The latest articles on DEV Community by M Hossein (@_mh). https://dev.to/_mh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F169516%2Fb3bc3f9a-6dfa-45b1-8e15-83d3afc57ba1.jpeg https://dev.to/_mh en M Hossein Tue, 23 Jun 2026 12:46:23 +0000 https://dev.to/_mh/i-switched-on-production-evals-for-my-llm-app-and-they-scored-nothing-4po2 https://dev.to/_mh/i-switched-on-production-evals-for-my-llm-app-and-they-scored-nothing-4po2 <p><strong>What data privacy taught me about online evals, and why I stopped treating LLM prompts like magic and started treating them like hostile user input.</strong></p> <h3> The Context &amp; The Constraint </h3> <p>I am building a meeting assistant that fact-checks claims in real time. Because it processes meeting audio in the EU, it is bound by strict data residency rules: personal data and transcripts cannot arbitrarily leave our European infrastructure.</p> <p>This introduces a fundamental distributed systems headache when we introduce <strong>Online Evaluations</strong>.</p> <p>Online evals run after you ship, on live traffic. There is no answer key. Instead, you score live outputs for qualitative properties: <em>Is this answer actually grounded in its sources? Is the model hallucinating?</em> To do this, an evaluator needs to look at the inputs and outputs.</p> <p>I wired up tracing, wrote an LLM judge, enabled LangSmith’s online evaluator, and waited for the scores to roll in. Nothing came back. Not a failure, not an error—just an endless stream of empty dashboards. The reason is a trap that is trivial to fall into, and it requires rethinking how we handle telemetry at the edge.</p> <h3> The Naive Approach (The MVP) </h3> <p>The standard, happy-path implementation for online evals assumes a globally unified system where data flows freely. You pipe your inputs, outputs, and intermediate states to an observability platform, and a cloud-hosted LLM judge scores them asynchronously.</p> <p>Because of EU data rules, I had aggressively masked my traces. I configured my LangSmith client to strip all inputs and outputs before they left my server. LangSmith kept the metadata (latency, tokens) and nothing else.</p> <p>Great for privacy. Fatal for evaluations. The evaluator opened the trace, found an empty object, and scored nothing. It failed silently because it was doing exactly what I configured it to do. But fixing this by simply "turning off masking" wasn't a legal option, and running the judge synchronously in the application code is an operational death sentence.</p> <h3> The Architectural Evolution (Iterative Refinement) </h3> <p>Building a robust evaluation pipeline at the edge is not about just wiring APIs together; it is about respecting the physical limits of your compute environment and the failure modes of generative models.</p> <h4> Subsystem 1: Tracing Without Leaking </h4> <ul> <li> <strong>The Pitfall:</strong> Treating data masking as a boolean operation—send everything or send nothing. Sending nothing blinds your telemetry; sending everything violates data residency.</li> <li> <strong>The Fix:</strong> The masking hook isn't a toggle; it’s a transformation function. We can store a derived, safe projection of the data.</li> <li> <strong>The Hidden Pitfall:</strong> If you simply hash the text, you lose all semantic value for your downstream judge. If you extract entities, you risk accidentally leaking PII inside those entities.</li> <li> <strong>The Definitive Fix:</strong> We emit structurally safe telemetry. No transcripts, no raw claims. We emit hashes for correlation, array lengths for shape validation, and enums for state. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">new</span> <span class="nc">Client</span><span class="p">({</span> <span class="na">hideInputs</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({}),</span> <span class="c1">// Store a cryptographically safe, structural projection</span> <span class="na">hideOutputs</span><span class="p">:</span> <span class="p">(</span><span class="nx">outputs</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">outputs</span><span class="p">?.</span><span class="nx">cards</span> <span class="p">?</span> <span class="nf">projectForEval</span><span class="p">(</span><span class="nx">outputs</span><span class="p">)</span> <span class="p">:</span> <span class="p">{}),</span> <span class="p">});</span> <span class="kd">function</span> <span class="nf">projectForEval</span><span class="p">(</span><span class="nx">state</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">verdicts</span><span class="p">:</span> <span class="nx">state</span><span class="p">.</span><span class="nx">cards</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">verdict</span><span class="p">:</span> <span class="nx">c</span><span class="p">.</span><span class="nx">verdict</span><span class="p">,</span> <span class="c1">// Strict enum (SUPPORTED, CONTRADICTED)</span> <span class="na">claimHash</span><span class="p">:</span> <span class="nf">sha256</span><span class="p">(</span><span class="nx">c</span><span class="p">.</span><span class="nx">claim</span><span class="p">),</span> <span class="c1">// Correlation without exposure</span> <span class="na">sourceDomains</span><span class="p">:</span> <span class="nx">c</span><span class="p">.</span><span class="nx">sources</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">host</span><span class="p">),</span> <span class="c1">// FQDNs only, no paths</span> <span class="na">evidenceLen</span><span class="p">:</span> <span class="nx">c</span><span class="p">.</span><span class="nx">evidence</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="c1">// Shape validation</span> <span class="p">})),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>This allows our online evaluators to run cheap, deterministic checks (e.g., <em>Did every card cite a valid domain?</em>) without exposing a single sensitive byte.</p> <h4> Subsystem 2: The LLM Judge &amp; Edge Constraints </h4> <ul> <li> <strong>The Pitfall:</strong> To check if evidence is actually faithful to a transcript, an LLM judge <em>must</em> see the text. To keep the text in the EU, I initially ran the judge synchronously inside my Cloudflare Worker: <code>await judge(card, sources);</code>. This instantly triggered CPU and wall-clock timeouts. Cloudflare Workers are built for fast I/O, not blocking for 4 seconds while an LLM grades homework.</li> <li> <strong>The Fix:</strong> Decouple the evaluation from the critical path using Cloudflare's <code>ctx.waitUntil()</code>, allowing the worker to return the user's response immediately while the judge runs in the background.</li> <li> <strong>The Hidden Pitfall:</strong> <strong>The Poison Pill.</strong> LLMs are non-deterministic. If your background judge hallucinates malformed JSON or markdown backticks, <code>const { score } = JSON.parse(llmOutput)</code> will throw a runtime exception. Because this is happening in <code>waitUntil()</code>, the error is swallowed, and your telemetry pipeline silently drops the trace.</li> <li> <strong>The Definitive Fix:</strong> Shift to an asynchronous queue with strict parsing and Dead Letter Queues (DLQ). The edge worker drops the task onto a Cloudflare Queue. A separate background consumer processes the LLM judgment with defensive validation (e.g., Zod). If the LLM returns garbage, it fails the parse and is routed to a DLQ, preserving the pipeline's integrity. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Edge Worker: Fire and forget. Never block the user.</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">env</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">handleMeeting</span><span class="p">(</span><span class="nx">req</span><span class="p">);</span> <span class="c1">// Offload evaluation to a background queue</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">EVAL_QUEUE</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">runId</span><span class="p">:</span> <span class="nx">currentRunId</span><span class="p">,</span> <span class="na">card</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">card</span><span class="p">,</span> <span class="na">sources</span><span class="p">:</span> <span class="nx">response</span><span class="p">.