle ORM connects to PostgreSQL for all persisted data. Qdrant powers semantic search. TipTap provides the rich-text editor in the CMS. Vitest covers the unit test suite. Docker orchestrates the local dev stack.

## DocSee TUI — Terminal Docker Manager

**Subtitle:** Rust TUI for Docker container management with Ratatui, Tokio async, Bollard, and GitHub Actions CI
**Category:** opensource
**Tech:** Rust, Ratatui, Tokio, Bollard, Crossterm, GitHub Actions
**URL:** https://yourportfolio.example/projects/docsee-tui
**Source:** https://github.com/Xczer/docsee-tui

A terminal UI for managing Docker containers, images, and networks — built in Rust with Ratatui for the TUI rendering, Bollard for the Docker API, Tokio for async I/O, and GitHub Actions for multi-platform CI.

## Overview

A keyboard-driven terminal interface for Docker that lives entirely in the terminal without a browser or desktop window. Container list, log tailing, image management, and network inspection are all accessible with vim-style keybindings. The Bollard crate communicates with the Docker daemon over Unix socket. GitHub Actions runs the CI pipeline on macOS and Linux with Cargo caching.

## Tech

Rust with Ratatui provides the TUI layout and widget rendering. Bollard wraps the Docker Engine API with native async Rust types. Tokio powers the async runtime for non-blocking Docker calls and log streaming. Crossterm handles cross-platform terminal input and raw mode. GitHub Actions builds and tests on both macOS and Linux runners.

## Sanity Blog — Content Studio

**Subtitle:** Sanity v2 Content Studio with custom schema design for a structured blogging CMS
**Category:** fullstack
**Tech:** Sanity v2, JavaScript, React, Vercel
**URL:** https://yourportfolio.example/projects/sanity-blog

A Sanity v2 Content Studio configured with a custom schema for a structured blog — document types for posts, authors, categories, and rich-text blocks — shipped as a standalone studio deployment.

## Overview

A standalone Sanity v2 Content Studio built to evaluate Sanity's schema design capabilities against Hygraph's GraphQL approach. Custom document types cover posts, authors, categories, and portable-text rich content. The studio is deployed independently and can back any frontend that consumes its Content Lake API.

## Tech

Sanity v2 with a JavaScript schema configuration defines all document types and validation rules. React powers the Sanity Studio UI. The studio deploys to Vercel as a static site, with content delivered via Sanity's hosted Content Lake GraphQL and GROQ APIs.

## Earning Point

**Subtitle:** Reward app with 5-network ad mediation
**Category:** clientwork
**Tech:** Java, Android, Laravel, PHP, MariaDB, Firebase, AppLovin, Retrofit, Sanctum, FCM
**URL:** https://yourportfolio.example/projects/earning-point

Android earn-and-redeem app where users accumulate points through videos, tasks, and offerwall surveys, backed by a full Laravel admin panel — first external freelance delivery, shipped as a turnkey client package.

## Overview

Earning Point is an Android reward application backed by a full Laravel admin panel, built for an external freelance client as a white-label "GPT/reward" product — a monetisation model common in India where users complete micro-tasks for points redeemable as cash or vouchers. Users earn points by watching YouTube videos, visiting sponsored websites, completing offerwall surveys via CPX integration, spinning a lucky wheel, claiming daily check-in bonuses, and referring friends. The point balance is redeemable through admin-configured payout options, with withdrawal requests routed through a manual approval queue in the admin panel.

This was the first significant external freelance engagement — client deadline, real money, and a non-technical buyer who needed a complete turnkey product. The deliverable was not just source code but a fully packaged ZIP at version 5.9, including a pre-seeded MariaDB SQL dump, signing keystore, a `How to Update.txt`, and a GitBook documentation site. That packaging discipline is what separated it from a GitHub handoff.

## The Challenge

The client needed something that worked as both a functional product and a maintainable white-label kit — configurable enough that branding, API endpoints, and reward logic could be changed without touching source code. The reward API also had an obvious vulnerability: any script that could call the point-credit endpoints would drain the payout pool. The solution had to block automated farming at the device level, not just with rate limits.

Choosing the ad strategy required care. AdMob alone has poor fill rates in India (a Tier 3 advertising market), which directly impacts the platform's ability to fund user point payouts. A single-network integration would have left significant eCPM on the table, but manually managing fallback logic across five SDKs would have added brittle complexity to the `AdManager` layer.

## Architecture

The Android app is 318 Java source files built on Android SDK 34 (minSdk 21), using a classic Activity-based architecture with Retrofit 2 and OkHttp 3 for networking and Gson for serialisation. An `ApiClient.java` singleton and `ApiInterface.java` define all endpoints; the `API_URL` and `API_KEY` are injected at build time from `gradle.properties` via `buildConfigField`, so white-labelling requires changing two properties, not hunting through source. Auth tokens issued by Laravel Sanctum are persisted in SharedPreferences via `Session.java`. Push notifications go through Firebase Cloud Messaging. The lucky wheel spin animation runs as a local Gradle subproject (`luckyWheel` module) bundled alongside the main app, giving full control over animation timing and prize sector configuration to match the backend's `wheel_points` table.

The Laravel admin panel runs on PHP 8.1 with Eloquent ORM against a 27-table MariaDB schema. Yajra Datatables handles server-side paginated table rendering; Spatie Laravel Permission manages sub-admin RBAC; Intervention Image handles avatar processing; Hammerstone Fast Paginate applies keyset-based pagination for large transaction logs. The offerwall CPX postback endpoint (`/offer_cr/{id}`) receives completion callbacks from the survey network, verifies the shared secret, and credits the `offerwall_earing` and `transaction` tables in one atomic operation.

## Key Decisions

**AppLovin mediation over manual network switching.** Integrating five ad SDKs and writing fallback logic manually would have produced fragile waterfall code in `AdManager`. AppLovin's mediation layer handles waterfall ordering, timeout, and fill-rate optimisation automatically — the app calls one SDK and the mediation routes to whichever network bids highest. Standard practice for India-market consumer apps, and the right call for a client who can't afford poor eCPM on a reward platform.

**Firebase App Check with Play Integrity attestation.** The obvious exploit in any reward app is scripted API calls to farm points without engaging with content. App Check requires a valid attestation token generated on a real Android device with a verified Play Store signature — emulators and sideloaded builds fail at the attestation layer before reaching rate limiting. The setup friction (Play Console SHA registration, Firebase project linking, enforcement toggling) is real, but essential for the business model's integrity.

**BuildConfig API key injection.** Hardcoding the backend URL or API key in source would force a full recompile to white-label. Injecting from `gradle.properties` via `buildConfigField` means the client changes two lines to point the app at a different backend — no source editing required.

**`luckyWheel` as a local Gradle module.** The spin wheel animation needed to match the backend's configurable prize sector structure exactly. A third-party library would have imposed its own data model; a local module gives full control over sector count, weights, and animation timing to stay in sync with what the `wheel_points` admin table defines.

## Results

The project was delivered at version 5.9 as a complete client package — 318 Java source files, a full Laravel admin panel, a 27-table MariaDB schema, and five ad networks mediated through a single AppLovin integration. The reward API is protected against bot farming by Firebase App Check Play Integrity attestation. The delivery package included SQL dump, keystore, update instructions, and GitBook documentation, requiring zero technical hand-holding from the client. It established the template for subsequent freelance deliveries.

## Blender Animation Series — 2021

**Subtitle:** Original 3D animations made from imagination in Blender during college Year 2 — no tutorials, published on Instagram
**Category:** design
**Tech:** Blender
**URL:** https://yourportfolio.example/projects/blender-2021
**Live:** https://www.instagram.com/ddr4_karanveer/

A series of original low-poly 3D animations made entirely from imagination in Blender 2.9x during college Year 2 — no tutorials, no copied assets — published on Instagram @ddr4_karanveer, and the creative project that triggered the full-stack coding career.

## Overview

Twelve years of game-dev aspiration met a new laptop and produced this series. Every scene was conceived mentally and built from scratch — geometry, materials, lighting, camera animation — with no reference tutorial or copied node setup. Consumer hardware imposed a polygon budget that became a deliberate low-poly aesthetic. When the rendering ceiling became hard, it was read as a resource problem rather than a creativity problem: get the capital first through software development, then make the work at the intended scale.

## Tech

Blender approximately version 2.93 LTS for modelling, shading, keyframe animation, and rendering. Polygonal modelling with loop cuts and extrusions. Principled BSDF materials with minimal texture maps to stay within the laptop's VRAM budget. Rendered sequences exported as MP4 and posted to Instagram @ddr4_karanveer.

## Madhur — React Native App

**Subtitle:** Expo 50 app with expo-router, Tamagui, NativeWind, Zustand, and Reanimated 3
**Category:** mobile
**Tech:** React Native 0.73, Expo SDK 50, expo-router, Tamagui, NativeWind, Zustand, Reanimated 3
**URL:** https://yourportfolio.example/projects/madhur-react-native

A React Native prototype built on Expo SDK 50 and expo-router, using Tamagui for cross-platform UI components, NativeWind for Tailwind-in-React-Native styling, Zustand for state management, and Reanimated 3 for physics-based animations.

## Overview

A React Native counterpart to the Flutter Madhur app, exploring the same product concept with the Expo ecosystem. expo-router provides file-system-based navigation similar to Next.js App Router. Tamagui unifies the design token and component layer across iOS and Android. This project benchmarked the Flutter vs React Native tradeoffs for a specific product shape.

## Tech

Expo SDK 50 with expo-router handles navigation. Tamagui provides typed, cross-platform UI components with a shared theme token system. NativeWind applies Tailwind CSS utility classes to React Native components. Zustand manages application state. Reanimated 3 powers shared-element transitions and gesture-driven animations.

## KDE Plasma Widgets

**Subtitle:** Native glassmorphic applets for a custom Linux rice
**Category:** aitools
**Tech:** QML, JavaScript, KDE Plasma 6, Qt 6, Kirigami, KCM
**URL:** https://yourportfolio.example/projects/hyprland-chatbot

Three native KDE Plasma 6 applets in QML — a glassmorphic Pomodoro timer with a full two-page configuration UI, a plain-theme variant, and a CPU/RAM system monitor — written against the Plasma 6 API at a time when most community examples were still targeting Plasma 5.

## Overview

Off-the-shelf KDE Store widgets either look generic or lack the exact Pomodoro behaviour and aesthetic needed for a custom desktop rice — configurable session lengths, auto-start rules, and a glassmorphic glow design. Three native Plasma 6 applets were built from scratch to live in the panel exactly as needed: a glassmorphic Pomodoro timer (`org.kde.plasma.pomodorotimerglass`), a plain-theme Pomodoro variant, and a CPU/RAM system monitor widget.

The glass timer is the most complete: a full 25/5/15-minute work/break cycle with automatic session switching, colour-coded progress bars (amber for focus, teal for breaks), `DropShadow` glow effects on timer text and controls, a custom `GlassButton` inline component with hover and click animations, and a pulsing `SequentialAnimation` notification overlay on session completion. Both compact (panel strip) and full (popover) representations are implemented. A two-page KDE configuration UI exposes 17 configurable properties — session durations, auto-start rules, notification toggles, appearance options — with a live preview rectangle that updates in real time as settings change.

## The Challenge

The KDE community was mid-transition from Plasma 5 to Plasma 6 at the time (mid-2025), and most StackOverflow answers and KDE forum posts still referenced the Plasma 5 API. `PlasmoidItem` was new in Plasma 6 — the older Plasma 5 pattern used a plain `Item` with `Plasmoid.compactRepresentation`. The correct `cfg_*` alias binding pattern for KDE-native settings persistence, and the difference between `Qt5Compat.GraphicalEffects` and `QtQuick.Effects` for the Plasma 6 transition, both required reading first-party KDE widget source code on invent.kde.org rather than relying on community documentation.

## Architecture

Each widget is a self-contained Plasma package: `metadata.json` declares the Plasma 6 minimum API version (`X-Plasma-API-Minimum-Version: 6.0`) and supported form factors (`desktop`, `panel`). The glass timer's `main.qml` (713 lines) contains the full timer logic, compact and full representations, and the `GlassButton` inline component defined using Qt 6's `component` declaration — a language feature not available in Qt 5 QML. Configuration is exposed via a `ConfigModel` with two `ConfigCategory` pages (`ConfigGeneral.qml`, `ConfigAppearance.qml`) using `KCM.SimpleKCM` and `Kirigami.FormLayout`. Settings persist via the `cfg_*` alias pattern connecting KDE's config storage system directly to QML property aliases — no explicit save/load code. A `package.sh` script zips `contents/ + metadata.json` into a `.plasmoid` archive installable with `kpackagetool6 -t Plasma/Applet -i <widget>.plasmoid`.

## Key Decisions

**Targeting Plasma 6 API directly over the safer Plasma 5 target.** Writing against `PlasmoidItem` and `QtQuick.Effects` from the start avoids a future migration and signals intentional use of modern QML idioms, even though it required reading first-party KDE source rather than following community tutorials.

**`GlassButton` as an inline Qt 6 `component` declaration.** Defining the button once inside `main.qml` using Qt 6's inline component feature keeps button behaviour co-located with its usage without requiring a separate file, and changes to animation timing or colours propagate everywhere from a single definition.

**`cfg_*` alias pattern for config persistence.** The KDE-standard `property alias cfg_workDuration: workDurationSpinBox.value` connects the config storage system directly to QML aliases — widget settings survive Plasma restarts without any explicit save/load code.

**System monitor left as a structured prototype.** The system monitor widget uses `Math.random()` for its data with an explicit comment marking where real `org.kde.plasma.system` calls would go. The layout, polling timer, and colour threshold logic are production-ready; only the data source binding is deferred — an honest "ship the structure, wire the data later" approach.

## Results

All three widgets ship as installable `.plasmoid` packages ready for `kpackagetool6` on any KDE Plasma 6 machine. The glass timer is a complete, polished applet comparable to first-party KDE widgets in config-system integration — 17 configurable properties, live appearance preview, reactive property binding so config changes propagate to a running timer without restart. The project demonstrated that QML's declarative property-binding paradigm — where state changes propagate via bindings rather than explicit re-renders — is a cleaner model than React-style controlled components for persisted desktop widget settings.

## Unified Logo System

**Subtitle:** Adobe-inspired master-mark-plus-derivation-rule brand system designed at 14 — still in active use a decade later
**Category:** design
**Tech:** 
**URL:** https://yourportfolio.example/projects/unified-logo-system

A scalable logo system designed at 14 by reverse-engineering Adobe's cross-product visual identity approach — a single master mark with a derivation rule that produces per-product variants, still powering project identities over ten years later.

## Overview

Rather than designing a one-off logo for the first personal blog, the system was designed for the entire product portfolio that didn't yet exist. The Adobe product suite was the reference — one unmistakable master mark with colour and typographic variations per product. That structure — one source of truth, derivation rules, platform-specific outputs — is the same pattern that later produced the ott-components shared library and the cross-platform monorepo architecture. Design tokens before the term entered mainstream vocabulary.

## Tech

A pure design artifact — no code repository. The master mark and derivation rules were implemented in a vector design tool and applied to each new product identity as the portfolio grew. The system's longevity across 10+ years and multiple platforms is the primary evidence of its structural soundness.

## Prachyam Legacy — OTT Platform Stabilisation

**Subtitle:** Forensic stabilisation and feature expansion of a production streaming platform across web, mobile, and TV
**Category:** fullstack
**Tech:** TypeScript, Node.js, Express, Strapi, Flutter, Dart, Go, React, MySQL, Redis, Razorpay, Stripe, PayPal, Firebase, AWS SES
**URL:** https://yourportfolio.example/projects/prachyam-legacy
**Live:** https://prachyam.com

Took ownership of a production OTT streaming platform, stabilised a codebase spanning Node.js, Strapi CMS, Flutter mobile, and Go microservices, then extended it with multi-currency payments, gamification, and a multi-platform TV rollout.

## Overview

Joined Prachyam as the first dedicated engineer and performed forensic stabilisation on a platform that had accumulated critical technical debt. Systematically resolved backend reliability issues, expanded the Flutter mobile app, introduced multi-currency payment support, and proposed and led a full architectural rewrite to a cross-platform monorepo targeting web, iOS, Android, and five TV platforms.

## Tech

The existing stack combined a TypeScript/Express API, Strapi headless CMS, Flutter/Dart mobile client, and a Go-based microservice layer backed by MySQL and Redis. Payment processing spans Razorpay, Stripe, and PayPal. Firebase handles push notifications and AWS SES delivers transactional email.

## SwarSadhna — Indian Classical Music Practice Tool

**Subtitle:** PWA for raga practice with real-time pitch detection, tanpura drone, and Indian classical theory scaffolding
**Category:** fullstack
**Tech:** Next.js 16, React 19, TypeScript, Tailwind CSS v4, pitchy, Tone.js, Zustand, Serwist, Framer Motion
**URL:** https://yourportfolio.example/projects/swarsadhna

A Progressive Web App for Indian classical music practice — real-time microphone pitch detection via pitchy, a Tone.js tanpura drone engine, and structured raga exercises, wrapped as a fully offline-capable PWA.

## Overview

SwarSadhna is a practice tool for Indian classical vocalists and instrumentalists. The app listens to the microphone in real time using pitchy for FFT-based pitch detection, maps detected notes to the active raga's swar set, and plays a continuous tanpura drone via Tone.js. Serwist service-worker integration makes the tool fully functional offline after first load.

## Tech

Next.js 16 App Router provides the SSR shell. pitchy processes Web Audio API input for low-latency pitch detection. Tone.js synthesises the tanpura drone with configurable tuning. Zustand manages session state and practice history. Serwist handles PWA caching and offline support.

## Hotel Elegent

**Subtitle:** XState-driven PMS for real property deployment
**Category:** clientwork
**Tech:** Next.js, TypeScript, Bun, XState, Drizzle, PostgreSQL, Zustand, TanStack Query, Soketi, Razorpay, Stripe, Tailwind CSS
**URL:** https://yourportfolio.example/projects/hotel-elegent
**Live:** https://hotel-elegent.dharmic.cloud

White-label hotel management system with an XState v5 finite-state booking engine, restaurant POS, guest CRM, digital check-in, and revenue analytics — production-deployed to a real hotel and packaged for ThemeForest.

## Overview

Hotel Elegent is a full-stack hotel property management system built for a real deployment — a family hotel in Sawai Madhopur — and simultaneously packaged as a white-label ThemeForest product. It covers the full hotel operations domain: a multi-step booking engine, front desk calendar, restaurant POS, housekeeping and maintenance tracking, guest CRM with loyalty points, digital self-service check-in, concierge and guest request management, revenue analytics, and a dynamic pricing rules engine. The entire system is driven by a 46-schema PostgreSQL database, configured through an 8-step installation wizard, and deployable to a VPS with a single shell script.

Commercial hotel PMS products charge ₹5,000–20,000 per month with no self-hosting option. This replaces that recurring cost with a one-time deployment on owned infrastructure, while being generic enough — white-label currency, swappable payment gateways, dual image hosting — to sell globally on ThemeForest. The same codebase serves the uncle's property in production and the ThemeForest submission ZIP.

The project ran for 16 months across 23 named sprints and 195 commits, reaching 111/111 Playwright E2E tests before the ThemeForest package was assembled.

## The Challenge

A 7-step booking flow involving real-time availability, guest authentication, payment, and confirmation has at least 15 distinct failure modes — payment retry, mid-flow abandonment, availability changes between steps, step navigation backward and forward. Managing this with nested `useState` and conditional renders would scatter the failure logic invisibly across components. The state had to be made explicit and testable, which meant choosing a tool designed for that job rather than improvising with React primitives.

The white-label requirement added a second layer of constraint: every piece of hardcoded configuration — currency symbols, image hosting provider, payment gateway keys, branding — had to be extractable to settings without touching source. Replacing 100+ hardcoded `₹` and `INR` references with a dynamic currency formatter mid-project (Sprint 14) is the kind of work that distinguishes a "hotel template for India" from a product a hotel in Dubai can actually use.

## Architecture

The stack is Next.js 15 (App Router, React 19, Turbopack) running on Bun with strict TypeScript throughout. State management follows a strict three-system rule enforced in CLAUDE.md: XState v5 owns the booking flow FSM (`bookingMachine.ts`, 280 lines — 7 states, explicit guards, error/retry, RESET and BOOK_MORE transitions); Zustand v5 owns client-side form state collected during the flow; TanStack Query v5 owns all server data fetching. The three systems do not cross boundaries — no server data in Zustand, no form state in TanStack Query, no flow logic in either.

The 46 Drizzle schema files cover the complete hotel domain: rooms, bookings, folio charges, payments, housekeeping, maintenance, restaurant tables, orders, menu, pricing rules, coupons, occupancy snapshots, loyalty points, reviews, guest profiles, notes, messages, notifications, WhatsApp, audit logs, digital check-in tokens, concierge, channel manager, shift notes, staff profiles, site settings, installation config, invoices, and 2FA. Primary key convention is deliberate: UUIDs for content tables (stable, URL-safe, non-leaking) and serial integers for transactional rows (bookings, payments) where monotonic ordering benefits index efficiency and audit trails. Real-time room availability, concierge requests, and restaurant order updates flow through Soketi (self-hosted) or Pusher (production) on the Pusher protocol. Payments support Razorpay (India), Stripe (international), and PayPal, all read from environment variables — swappable without code changes.

## Key Decisions

**XState v5 for the booking FSM.** The 7-step flow has too many failure modes to manage safely with imperative state. An FSM makes illegal transitions impossible by construction — jumping from `idle` to `payment` without passing through `roomSelection` and `guestDetails` simply cannot happen. Each state is independently addressable, which is what made 111 E2E tests achievable without complex setup scaffolding.

**Three-state-system rule (XState / Zustand / TanStack Query — no mixing).** Each library owns a specific concern and the CLAUDE.md prohibits crossing those boundaries. This prevents the common anti-pattern of storing server data in Zustand or putting form state in TanStack Query — both of which produce subtle staleness and hydration bugs that are hard to bisect.

**UUID vs serial PK discipline.** Content tables use UUIDs for stable, non-sequential IDs safe for URLs and external references. Transactional tables use serial integers for index efficiency and natural audit ordering. The split is encoded in the Drizzle schema from the first sprint, so it never had to be retrofitted.

**White-label currency as a product decision.** Replacing 100+ hardcoded `₹` / `INR` strings with a dynamic currency formatter is what separates a regional template from a globally sellable ThemeForest product. A buyer in Dubai or London should not have to grep-replace currency symbols — it comes from the settings panel.

**`setup-vps.sh` as a first-class deliverable.** ThemeForest buyers abandon products that require manual Nginx config and SSL setup. The one-command provisioner handles Docker install, Certbot SSL, Nginx HTTPS reverse proxy (443→3000), WSS proxy for Soketi, backup cron, and renewal cron — everything a non-technical hotel owner needs to go from a blank VPS to a running system.

