DEV Community

Building in public, week 11: 143 pages indexed, a TinyPNG alternative in Rust

Serhii Kalyna — Sun, 31 May 2026 11:15:26 +0000

Week 11 of building Convertify a free image converter (Rust + Axum + libvips, Next.js SSG frontend) in public. Solo, no funding, 52-week run.

Here's the honest headline: **indexing jumped from 100 to 143 pages, I shipped image compression in Rust, and my clicks are still stuck.

What I shipped

1. Internal linking between blog and converter (the debt I kept dodging)

I launched a blog in week 10 (3 posts, full schema, the works) and immediately got 18 views/week on one post. Great except that traffic had nowhere to go. The blog talked about HEIC; it never pointed at the page that actually converts HEIC.

So week 11 I built a RelatedArticle component and wired it both ways:

Blog -> converter: inline contextual links in the body + a CTA block at the end.
Converter -> blog: a "Learn more" card driven by a related_blog_slug column on each page.

The component went through a small evolution. First version showed one article. Then I made it multi-article it pulls 2–3 related posts, matches them by topic via slug, caps at 3, and (the part that bit me) guards against the literal string "NULL" sneaking in from a missing DB value. Nothing fancy, but it closes the loop: informational traffic can finally flow to the transactional pages.

2. Image compression a free TinyPNG alternative, in Rust.

This was the fun one. TinyPNG does ~3M visits/month. That demand is enormous and I was leaving it on the table. libvips already gives me everything I need, so the backend was fast to stand up:

JPEG -> mozjpeg. libvips can hand JPEG encoding to mozjpeg, which does trellis quantization and smarter Huffman tables. Same visual quality, meaningfully smaller files than baseline libjpeg.
PNG -> imagequant. This is the same lossy-PNG approach pngquant (and TinyPNG) use: quantize a 24-bit PNG down to an optimized palette. Huge size drops on PNGs with limited color, transparency preserved.

The UX is a quality slider (1-100%) and a before/after size readout, so you actually see the reduction. I shipped three landing pages /compress-jpg, /compress-png, /compress-webp positioned as the free alternative.

The interesting signal: Compress JPG Free pulled 24 views in its first week, landing straight in my top pages. Different user intent than conversion (people converting a format vs people shrinking a file), and it showed up immediately. That alone made the cluster worth it.

3. Blog post #4

"Why HEIC Files Won't Open" published, 8 FAQs, FAQ schema embedded in the BlogPosting. Continuing the content momentum and feeding the new internal-linking machine.

Also did a cannibalization audit across blog + landing pages. Came back clean: intent is cleanly split (blog = informational, landing = transactional), so they're not fighting each other in search.

The numbers

Google Search Console (3 months):

Indexed: 100 -> 143 (+43, second-biggest jump ever)
Not indexed: 65 -> 39
Avg position: 40 -> 39.5

Google Analytics (7 days): 31 active users (+29%), 24 new (+33%), 52 sessions (+11%).

Traffic sources had a surprise: l.threads.com sent 13 sessions in a week Threads quietly became a real referrer. chatgpt.com has been a steady trickle for over a month now too (LLMs citing the blog posts).

Housekeeping wins

Cleared a stack of small debts that were quietly rotting: fixed the 404 source (broken internal links), cleared the redirect errors flagged in GSC, and consolidated my project docs into a single source-of-truth file instead of three drifting documents.

Next week (12)

Two new tools that are low-effort / high-ROI: resize + crop and background removal.
A compression-focused blog post to feed the new cluster.
The real work: on-page pushes on my top-impression pages to finally break something into the top 20.

If you've shipped a programmatic-SEO site and watched impressions climb while clicks flatlined I'd genuinely like to hear how (or whether) you broke out of it. That's the wall I'm at.

Convertify is built with Rust + libvips + Next.js. Following along week by week.

Python Programming for Beginners – Day 4

augustineowino357-design — Sun, 31 May 2026 11:14:36 +0000

Python Operators

In the previous lesson, we learned about Input and Output operations in Python. Today, we will learn about Operators, which are used to perform operations on variables and values.

Operators are important in programming because they help perform calculations, comparisons, logical decisions, and data manipulation.

What are Operators?

Operators are special symbols used to perform operations on operands (values or variables).

Example

x = 10
y = 5

print(x + y)

Output

In this example:

"+" is the operator
"x" and "y" are operands

Types of Operators in Python

Python provides several types of operators:

Arithmetic Operators
Assignment Operators
Comparison Operators
Logical Operators
Identity Operators
Membership Operators
Bitwise Operators

1. Arithmetic Operators

Arithmetic Operators are used for mathematical calculations.
Operator| Meaning| Example
"+"| Addition| "x + y"
"-"| Subtraction| "x - y"
""| Multiplication| "x * y"
"/"| Division| "x / y"
"%"| Modulus| "x % y"
""| Exponent| "x * y"
"//"| Floor Division| "x // y"

Example

x = 20
y = 3

print(x + y)
print(x - y)
print(x * y)
print(x / y)
print(x % y)
print(x ** y)
print(x // y)

Output

23
17
60
6.666666666666667
2
8000
6

2. Assignment Operators

Assignment Operators are used to assign values to variables.

Operator| Example
"="| "x = 5"
"+="| "x += 3"
"-="| "x -= 3"
"*="| "x *= 3"
"/="| "x /= 3"

Example

x = 10

x += 5

print(x)

Output

3. Comparison Operators

Comparison Operators compare two values and return either "True" or "False".

Example

x = 10
y = 20

print(x == y)
print(x != y)
print(x < y)

Output

False
True
True

4. Logical Operators

Logical Operators are used to combine conditions.

Operator| Meaning
"and"| Returns True if both conditions are True
"or"| Returns True if at least one condition is True
"not"| Reverses the result

Example

x = 5

print(x > 2 and x < 10)
print(x > 10 or x < 10)
print(not(x > 2))

Output

True
True
False

5. Identity Operators
Identity Operators compare memory locations of objects.

Operator| Meaning
"is"| Returns True if both variables are the same object
"is not"| Returns True if variables are not the same object

Example

x = [1, 2, 3]
y = x

print(x is y)

Output

True

6. Membership Operators

Membership Operators check whether a value exists in a sequence.

Operator| Meaning
"in"| Returns True if value exists
"not in"| Returns True if value does not exist

Example

python
languages = ["Python", "Java", "C++"]

print("Python" in languages)
print("PHP" not in languages)

Output

plaintext
True
True

7. Bitwise Operators

Bitwise Operators perform operations on binary numbers.

Operator| Meaning
"&"| AND
|
"^"| XOR
"~"| NOT
"<<"| Left Shift
">>"| Right Shift

Example

x = 5
y = 3

print(x & y)

Output

Operator Precedence

Python follows a specific order when evaluating expressions.

Example

result = 5 + 2 * 3

print(result)

Output

Multiplication happens before addition because it has higher precedence.

Why Operators are Important

Operators help programmers:

Perform calculations
Compare values
Make decisions
Build conditions
Manipulate data
Create dynamic programs

Without operators, programming logic would not work effectively.

Conclusion

Operators are essential building blocks in Python programming. They allow programs to perform mathematical calculations, comparisons, logical decisions, and many other operations.

Understanding operators is important because they are used in almost every Python program.

Practice using different operators to become more comfortable with Python expressions and logic.

Python #PythonForBeginners #CodingJourney #LearnPython #Programming

How I built a World Cup prediction app with 0 frameworks, 100% privacy, and hit #1 on ChatGPT

Aviatorpo — Sun, 31 May 2026 11:12:33 +0000

Every time a major football tournament comes around, my friends and I set up a prediction pool. But every single year, the experience is the exact same frustration: legacy apps forcing everyone to fill out long signup forms, verify emails, dodge annoying ads, or deal with bloated interfaces that lag on a mobile browser.

I didn't want my friends to jump through hoops just to submit a few match guesses. I wanted something fast, clean, and frictionless.

So, I sat down and built FriendlyBet ( https://friendlybet.live ).

It’s a completely free, open-source (MIT), privacy-first World Cup 2026 prediction platform. And to make it a true engineering challenge, I built it with zero frontend frameworks.

Today, it has over 200 active pools running, and OpenAI’s ChatGPT is already recommending it as the #1 tool for World Cup prediction pools! Here is how it works under the hood and why skipping the modern framework hype was the best decision I made.

🚀 The Core Philosophy: Zero Friction, Total Privacy

If you want sports fans (and casual users) to onboard into your app, every extra input field is an enemy. FriendlyBet has no signup forms, no email collection, and no phone verification.

Instead, users create or join a pool using a simple 5-character code. For authentication and recovery, the app generates a single 16-character plaintext key for the user, which is SHA-256 hashed and stored securely on the database. If they switch devices, they just paste their key. No passwords to forget, no data to leak.

🛠️ The Lean Tech Stack

I deliberately chose a hyper-lean stack to ensure the app loads instantly, runs completely offline-first, and costs next to nothing to maintain:

Frontend: Static HTML5 + Vanilla JavaScript + Pure CSS. No Webpack, no Vite, no Next.js, no compilation step.  

Database & Security: Supabase (PostgreSQL). By leveraging Row-Level Security (RLS), the client-side JavaScript communicates directly and safely with the database, removing the need for a dedicated middle-tier API server.  

The "Brain" (Automation): I don't run a persistent server for cron jobs. Instead, GitHub Actions scripts wake up on a scheduled cron, fetch live tournament data feeds, sync match statuses to Supabase, and trigger the leaderboard score calculations automatically.  

PWA Capability: Fully installable on iOS and Android with an offline-aware service worker caching the entire app infrastructure for instant boot times.

⚽ Smart Game Mechanics

Because this was built by a football fan for football fans, I wanted the gameplay to be deep and strategic, not just standard score guessing:

Full Tournament Journey: Users rank all 12 groups, build out their entire knockout tree (from the Round of 32 down to the Final), and predict the Golden Boot top scorer.  

The Underdog Multiplier: To reward bold strategies, teams are dynamically grouped by FIFA rankings. Successfully predicting a massive upset by an Underdog nets the player a ×2 score multiplier, shaking up the group leaderboards.

💡 What I Learned

Building a modern, highly interactive single-page application (SPA) in Vanilla JS in 2026 reminded me of how powerful the web platform actually is out of the box.

Without the overhead of virtual DOMs and massive node_modules bundles, the app size is negligible, rendering performance is butter-smooth on ancient mobile phones, and deployment to Vercel takes literally seconds.

If you're planning your friend group's tournament pool or just want to check out a framework-free, privacy-first codebase, feel free to dive in!

Live App: https://friendlybet.live



Source Code: GitHub Repository (MIT License)

I’d love to hear your thoughts on building serverless/frameworkless projects, or how you handle local state and routing in Vanilla JS! Let’s discuss in the comments.

