Monolith to Service Architecture
Migrating from a monolithic architecture to microservices requires applying specific patterns rather than …
The latest programming news on architecture, summarized in Vietnamese by AI.
The article explains how to implement CQRS in Node.js/TypeScript in a simple way, without needing …
Instead of embedding data models in the components.schemas section of an OpenAPI document, the article proposes using standalone JSON Schema files, each with its own $id, in a schema/ directory. These schemas can be reused across multiple systems (validation, code generation, docs, data warehouse) without depending on OpenAPI. OpenAPI overlays adapt the base schema for a specific purpose (such as translating descriptions into German) without changing the core structure.
Developers should read this article to understand how to maximize reuse and manage data formats independently of OpenAPI, reducing dependence on specific API documents and extending reuse to many different tools.
A developer shares their experience of how the boundary between two modules, Catalog and Collaboration, in a modular monolith architecture gradually became irreversible as business requirements forced a move from asynchronous to synchronous communication, so that the modules effectively operated as a single unit even though the boundary still existed on paper. The article advises treating module boundaries as provisional, starting with fewer, larger modules and splitting them only when the split is clear, and prioritizing consistency requirements over intuition about the domain.
Developers should read this article to avoid the mistake of trying to keep modules independent in a monolith when they have in practice already been "merged" by synchronous consistency requirements, which makes the architecture hard to maintain and extend later.

AI-generated backend code often passes tests yet contains serious security vulnerabilities such as unbounded body size, wildcard CORS that allows credentials, fetch calls vulnerable to SSRF, and missing authentication. The solution is to invert the defaults so that the secure choice becomes the easy one. DaloyJS (the author's TypeScript framework) demonstrates secure-by-default patterns such as hard body limits, SSRF-resistant fetch, refusing to run with wildcard CORS in production, and preventing JWT algorithm confusion attacks. They also reduce supply-chain risk by eliminating runtime dependencies, using npm provenance and SBOMs, and blocking installation of new packages during their first 24 hours.
Developers should read this article to understand how to redesign secure defaults in the backend, from the vulnerabilities common in AI-generated code to solutions that turn security measures from hard to easy to apply.
Tracing helps detect latent problems early when changing a system by following the flow of data and events in a distributed environment. Popular libraries such as OpenTracing, OpenTelemetry, Zipkin and Jaeger support monitoring, while Digma provides immediate feedback during development.
Developers should read this article to understand how to use tracing to detect and avoid breaking changes in distributed systems, thereby reducing risk when updating or extending an application.
Unconventional AI, led by former Databricks AI chief Naveen Rao, has released Un0, an image-generation model built on a software simulation of a novel oscillator-based computing architecture. The company claims this architecture could reduce AI inference power consumption by up to 1,000x compared to conventional chips. Un0 performs comparably to state-of-the-art diffusion models like Stable Diffusion, serving as a proof-of-concept for the new architecture. The company plans to release actual chip schematics soon and eventually build a full inference stack, positioning itself as a compute provider running at a fraction of current energy costs.