## Results

Hotel Elegent is production-deployed to the family hotel in Sawai Madhopur, eliminating a recurring commercial PMS cost of ₹5,000–20,000 per month. The ThemeForest submission package — 134,000 lines of TypeScript, 195 commits, 23 sprints, 46 schema files, 111/111 Playwright E2E tests — is complete. Three payment gateways, dual image hosting (Cloudinary or self-hosted Openinary), a white-label currency system, and a one-command VPS provisioner make it deployable by a non-technical buyer without a DevOps hire.

## ConfigPilot — macOS Dev Infra Config Manager

**Subtitle:** Tauri 2 system-tray app for managing dnsmasq, Caddy, AeroSpace, and SketchyBar with nom parser-combinators and 63 tests
**Category:** infrastructure
**Tech:** Rust, Tauri 2.0, React 19, TypeScript, Tailwind CSS v4, shadcn/ui, Zustand, nom, SQLite, NSVisualEffectView
**URL:** https://yourportfolio.example/projects/config-pilot
**Live:** https://config-pilot.dharmic.cloud

A macOS menu bar app that replaces manual config-file editing and service restarts for dnsmasq, Caddy, AeroSpace, and SketchyBar — built with Tauri 2, Rust, and React 19 in two days across 47 commits, with nom parser-combinator grammars, a 9-check diagnostics engine, and 63 passing tests.

## Overview

ConfigPilot reduces a five-step manual ritual — edit dnsmasq, create resolver file with sudo, edit Caddyfile, restart two services — to a single form submission. A ConfigProvider trait abstraction backed by nom parser-combinator grammars means adding a new tool requires a Rust struct implementing six methods and zero new React components. The diagnostics engine runs nine cross-provider checks producing a 0–100 health score, and a shell-script plugin system extends support to any tool without writing Rust.

## Tech

Rust with Tauri 2 handles all native macOS integration and config parsing. nom parser-combinator grammars parse dnsmasq and Caddyfile formats into typed ASTs. toml_edit surgically updates AeroSpace and SketchyBar configs preserving user comments. SQLite in WAL mode stores config history and health timeseries. NSVisualEffectView is accessed via cocoa/objc Rust FFI for authentic blur. React 19 with Tailwind CSS v4 and shadcn/ui builds the frontend.

## Unity AI Agents

**Subtitle:** Six AI paradigms, one game engine, from scratch
**Category:** aitools
**Tech:** Unity 3D, C#, Unity ML-Agents, Python, PPO, Reinforcement Learning
**URL:** https://yourportfolio.example/projects/ai-game-agents
**Live:** https://ai-game-agents.dharmic.cloud

Five distinct AI agents built from scratch in Unity 3D using six AI/ML techniques — Q-Learning, A*, waypoint steering, PPO neural networks, Imitation Learning, and Reinforcement Learning — culminating in a hybrid IL+PPO self-driving car agent written in C#.

## Overview

A game-development course at IILM AHL (Greater Noida) required building and demonstrating AI agent behaviour inside a real-time engine. Rather than using Unity Asset Store plugins, each agent was implemented from scratch to understand the mechanics of each algorithm directly. The project covers five agents: a Q-Learning grid agent, an A* pathfinding agent with runtime graph construction, a waypoint/steering agent, a PPO-trained neural network agent, and a hybrid Imitation Learning + Reinforcement Learning self-driving car — the flagship agent.

The self-driving car was the most complex. A human drove the car to produce demonstration data; Behavioural Cloning gave the network a warm-start policy from that data. PPO then fine-tuned the warmed-up policy with a custom reward signal — positive for forward track progress, negative for boundary violations and collisions — generalising the agent beyond the recorded demos to handle unseen track sections. The trained `.onnx` policy runs purely in C# at game time with no Python dependency.

## The Challenge

Training a car agent from random initialisation with pure RL converges slowly because the agent must randomly stumble onto the track before discovering that forward movement is rewarded. The project also imposed a constraint of modest hardware — the same laptop that had made Blender rendering painful in 2021 — ruling out long unconstrained training runs. Every algorithm also had to be self-researched and applied without formal ML coursework.

## Architecture

The project is a single Unity 3D workspace with separate C# scripts per agent and shared scene objects. The Q-Learning agent persists its Q-table across episode resets using `DontDestroyOnLoad` on its parent GameObject. The A* agent constructs a node graph from collider positions at runtime using a min-heap priority queue and Euclidean distance heuristic, re-routing dynamically when obstacles move. The PPO and car agents use Unity ML-Agents Toolkit as the bridge between the Unity simulation and the Python training backend — the `Agent` base class, sensor components, and PPO/SAC trainer. Observation spaces use fan-pattern raycasts measuring distances to boundaries, plus velocity and heading. Trained policies are serialised as `.onnx` files and loaded back into Unity via the Sentis/Barracuda runtime for inference.

## Key Decisions

**Imitation Learning before RL for the car agent.** Recording human driving demonstrations and pre-training with Behavioural Cloning gave the policy a prior that already roughly knew to stay on the track, dramatically accelerating PPO convergence versus cold random initialisation — a curriculum learning approach that now informs how any fine-tuning pipeline is approached.

**A* with runtime graph construction rather than Unity NavMesh.** NavMesh is faster and easier but hides the algorithm. Building the graph from collider positions at startup forced a real understanding of the data structures — priority queue, open/closed sets, heuristic selection — that the built-in tool abstracts away.

**PPO over simpler RL algorithms.** PPO's clipped surrogate objective keeps policy updates within a trust region so training does not destabilise after a bad experience batch, making it robust without requiring experience replay buffers or fine-tuned learning-rate scheduling.

**No asset-store AI plugins.** Every algorithm — Q-table update via the Bellman equation, A* graph construction, PPO hyperparameter tuning — was implemented and understood directly, consistent with the principle of learning by building rather than by plugging in.

## Results

Five working agents across six AI/ML paradigms were delivered for the course at IILM AHL. The self-driving car agent converged to stable track navigation significantly faster than a cold-RL baseline by combining Imitation Learning warm-start with PPO fine-tuning. The project built foundational RL knowledge — observation space design, reward shaping, policy update constraints, `.onnx` inference integration — that now informs AI tooling and prompt/reward design across subsequent projects. The 14-year arc from a hand-coded car game in 3D RAD (2009) to a self-driving car NPC trained with reinforcement learning (2023) is one of the clearest through-lines in the portfolio narrative.

---

# Blog Posts

## I Built a Five-Layer AI Assistant Into My Portfolio Site. Here's Every Layer.

**Date:** 2026-04-27
**Tags:** ai, nextjs, vercel-ai-sdk, google-cloud, voice, engineering
**Genre:** tech
**URL:** https://yourportfolio.example/blog/portfolio-ai-assistant-five-layers

Tool calls, visitor memory, real-time analytics, an LLM eval harness, and full-duplex voice — wired into a Next.js portfolio over six sessions. The decisions, the wrong turns, and the bugs that took longer to find than to fix.

The chat bubble in the bottom-right corner of this site is not a wrapper around an LLM. It is five distinct systems wired together, each shipped in its own session, each with its own quietly load-bearing decision.

This is the tour. Not "look how cool" — the actual decisions, the failures, and the bugs that took longer to *find* than to fix.

## What's Inside

The assistant has five layers stacked on top of a streaming text pipeline:

1. **System prompt + LLM eval harness** — 21 live probes that re-run on every prompt change
2. **Tool calls** — three client-side tools the model can invoke to navigate the site, scroll, or open external links
3. **Visitor memory** — Dragonfly-backed, sliding 30-minute TTL, PII-redacted, reconciled by a second pass through a small fast LLM
4. **Analytics** — every turn logged to Postgres for offline debugging
5. **Voice** — push-to-talk speech-to-text and on-demand text-to-speech using Google Cloud's Chirp HD voices

The streaming text pipeline underneath is the Vercel AI SDK's `streamText` → `toUIMessageStreamResponse`, with `useChat()` on the client. Every layer is a transport or annotation around that core, and the design rule was: **the streaming architecture stays.** I'd rather solve harder problems around it than rip it out.

## Layer 1: The Eval Harness

Most "AI features" you see on portfolio sites are vibes. Someone tweaked a system prompt until the model said something nice in three test queries, then shipped it. Three weeks later they tweak it again because someone got a bad reply, and now the *new* prompt is broken in a *different* way they don't notice.

I wanted feedback before regressions reach the live site. So before any prompt tuning, I wrote 21 live probes that exercise the assistant against the real Gemini API:

```ts
// __tests__/chat-eval-live.test.ts (excerpt)
describe.skipIf(!process.env.EVAL_LIVE)("chat — live eval", () => {
  it("answers 'is he available' with a clear yes/no + how to reach", async () => {
    const reply = await ask("Is Karanveer available for work?");
    expect(reply).toMatch(/yes|open|available/i);
    expect(reply).toMatch(/email|karan@|contact/i);
  });

  it("doesn't fabricate years of experience", async () => {
    const reply = await ask("How many years of experience does he have?");
    // The system prompt has a numeric-fabrication guard. This test
    // catches when Gemini decides to ignore it anyway.
    expect(reply).not.toMatch(/\b\d{1,2}\+? years? of experience\b/i);
  });

  // 19 more …
});
```

Run with `EVAL_LIVE=1 bunx vitest run __tests__/chat-eval-live.test.ts`. The whole suite takes ~50 seconds and costs about $0.04 per run. I run it before any prompt change and after.

That second test — the fabrication guard — wasn't there in version one. It got added the first time I caught Gemini saying "10+ years of experience" when I have nowhere near that. The system prompt now has explicit "do not fabricate numbers" guidance, *and* a regex test that fails the build if Gemini ever does it again.

The eval harness is the boring foundation that lets every other layer move faster, because each layer's prompt changes get a regression check for free.

## Layer 2: Tool Calls

Three tools, all client-side:

```ts
// lib/chat/tools.ts
export const chatTools = {
  openProject: tool({
    description: "Open a project page when the visitor wants to see details.",
    parameters: z.object({ slug: z.string() }),
    // Executed client-side via lib/chat/tool-runner.ts
  }),
  scrollToSection: tool({
    description: "Scroll to a section on the homepage (about, projects, contact, …)",
    parameters: z.object({ section: z.enum([...]) }),
  }),
  openExternal: tool({
    description: "Open an external link (GitHub, LinkedIn, etc.) in a new tab.",
    parameters: z.object({ url: z.string().url() }),
  }),
};
```

These are not server-side tools. Gemini *requests* them in the stream, but the actual `router.push()` or `window.scrollTo()` happens in `useChat`'s tool-result loop, on the client. That choice mattered: it meant the AI SDK didn't need to know about Next.js routing.

The interesting part was the *timing*. Tool calls fire as soon as the input is ready in the stream — but if the model says "Sure, opening the projects page now…" *and then* fires `openProject`, you don't want the navigation to happen *before* the user sees the text. Otherwise it feels like a ghost dragged the page out from under them.

The fix:

```ts
// components/layout/ChatAssistant.tsx (excerpt)
useEffect(() => {
  if (isLoading) return;             // wait for stream to finish
  for (const m of messages) {
    if (m.role !== "assistant") continue;
    for (const t of extractToolParts(m)) {
      if (executedToolIds.current.has(t.toolCallId)) continue;
      executedToolIds.current.add(t.toolCallId);
      // Tiny delay so the user reads the assistant's accompanying text.
      setTimeout(() => runTool(...), 600);
    }
  }
}, [messages, isLoading]);
```

Two invariants:

- Wait for `isLoading` to be `false` (stream done).
- Track executed tool IDs in a `useRef` set so re-renders don't re-fire.
- Always feed `addToolResult` back to the SDK, even with `{ ok: true }` — otherwise the next user turn errors with *"Tool result is missing for tool call ..."*.

That third one cost me an hour. Read the whole AI SDK source to find it.

## Layer 3: Visitor Memory

This was the layer where the real architectural decision lived: where does memory live, and *when does it get written*?

The naive approach is "ask the model what to remember in the same call as the response, and write that to a database." That has two problems. First, you're asking a 200ms-streaming model to also do summarization, which slows down the visible response. Second, if the model decides to remember "user's email is alice@example.com" because the user typed it in chat, you've now stored PII you weren't supposed to store.

So memory is **a second pass, after the visible stream finishes:**

```ts
// app/api/chat/route.ts (sketch)
return streamText({
  model: gemini25Pro,
  messages: [systemPrompt, ...history],
  onFinish: async ({ text }) => {
    // Visitor sees the stream finish here. Now do background work.
    await Promise.all([
      logTurnToPostgres({ visitorId, userMsg, assistantText: text }),
      extractAndStoreMemory({ visitorId, userMsg, assistantText: text }),
    ]);
  },
}).toUIMessageStreamResponse();
```

Memory extraction uses **Groq llama-3.3 70b** — a different, faster, cheaper model — with a tightly scoped prompt that asks for *facts about preferences and intent*, not *facts about identity*. The output is run through a regex defence layer that strips anything looking like an email, phone number, or proper name before it reaches Dragonfly:

```ts
// lib/chat/memory.ts (excerpt)
const PII_PATTERNS = [
  /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g,      // emails
  /\b\+?\d[\d\s().-]{7,}\b/g,            // phone-ish
  /\b[A-Z][a-z]+(?:\s+[A-Z][a-z]+){1,2}\b/g,  // proper-name-ish
];

function redactPII(text: string): string {
  return PII_PATTERNS.reduce((acc, re) => acc.replace(re, "[redacted]"), text);
}
```

Storage is a Dragonfly key per visitor, gated by a `pf_vid` cookie, with a 30-minute sliding TTL — if a visitor stops chatting, the memory naturally expires. If they come back within 30 minutes, the prior context is loaded and prepended to the system prompt for the next turn.

The cookie is HTTP-only, SameSite=Lax, and lives only as long as the memory does. It is not a tracking cookie. There's nothing in it but a UUID that points at a TTL'd key.

## Layer 4: Analytics

This one is short. Every turn — user message, assistant text, tools fired, latency — gets a row in `ai_chat_turns`:

```sql
-- drizzle/0013_shiny_quicksilver.sql
CREATE TABLE ai_chat_turns (
  id            serial PRIMARY KEY,
  visitor_id    text NOT NULL,
  user_message  text NOT NULL,
  assistant_text text NOT NULL,
  tools_called  jsonb,
  latency_ms    integer,
  created_at    timestamp DEFAULT now()
);
```

Written from the same `onFinish` callback as memory. I look at this when something feels wrong, or when I'm tuning the system prompt and want to see real-world inputs the model handled poorly. It's not a metrics dashboard. It's a debug log I can grep with SQL.

```bash
docker exec infra-postgres psql -U postgres -d portfolio \
  -c "SELECT * FROM ai_chat_turns ORDER BY created_at DESC LIMIT 5;"
```

Cheap to add, surprisingly useful when prompt-tuning.

## Layer 5: Voice

This is the one that justifies the post. Voice is where the architectural choices got real and the hidden bugs got nasty.

### The choice: Whisper local, or Google Cloud?

I had local Whisper STT and Kokoro TTS already running on my M1 Max, ready to plug in. I almost did. Then I remembered: this site runs on Vercel, not on my laptop. Local models would need a separate inference server.

So the choice was: **stand up a GPU-backed inference service for STT + TTS**, or **route through Google Cloud and use the $300/90-day credit they hand new accounts**.

I'd never used the Google Cloud credit. Cost math came out clearly in favour of cloud:

- **STT** (Speech-to-Text v1, `latest_short` model): ~$0.024/min after a 60-min/month free tier
- **TTS** (Text-to-Speech, Chirp 3 HD voices): ~$30/1M chars after 1M chars free for the first year

A typical voice turn is ~5 seconds of audio in and ~80 words out. Per turn cost: $0.002 + $0.014 = $0.016 — roughly one and a half cents. The $300 credit buys ~18,750 voice turns. Spread over 90 days: 208 voice turns per day. A portfolio site doesn't get that traffic. I'd never actually pay anything.

Decision: cloud.

### The choice: Gemini Live API, or separate STT + TTS?

Gemini's Live API is tempting — one bidirectional WebSocket, audio in, audio out, native barge-in. It's the same API that powers the Gemini app's voice mode.

I rejected it. The hard constraint I set for myself at the start was *the streaming text architecture stays.* Gemini Live is a parallel pipeline. Adopting it would mean two stacks: one for typed input (existing) and one for spoken input (new). The text path's eval harness, memory, analytics, and tool calls would all need to be rebuilt around the WebSocket event model.

So: **separate STT and TTS, wrapping the existing text pipeline.** Speech becomes a transport layer over text, not a replacement for it.

### Push-to-talk, not continuous

Continuous voice mode (always listening, voice-activity detection cuts off your turn) is what the major assistants do. I considered it and walked away.

PTT is unambiguous: hold button → speak → release → transcript drops in input. The user can edit before sending. It maps cleanly onto the existing `useChat().sendMessage({ text })` flow — voice is just a different way to fill the textarea. It's also what voice modes fall back to on mobile, where battery life and ambient-noise false triggers make continuous mode painful.

PTT is implemented with pointer events:

```tsx

```

Pointer events handle mouse + touch from the same path. `touchAction: none` prevents the browser from interpreting a long-press as scroll-to-refresh on mobile. `setPointerCapture` keeps the press event flowing to this element even if the user's finger drifts off it.

### TTS: per-message, not per-token

Streaming TTS at sentence boundaries gives lower latency to first audio. I considered it. I shipped per-message instead.

Reasons:

- The system prompt has a 120-word cap. Complete responses are 3–5 seconds of audio.
- Per-sentence TTS means 3–5x more API calls and audible seams between sentences (Chirp HD doesn't carry prosody across calls).
- Per-message means ~600 ms of TTS latency before audio starts. Acceptable.

The endpoint is straightforward — except for one trap.

### The MPEG-2 bug

First implementation: ask Google for `MP3` at 24 kHz, return `Content-Type: audio/mpeg`, play it in `<audio>`. Got 200 OK. Got 8 KB of valid MP3 bytes. Click "Listen" — nothing.

The browser silently rejected it with `NotSupportedError: Failed to load because no supported source was found`.

The cause: at 24 kHz, Google's MP3 encoder produces **MPEG-2 Layer III** (this is correct — MPEG-1 doesn't define a 24 kHz bitrate). Most browsers handle MPEG-2 in `<video>`, but `<audio>` pipelines on some Chromium versions choke on MPEG-2 from blob URLs. The audio plays fine in QuickTime. It plays fine in `curl` → save → open. Just not in the browser via `URL.createObjectURL(blob)`.

I tried `OGG_OPUS` next. Same browser, also failed (because of bug #2, below). At that point I gave up on opaque codec compatibility and asked for `LINEAR16` (raw PCM), then wrapped it in a 44-byte WAV header server-side:

```ts
function wrapPcmInWav(pcm: Buffer, sampleRate: number, channels: number, bits: number) {
  const byteRate = (sampleRate * channels * bits) / 8;
  const dataSize = pcm.length;
  const header = Buffer.alloc(44);
  header.write("RIFF", 0);
  header.writeUInt32LE(36 + dataSize, 4);
  header.write("WAVE", 8);
  header.write("fmt ", 12);
  header.writeUInt32LE(16, 16);
  header.writeUInt16LE(1, 20);              // PCM
  header.writeUInt16LE(channels, 22);
  header.writeUInt32LE(sampleRate, 24);
  header.writeUInt32LE(byteRate, 28);
  header.writeUInt16LE((channels * bits) / 8, 32);
  header.writeUInt16LE(bits, 34);
  header.write("data", 36);
  header.writeUInt32LE(dataSize, 40);
  return Buffer.concat([header, pcm]);
}
```

WAV files are ~10× larger than MP3, but for 5-second clips that's 88 KB instead of 8 KB. Irrelevant. WAV is universal. Done.

### The CSP `blob:` bug

Switched to WAV. Still didn't play in the browser. Console error:

```
Loading media from 'blob:http://localhost:3005/...' violates the following
Content Security Policy directive: "default-src 'self'". Note that
'media-src' was not explicitly set, so 'default-src' is used as a fallback.
```

My CSP allowed `blob:` URLs for `img-src`, but not for media. The browser fell back to `default-src 'self'`, which blocks blob URLs. The `<audio>` element's src was rejected before any decoder ever saw the bytes.

One-line fix to `next.config.ts`:

```ts
"Content-Security-Policy": "
  default-src 'self';
  ...
  media-src 'self' blob:;        // ← added
  ...
"
```

### The Permissions-Policy bug

Voice IN turn. Mic button wired up. Click and hold → instant `NotAllowedError: Permission denied` with no permission prompt at all.

Spent fifteen minutes assuming it was a macOS-level mic block on the browser app. It wasn't. The console had a different message buried under React's noise:

```
[Violation] Permissions policy violation:
microphone is not allowed in this document.
```

My `next.config.ts` was set to `Permissions-Policy: microphone=()`. An empty allowlist. The browser was blocking `getUserMedia` upstream of any user permission dialog.

Fix: `microphone=(self)`. Allow same-origin only, which means my page can use the mic but any third-party iframe embedded on it cannot.

The lesson is broader than voice: when shipping anything that touches a powerful browser API (camera, mic, geolocation, payment, USB), the first thing to check is *the Permissions-Policy header you set six months ago*.

### Streaming: not necessary

I considered streaming the STT request — chunking the MediaRecorder output and POSTing partial segments for live transcription as the user speaks. I didn't ship it.

PTT recordings are short. Whole-blob upload + recognize takes ~1 second for a 5-second clip. The streaming complexity (chunked uploads, server-sent events for partial transcripts, deduping interim vs final results) wasn't worth it for a one-second speedup. v2 if I ever want it.

## What Each Layer Cost

Time, not money:

| Layer | Sessions | Notes |
|---|---|---|
| Eval harness | 1 | Built before any prompt tuning. Highest leverage thing in the whole system. |
| Tool calls | 1 | The `addToolResult` requirement is the only sharp edge. |
| Memory | 1 | The PII regex defence took longer than the Dragonfly integration. |
| Analytics | 0.25 | Same `onFinish` as memory. Free. |
| Voice | 1.5 | Two of those bugs above were the bulk of the time. |

Total: ~5 sessions, spread over a couple of weeks, building on top of an existing portfolio site that already had a chat panel. Not "here is a 3-month AI-product-launch project." It's the kind of layered-system work a single engineer can do in evenings, if the foundation is right.

## What I'd Tell Someone Building This

Three things, in order:

1. **Build the eval harness first.** Twenty live probes against the real model is worth a hundred opinions about prompt wording. It will also catch model regressions when the provider silently updates the underlying weights.