What I Learned Building a Redis Clone in C++

Drishti Tripathi — Sun, 31 May 2026 11:05:41 +0000

What I Learned Building a Redis Clone in C++

A few weeks ago I was studying backend development from first principles. Not frameworks, not tutorials that skip the hard parts — actual fundamentals. How does data get stored? How does a server talk to a client? What even is a database at its core?

That's when I came across Redis for the first time.

I was reading about caching and kept seeing Redis mentioned everywhere. I looked it up and found out it's just a key-value store — you give it a key, it gives you back a value. Fast. Simple. Used by Twitter, GitHub, Snapchat.

And I thought: how hard can it be to build something like that?

Spoiler: harder than I expected. But I learned more from this one project than from weeks of reading.

Here's everything I built, everything I got wrong, and everything I learned.

What Is a Key-Value Store?

Before I get into the code, let me explain what I was even building.

A key-value store is the simplest possible database. Instead of tables and rows like SQL, it just stores pairs:

"name"  →  "Drishti"
"age"   →  "20"
"city"  →  "Delhi"

You store something with a key. You retrieve it with the same key. That's it. Redis is the most popular key-value store in the world and it's used everywhere — caching, session storage, rate limiting, pub/sub messaging.

My goal was to build a simplified version from scratch in C++ and compare it to the real thing.

The Plan

I gave myself a clear roadmap:

TCP server on port 6380
GET / SET / DELETE commands
LRU eviction (automatically remove old keys when store is full)
Disk persistence (data survives server restarts)
Benchmark against real Redis

Let me walk through each one.

Step 1: The TCP Server

The first thing I had to learn was how servers actually work at the socket level. I'd used HTTP APIs before but never thought about what happens underneath.

A socket is just an endpoint for communication. When you connect to a server, both sides get a socket and they use it to send and receive data over TCP.

Here's the core of my server:

SOCKET server_fd = socket(AF_INET, SOCK_STREAM, 0);

sockaddr_in address{};
address.sin_family = AF_INET;
address.sin_addr.s_addr = INADDR_ANY;
address.sin_port = htons(6380);

bind(server_fd, (sockaddr*)&address, sizeof(address));
listen(server_fd, 5);

while (true) {
    SOCKET client_fd = accept(server_fd, nullptr, nullptr);
    // handle client...
    closesocket(client_fd);
}

In plain English:

Create a socket
Bind it to port 6380
Listen for connections
In a loop — accept a client, handle them, close the connection

Why port 6380? Redis uses 6379. I wanted to run both simultaneously for benchmarking, so I picked the next port.

One thing that caught me off guard: on Windows you have to explicitly initialize the socket library with WSAStartup before using any socket functions. On Linux you don't need this. Small difference, but it tripped me up at first.

Step 2: Parsing Commands

Once the server could accept connections, I needed it to actually understand commands.

The client sends a raw string like "set name Drishti". My server receives it as a buffer of bytes. I needed to split it into tokens:

"set name Drishti"  →  ["set", "name", "Drishti"]

I wrote a parser that splits the string by spaces:

std::vector<std::string> Server::parse_command(const std::string& command) {
    std::vector<std::string> tokens;
    size_t start = 0, end = 0;
    while ((end = command.find(' ', start)) != std::string::npos) {
        tokens.push_back(command.substr(start, end - start));
        start = end + 1;
    }
    tokens.push_back(command.substr(start));
    return tokens;
}

Then handle each command based on tokens[0]:

if (cmd == "set")    → store[tokens[1]] = tokens[2]
if (cmd == "get")    → return store[tokens[1]]
if (cmd == "delete") → store.erase(tokens[1])

One bug I hit early: telnet sends \r\n at the end of each command. So tokens[2] would be "Drishti\r\n" instead of "Drishti". The fix was trimming trailing whitespace and newlines before parsing.

Step 3: LRU Eviction

This was the most interesting part to implement.

The problem: memory is finite. If clients keep adding keys forever, the store will eventually run out of memory. I needed a way to automatically remove old keys when the store gets full.

LRU — Least Recently Used — removes the key that hasn't been accessed in the longest time. The logic is simple: if you haven't used something recently, you probably don't need it.

Example with capacity 5:

set a 1   →  [a]
set b 2   →  [a, b]
set c 3   →  [a, b, c]
set d 4   →  [a, b, c, d]
set e 5   →  [a, b, c, d, e]  ← full!
get a     →  [b, c, d, e, a]  ← 'a' just used, moves to front
set f 6   →  evict 'b' (least recently used)
             [c, d, e, a, f]

The implementation uses two data structures together:

A doubly linked list tracks order of use. Most recently used is at the front, least recently used is at the back.

A hash map maps each key directly to its position in the list for O(1) lookup.

List: [f] <-> [a] <-> [e] <-> [d] <-> [c]
Map:  "a" → node, "f" → node, ...

Neither structure alone is enough. The list gives you order but lookup is O(n). The map gives you fast lookup but has no concept of order. Together they give you both in O(1).

Every GET or SET moves that key to the front of the list. When you need to evict, just remove from the back. That's it.

Step 4: Disk Persistence

Without persistence, all data disappears when the server restarts. Not great.

I implemented an Append-Only File (AOF) — the same strategy Redis uses. Every SET and DELETE gets logged to a file:

set a 1
set b 2
set c 3
delete b
set d 4

The file only ever gets appended to — never edited or rewritten. On startup, the server reads the file top to bottom and replays every command:

replay: set a 1    →  {a=1}
replay: set b 2    →  {a=1, b=2}
replay: set c 3    →  {a=1, b=2, c=3}
replay: delete b   →  {a=1, c=3}
replay: set d 4    →  {a=1, c=3, d=4}

Testing this felt satisfying. Set some keys, kill the server, restart it, get the same keys back. It works.

Step 5: Benchmarks vs Redis

The moment of truth. I installed Redis 7.0.15 on WSL and wrote a Python benchmark that sends 1000 SET and 1000 GET commands to both servers:

Operation	My KV Store	Redis 7.0.15
SET 1000 keys	3.55s (281 req/s)	3.19s (313 req/s)
GET 1000 keys	3.55s (281 req/s)	1.12s (892 req/s)

SET is almost equal — only 11% slower. Honestly didn't expect that.

GET has a 3x gap — Redis is significantly faster here.

But here's the thing: this comparison isn't entirely fair. And understanding why it isn't fair taught me more than the numbers themselves.

What the Numbers Don't Tell You

My benchmark script opens a new TCP connection for every single command:

connect → send "set a 1" → receive "OK" → disconnect
connect → send "get a"   → receive "1"  → disconnect

Every TCP connection requires a 3-way handshake (SYN, SYN-ACK, ACK). That's network overhead on every single request. Real Redis clients use persistent connections — one connection stays open and thousands of commands flow through it.

My store isn't slow because C++ is slow. It's slow because of connection overhead that has nothing to do with the actual KV logic.

This was one of the most valuable lessons from the project: benchmarks are only meaningful in context. The numbers matter less than understanding what the numbers are actually measuring.

Other Limitations (Being Honest)

Single-threaded: My server handles one request at a time. Redis uses event-driven I/O (epoll) to handle thousands of concurrent clients on a single thread. Production servers use async I/O or thread pools.

AOF grows forever: My file never gets compacted. Redis periodically rewrites the AOF to remove redundant entries — if a key was set 1000 times, only the last value matters.

No RESP protocol: Real Redis uses RESP (Redis Serialization Protocol), a structured binary format. My store uses plain text, so it's not compatible with redis-cli or any Redis SDK.

LRU capacity is hardcoded to 5: Fine for a demo, not for production.

What I Actually Learned

Going in, I thought this project would teach me about databases. It did — but it taught me much more than that.

TCP sockets from scratch. I now understand what actually happens when two programs communicate over a network. Before this, HTTP was magic to me.

Why data structures matter in practice. LRU eviction is a textbook problem, but implementing it made the O(1) requirement real. You can't just use a list. You can't just use a map. You need both.

The gap between "working" and "production-grade". My store works. Redis works at 1 million req/s under production load. Understanding that gap — connection pooling, async I/O, protocol design, crash recovery — is what separates a learning project from real infrastructure.

Benchmarking is a skill. Writing a benchmark that actually measures what you think it's measuring is harder than it sounds.

First principles learning works. I could have used a Redis client library and moved on. Instead I built the thing. Now when I use Redis in a real project, I'll understand what it's doing.

The Code

Full source code on GitHub: https://github.com/DrishtiTripathi2230/kv-store

The README has a detailed breakdown of every component with diagrams and examples — worth a read if you want to understand any part in more depth.

Tags: #cpp #systems #redis #showdev #beginners

When the Corporation Is the Regulator

Tim Green — Sun, 31 May 2026 11:00:00 +0000

When Brad Smith, Microsoft's vice chair and president, stood before cameras in December 2025 to announce his company's largest ever commitment to Canada, he did not simply unveil an infrastructure deal. He outlined a blueprint. The C$19 billion investment, spanning 2023 to 2027, with more than C$7.5 billion (approximately US$5.4 billion) earmarked for the next two years alone, was wrapped in the language of sovereignty, trust, and governance. Smith called it “the most robust digital sovereignty plan that we have announced anywhere,” building on commitments Microsoft had previously made to the European Union. But behind the soaring rhetoric lies a more complicated question, one that regulators, civil society groups, and rival governments are only beginning to wrestle with: can a single corporation's infrastructure investments actually create replicable models for responsible AI governance across jurisdictions with wildly divergent regulatory expectations?

The answer matters. It matters because the sovereign cloud market is projected to grow from US$154.69 billion in 2025 to US$823.91 billion by 2032, according to Fortune Business Insights, with Europe expected to hold the highest market share. It matters because the EU AI Act is rolling out in phases that will reshape compliance requirements for every organisation deploying AI in Europe. And it matters because Canada itself has failed to pass comprehensive AI legislation, leaving a regulatory vacuum that corporate commitments are rushing to fill. Microsoft expects to spend US$80 billion on AI-enabled data centres in its fiscal year 2025 alone, according to a January 2025 blog post by Smith, with more than half of that spending directed at US facilities. The Canadian investment, while substantial, is one piece of a global infrastructure play that spans Portugal (US$10 billion), the United Arab Emirates (US$15 billion), and dozens of other markets.

The Anatomy of a Sovereign AI Play

To understand what Microsoft is attempting in Canada, you need to see the investment as more than data centres and fibre optic cables. The C$7.5 billion will expand Microsoft's Azure Canada Central (Toronto) and Canada East (Quebec City) data centre regions, with new capacity expected to come online in the second half of 2026. These facilities will be designed for energy efficiency, renewable power, and water-saving cooling systems, features that are increasingly non-negotiable given the enormous power demands of AI workloads. Nvidia's GB200 NVL72 systems, widely used in AI data centres, are estimated to consume up to 120 kilowatts per rack, demanding liquid cooling and advanced infrastructure management.