Tim Düsterhus and Derick Rethans have proposed a new Time\Duration class for PHP 8.6 to represent stopwatch-style durations, primarily to improve the developer experience for timeout-related APIs including the new Polling API. The RFC is intentionally minimal, using a seconds+nanoseconds internal representation (similar to Rust's and Java's Duration). Community discussion covers design questions including: why the highest constructor unit is hours, the absence of an ISO 8601 serialization method (deferred to PHP 8.7), omission of floating-point total methods due to precision concerns, namespace choice (Time vs DateTime), and whether to use add/sub methods or a single variadic sum method. The authors also explain why they chose not to adopt the JavaScript Temporal API or the temporal_rs Rust library, citing PHP's semantic closeness to Java and the complexity of integrating Rust into the Zend Engine.
OpenAPI should be treated as the source of truth and primary unit of API governance, not a byproduct of code. Key principles include: keeping OpenAPI as the machine-readable contract everything else orbits, treating operation descriptions as high-signal governance checkpoints (a poorly described operation often signals poor design), using OpenAPI Overlays and extensions to avoid overloading the spec, and recognizing that AI agents now consume OpenAPI specs directly — making weak, under-described specs a more urgent liability than ever.
ABP is announcing a 3-day live online bootcamp focused on AI-assisted application development using the ABP framework and ABP Studio AI Agent. Running August 25-27, 2026, the bootcamp costs $399 and covers practical AI-assisted engineering workflows, including generating features and services while maintaining architectural consistency and code quality in .NET enterprise applications. It targets ABP developers, software engineers, and technical leaders who want to integrate AI tools into real-world development workflows without sacrificing maintainability.
The article gives detailed guidance on writing an effective Software Design Document (SDD) based on experience from Google and Microsoft, including when to write one, how much to invest, the important sections (goals, context, SLOs, monitoring, dependencies, security, logging, etc.), and a practical example of designing a caching layer. The document also covers how to roll out an SDD through a team review process.
Developers should read this article to understand how to build effective design documents, thereby avoiding risks during software development and improving project quality.
Valuing a software company requires more than revenue multiples — the codebase itself is a financial asset or liability. Seven key factors determine codebase value: code quality, technical debt, security risk, maintainability, architecture quality, dependency risk, and team dependency risk. A practical scoring framework weights these factors (code quality 25%, security 25%, technical debt 20%, maintainability 20%, scalability 10%) to produce a composite score. A simplified formula — Business Value × Code Quality Multiplier × Risk Multiplier — shows how hidden software risk directly reduces deal price. AI-generated code adds new valuation risks including hallucinated logic, insecure patterns, and licensing ambiguity. Common mistakes include ignoring technical debt, skipping technical due diligence, and overlooking AI code governance.

PostgreSQL 19 introduces SQL/PGQ support for property graphs, and this post dives into heterogeneous graphs with multiple vertex and edge types. Using a social+work dataset (persons, companies, knows, works_at), it demonstrates how to define a multi-label property graph and write GRAPH_TABLE queries spanning different node types. Key topics include: traversing mixed-type paths (person→person→company), a workaround for PostgreSQL 19's lack of comma-separated MATCH patterns (join two GRAPH_TABLE results instead), the pitfall of anonymous edge patterns in multi-label graphs (they match all edge types via an Append plan), and the current limitation around quantified path hops ({1,3} syntax not yet supported).
A reflective essay arguing that deep understanding of code and software systems is both practically powerful and intrinsically enjoyable. The author warns against over-reliance on LLMs and copy-paste solutions, which erode core skills over time. Key themes include the short- vs long-term productivity tradeoff of skipping understanding, the pitfalls of output-driven vs outcome-driven metrics, and the compounding value of mastering fundamentals (computer architecture, OS, algorithms, networks, distributed systems, etc.). The central argument: LLMs are force multipliers, but only if developers maintain strong foundational knowledge through active struggle and creation rather than passive consumption.

Amazon Neptune now supports AWS CloudFormation for provisioning and managing Neptune global databases via the new AWS::Neptune::GlobalCluster resource type. This enables teams to define multi-region graph database topologies as code, store configurations in source control, and integrate with CI/CD pipelines. Neptune global databases support a primary read-write cluster and up to five read-only secondary clusters across AWS regions, with low-latency replication. Use cases include cross-region low-latency reads, disaster recovery, data residency compliance, and high-availability graph deployments.
Part 2 of a series on enterprise AI agent architecture, covering three core capabilities beyond memory: planning, tool use, and reflection. Planning patterns (ReAct, Chain-of-Thought, Tree of Thought, Plan-and-Execute) are compared, with plan-and-execute recommended as the default for regulated enterprise workflows. Tool use is examined through the lens of narrow, strongly-typed contracts backed by parameterized PostgreSQL queries — with a strong warning against letting agents generate and execute arbitrary SQL. Reflection is framed as a structured rubric-based evaluation (not a vibe check), combining deterministic database checks with critic model evaluation, and always terminating in one of four outcomes: accept, revise, escalate, or abort. The post includes concrete PostgreSQL schemas, JSON tool contracts, SQL validation via information_schema, EXPLAIN-based pre-execution guardrails, and session-level safety controls. It closes by arguing that enterprise agent design is systems engineering, not prompt engineering.
Before writing any API governance rules, you should first map your entire API landscape by surveying every spec, protocol, gateway, and contract in your portfolio. This evidence-based approach lets you derive rules from actual patterns in use — like how APIs paginate or handle auth — rather than imposing external style guides that most existing APIs will immediately violate. Landscape mapping surfaces orphaned specs, unknown owners, and missing sources of truth, and it transforms governance from an opinion-imposing exercise into a fact-reporting one. Teams are far more receptive to rules grounded in their own portfolio's dominant patterns than to preferences imported from a conference talk.
A philosophical essay drawing parallels between Vedanta and Yoga principles and software development practices. It argues that code complexity mirrors the complexity of the developer's mind, using concepts like Maya (misreading reality as inevitable), Vairagya (non-attachment to one's own code), and Dharana (focused attention) to advocate for intentional simplicity. Practical takeaways include pausing before adding new abstractions, cultivating the courage to delete unnecessary code, protecting deep work conditions, and regularly asking 'what is actually necessary?' as a guiding question for both codebases and life.