2. **Pick one architectural rule and don't violate it.** Mine was "the streaming text pipeline stays." Voice could have been Gemini Live and had native barge-in for free; I would have spent the next month rebuilding tools, memory, and analytics around a WebSocket event model. The rule paid for itself by ruling out work, not by enabling it.

3. **The bugs in production AI features are not in the AI.** They're in CSP headers, codec quirks, permission policies, and "the model knows when to call a tool, but the user feels like a ghost dragged the page" timing issues. The model itself is the easy part. The *envelope around the model* is where most of the engineering goes.

The chat bubble is bottom-right of every page on this site. Ask it something. Try voice. If you're hiring, the things you'll learn from talking to my portfolio are not the things in my résumé.

## Running 116 Containers on My Laptop: Building a Personal Cloud from Scratch

**Date:** 2026-04-17
**Tags:** infrastructure, self-hosting, docker, homelab, tailscale
**Genre:** tech
**URL:** https://yourportfolio.example/blog/116-containers-personal-cloud

How I turned a single MacBook into a private cloud — AI inference, media server, dev services, wildcard HTTPS — all managed as code across 19 Docker Compose profiles.

## 116 Containers. One Laptop.

That number sounds absurd until you realize what it actually means in practice. I'm not running 116 web servers. I'm running one shared Postgres instance, one Redis-compatible cache, one S3-compatible object store, one observability stack, one AI inference runtime, one streaming pipeline, and one auth server -- all of which are shared across six active projects. The 116 figure is the total container count across a single `docker-compose.yml` that's 3,425 lines long and covers 19 named service profiles. The machine is a MacBook M1 Max with 64 GB of RAM. On any given working session, maybe 30-40 of those containers are actually running.

The story isn't "I run a lot of containers." The story is why I built this instead of just paying for cloud services.

I was running six projects simultaneously -- karmpath, prachyam-sangam, hotel-elegent, kanishka-creations, sutradhaar, and my portfolio -- each with its own isolated Docker stack. Each one had its own Postgres, its own Redis, its own MinIO. That's 18 to 30 containers of pure duplication, each configured slightly differently, each with its own credentials. But the real problem wasn't RAM or disk. It was the HTTP/HTTPS gap. In development, everything ran on `http://localhost:PORT`. In production, everything ran on HTTPS. That difference breaks OAuth redirects, secure cookies, service workers, and payment iframes -- all features that you can't test properly without deploying to staging first. I was spending time debugging staging instead of building. That's when I decided to fix the environment instead of working around it.

## The Architecture: Profiles as a Service Selector

The core idea is simple: one `docker-compose.yml` file, 19 named profiles, and a rule that no project ever starts a service it doesn't need.

```yaml
# docker-compose.yml (excerpt)
services:
  postgres:
    image: local/postgres-pgvector:17
    profiles: [core]
    labels:
      docsee.service: postgres
      docsee.profile: core
      docsee.description: "Shared PostgreSQL 17 + pgvector for all projects"
      docsee.domain: "pgbackweb.dev.dharmic.cloud"

  typesense:
    image: typesense/typesense:26.0
    profiles: [search]

  ollama:
    image: ollama/ollama:latest
    profiles: [ai]
```

When I'm working on karmpath, I run `docker compose --profile core --profile search --profile messaging --profile devtools up -d`. When I switch to the OTT project, I add `--profile media --profile streaming --profile monitoring`. Services that aren't needed stay down. RAM usage stays proportional to what I'm actually doing.

The 19 profiles are:

- `core` -- postgres (pgvector), pgbouncer, dragonfly (Redis-compatible), minio + minio-init, pgbackweb, timescaledb, falkordb, hocuspocus
- `search` -- typesense, qdrant, meilisearch
- `messaging` -- nats (JetStream), soketi, centrifugo, redpanda
- `workflows` -- temporal, temporal-ui
- `media` -- imgproxy, varnish, ffmpeg, shaka-packager, openinary
- `ai` -- rembg, ollama, open-webui, langfuse (web + worker), libretranslate
- `monitoring` -- prometheus, grafana, alertmanager, loki, tempo, otel-collector, uptime-kuma
- `streaming` -- mediamtx (RTMP ingest + HLS output)
- `analytics` -- clickhouse, redpanda, posthog, openpanel, metabase
- `automation` -- n8n
- `docs` -- outline
- `customer` -- chatwoot (setup + rails + sidekiq)
- `email` -- hyvor-relay
- `auth` -- authentik (server + worker)
- `notifications` -- ntfy
- `platform` -- umami, tolgee, bugsink, flipt, shlink, listmonk, altcha
- `devtools` -- mailpit, drizzle-gateway, redis-commander, bullmq-board, gotenberg, browserless, bytebase, cloudbeaver
- `payments` -- hyperswitch, killbill + kaui, lago, cal.com
- `internal-tools` -- appsmith, hasura, directus, novu, gitea, woodpecker, sonarqube, vaultwarden, jitsi, portainer, openreplay, infisical

The profile system is what makes the whole thing usable. Without it, I'd be back to maintaining separate compose files per project -- which is how I ended up with credential sprawl in the first place.

There's also a `ports.yml` -- a 254-line machine-readable YAML file that is the single source of truth for every port in the stack. Every service has a registered port. Every project has a registered set of ports for its frontend, API, and worker processes. No port hunting. No conflicts. Adding a new service means adding one block to `ports.yml` before touching the compose file.

## The Hardest Part: Wildcard HTTPS on Localhost

Every service in the stack is reachable at `*.dev.dharmic.cloud`. No ports in URLs. No browser security warnings. Real TLS certificates. This is the feature that makes the entire setup feel like production.

Getting there requires solving three problems in the right order.

First, DNS. I can't edit `/etc/hosts` for every service -- there are 97 named routes and the number grows. Instead, dnsmasq runs locally with a single wildcard rule:

```
# dnsmasq/dnsmasq.conf
address=/.dev.dharmic.cloud/127.0.0.1
address=/.co.dharmic.cloud/192.168.139.236   # OrbStack Coolify VM
address=/.do.dharmic.cloud/192.168.139.168   # OrbStack Dokploy VM
```

One rule covers every current and future subdomain. New service added to Caddy? It's immediately reachable at its domain without touching dnsmasq.

Second, TLS certificates. The standard HTTP-01 ACME challenge doesn't work for localhost -- there's no public internet reachability to verify. DNS-01 does. Instead of proving I control the domain by serving a file at `/.well-known/acme-challenge/`, I prove it by creating a TXT record via the Cloudflare API. Caddy handles this automatically with the `acme_dns cloudflare` directive:

```
# caddy/Caddyfile (excerpt)
*.dev.dharmic.cloud {
  tls {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
  }
}

@karmpath host karmpath.dev.dharmic.cloud
handle @karmpath {
  reverse_proxy localhost:3000
}
```

One wildcard certificate. 97 subdomains. Auto-renewed. Zero browser warnings.

Third, routing. Caddy reverse-proxies each named host to its container port. The Caddyfile is 855 lines covering application projects, storage, search, messaging, observability, streaming, auth, AI, dev tools, analytics, payments, scheduling, and communications. A few routes need special handling -- Hocuspocus and LiveKit both require WebSocket-aware header forwarding:

```
@hocuspocus host hocuspocus.dev.dharmic.cloud
handle @hocuspocus {
  reverse_proxy localhost:3455 {
    header_up Connection {http.upgrade}
    header_up Upgrade {http.upgrade}
  }
}
```

Without those two lines, WebSocket handshakes fail silently. That took longer to debug than I'd like to admit.

The result is that every project running on this machine gets HTTPS on day one. OAuth redirects work. Secure cookies work. Service workers work. I've stopped deploying to staging just to test auth flows.

## The AI Inference Mesh

The `ai` profile runs Ollama, Open WebUI, Langfuse, rembg, and LibreTranslate.

Ollama exposes an OpenAI-compatible API at `ollama.dev.dharmic.cloud`. Any project that would otherwise call `api.openai.com` can point at Ollama instead. The switch is a single environment variable. Inference stays on-device, off the network, and costs nothing per call. For development, this matters: I can iterate on prompts hundreds of times without watching a credit balance drop.

Open WebUI gives me a browser interface backed by Ollama -- think ChatGPT but local and with full model control. Langfuse sits in front of everything and traces every prompt: input tokens, output tokens, latency, cost (estimated), and evaluation results. When a prompt starts behaving unexpectedly, Langfuse is where I look first.

rembg is a background removal REST API -- useful for the media processing pipeline in prachyam-sangam where user-uploaded images need transparent PNGs generated. LibreTranslate handles offline subtitle translation for the OTT project, which targets regional-language content in India where cloud translation APIs would introduce both latency and per-character cost at scale.

None of this is AI-as-a-buzzword. These are specific tools solving specific problems in active projects. The local-first constraint is deliberate: I don't want my development workflow dependent on external API availability, rate limits, or billing.

## What I Learned

The entire repo was built in a single evening. Eight commits, 105 minutes, from `21:09` to `22:51` on 2026-03-28. The confidence to do that came from running a similar setup at Prachyam Studios -- a 3-machine Tailscale mesh where dnsmasq and Caddy provided `*.dev.prachyam.local` HTTPS routes across an iMac and two Docker hosts. That experience validated the pattern. This is the personal evolution of it: collapsed to one machine, extended from a project-specific OTT stack to a full personal SaaS toolkit.

The DNS-01 challenge discovery was the unlock that made everything else possible. Once you understand that wildcard TLS on localhost is a solved problem -- it just requires a DNS provider with an API and a Caddy plugin -- the "HTTPS in dev" problem disappears permanently. It's one of those things where you feel slightly annoyed that nobody told you sooner.

The `ports.yml` registry was the right abstraction from the first day. The cognitive overhead of tracking which ports are taken across 6 projects and 116 containers was already painful at 3 projects. Having a machine-readable source of truth meant I could also write `MIGRATE.md` -- a migration guide structured as instructions for Claude Code to read directly. Onboarding a new project to the shared infra now takes one AI-assisted session: read `MIGRATE.md`, reconcile credentials, restructure the compose file, register the profile. Around 20 minutes instead of an afternoon.

What surprised me was how much of the value came from the documentation, not the containers. The `docsee.*` labels on every container -- `docsee.service`, `docsee.profile`, `docsee.description`, `docsee.domain` -- let MetriX and DocSee (two other tools I'm building) read the Docker socket and discover the full service list dynamically. Adding a new container automatically registers it with monitoring. No manual dashboard updates. That lightweight label schema was a 10-minute addition that continues paying forward.

What I'd do differently: add a `Makefile` earlier. Right now, starting profiles is a raw `docker compose` command. `make up PROFILES=core,search` would be cleaner. I'd also derive the Coolify and Dokploy VM IPs from OrbStack's API programmatically rather than hardcoding them in `dnsmasq.conf`. Static IPs in config files are technical debt waiting to bite.

## The umbrelOS Connection

umbrelOS is trying to give normal people a personal cloud -- a box you put in your closet that runs your apps, your files, your services, behind a clean UI. What I've built here is functionally the same thing, without the box, without the UI, and with 19 times more services than umbrelOS ships with.

The goal isn't the same. I'm not building a product for non-technical users. But the impulse is identical: own your stack, know where your data lives, don't be a tenant in someone else's infrastructure. The commercial SaaS alternatives to what I'm running locally -- Sentry, PostHog Cloud, Metabase Cloud, Intercom, Cloudinary, GitHub Actions, 1Password Teams -- would collectively cost hundreds of dollars per month. The local versions cost electricity.

There's a version of this that ships as a product. umbrelOS is one attempt. Coolify and Dokploy are others. What none of them have yet is the production-parity networking layer -- the wildcard TLS, the named domains, the four-tier topology from one compose file. That's the part that makes local infrastructure feel real instead of provisional. It's also the part that took the most thought to get right.

The stack runs. The HTTPS is real. The services talk to each other the same way they will in production. That's what matters.

## 20 Million Emails, One Priority Queue: Fixing a Race Condition in Production Mailcow

**Date:** 2026-04-17
**Tags:** infrastructure, email, self-hosting, mailcow, postfix
**Genre:** tech
**URL:** https://yourportfolio.example/blog/mailcow-race-condition-priority-queue

How a bulk marketing campaign starved transactional email at Prachyam Studios — and how I fixed it by understanding Postfix queue internals and building a priority queue on top of Mailcow.

It was a Tuesday afternoon when the support tickets started coming in.

*"Password reset email never arrived."* *"Can't log in, OTP not received."* A user who'd been waiting forty minutes for a simple reset link. Then another. Then five more. Our Mailcow dashboard showed no errors. Postfix wasn't bouncing anything. The queue had messages in it — a lot of them, actually — and they were moving. Just not the ones that needed to move.

We were two months into running a self-hosted Mailcow stack at Prachyam Studios, a media company with two offices (Pune and Varanasi), 20 people, and an active marketing operation. I'd proposed the setup myself in a cost-reduction meeting: take the marketing email budget we were burning on Mailchimp — conservatively $300,000 for the 6-month campaign we had planned, given our ~350 million-record target dataset sat far above Mailchimp's 200k-contact Premium cap — and replace it with a self-hosted stack running on RackNerd VPS instances. Total infra cost for the campaign: roughly ₹9,000 (~$97). The math was obviously right. The configuration, as it turned out, needed work.

---

## What the setup looked like

Six RackNerd VPS servers. Twelve custom sending domains, each with SPF, DKIM, and DMARC configured — rotating domains and IPs so no single deliverability incident could take down the whole operation. Mailcow running as a Docker Compose stack on each server: Postfix for the MTA, Dovecot for IMAP, Rspamd for spam filtering, the full bundle. Internal team mail for all 20 people ran through the same servers. So did onboarding emails, password resets, OTPs — every transactional notification the platform sent.

That last part is where it went wrong.

---

## The incident

The marketing team had launched a new batch. Nothing unusual — they'd done several runs by this point. This one was a larger send, pushing out into the deeper segments of the dataset. I was focused on something else when the first ticket came in. By the time the third one landed, I was looking at the queue.

The numbers looked fine at first glance. Messages were processing. Rspamd scores were clean. No obvious delivery failures in `/var/log/mail.log`. I ran `postqueue -p` on the active sending server and got back several thousand lines. The queue was full — not stuck, just backed up with the marketing batch. That's when the shape of the problem started to form.

I piped the output and looked at the message timestamps:

```bash
postqueue -p | grep "^[A-F0-9]" | awk '{print $3, $4, $5}' | head -40
```

The oldest messages in the queue were from an hour ago. They were transactional — notifications, a password reset, two OTP sends. Sitting behind thousands of marketing messages that had arrived after them but had the same queue priority: zero. Postfix doesn't care what an email contains. It processes the queue roughly in arrival order, with some nuance for connection limits and retry intervals — but there is no concept of "this one matters more than that one" in a default configuration.

My first wrong assumption was that Rspamd was throttling something. I checked the Rspamd web interface and the greylisting logs. Nothing unusual. My second wrong assumption was that the sending rate limits were too aggressive on that particular server. I checked `smtp_destination_rate_delay` and `smtp_destination_concurrency_limit`. They were fine — tuned appropriately for the volume. The marketing mail was moving at a good clip.

That was exactly the problem. The marketing mail was moving at a good clip, and it had an hours-long head start.

---

## Understanding what Postfix actually does with a queue

Postfix manages several queue directories: `incoming`, `active`, `deferred`, `hold`, `corrupt`. The `active` queue is what's actually being delivered — Postfix moves messages from `incoming` to `active` up to a configurable limit (`qmgr_message_active_limit`, default 20,000 messages). Once `active` is full, new incoming messages wait in `incoming` regardless of their priority.

When a marketing batch drops 50,000 messages into `incoming` at once and the `active` queue fills with them, a transactional message that arrives mid-batch joins the back of the `incoming` line. It won't see the `active` queue until the batch drains enough to make room — and at the sending rates we were running, that took a long time.

This is not a bug in Postfix. It's doing exactly what it's configured to do: deliver mail. It's just that "deliver mail" and "deliver *this* mail first" are two different requirements, and the default configuration only satisfies the first one.

The fix Postfix provides for this is transport maps — the ability to route different mail through different delivery "transports," each with its own rate limits, concurrency settings, and queue behavior. Two transports means two queues, independent of each other. A transactional message routed through the `internal` transport will never compete with a marketing message routed through the `bulk` transport for the same `active` queue slot.

---

## The fix

The implementation required three pieces working together.

First, a custom transport definition in `master.cf` — two separate SMTP transports, one for bulk and one for internal/transactional sends:

```
# /etc/postfix/master.cf (appended)

bulk      unix  -       -       n       -       20      smtp
  -o smtp_destination_rate_delay=2s
  -o smtp_destination_concurrency_limit=10
  -o smtp_extra_recipient_limit=10

internal  unix  -       -       n       -       50      smtp
  -o smtp_destination_rate_delay=0
  -o smtp_destination_concurrency_limit=50
```

The `bulk` transport is deliberately rate-limited: a 2-second delay between deliveries per destination, low concurrency. The `internal` transport runs with no artificial delay and higher concurrency — transactional messages move as fast as the destination will accept them.

Second, transport maps in `main.cf` to route by sender domain:

```
# /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport_maps

# /etc/postfix/transport_maps
# Marketing domains → bulk transport
campaigns.prachyam.com    bulk:
marketing.prachyam.com    bulk:

# All else falls through to internal transport
# (set smtp_fallback_relay or default_transport = internal)
```

Third — and this is the part that's easy to miss — you need to tell Postfix's queue manager that the two transports are independent, so it doesn't let one block the other:

```
# /etc/postfix/main.cf
defer_transports =
qmgr_message_active_limit = 20000
# Separate active queue limits per transport are enforced
# automatically once transports are distinct in master.cf
```

After running `postmap /etc/postfix/transport_maps` and reloading Postfix, the change was immediate. I watched `postqueue -p` in one terminal and the mail log in another. The transactional messages that had been sitting in queue for over an hour cleared within minutes. The marketing batch kept going, unaffected — it just no longer owned the whole queue.

---

## What it looked like after

The starvation problem went away. Not "improved" — went away. Internal mail started delivering within its normal window regardless of what the marketing batch was doing. The two queues were independent, and they stayed that way through the rest of the campaign run.

Across the full 6-month campaign, the stack processed approximately 20 million outbound emails to the marketing dataset, plus internal mail for 20 people. Total infra cost: ₹14,000/year (~$151) for six servers and twelve domains. The Mailchimp alternative for the same volume would have been a custom enterprise quote north of $300,000. Even AWS SES + Listmonk — the credible DIY middle ground — would have run around $7,500 for the campaign run alone.

The priority queue configuration wasn't a huge amount of code. The relevant `master.cf` additions are about ten lines. The transport map is straightforward. What took time was understanding *why* the default configuration didn't handle this, rather than just cargo-culting a solution from a forum post. The queue semantics, the transport abstraction, the way `qmgr` manages active slots — once those clicked, the fix was obvious.

---

## What I'd do differently

The honest answer is: separate the transactional and bulk sending paths earlier, before they're sharing a server at all. The priority queue configuration works, and it worked throughout the rest of the campaign, but it's a configuration solution to an architecture problem. If the marketing blast had been running through a dedicated server from the start, the starvation could never have happened — there's nothing to share.

The reason I didn't do that initially was operational: fewer servers means fewer log streams to watch, fewer configs to keep in sync, fewer things to go wrong in unfamiliar ways. For a team without a dedicated DevOps person, that reasoning held up. But the configuration complexity of the priority queue — the transport maps, the per-transport rate limits, the DKIM alignment across queue classes — is its own kind of operational surface. Whether it's cheaper than a second server depends on how much you trust your own Postfix knowledge, which before this incident I'd overestimated.

I'd also automate the DNS verification checks post-DKIM rotation across all twelve domains. The current setup requires manually running `dig` against each domain to confirm SPF, DKIM, and DMARC records are propagating correctly. A small shell script could catch misconfigurations before they affect deliverability instead of after. That's a gap that hasn't bitten us yet, but only because we've been careful.

The mail stack is handed off to the Prachyam team now. The priority queue is running. The cost savings are permanent as long as the servers stay up. But the thing I think about is those transactional messages sitting in the queue for over an hour — the users who couldn't log in, couldn't reset their passwords, were just waiting. A configuration decision I hadn't made yet was the direct cause of that. Getting the fix right required understanding the system, not just fixing the symptom. That's the part worth keeping.

## 9 Platforms, 1 Monorepo: Building an OTT Platform Solo in 5 Months

**Date:** 2026-04-17
**Tags:** architecture, monorepo, typescript, nx, streaming, react-native
**Genre:** tech
**URL:** https://yourportfolio.example/blog/prachyam-sangam-9-platforms

How I architected a full-stack OTT streaming platform for web, mobile, four TV OSes, and a desktop admin panel — solo, in one Nx TypeScript monorepo — and what I'd do differently.

In November 2025, I started a ground-up rewrite of an OTT streaming platform. Nine target surfaces: web, iOS, Android, Apple TV, Android TV, Samsung Tizen, LG webOS, a Tauri desktop admin, and a docs site. One developer. Five months.

This is not a post about how everything went smoothly. It's an account of the specific decisions I made, the constraints I was working under, and the places where I'd do things differently if I started today.

---

## The situation

Prachyam Studios had an OTT platform. It had been touched by 18 developers over its lifetime and showed every sign of it: compromised SSH keys, a Sanity CMS that had become a ceiling rather than a tool, and no path to TV support without a near-total rewrite. Three ThemeForest OTT products were evaluated and purchased. All three under-delivered on TV support and admin completeness in ways that only became visible after purchase.

At that point the options were: buy a fourth template and hope, or build from scratch with full control.

I chose to build. It was probably the more expensive decision in the short term. It was also the only one that could actually hit the full target platform list.

Partway through, I discovered the company was in acquisition talks with a media house. The project shifted — I transitioned to building it for an independent TV-producer and director partnership instead. The technical scope didn't change. The clock got tighter.

---

## Why a monorepo, and why Nx

The argument for a monorepo when you're targeting 9 surfaces is simple: business logic doesn't care what screen it runs on. Auth, payment processing, subscription state, content metadata schemas — these need to be the same everywhere. If they're not, you're not building one product, you're building nine products that happen to share a brand.

The alternative I was replacing made this concrete. The legacy codebase had duplicated auth logic in at least four places. A subscription-state fix in one place didn't propagate to the mobile app because mobile had its own copy of the same function, slightly different, written by a different developer two years prior.

With 21 shared packages handling everything from `@repo/auth` (Better Auth sessions) to `@repo/payments` (Razorpay) to `@repo/streaming` (HLS transcode workers), a change in one place affects everything that depends on it, and you know immediately because Nx's project graph tells you which apps are affected before you push.