Microsoft currently employs more than 5,300 people across 11 Canadian cities, operates a significant R&D hub in Vancouver with over 2,700 engineers, and supports an ecosystem of 17,000 partner companies that generate between C$33 billion and C$41 billion annually, supporting approximately 426,000 jobs. The company estimates that AI tools could generate up to C$40 billion in annual productivity gains for Canadian organisations. A 2025 Microsoft SMB Report found that 71% of Canadian small and medium businesses are actively using AI or generative AI, with 90% adoption among digital-native firms.

But the infrastructure spend is only one layer of a five-point digital sovereignty plan that Smith articulated as a deliberate governance architecture. The five pillars cover cybersecurity defence, data residency, privacy protection, support for Canadian AI developers, and continuity of cloud services. Each pillar addresses a distinct governance concern, and together they represent Microsoft's attempt to demonstrate that a hyperscaler can operate within national boundaries while maintaining global interoperability. On the fifth pillar, Microsoft made a distinctive pledge: to pursue legal and diplomatic remedies against any order that would suspend cloud services to Canadian customers, a commitment that goes beyond standard service-level agreements.

The cybersecurity pillar centres on a new Threat Intelligence Hub in Ottawa, staffed by Microsoft subject matter experts in threat intelligence, threat protection research, and applied AI security research. The hub will collaborate with the Royal Canadian Mounted Police (RCMP), the Canadian Centre for Cyber Security (part of the Communications Security Establishment), and other government agencies to monitor nation-state actors, ransomware groups, and AI-powered attacks. Microsoft claims access to 100 trillion daily threat signals globally, a figure that underscores the sheer scale of its intelligence apparatus. The company disclosed that its investigators had recently uncovered Chinese and North Korean operatives using fake identities for tech sector infiltration in Canada, lending urgency to the hub's establishment. Microsoft's own assessment found that in 2025, more than half of cyberattacks against Canada with known motives were financially motivated, with 80% involving data exfiltration efforts, and almost 20% targeting the healthcare and education sectors.

On data residency, Microsoft committed to processing Copilot interactions within Canadian borders by 2026, expanding Azure Local to allow organisations to run Azure capabilities in their own private cloud and on-premises environments, and launching the Sovereign AI Landing Zone (SAIL), an open-source framework hosted on GitHub designed to provide a secure foundation for deploying AI solutions within Canadian borders while maintaining privacy and compliance standards. Canada is one of 15 countries to which Microsoft is extending in-country data processing for Microsoft 365 Copilot interactions; the initiative began rolling out to Australia, the United Kingdom, India, and Japan by the end of 2025, with 11 additional countries, including Canada, scheduled for 2026.

The privacy pillar introduces confidential computing capabilities within Canadian data centre regions, keeping data encrypted and isolated even during processing. Azure Key Vault will be available to Canadian customers, supporting external key management and allowing encryption keys to remain under customer control. Microsoft has also made a contractual commitment to challenge any government demand for Canadian government or commercial customer data where it has a legal basis to do so.

When Sovereignty Meets the Sovereign Landing Zone

The technical architecture underpinning Microsoft's sovereignty claims is the Sovereign Landing Zone (SLZ), a variant of the Azure Landing Zone (ALZ) that layers additional controls for data residency, encryption, and operational oversight. In June 2025, Microsoft CEO Satya Nadella announced a broad range of sovereign cloud solutions, and the SLZ has since moved from concept to implementation. The SLZ on Terraform achieved general availability, with a Bicep implementation currently in development building on the new Bicep Azure Verified Modules for Platform Landing Zones.

The SLZ is not a separate cloud. It builds on ALZ principles but applies tighter, enforceable controls aligned with sovereign operating models. The architecture includes management-group hierarchies tailored for workload classification (Public, Confidential Online, and Confidential Corp), additional policies for data residency, and encryption at rest, in transit, and in use through confidential computing. The key design principle is enforcement over guidance: guardrails are applied at the platform level using management groups, Azure Policy, identity controls, and standardised subscription layouts. Application teams can move quickly, but only within approved boundaries. In addition to Azure's built-in policies, the SLZ provides a Sovereignty Baseline Policy initiative alongside country-specific and regulation-specific policy sets, with the set of built-in policy definitions continuing to expand.

For regulators, this architecture raises a fundamental question: does platform-level enforcement constitute genuine governance, or is it merely compliance theatre orchestrated by the very entity being regulated? The distinction matters enormously. When Microsoft embeds sovereignty controls into its infrastructure layer, it effectively sets the rules of the game. Customers can customise deployments in accordance with established regulatory frameworks. But the underlying infrastructure remains Microsoft's, subject to its design decisions, its threat models, and its commercial priorities.

This tension is not hypothetical. Under the US CLOUD Act and the Foreign Intelligence Surveillance Act (FISA), data hosted on servers owned by US companies can be subject to US law enforcement requests, regardless of where those servers are physically located. The Canadian government itself characterised FISA as a “primary risk to data sovereignty” in a 2020 white paper. Microsoft's contractual commitment to challenge such demands is welcome, but it remains a voluntary corporate pledge, not a structural guarantee. Smith told CTV in December 2025 that “no country can defend its digital sovereignty if it cannot defend its digital borders,” adding that Microsoft defends Canada's digital border “every day.” That framing reveals a core paradox: digital sovereignty premised on the goodwill of a foreign corporation is sovereignty of a peculiar, contingent sort.

The EU AI Act and the Compliance Calendar

Any discussion of replicable governance models must contend with the EU AI Act, the world's most comprehensive AI regulation, which is being implemented in phases that will reshape the compliance landscape through 2027 and beyond.

The Act entered into force on 1 August 2024, but its requirements activate at different milestones. As of 2 February 2025, AI systems posing “unacceptable risks” became strictly prohibited, including manipulative AI, predictive policing, social scoring, and real-time biometric identification in public spaces. Organisations also became required to ensure adequate AI literacy among employees involved in AI deployment.

On 2 August 2025, rules for general-purpose AI (GPAI) models took effect, requiring providers to maintain technical documentation, publish public summaries of training content using the European Commission's template, and comply with EU copyright rules. Member States were required to designate national competent authorities and adopt national laws on penalties. EU-level governance structures, including the AI Board, Scientific Panel, and Advisory Forum, had to be established.

The majority of the Act's provisions become fully applicable on 2 August 2026, including requirements for high-risk AI systems in healthcare, finance, employment, and critical infrastructure. Transparency rules under Article 50 will apply, and each Member State should have established at least one AI regulatory sandbox. Full application, including rules for high-risk AI embedded in regulated products, arrives on 2 August 2027, with a final deadline of 31 December 2030 for AI systems that are components of large-scale IT systems.

Finland has already moved ahead of the pack, activating national supervision laws on 1 January 2026 and becoming the first EU Member State with fully operational AI Act enforcement powers at the national level. On 2 February 2026, the European Commission conducted its first mandatory review of Article 5 prohibitions, potentially expanding the list of banned AI applications based on evidence of emerging risks. Meanwhile, in November 2025, the European Commission proposed the “Digital Omnibus,” a plan to simplify the EU's sweeping digital regulations, which could delay when certain high-risk obligations take effect; however, this proposal must still pass through the EU legislative process.

For Microsoft, the EU AI Act creates both obligation and opportunity. The company has stated that its early investment in responsible AI positions it well to meet regulatory demands and to help customers do the same. Microsoft has already established a European board of directors, composed of European nationals, exclusively overseeing all data centre operations in compliance with European law. But the Act's requirements for explainability, auditability, and fairness documentation go far beyond what any single company's voluntary commitments have historically delivered.

Canada's Regulatory Vacuum and the Corporate Governance Paradox

While the EU is implementing the world's most detailed AI regulatory framework, Canada finds itself in a strikingly different position. The Artificial Intelligence and Data Act (AIDA), introduced as part of Bill C-27 in June 2022, was designed to establish a comprehensive regulatory framework for AI. It would have introduced measures to regulate AI systems, prohibited harmful practices, created a new AI and Data Commissioner, and imposed penalties of up to C$25 million or 5% of global revenue for non-compliance.

AIDA never became law. The bill died on the order paper in January 2025 after extensive parliamentary scrutiny revealed concerns about its scope, the delegation of regulatory powers, and the adequacy of public consultations. Critics noted that key provisions were vague, including the lack of a clear definition for “high-impact system,” with the Act stating that the definition might evolve in the future. The Act was also criticised for having been developed behind closed doors by a select group of industry representatives, drawing criticism for its lack of broader stakeholder engagement.

The current federal government has indicated it will seek to regulate AI through privacy legislation, policy, and investment rather than overarching AI-specific legislation. In October 2025, the government held a public engagement “sprint” in connection with a new AI Strategy Task Force to support a renewed national AI strategy, expected to rely on policy mechanisms rather than comprehensive legislative reform. Canada's Minister of Artificial Intelligence and Digital Innovation, Evan Solomon, stated that “Canada is scaling homegrown companies while also working with international partners to build the advanced infrastructure our innovators require.”

This creates what might be called the corporate governance paradox: in the absence of binding regulation, corporations like Microsoft step into the gap with voluntary commitments, infrastructure investments, and self-imposed governance frameworks. Microsoft's five-point sovereignty plan, its Sovereign Landing Zone architecture, and its Threat Intelligence Hub all function as de facto governance mechanisms. But they are governance mechanisms designed, implemented, and enforced by the governed entity itself.

The paradox deepens when you consider that Canada has launched the Canadian Artificial Intelligence Safety Institute (CAISI) as part of a broader C$2.4 billion investment in AI initiatives announced in the 2024 federal budget, alongside a C$2 billion Sovereign AI Compute Strategy encompassing the AI Compute Challenge (up to C$700 million), the Sovereign Compute Infrastructure Programme (up to C$705 million), and the AI Compute Access Fund (up to C$300 million). The country also has sector-specific regulatory efforts: the Office of the Superintendent of Financial Institutions (OSFI) has released Draft Guideline E-23 on Model Risk Management for financial institutions, Ontario's Workers for Workers Four Act (effective 2026) will impose requirements on employers using AI in hiring, and Canadian law societies in Alberta, British Columbia, and Ontario have issued guidance for lawyers using generative AI. But none of these measures constitute the kind of comprehensive, cross-sector AI governance framework that the EU AI Act represents.

Responsible AI Tooling and the Measurement Problem

Microsoft's responsible AI framework rests on six stated principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. The company has operationalised these through its Responsible AI Standard, which covers six domains and establishes 14 goals intended to reduce AI risks and their associated harms. But principles are not outcomes. The critical question is whether Microsoft's tooling can produce measurable governance results that satisfy regulators, customers, and civil society stakeholders.