</span><span class="nx">sources</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Queue Consumer: Defensive parsing.</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">queue</span><span class="p">(</span><span class="nx">batch</span><span class="p">,</span> <span class="nx">env</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">msg</span> <span class="k">of</span> <span class="nx">batch</span><span class="p">.</span><span class="nx">messages</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">rawLLMOutput</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">runLocalEUJudge</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">card</span><span class="p">,</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">sources</span><span class="p">);</span> <span class="c1">// DEFENSIVE: Never trust LLM output structure</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">EvalSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">rawLLMOutput</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">DLQ</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">error</span><span class="p">,</span> <span class="na">raw</span><span class="p">:</span> <span class="nx">rawLLMOutput</span> <span class="p">});</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// DEFENSIVE: Do not block main edge traffic on third-party API limits</span> <span class="k">await</span> <span class="nx">env</span><span class="p">.</span><span class="nx">LANGSMITH</span><span class="p">.</span><span class="nf">createFeedback</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">runId</span><span class="p">,</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">"</span><span class="s2">faithfulness</span><span class="dl">"</span><span class="p">,</span> <span class="na">score</span><span class="p">:</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">score</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Eval pipeline failed</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Subsystem 3: The Prompt Versioning Illusion </h4> <ul> <li> <strong>The Pitfall:</strong> The rubric that dictates whether a claim is "supported" or "contradicted" lives in the prompt. Prompts are usually treated as disposable strings. LangSmith's Prompt Hub offers a neat solution: a UI to edit prompts and a <code>:production</code> label to pull them dynamically.</li> <li> <strong>The Fix:</strong> Fetch the <code>:production</code> prompt at runtime so the application always uses the latest logic.</li> <li> <strong>The Hidden Pitfall:</strong> Fetching a prompt mid-request on a stateless edge node is a blocking network call on the hot path. It adds 100ms+ of latency to every interaction and creates a single point of failure. If the Hub goes down, your app goes down.</li> <li> <strong>The Definitive Fix:</strong> Treat prompts strictly as immutable source code. You cannot rely on a third-party UI state to dictate edge execution reality. CI/CD pulls the specific, version-pinned prompt at <em>build time</em>, writes it to a constant, and bundles it.</li> </ul> <blockquote> <p>"One-click rollback" via a UI label is a dangerous illusion in distributed systems. If the prompt is baked into the build, changing the label does nothing until the CDN finishes propagating the new deployment. Architecture must respect the physical reality of the deployment pipeline.</p> </blockquote> <h3> The Takeaway </h3> <p>Whiteboard architectures assume networks are perfectly reliable, external APIs never degrade, and LLMs always return beautifully formatted JSON. Production environments laugh at these assumptions.</p> <p>Online evaluations are not free. They cost compute, they cost latency, and they introduce entirely new failure domains into your infrastructure. Building an LLM app requires epistemic humility—accepting that the model <em>will</em> fail, the judge <em>will</em> hallucinate, and the network <em>will</em> stall.</p> <p>By pushing heavy evaluations to asynchronous queues, defensively parsing every output like it's hostile user input, and binding prompts to immutable build artifacts, we turn a fragile "happy path" demo into a hardened, mechanically sound system. It’s boring plumbing, but boring plumbing is the only thing that survives production.</p> llm monitoring privacy testing M Hossein Thu, 11 Jun 2026 06:01:00 +0000 https://dev.to/_mh/stop-shipping-bloat-7-steps-to-15x-faster-90-smaller-docker-builds-4161 https://dev.to/_mh/stop-shipping-bloat-7-steps-to-15x-faster-90-smaller-docker-builds-4161 <p>We’ve all seen it: a simple service wrapped in a Docker image that tips the scales at <strong>1.2GB</strong> and drags down CI/CD pipelines with a <strong>4-minute build time</strong>.</p> <p>It’s a massive waste of storage, bandwidth, and engineering time. It doesn't have to be this way. With a few intentional tweaks to your <code>Dockerfile</code>, you can drop that image down to under <strong>80MB</strong> and cut build times to less than <strong>20 seconds</strong>.</p> <p>Here is a practical checklist to optimize your container builds, moving from a bloated, slow configuration to a lean, production-ready image.</p> <h2> 1. Leverage Multi-Stage Builds </h2> <p>Your compiler, development dependencies, and local build caches have no business being in your production environment. Multi-stage builds allow you to install tools and compile your application in an initial heavy stage, then copy <em>only</em> the compiled artifacts into a completely fresh, minimal final runtime stage.</p> <h2> 2. Pick a Smaller Base &amp; Pin Your Versions </h2> <p>Using a generic tag like <code>node:20</code> pulls in a massive Debian image (~1.1GB) packed with build utilities you rarely need in production. Moving to <code>node:20-slim</code> (~240MB) or <code>node:20-alpine</code> (~135MB) dramatically shrinks your baseline.</p> <p>Additionally, <strong>never use floating tags</strong> like <code>latest</code> or <code>20-alpine</code>. If the underlying image updates overnight, your builds can break with zero code changes. Always pin explicit versions for both the language runtime and the OS base.</p> <h2> 3. Order Layers by Invalidation Frequency </h2> <p>Docker caches layers sequentially. If a layer changes, <strong>every subsequent layer is invalidated</strong> and forced to rebuild from scratch.</p> <p>Since your source code changes on every single commit, but your package dependencies don't, you should copy your dependency manifests and install packages <em>before</em> introducing your actual application code. This is the single biggest win for CI/CD performance.</p> <h2> The Antipattern vs. The Optimized Pattern </h2> <p>Let's look at a typical, inefficient <code>Dockerfile</code> versus an optimized version incorporating these rules.</p> <h3> The Bloated Approach (What to Avoid) </h3> <p>This single-stage approach copies everything at once, runs as <code>root</code>, uses a massive floating base image, and busts the cache on every minor code tweak.