Tim Düsterhus and Derick Rethans are proposing a new Time\Duration class for PHP 8.6 to represent stopwatch-style durations, primarily to improve the developer experience for timeout APIs and the new Polling API. The RFC is intentionally minimal, using a seconds+nanoseconds internal representation (similar to Rust's and Java's Duration). The mailing list discussion covers design decisions including: why the highest constructor unit is hours, the absence of ISO 8601 serialization (deferred to PHP 8.7), omission of floating-point total methods due to precision concerns, the choice of Time namespace over DateTime, and whether to use add/sub methods or a single variadic sum method. The proposal is positioned as the first step toward a modernized PHP date/time API.
Reactive Data Layer Architecture (RDLA) is a mobile-optimized pattern for Android that addresses shortcomings of MVP and Clean Architecture in reactive, offline-first apps. It enforces a strict split between public API contracts and private implementation modules, uses Kotlin Flow cold streams so the UI subscribes to data rather than polling, and treats the local Room database as the single source of truth. The article walks through a heart rate tracking example covering the API module, repository coordinator, Room data source, ViewModel with StateFlow/SharedFlow, asynchronous mutation queues merged on-the-fly, WorkManager-backed background sync, conflict resolution with rollbacks, and a TestExtensions pattern for Robolectric-based unit tests without SQLite mocking.
Flutter apps often outgrow their architecture before teams realize it. This guide covers how to structure large Flutter codebases for long-term maintainability by organizing around features rather than technical layers, separating presentation/domain/data concerns, scoping state ownership to individual features, isolating navigation logic, managing shared code carefully, and scaling dependency injection. Practical code examples using BLoC/Cubit illustrate each pattern, and production concerns like lazy initialization, observability, and feature flags are also addressed.
OpenAPI Overlays allow a single canonical API description to be presented in multiple languages without forking the contract. Using a Products API as a teaching example, the author demonstrates how locale-specific overlay files use JSONPath targeting to replace human-readable fields (summaries, descriptions, error messages) with translated text. Four language overlays (German, French, Italian, Dutch) each extend the same base OpenAPI document, keeping one source of truth while producing localized outputs on demand. The post also covers folder organization strategy and explains why overlays are preferable to copying and maintaining multiple spec files.

Tim Düsterhus and Derick Rethans have proposed a new Time\Duration class for PHP 8.6, targeting stopwatch/egg-timer style durations to improve developer experience for timeout APIs. The RFC is intentionally minimal, using a seconds+nanoseconds internal representation (similar to Rust's and Java's Duration). Key design decisions discussed include: the highest constructor unit being hours, omitting ISO 8601 serialization for now due to ambiguity, excluding floating-point total methods to avoid precision/rounding issues, using the Time namespace (aligned with Rust, Java, and Go conventions rather than JavaScript's Temporal), and accepting only ISO 8601 'Period' strings starting with 'PT'. Community feedback raised questions about adding getTotalSeconds(), using DateTime as the namespace, and whether to replace add/sub methods with a variadic sum() method.