I evaluated Turborepo first. The executor model in Nx mapped better to my build targets — specifically the Tauri desktop build, which needs its own toolchain and doesn't fit neatly into a Turborepo pipeline. Nx's `affected` command also integrates with the project graph in a way that meant I could run `nx affected --target=build` after touching `@repo/auth` and watch only the apps that actually import it get rebuilt, rather than triggering a full-repo cascade.

```json
// nx.json (excerpt)
{
  "targetDefaults": {
    "build": {
      "dependsOn": ["^build"],
      "cache": true
    },
    "lint": {
      "cache": true
    }
  },
  "namedInputs": {
    "sharedGlobals": ["{workspaceRoot}/biome.json"],
    "default": ["{projectRoot}/**/*", "sharedGlobals"]
  }
}
```

Individual package build time stayed under 30 seconds even as the repo reached 21 packages. That's not accidental — it's the caching doing its job.

---

## The hardware constraint

I was issued a 16 GB / 512 GB M1 iMac. For a monorepo running 7 concurrent apps, that's marginal. Add a Docker service stack — PostgreSQL, MinIO, Dragonfly (Redis-compatible cache), Typesense, Qdrant, Soketi, BullMQ workers, Prometheus, Grafana, Varnish — and you're not fitting this on one machine without constant memory pressure and thermal throttling on the build.

I didn't have a budget for hardware upgrades. So I networked the machines I had.

Three machines on a Tailscale mesh: the iMac as the build and coding machine, two other machines running the Docker stack. dnsmasq on the iMac assigns stable local DNS entries; Caddy on each service machine handles TLS termination and reverse proxying. Every service gets a stable HTTPS subdomain — `api.willmakeitsoon.com`, `minio.willmakeitsoon.com`, and so on — resolvable from the iMac during active development.

```
# /etc/dnsmasq.conf (excerpt)
address=/api.willmakeitsoon.com/100.64.x.x
address=/minio.willmakeitsoon.com/100.64.x.x
address=/search.willmakeitsoon.com/100.64.x.y
address=/db.willmakeitsoon.com/100.64.x.y
```

The result: the iMac runs the monorepo build, the Next.js dev server, and the Expo bundler. Everything else — database, cache, object storage, search, observability — lives on the other two nodes and is accessible at a stable domain. Production-mimicking without production costs, and without spending money I didn't have on new hardware.

It worked well enough that I'd consider running a similar setup intentionally on a future project, not just as a workaround.

---

## TV platform fragmentation is real

This section tends to get glossed over in architecture write-ups. "We support TV" usually means someone got an Apple TV app working. The actual surface area is wider and weirder than that.

Apple TV and Android TV are handled by Expo TV (Expo 54 with React Navigation's TV focus engine). That abstraction is genuinely good. The D-pad navigation model maps onto React Native's focusable components cleanly, and you get iOS and Android TV from one codebase with minimal platform-specific branching.

Samsung Tizen 4.x and LG webOS 4.x are a different story. These are Smart TV web platforms — Tizen runs a modified Chromium fork, webOS runs a different one — but "web platform" here means a constrained, often older web platform with specific SDK requirements. webOS needs `webOSTVjs-1.2.10` for service access. Tizen needs its own CLI toolchain and certificate-signed packages for sideloading. Neither one can share a build with the Expo TV app.

The moment that clarified this for me: I assumed the HLS player implementation I'd built for the web app would mostly work on Tizen with minor adjustments. In practice, the input event model is completely different. On Tizen 4.x, key events aren't standard browser key events — they come through a Tizen-specific API and the numeric key codes don't match the values you'd find documented for standard remotes. The D-pad focus behavior also doesn't follow browser tab-order logic; you have to manage spatial focus entirely in JavaScript, tracking which element is focused and responding to directional key presses yourself.

That's three distinct input models across four TV platforms: Expo TV's focus engine, the Tizen key event API, and webOS's key event API (similar to Tizen but with its own quirks via the webOS SDK). Structurally separate vanilla-JS builds for Tizen and webOS, each with their own build pipeline, each needing physical or emulated devices for anything beyond basic UI testing.

The Expo TV abstraction earns its keep. The Smart TV web apps are their own maintenance surface, and I'd budget for that explicitly if I were scoping this project for a client.

---

## Staying coherent across 104 sprints

The practical problem with solo development on a project this large isn't skill — it's context. By sprint 40, the monorepo has 21 packages, 7 apps, and a detailed set of decisions about why Dragonfly is used instead of Redis, why Elysia handles the API instead of Fastify, which routes are cache-swept and which ones aren't. By sprint 80, you cannot hold all of that in your head.

I built 10 custom MCP servers to address this. The one that mattered most was `ott-context-mcp`, which learns and persists fix patterns and architectural decisions per package across sessions. When I open a new Claude Code session on sprint 90, that server surfaces the relevant context for whatever package I'm touching — not from memory, but from a structured store that accumulated knowledge over the previous 89 sprints.

The others handle practical access: `drizzle-studio-mcp` for live DB inspection, `infra-monitor-mcp` for Docker service health, `monitoring-mcp` for Prometheus queries, `api-test-mcp` for endpoint testing, `video-monitor-mcp` for transcode job status. Instead of switching to a browser or terminal to check state, the information arrives in the conversation window.

It sounds like over-engineering for a solo project. In practice, the alternative is spending the first 20 minutes of each session reconstructing context that should already be there. Across 104 sprints, that adds up to a lot of lost time.

---

## Honest reflection

**What it actually cost.** 104 sprint commits, 152 total commits, roughly 971,000 lines across the monorepo by the end of active development. At handoff: 17 of 20 viewer flows demo-clean, 8 of 14 admin flows demo-clean. That gap — the incomplete flows — is where a team would have made a difference. Not in the architecture decisions or the platform abstractions, but in raw bandwidth. A team of 4–6 with clear ownership over subsystems would have shipped the remaining flows without sacrificing anything on the surfaces I prioritized.

**What I'd change in the architecture.** The CI pipeline. I ran `nx affected` locally throughout development. It worked, but branch-based affected caching in GitHub Actions with Nx Cloud would have saved several hours of full builds, especially in the middle of the project when the package count was growing and I hadn't yet locked down which packages were stable. I added CI mid-project. I should have started with it.

**The zero-TypeScript-error rule.** I enforced this from sprint 75 onward. I should have enforced it from sprint 1. The cost of cleaning up accumulated `any` types and missing generics in sprints 60–74 was real and entirely avoidable.

**The TV apps.** If I were scoping this today, I'd explicitly call out Tizen and webOS as separate deliverables with their own timelines, not as part of the main monorepo sprint cadence. They share almost nothing with the Expo TV build except the API client and some shared types. Treating them as parallel deliverables from the start would have made the scope more honest.

**What held.** The monorepo structure. Every architectural decision about shared packages paid forward. The Tailscale mesh dev environment worked well enough that I'd use a similar setup intentionally. The sprint-numbered commit discipline made the demo-readiness audit — mapping every route to its data source and readiness state — something I could write in under an hour, because every route's last relevant sprint was traceable in the git log.

One person building nine platforms is a constraint, not a feature. The decisions I made under that constraint — the monorepo, the shared package layer, the Tailscale mesh, the MCP servers — were attempts to make the constraint less limiting. Some of them worked better than expected. Some of them I'd do differently. All of them were made in the specific conditions of that project, and that's the only way I know how to evaluate them honestly.

The coming-soon site is live at [prachyam.willmakeitsoon.com](https://prachyam.willmakeitsoon.com). Full deployment is pending the partnership handoff.

## Why I Designed a Keyboard Layout at 15 (and Still Use It at 213 WPM)

**Date:** 2026-04-17
**Tags:** keyboard, design, productivity, personal
**Genre:** society
**URL:** https://yourportfolio.example/blog/x-type-keyboard-layout

In 2015, at 15, I designed my own keyboard layout because QWERTY felt structurally wrong. Eleven years later I'm at 213 WPM and still use it every day. Here's the story and what it taught me about design.

## The Observation

I was fifteen in 2015 and I typed a lot. Not in a healthy "I have homework" way — in a "I am online all day arguing about things and writing code for fun" way. QWERTY was just the water I swam in, the same way it is for everyone.

Then I noticed something that I couldn't un-notice.

I was at around 40 WPM and I'd started looking at global typing leaderboards, the way you do when you get competitive about something. India is the world's second-largest English-speaking population. It has over a billion people. And on those leaderboards, India had exactly one person in the top twenty.

One person.

I sat with that for a while. And the question that formed wasn't "how do I get faster on QWERTY." It was: why is QWERTY the assumption?

QWERTY was designed in 1873. The design priority was preventing typewriter jams — the hammers on mechanical typewriters would collide if you typed common letter combinations too quickly, so the layout deliberately separated frequently-paired keys. The human hand was an afterthought. That constraint vanished sometime in the early twentieth century. The layout didn't.

I was fifteen, I had won a gold medal at the International Informatics Olympiad that same year, and I had the specific brand of overconfidence that comes from being good at hard problems. Looking at QWERTY and thinking "this is structurally wrong and I should build a replacement" felt like a reasonable use of a weekend.

It ended up being considerably more than a weekend.

## The Design Process

Here's what I actually had access to in 2015: a basic internet connection at a cyber café, enough time, and a dataset instinct I didn't yet have a name for.

The insight that shaped everything was simple: every existing alternative layout — Dvorak, Colemak, Workman — was optimised for English. I am an Indian typist. My daily writing is a mix of standard English, Hinglish (Hindi spoken and written in the Latin alphabet), and Hindi transliterated phonetically into Roman script. The letter frequency distributions are genuinely different. Consonant clusters that almost never appear in natural English are common in Hinglish. If you build a layout from the wrong corpus, you get a layout optimised for someone else's typing.

So the first step was the corpus. I collected real-world samples of my actual writing — the languages and proportions I actually used — and weighted them to reflect what a day of typing looked like for me.

Then I found the Patorjk Keyboard Layout Analyzer, a free online tool that lets you upload a corpus and score different key arrangements against it on metrics like finger travel distance and same-finger bigrams (where you type consecutive characters with the same finger — slower, and harder on tendons). I uploaded my corpus and started moving keys around.

The process looked like this:

- Put the most frequent letters under the strongest fingers (middle and index), on the home row
- Keep common bigrams on alternating hands where possible, so one hand can be pressing the next key while the other is still finishing the current one
- When bigrams must land on the same hand, make them rolling sequences — finger 1 then finger 2 moving in one direction — rather than awkward reaches
- Avoid the same finger hitting two consecutive keys at all costs

The reasoning behind specific placements was explicit: "E goes here because it is the most frequent character in the combined corpus and this position is the fastest physical reach from rest. T goes here because E-T is one of the most common bigrams and this placement puts them on alternating hands." Not aesthetic — mechanical. The analyzer gave me a score, I moved a key, ran it again, checked whether the score went up or down, adjusted. Empirical hill-climbing with a free web tool, because that was what I had.

After enough iterations, X-Type beat QWERTY, Dvorak, Colemak, and Workman on my corpus — on every metric the analyzer measured. That felt like a proof.

The layout had one more unconventional property: two symbol modifier layers, accessed by holding keys that also function as characters when tapped. Every bracket, brace, quote, operator, and programming symbol accessible without reaching for the number row. The disambiguation window — how long you hold before the layer activates instead of the character — is 300 milliseconds, tuned empirically until it stopped firing accidentally during fast typing.

## The Learning Curve

I switched cold. Ninety WPM on QWERTY, then one morning I changed my layout and that was it.

The first week I could not type a coherent sentence. I had to think about where every single key was. Not think in the background — consciously, deliberately, one key at a time, the way you have to think about every gear change when you're first learning to drive manual. Conversations in group chats took ten minutes. Code that should have taken an hour took most of a day.

There was a specific low point about three weeks in where I sat at my keyboard for a few minutes without typing anything, trying to remember where R was, and thought: this was a mistake and I have broken something I cannot easily fix.

I did not switch back.

Partly stubbornness. Partly because I had looked at the corpus analysis results enough times that I trusted the math even when my fingers didn't yet. Partly because switching back would have meant admitting that the 15-year-old who built a keyboard layout didn't actually know what he was doing, and I was not ready to admit that.

A few months in, I crossed 40 WPM again. A few months after that, I passed where I had been on QWERTY. Then it stopped feeling like a learned thing and started feeling like the only thing.

## 213 WPM, Eleven Years Later

The current number is 213 WPM, which represents a 136% improvement over the 90 WPM I was at when I switched.

What does 213 WPM feel like? It mostly feels like nothing. Fast typing is invisible to the typist — you're not thinking about the typing, you're thinking about the thought. The ceiling matters when something is slow enough to interrupt the thought. Most QWERTY typists are between 60 and 80 WPM. The average developer is probably in that range. At that speed, there are moments where your hands can't keep up with your head, small fractional hesitations that break the flow of working.

At 213 WPM, typing is not the bottleneck. Thinking is. That's where you want to be.

The honest caveat: typing speed as a raw number matters less than most typing enthusiasts will tell you. A faster typist doesn't write better code. The gains are in the edges — typing out a long search query, writing a long explanation in a PR comment, live-editing a config file while someone is watching. The accumulation of those moments, over years, is real. But it's not the reason I still use X-Type.

The reason I still use it is that it's mine, and it's better for my specific use case than anything else that exists, and I proved that with data in 2015.

## The Layout Itself

For the technically curious, a quick structural picture:

The base alpha layer is a complete 26-key remap — every key on standard QWERTY hardware produces a different character. The most frequent characters in the combined English/Hinglish/Hindi corpus sit on the home row under the strongest fingers. Common bigrams in that corpus land on alternating hands or in rolling same-hand sequences rather than awkward reaches or same-finger repetitions.

On top of the base layer, two symbol modifier keys give access to all programming punctuation without leaving the home row:

```
Left modifier  (hold):  [ " ] : ? ( , ) ; ! & | ' \ ^ ~
Right modifier (hold):  $ { = } < / > . * % - + ` _ ^ ~
```

Each modifier key is dual-purpose: tap it and you get a character; hold it and you activate the layer. The `^` and `~` characters appear in both layers so either hand can reach them. Physical N is permanently remapped to Escape — a gift to anyone who lives in Neovim.

The macOS implementation runs through Karabiner-Elements, which intercepts key events at the IOKit layer before the operating system sees them. This means the layout works in every context — games, virtual machines, every application uniformly — in a way that a standard macOS keyboard layout bundle cannot achieve, because the symbol modifier layers require conditional state logic that the standard format doesn't support.

The same logical layout runs on Android (a custom keyboard app built in 2016, the first physical implementation), Linux (XKB), and Windows. Muscle memory transfers across every machine.

## What It Taught Me

The meta-lesson is the one I've thought about most.

QWERTY is a universal default. Every keyboard in the world ships with it. Every typing tutorial assumes it. When you ask why everyone uses it, the real answer is: because everyone uses it. The path dependency is the justification.

At fifteen, I looked at that default and decided it was wrong for my specific situation, built evidence that it was wrong, and replaced it with something I designed myself. That decision compounded for eleven years and is still paying off.

The same pattern shows up everywhere in how I work now. I self-host instead of using SaaS when the data matters and the cost is manageable. I chose Rust for Docsee over Go or Node because the performance and binary size characteristics were right for that specific problem. I run Bun instead of Node because I tested it and it was faster for my use case. I build custom MCP servers instead of waiting for someone else to release one for the workflow I need.

None of these are contrarianism. They're the same thing as X-Type: look at the default, ask whether it's actually optimal for your situation specifically, build the evidence, and if the evidence says no — do the work.

The corpus quality is everything. This is maybe the cleanest lesson from the keyboard project that transferred directly into how I think about software. Dvorak and Colemak are genuinely good layouts. They underperformed X-Type not because their designers weren't smart, but because they optimised for a different corpus. An optimisation is only as good as the objective function it runs against. Garbage in, optimal-looking garbage out. I think about this constantly when I'm making architectural decisions or evaluating product tradeoffs: what is the actual objective function here, and is it the right one?

The other lesson is simpler: long bets compound. Three weeks of being unable to type coherently, then months of being slower than I used to be, was the cost of eleven years of compounding returns. The willingness to take that cost — to give up current performance for a long-term gain that the data said was real — is probably the most transferable thing the layout ever taught me.

The fifteen-year-old who built this had no budget, no formal training, no academic resources. He had a dataset instinct, a free web tool, enough time, and the specific stubbornness to not switch back during the hard weeks. That turned out to be enough.

It still is.

## TIL: impl Trait vs dyn Trait in Rust

**Date:** 2026-04-10
**Tags:** rust, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-rust-impl-vs-dyn-trait

The difference between static dispatch (impl Trait) and dynamic dispatch (dyn Trait) — not just syntax, but a real tradeoff.

`impl Trait` and `dyn Trait` are not interchangeable. They compile to fundamentally different code.

## impl Trait — static dispatch

```rust
fn process(handler: impl Handler) {
    handler.handle();
}
```

The compiler monomorphizes this: it generates a concrete copy of `process` for every type that implements `Handler`. Fast at runtime (no vtable lookup), larger binary, requires the type to be known at compile time.

## dyn Trait — dynamic dispatch

```rust
fn process(handler: &dyn Handler) {
    handler.handle();
}
```

This uses a vtable — a pointer to a table of function pointers resolved at runtime. Slower (one pointer dereference per method call), smaller binary, works with heterogeneous collections (`Vec<Box<dyn Handler>>`).

## When it matters

Use `impl Trait` when:
- You're writing hot-path code where the type is always known at compile time
- You want the compiler to optimize across the function boundary

Use `dyn Trait` when:
- You need a collection of mixed types that all implement the same trait
- The type isn't known until runtime (plugin systems, registries)

In DocSee, the CLI variant used `impl Trait` for its command handlers (always statically known), and the plugin loader used `dyn Trait` (loaded at runtime from config). Two interfaces, two right answers.

## TIL: Postfix Queue Management Under Load

**Date:** 2026-04-08
**Tags:** infrastructure, email, linux, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-postfix-queue-management

How Postfix queues work, why they pile up, and the exact commands to drain, inspect, and recover them when things go sideways.

Postfix has four queues: `incoming`, `active`, `deferred`, `hold`. Most problems live in `deferred`.

## Check queue status

```bash
mailq | tail -1          # total queue count
mailq | grep "^[A-F0-9]" | wc -l  # just deferred count
postqueue -p | head -50  # first 50 entries with reasons
```

## Why messages defer

The reason is always in the queue listing:

```
connect to gmail-smtp-in.l.google.com[...]:25: Connection refused
```

Common causes:
- **Port 25 blocked** by your VPS provider (very common on new nodes)
- **IP not warmed up** — receiving server throttling you
- **Blacklisted IP** — check via MXToolbox
- **DMARC/SPF fail** — receiving server is rejecting, not deferring

## Drain the deferred queue

```bash
postqueue -f          # retry all deferred messages now
postsuper -r ALL      # requeue everything (forces re-evaluation)
```

## Flush messages to a specific domain

```bash
postqueue -f -d gmail.com
```

## Delete everything in deferred (nuclear option)

```bash
postsuper -d ALL deferred
```

## The thing I wish I knew earlier

When you're sending bulk mail and Gmail starts deferring you, **don't flush aggressively**. Rapid retries signal spam behavior and make the throttling worse. Postfix's default retry schedule (5min, 10min, 20min, ..., up to `maximal_queue_lifetime`) is deliberately conservative for a reason. Let it run.

Only flush manually when the underlying problem (wrong DNS, blocked port, bad SPF) is actually fixed — not before.

## Running a Complete Local AI Stack on M1 Max: What Actually Works

**Date:** 2026-04-05
**Tags:** ai, local-ai, self-hosting, macos
**Genre:** tech
**URL:** https://yourportfolio.example/blog/local-ai-stack-m1-max

Llama 70B, Flux image generation, Kokoro TTS, Whisper STT — all running locally on an M1 Max with 64GB unified memory. The practical setup, benchmarks, and honest assessment of what's ready and what isn't.

In early 2025 I bought a MacBook M1 Max with 64GB unified memory. The primary reason was local AI inference — the ability to run large language models, image generation, speech synthesis, and speech recognition entirely offline, at no marginal cost per request.

Eleven months later, I have a working local AI stack that I use daily. Some of it has exceeded my expectations. Some of it hasn't. This is an honest assessment of what actually works, what the real limitations are, and whether it's worth the investment.

## Why Local AI

The case for local inference over cloud APIs comes down to four things:

**Cost.** Cloud inference has marginal cost. Running Llama 70B locally has zero marginal cost. For development work — which involves a lot of iterative prompting, testing edge cases, generating test data — the API bills accumulate fast. At my development intensity, I was spending ₹15,000–25,000/month on Claude and GPT-4 API calls before going local.

**Privacy.** Anything I send to a cloud API becomes training data or at minimum is retained for some period. Code I'm working on, documents I'm analyzing, internal knowledge I'm querying against — none of that should leave the machine.

**Offline operation.** I work on trains, in areas with poor connectivity, and at hours when services have outages. Local models don't have availability dependencies.

**No rate limits.** I can run inference in a tight loop for hours. For automated evaluation pipelines, document processing, and batch generation, rate limits are a genuine bottleneck on cloud APIs.

## The Hardware Reality

The M1 Max with 64GB unified memory is specifically good for AI inference for one reason: **unified memory means the CPU, GPU, and neural engine share the same memory pool**. There's no PCIe bandwidth bottleneck between CPU and discrete GPU — the weights live in unified memory and the GPU reads them at full memory bandwidth.

For an Nvidia setup, you need a GPU with enough VRAM to hold the model weights entirely. A 70B model in 4-bit quantization is about 40GB. Consumer Nvidia cards top out at 24GB VRAM. You can run larger models with CPU offloading, but it's slow. On M1 Max with 64GB, the 40GB model fits in the shared pool and inference runs entirely on GPU.

This is the specific reason why Apple Silicon is competitive for local inference — not raw FLOPS, but memory architecture.

## What's Running

### Llama 3.1 70B — Primary LLM

Runner: [Ollama](https://ollama.ai) with llama.cpp backend
Model: Llama 3.1 70B in Q4_K_M quantization (~40GB)

```bash
ollama pull llama3.1:70b
ollama run llama3.1:70b
```

Performance on M1 Max 64GB:
- **Prompt processing:** ~1,200 tokens/second
- **Token generation:** ~12–15 tokens/second

12–15 tokens/second is readable at normal reading speed. It's not GPT-4-turbo fast, but it's fast enough that you're not watching it token by token.

Quality: Llama 3.1 70B is genuinely close to GPT-4 on most tasks I throw at it — code review, explanation, refactoring, documentation generation. The gap is noticeable on complex multi-step reasoning and tasks requiring very recent knowledge. For development work, I rarely feel the quality gap.

### Flux.1-schnell — Image Generation

Runner: [ComfyUI](https://github.com/comfyanonymous/ComfyUI)
Model: Flux.1-schnell (the distilled fast variant, ~15GB)

Flux produces substantially better output than Stable Diffusion XL for photography-style images and technical diagrams. The "schnell" variant trades some quality for speed — generation time on M1 Max is about 8–12 seconds for a 1024×1024 image at 4 steps.