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># 1.1GB Floating Base</span> <span class="k">FROM</span><span class="s"> node:20</span> <span class="c"># Everything is copied early - any code change busts the cache for dependency installs</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Massive node_modules and build tools stay in the final image</span> <span class="k">RUN </span>npm <span class="nb">install</span> <span class="k">RUN </span>npm run build <span class="c"># Runs as root by default</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "dist/main.js"]</span> </code></pre> </div> <h3> The Optimized Approach (Production-Ready) </h3> <p>Here is the exact same application rewritten using multi-stage builds, an Alpine base, pinned versions, correct layer ordering, non-root execution, and chained commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># ==========================================</span> <span class="c"># STAGE 1: Build &amp; Compilation</span> <span class="c"># ==========================================</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20.11.1-alpine3.19</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy dependency files first to utilize cached layers</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Install all dependencies (including devDeps for build)</span> <span class="k">RUN </span>npm ci <span class="c"># Copy the rest of the application source code</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="c"># Build the production artifact</span> <span class="k">RUN </span>npm run build <span class="c"># ==========================================</span> <span class="c"># STAGE 2: Lightweight Production Runtime</span> <span class="c"># ==========================================</span> <span class="k">FROM</span><span class="w"> </span><span class="s">node:20.11.1-alpine3.19</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">runner</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Set production environment flags</span> <span class="k">ENV</span><span class="s"> NODE_ENV=production</span> <span class="c"># Copy only the necessary runtime configuration and compiled artifacts</span> <span class="k">COPY</span><span class="s"> package*.json ./</span> <span class="c"># Chained RUN: Install production-only dependencies and clean npm cache in one layer</span> <span class="k">RUN </span>npm ci <span class="nt">--only</span><span class="o">=</span>production <span class="o">&amp;&amp;</span> npm cache clean <span class="nt">--force</span> <span class="c"># Copy compiled JavaScript from the builder stage</span> <span class="k">COPY</span><span class="s"> --from=builder /app/dist ./dist</span> <span class="c"># Run as a non-privileged system user instead of root</span> <span class="k">USER</span><span class="s"> node</span> <span class="k">EXPOSE</span><span class="s"> 3000</span> <span class="k">CMD</span><span class="s"> ["node", "dist/main.js"]</span> </code></pre> </div> <h2> 4. Don't Skip the <code>.dockerignore</code> </h2> <p>If you don't explicitly ignore files, your local build context copies everything in your directory directly into the Docker daemon. This means your massive local <code>node_modules</code>, heavy <code>.git</code> history, temporary logs, and local environment variables are sent to the build context, needlessly breaking your cache.</p> <p>Spend 10 seconds creating a <code>.dockerignore</code> file in your root directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>node_modules .git .github .env *.log npm-debug.log* dist build .coverage </code></pre> </div> <h2> 5. Chain Your <code>RUN</code> Commands </h2> <p>Every single <code>RUN</code>, <code>COPY</code>, and <code>ADD</code> instruction in a <code>Dockerfile</code> creates a new read-only layer. If you install an OS package on one line and delete its cache on the next line, that deleted data <strong>is still stored</strong> in the underlying layer history.</p> <p>To actually shrink your image size, you must install, utilize, and clean up within a single chained <code>RUN</code> instruction using <code>&amp;&amp;</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># DO NOT DO THIS: The apt cache lives forever in layer history</span> <span class="k">RUN </span>apt-get update <span class="k">RUN </span>apt-get <span class="nb">install</span> <span class="nt">-y</span> curl <span class="k">RUN </span><span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="c"># DO THIS: Cleanup happens in the exact same layer mutation</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> <span class="se">\ </span> apt-get <span class="nb">install</span> <span class="nt">-y</span> curl <span class="o">&amp;&amp;</span> <span class="se">\ </span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> </code></pre> </div> <h2> Summary Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Strategy</th> <th>Action</th> <th>Primary Benefit</th> </tr> </thead> <tbody> <tr> <td><strong>Multi-Stage Builds</strong></td> <td>Separate compiling from running via <code>AS builder</code>.</td> <td>Drops image size by omitting build-only tooling.</td> </tr> <tr> <td><strong>Slim Pinned Bases</strong></td> <td>Use tags like <code>node:20.11.1-alpine3.19</code>.</td> <td>Drops baseline footprint; prevents floating breakages.</td> </tr> <tr> <td><strong>Smart Layer Ordering</strong></td> <td>Copy manifests and run installs <em>before</em> copying source.</td> <td>Keeps expensive installation steps cached in CI/CD.</td> </tr> <tr> <td> <strong>Add `.dockerignore</strong>`</td> <td>Strip out local tooling, hidden files, and <code>node_modules</code>.</td> <td>Speeds up build context initialization; protects cache.</td> </tr> <tr> <td><strong>Chain Commands</strong></td> <td>Combine commands and cleanups (<code>&amp;&amp;</code>) in single <code>RUN</code> lines.</td> <td>Minimizes unnecessary filesystem layer overhead.</td> </tr> <tr> <td><strong>Drop Privileges</strong></td> <td>Switch context via <code>USER node</code> or an equivalent non-root UID.</td> <td>Mitigates severe container-escape security vulnerabilities.</td> </tr> </tbody> </table></div> <blockquote> <p><strong>A Note on ML and Heavy Pipelines:</strong> While the examples above target Node.js, these exact structural patterns apply identically to Python or Go. Poor layer ordering and careless copying of dataset files or massive build-time dependencies (like heavy C++ bindings or CUDA build-essential wrappers) are often the silent killers of CI/CD performance in machine learning and data pipelines. Fix your layer sequences, isolate your dependencies, and keep your containers lean.</p> </blockquote> M Hossein Wed, 10 Jun 2026 06:07:00 +0000 https://dev.to/_mh/multi-vps-distributed-n8n-cluster-on-ubuntu-2404-with-an-ipip-tunnel-1i4i https://dev.to/_mh/multi-vps-distributed-n8n-cluster-on-ubuntu-2404-with-an-ipip-tunnel-1i4i <p>When running automation tools like <strong>n8n</strong> for personal or production workflows, you quickly run into resource walls if you stick to the default configuration. A standalone SQLite setup can experience performance drops under load, and heavy processing inside JavaScript/Python nodes can easily stall the primary web service or exhaust single-server resources.</p> <p>In this guide, we will step through how to architecture a decentralized, enterprise-grade n8n cluster split across <strong>two separate Ubuntu 24.04 VPS instances</strong> using the open-source community edition.</p> <p>We will completely isolate the execution engine from the control plane using a lightweight <strong>IPIP (IP-in-IP) tunnel</strong>, proxying incoming traffic via <strong>Nginx</strong>, and managing tasks asynchronously through a <strong>PostgreSQL 16</strong> and <strong>Redis 7</strong> backend backbone.</p> <h2> The Target Architecture </h2> <p>Instead of over-engineering the infrastructure with complex orchestrators, we split our environment into two lightweight planes over a private network connection:</p> <ul> <li> <strong>VPS 1: The Control Plane (Main Node)</strong> – Handles the web UI, external webhook endpoints via Nginx SSL, the PostgreSQL database, and the Redis message broker.</li> <li> <strong>VPS 2: The Execution Plane (Worker Node)</strong> – A stateless compute node dedicated purely to listening to the Redis queue, crunching complex data, and reporting back via the private tunnel network.</li> </ul> <h2> Step 1: Base Server Prep &amp; Official Docker Installation </h2> <p>We begin by prepping both <strong>Ubuntu 24.04 LTS</strong> machines with baseline utilities, Python dependencies, and the official Docker engine repository.