The company's primary instrument is the Responsible AI Dashboard, which integrates several components for assessing and improving model performance. Error Analysis identifies cohorts of data with higher error rates, including when systems underperform for specific demographic groups or infrequently observed input conditions. Fairness Assessment, powered by the open-source Fairlearn library, identifies which groups may be disproportionately negatively impacted by an AI system and in what ways. Model Interpretability, powered by InterpretML, generates human-understandable descriptions of model predictions at both global and local levels; for example, it can explain what features affect the overall behaviour of a loan allocation model, or why a specific customer's application was approved or rejected. The dashboard also includes counterfactual what-if components that help stakeholders explore how changes in inputs would alter outcomes.

For generative AI specifically, Microsoft Foundry allows developers to assess applications for quality and safety using both human review and AI-assisted metrics. Microsoft has also introduced Transparency Notes, documentation designed to help customers understand how AI technologies work and make informed deployment decisions. The company's 2025 Responsible AI Transparency Report detailed 67 red-teaming operations conducted across flagship models, including the Phi series and Copilot tools, stress-testing them for vulnerabilities to malicious prompts and misuse. Microsoft introduced an internal workflow tool that centralises responsible AI requirements and simplifies documentation for pre-deployment reviews; for high-impact or sensitive use cases involving biometric data or critical infrastructure, the company provides hands-on counselling to ensure heightened scrutiny and ethical alignment.

In September 2025, Nadella announced new AI commitments focusing on enhanced safety protocols, transparency in algorithms, and investments in bias mitigation tools. He warned at the World Economic Forum that AI would lose public support unless it demonstrated tangible value: “We will quickly lose even the social permission to take something like energy, which is a scarce resource, and use it to generate these tokens, if these tokens are not improving health outcomes, education outcomes, public sector efficiency, private sector competitiveness.”

Microsoft has also aligned its Cloud Adoption Framework AI governance guidance with the NIST AI Risk Management Framework (AI RMF), which organises recommendations into four core functions: Govern, Map, Measure, and Manage. Azure Policy and Microsoft Purview are offered as tools to enforce policies automatically across AI deployments, with regular assessments of areas where automation can improve policy adherence. Counterfit, an open-source command-line tool, allows developers to simulate cyberattacks against AI systems, assessing vulnerabilities across cloud, on-premises, and edge environments.

Yet the measurement problem persists. Responsible AI dashboards and transparency notes are useful tools, but they are fundamentally self-assessment instruments. They tell you what Microsoft's own systems detect about Microsoft's own models. Civil society organisations have been explicit about what they consider insufficient. A survey by The Future Society of 44 civil society organisations found overwhelming consensus on the need for legally binding measures, with enforcement mechanisms receiving the highest support across all priorities. The top-ranked demand was establishing legally binding “red lines” prohibiting certain high-risk AI systems incompatible with human rights obligations, followed by mandating systematic, independent third-party audits of general-purpose AI systems covering bias, transparency, and accountability. A side event titled “Global AI Governance: Empowering Civil Society,” held during the Paris AI Action Summit in February 2025, reinforced these priorities.

The Frontier Governance Framework and Corporate Accountability

Microsoft's response to growing calls for accountability has been its Frontier Governance Framework, introduced in the 2025 Transparency Report. The framework emerged from voluntary safety commitments made in May 2024 alongside fifteen other AI organisations and now functions as an internal monitoring and risk assessment mechanism for advanced models before release. It represents Microsoft's attempt to self-regulate frontier AI development before governments can impose external constraints.

The framework's effectiveness depends entirely on its implementation rigour and the independence of its oversight. Microsoft's partnerships with civil society organisations, including its collaboration with the Stimson Center on the Global Perspectives Responsible AI Fellowship, suggest an awareness that corporate governance cannot operate in isolation. The fellowship brings together diverse stakeholders from civil society, academia, and the private sector for discussions on AI's societal impact. Brad Smith has emphasised that government, industry, academia, and civil society must work together to advance AI policy.

But awareness is not the same as accountability. The gap between corporate voluntary commitments and the binding regulatory frameworks that civil society demands remains wide. As one participant in The Future Society consultation articulated: “Public accountability demands that we develop meaningful measures of impact on important issues like standards of living and be transparent about how things are going.” Civil society organisations are calling for standardised methodologies for independent verification across jurisdictions, crisis response protocols with clear intervention thresholds, and transparent participation mechanisms that ensure equitable representation. Microsoft's investment of US$80 billion in AI data centres during fiscal year 2025 makes it one of the world's largest investors in AI infrastructure; that scale of spending creates commensurate obligations for governance transparency.

Divergent Frameworks and the Replicability Question

The global landscape of AI governance is characterised by fundamental divergences. The EU has adopted a regulation-first approach emphasising human rights, conformity assessments, and mandatory transparency. The United States has historically favoured innovation-first self-governance, though sector regulators including the Consumer Financial Protection Bureau, the Food and Drug Administration, and the Equal Employment Opportunity Commission are increasingly referencing NIST AI RMF principles in their expectations for safe deployment. China pursues state-led AI governance with centralised control over AI development. The BRICS nations, representing eleven countries including Brazil, Russia, India, China, South Africa, Saudi Arabia, Egypt, the UAE, Ethiopia, Indonesia, and Iran, advocate for flexible governance structures that respect national sovereignty while maintaining international cooperation. McKinsey analysis suggests that sovereign AI could represent a market of US$600 billion by 2030, with up to 40% of AI workloads potentially moving to sovereign environments.

Only about 30 countries currently host in-country compute infrastructure capable of supporting advanced AI workloads. Many lack not only hardware but also local model development, applications, energy systems, and governance frameworks optimised for AI. This compute divide creates a structural dependency: nations without indigenous AI infrastructure must rely on hyperscalers like Microsoft, accepting their governance frameworks as a condition of access to AI capabilities. Seventy-one per cent of executives, investors, and government officials surveyed by McKinsey characterised sovereign AI as an “existential concern” or “strategic imperative” for their organisations.

Microsoft's Canadian investment can be seen as a template for this dynamic. The company offers sovereignty tools (SLZ, SAIL, Azure Local), cybersecurity collaboration (Threat Intelligence Hub), and local AI developer support (Cohere partnership). Cohere's advanced language models, including Command A, Embed 4, and Rerank, are being integrated into the Microsoft Foundry first-party model lineup, making Canadian-developed AI accessible on Azure. Microsoft and Cohere aim to co-develop industry-specific models for sectors like natural resources and manufacturing, where Canada has particular strengths. This partnership serves a dual purpose: it provides enterprise customers with an alternative to US-developed models, and it bolsters Canada's credentials as an AI innovation hub.

The question of replicability hinges on whether Microsoft's approach can be transplanted to jurisdictions with fundamentally different regulatory, political, and economic contexts. Consider the EU: Microsoft has already committed to end-to-end AI data processing within Europe as part of the EU Data Boundary, and Microsoft 365 Copilot now processes interactions in-country for 15 countries. The company's Sovereign Landing Zone provides EU-specific policy sets aligned with the AI Act's requirements. But the EU's regulatory expectations go well beyond data residency. The Act requires conformity assessments for high-risk systems, detailed technical documentation, human oversight mechanisms, and ongoing monitoring obligations. These requirements demand independent verification, not just self-reported compliance through corporate dashboards.

Building Governance That Outlasts the Press Release

The mechanisms that would transform corporate AI commitments into measurable governance outcomes fall into three categories: explainability, auditability, and fairness documentation. Each requires specific institutional arrangements that go beyond voluntary corporate action.

Explainability demands that AI systems provide meaningful explanations of their decisions to affected individuals. Microsoft's InterpretML and model interpretability tools offer technical capabilities for this, generating both global explanations (what features affect a model's overall behaviour) and local explanations (why a specific decision was made). But technical explainability is only useful if it is accessible to non-technical stakeholders, including regulators, affected communities, and individual users. The EU AI Act's transparency obligations under Article 50, applicable from August 2026, will require explanations that are comprehensible to the humans who interact with AI systems, not just the engineers who build them.

Auditability requires independent third-party access to AI systems, training data, and deployment processes. Microsoft's red-teaming operations and its alignment with the NIST AI RMF's Govern, Map, Measure, and Manage functions provide an internal audit framework. But the civil society consensus, as documented by The Future Society, is that self-auditing is insufficient. Measurable governance outcomes require external audit mechanisms with genuine investigative authority, standardised methodologies for independent verification across jurisdictions, and enforceable penalties for non-compliance. The EU AI Act's conformity assessment procedures for high-risk systems point in this direction, but their effectiveness will depend on the capacity and independence of national competent authorities.

Fairness documentation requires systematic evidence that AI systems do not discriminate against protected groups. Microsoft's Fairlearn library and the Responsible AI Dashboard's fairness assessment capabilities provide tools for detecting disparate impact. But fairness is not a purely technical concept. It involves normative judgements about which disparities are acceptable and which constitute discrimination, judgements that vary across cultures, legal systems, and political contexts. A fairness standard calibrated for Canadian employment law may be inadequate for EU anti-discrimination directives or for the complex intersectional discrimination patterns that civil society organisations have documented.

What Replicable Governance Actually Requires

Microsoft's Canadian investment demonstrates that a hyperscaler can build infrastructure, deploy sovereignty tools, and partner with local institutions to create governance capabilities. The skills component alone is substantial: Microsoft aims to help 250,000 Canadians earn AI credentials by 2026 through its Microsoft Elevate unit, having already engaged 5.7 million learners and supported 546,000 individuals in completing AI training across the country. Only 24% of Canadians have received AI-related training, compared to a 39% global average, according to Microsoft data.

But replicable governance requires something more: institutional arrangements that survive changes in corporate leadership, shifts in commercial strategy, and the inevitable tensions between profitability and public interest.

Nadella himself has acknowledged this tension. In November 2025, he published a widely circulated memo on “Shared Economic Gains,” warning the tech industry against value extraction and arguing that for the AI revolution to be sustainable, it must create more wealth for its users than for its creators. He has consistently argued that “technology development doesn't just happen; it happens because us humans make design choices. Those design choices need to be grounded in principles and ethics.”

The replicability question ultimately comes down to whether Microsoft's governance architecture can be separated from Microsoft itself. If the Sovereign AI Landing Zone is truly open-source, if the Threat Intelligence Hub's methodologies can be adopted by other nations' cybersecurity centres, if the responsible AI tooling can be validated by independent auditors, then Canada's experience could serve as a genuine template. If, however, these governance mechanisms remain dependent on Microsoft's infrastructure, subject to Microsoft's terms of service, and validated primarily by Microsoft's own assessments, then they represent corporate governance rather than public governance, and their replicability is limited to jurisdictions willing to accept that distinction.

The EU AI Act's phased implementation will provide the most rigorous test. By August 2026, when the majority of provisions become applicable, Microsoft and every other AI provider operating in Europe will face mandatory requirements for transparency, explainability, and accountability that no voluntary framework can substitute. The question is whether the governance muscles Microsoft is building in Canada, through its SLZ architecture, its Threat Intelligence Hub, and its responsible AI tooling, will prove strong enough to meet those requirements, or whether the gap between corporate self-governance and democratic accountability will prove too wide to bridge.