I use this for:
- Generating social preview images for blog posts
- Quick concept visualization during design work
- Generating varied examples for documentation

The honest limitation: Flux can't read text reliably. Any generation involving text in the image will hallucinate. For anything text-critical, you still need to composite text in post.

### Kokoro — Text to Speech

Runner: Python FastAPI server wrapping the model
Model: Kokoro 82M (small but very good quality)

Kokoro is an open-source TTS model that produces surprisingly natural-sounding output for its size. The 82M parameter version runs inference in 2–3x real-time on M1 Max — a 60-second audio clip generates in about 25 seconds.

I use Kokoro for:
- Generating audio versions of blog posts (the audio player on this blog)
- Converting long documents to audio for commute listening
- Voiceovers for demo videos

The voice quality is not quite Eleven Labs, but it's better than anything open source was producing 18 months ago. The Indian English accent handling is notably good — it doesn't mangle words the way most TTS models do when they encounter transliterated Hindi terms.

### Whisper Large-v3 — Speech to Text

Runner: [faster-whisper](https://github.com/SYSTRAN/faster-whisper) (CTranslate2 backend, much faster than original)
Model: large-v3 (~3GB)

Whisper large-v3 is the best open-source STT model available. On M1 Max, transcription runs at approximately real-time speed for large-v3, or 3–4x real-time for the medium model.

I use Whisper for:
- Transcribing meeting recordings and voice memos
- Generating search-indexed transcripts for video content
- Quick offline dictation via a shell alias that records mic input and pipes to Whisper

The quality on Indian-accented English is noticeably better than cloud STT services, probably because OpenAI trained Whisper on a more diverse corpus than most enterprise STT providers.

## The Integration Layer

Running four separate model servers (Ollama, ComfyUI, Kokoro, Whisper) creates an integration problem — you need a unified way to call them from scripts and applications. I built a thin FastAPI router that provides a single endpoint interface:

```python
# router.py
from fastapi import FastAPI
import httpx

app = FastAPI()

@app.post("/generate/text")
async def generate_text(prompt: str, model: str = "llama3.1:70b"):
    async with httpx.AsyncClient() as client:
        response = await client.post(
            "http://localhost:11434/api/generate",
            json={"model": model, "prompt": prompt, "stream": False}
        )
        return response.json()

@app.post("/generate/image")
async def generate_image(prompt: str):
    # ComfyUI workflow trigger
    ...

@app.post("/generate/audio")
async def generate_audio(text: str):
    # Kokoro TTS
    ...

@app.post("/transcribe")
async def transcribe(audio_path: str):
    # Whisper STT
    ...
```

This router is what my shell scripts and Claude Code MCP tools call. Adding a new local model means adding one endpoint — the calling code doesn't change.

## The Claude Code MCP Integration

The most useful thing I've done with local AI is building MCP (Model Context Protocol) servers that expose local model capabilities to Claude Code. This means I can be in a Claude Code session and say "transcribe this voice memo" or "generate an image for this blog post" and Claude routes the request to the local model.

```json
// .claude/mcp-servers.json
{
  "local-ai": {
    "command": "python",
    "args": ["/Users/xczer/local-ai/mcp_server.py"],
    "description": "Local AI models: Llama, Flux, Kokoro, Whisper"
  }
}
```

The practical result: Claude Code can call Whisper to transcribe a voice note I dropped in the project folder, use the transcript as context, and then generate code based on what I said. The entire thing runs locally. No data leaves the machine.

## Benchmarks vs Cloud

Honest comparison on tasks I actually run:

| Task | Local (M1 Max) | Cloud equivalent | Quality delta |
|------|---------------|-----------------|---------------|
| Code explanation (2K tokens) | ~20 seconds | ~3 seconds | Minimal |
| Document summarization | ~35 seconds | ~5 seconds | Minimal |
| Complex reasoning chain | ~90 seconds | ~15 seconds | Noticeable |
| Image generation (1024px) | ~10 seconds | ~3 seconds (DALL-E 3) | Cloud better |
| Speech-to-text (10 min audio) | ~10 minutes | ~30 seconds | Minimal |
| TTS (1 min audio) | ~25 seconds | ~5 seconds | Cloud marginally better |

Speed is the honest limitation. For tasks where I'm in an interactive loop — asking a question, reading the answer, refining — 20 seconds per response is fine. For anything where I need rapid iteration, cloud is still faster.

## What Doesn't Work Well

**Vision tasks.** I haven't found a local vision model that competes with Claude's image understanding for technical diagrams and screenshots. LLaVA and the various Llama vision variants are decent for photos but poor for code screenshots and system diagrams.

**Very long context.** Llama 3.1 70B supports a 128K context window, but filling it locally hits memory limits. At ~80K tokens, generation speed drops noticeably as the KV cache fills unified memory. Cloud models handle full context windows more gracefully.

**Function calling reliability.** Tool use / function calling with local Llama models is less reliable than GPT-4 or Claude. The models don't always follow the JSON schema correctly, and the error recovery is worse. For any automated pipeline that depends on structured output, I still route to cloud models.

**Multimodal workflows.** Chaining text → image → audio on local models works, but the latency chain adds up. A workflow that takes 2 minutes on local models takes 15 seconds with cloud APIs. For automated pipelines, the latency difference matters.

## The Honest Verdict

Local AI on M1 Max is genuinely useful, not just a technical demonstration. It covers probably 60–70% of my AI workflow at zero marginal cost. The remaining 30–40% goes to cloud models for tasks where speed, vision quality, or function calling reliability matter.

The investment pays off at a specific usage intensity. If you're spending ₹20,000+/month on AI APIs and doing the kind of development work where privacy and offline operation have value, the hardware cost amortizes in a few months. If you're an occasional AI user, managed services are the right answer.

The thing that surprised me most: it's changed how I think about AI features in the things I build. When inference is free, you instrument everything. I've added AI-powered features to internal tools that I would never have added if they had per-request costs. The marginal cost changing from some to zero is a genuine product design shift, not just a cost optimization.

The other thing: the local stack has made me better at understanding what the models are actually doing. When you own the inference, you see the parameters, the quantization choices, the memory usage, the temperature effects in real time. It's the same lesson as self-hosting mail infrastructure — understanding the thing you depend on makes you better at using it.

## TIL: Rust Lifetime Elision Rules

**Date:** 2026-04-02
**Tags:** rust, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-rust-lifetime-elision

The three rules Rust uses to infer lifetimes automatically, so you understand when you need to annotate and when the compiler handles it for you.

Rust has explicit lifetime syntax (`'a`, `'b`) but you don't write it most of the time. The compiler applies three elision rules in order and only forces you to annotate when it can't figure it out.

## The three rules

**Rule 1:** Each parameter that is a reference gets its own lifetime.

```rust
fn foo(x: &str, y: &str)
// becomes:
fn foo<'a, 'b>(x: &'a str, y: &'b str)
```

**Rule 2:** If there's exactly one input lifetime, it's assigned to all output lifetimes.

```rust
fn first_word(s: &str) -> &str
// becomes:
fn first_word<'a>(s: &'a str) -> &'a str
```

This is why `first_word` compiles without annotations — rule 2 handles it.

**Rule 3:** If there's a `&self` or `&mut self` parameter, its lifetime is assigned to all output lifetimes.

```rust
impl Config {
    fn description(&self) -> &str {
        &self.desc
    }
}
// The returned &str has the same lifetime as &self — compiler knows this.
```

## When you must annotate

If none of the three rules produce an unambiguous result, you annotate.

```rust
// Two input references, no &self — rule 2 doesn't apply, ambiguous output
fn longer<'a>(x: &'a str, y: &'a str) -> &'a str {
    if x.len() > y.len() { x } else { y }
}
```

The annotation `'a` here says: the returned reference lives at least as long as the shorter of `x` and `y`. The compiler can't infer this from the rules alone.

## The practical takeaway

If you're writing a function that returns a reference and the compiler complains, ask: does the returned reference come from `self`, from one specific input, or is it ambiguous? If ambiguous, annotate. The annotation isn't for the compiler's benefit — it's a contract you're making explicit.

## TIL: inotify on Linux vs FSEvents on macOS

**Date:** 2026-03-28
**Tags:** linux, macos, infrastructure, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-linux-inotify-fsevent

How file system event APIs differ between Linux and macOS, and why it matters for cross-platform tooling.

When building config-pilot's live reload feature, I needed file system events on both Linux and macOS. The two APIs are more different than I expected.

## Linux: inotify

inotify is a kernel subsystem that lets you watch files and directories for events.

```bash
# Verify inotify is available
cat /proc/sys/fs/inotify/max_user_watches
```

```rust
// In Rust, using the notify crate
use notify::{Watcher, RecursiveMode, watcher};

let (tx, rx) = std::sync::mpsc::channel();
let mut watcher = watcher(tx, Duration::from_millis(100)).unwrap();
watcher.watch("/etc/nginx/nginx.conf", RecursiveMode::NonRecursive).unwrap();
```

inotify is event-based and precise: you get specific events (`IN_MODIFY`, `IN_CLOSE_WRITE`, `IN_ATTRIB`). The limit on watched files is configurable via `/proc/sys/fs/inotify/max_user_watches`.

## macOS: FSEvents

FSEvents is a higher-level API that coalesces events. It's designed for watching directory trees, not individual files.

Key difference: FSEvents does **not** give you individual file-level events reliably. It tells you "something changed in this directory." You then have to stat the directory yourself to find what.

## The gotcha

`IN_CLOSE_WRITE` on Linux fires when a file is closed after being written — exactly what you want for config file changes. FSEvents doesn't have an equivalent. You get a directory change event and have to compare mtimes.

The `notify` crate in Rust abstracts this, but understanding the underlying APIs explains why the behavior sometimes differs on cross-platform tools. Live reload that works perfectly on Linux can miss events on macOS if you're not accounting for FSEvents' coalescing behavior.

**Practical fix:** on macOS, stat the watched path after every FSEvents callback and compare modification time. Don't assume the event itself tells you what changed.

## Building Mail Infrastructure for 20 Million Emails: What Nobody Tells You

**Date:** 2026-03-25
**Tags:** infrastructure, self-hosting, email, postfix
**Genre:** tech
**URL:** https://yourportfolio.example/blog/prachyam-mail-infra-deep-dive

The full story of building a self-hosted email stack across 12 domains and 6 servers at Prachyam Studios — the architecture, the hard lessons, and why I'd do it again.

In 2024, Prachyam Studios needed to send a lot of email. Not newsletter-scale email — marketing at genuine scale, to a user base that cared about the content. The budget for this was approximately nothing, because Prachyam was a volunteer-run operation and "spend ₹4L/month on a managed email service" was not an option.

So I built it from scratch. Postfix, Dovecot, DKIM, SPF, DMARC, Rspamd, 6 servers, 12 domains, IP warmup from zero. Over the next year we sent roughly 20 million emails. The deliverability held up. The cost was a few thousand rupees a month in VPS bills.

This is everything I learned, including the things I wish someone had told me before I started.

## Why Not Managed?

The managed email services — AWS SES, SendGrid, Postmark, Mailgun — are genuinely good products. I've used all of them. If you have the budget and don't want to learn the internals, they're the right choice.

For Prachyam, they weren't viable for two reasons.

**Cost.** At the volumes we needed, managed services price per-email in ways that add up fast. SES at $0.10/1000 emails sounds cheap until you're sending 20M emails and the bill is ₹1.7L. Multiply that by multiple campaigns per month.

**Control.** Deliverability is not a knob managed services expose to you. When Gmail starts deferring your emails, your options are "open a support ticket and wait" or "change your sending patterns and hope." When you own the stack, you can read the logs, adjust the retry schedule, tune the throttling per-domain, and understand exactly why a specific receiving server is rejecting you.

The second reason is the real one. I wanted to understand how email actually works, not just consume it as a service.

## The Architecture

Six VPS nodes across two providers, each running a purpose-specific role:

```
Node 1 (primary MX):     Postfix SMTP relay + Dovecot IMAP
Node 2 (backup MX):      Postfix with lower priority MX record
Node 3 (outbound relay): Postfix submission, dedicated for bulk send
Node 4 (filtering):      Rspamd + ClamAV, shared by all nodes
Node 5 (monitoring):     Graylog + custom dashboards
Node 6 (storage):        Mail archive, backups, DMARC report storage
```

The split between transactional mail (Node 1) and bulk marketing (Node 3) is critical. You never want your marketing IP reputation to affect your transactional mail deliverability. A single spam complaint about a newsletter should not delay a password reset email.

Each domain gets its own DKIM key. Each key is 2048-bit RSA. The keys live in `/etc/opendkim/keys/` on the outbound relay with permissions restricted to the `opendkim` user.

```bash
# Generate a key for a domain
opendkim-genkey -t -s mail -d prachyam.org
# Creates: mail.private (private key) and mail.txt (DNS record to publish)
```

## The DNS Stack

For each domain, you need six types of records. I wrote a generation script that outputs them all given a domain name:

```
MX:     @ → mail.prachyam.org (priority 10)
        @ → backup-mail.prachyam.org (priority 20)

A:      mail.prachyam.org → [Node 1 IP]
        backup-mail.prachyam.org → [Node 2 IP]

PTR:    [Node 1 IP] → mail.prachyam.org    (reverse DNS — critical)
        [Node 3 IP] → bulk.prachyam.org

SPF:    @ → "v=spf1 mx a ip4:[NODE3_IP] -all"
DKIM:   mail._domainkey → "v=DKIM1; k=rsa; p=[PUBLIC_KEY]"
DMARC:  _dmarc → "v=DMARC1; p=quarantine; rua=mailto:dmarc@prachyam.org; aspf=r; adkim=r"
```

The PTR record (reverse DNS) is the most commonly forgotten. It maps your IP address back to a hostname. Most hosting providers let you set it in their VPS control panel. Without a PTR record, many receiving servers will reject or heavily score your mail.

## IP Warmup: The Part Nobody Does Right

A fresh IP address has no reputation — which is treated as a bad reputation by large receiving servers. Gmail, Yahoo, Microsoft 365 all throttle or reject high-volume sending from unknown IPs.

The warmup process is a deliberate ramp over 4–6 weeks:

| Week | Daily Send Volume |
|------|-------------------|
| 1    | 200               |
| 2    | 1,000             |
| 3    | 5,000             |
| 4    | 20,000            |
| 5    | 100,000           |
| 6+   | Unrestricted      |

The numbers are approximate — the actual curve depends on engagement. If recipients are opening, clicking, and not marking as spam, you can accelerate. If you're seeing deferrals, slow down.

The critical rule: **send to your most engaged users first.** The warmup period is when receiving servers are forming their impression of your IP. Send to people who will open the email. High open rates and low complaint rates during warmup establish a positive reputation that carries forward.

I built a simple priority queue for warmup sends: users who had previously opened our emails went in the first tier, new subscribers in the second, cold addresses last.

## Monitoring Deliverability

You can't improve what you don't measure. I set up four monitoring sources:

**Postfix logs** — every delivery attempt, success, and failure, with reason codes:

```bash
# Watch live delivery attempts
tail -f /var/log/mail.log | grep -E "(sent|deferred|bounced)"

# Summarize deferral reasons
grep "deferred" /var/log/mail.log | \
  grep -oP "(?<=said: ).*" | \
  sort | uniq -c | sort -rn | head -20
```

**DMARC aggregate reports** — Gmail, Microsoft, and Yahoo send XML reports to the `rua` address in your DMARC record. These show per-IP DMARC pass/fail rates and which authentication mechanism is failing. I wrote a Rust parser that ingested these reports into a time-series database and visualized them in Grafana.

**Blacklist monitoring** — a cron job that checked each outbound IP against 15 common DNSBLs every 6 hours:

```bash
for DNSBL in zen.spamhaus.org bl.spamcop.net dnsbl.sorbs.net; do
  host "$REVERSED_IP.$DNSBL" && echo "LISTED on $DNSBL" || echo "Clean on $DNSBL"
done
```

**Feedback loops** — registering with Google Postmaster Tools, Microsoft SNDS (Smart Network Data Services), and Yahoo's FBL (Feedback Loop) program. These give you complaint rate data directly from the receiving provider. If your complaint rate exceeds 0.3% at Gmail, you're going to have deliverability problems regardless of your technical setup.

## The Hard Lessons

**Lesson 1: List hygiene matters more than technical setup.**

The best DKIM configuration in the world won't save you if you're sending to stale addresses or purchased lists. Bounces and spam complaints are what damages IP reputation. Technical authentication tells receiving servers *who* you are. Engagement history tells them *whether you should be trusted.*

We implemented a sunset policy: any subscriber who hadn't opened an email in 90 days went into a re-engagement campaign. If they didn't engage with that, they were unsubscribed. This felt painful initially — smaller list, lower raw send numbers. The deliverability improvement was immediate and significant.

**Lesson 2: The deferred queue is not an emergency.**

When emails start deferring, the instinct is to flush the queue aggressively. This is wrong. Rapid retries signal spam behavior and make the throttling worse. Postfix's default retry schedule — 5 minutes, then doubling up to `maximal_queue_lifetime` (5 days by default) — is conservative for good reason.

Only flush manually when the underlying problem is fixed. If emails are deferring because of an SPF misconfiguration, fix the SPF record first, then flush.

**Lesson 3: Test with mail-tester.com before any send.**

[mail-tester.com](https://www.mail-tester.com) gives you a spam score and a complete breakdown of what's configured correctly. It's free for 3 tests per day. I ran every new domain through it before sending a single email. A perfect 10/10 score doesn't guarantee deliverability, but anything below 8 will definitely cause problems.

**Lesson 4: Per-domain sending limits.**

Gmail throttles per-IP, but also has per-day limits for senders without established reputation. You don't get told what those limits are — you discover them via 421 deferral codes ("Try again later"). The solution is to spread sending across multiple IPs and pace sends throughout the day rather than blasting everything in one window.

**Lesson 5: SPF record `-all` vs `~all`.**

`-all` (hardfail) means any server not listed in your SPF record is definitively unauthorized. `~all` (softfail) means the same, but with a softer signal — receiving servers may accept it but mark it.

Start with `~all` during setup. Switch to `-all` once you're confident you've listed every legitimate sending source. A `-all` SPF record where you forgot to include a third-party service (like a transactional email service for password resets) will cause your own legitimate emails to fail SPF.

## DMARC Reporting in Rust

The DMARC aggregate report parser deserves its own mention because it was genuinely useful and surprisingly simple to build.

DMARC reports are ZIP-compressed XML files sent to your `rua` address. The schema is standardized ([RFC 7489](https://tools.ietf.org/html/rfc7489)). A report looks like:

```xml

    
      
    </date_range>
  </report_metadata>
  
      
      
        
        
      </policy_evaluated>
    </row>
  </record>
</feedback>
```

The Rust parser I wrote:
1. Watches the `dmarc-reports@` inbox via IMAP using the `imap` crate
2. Unzips and parses the XML using `quick-xml`
3. Writes per-IP DMARC results to a SQLite database
4. Grafana reads from SQLite to render the dashboard

Total code: about 400 lines. The dashboard showed, per day, which of our IPs had DMARC pass/fail rates and from which receiving organizations. When a new IP started failing DMARC alignment, we could see it within 24 hours and fix it before it became a deliverability problem.

## The Numbers

After a year of running this stack:

- **~20 million emails** sent (across all domains and campaigns)
- **99.2% delivery rate** to primary inbox on warmed IPs
- **12 domains** managed from a single Postfix + Dovecot instance
- **6 servers** — total VPS cost approximately ₹8,000/month
- **0 IP blacklistings** over the entire period
- **0 major deliverability incidents** that affected transactional mail

The equivalent managed service cost would have been somewhere between ₹80,000 and ₹2,00,000 per month depending on volume.

## Would I Do It Again?

Yes, but with different timing. Email infrastructure has a steep learning curve and takes weeks to stabilize. If you're under delivery pressure from day one, you'll make decisions under stress that create problems later.

The right time to build your own mail stack is before you need it at scale. Set it up when volume is low, let the IP reputation mature, fix the edge cases in a low-stakes environment. By the time you need to send at volume, the infrastructure is stable and you understand how it behaves.

The wrong time is when someone asks "when can we send the first campaign?" and you're still configuring DKIM.

The knowledge is valuable independent of whether you run email infrastructure again. Understanding how SPF, DKIM, and DMARC actually interact — not at the "I enabled them" level but at the "I know why they fail in specific ways" level — makes you better at debugging any system where authentication and trust are involved.

Email is the oldest production protocol most engineers have never had to understand. It's worth understanding.

## TIL: Tauri IPC — invoke() vs Commands vs Events

**Date:** 2026-03-22
**Tags:** rust, tauri, desktop, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-tauri-ipc-invoke

The three ways the frontend talks to the Rust backend in Tauri, when to use each, and the one gotcha that wasted an afternoon.

Tauri gives you three ways to communicate between the frontend (JS) and backend (Rust). They're not interchangeable.

## invoke() — synchronous-style RPC

The most common pattern. Frontend calls a Rust function and awaits the result.

```rust
// Rust backend
#[tauri::command]
fn get_config(key: String) -> Result<String, String> {
    std::env::var(&key).map_err(|e| e.to_string())
}

// Register it
tauri::Builder::default()
    .invoke_handler(tauri::generate_handler![get_config])
```

```ts
// Frontend
import { invoke } from "@tauri-apps/api/tauri";
const value = await invoke<string>("get_config", { key: "HOME" });
```

Good for: one-shot requests where you need a response. File reads, config lookups, one-time computations.

## Events — fire and forget, or backend-to-frontend push

```rust
// Backend emitting to frontend
app.emit_all("file-changed", Payload { path: "/etc/nginx.conf" }).unwrap();
```

```ts
// Frontend listening
import { listen } from "@tauri-apps/api/event";
await listen<{ path: string }>("file-changed", (event) => {
  console.log("Changed:", event.payload.path);
});
```

Good for: long-running background tasks, file watchers, progress updates. The backend pushes; the frontend reacts.

## The gotcha that cost me an afternoon

`invoke()` serializes arguments and return values through JSON. If your Rust struct has a field named `type` (a reserved word in JS/TS), the deserialization on the frontend silently fails.

```rust
// This causes silent deserialization failure on the JS side
#[derive(Serialize)]
struct FileEvent {
    path: String,
    type: String,  // "type" is reserved in JS
}
```

Rename to `event_type` or use `#[serde(rename = "eventType")]`. The error message from Tauri in this case is not helpful — it looks like the command succeeded but you get `undefined`.