</p> <p>Run these commands on <strong>both servers</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Update base system packages</span> <span class="nb">sudo </span>apt update <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> <span class="c"># Install essential dependencies</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> curl wget unzip git vim build-essential net-tools <span class="c"># Set up Python runtimes</span> <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> python3 python3-pip python3-dev </code></pre> </div> <h3> Installing Docker using the Modern Apt Sources Method </h3> <p>Ubuntu 24.04 drops legacy <code>apt-key</code> procedures. We install the official engine using the modern <code>.sources</code> system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Add Docker's official GPG key</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install </span>ca-certificates curl <span class="nb">sudo install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings <span class="nb">sudo </span>curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg <span class="nt">-o</span> /etc/apt/keyrings/docker.asc <span class="nb">sudo chmod </span>a+r /etc/apt/keyrings/docker.asc <span class="c"># Register the Docker repository configuration using DEB822 format</span> <span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.sources <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> Types: deb URIs: https://download.docker.com/linux/ubuntu Suites: </span><span class="se">\$</span><span class="sh">(. /etc/os-release &amp;&amp; echo "</span><span class="se">\$</span><span class="sh">{UBUNTU_CODENAME:-</span><span class="se">\$</span><span class="sh">VERSION_CODENAME}") Components: stable Architectures: </span><span class="se">\$</span><span class="sh">(dpkg --print-architecture) Signed-By: /etc/apt/keyrings/docker.asc </span><span class="no">EOF </span><span class="c"># Install the engine components and the compose plugin</span> <span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin </code></pre> </div> <h2> Step 2: Provisioning a Persistent Private IPIP Tunnel </h2> <p>To safely expose PostgreSQL and Redis across our servers without leaving open holes to the public internet, we build a private point-to-point network using an kernel-level IPIP tunnel.</p> <p>We want <code>VPS 1 (Main)</code> to live on private IP <code>10.0.0.1</code> and <code>VPS 2 (Worker)</code> on <code>10.0.0.2</code>.</p> <p>Create the following script named <code>setup-tunnel.sh</code> on <strong>both nodes</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Usage: sudo ./setup-tunnel.sh &lt;MAIN_PUBLIC_IP&gt; &lt;WORKER_PUBLIC_IP&gt; --install</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$EUID</span><span class="s2">"</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"❌ Please run as root (sudo)."</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nv">MAIN_IP</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">WORKER_IP</span><span class="o">=</span><span class="nv">$2</span> <span class="nv">INSTALL_PERSISTENCE</span><span class="o">=</span><span class="nb">false </span><span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"--install"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">INSTALL_PERSISTENCE</span><span class="o">=</span><span class="nb">true </span><span class="k">fi </span>configure_tunnel<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"⚙️ Initializing IPIP Tunnel Configuration..."</span> modprobe ipip <span class="k">if </span>ip <span class="nb">link </span>show tun0 <span class="o">&gt;</span>/dev/null 2&gt;&amp;1<span class="p">;</span> <span class="k">then </span>ip <span class="nb">link set </span>tun0 down ip tunnel del tun0 <span class="k">fi if </span>ip addr | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"</span><span class="nv">$MAIN_IP</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"🖥️ Configuring: MAIN VPS"</span> ip tunnel add tun0 mode ipip remote <span class="s2">"</span><span class="nv">$WORKER_IP</span><span class="s2">"</span> <span class="nb">local</span> <span class="s2">"</span><span class="nv">$MAIN_IP</span><span class="s2">"</span> ttl 255 ip addr add 10.0.0.1/30 dev tun0 ip <span class="nb">link set </span>tun0 up <span class="nb">echo</span> <span class="s2">"✅ Tunnel 'tun0' is UP. Local private IP: 10.0.0.1"</span> <span class="k">elif </span>ip addr | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"</span><span class="nv">$WORKER_IP</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"👷 Configuring: WORKER VPS"</span> ip tunnel add tun0 mode ipip remote <span class="s2">"</span><span class="nv">$MAIN_IP</span><span class="s2">"</span> <span class="nb">local</span> <span class="s2">"</span><span class="nv">$WORKER_IP</span><span class="s2">"</span> ttl 255 ip addr add 10.0.0.2/30 dev tun0 ip <span class="nb">link set </span>tun0 up <span class="nb">echo</span> <span class="s2">"✅ Tunnel 'tun0' is UP. Local private IP: 10.0.0.2"</span> <span class="k">else </span><span class="nb">echo</span> <span class="s2">"❌ Error: Public IP does not match local interfaces."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="o">}</span> configure_tunnel <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$INSTALL_PERSISTENCE</span><span class="s2">"</span> <span class="o">=</span> <span class="nb">true</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nv">SCRIPT_PATH</span><span class="o">=</span><span class="s2">"/usr/local/bin/ipip-tunnel-setup.sh"</span> <span class="nb">cp</span> <span class="s2">"</span><span class="nv">$0</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$SCRIPT_PATH</span><span class="s2">"</span> <span class="nb">chmod</span> +x <span class="s2">"</span><span class="nv">$SCRIPT_PATH</span><span class="s2">"</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; /etc/systemd/system/ipip-tunnel.service [Unit] Description=Maintain Persistent IPIP Tunnel between n8n Nodes After=network-online.target Wants=network-online.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=</span><span class="nv">$SCRIPT_PATH</span><span class="sh"> </span><span class="nv">$MAIN_IP</span><span class="sh"> </span><span class="nv">$WORKER_IP</span><span class="sh"> [Install] WantedBy=multi-user.target </span><span class="no">EOF </span> systemctl daemon-reload systemctl <span class="nb">enable </span>ipip-tunnel.service <span class="nb">echo</span> <span class="s2">"🌟 Systemd persistence initialized."</span> <span class="k">fi</span> </code></pre> </div> <p>Execute this script on <strong>both servers</strong> using your public IPs to establish the link permanently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x setup-tunnel.sh <span class="nb">sudo</span> ./setup-tunnel.sh &lt;MAIN_PUBLIC_IP&gt; &lt;WORKER_PUBLIC_IP&gt; <span class="nt">--install</span> </code></pre> </div> <p>Verify the interface link by runnning a quick check from your main node: <code>ping -c 3 10.0.0.2</code>.</p> <h2> Step 3: Deploying the Control Plane (VPS 1) </h2> <p>With our private tunnel channel open, we configure the orchestration layer on the Main server. Create a directory at <code>/home/n8n/</code> to hold your configurations.</p> <h3> 1. The Environment Setup (<code>/home/n8n/.env</code>) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>N8N_HOST=n8n.your-domain.com N8N_PORT=5678 GENERIC_TIMEZONE=Europe/Vienna N8N_ENCRYPTION_KEY=generate_a_random_long_string_here POSTGRES_USER=n8n_admin POSTGRES_PASSWORD=choose_a_secure_db_password_here POSTGRES_DB=n8n_storage REDIS_PASSWORD=choose_a_secure_redis_password_here N8N_DIAGNOSTICS_ENABLED=false N8N_PERSONALIZATION_ENABLED=false </code></pre> </div> <h3> 2. The Infrastructure Deployment (<code>/home/n8n/docker-compose.yml</code>) </h3> <p>Note that modern Docker Compose specs omit the obsolete <code>version</code> string attribute. We explicitly map database and queue services strictly onto the secure tunnel interface IP (<code>10.0.0.1</code>), ensuring zero external exposures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n_postgres</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">${POSTGRES_USER}</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">${POSTGRES_PASSWORD}</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">${POSTGRES_DB}</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">10.0.0.1:5432:5432"</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">pg_isready</span><span class="nv"> </span><span class="s">-U</span><span class="nv"> </span><span