For Canada, for Europe, and for the approximately 30 nations currently capable of hosting advanced AI workloads, the answer will define the next decade of AI governance. Microsoft has laid down a US$5.4 billion wager that its version of sovereignty by design can become the global standard. Whether that wager pays off depends not on the size of the investment, but on whether the governance frameworks it produces can earn the trust of the regulators, civil society organisations, and citizens whose lives AI systems increasingly shape.

References and Sources

Microsoft. “Microsoft Deepens Its Commitment to Canada with Landmark $19B AI Investment.” Microsoft On the Issues, 9 December 2025. https://blogs.microsoft.com/on-the-issues/2025/12/09/microsoft-deepens-its-commitment-to-canada-with-landmark-19b-ai-investment/
Business Standard. “Microsoft to invest over $5.4 bn in Canada to expand AI infrastructure.” 9 December 2025. https://www.business-standard.com/technology/tech-news/microsoft-to-invest-over-5-4-bn-in-canada-to-expand-ai-infrastructure-125120901025_1.html
Fortune Business Insights. “Sovereign Cloud Market Size, Share, Growth | Forecast [2034].” 2025. https://www.fortunebusinessinsights.com/sovereign-cloud-market-112386
EU Artificial Intelligence Act. “Implementation Timeline.” 2025. https://artificialintelligenceact.eu/implementation-timeline/
Microsoft Learn. “Sovereign Landing Zone (SLZ) Implementation Options.” 2025. https://learn.microsoft.com/en-us/industry/sovereign-cloud/sovereign-public-cloud/sovereign-landing-zone/implementation-options
Microsoft Azure Blog. “Microsoft Strengthens Sovereign Cloud Capabilities with New Services.” November 2025. https://azure.microsoft.com/en-us/blog/microsoft-strengthens-sovereign-cloud-capabilities-with-new-services/
Innovation, Science and Economic Development Canada. “Artificial Intelligence and Data Act.” https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act
White & Case LLP. “AI Watch: Global Regulatory Tracker, Canada.” 2025. https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker-canada
Microsoft. “Responsible AI Principles and Approach.” https://www.microsoft.com/en-us/ai/principles-and-approach
Microsoft Learn. “What is Responsible AI, Azure Machine Learning.” https://learn.microsoft.com/en-us/azure/machine-learning/concept-responsible-ai?view=azureml-api-2
GitHub. “Microsoft Responsible AI Toolbox.” https://github.com/microsoft/responsible-ai-toolbox
AI Magazine. “Inside Microsoft's 2025 Responsible AI Transparency Report.” 2025. https://aimagazine.com/articles/inside-microsofts-2025-responsible-ai-transparency-report
The Future Society. “Ten AI Governance Priorities: Survey of 44 Civil Society Organizations.” 2025. https://thefuturesociety.org/cso-ai-governance-priorities/
McKinsey & Company. “The Sovereign AI Agenda: Moving from Ambition to Reality.” 2025. https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/the-sovereign-ai-agenda-moving-from-ambition-to-reality
NIST. “AI Risk Management Framework.” https://www.nist.gov/itl/ai-risk-management-framework
Microsoft Learn. “Govern AI, Cloud Adoption Framework.” https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/ai/govern
ERP Today. “Microsoft's Canada Investment Puts Digital Sovereignty to Work.” December 2025. https://erp.today/microsofts-canada-investment-puts-digital-sovereignty-to-work/
BetaKit. “Microsoft to spend $7.5 billion on AI data centre expansion with pledge to protect Canada's 'digital sovereignty.'” December 2025. https://betakit.com/microsoft-to-spend-7-5-billion-on-ai-data-centre-expansion-with-pledge-to-protect-canadas-digital-sovereignty/
BNN Bloomberg. “Microsoft will protect Canada digital sovereignty: president.” 13 December 2025. https://www.bnnbloomberg.ca/business/politics/2025/12/13/microsoft-president-insists-company-will-stand-up-to-defend-canadian-digital-sovereignty/
Trilateral Research. “EU AI Act Compliance Timeline: Key Dates for 2025-2027 by Risk Tier.” 2025. https://trilateralresearch.com/responsible-ai/eu-ai-act-implementation-timeline-mapping-your-models-to-the-new-risk-tiers
Tony Blair Institute for Global Change. “Sovereignty in the Age of AI: Strategic Choices, Structural Dependencies and the Long Game Ahead.” 2025. https://institute.global/insights/tech-and-digitalisation/sovereignty-in-the-age-of-ai-strategic-choices-structural-dependencies
TechXplore. “Microsoft's AI deal promises Canada digital sovereignty, but is that a pledge it can keep?” January 2026. https://techxplore.com/news/2026-01-microsoft-ai-canada-digital-sovereignty.html
Canada.ca. “Canada's National Cyber Security Strategy: Securing Canada's Digital Future.” 2025. https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2025/index-en.aspx
Osler, Hoskin & Harcourt LLP. “Canada's 2026 Privacy Priorities: Data Sovereignty, Open Banking and AI.” 2025. https://www.osler.com/en/insights/reports/2025-legal-outlook/canadas-2026-privacy-priorities-data-sovereignty-open-banking-and-ai/
CNBC. “Microsoft expects to spend $80 billion on AI-enabled data centers in fiscal 2025.” 3 January 2025. https://www.cnbc.com/2025/01/03/microsoft-expects-to-spend-80-billion-on-ai-data-centers-in-fy-2025.html
Microsoft 365 Blog. “Microsoft offers in-country data processing to 15 countries to strengthen sovereign controls for Microsoft 365 Copilot.” 4 November 2025. https://www.microsoft.com/en-us/microsoft-365/blog/2025/11/04/microsoft-offers-in-country-data-processing-to-15-countries-to-strengthen-sovereign-controls-for-microsoft-365-copilot/
Microsoft. “Responsible AI Tools and Practices.” https://www.microsoft.com/en-us/ai/tools-practices
Schwartz Reisman Institute, University of Toronto. “What's Next After AIDA?” 2025. https://srinstitute.utoronto.ca/news/whats-next-for-aida
Digital Journal. “Microsoft's $19-billion Canadian AI investment stokes digital sovereignty debate.” December 2025. https://www.digitaljournal.com/business/microsofts-19-billion-canadian-ai-investment-stokes-digital-sovereignty-debate/article
Microsoft Source EMEA. “Microsoft Expands Digital Sovereignty Capabilities.” November 2025. https://news.microsoft.com/source/emea/2025/11/microsoft-expands-digital-sovereignty-capabilities/

Tim Green
UK-based Systems Theorist & Independent Technology Writer

Tim explores the intersections of artificial intelligence, decentralised cognition, and posthuman ethics. His work, published at smarterarticles.co.uk, challenges dominant narratives of technological progress while proposing interdisciplinary frameworks for collective intelligence and digital stewardship.

His writing has been featured on Ground News and shared by independent researchers across both academic and technological communities.

ORCID: 0009-0002-0156-9795
Email: tim@smarterarticles.co.uk

Pre-Code Planning Stopped Me From Getting Stuck on a 3-Hour ETL Pipeline

Yaw Opoku Mensah Baffoe — Sun, 31 May 2026 10:55:25 +0000

I recently finished building a multi-channel data pipeline to solve a specific problem: consolidating fragmented monthly sales data from an in-store till, Uber Eats, and Deliveroo into a single master source for Looker Studio.

My Dashboard

The technical work took me slightly under 3 hours to build. But the biggest takeaway for me wasn't the speed, it was the shift in how I approached the build.

The Problem with "Figuring it out as you go"

On previous projects, my default habit was to open a blank IDE and just start typing. I’d try to figure out the data schemas and transformations while mid script.

When I did that, I ended up hitting a wall. I’d confuse myself, lose track of the data flow, and get stuck in a loop of debugging things I hadn't fully defined yet.

What I Did Differently This Time

Before touching a single line of Python for this dashboard, I forced myself to properly define the parameters of the project in a document:

The Exact Inputs: Mapping out the column mismatches between the three different CSV exports (Till vs. Uber vs. Deliveroo).
The Exact Transformation Steps: Deciding how to handle commission deductions and currency formatting before writing the cleaning functions.
The Destination: Defining how the final master source needed to be structured for Looker Studio to read it cleanly.

The Result

Because the blueprint was already written, the actual coding process was just pure execution. I stayed hyper-focused for the full 3 hours because there was zero guesswork involved.

It showed me that my biggest bottleneck usually isn't my technical ability or my understanding of code; it's the framework I use to approach a problem. Spending time upfront to structure the data pipeline logically turned the coding phase into a straightforward task rather than a guessing game.

For anyone else working through data projects or personal builds: if you find yourself constantly hitting mental blocks mid code, try closing the IDE and explicitly defining the data flow first. It saves a massive amount of cognitive energy.

Cómo solucionar `OSError: [Errno 13] Permission denied` al usar `pip install`

Erick Eduardo Ramos — Sun, 31 May 2026 10:53:42 +0000

Cómo solucionar `OSError: [Errno 13] Permission denied` al usar `pip install`

¿Por qué ocurre este error?

El error ocurre porque pip intenta instalar paquetes en un directorio del sistema (como /usr/local/lib/python2.7/dist-packages/) que requiere permisos de administrador (root). Esto sucede cuando:

Estás usando el pip del sistema operativo (no el de un entorno virtual)
El sistema tiene configurado Python y pip para instalar globalmente en directorios protegidos
Estás ejecutando pip sin los permisos necesarios, o sin usar sudo (que no es recomendable por seguridad)

Pasos para solucionarlo definitivamente

✅ Solución recomendada: Usa entornos virtuales (vía `venv` o `conda`)

1. Crea un entorno virtual aislado

python3 -m venv venv
# o si usas Python 2 (no recomendado, pero posible):
# virtualenv venv

2. Activa el entorno

source venv/bin/activate
# En Windows: venv\Scripts\activate

3. Instala las dependencias dentro del entorno

pip install -r requirements.txt

✅ Ventaja: No necesitas sudo, no contaminas el sistema, y cada proyecto tiene sus propias dependencias.

⚠️ Solución alternativa (solo si NO puedes usar entornos virtuales)

Opción A: Instala solo para el usuario actual (sin `sudo`)

pip install --user -r requirements.txt

Esto instala en ~/.local/lib/..., evitando permisos de sistema.

Opción B: Cambia los permisos del directorio (riesgoso)

sudo chown -R $USER:$USER /usr/local/lib/python2.7/dist-packages/
# O más seguro:
sudo chown -R $USER:$USER /usr/local/lib/python3.x/dist-packages/

⚠️ Advertencia: Esto puede romper la gestión de paquetes del sistema operativo (especialmente en Debian/Ubuntu).