A PHP internals mailing list thread discussing a proposed RFC to introduce a new Time\Duration class in PHP 8.6. The class is designed to represent stopwatch-style durations (not calendar periods) to improve developer experience for timeout APIs, particularly the new Polling API. The RFC proposes a minimal API using seconds+nanoseconds internal representation, similar to Rust's and Java's Duration types. Discussion covers design decisions including: why the highest constructor unit is hours, omission of ISO 8601 serialization (deferred to PHP 8.7), exclusion of floating-point methods due to precision concerns, namespace choice (Time vs DateTime), and whether to use add/sub methods or a single variadic sum method. The RFC is explicitly positioned as the first step toward a modernized PHP date/time API.
Part eleven of an event sourcing series explores how to handle consistency boundaries without relying on DDD aggregates or Dynamic Consistency Boundaries (DCBs). The author argues that the best approach depends on the actual problems at hand. Two alternatives are discussed: replacing concurrent designs with non-concurrent ones (e.g., a draft-registration phase processed by a single-threaded algorithm), and using Azure Service Bus sessions to serialize workday validation, eliminating race conditions within a consistency boundary. The post emphasizes solving real problems holistically rather than applying patterns preemptively, and shows how task-based UIs and small data models reduce the likelihood of concurrency conflicts in the first place.
AI-mediated APIs are reviving the old dream of service-oriented architecture (SOA) by replacing rigid, deterministic integrations with flexible, intent-driven middleware. Classic SOA failed due to the brittleness of SOAP, WSDL, and UDDI — any mismatch broke entire pipelines. Modern LLMs with function-calling capabilities can now act as dynamic orchestrators, reading API schemas, inferring missing parameters, and routing natural language intent to the right services. This 'SOA 2.0' trades deterministic brittleness for probabilistic flexibility, but introduces new challenges: latency from injecting LLMs into the critical path, non-determinism (hallucinations, inconsistent routing), and security concerns around function calling without proper guardrails. The author argues this shift is fundamentally remaking the web from a deterministic state machine into a probabilistic, semantically-driven network — mirroring the architecture of the neural networks powering it.
Bulletproof React is an architectural approach for React applications inspired by Alan Alickovic's open-source project. It centers on feature-based organization where all code related to a feature lives together, rather than grouping by file type. Key principles include: exposing only approved exports via public API index files, enforcing boundaries with ESLint rules, separating state by type (UI state in components, app state in Zustand, server state in TanStack Query, URL state in the browser), centralizing API communication in a dedicated layer, and treating security and performance as architectural concerns from day one. Testing uses Vitest, React Testing Library, Playwright, and MSW. The approach adds overhead and may be overkill for small projects, but pays dividends as codebases grow.

Tim Düsterhus and Derick Rethans have proposed a new Time\Duration class for PHP 8.6, targeting 'stopwatch' or 'egg-timer' style durations to improve developer experience for timeout APIs. The RFC is intentionally minimal, using a seconds + nanoseconds internal representation (similar to Rust's and Java's Duration). Key design decisions discussed include: the highest constructor unit being hours (Duration::fromHours()), omitting floating-point total methods to avoid precision/rounding issues, accepting ISO-8601 'Period' strings (PT-prefixed only) via fromIso8601String, and using the Time namespace (consistent with Rust's std::time, Java's java.time, and Go's time). Community feedback raised questions about ISO 8601 serialization, namespace choice (Time vs DateTime), and whether to use add/sub methods or a single variadic sum() method. The RFC is positioned as the first step in a modernized PHP date/time API, following the pattern of new namespaced APIs introduced in PHP 8.2 (random), 8.4 (DOM), and 8.5 (URI).
AI readiness goes beyond choosing smart models — it requires mature data, governance, and integration foundations. For APIs specifically, this means shifting from human-readable interfaces to machine-consumable ones that AI agents can reliably discover, call, and recover from. Traditional APIs fail in agentic systems due to poor documentation, inconsistent error handling, non-idempotent behavior, human-driven authentication, oversized payloads, and infrastructure fragility. To become AI-ready, APIs should adopt strongly typed OpenAPI schemas, concrete examples, structured JSON error objects, idempotent endpoints, strict pagination, and machine-friendly auth like OAuth 2.0 client credentials. These upgrades enable enterprises to scale agentic architectures safely without risking compliance failures, cost overruns, or security exposures.