class="s">${POSTGRES_USER}</span><span class="nv"> </span><span class="s">-d</span><span class="nv"> </span><span class="s">${POSTGRES_DB}"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1G</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n_redis</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">command</span><span class="pi">:</span> <span class="s">redis-server --requirepass ${REDIS_PASSWORD}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">10.0.0.1:6379:6379"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">redis_data:/data</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">redis-cli"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-a"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">${REDIS_PASSWORD}"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">ping"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">5</span> <span class="na">n8n_main</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.n8n.io/n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n_core</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:${N8N_PORT}:5678"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=queue</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=redis</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=6379</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PASSWORD=${REDIS_PASSWORD}</span> <span class="pi">-</span> <span class="s">DB_TYPE=postgresdb</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=postgres</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${POSTGRES_DB}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${POSTGRES_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD}</span> <span class="pi">-</span> <span class="s">N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}</span> <span class="pi">-</span> <span class="s">GENERIC_TIMEZONE=${GENERIC_TIMEZONE}</span> <span class="pi">-</span> <span class="s">TZ=${GENERIC_TIMEZONE}</span> <span class="pi">-</span> <span class="s">N8N_HOST=${N8N_HOST}</span> <span class="pi">-</span> <span class="s">N8N_PROTOCOL=https</span> <span class="pi">-</span> <span class="s">WEBHOOK_URL=https://${N8N_HOST}/</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_PRUNE=true</span> <span class="pi">-</span> <span class="s">EXECUTIONS_DATA_MAX_AGE=168</span> <span class="pi">-</span> <span class="s">OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS=true</span> <span class="pi">-</span> <span class="s">N8N_DIAGNOSTICS_ENABLED=false</span> <span class="pi">-</span> <span class="s">N8N_PERSONALIZATION_ENABLED=false</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">n8n_data:/home/node/.n8n</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="na">redis_data</span><span class="pi">:</span> <span class="na">n8n_data</span><span class="pi">:</span> </code></pre> </div> <p>Launch the core stack on VPS 1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> Step 4: Configure Nginx Reverse Proxy with WebSockets </h2> <p>n8n uses persistent WebSocket connections to update progress inside your browser canvas UI. If Nginx proxy buffering isn't optimized, your UI will become unreadably laggy or constantly drop connections.</p> <p>Create an Nginx server block at <code>/etc/nginx/sites-available/n8n</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">listen</span> <span class="s">[::]:80</span><span class="p">;</span> <span class="kn">server_name</span> <span class="s">n8n.your-domain.com</span><span class="p">;</span> <span class="kn">client_max_body_size</span> <span class="mi">50M</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://127.0.0.1:5678</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Host</span> <span class="nv">$host</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Real-IP</span> <span class="nv">$remote_addr</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-For</span> <span class="nv">$proxy_add_x_forwarded_for</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">X-Forwarded-Proto</span> <span class="nv">$scheme</span><span class="p">;</span> <span class="c1"># WebSocket support configurations</span> <span class="kn">proxy_http_version</span> <span class="mf">1.1</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Upgrade</span> <span class="nv">$http_upgrade</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Connection</span> <span class="s">"upgrade"</span><span class="p">;</span> <span class="c1"># Disable buffering to avoid streaming timeouts</span> <span class="kn">proxy_buffering</span> <span class="no">off</span><span class="p">;</span> <span class="kn">proxy_read_timeout</span> <span class="s">24h</span><span class="p">;</span> <span class="kn">proxy_send_timeout</span> <span class="s">24h</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Enable the configuration block and use Certbot to register a Let's Encrypt SSL certificate automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo ln</span> <span class="nt">-s</span> /etc/nginx/sites-available/n8n /etc/nginx/sites-enabled/ <span class="nb">sudo </span>nginx <span class="nt">-t</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>systemctl reload nginx <span class="c"># Run Certbot to handle automatic HTTP -&gt; HTTPS redirects</span> <span class="nb">sudo </span>certbot <span class="nt">--nginx</span> <span class="nt">-d</span> n8n.your-domain.com </code></pre> </div> <h2> Step 5: Deploying the Execution Worker (VPS 2) </h2> <p>The execution worker node is completely stateless, meaning it needs no persistent storage databases. It only requires a minimal Compose setup pointing back across the tunnel to VPS 1.</p> <h3> 1. Create <code>/home/n8n/.env</code> on VPS 2 </h3> <p>Copy your environment details from VPS 1 to ensure that credential cryptographic keys and database definitions match exactly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GENERIC_TIMEZONE=Europe/Vienna N8N_ENCRYPTION_KEY=6uwhZTfJM80Hysuow5ge27r8xLtkFNWq POSTGRES_USER=n8n_admin POSTGRES_PASSWORD=WfVKtYp37bMDT6daPaTDSUYucBhfUw32 POSTGRES_DB=n8n_storage REDIS_PASSWORD=8sHkQV3lpEc0yD4emUSn0oka9PrpdJ1h </code></pre> </div> <h3> 2. Create <code>/home/n8n/docker-compose.yml</code> on VPS 2 </h3> <p>We append <code>command: worker</code> to shift the container's operational blueprint into an isolated worker state:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">n8n_worker</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">docker.n8n.io/n8nio/n8n:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">n8n_worker_remote</span> <span class="na">command</span><span class="pi">:</span> <span class="s">worker</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">EXECUTIONS_MODE=queue</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_HOST=10.0.0.1</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PORT=6379</span> <span class="pi">-</span> <span class="s">QUEUE_BULL_REDIS_PASSWORD=${REDIS_PASSWORD}</span> <span class="pi">-</span> <span class="s">DB_TYPE=postgresdb</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_HOST=10.0.0.1</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PORT=5432</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_DATABASE=${POSTGRES_DB}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_USER=${POSTGRES_USER}</span> <span class="pi">-</span> <span class="s">DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD}</span> <span class="pi">-</span> <span class="s">N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY}</span> <span class="pi">-</span> <span class="s">GENERIC_TIMEZONE=${GENERIC_TIMEZONE}</span> <span class="pi">-</span> <span class="s">TZ=${GENERIC_TIMEZONE}</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">2G</span> </code></pre> </div> <p>Launch the worker node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <h2> Step 6: Server Hardening &amp; Security Policies </h2> <blockquote> <p>⚠️ <strong>The Golden Rule of SSH Configuration:</strong> Always test your new configurations in an entirely separate terminal window before closing your current active shell connection so you don't accidentally lock yourself out.