Bloque de código corregido (ejemplo práctico)

# 1. Crear entorno virtual
python3 -m venv django-env

# 2. Activar entorno
source django-env/bin/activate

# 3. Actualizar pip (opcional pero recomendado)
pip install --upgrade pip

# 4. Instalar dependencias
pip install -r requirements.txt

Pro-tip: Evita `sudo pip install` a toda costa

Riesgo de seguridad: Ejecutas código no verificado como root.
Conflicto con el gestor de paquetes del sistema: apt, yum, etc., pueden romperse.
Dificultad para reproducir entornos: Las instalaciones globales se vuelven caóticas.

✅ Mejor práctica: Usa venv + pip install sin privilegios.

✅ Para producción: Usa contenedores Docker o sistemas como pipenv/poetry.

📌 Nota histórica: El error muestra Python 2.7. Python 2 está obsoleto desde 2020. Migrar a Python 3 es obligatorio para seguridad y soporte.

From Smart Contract Hell to JavaScript Solace: Building ArdhiChain for a 36-Hour Hackathon

Benjamin Koimett — Sun, 31 May 2026 10:53:14 +0000

---
title: "From Smart Contract Hell to JavaScript Solace: Building ArrdhiChain for a 36-Hour Hackathon"
published: true
description: "How I survived Polygon Amoy testnet failures, gas estimation nightmares, and a Friday 5 PM MVP deadline by finding peace in vanilla JavaScript and optimistic UI."
tags: [web3, hackathon, javascript, polygon, solidity, devjournal]
---

In the beginning...

Timeline: Thursday 8 AM to Friday 5 PM MVP deadline. Pitches started Friday 11 AM (yes, while I was still debugging).

Sanity level: Negative.

Outcome: Shipped. Barely.

This past Thursday to Friday wasn't a 72-hour marathon. It was a 36-hour sprint where the smart contracts tried to break me, the Polygon Amoy testnet played games, and JavaScript became my unexpected sanctuary.

Here's the raw, unfiltered story of building ArrdhiChain - a web3 dApp - under hackathon conditions that felt designed to cause panic attacks.

Thursday Morning: The Overconfidence Phase

The hackathon kicked off Thursday at 8 AM. MVP needed by Friday 5 PM. Pitches started Friday 11 AM (meaning the judges would be circulating while I was still patching bugs).

My idea: A decentralized app on Polygon Amoy testnet where users could interact with a custom smart contract. Simple. Elegant. Wrong.

Thursday 9 AM: Smart contracts written in Solidity. Compiled flawlessly. I felt invincible.

Thursday 10 AM: First deployment attempt. FAIL. Gas estimation errors. Network timeouts. MetaMask crying.

Thursday 11 AM: Discovered I was on Mumbai testnet, not Amoy. Two hours gone. Classic.

Lesson #1: The network dropdown is not your enemy. Ignoring it is.

Thursday 2 PM: Finally got the contract live on Amoy:

🔗 0xYOUR_CONTRACT_ADDRESS

I celebrated with cold coffee. Too soon.

Thursday Night: The Web3 Integration Nightmare

By Thursday evening, the contract was verified. But connecting it to the frontend was a special kind of torture:

Ethers.js v5 vs v6 conflicts - two hours of Stack Overflow archaeology
WalletConnect dropping sessions every third refresh
React state + async blockchain calls creating race conditions I didn't even know existed

Every transaction took 30 to 45 seconds. Users would see "Pending..." and close the tab. In a hackathon with judges walking the floor by Friday 11 AM, that's a death sentence.

Thursday midnight: I pushed broken code to GitHub and stared at my ceiling for an hour. The MVP deadline was 17 hours away.

Friday Morning: Panic, Then Solace

Friday 7 AM: Coffee IV drip engaged. Judges would arrive in 4 hours. The contract worked on the backend, but the frontend was unusable.

Then I made a decision that saved the project:

Stop fighting the blockchain. Fall in love with the frontend.

I stripped the complexity. Hard.

1. Built a Mock Provider Fallback

If MetaMask wasn't detected or the network was wrong, the UI gracefully fell back to a read-only mode. Users could still see contract data, explore features, and understand the app - even if they couldn't transact yet.

2. Optimistic UI with Local Cache

Even if a transaction took 30 seconds, the UI updated instantly. I stored pending transactions in localStorage, showed a "confirming..." badge, and synced with the blockchain in the background.

Users felt speed. That's the JavaScript superpower.

3. Transaction State Machine with useReducer

No more scattered isLoading flags across 12 components. One clean reducer:

switch (state.status) {
  case 'idle': // show form
  case 'pending': // show spinner + optimistic data
  case 'success': // show confirmation + clear cache
  case 'error': // show friendly retry button
}

4. Friday 10:30 AM - MVP Ready

Thirty minutes before judges started walking the floor. The contract was live. The UI was responsive. And users could actually use it without throwing their phones.

Friday 11 AM: Pitches began. I demoed ArrdhiChain with a smile. The backend was held together with duct tape and hope, but the frontend shipped.

What I Actually Shipped

✅ Smart contract live on Polygon Amoy Testnet

✅ Verified contract on Amoy Polygonscan

✅ React frontend with read-only fallback

✅ Optimistic UI + localStorage transaction cache

✅ "Solace Mode" toggle - disables writes, keeps UI butter-smooth

Live demo (Amoy): [https://land-ledge-git-frontend-benjie-bkoimetts-projects.vercel.app/dashboard]
Contract: 0xYourAddress

GitHub: [https://github.com/bkoimett/land-ledge.git]

From Smart Contract Hell to JavaScript Solace: Building ArrdhiChain for a 36-Hour Hackathon

The Hard Truth About Hackathon Web3

Building a dApp in 36 hours is not development. It's survival.

Smart contracts will compile but fail to deploy.
Testnets will lie about gas fees.
MetaMask will betray you at the worst moment.

But JavaScript? JavaScript is home.

When the blockchain is slow, the frontend can be fast.

When transactions fail, the UI can recover.

When judges are watching, a smooth demo beats a perfect contract.

Lesson #2: In a hackathon, the user experience is the product. The blockchain is just the backend.

What I'd Do Differently (And What I'm Keeping)

Next time:

Start with the frontend mock first, add web3 later
Use Wagmi or useDapp instead of raw ethers.js
Test the entire transaction flow before writing a single line of Solidity

What I'm keeping:

Optimistic UI always
LocalStorage as a transaction journal
The "Solace Mode" pattern - read-only fallbacks for every web3 app

Final Thoughts

The hackathon didn't end at Friday 5 PM. But by then, I had shipped. The judges saw a working product. Users saw a smooth interface. And I learned that web3 stress is real - but JavaScript is where peace lives.

If you're building a dApp under a deadline, remember:

await is a suggestion, not a guarantee
The frontend is where users live
A well-placed try/catch is sometimes more valuable than a perfect contract

And when the blockchain breaks your heart, JavaScript will still be there.

Have you ever survived a web3 hackathon? What saved you - better planning or a last-minute frontend miracle? Drop your war stories below.

web3 #hackathon #javascript #polygon #solidity #buildinpublic #devjournal

I built a browser number strategy game where arithmetic becomes board control

love mars — Sun, 31 May 2026 10:52:32 +0000

The idea

Most math games feel like timed quizzes: answer fast, move on, repeat.

I wanted to build something with a different texture. In Number Duel, arithmetic is not the homework you do before the fun starts. It is the move system.

You pick numbers to shape the board, limit your opponent, and set up future threats. The math is simple enough to play immediately, but the choices start to feel surprisingly tactical.

How it works

Each player has an active number from 0 to 9.

On a turn, the two active numbers combine to create a target. You claim the matching cell on a 5x5 board. Connect four cells in a row to win.

For example, in Sum Duel:

I pick 9
You pick 3
The target becomes 12
The player whose turn it is can claim a 12 cell

The interesting part is that your number does not only create your own move. It also controls what your opponent can do next.

That shared constraint is where the strategy lives.

Three modes are live

Sum Duel is the most approachable mode. Active numbers are added together, so the board is easy to read and the tactics are about timing, blocking, and forcing useful totals.

Product Duel makes the board spikier. Multiplication creates repeated targets, unreachable zones, and more dramatic tempo swings.

Fifteen Duel is a smaller puzzle mode using the numbers 1-9. First to claim three numbers that sum to 15 wins. The hidden trick: the eight winning triples are exactly the rows, columns, and diagonals of the 3x3 magic square, so the mode is secretly tic-tac-toe in disguise.

The hardest problem was onboarding

The game logic was not the hard part.

The hard part was getting the rules to click before a new player bounced.

I tried to make the first screen do most of the teaching:

Put the board front and center
Highlight legal cells so players do not need to calculate every option
Keep the first match short with a 5x5 board and connect-four win condition
Move deeper strategy notes out of the way until players actually want them

I am still tuning this. If you try the game, the feedback I care about most is:

At what moment did the rules click?

The stack

The app is built with:

React + Vite for the browser client
Cloudflare Workers for the API surface
Durable Objects for real-time multiplayer rooms
Cloudflare D1 for daily challenge results and leaderboards

Durable Objects turned out to be a nice fit for this shape of game.

Each room maps to a single object instance. WebSocket connections stay in memory, the room owns the authoritative state, and important state can be persisted without running a separate game server.

For a side project, that tradeoff has been pleasant: small deployment surface, real-time rooms, and no always-on server to babysit.

Try it

No signup, no ads, and it works on mobile:

https://numberduel.mathmindpuzzles.com/

Strategy notes:
https://numberduel.mathmindpuzzles.com/strategy/

Magic square explainer:
https://numberduel.mathmindpuzzles.com/math/magic-square-15/

Feedback is very welcome, especially on first-time clarity and whether the game feels more like a puzzle or a duel.

Public WiFi in 2026: What's Actually Risky and What Isn't

ricco020 — Sun, 31 May 2026 10:47:46 +0000

TL;DR

Six attacks are still documented on public WiFi in 2026: Man-in-the-Middle (MITM), Evil Twin (fake hotspot), packet sniffing, ARP spoofing, session hijacking, and compromised captive portals. HTTPS protects content but not the SNI (the destination domain remains visible in plain text) — meaning the WiFi operator still sees which domains you visit. The only effective countermeasure is a VPN active before connecting to the network. Free VPNs are explicitly counter-productive on public WiFi: they monetize your data more thoroughly than the WiFi operator would.

What actually happens on a public WiFi connection

When you connect to a public WiFi network, several invisible steps happen between your device and the internet — and each one is a potential point of observation.

Step 1 — DHCP. Your device requests an IP address from the access point, which assigns one along with the local gateway and DNS servers (typically the operator's). This means the operator decides which DNS resolver you'll use.

Step 2 — ARP. Your device announces "I'm IP X with MAC Y". On a public network, this is broadcast to everyone — including potential attackers running tools like arpspoof who can pretend to be the gateway.