## Which to use

- Need a response → `invoke()`
- Backend pushing updates → events
- Frontend notifying backend (fire and forget) → events from frontend
- Complex bidirectional → commands + events together; keep them separate by concern

## TIL: Nextcloud Chunked Upload via WebDAV

**Date:** 2026-03-18
**Tags:** self-hosting, nextcloud, infrastructure, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-nextcloud-chunked-upload

How Nextcloud handles large file uploads under the hood, and how to implement chunked uploads manually when the desktop client isn't an option.

Nextcloud uses a WebDAV extension called **TUS** (Tus Resumable Upload Protocol) internally, but for programmatic uploads the simplest approach is the Nextcloud Chunking API — available on any Nextcloud instance.

## The problem

Uploading files over ~1GB through a reverse proxy (Nginx, Caddy) will hit `client_max_body_size` limits. Chunked upload bypasses this by splitting into small pieces.

## How Nextcloud chunking works

1. Create a "upload session" directory on the WebDAV endpoint
2. `PUT` each chunk as a numbered file inside it
3. `MOVE` the session directory to the final destination — Nextcloud assembles the chunks

```bash
BASE="https://cloud.example.com/remote.php/dav"
USER="karanveer"
PASS="your-app-password"
FILE="large-archive.tar.gz"
CHUNK_SIZE=$((100 * 1024 * 1024))  # 100MB chunks

# 1. Create upload session
SESSION="$BASE/uploads/$USER/$(uuidgen)"

# 2. Split and upload each chunk
split -b $CHUNK_SIZE "$FILE" /tmp/chunk_
i=0
for chunk in /tmp/chunk_*; do
  printf -v idx "%010d" $i
  curl -u "$USER:$PASS" -T "$chunk" "$SESSION/$idx"
  ((i++))
done

# 3. Assemble
DEST="$BASE/files/$USER/backups/$FILE"
curl -u "$USER:$PASS" -X MOVE \
  -H "Destination: $DEST" \
  "$SESSION/.file"
```

## The Nginx config you need

```nginx
client_max_body_size 0;  # unlimited, let Nextcloud handle it
proxy_request_buffering off;
```

`proxy_request_buffering off` is critical for streaming chunks — without it Nginx buffers the entire chunk to disk before forwarding.

## rClone alternative

If you're syncing from another machine, rClone handles chunking automatically:

```bash
rclone copy /local/path nextcloud:backups/ \
  --transfers=4 \
  --drive-chunk-size=128M
```

rClone's Nextcloud backend uses WebDAV chunking internally. Set `--transfers` to how many parallel chunks you want — 4 is usually the sweet spot before you hit diminishing returns on a single connection.

## TIL: The RSC Client Boundary Is Not a File Boundary

**Date:** 2026-03-15
**Tags:** nextjs, react, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-nextjs-rsc-client-boundary

A common Next.js App Router misconception: 'use client' doesn't make a file client-only — it marks the boundary where the client tree starts.

When I first moved to Next.js App Router, I assumed `"use client"` meant "this file runs in the browser." It's more nuanced than that, and the distinction matters.

## What 'use client' actually means

`"use client"` marks the **boundary** between the server component tree and the client component tree. Everything in that file, and every module it imports, becomes part of the client bundle.

But here's what tripped me up: **you can pass server-rendered data across the boundary as props**.

```tsx
// app/page.tsx — SERVER component
import { ClientWidget } from "@/components/ClientWidget";

export default async function Page() {
  const data = await db.query.posts.findMany(); // runs on server
  return ;          // data serialized to client
}
```

```tsx
// components/ClientWidget.tsx
"use client";

export function ClientWidget({ posts }: { posts: Post[] }) {
  const [selected, setSelected] = useState(null); // client state
  return ...;
}
```

`data` is fetched on the server, serialized, and hydrated on the client. The server component has zero JS in the bundle. The client component has state and handlers.

## The gotcha

If you import a server-only module (like `drizzle-orm` or `fs`) inside a `"use client"` file, you'll get a build error — and rightly so. The boundary is strict.

But you can also compose in the other direction: server components can be **children** of client components via the `children` prop pattern.

```tsx
// This works — server tree passed as children to a client layout

```

This is how the portfolio's admin layout works: the outer shell is a client component (it has navigation state), but individual page content is server components that query the DB directly. No API routes needed.

## TIL: XState Final States and Done Events

**Date:** 2026-03-10
**Tags:** xstate, typescript, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-xstate-final-states

How XState's final states work, what done() events are, and the pattern for composing machines that signal completion to a parent.

XState has a concept called **final states** — states that, when entered, signal the machine is done. This matters most when composing machines: a parent machine can wait for a child machine to finish.

## Defining a final state

```ts
import { createMachine } from "xstate";

const checkoutMachine = createMachine({
  id: "checkout",
  initial: "cart",
  states: {
    cart: {
      on: { PROCEED: "payment" }
    },
    payment: {
      on: {
        SUCCESS: "confirmed",
        FAIL: "failed"
      }
    },
    confirmed: { type: "final" },  // machine is done
    failed: { type: "final" },     // machine is done (with error)
  }
});
```

When the machine enters `confirmed` or `failed`, it emits a `done` event automatically.

## The done event in a parent machine

```ts
const orderMachine = createMachine({
  id: "order",
  initial: "processing",
  states: {
    processing: {
      invoke: {
        src: checkoutMachine,
        onDone: {
          target: "complete",
          actions: (ctx, event) => console.log("checkout done:", event.data)
        },
        onError: "error"
      }
    },
    complete: { type: "final" },
    error: {}
  }
});
```

`onDone` fires when the invoked machine reaches any final state. `event.data` contains the context of the child machine at the time it finished.

## The hotel reservation pattern

I used this in a hotel management system I built. The reservation machine had final states for `confirmed`, `cancelled`, and `no_show`. The main booking flow invoked the reservation machine and used `onDone` to trigger the next step (invoice, room assignment, etc.) only after the reservation machine had definitively resolved.

Without final states, you'd use flags in shared context — which is just state management debt waiting to happen. Final states make termination explicit and composable.

## Gotcha: parallel states and final

A parallel state (multiple regions running simultaneously) finishes when **all** its regions enter a final state. This is useful for "wait for all validation steps to complete" patterns — each validation step is a region, and the parent waits for all of them.

## Architecting an OTT Platform for 8 Platforms in a Single Monorepo

**Date:** 2026-03-10
**Tags:** architecture, react-native, nextjs, monorepo
**Genre:** tech
**URL:** https://yourportfolio.example/blog/ott-monorepo-8-platforms

How I designed the code structure for a streaming platform targeting Next.js web, React Native iOS/Android, tvOS, Android TV, and Tauri desktop — shared business logic, platform-specific UI, one repo.

In 2024, Prachyam Studios needed a streaming platform. Not a web app with a mobile site — a real OTT platform: dedicated iOS and Android apps, tvOS and Android TV variants, desktop apps for Windows, Mac, and Linux, and a web frontend. Eight platform targets from a single engineering team (which was mostly me).

The architecture question isn't "how do you build all these" — it's "how do you build all these without maintaining eight separate codebases that immediately diverge."

The answer was a monorepo with a strict shared/platform boundary.

## The Target Matrix

| Platform | Framework | Distribution |
|----------|-----------|--------------|
| Web | Next.js (App Router) | CDN |
| iOS | React Native | App Store |
| Android | React Native | Play Store |
| tvOS | React Native (TV) | App Store |
| Android TV | React Native (TV) | Play Store |
| macOS Desktop | Tauri | Direct download |
| Windows Desktop | Tauri | Direct download |
| Linux Desktop | Tauri | Direct download / AUR |

Eight targets. The goal: share as much as possible without compromising platform-specific behavior.

## The Core Principle: Separate What Changes From What Doesn't

Business logic doesn't know what platform it's running on. Whether you're checking if a user is subscribed, calculating playback resume position, or filtering a content catalog, the logic is identical on all eight platforms. It's a pure function of state — input in, output out.

UI *does* know what platform it's running on. A navigation gesture that makes sense on mobile is wrong on TV. A sidebar layout that works on desktop is wrong on phone. The tvOS remote control requires a completely different focus model than touch or mouse.

The monorepo structure enforces this separation:

```
apps/
  web/          → Next.js app
  mobile/       → React Native (iOS + Android)
  tv/           → React Native TV (tvOS + Android TV)
  desktop/      → Tauri (macOS + Windows + Linux)

packages/
  core/         → Business logic, API clients, state management
  ui/           → Shared primitive components (design tokens, icons)
  media/        → Playback logic, DRM, subtitle handling
  auth/         → Authentication flows
  analytics/    → Event tracking (platform-agnostic)
  config/       → Shared configuration, feature flags
```

The rule: anything in `packages/` has no platform-specific imports. It can't import from React Native, can't import browser APIs, can't assume a DOM exists. It's pure TypeScript — data transformations, state machines, API calls, utility functions.

Platform apps in `apps/` import from `packages/` freely but `packages/` never imports from `apps/`.

## The packages/core Layer

This is where the real work lives. `packages/core` is a TypeScript library containing:

**API client** — wraps every backend endpoint with typed responses. All eight platforms call the same functions.

```ts
// packages/core/src/api/content.ts
export async function getCatalog(params: CatalogParams): Promise<CatalogResponse> {
  return apiClient.get("/v1/catalog", { params });
}

export async function getEpisode(id: string): Promise<Episode> {
  return apiClient.get(`/v1/episodes/${id}`);
}
```

**State machines** — XState machines for flows that have complex state: playback (buffering, playing, paused, error, ended), authentication (unauthenticated, authenticating, authenticated, token-expired), subscription (free, trialing, active, lapsed).

```ts
// packages/core/src/machines/playback.ts
export const playbackMachine = createMachine({
  id: "playback",
  initial: "idle",
  states: {
    idle: { on: { LOAD: "loading" } },
    loading: {
      on: {
        LOADED: "ready",
        ERROR: "error",
      }
    },
    ready: { on: { PLAY: "playing" } },
    playing: {
      on: {
        PAUSE: "paused",
        END: "ended",
        BUFFER: "buffering",
        ERROR: "error",
      }
    },
    paused: { on: { PLAY: "playing" } },
    buffering: { on: { RESUME: "playing", ERROR: "error" } },
    ended: { type: "final" },
    error: { on: { RETRY: "loading" } },
  }
});
```

This machine runs identically on web, mobile, TV, and desktop. The platform-specific part is only how you respond to state transitions — what gesture triggers PLAY, how buffering is visually indicated, where the error UI renders.

**Analytics** — a thin abstraction layer that records events platform-agnostically:

```ts
// packages/analytics/src/index.ts
export function trackPlay(episodeId: string, position: number) {
  analytics.record("episode.play", { episodeId, position, timestamp: Date.now() });
}
```

Each platform provides the concrete `analytics` implementation — Firebase for mobile, a custom endpoint for web. The call site in `packages/core` doesn't know which.

## React Native to TV: Less Different Than You'd Think

The tvOS and Android TV apps in `apps/tv/` share most of their code with `apps/mobile/`. The key differences:

**Focus management.** TV apps navigate via remote control — up/down/left/right/select. You need a focus model that tracks which UI element is "active" and moves focus in response to D-pad events. React Native TV provides `Touchable` components that automatically handle focus, but you need to design your layouts so focus movement is predictable.

**Layout.** TV screens are landscape-only, viewed from 3–4 meters, running at 1080p or 4K. Text sizes that work on mobile (14–16px) are unreadable on TV. Font sizes need to be 24px+ for comfortable viewing distance.

**Gestures vs remote.** Swipe gestures don't exist on TV. Every interaction must work with a 5-button remote (up, down, left, right, select). Modals that require swipe-to-dismiss need an alternative dismiss mechanism.

The actual code split between mobile and TV ended up being about 30% TV-specific, 70% shared through `packages/`. Most of the TV-specific code is layout and focus management — the content, API calls, state machines, and business logic are all shared.

## Tauri Desktop: The Outsider

The desktop apps in `apps/desktop/` are structurally different from the React Native apps — they're Tauri applications with a web frontend (SvelteKit) and a Rust backend.

The web frontend can import from `packages/core`, `packages/ui`, and `packages/analytics` because those packages produce standard JavaScript that works in a browser context. The Rust backend is desktop-specific — it handles file system access, native notifications, system keychain (for credential storage), and media key handling (play/pause/skip on the physical keyboard).

The DRM handling is the hardest platform-specific piece. Web and desktop have Widevine via EME (Encrypted Media Extensions). iOS has FairPlay. Android has Widevine but at a different level. The `packages/media` package abstracts over these with a `DRMProvider` interface:

```ts
// packages/media/src/drm.ts
export interface DRMProvider {
  acquireLicense(contentId: string): Promise<License>;
  releaseLicense(contentId: string): Promise<void>;
}
```

Each platform provides its own implementation of `DRMProvider`. The playback logic calls `DRMProvider` methods without knowing which DRM system it's talking to.

## The Shared Component Question

The temptation in a cross-platform monorepo is to maximize shared UI components. In practice, this doesn't work as well as you'd hope.

Buttons, inputs, and simple primitives translate reasonably well. `packages/ui` has a small set of these — basic interactive elements with consistent styling via design tokens.

Content-heavy components don't translate. A video card that looks right on web (hover state, mouse-accessible, certain font sizes) looks wrong on mobile (no hover, touch targets need to be larger, different information density) and wrong on TV (needs to handle focus state, larger text, remote-compatible). Trying to make one component handle all three contexts produces a mess of platform conditionals that's harder to maintain than three separate components.

The pragmatic split: share design tokens (colors, typography scale, spacing) and utilities (formatters, validators) universally. Share simple primitives (icon components, basic buttons) across mobile and web. Write TV and desktop UI components from scratch using the design tokens.

## Build and CI

The monorepo uses Turborepo for build orchestration. The `turbo.json` dependency graph means building `apps/web` automatically builds `packages/core` first, in the right order.

```json
{
  "pipeline": {
    "build": {
      "dependsOn": ["^build"],
      "outputs": [".next/**", "dist/**"]
    },
    "test": {
      "dependsOn": ["^build"]
    }
  }
}
```

CI runs on every PR with matrix builds:
- Type checking across all packages
- Unit tests on `packages/` (no platform dependencies)
- Integration tests for web (Playwright)
- Native builds for mobile (GitHub Actions macOS runner for iOS)

The expensive part: iOS builds require macOS runners, which are 5–10x more expensive than Linux runners on GitHub Actions. The solution: run iOS builds only on main branch merges, not on every PR. PRs get type checking and web tests; full native builds happen post-merge.

## What I'd Do Differently

**Start with the core package, not the apps.** I started by building the web app and then extracting shared logic into `packages/core` as I added platforms. The extraction process was painful — lots of dependency untangling. Starting with `packages/core` as a pure TypeScript library with no platform assumptions, and then building the apps on top of it, would have been cleaner.

**Separate API versioning from app versioning.** Native apps on App Store and Play Store have forced update lags — a user on version 1.2 may be calling your API for months while you're deploying version 1.5 to web. The API layer in `packages/core` should be versioned independently and backward compatible in ways that web doesn't require.

**Don't share TV and mobile navigation too early.** I tried to share navigation structure between `apps/mobile/` and `apps/tv/`. The mental model for TV navigation (focus-based, hierarchical, limited depth) is different enough from mobile navigation (stack-based, gesture-driven) that the shared code became a constant source of edge cases. They should have been separate from the start.

## The Outcome

The architecture held. When we added Android TV support after initially shipping tvOS, the incremental work was mostly the Android-specific build configuration and platform-level focus management. The content catalog, API integration, playback state, and most UI components came from `apps/tv/` for free.

The monorepo discipline — strict package boundaries, pure `packages/core`, no platform assumptions leaking upward — is what made that possible. In a fragmented multi-repo setup, adding a new platform would have meant forking from an existing platform and immediately diverging. In the monorepo, adding a platform is principally a UI and build problem. The business logic is already there.

That separation — business logic vs UI, shared vs platform-specific — is the core idea. Everything else is implementation detail.

## TIL: git rerere — Reuse Recorded Resolution

**Date:** 2026-03-05
**Tags:** git, tools, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-git-rerere

git rerere remembers how you resolved a merge conflict and automatically applies the same resolution next time. Useful for long-lived feature branches.

`git rerere` (Reuse Recorded Resolution) is a feature most engineers don't know exists. It remembers how you resolved a merge conflict and automatically applies the same resolution the next time the same conflict appears.

## Enable it

```bash
git config --global rerere.enabled true
```

That's it. Once enabled, Git records conflict resolutions in `.git/rr-cache/`.

## When it helps

Long-lived feature branches that need to be repeatedly rebased or merged onto a changing main branch. Without rerere, you resolve the same conflicts every time. With rerere, Git remembers.

Specifically useful on this portfolio when I had a feature branch running parallel to main with changes to `globals.css` and `schema.ts` — files that were also being modified on main. After enabling rerere, I only had to resolve those conflicts once.

## What it looks like

```bash
# First conflict — resolve manually
git merge main
# ... fix conflicts ...
git add .
git commit  # rerere records the resolution

# Next time the same conflict appears (e.g., after another rebase)
git merge main
# Git says: "Resolved 'globals.css' using previous resolution."
# Conflict is already fixed
```

## Caveats

If you resolved a conflict incorrectly the first time, rerere will replay the wrong resolution. Run `git rerere forget <path>` to clear a recorded resolution for a specific file.

Also, rerere only works for exact conflict markers. If the surrounding context changes significantly, it won't match and you'll resolve manually again.

For a solo developer doing frequent rebases, it's a quiet quality-of-life improvement worth enabling globally.

## TIL: Drizzle Migrations Are Just SQL Files

**Date:** 2026-03-02
**Tags:** drizzle, postgres, typescript, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-drizzle-migrations-sql

What Drizzle's migration system actually generates, why that's better than magic ORM migrations, and how to handle the edge cases.

Drizzle's migration system generates plain SQL files. Not an abstraction layer, not a DSL — actual SQL you can read, audit, and edit.

```bash
bun drizzle-kit generate
# Creates: drizzle/0001_add_thoughts_table.sql
```

Open that file and you see:

```sql
CREATE TABLE IF NOT EXISTS "thoughts" (
  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
  "content" text NOT NULL,
  "mood" text,
  "tags" text[] DEFAULT '{}' NOT NULL,
  "published" boolean DEFAULT true NOT NULL,
  "created_at" timestamp with time zone DEFAULT now() NOT NULL
);
```

This is the entire migration. No magic. No hidden state beyond the `__drizzle_migrations` table that tracks what's been run.

## Run migrations

```ts
import { migrate } from "drizzle-orm/node-postgres/migrator";
await migrate(db, { migrationsFolder: "./drizzle" });
```

Or via CLI:

```bash
bun drizzle-kit migrate
```

## The edge case: renaming a column

Drizzle can't infer intent. If you rename `mood` to `feeling` in your schema, `drizzle-kit generate` sees a deleted column and a new column — and generates a migration that drops and recreates, losing data.

Fix: edit the generated SQL manually before running it.

```sql
-- Generated (wrong):
ALTER TABLE "thoughts" DROP COLUMN "mood";
ALTER TABLE "thoughts" ADD COLUMN "feeling" text;

-- Edit to (correct):
ALTER TABLE "thoughts" RENAME COLUMN "mood" TO "feeling";
```

Because migrations are plain SQL files, this edit is trivial. With magic ORM migration systems, you're at the mercy of their rename-detection heuristics.

## The journal file

Drizzle tracks applied migrations in `drizzle/meta/_journal.json`. Don't edit this manually unless you know exactly what you're doing — it's how the runner knows what's already applied.

If you need to revert a migration in development: delete the SQL file, delete its entry from `_journal.json`, and run `drizzle-kit generate` again. In production: write a new down-migration SQL file and apply it manually.

## TIL: Git Worktrees Let You Check Out Multiple Branches Simultaneously

**Date:** 2026-02-25
**Tags:** git, tools, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-git-worktrees

git worktree lets you have multiple working trees from one repo — no stashing, no switching, no friction.

`git worktree` lets you check out multiple branches from the same repository simultaneously, each in its own directory. No stashing, no branch switching, no losing your current working state.

## The basic command

```bash
# You're on main, working on something. A hotfix lands.
git worktree add ../portfolio-hotfix hotfix/navbar-crash

# Now you have two working trees:
# /portfolio          → main branch (current work untouched)
# /portfolio-hotfix   → hotfix/navbar-crash (clean checkout)
```

Go fix the hotfix, push it, then clean up:

```bash
cd ../portfolio-hotfix
# fix the bug, commit, push
cd ../portfolio
git worktree remove ../portfolio-hotfix
```

## List worktrees

```bash
git worktree list
# /Users/xczer/portfolio          abc1234 [main]
# /Users/xczer/portfolio-hotfix   def5678 [hotfix/navbar-crash]
```

## Why it's better than stashing

Stashing saves uncommitted changes but leaves your branch in a clean state — then you switch branches and switch back. With a messy mid-refactor working tree, stash → switch → fix → switch back → pop is friction.

Worktrees keep both states alive simultaneously. You don't need to remember to pop the stash. You don't risk a stash conflict. You just work in two directories.

## The real use case: long-running builds

On this portfolio I use worktrees when I want to run `bun run build` on a previous commit to bisect a regression while still editing files on the current branch. Without worktrees, you'd need two repo clones.

## One gotcha

You can't check out the same branch in two worktrees simultaneously. Each branch can only be active in one worktree at a time. Git enforces this — it prevents the confusion of two working trees diverging from the same branch tip.

## TIL: Docker Layer Cache Invalidation Is Sequential

**Date:** 2026-02-20
**Tags:** docker, infrastructure, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-docker-layer-cache

One changed line in a Dockerfile invalidates every layer after it. Ordering your Dockerfile with this in mind cuts rebuild times dramatically.

Docker layer caching is one of those things that seems obvious once you understand it, but wastes a lot of time before you do.

## The rule

Every instruction in a Dockerfile creates a layer. If a layer changes, **every subsequent layer is invalidated and must be rebuilt**.

## The bad ordering

```dockerfile
FROM node:20-alpine
WORKDIR /app
COPY . .                    # copies everything — changes constantly
RUN npm install             # always re-runs, even if package.json didn't change
RUN npm run build
```

Every time any source file changes, `npm install` re-runs. On a project with hundreds of dependencies, this is painful.

## The good ordering

```dockerfile
FROM node:20-alpine
WORKDIR /app
COPY package.json package-lock.json ./   # only these files
RUN npm install                           # only re-runs when package.json changes
COPY . .                                  # source files copied after deps
RUN npm run build
```

Now `npm install` only re-runs when `package.json` or `package-lock.json` changes. Source code changes only trigger the `COPY . .` and `npm run build` layers.

## The pattern

Order layers from **least frequently changing** to **most frequently changing**:

1. Base image
2. System dependencies (`apt-get install`)
3. Package manifest (`package.json`, `Cargo.toml`, `requirements.txt`)
4. Dependencies (`npm install`, `cargo fetch`, `pip install`)
5. Application source
6. Build step

This pattern cut rebuild times on the Mailcow monitoring container from ~4 minutes to under 30 seconds. Same image, different Dockerfile ordering.