</p> </blockquote> <h3> 1. Restrict Network Interfaces via UFW </h3> <p>Configure standard server firewalls to lock out random external pings.</p> <p><strong>On VPS 1 (Main Node):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw default deny incoming <span class="nb">sudo </span>ufw default allow outgoing <span class="nb">sudo </span>ufw allow 80/tcp <span class="nb">sudo </span>ufw allow 443/tcp <span class="nb">sudo </span>ufw allow 22/tcp <span class="c"># Change if using a custom SSH port</span> <span class="nb">sudo </span>ufw allow <span class="k">in </span>on tun0 <span class="nb">sudo </span>ufw <span class="nb">enable</span> </code></pre> </div> <p><strong>On VPS 2 (Worker Node):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw default deny incoming <span class="nb">sudo </span>ufw default allow outgoing <span class="nb">sudo </span>ufw allow 22/tcp <span class="nb">sudo </span>ufw allow <span class="k">in </span>on tun0 <span class="nb">sudo </span>ufw <span class="nb">enable</span> </code></pre> </div> <h3> 2. Prevent Docker from Bypassing Your Firewall </h3> <p>Docker manipulates system <code>iptables</code> directly. To guarantee it respects your interface limits, explicitly verify your Docker routing daemon defaults:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/docker/daemon.json </code></pre> </div> <p>Ensure <code>"iptables": true</code> is explicitly present, then apply a restart using <code>sudo systemctl restart docker</code>.</p> <h3> 3. Polish the SSH Configuration </h3> <p>Enforce cryptographic authentication over standard passwords:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/ssh/sshd_config </code></pre> </div> <p>Update these properties to ensure safety:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PermitEmptyPasswords no PermitRootLogin prohibit-password PasswordAuthentication no MaxAuthTries 3 </code></pre> </div> <p>Test using <code>sudo sshd -t</code> and trigger a refresh via <code>sudo systemctl restart ssh</code>.</p> <h2> Verification &amp; Monitoring </h2> <p>Because the multi-node worker management interface is part of n8n's enterprise plan, you can easily verify that your cluster is healthy from the command line using your Redis backend.</p> <p>Execute a client list inspection inside your Redis service on <strong>VPS 1</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> n8n_redis redis-cli <span class="nt">-a</span> &lt;YOUR_REDIS_PASSWORD&gt; client list </code></pre> </div> <p>Look for the worker's network mapping signature in the connection stream output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>id=51 addr=10.0.0.2:35510 ... name=bull:am9icw== ... cmd=brpoplpush </code></pre> </div> <p>The presence of the <code>brpoplpush</code> command originating from your tunnel gateway IP <code>10.0.0.2</code> means your stateless execution worker is successfully listening to your queue broker. Your secure, distributed n8n cluster is now fully configured and running smoothly.</p> automation distributedsystems networking tutorial M Hossein Tue, 09 Jun 2026 11:40:00 +0000 https://dev.to/_mh/stop-guessing-start-profiling-mechanical-sympathy-in-go-systems-49d0 https://dev.to/_mh/stop-guessing-start-profiling-mechanical-sympathy-in-go-systems-49d0 <h2> The Problem: The Mysterious 2-Second Freeze </h2> <p>Imagine your Go microservice is a chef in a busy kitchen. It processes orders (JSON payloads) super fast. Life is good, until every 15 minutes, the chef completely freezes for 2 seconds. Orders pile up. </p> <p>Why did the chef freeze? <strong>The Trash.</strong></p> <p>When you parse JSON using the standard <code>encoding/json</code> library, you create a lot of garbage (heap allocations). Go has a Garbage Collector (GC) that acts like a janitor. </p> <p><strong>⚠️ The Myth:</strong> Many engineers think the GC yells "Stop-The-World," making the chef freeze while the janitor sweeps. Modern Go has a <em>concurrent</em> GC. Real STW pauses are sub-millisecond.</p> <p><strong>✅ The Reality: Mark Assist.</strong> <br> If the chef makes trash faster than the janitor can sweep it, the Go runtime triggers <em>Mark Assist</em>. The runtime literally hands the chef a broom and forces them to sweep instead of cooking. The chef isn't frozen; the chef is doing janitor work.</p> <h3> 📊 Diagram 1: The Mark Assist Traffic Jam </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Normal: Chef Cooks ➔ Makes Trash ➔ Janitor sweeps concurrently ➔ Fast! (20ms) Spike: Chef Cooks ➔ Makes TOO MUCH Trash ➔ Janitor falls behind | 💥 RUNTIME: "Chef, drop the spatula, grab a broom!" (Mark Assist) 💥 Chef spends 2 seconds sweeping instead of cooking 💥 </code></pre> </div> <h2> The Right Way: Mechanical Sympathy </h2> <p>We need to stop making trash so the chef never has to sweep. Here are the 3 big mechanical fixes you need to know.</p> <h3> Fix 1: Stop Making Trash (Size-Classed Pools) </h3> <p>The standard <code>encoding/json</code> library creates trash because it uses "reflection." </p> <p><strong>The Fix:</strong> Use fast parsers (like <code>easyjson</code>) and <strong><code>sync.Pool</code></strong>. A <code>sync.Pool</code> is like a shared toolbox. You take a wrench out, use it, wipe it clean, and put it back. No trash!</p> <p><strong>⚠️ Trap 1: Megamorphic Bloat</strong><br> If you put a 4KB wrench in the toolbox, but someone stretches it to 60KB and puts it back, your toolbox permanently bloats. </p> <p><strong>⚠️ Trap 2: The Black Hole &amp; Allocation Roulette</strong><br> To fix bloat, you might create separate toolboxes for Small and Large jobs. But what happens to a 4KB wrench that stretches to 5KB? </p> <ul> <li>If you put it in the 64K pool, you play <strong>Allocation Roulette</strong>: The next chef asks for a 60K wrench and gets your 5K one. It snaps, triggering a heap allocation.</li> <li>If you use exact equality checks (<code>if cap == 4096</code>), you create a <strong>Black Hole</strong>: A third-party library slices your buffer down to 3KB. It's still perfectly capable of fulfilling a 2KB request, but your code throws it in the trash. Your pool empties, forcing heap allocations.</li> </ul> <p><strong>✅ The Solution: Utility Ranges (The Half-Broken Tool)</strong><br> Toolboxes need a "good enough" range. If a 4KB wrench gets filed down to 3KB, it’s still pretty useful. Put it back. But if it gets filed down to 500 bytes, it's useless for a 4KB job. Let the Garbage Collector throw it away.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">var</span> <span class="n">pool4K</span> <span class="o">=</span> <span class="n">sync</span><span class="o">.</span><span class="n">Pool</span><span class="p">{</span><span class="n">New</span><span class="o">:</span> <span class="k">func</span><span class="p">()</span> <span class="n">any</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">4096</span><span class="p">);</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">b</span> <span class="p">}}</span> <span class="k">var</span> <span class="n">pool64K</span> <span class="o">=</span> <span class="n">sync</span><span class="o">.</span><span class="n">Pool</span><span class="p">{</span><span class="n">New</span><span class="o">:</span> <span class="k">func</span><span class="p">()</span> <span class="n">any</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">65536</span><span class="p">);</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">b</span> <span class="p">}}</span> <span class="k">func</span> <span class="n">getBuffer</span><span class="p">(</span><span class="n">size</span> <span class="kt">int</span><span class="p">)</span> <span class="o">*</span><span class="p">[]</span><span class="kt">byte</span> <span class="p">{</span> <span class="k">if</span> <span class="n">size</span> <span class="o">&lt;=</span> <span class="m">4096</span> <span class="p">{</span> <span class="k">return</span> <span class="n">pool4K</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">size</span> <span class="o">&lt;=</span> <span class="m">65536</span> <span class="p">{</span> <span class="k">return</span> <span class="n">pool64K</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="c">// Poison pill: Too big, don't pool.