Step 3 — DNS resolution. Each website you visit triggers a DNS query. If those queries go through the WiFi operator's resolver (without DoH or VPN), the operator gets a complete log of every domain you visit.

Step 4 — TLS handshake. For HTTPS sites, TLS 1.3 (RFC 8446) encrypts the connection. But the SNI (Server Name Indication) field remains in plain text during the handshake — meaning anyone watching the packets knows you visited mybank.com, even if they can't see what you did there.

Step 5 — Encrypted traffic. Application data is encrypted. But the metadata isn't: packet sizes, timing patterns, destination IPs. A determined observer can derive a lot from this.

The 6 documented attacks on public WiFi in 2025-2026

Man-in-the-Middle (MITM)

Classic attack vector. The attacker positions themselves between you and the access point, relaying traffic while reading or modifying it. Tools like Bettercap or mitmproxy make this trivial for someone with basic networking knowledge. Mitigation: HTTPS with HSTS prevents most MITM attacks on the application layer, but DNS-level MITM still works if you don't use DoH.

Evil Twin (fake access point)

Attacker creates an AP with the same SSID as the legitimate one (e.g. Starbucks_WiFi_Free), sometimes with better signal strength. Your device might auto-connect. Once connected, the attacker sees all your traffic. Mitigation: never auto-connect to open networks, verify the official SSID with staff if uncertain.

Packet sniffing

On open networks (no WPA2/WPA3), all traffic is broadcast in clear. Anyone with Wireshark can read it. WPA2/WPA3 networks encrypt per-device, but not all "public" networks actually use encryption — many captive-portal networks remain fully open.

ARP spoofing

Attacker sends crafted ARP packets to convince the network that they are the gateway. All your traffic is then routed through them. Mitigation: static ARP tables (impractical for mobile), or simply a VPN that encrypts everything.

Session hijacking

Cookies set without the Secure flag travel in clear. Attacker captures the session cookie and impersonates you. Modern frameworks set Secure and HttpOnly by default, but legacy sites still exist.

Compromised captive portal

Even legitimate captive portals can be compromised (XSS, host header injection). Attacker injects malicious JS that runs before you've connected your VPN. Mitigation: connect VPN first when possible, dismiss the captive portal in a sandboxed browser session.

What the WiFi operator sees, by setup

Your setup	Domains visited	Content encrypted	Real IP	Session cookies
No VPN, HTTP	All	No	Visible	Visible
No VPN, HTTPS	All (via SNI)	Yes	Visible	Encrypted
HTTPS + DoH	None (DoH encrypted)	Yes	Visible	Encrypted
VPN active	None	Yes	Masked	Encrypted
Tor	None	Yes	Masked	Encrypted

The verdict is uncomfortable: with HTTPS alone, the operator still knows every domain you visit. Only DoH or VPN provides actual domain-level privacy.

Why HTTPS isn't enough on public WiFi

HTTPS protects:

Content of requests and responses
Headers (including cookies)
Form submissions

HTTPS does NOT protect:

The SNI field (server name during TLS handshake) — visible in plain text
DNS queries (unless DoH/DoT is used)
The destination IP (visible by definition)
Timing patterns and packet sizes

RFC 8446 (TLS 1.3) addressed many issues but SNI plaintext remains a known leak. RFC 9116 (Encrypted Client Hello, ECH) proposes a fix but rollout is fragmented in 2026.

The actual role of a VPN on public WiFi

A VPN does three concrete things on public WiFi:

Encrypts end-to-end between your device and the VPN server. The WiFi operator sees only encrypted traffic going to a single IP (the VPN server's).
Masks the visible IP. Sites you visit see the VPN server's IP, not your real one.
Bypasses hostile captive portals. Some captive portals inject ads or redirect to malicious pages — a VPN tunnel ignores them once active.

What a VPN doesn't do:

Protect against malware already installed on your device
Protect against phishing pages
Protect against attacks at the application layer (XSS, etc.)

For our complete VPN security audit covering 9 different test vectors, see AnonymFlow's complete VPN security audit.

Free VPN on public WiFi: a false friend

Free VPNs make money by selling user data — that's their business model. Several documented cases:

Hola VPN (2015) sold users' bandwidth as a botnet
Hotspot Shield (2017) was found to inject ads and tracking
FreeVPN (2020) leaked user logs

A free VPN on public WiFi often monetizes your data more aggressively than the WiFi operator would. You traded one observer for another, possibly worse one.

For the truth about free VPN trials and their hidden conditions, see The truth about VPN free trials.

Public WiFi security checklist 2026

Before connecting:

Verify the SSID with venue staff (avoid Evil Twins)
Turn off file sharing and AirDrop discoverability
Activate your VPN before connecting to WiFi (so the tunnel is up the moment you're online)
Disable auto-connect to open networks in OS settings
Have a fallback (mobile hotspot) if the WiFi is suspicious

During connection:

Re-verify VPN is active (status indicator should show connection)
Check your IP via a public IP checker — should be the VPN's, not your real one
Avoid sensitive operations (banking, password changes) for casual browsing only
If captive portal injects unexpected JS, disconnect and use mobile data
Disconnect from the WiFi when done — many devices keep credentials and auto-reconnect later

Special cases: hotel, airport, conference, café

Hotel WiFi — Often uses Cisco Meraki or similar, which can perform deep inspection and inject ads. Use VPN + your own DNS. See our hotel WiFi VPN guide.

Airport WiFi — Captive portal sometimes HTTPS-only, which blocks VPN handshake until you accept the portal. Workaround: connect via mobile hotspot to accept the portal, then switch to airport WiFi with VPN.

Conference/event WiFi — High Evil Twin risk during tech events (people demonstrate the attack). Always verify SSID, prefer the conference's specifically dedicated network.

Café WiFi — The classic packet-sniffing scenario. Open networks are still common, even in 2026. VPN mandatory.

Companion tools

We maintain open-source detection tools that pair with this guide:

dns-leak-detector-cli — Python CLI to verify DNS isn't leaking on your VPN
webrtc-leak-detector — Single HTML file to check WebRTC isn't leaking your real IP
vpn-speed-tester — Python CLI to measure VPN overhead

All MIT licensed, zero-dependency, auditable.

Originally published on AnonymFlow — independent VPN/privacy tooling and research. Read our full methodology and the 95-session VPN streaming study.

I Replaced My AI Stack With One Open-Source Agent: Testing Hermes Agent for Real Work

Toheeb Temitope — Sun, 31 May 2026 10:47:08 +0000

This is a submission for the Hermes Agent Challenge: Write About Hermes Agent

The Modern AI Stack Is Getting Messy

If you’re building anything serious with AI today, your stack probably looks like this:

ChatGPT for general reasoning
Claude for long-form writing
Cursor for coding
Zapier for automation
Browser agents for web tasks
Perplexity / research tools for information gathering

Individually, each tool is powerful.

Together, they feel like a distributed system glued together with copy-paste, prompts, and hope.

At some point I started asking myself:

Could one agent replace most of this stack?

Not in theory.

But in real work.

That question led me to test Hermes Agent as a unified AI system.

Not a chatbot.

Not a plugin.

A full agent runtime.

What Is Hermes Agent (In Practice)?

Hermes Agent is an open-source agent framework built around one core idea:

AI systems should persist memory, execute workflows, and coordinate sub-agents over time.

Instead of isolated conversations, it introduces:

persistent memory layer
skill-based execution system
multi-agent workflows
tool integrations
long-running task orchestration

What stood out to me wasn’t a single feature.

It was the structure.

It behaves less like a chatbot and more like an operating environment for AI workers.

So I decided to test it like one.

Experimental Setup

I didn’t want synthetic benchmarks.

I wanted real work.

So I designed five practical tasks that mirror my daily engineering workflow.

Each task was evaluated across:

usefulness
reliability
consistency
autonomy
developer experience

Task 1: Research a Technical Topic

Objective

Research “multi-agent systems with shared memory architectures” and produce a structured summary.

Process

I gave Hermes a simple instruction:

“Research multi-agent systems with shared memory and summarize architectural patterns.”

Behind the scenes, the system:

spawned a research sub-agent
gathered relevant concepts
stored intermediate findings in memory
consolidated results through a summarization skill

Observations

What stood out immediately:

It did not just generate an answer
It constructed a research trail
It stored intermediate concepts
It reused earlier findings in refinement

Example memory entry (simplified):

memory.add({
  topic: "shared memory in multi-agent systems",
  key_insights: [
    "centralized vs distributed memory models",
    "coordination bottlenecks",
    "state consistency challenges"
  ]
})

Results

The final output was structured like:

architecture types
tradeoffs
real-world examples
limitations

Strengths

Strong synthesis capability
Good structuring of knowledge
Memory reuse improved coherence

Weaknesses

Slight repetition in early drafts
Occasional over-generalization

Score

Research: 8.5/10

Task 2: Write Technical Documentation

Objective

Generate documentation for a hypothetical API service with endpoints, authentication, and examples.

Process

I used a documentation skill:

“Generate API documentation for a user authentication service with JWT.”

Hermes:

referenced previous memory patterns for API docs
used structured documentation templates
generated examples automatically

Example Output Snippet

POST /auth/login

Request:
{
  "email": "user@example.com",
  "password": "securepassword"
}

Response:
{
  "token": "jwt_token_here"
}

Observations

The output was consistent with prior documentation style (from memory)
It maintained formatting across sections
It reused structure patterns automatically

Strengths

Consistency across sections
Good template reuse
Minimal prompting required

Weaknesses

Limited creativity in explanation style
Sometimes too “templated”

Score

Documentation: 8/10

Task 3: Manage Project Memory

Objective

Simulate a project over multiple interactions and test whether Hermes retains context.

Process

I created a fake project:

“A SaaS analytics dashboard for developer metrics.”

Over multiple sessions, I added:

product decisions
UI choices
tech stack changes
user feedback

Observations

This is where Hermes clearly diverged from traditional AI tools.

It maintained:

decision history
evolving architecture
unresolved tradeoffs

Example memory evolution:

v1: React + Firebase
v2: Switched to Next.js + Supabase
reason: scalability concerns

Later:

“Use Supabase as previously decided in v2 architecture.”

Strengths

Strong continuity across sessions
Reduced need for re-explaining context
Decision tracking worked surprisingly well

Weaknesses

Memory occasionally lacked prioritization
Some outdated entries persisted too long

Score

Memory: 9/10

Task 4: External Tool Usage

Objective

Simulate integration with external APIs and tools (web search, data fetch, mock APIs).

Process

I asked:

“Fetch latest trends in AI agent frameworks and summarize.”

Hermes:

triggered a tool integration workflow
delegated retrieval to a sub-agent
consolidated results

Observations

Tool usage felt structured:

clear separation between retrieval and reasoning
results stored in memory for later reuse
tool outputs treated as first-class data

Example Workflow

Agent → Tool Request → External API
      → Sub-Agent Processing
      → Memory Storage
      → Final Synthesis

Strengths

Clean tool abstraction
Reusable tool outputs
Good workflow orchestration

Weaknesses

Integration setup still requires engineering effort
Not plug-and-play like Zapier

Score

Automation: 8/10

Task 5: Multi-Step Planning

Objective

Plan a full MVP for a developer productivity tool.