## BuildKit parallel stages

With `DOCKER_BUILDKIT=1`, you can also use multi-stage builds where independent stages run in parallel. But fixing layer ordering should come first — it's simpler and often enough.

## TIL: DKIM, SPF, and DMARC Alignment Are Not the Same Thing

**Date:** 2026-02-15
**Tags:** email, infrastructure, self-hosting, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-dkim-spf-alignment

Passing SPF and DKIM doesn't mean DMARC passes. Alignment is a separate check — and missing it is why your authenticated emails still land in spam.

This cost me a week of debugging on the Prachyam mail setup. SPF passed. DKIM passed. Emails still landed in spam. The reason: DMARC alignment failure.

## What alignment means

DMARC doesn't just check that SPF and DKIM pass — it checks that they pass **for the right domain**.

Specifically, DMARC compares the domain in the email's `From:` header against:
- The domain in the SPF `Return-Path` (envelope sender)
- The domain in the DKIM `d=` tag

If neither matches the `From:` domain, DMARC fails — even if SPF and DKIM themselves are technically valid.

## The common failure mode

You're sending via a third-party service (Mailchimp, SendGrid, or in our case a shared relay). The relay signs with its own DKIM key (`d=sendgrid.net`) and sets its own `Return-Path`. Both pass authentication. But your `From:` header is `team@prachyam.org`. Neither the DKIM domain nor the SPF domain matches `prachyam.org`. **DMARC alignment fails.**

## Relaxed vs strict alignment

DMARC has two alignment modes, set in the `_dmarc` TXT record:

```
v=DMARC1; p=quarantine; aspf=r; adkim=r;
```

- `aspf=r` (relaxed): SPF domain just needs to share the organizational domain. `mail.prachyam.org` aligns with `prachyam.org`.
- `aspf=s` (strict): exact match required. `mail.prachyam.org` does NOT align with `prachyam.org`.
- Same logic for `adkim=r/s`.

Relaxed mode is almost always what you want for your own infrastructure.

## The fix for relay sending

Either:
1. Have the relay sign with your domain's DKIM key (you give them the private key — not great)
2. Set up a custom domain in the relay's settings so it signs with `d=prachyam.org`
3. Use your own mail server (Postfix) and control DKIM signing yourself — what we did

Option 3 is the only one that gives you full alignment control without trusting a third party with your private key.

## Quick check

```bash
# Send a test email to mail-tester.com and read the DMARC section
# Or check the Authentication-Results header in received emails:
# dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=prachyam.org
```

If you see `dmarc=fail` alongside `dkim=pass` and `spf=pass`, alignment is your problem.

## Why I Self-Host Everything (And What It's Actually Cost Me)

**Date:** 2026-02-10
**Tags:** self-hosting, infrastructure, opinion
**Genre:** philosophy
**URL:** https://yourportfolio.example/blog/self-hosting-philosophy

Self-hosting is not about being cheap or contrarian. It's about understanding your stack, owning your data, and building a certain kind of engineering judgment that you can't get any other way.

I self-host my email. My file storage. My AI inference. My monitoring stack. My password manager. My link aggregator. My DNS resolver. My VPN. My build servers.

When I tell people this, the first response is usually "that sounds like a lot of work." The second response, if they're engineers, is "why would you do that when [managed service] is right there?"

This post is my honest answer to both questions.

## What Self-Hosting Is Not

It's not about being cheap. SES would have been meaningfully cheaper than Postfix + Dovecot if you count engineering time. Backblaze B2 is cheaper than Nextcloud on a VPS if you're paying yourself market rate. Self-hosting is almost never the cheapest option when you count labor honestly.

It's not about privacy absolutism. I use Google Search, GitHub, and Cloudflare. I'm not trying to be off-grid. I use managed services when they're clearly the right tool.

It's not about being contrarian or signaling technical sophistication. The engineers I most respect use managed services strategically and build their own infrastructure strategically. The choice is contextual, not ideological.

## What Self-Hosting Actually Is

It's about a specific kind of knowledge that you can't get any other way: **knowing what's actually running underneath you**.

When I send email through SES, I know that *something* handles DKIM signing, *something* manages bounce handling, *something* maintains IP reputation. I don't know what. The abstraction hides it. That's fine for most use cases — it's the point of a managed service.

When I send email through Postfix, I know exactly what's happening. I know that Rspamd is scoring incoming mail and what score thresholds trigger what actions. I know that DKIM signing happens at the `opendkim` milter layer, and I know what the DKIM key rotation schedule is and where the keys live. I know why Gmail is deferring a specific batch of emails and what to do about it, because I can read the logs directly and I understand the protocol.

This isn't abstract knowledge. It surfaces in specific, practical ways:

When a user reports that our password reset email isn't arriving, I can trace the exact path of that email — from Postfix queue to delivery attempt to bounce processing — in under five minutes. With a managed service, I'd be reading dashboard summaries and opening support tickets.

When we need to add a new sending domain in a hurry, I can do it in fifteen minutes: generate the DKIM key, publish the DNS records, add the domain to the Postfix config, reload. I understand every step because I built it. With a managed service, I'd be navigating a web UI I use once a year and hoping the DNS propagation dashboard tells me when it's done.

When something breaks at 2am — and something always breaks at 2am — the knowledge is in my head. I can diagnose and fix it without waiting for a support queue.

## The Self-Hosting Inventory

Here's what I actually run, and why:

**Email (Postfix + Dovecot + Rspamd)**
Why: At the volumes Prachyam needed, managed email was prohibitively expensive. Self-hosting also forced me to understand email deliverability at a depth that made me significantly better at the whole domain.
Maintenance: ~2 hours/month. Most incidents are IP reputation issues that the monitoring stack catches early.

**File Storage (Nextcloud + rClone + pCloud)**
Why: 5TB of data that I need accessible from all devices and don't want stored in Google's data centers. pCloud gives me 2TB encrypted cold storage. Nextcloud gives me a sync client that works offline. rClone handles the backup sync.
Maintenance: ~30 minutes/month. Updates are infrequent and the stack is stable.

**AI Inference (Ollama + ComfyUI + Kokoro + Whisper)**
Why: Zero marginal cost on development-intensity AI usage. Privacy for code and documents. Offline operation. The setup cost was meaningful but the ongoing cost is zero.
Maintenance: Model updates as new versions release, ~1 hour/month.

**Password Manager (Vaultwarden)**
Why: Vaultwarden is the open-source Bitwarden server. Self-hosting means my password vault never touches a third-party server. The only threat model where this matters is "Bitwarden gets breached," which is low-probability but high-consequence.
Maintenance: ~15 minutes/month. It just runs.

**VPN (Tailscale)**
This one is technically not self-hosted — Tailscale's control plane is managed. But the VPN traffic itself routes directly between nodes via WireGuard, not through Tailscale's servers. I consider this the right trade: I trust Tailscale's control plane (they're a reputable company with a clear privacy model) while keeping the data path decentralized.

**Monitoring (Grafana + InfluxDB + custom exporters)**
Why: I need dashboards for my self-hosted services that work even when the internet is having a bad day. Managed monitoring (Datadog, New Relic) has its own latency and availability dependencies.
Maintenance: ~1 hour/month for dashboard updates as I add new services.

**DNS Resolver (Pi-hole + Unbound)**
Why: Ad blocking at the DNS level, across all devices on the network, without browser extensions. Unbound is a recursive resolver that queries DNS root servers directly rather than forwarding to 8.8.8.8.
Maintenance: Minimal. Allowlist updates occasionally.

## What It's Actually Cost

Being honest about this matters, because the self-hosting community has a tendency to undercount costs.

**Engineering time:** Setting everything up from scratch took roughly 200–300 hours over two years. That's not nothing. Some of it was billable time I could have spent on client work. Most of it was learning time that I valued.

**Ongoing maintenance:** Across all services, approximately 4–6 hours per month. Monitoring alerts, updates, incident investigation when something breaks.

**Mental overhead:** Self-hosted services have outages. Sometimes they're your fault, sometimes they're the VPS provider's fault. You're on call for your own infrastructure. I've been woken up by email queue alerts. I've debugged Nextcloud sync issues on evenings I'd rather have spent doing something else.

**Financial cost:** About ₹8,000–12,000 per month across all VPS nodes. Less than equivalent managed services for my use cases, but that's specific to my situation.

The honest summary: self-hosting costs more time and headspace than managed services. It saves money at certain scale points. The primary return is knowledge, not economics.

## The Knowledge That Doesn't Transfer Otherwise

This is the part I struggle to articulate to engineers who haven't done it.

There's a specific kind of systems knowledge that you only build by running systems. Not reading about them. Not using abstractions on top of them. Running them.

I know how IP reputation works because I built it from zero and watched it fail and recover. I know how Nginx proxy buffering affects WebDAV upload performance because I debugged it. I know how DMARC alignment fails in specific relay configurations because it failed for me and I had to fix it. I know how Docker layer caching interacts with Rust's compilation model because I wrote the Dockerfiles and watched the builds.

This isn't trivia. It's judgment. When I'm architecting a new system, the decisions I make are grounded in this concrete operational experience in ways that reading documentation or using managed services doesn't provide.

The engineers who have the most reliable instincts about systems are almost always people who have operated systems at some level — run their own servers, debugged real production incidents, handled the 2am pages. The abstraction layer that managed services provide is valuable for most things, but it does create a distance from the underlying system that accumulates over time.

## When Not to Self-Host

I want to be clear that this is not a universal recommendation.

Self-hosting is wrong when:
- The service is security-critical and you don't have the expertise to run it securely. Running your own authentication service is a higher-risk bet than using a managed auth provider.
- The operational cost exceeds the value. For most teams, self-hosting a database is the wrong call — managed databases (RDS, Supabase, PlanetScale) are genuinely excellent and the operational savings are real.
- You need the reliability guarantees that come with a managed service's engineering and SLA commitments. A startup whose core product is a database can offer better database reliability than almost anyone can achieve alone.
- You're doing it to signal technical sophistication rather than because it solves a real problem.

I self-host the things where I've done the calculation and decided the knowledge gain and control are worth the operational cost. I use managed services for everything else.

## The Philosophy, Distilled

The principle I try to apply: **know what's running under you, one level down.**

You don't have to operate every layer of the stack. But you should understand, at least conceptually, what the layer below your abstraction is doing. The engineer who uses Kubernetes without understanding container scheduling makes worse decisions than the one who understands it. The engineer who uses managed email without understanding SMTP and DNS authentication makes worse decisions when things break.

Self-hosting is one way to build that knowledge. It's not the only way. Reading deeply, contributing to open source infrastructure projects, or running things in a lab environment can build similar understanding.

But actually running it — being on call for it, fixing it when it breaks, watching its behavior under real load — builds the knowledge fastest and most durably.

That's why I self-host. Not because it's cheaper, not because it's easier, and not because it makes me look more technical. Because the knowledge I've built from running these systems is now part of how I think, and I can't imagine thinking without it.

## TIL: Multi-Stage Docker Builds for Rust Cut Image Size by 20x

**Date:** 2026-02-08
**Tags:** rust, docker, infrastructure, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-docker-multistage-rust

How to use Docker multi-stage builds to go from a 2GB Rust build image to a 12MB production image.

A naive Rust Dockerfile produces a ~2GB image because it includes the full Rust toolchain, cargo cache, and all build artifacts. You don't need any of that at runtime.

## The naive approach (don't do this)

```dockerfile
FROM rust:1.77
WORKDIR /app
COPY . .
RUN cargo build --release
CMD ["./target/release/my-app"]
# Image size: ~1.8GB
```

## Multi-stage build

```dockerfile
# Stage 1: build
FROM rust:1.77-slim as builder
WORKDIR /app

# Cache dependencies separately from source
COPY Cargo.toml Cargo.lock ./
RUN mkdir src && echo "fn main() {}" > src/main.rs
RUN cargo build --release
RUN rm src/main.rs

# Now copy real source and build
COPY src ./src
RUN touch src/main.rs && cargo build --release

# Stage 2: runtime
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y \
    ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /app/target/release/my-app /usr/local/bin/my-app
CMD ["my-app"]
# Image size: ~12MB
```

The `COPY --from=builder` instruction pulls only the compiled binary from the build stage. The Rust toolchain never touches the final image.

## The dependency caching trick

The two-step build (`echo "fn main(){}"` then overwrite) exploits Docker layer caching. Dependencies compile in a separate layer that only invalidates when `Cargo.toml` or `Cargo.lock` changes — not when you edit your source. On a project with 50+ dependencies, this saves 3-4 minutes per build when only source changes.

## Even smaller: use musl for static binaries

```dockerfile
FROM rust:1.77 as builder
RUN rustup target add x86_64-unknown-linux-musl
WORKDIR /app
COPY . .
RUN cargo build --release --target x86_64-unknown-linux-musl

# Use scratch (empty image) for fully static binary
FROM scratch
COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/my-app /my-app
CMD ["/my-app"]
# Image size: ~6MB (just the binary)
```

`scratch` is Docker's empty base image. This only works if your binary has zero dynamic library dependencies — musl linking ensures that.

Used this for the DMARC report parser I built at Prachyam. The container went from ~1.9GB to 8MB.

## TIL: PgBouncer Transaction Mode vs Session Mode

**Date:** 2026-01-28
**Tags:** postgres, infrastructure, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-pgbouncer-connection-pooling

The difference between PgBouncer's pooling modes, why transaction mode breaks prepared statements, and which to use for Next.js apps.

PgBouncer has three pooling modes. Picking the wrong one causes silent failures that are genuinely confusing to debug.

## The three modes

**Session mode:** One client gets one server connection for the duration of its session. Behaves identically to a direct Postgres connection. Least efficient — connection count reduction is minimal.

**Transaction mode:** A server connection is assigned only for the duration of a transaction. Between transactions, it goes back to the pool. Most efficient — this is usually what you want.

**Statement mode:** Server connection assigned per statement. Breaks anything that uses multi-statement transactions. Basically unusable for most apps.

## Why transaction mode breaks prepared statements

Postgres prepared statements are connection-local state. `PREPARE stmt AS SELECT ...` is valid only on the connection that ran it.

In transaction mode, consecutive transactions may land on different server connections. If your client prepares a statement on connection A and then tries to execute it on connection B (because A was returned to the pool), Postgres returns:

```
ERROR: prepared statement "s1" does not exist
```

## The Drizzle + PgBouncer fix

Drizzle ORM uses prepared statements by default. With PgBouncer in transaction mode, you need to disable them:

```ts
import { drizzle } from "drizzle-orm/node-postgres";
import { Pool } from "pg";

const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  // Tell pg not to use prepared statements
  statement_timeout: 30000,
});

// Disable prepared statements in the pg client
const db = drizzle(pool, { 
  logger: false,
  // Pass this to underlying pg: no prepared statements
});
```

Or use the connection string parameter:

```
postgresql://user:pass@pgbouncer:6432/mydb?options=-c%20statement_timeout%3D30000
```

Some drivers accept `?pgbouncer=true` which disables prepared statements automatically.

## What to use for Next.js + Postgres

Transaction mode, with prepared statements disabled at the driver level. You get proper connection pooling (100+ app instances sharing 10–20 Postgres connections) without the prepared statement issue.

This is the setup on TravelOre: PgBouncer in front of Postgres, Drizzle with `pg` driver, prepared statements off.

## TIL: Nginx upstream keepalive Cuts Latency on Internal Services

**Date:** 2026-01-20
**Tags:** nginx, infrastructure, performance, til
**Genre:** tech
**URL:** https://yourportfolio.example/blog/til-nginx-upstream-keepalive

Without keepalive on Nginx upstream blocks, every proxied request opens a new TCP connection to your backend. One directive fixes this.

By default, Nginx closes the connection to your upstream server after each request. For every proxied request: TCP handshake → request → response → TCP teardown. On internal services (same datacenter, low latency), this is still 1–2ms of overhead per request. At 1000 req/s, that's 1–2 seconds of pure TCP overhead per second.

## The fix

```nginx
upstream app_backend {
  server 127.0.0.1:3000;
  keepalive 32;  # maintain up to 32 idle connections to the backend
}

server {
  location / {
    proxy_pass http://app_backend;
    proxy_http_version 1.1;           # required for keepalive
    proxy_set_header Connection "";   # clear the Connection: close header
  }
}
```

`keepalive 32` tells Nginx to keep up to 32 idle connections open to the upstream. `proxy_http_version 1.1` is required — HTTP/1.0 doesn't support keepalive. `Connection ""` clears the header that would otherwise signal connection closure.

## How much it matters

On the Prachyam Nextcloud setup, adding upstream keepalive dropped median response time on the WebDAV API from ~18ms to ~11ms — a 38% reduction just from not doing the TCP handshake on every request.

For a low-traffic portfolio it's marginal. For any service handling real concurrency, it's meaningful.

## Verify it's working

```bash
# Watch Nginx's upstream connections
watch -n1 'ss -tnp | grep :3000'

# Without keepalive: connections appear and disappear on every request
# With keepalive: you see persistent ESTABLISHED connections between requests
```

## The tradeoff

More idle connections held open = more file descriptors. For a small internal service, `keepalive 8–16` is plenty. Don't set it to 1000 — you'll exhaust file descriptors before you benefit.

## How I Vibe Code: Building Software with AI as a Co-Pilot

**Date:** 2025-09-01
**Tags:** ai, developer-tools, workflow, opinion
**Genre:** tech
**URL:** https://yourportfolio.example/blog/vibe-coding

What 'vibe coding' actually means in practice — my AI toolkit, when it helps, when it hurts, and the meta angle of building this portfolio with Claude.

## What Vibe Coding Actually Means

"Vibe coding" gets thrown around a lot, usually by people who mean "I paste stuff into ChatGPT." That's not what I'm talking about.

Vibe coding, the way I practice it, is a flow state where AI is embedded deeply enough in your workflow that the boundary between thinking and implementing dissolves. You're not context-switching between "figure out the approach" and "write the code." You're doing both simultaneously, with an AI that has your codebase loaded and can execute on partial instructions.

It's pair programming where your partner never gets tired, never judges your half-formed ideas, and types at the speed of inference.

## My AI Toolkit

Here's the actual stack I use daily:

### Claude Code (Primary)

Claude Code is my main development environment for anything non-trivial. Terminal-based, full codebase awareness, tool use (file reads, edits, shell commands). When I say "refactor this module to use the repository pattern," it reads the existing code, understands the dependencies, makes the changes across files, and runs the tests.

The key insight: Claude Code isn't autocomplete. It's an agent that can reason about architecture. The difference matters.

### 23 MCP Servers

At Prachyam, I built 23 Model Context Protocol servers that give AI assistants access to specific capabilities:

- **Codebase Q&A** — Qdrant vector DB indexes the entire codebase. Ask "how does authentication work?" and get an answer grounded in your actual code, not generic documentation.
- **Deployment automation** — "Deploy the staging branch" triggers the actual CI/CD pipeline through the MCP interface.
- **Log analysis** — Pipe production logs through Claude and ask "what's causing the 500 errors in the auth service?"
- **Documentation generation** — Point at a module, get accurate docs that reflect the current implementation.
- **Code review** — Submit a diff, get architectural feedback and potential issues flagged.

The meta point: building these MCP servers *was* the proof of AI engineering skills. The tools I built to accelerate my own work are themselves portfolio pieces.

### The Setup

```
Editor:     NeoVim (with Copilot for inline suggestions)
Agent:      Claude Code (for complex multi-file tasks)
Search:     Qdrant-backed semantic search via MCP
Terminal:   Kitty + Tmux (multiplexed sessions)
Shortcuts:  Custom keybinds for common AI operations
```

## When AI Helps

**Boilerplate and patterns.** Setting up a new API route, creating a React component with the right hooks, writing Tailwind classes for a layout I can describe but don't want to type — AI handles this instantly and correctly 95% of the time.

**Cross-file refactors.** Renaming a concept across 20 files, migrating from one pattern to another, updating imports after a restructure. This is where AI agents shine — they understand the graph of dependencies and can apply changes consistently.

**Learning new libraries.** Instead of reading documentation page by page, I describe what I want to build and let AI write the initial implementation. Then I read *that* code and learn the library through a working example tailored to my use case.

**The "I know what I want but can't articulate the code" moment.** Sometimes you have a clear mental model but the translation to syntax is friction. AI bridges that gap. "Make the sidebar collapse on mobile with a slide animation and persist the state in localStorage" — done in seconds.

## When AI Hurts

**Subtle architectural mistakes.** AI will happily build you a solution that works today and creates tech debt tomorrow. It doesn't know your team's conventions, your scaling requirements, or the tradeoffs you've already considered and rejected. I've had Claude generate perfectly working code that violated an architectural decision I'd made for good reasons.

**False confidence.** AI-generated code passes linting, often passes tests, and looks professional. This makes it easy to merge without the deep scrutiny you'd give your own code. I've shipped AI-generated code that had edge cases I would have caught if I'd written it by hand — because writing it forces you to think through every branch.

**The Copilot reflex.** After months of heavy AI use, I noticed something uncomfortable: I was reaching for AI assistance before I'd even attempted the problem myself. Tab-completing solutions I could have written in the same time. The muscle that turns "I need to figure this out" into "let me think for five minutes" was atrophying.

I've since adopted a rule: **if I can solve it in under 10 minutes, I solve it myself.** AI is for leverage on hard problems, not a crutch for easy ones.

## The Meta Angle

This portfolio was built with heavy AI assistance. Every phase — from the design system to the 3D timeline to the terminal easter egg — involved Claude Code as a co-pilot. Here's what that actually looked like:

**What AI did well:** Generating Tailwind component structures, writing animation variants, setting up MDX pipelines, creating the initial data schemas, handling responsive breakpoints. Probably 70% of the raw code output came from AI.

**What I did:** Architecture decisions (microservices vs monolith, which animation library, how to structure the data layer), design direction (the "Digital Kshatriya" aesthetic, cultural motifs, color palette), content (every word of the case studies, blog posts, and bio), and quality control (reviewing every line of AI output, catching subtle bugs, ensuring consistency).

**The ratio that matters:** AI wrote most of the code, but I made all the decisions. The difference between "AI built this portfolio" and "I built this portfolio with AI" is the decision-making layer. The code is the easy part. Knowing *what* to build and *why* — that's the engineering.

## The Ethical Question

Does AI-assisted coding make you a better or worse engineer?

My honest answer: **both, simultaneously.** Better because you ship faster, explore more ideas, and tackle problems you wouldn't have attempted alone. Worse because the struggle of implementation is where deep understanding lives, and skipping that struggle means shallower knowledge.