</span> <span class="p">}</span> <span class="k">func</span> <span class="n">putBuffer</span><span class="p">(</span><span class="n">buf</span> <span class="o">*</span><span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">{</span> <span class="o">*</span><span class="n">buf</span> <span class="o">=</span> <span class="p">(</span><span class="o">*</span><span class="n">buf</span><span class="p">)[</span><span class="o">:</span><span class="m">0</span><span class="p">]</span> <span class="c">// Wipe the wrench clean!</span> <span class="n">c</span> <span class="o">:=</span> <span class="nb">cap</span><span class="p">(</span><span class="o">*</span><span class="n">buf</span><span class="p">)</span> <span class="c">// The 4K Toolbox: Keep it if it's between 2KB and 4KB</span> <span class="k">if</span> <span class="n">c</span> <span class="o">&gt;=</span> <span class="m">2048</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="m">4096</span> <span class="p">{</span> <span class="n">pool4K</span><span class="o">.</span><span class="n">Put</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// The 64K Toolbox: Keep it if it's between 32KB and 64KB</span> <span class="k">if</span> <span class="n">c</span> <span class="o">&gt;=</span> <span class="m">32768</span> <span class="o">&amp;&amp;</span> <span class="n">c</span> <span class="o">&lt;=</span> <span class="m">65536</span> <span class="p">{</span> <span class="n">pool64K</span><span class="o">.</span><span class="n">Put</span><span class="p">(</span><span class="n">buf</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// If it falls in the dead-zones (like 5KB), it doesn't fit either box. </span> <span class="c">// Let the Garbage Collector eat it.</span> <span class="p">}</span> </code></pre> </div> <p><em>(Note: We pool pointers `</em>[]byte<code> because passing a slice </code>[]byte<code> to an </code>interface{}` creates a heap wrapper—defeating the whole purpose!)*</p> <h3> Fix 2: Protect the Database (The Cancellation Storm) </h3> <p>When your app gets hit by Mark Assist, database queries slow down. You add timeouts (e.g., <code>context.WithTimeout(ctx, 500ms)</code>). </p> <p><strong>⚠️ The Myth:</strong> A context timeout "violently drops" the database connection. <br> <strong>✅ The Reality:</strong> When a context expires, <code>database/sql</code> drivers (like Postgres) must send an Out-Of-Band (OOB) cancellation request. To do this, the driver opens a <strong>brand new TCP connection</strong> just to say "cancel my previous request!"</p> <h3> 📊 Diagram 2: The Self-Inflicted DDoS </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. APP GETS MARK ASSIST (Slows down) App ➔ 500ms Timeout hits! Query must be cancelled. 2. THE CANCEL STORM: App ➔ Opens NEW TCP Connection ➔ "Hey DB, Cancel Query 1" App ➔ Opens NEW TCP Connection ➔ "Hey DB, Cancel Query 2" ... (5,000 new TLS handshakes attack the Database CPU) 💥 </code></pre> </div> <p><strong>✅ The Solution:</strong> Put a centralized proxy (like PgBouncer) in the middle. The proxy absorbs the violent cancellation storms from your app, but keeps a calm, steady set of warm connections open to the database. <em>(Don't use a sidecar per pod—200 sidecars still attack the DB!)</em></p> <h3> Fix 3: Don't Break the Chain (Failing Closed) </h3> <p>If a user sends a 50MB "Poison Pill" JSON, the standard answer is: "Send it to a Dead Letter Queue (DLQ) and keep processing." </p> <p><strong>⚠️ The Trap:</strong> This destroys ordered message queues (like Kafka CDC). If you skip "Step 1: Create Account" because it was a Poison Pill, and process "Step 2: Update Account", your database is corrupted. </p> <p><strong>✅ The Solution: Entity Quarantine</strong><br> Halt processing for <em>just that specific user ID</em>, put that ID in a quarantine list (like Redis), and skip future messages for that user until a human fixes it.</p> <p><strong>⚠️ The Distributed State Fallacy (The Radio Check):</strong> What happens when the quarantine list (Redis) goes down?<br> You might think: <em>"Just make the app sleep or return an error until Redis comes back!"</em> <br> <strong>This is a fatal mistake.</strong> Kafka uses a "Radio Check" (a heartbeat). If your app goes completely silent because it's sleeping or frozen, the Kafka broker assumes your app died. It violently kicks your app out of the group and gives the broken messages to another pod... which also freezes and dies. You will crash your entire cluster in a Rebalance Storm.</p> <p><strong>✅ The Definitive Fix: Put them on Hold</strong><br> When dealing with strict order, you cannot guess. If Redis is down, you must <strong>Pause</strong> the queue, but keep the radio heartbeat alive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Is entity in Quarantine? ➔ Yes: Skip message. ➔ No: Process message. ➔ Redis Down: Tell Kafka to "Pause()" this specific partition. Keep polling the radio to say "I'm alive, just on hold." Alert humans. </code></pre> </div> <h3> Fix 4: See the Ghost (Continuous Profiling) </h3> <p>You can't fix what you can't see. </p> <ol> <li> <strong>CI Guardrails:</strong> Add <code>go test -benchmem</code> to your pipeline. If a PR adds memory allocations on the critical path, it fails. </li> <li> <strong>Continuous Profiling:</strong> Use tools like Parca or Pyroscope to constantly take <code>pprof</code> snapshots in production, and link them to your traces (OpenTelemetry).</li> </ol> <blockquote> <p>💡 <strong>The Pro Move:</strong> When an alert fires, you click the exact trace that was slow, and it shows you the exact line of code that forced your app into Mark Assist. No guessing required.</p> </blockquote> <h2> Summary </h2> <ol> <li> <strong>Mark Assist, not STW:</strong> The GC forces your app to help clean. Stop making trash.</li> <li> <strong>Utility Ranges:</strong> A 3KB buffer is still a useful half-broken tool for a 2KB job. Use ranges, not exact equality.</li> <li> <strong>Timeouts cause Storms:</strong> Context cancellations open <em>new</em> TCP connections. Use a centralized proxy to absorb the DDoS.</li> <li> <strong>Keep the Radio Check:</strong> If your quarantine check goes down, pause the partition but keep polling to prevent a cluster crash.</li> </ol> <p>When you understand how the machine <em>actually</em> works—Mark Assist, utility ranges, OOB cancellations, and heartbeats—you stop guessing and start engineering systems that survive production.</p> distributedsystems go performance sre M Hossein Mon, 08 Jun 2026 05:42:00 +0000 https://dev.to/_mh/the-blast-radius-mentoring-senior-engineers-into-systems-thinkers-56nd https://dev.to/_mh/the-blast-radius-mentoring-senior-engineers-into-systems-thinkers-56nd <p>The transition from Senior Engineer to Staff Engineer isn't just about writing more complex code. It is about expanding your field of vision. A Senior Engineer owns a service; a Staff Engineer owns the spaces <em>between</em> the services.</p> <p>But how do you teach that? How do you take an incredibly talented coder who operates in a silo and turn them into a "Systems Thinker"?</p> <p>Let’s look at a classic engineering management scenario, the standard naive reaction, and the Staff-level approach to building a resilient engineering culture.</p> <h3> The Scenario: The Siloed Senior Engineer </h3> <p>Let's say you have a Senior Engineer on one of your product squads named David. David is fantastic at writing Go. He is the technical owner of the Receipt PDF Generation service. His code is spotless, his test coverage is 90%+, and he ships features on time.</p> <p>Last week, David pushed an optimization. He realized the PDF generator was making sequential database calls, so he rewrote the logic to aggressively parallelize the data fetching using Goroutines. He made the service 30% faster. He was thrilled.</p> <p><strong>The Consequence:</strong> He didn't realize that by aggressively parallelizing the fetches, he effectively DDOS'd a shared internal database with concurrent reads. He exhausted the connection pool, which temporarily degraded the performance of a critical, Tier-1 compliance API that shares the same database.