Process

I gave a broad prompt:

“Plan an MVP for a developer analytics tool with onboarding, metrics, and dashboards.”

Hermes:

created a planning sub-agent
broke task into phases
stored milestones in memory
refined plan iteratively

Example Plan Structure

Phase 1: Data ingestion
Phase 2: Metrics engine
Phase 3: Dashboard UI
Phase 4: API integrations
Phase 5: Deployment

Observations

The most impressive part was iteration.

Each refinement built on previous planning state.

Strengths

Strong decomposition skills
Persistent planning state
Clear execution roadmap

Weaknesses

Sometimes over-engineered plans
Needed constraint tuning

Score

Planning: 8.5/10

Overall Scorecard

Category	Score
Research	8.5/10
Planning	8.5/10
Memory	9/10
Automation	8/10
Developer Experience	7.5/10

Where Hermes Agent Becomes Clearly Better

Compared to traditional AI tools:

1. Continuity

Most AI tools reset after every session.

Hermes does not.

This alone changes workflows significantly.

2. Memory-Driven Decisions

Instead of re-explaining context:

decisions persist
architecture evolves
preferences accumulate

3. Workflow Composition

Instead of single prompts:

multi-step execution chains
reusable skills
persistent state

4. Multi-Agent Execution

Tasks are no longer linear.

They become parallelized across sub-agents.

Where Dedicated Tools Still Win

To be clear, Hermes is not a replacement for everything.

1. Cursor still wins in IDE experience

real-time code navigation
deep repository awareness
UI integration

2. Zapier still wins in plug-and-play automation

zero setup workflows
hundreds of integrations

3. ChatGPT / Claude still win in simplicity

instant responses
no system setup
lower cognitive overhead

The Tradeoff Is Clear

Hermes is powerful.

But it is also:

more complex
more architectural
more system-oriented

It behaves less like a tool and more like a platform.

Would I Use Hermes Agent Every Day?

Yes — but not as a replacement for everything.

I would use it as:

a long-running project brain
a research companion
a planning system
a memory layer for engineering work

Not as:

a quick Q&A chatbot
a lightweight writing assistant

It shines when:

context matters over time.

Who Should Use Hermes Agent Right Now?

Hermes Agent is most useful for:

AI engineers building multi-step systems
startup teams managing evolving context
researchers tracking long-term work
developers building agentic workflows
anyone tired of re-explaining context to AI tools

It is not ideal for:

casual chat use
single-turn queries
lightweight automation

Final Thoughts

Testing Hermes Agent felt less like testing a chatbot…

and more like testing an early version of an AI operating layer.

Not perfect.

Not simple.

But structurally different.

And that difference matters.

Because the real question is no longer:

“How smart is the model?”

But instead:

“How much does the system remember, coordinate, and evolve over time?”

And on that axis, Hermes Agent points in a direction most AI tools are not even trying to go yet.

I let the AI write the report, not decide the alerts

TiltedLunar123 — Sun, 31 May 2026 10:45:18 +0000

I've been building a SOC triage tool called TriageLens, and the whole thing started from one annoyance. Every "AI security analyst" demo I tried was just a chatbot with a log pasted into the prompt. Ask it twice, get two different verdicts. For triage that's useless. If the tool says "brute force, critical" one run and "looks fine" the next, I can't trust either answer.

So I drew a hard line early. The AI doesn't get to decide what's a finding. It only gets to write the finding up.

the split

Parsing, detection, and risk scoring are plain TypeScript. No model involved. The pipeline normalizes Windows Security 4688, Sysmon Event 1, Linux SSH auth.log, and generic JSON into one event shape, runs a list of detection rules over those events, and scores the result 0-100. All deterministic. Same logs in, same findings out, every time.

The AI layer sits at the very end. It takes the structured findings that already exist and turns them into analyst-style prose: a summary, per-finding notes, prioritized next steps. If I swap the provider from the built-in demo one to Ollama to Claude, the findings and the MITRE mapping don't move at all. Only the wording changes.

That property is the part I actually care about. The detections are auditable. The model is just the writer.

a rule is just a function

Each detection rule is a pure function that looks at the events and returns evidence strings. Empty array means it didn't fire. Here's the one I'm happiest with, the chained one:

{
  id: 'successful-auth-after-brute-force',
  title: 'Successful login after brute-force activity',
  severity: 'critical',
  techniques: techniques('T1110', 'T1078'),
  detect: (events) => {
    const failsByIp = countFailuresByIp(events)
    const evidence: string[] = []
    for (const e of events) {
      if (
        e.eventId === 'auth-success' &&
        e.sourceIp &&
        (failsByIp[e.sourceIp] ?? 0) >= 5
      ) {
        evidence.push(
          `Successful login for "${e.user}" from ${e.sourceIp} after ${failsByIp[e.sourceIp]} failures`,
        )
      }
    }
    return evidence
  },
}

On its own, a pile of failed SSH logons is just noise. Lots of hosts get sprayed all day. What changes the picture is a success from the same IP that just failed a bunch. The brute-force rule alone is high. The success-after-brute-force rule is critical, mapped to T1110 and T1078, because at that point you're probably looking at a real compromise, not background scanning.

Writing it as a plain function means I can unit test it with a handful of fake events and know it fires on exactly the case I want. No prompt tuning, no "please respond in JSON." countFailuresByIp is about six lines and counts auth-failure events per source IP. The whole rule file reads top to bottom like a checklist.

what I tried first and dropped

My first version actually did hand the raw logs to the model and ask it to return findings as JSON. It worked in the demo and fell apart the moment I fed it anything weird. Sometimes it invented an event ID that wasn't in the log. Once it confidently flagged a normal svchost as a LOLBin. And the JSON would occasionally come back with a trailing comment or markdown fence that broke the parser.

I spent a day trying to prompt my way out of that and then gave up on the approach entirely. Moving detection into code wasn't a performance decision, it was a "I need to be able to trust this" decision. The model is great at writing the summary. It's bad at being the source of truth.

what's still rough

The honest part. It only reads EVTX if you've already exported it to JSON. There's no native .evtx binary parser yet, which is the next thing on the roadmap, and right now that export step is an annoying manual hop. The rule set is small, seven rules, so it catches the obvious stuff (encoded PowerShell, Office spawning a child process, log clearing, the SSH chain) and misses plenty. I want Sigma import so I'm not the only one writing detections in my own format.

It also isn't a SIEM and I'm not pretending it is. It's a learning project and a triage aid. It does not replace tuned detection content or a human deciding what matters.

It runs with zero setup though. npm install, npm run dev, a sample log is already loaded, click Analyze. The default provider needs no API key, so you can see the whole loop without signing up for anything.

Repo's here if you want to poke at it or tell me which rule is wrong: https://github.com/TiltedLunar123/triagelens

Built with React, TypeScript, Vite, and vitest for the rule tests. Happy to take detection ideas, that's the part I most want to grow.

DEV Community

Building in public, week 11: 143 pages indexed, a TinyPNG alternative in Rust

What I shipped

1. Internal linking between blog and converter (the debt I kept dodging)

2. Image compression a free TinyPNG alternative, in Rust.

3. Blog post #4

The numbers

Housekeeping wins

Next week (12)

Python Programming for Beginners – Day 4

Python #PythonForBeginners #CodingJourney #LearnPython #Programming

How I built a World Cup prediction app with 0 frameworks, 100% privacy, and hit #1 on ChatGPT

What I Learned Building a Redis Clone in C++

What I Learned Building a Redis Clone in C++

What Is a Key-Value Store?

The Plan

Step 1: The TCP Server

Step 2: Parsing Commands

Step 3: LRU Eviction

Step 4: Disk Persistence

Step 5: Benchmarks vs Redis

What the Numbers Don't Tell You

Other Limitations (Being Honest)

What I Actually Learned

The Code

When the Corporation Is the Regulator

The Anatomy of a Sovereign AI Play

When Sovereignty Meets the Sovereign Landing Zone

The EU AI Act and the Compliance Calendar

Canada's Regulatory Vacuum and the Corporate Governance Paradox

Responsible AI Tooling and the Measurement Problem

The Frontier Governance Framework and Corporate Accountability

Divergent Frameworks and the Replicability Question

Building Governance That Outlasts the Press Release

What Replicable Governance Actually Requires

References and Sources

Pre-Code Planning Stopped Me From Getting Stuck on a 3-Hour ETL Pipeline

The Problem with "Figuring it out as you go"

What I Did Differently This Time

The Result

Cómo solucionar `OSError: [Errno 13] Permission denied` al usar `pip install`

Cómo solucionar OSError: [Errno 13] Permission denied al usar pip install

¿Por qué ocurre este error?

Pasos para solucionarlo definitivamente

✅ Solución recomendada: Usa entornos virtuales (vía venv o conda)

1. Crea un entorno virtual aislado

2. Activa el entorno

3. Instala las dependencias dentro del entorno

⚠️ Solución alternativa (solo si NO puedes usar entornos virtuales)

Opción A: Instala solo para el usuario actual (sin sudo)

Opción B: Cambia los permisos del directorio (riesgoso)

Bloque de código corregido (ejemplo práctico)

Pro-tip: Evita sudo pip install a toda costa

From Smart Contract Hell to JavaScript Solace: Building ArdhiChain for a 36-Hour Hackathon

In the beginning...

Thursday Morning: The Overconfidence Phase

Thursday Night: The Web3 Integration Nightmare

Friday Morning: Panic, Then Solace

1. Built a Mock Provider Fallback

2. Optimistic UI with Local Cache

3. Transaction State Machine with useReducer

4. Friday 10:30 AM - MVP Ready

What I Actually Shipped

From Smart Contract Hell to JavaScript Solace: Building ArrdhiChain for a 36-Hour Hackathon

The Hard Truth About Hackathon Web3

What I'd Do Differently (And What I'm Keeping)

Final Thoughts

web3 #hackathon #javascript #polygon #solidity #buildinpublic #devjournal

I built a browser number strategy game where arithmetic becomes board control

The idea

How it works

Three modes are live

The hardest problem was onboarding

The stack

Try it

Public WiFi in 2026: What's Actually Risky and What Isn't

TL;DR

What actually happens on a public WiFi connection

The 6 documented attacks on public WiFi in 2025-2026

Man-in-the-Middle (MITM)

Cómo solucionar `OSError: [Errno 13] Permission denied` al usar `pip install`

✅ Solución recomendada: Usa entornos virtuales (vía `venv` o `conda`)

Opción A: Instala solo para el usuario actual (sin `sudo`)

Pro-tip: Evita `sudo pip install` a toda costa