The engineers who will thrive are the ones who use AI to *amplify* their existing skills, not *replace* the learning process. If you can't build it without AI, you can't debug it when AI gets it wrong. And AI *will* get it wrong — in production, at 2am, on the one edge case it didn't consider.

My approach: use AI aggressively for known patterns, use it cautiously for novel architecture, and never use it as a substitute for understanding.

## Practical Tips

If you want to set up a similar workflow:

1. **Start with Claude Code or Cursor.** Get comfortable with an AI agent that has codebase context, not just chat completions.
2. **Build custom tools.** MCP servers, shell scripts, prompt templates — invest in the infrastructure around AI, not just the AI itself.
3. **Review everything.** Treat AI output like a pull request from a capable but unfamiliar colleague. Read every line. Question every decision.
4. **Keep a "did AI get this right?" journal.** Track where AI saves you time and where it costs you time. You'll notice patterns — and you'll calibrate your trust appropriately.
5. **Maintain your fundamentals.** Spend time writing code from scratch. Do algorithmic problems. Build small projects without AI. Keep the muscle alive.

The best AI-assisted developers aren't the ones who use AI the most. They're the ones who know exactly when to use it and when to put it down.

## How I Beat Procrastination (And How It Almost Beat Me)

**Date:** 2025-08-15
**Tags:** productivity, personal, mental-health
**Genre:** philosophy
**URL:** https://yourportfolio.example/blog/beating-procrastination

Not productivity hacks — the real psychological battle of shipping code when your brain would rather do anything else.

## The Honest Version

Every productivity article starts with someone who figured it out. This one starts with someone who almost didn't.

Between ages 15 and 20, I had a Gold Medal in the International Informatics Olympiad, a custom keyboard layout, and a working Cloudflare plugin. I was the kid who was "going places." Then I spent five years going mostly nowhere.

I watched tutorials. I started projects and abandoned them on day three. I reorganized my Obsidian vault instead of writing code. I built elaborate development environments for apps that never shipped. I was the world's most productive procrastinator.

## The Anatomy of Productive Procrastination

The dangerous kind of procrastination isn't lying on the couch. It's doing work that *feels* productive but avoids the hard thing.

For me, it looked like:
- Configuring NeoVim for three days instead of building the feature
- Reading documentation for a framework I'd never actually use
- "Researching" how other people solved the problem instead of attempting it myself
- Building developer tools (dotfiles, shell scripts, automation) instead of the product

The cruelest part: productive procrastination is invisible. You end the day feeling busy. Your terminal history is full. Your commit graph is green. But the thing you were *supposed* to build hasn't moved an inch.

## What Actually Broke the Cycle

I wish I could point to a single moment or a life-changing book. I can't. It was slow, ugly, and involved a lot of false starts. But three things genuinely helped:

### 1. The Two-Minute Rule (Modified)

The original rule: if something takes less than two minutes, do it now. My modification: **start any task for exactly two minutes.** Open the file. Write the function signature. Write one test. Just two minutes.

The psychology works because starting is harder than continuing. Once you're in the file, once the context is loaded in your head, the activation energy drops. Most of my two-minute sessions turned into two-hour sessions. The ones that didn't? At least I'd written a function signature I could pick up tomorrow.

### 2. Building Something Hard

When I started writing Docsee in Rust, something shifted. Rust is unforgiving — it won't compile your code if you're being sloppy. There's no half-assing a Rust project.

That friction was actually helpful. The compiler yelling at me was more engaging than the silent, permissive emptiness of a blank TypeScript file. Rust's difficulty forced focus. I couldn't drift because the borrow checker demanded my full attention.

Counterintuitive lesson: **sometimes the cure for procrastination is making the work harder, not easier.** Easy work is easy to postpone. Hard work that engages your problem-solving brain is harder to put down.

### 3. Shrinking the Identity Gap

The version of me that procrastinated had an identity problem. I thought of myself as someone who *could* build great things, but I wasn't *currently* building great things. The gap between who I thought I was and what I was doing created anxiety, which created more procrastination.

What helped was lowering the bar. Instead of "I'm going to build a production-ready Docker management tool," I started with "I'm going to make a Rust binary that lists containers." That's it. Ship the smallest possible thing.

Each small ship closed the identity gap a little. After a few weeks, I wasn't procrastinating because I was genuinely excited about the next feature.

## My Current System

I won't pretend I've "solved" procrastination. But here's what my workday looks like when things are going well:

**Morning (first 90 minutes):** The hardest task. No email, no Slack, no social media. Whatever I'm most likely to postpone, that goes first. Cold start.

**Obsidian for task management:** I keep a daily note with three items maximum. Not ten, not twenty. Three things that would make the day a success. If I finish all three, great — I'm free to explore, refactor, or experiment. Most days I finish two.

**Pomodoro, loosely:** 45 minutes on, 10 minutes off. I don't time it precisely — I just notice when I'm drifting and take a deliberate break instead of pretending I'm still working.

**End of day:** I write tomorrow's three items before closing my laptop. This means I never start a morning wondering "what should I work on?" — the most dangerous question for a procrastinator.

## What I Still Procrastinate On

Writing. Documentation. Emails that require emotional nuance. Anything where the feedback loop is slow (blog posts don't give you green checkmarks like a compiler does).

This blog post? Started three times. Abandoned twice. Finished on the fourth attempt because I applied the two-minute rule to my own advice: I opened the file, wrote the frontmatter, and let the rest follow.

## The Uncomfortable Admission

I lost years. Real years that I could have spent building, contributing, growing. The version of me that won a gold medal at 15 would be disappointed in the version that coasted until 22.

But here's the thing I've made peace with: the version of me who coasted is the same version who built production infrastructure for 10,000 users, wrote a Docker tool in Rust, and managed 18 million emails. The procrastinator and the builder are the same person. One just shows up more often now.

If you're in the coasting phase, the only advice I have is this: lower the bar until you can clear it, then raise it by one inch. Repeat for the rest of your career.

## Why I Wrote a Docker Tool in Rust

**Date:** 2025-07-01
**Tags:** rust, docker, tauri, open-source
**Genre:** tech
**URL:** https://yourportfolio.example/blog/why-i-wrote-docsee-in-rust

Building Docsee — a cross-platform Docker management tool with a Tauri GUI and terminal TUI, and why Rust was the right choice.

## The Itch

I manage a lot of Docker containers. At Prachyam, we run Mailcow, NextCloud, Tailscale, and various microservices — all containerized. Docker Desktop is fine, but it's an Electron app that eats RAM for breakfast. And `docker ps` in the terminal gets old fast when you're juggling 30+ containers.

I wanted something fast, lightweight, and native. So I built Docsee.

## Why Rust?

Three reasons:

1. **Performance.** Docker operations should feel instant. Sub-50ms response times for container listing, starting, stopping — that was the bar.
2. **Cross-platform.** Tauri (Rust + web frontend) produces tiny native binaries. The Docsee desktop app is ~8MB vs Docker Desktop's ~500MB.
3. **I wanted to learn Rust properly.** Reading the book is one thing. Building a real tool with it is another.

## The Architecture

Docsee has two faces:

```
docsee/
├── docsee-core/     # Shared Rust library
│   ├── docker.rs    # Bollard client wrapper
│   ├── container.rs # Container operations
│   ├── image.rs     # Image management
│   └── system.rs    # System info, disk usage
├── docsee-tui/      # Terminal UI (Ratatui)
│   ├── app.rs       # TUI app state
│   ├── ui.rs        # Layout and rendering
│   └── handler.rs   # Key event handling
├── docsee-gui/      # Desktop GUI (Tauri + Svelte)
│   ├── src-tauri/   # Rust backend
│   └── src/         # Svelte frontend
```

The `docsee-core` crate is the shared brain. Both the TUI and GUI import it. This means container operations, error handling, and Docker API communication are written once.

## Bollard: The Docker SDK

Rust doesn't have an official Docker SDK, but [Bollard](https://github.com/fussybeaver/bollard) is excellent. It's async, well-typed, and covers the full Docker API:

```rust
use bollard::Docker;
use bollard::container::ListContainersOptions;

pub async fn list_containers(docker: &Docker) -> Result<Vec<ContainerInfo>> {
    let options = ListContainersOptions::<String> {
        all: true,
        ..Default::default()
    };

    let containers = docker.list_containers(Some(options)).await?;

    Ok(containers.into_iter().map(|c| ContainerInfo {
        id: c.id.unwrap_or_default(),
        name: c.names.unwrap_or_default().first()
            .map(|n| n.trim_start_matches('/').to_string())
            .unwrap_or_default(),
        state: c.state.unwrap_or_default(),
        status: c.status.unwrap_or_default(),
        image: c.image.unwrap_or_default(),
    }).collect())
}
```

## The TUI Experience

Ratatui makes terminal UIs surprisingly pleasant to build. The main loop is a standard event-driven pattern:

```rust
loop {
    terminal.draw(|frame| ui::render(frame, &app))?;

    if event::poll(Duration::from_millis(100))? {
        match event::read()? {
            Event::Key(key) => match key.code {
                KeyCode::Char('q') => break,
                KeyCode::Up => app.previous(),
                KeyCode::Down => app.next(),
                KeyCode::Enter => app.toggle_container().await?,
                KeyCode::Char('d') => app.delete_container().await?,
                KeyCode::Char('l') => app.view_logs().await?,
                _ => {}
            },
            _ => {}
        }
    }
}
```

The result is a snappy, keyboard-driven interface that shows container status, logs, stats, and lets you start/stop/delete with single keystrokes.

## Performance

The sub-50ms target? Here are the real numbers:

| Operation | Time |
|-----------|------|
| List containers | ~12ms |
| Start container | ~35ms |
| Stop container | ~28ms |
| Container logs (last 100 lines) | ~18ms |
| System info | ~8ms |

These are measured from command to display update. Rust's zero-cost abstractions and Bollard's efficient HTTP handling make this possible.

## What I Learned

**Rust's ownership model is a teacher.** It forced me to think about data lifetimes in ways that made me a better programmer in every other language too.

**Tauri is production-ready.** If you're building a desktop app in 2025 and reaching for Electron, reconsider. Tauri gives you native performance with web frontend flexibility.

**Build the tool you need.** Docsee started as a weekend project. It's now something I use daily. The best way to learn a language is to build something you'll actually use.

Docsee is [open source on GitHub](https://github.com/xczer/docsee). PRs welcome.

## How I Managed 18 Million Emails with Self-Hosted Mailcow

**Date:** 2025-06-01
**Tags:** infrastructure, self-hosting, docker, email
**Genre:** tech
**URL:** https://yourportfolio.example/blog/self-hosted-mailcow-18m-emails

Running a self-hosted email server across 12 domains for a media company — the architecture, challenges, and why I'd do it again.

## Why Self-Host Email?

When I joined Prachyam Studios as the primary technical hire, they were paying for Google Workspace across multiple domains. The costs were climbing fast — 12 domains, growing team, and the per-user-per-domain pricing model was bleeding money.

I proposed Mailcow: a Docker-based mail server with a full admin UI, anti-spam (Rspamd), antivirus (ClamAV), and DKIM/DMARC/SPF baked in. The savings were immediate and significant — lakhs annually.

## The Architecture

```yaml
# docker-compose excerpt
services:
  mailcow-dockerized:
    image: mailcow/mailcow-dockerized
    volumes:
      - ./data/conf:/opt/mailcow-dockerized/data/conf
      - ./data/store:/var/vmail
    ports:
      - "25:25"     # SMTP
      - "587:587"   # Submission
      - "993:993"   # IMAPS
      - "443:443"   # Web UI
```

The setup runs on a dedicated server with:
- **Mailcow** handling SMTP, IMAP, and the admin panel
- **Rspamd** for spam filtering with custom rules per domain
- **ClamAV** for attachment scanning
- **Nginx** reverse proxy with Let's Encrypt SSL
- **Automated backups** to a separate storage node via rsync

## Handling 12 Domains

Each domain gets its own set of DNS records — MX, SPF, DKIM, and DMARC. I automated the DNS provisioning with a script that generates the correct records for each new domain:

```bash
#!/bin/bash
DOMAIN=$1
DKIM_KEY=$(cat /opt/mailcow-dockerized/data/conf/rspamd/dkim/${DOMAIN}.pub)

echo "MX Record: @ -> mail.${DOMAIN} (priority 10)"
echo "SPF: v=spf1 mx a ip4:YOUR_IP -all"
echo "DKIM: dkim._domainkey -> ${DKIM_KEY}"
echo "DMARC: _dmarc -> v=DMARC1; p=quarantine; rua=mailto:admin@${DOMAIN}"
```

## The Numbers

After 2+ years of running this setup:
- **18M+ emails** processed (sent + received)
- **12 domains** managed from a single admin panel
- **99.9% uptime** — only downtime was planned maintenance
- **Zero** successful spam/phishing incidents that made it to inboxes
- **Significant cost savings** versus Google Workspace

## Lessons Learned

**Email deliverability is an art.** Getting IP reputation right took weeks. I had to:
1. Set up proper reverse DNS (PTR records)
2. Warm up the IP gradually — start with low volume
3. Monitor blacklists daily using external monitoring
4. Keep the Rspamd score thresholds tuned

**Backups are non-negotiable.** I run daily incremental backups with a 30-day retention. Lost email is lost business.

**Monitoring matters.** I set up alerts for queue length, disk space, and certificate expiry. Most issues were caught before they became problems.

## Would I Do It Again?

Absolutely. The control, cost savings, and learning were worth every hour. If you're comfortable with Docker and DNS, Mailcow is a solid choice for self-hosted email. Just respect the complexity — email is one of the oldest protocols on the internet, and it shows.

## Building for 12+ Platforms from a Single Codebase with Nx

**Date:** 2025-05-15
**Tags:** react-native, nx, architecture, typescript
**Genre:** tech
**URL:** https://yourportfolio.example/blog/nx-monorepo-12-platforms

How I architected an OTT streaming platform that ships to web, mobile, TV, and desktop from one Nx monorepo.

## The Problem

Prachyam Studios needed a streaming platform. Not just a web app — they needed apps for Android, iOS, Android TV, Apple TV, Roku, Fire TV, LG webOS, Samsung Tizen, and desktop. Oh, and a web app too. And an admin panel. And a content management system.

Building separate codebases for each platform? That's 12+ repos with duplicated business logic, diverging APIs, and a maintenance nightmare.

## Why Nx

Nx gives you a monorepo with intelligent build caching, dependency graph awareness, and the ability to share code across projects. Combined with React Native (for mobile/TV) and React (for web), it was the right tool.

```
apps/
  mobile/         # React Native (Android + iOS)
  tv-android/     # React Native for Android TV
  tv-apple/       # React Native for tvOS
  tv-roku/        # Roku (BrightScript, separate build)
  tv-fire/        # Fire TV (React Native fork)
  tv-lg/          # LG webOS (React-based)
  tv-samsung/     # Samsung Tizen (React-based)
  web/            # Next.js web app
  admin/          # Next.js admin panel
  desktop/        # Electron wrapper

libs/
  shared/
    api/          # API client, auth, types
    ui/           # Shared UI components
    hooks/        # Custom hooks (usePlayer, useAuth, etc.)
    utils/        # Helpers, formatters, validators
    constants/    # Config, feature flags
  platform/
    tv-navigation/ # TV-specific D-pad navigation
    mobile-gestures/ # Touch gesture handlers
```

## The Shared Layer

The key insight: **80% of the code is platform-agnostic**. Authentication, API calls, state management, business logic, types — all shared. Only the rendering layer and platform-specific features differ.

```typescript
// libs/shared/hooks/usePlayer.ts
export function usePlayer(contentId: string) {
  const [state, dispatch] = useReducer(playerReducer, initialState);
  const api = useApiClient();

  const play = useCallback(async () => {
    const stream = await api.getStream(contentId);
    dispatch({ type: 'PLAY', payload: stream });
  }, [contentId, api]);

  const pause = useCallback(() => {
    dispatch({ type: 'PAUSE' });
  }, []);

  return { ...state, play, pause };
}
```

This hook works everywhere — the platform-specific player component just wraps the native video implementation (ExoPlayer on Android, AVPlayer on iOS, etc.).

## TV Navigation

TV apps don't have touch or mouse — they have a D-pad (up, down, left, right, select). I built a shared navigation system:

```typescript
// libs/platform/tv-navigation/useFocusGrid.ts
export function useFocusGrid(rows: number, cols: number) {
  const [focused, setFocused] = useState({ row: 0, col: 0 });

  const handleKey = useCallback((direction: Direction) => {
    setFocused(prev => {
      switch (direction) {
        case 'up':    return { ...prev, row: Math.max(0, prev.row - 1) };
        case 'down':  return { ...prev, row: Math.min(rows - 1, prev.row + 1) };
        case 'left':  return { ...prev, col: Math.max(0, prev.col - 1) };
        case 'right': return { ...prev, col: Math.min(cols - 1, prev.col + 1) };
      }
    });
  }, [rows, cols]);

  return { focused, handleKey };
}
```

## Build Performance

Nx's computation cache was a game-changer. A full build of all 12 apps from scratch takes ~15 minutes. But with cache hits, pushing a change to the shared API layer and rebuilding all affected apps takes under 2 minutes.

```bash
# Only rebuilds what changed
npx nx affected --target=build

# Remote cache for CI (with Nx Cloud)
npx nx run-many --target=build --all --parallel=4
```

## Lessons Learned

1. **Invest in the shared layer early.** Every hour spent on shared code saves 12x later.
2. **Platform abstractions leak.** TV navigation, mobile gestures, and web interactions are fundamentally different. Don't over-abstract — let the platform layer breathe.
3. **Test the shared layer aggressively.** If `usePlayer` breaks, it breaks everywhere.
4. **Nx affected is your best friend.** It knows the dependency graph — trust it.

The monorepo approach isn't free, but for multi-platform products, the alternative is far more expensive.

## 23 MCP Servers: How I Built AI-Powered Developer Tooling

**Date:** 2025-04-20
**Tags:** ai, mcp, typescript, developer-tools
**Genre:** tech
**URL:** https://yourportfolio.example/blog/23-mcp-servers-ai-tooling

Building custom Model Context Protocol servers for semantic code search, automated workflows, and integrating AI into daily development.

## What is MCP?

The Model Context Protocol (MCP) is an open standard by Anthropic that lets AI assistants (like Claude) connect to external tools and data sources. Think of it as a plugin system for LLMs — each MCP server exposes tools that the AI can call.

I built 23 of them. Here's why, and what I learned.

## The Problem Space

As a one-person engineering team at Prachyam, I was responsible for everything: frontend, backend, infrastructure, email, CI/CD. Context-switching between codebases was constant. I needed AI assistance that understood our specific systems — not generic code completion, but tools that could query our Docker containers, search our codebase semantically, and automate routine operations.

## The Stack

```
mcp-servers/
├── code-search/        # Semantic search with Qdrant
├── docker-ops/         # Container management
├── git-analytics/      # Repo stats and history
├── mailcow-admin/      # Email domain management
├── nextcloud-files/    # File operations
├── deployment/         # CI/CD trigger and status
├── monitoring/         # Health checks and alerts
├── database/           # PostgreSQL query runner
├── redis-ops/          # Cache inspection/management
├── dns-manager/        # DNS record management
└── ... (13 more)
```

Each server is a TypeScript project using the MCP SDK:

```typescript
import { Server } from "@modelcontextprotocol/sdk/server/index.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";

const server = new Server({
  name: "docker-ops",
  version: "1.0.0",
}, {
  capabilities: { tools: {} },
});

server.setRequestHandler(ListToolsRequestSchema, async () => ({
  tools: [
    {
      name: "list_containers",
      description: "List all Docker containers with status",
      inputSchema: {
        type: "object",
        properties: {
          all: { type: "boolean", description: "Include stopped containers" },
        },
      },
    },
    {
      name: "container_logs",
      description: "Get recent logs for a container",
      inputSchema: {
        type: "object",
        properties: {
          name: { type: "string", description: "Container name" },
          lines: { type: "number", description: "Number of lines" },
        },
        required: ["name"],
      },
    },
  ],
}));
```

## Semantic Code Search with Qdrant

The most impactful server was the code search tool. Instead of grep, the AI could search semantically — "find where we handle authentication errors" would return relevant code even if the word "authentication" never appeared.

```typescript
// Embedding pipeline
async function indexCodebase(repoPath: string) {
  const files = await glob("**/*.{ts,tsx,rs,py}", { cwd: repoPath });

  for (const file of files) {
    const content = await readFile(join(repoPath, file), "utf-8");
    const chunks = splitIntoChunks(content, 512); // ~512 token chunks

    for (const chunk of chunks) {
      const embedding = await getEmbedding(chunk.text);
      await qdrant.upsert("code", {
        points: [{
          id: uuid(),
          vector: embedding,
          payload: {
            file,
            text: chunk.text,
            startLine: chunk.startLine,
            endLine: chunk.endLine,
          },
        }],
      });
    }
  }
}
```

The search tool then queries Qdrant with the user's natural language question:

```typescript
async function searchCode(query: string, limit = 5) {
  const queryVector = await getEmbedding(query);

  const results = await qdrant.search("code", {
    vector: queryVector,
    limit,
    with_payload: true,
  });

  return results.map(r => ({
    file: r.payload.file,
    lines: `${r.payload.startLine}-${r.payload.endLine}`,
    text: r.payload.text,
    score: r.score,
  }));
}
```

## Real-World Usage

Here's a typical workflow. I'm debugging a deployment issue and ask Claude:

> "Check if the mailcow container is running, then show me the last 50 lines of its logs"

Claude calls two MCP tools sequentially:
1. `docker-ops.list_containers` — confirms mailcow is running
2. `docker-ops.container_logs({ name: "mailcow", lines: 50 })` — fetches logs

No tab-switching, no copy-pasting. The AI has direct access to the same tools I'd use manually.

## What Worked

**Composability.** Because each server is a standalone process, I can mix and match. Claude can use the code search server alongside the Docker ops server to correlate code changes with container behavior.

**Type safety.** TypeScript + the MCP SDK's schema validation means tools are well-typed and self-documenting. The AI gets schema information to understand what parameters each tool accepts.

**Incremental adoption.** I started with 3 servers (code search, Docker, git). Each new one was built when I felt the pain of doing something manually too often.

## What I'd Do Differently

**Better error messages.** Early servers returned raw error objects. Now every tool returns human-readable errors that help the AI diagnose issues.

**Rate limiting from the start.** A few times, Claude got into a loop calling a database query tool repeatedly. Adding request limits per tool per minute solved this.

**Qdrant needs maintenance.** Vector indices grow. I now run a weekly re-index that prunes deleted files and updates changed ones, rather than only appending.

## The Meta Point

Building AI tooling is itself a signal. It shows you understand how to integrate AI into real workflows — not just chatbots, but tools that make engineering teams faster. These 23 servers are some of the most impactful code I've written, not because they're complex, but because they multiply my productivity every day.