</p> <p>He simply didn't think about his downstream blast radius.</p> <h3> Phase 1: The Standard Management Reaction </h3> <p>When incidents like this happen, the standard reaction in immature engineering organizations is to treat it as a behavioral problem:</p> <ol> <li> <strong>The Scolding:</strong> A manager pulls David aside, tells him to "be more careful," and demands he test better.</li> <li> <strong>The Vague Mandate:</strong> David is told to "act more like a consultant" and "talk to other teams" to get a better image of what's going on.</li> </ol> <p><strong>The Pitfall: The Culture of Fear &amp; Friction</strong><br> Scolding an engineer for an optimization creates a culture of fear. The next time David sees a way to improve the system, he will keep his head down to avoid getting yelled at. Furthermore, telling a squad engineer to vaguely "act as a consultant" creates massive friction with their Product Manager, who expects them to be burning down Jira tickets, not wandering around Slack asking other teams what they are doing.</p> <p>Worst of all, this reaction completely ignores the architectural failure.</p> <blockquote> <p><strong>The Staff-Level Insight:</strong> Human error is never the root cause; it is merely the symptom of a fragile system. If a single engineer optimizing a PDF generator can bring down a Tier-1 API, your architecture is broken.</p> </blockquote> <h3> Phase 2: The Force Multiplier Framework </h3> <p>As a Staff Engineer, your job is to use this incident as a Force Multiplier. You need to fix the architecture <em>and</em> mentor the engineer. </p> <p>But first, you must reframe the failure for David before any public process begins. In your 1-on-1, you don't scold him. You validate his intent (making things faster) but challenge his context. You tell him: <em>"The optimization was great engineering; the lack of defensive consumption was a systems failure. Let's fix the system together."</em></p> <p>From there, here is the exact, actionable 4-step strategy to turn David from a Service Owner into a Systems Thinker over the next six months.</p> <h4> 1. The Blameless Post-Mortem (Reframing the Incident) </h4> <p>You do not initiate a post-mortem to ask, "Why did David break the database?" You initiate a blameless post-mortem with David and the affected teams to ask a purely mechanical question:</p> <p><em>"Why did our architecture allow a single service to DDOS a shared database without rate limits or circuit breakers tripping?"</em> This immediately shifts the focus from human guilt to system resilience. </p> <h4> 2. Vulnerability as Leadership (The Tribe Meeting) </h4> <p>We want David to present his work at the monthly engineering all-hands, but <em>not</em> just to show off his cool parallelization code. That sends the message: "Look at my optimization, ignore the outage."</p> <p>Instead, you ask David to present the <em>entire incident</em>. He walks through his optimization, explains the unexpected downstream database locks, and shares the system-level fixes. When a highly respected Senior Engineer stands up in front of the tribe and says, <em>"I brought down the API because I didn't think about the DB locks, and here is what I learned,"</em> it creates massive psychological safety. It teaches the entire organization that it is okay to take risks, fail, and learn.</p> <h4> 3. Structured Cross-Pollination (The RFC Process) </h4> <p>You cannot just tell an engineer to "go see what other teams are doing." You must bake it into the engineering lifecycle—and you must protect their time to do it.</p> <p>Instead of a vague consultant role, bring David into the formal <strong>RFC (Request for Comments) / Design Doc process</strong>. For the next three months, make David a mandatory reviewer on architecture design docs for the squads immediately upstream and downstream from him.</p> <p>This forces him to read about other systems <em>before</em> they are built. He learns to spot API contract changes, database coupling, and capacity limits outside of his Go routines. </p> <p><strong>Crucially, as the Staff Engineer, you must act as an umbrella.</strong> When David’s PM complains that he is reviewing RFCs instead of burning down the sprint backlog, you step in. You translate the systems work into product terms: <em>"David isn't doing admin work; he's preventing the next P1 outage that will wipe out our sprint velocity for a week."</em> This shields David from organizational friction and proves that systems thinking is valued over ticket-churning.</p> <h4> 4. Operational Empathy ("You Build It, You Run It") </h4> <p>Writing code in a silo is easy. Operating it in production is hard.</p> <p>If your developers are isolated from the operational consequences of their code, they will never become Systems Thinkers. You must advocate for putting Senior Developers on the PagerDuty incident rotation alongside your SREs.</p> <p>Nothing builds system-level empathy faster than waking up at 3:00 AM because another team's runaway retry-loop just exhausted the connections on your database. Shared operational pain is the ultimate catalyst for distributed systems thinking.</p> <h3> The Payoff: Six Months Later </h3> <p>If you execute this strategy, you don't just fix an architectural flaw; you fundamentally alter how an engineer views the world. </p> <p>Six months from now, a product manager will ask David to add a new feature to the PDF service that requires fetching user data from a newly acquired third-party API. </p> <p>The old David would have just written the integration, wrapped it in a Goroutine, and shipped it. </p> <p>The new David—the Systems Thinker—will pause. He'll check the API's rate limits. He'll add a semaphore to bound his concurrency, and a circuit breaker to fail fast. He'll ping the upstream squad to ensure his new polling pattern won't overflow their message queue. He will look beyond his service and own the space <em>between</em> the services.</p> <h3> The Takeaway </h3> <p>Mentoring isn't just scheduling 1-on-1s and giving code review feedback. It is about intentionally designing the environment around the engineer.</p> <p>By leveraging blameless post-mortems, encouraging vulnerable leadership, injecting engineers into cross-team RFCs (while shielding them from PM friction), and exposing them to production reality through PagerDuty, you stop fighting human nature. Instead, you build an engineering culture where "Systems Thinking" is simply the path of least resistance.</p> architecture career leadership systemdesign M Hossein Sun, 07 Jun 2026 06:42:00 +0000 https://dev.to/_mh/the-cryptographic-chain-reaction-enforcing-strict-ordering-in-a-concurrent-world-57kj https://dev.to/_mh/the-cryptographic-chain-reaction-enforcing-strict-ordering-in-a-concurrent-world-57kj <p>Imagine you are building a cloud-native backend for a high-frequency trading platform or a core banking ledger. To ensure mathematical immutability and prevent silent data tampering, compliance mandates that every transaction for a specific financial account must be cryptographically chained.</p> <p>This means the signature of Transaction #50 must explicitly include the cryptographic hash of Transaction #49. <strong>You cannot sign them out of order, and the backend is strictly responsible for generating and validating this chain.</strong></p> <p>This introduces a massive distributed systems headache: How do you enforce strict, sequential ordering while maintaining the concurrency required to scale a modern cloud architecture? Let's walk through the evolution of this system, deconstruct exactly how the standard event-driven approach fails in production, and examine the Staff-level architecture required to fix it.</p> <h3> Phase 1: The MVP &amp; The Database Bottleneck </h3> <p>In the early days, traffic is low. An account might see one transaction every few minutes. The "Happy Path" is simple:</p> <ol> <li>The API receives a deposit request for Account A.</li> <li>The API queries Postgres for the <code>last_signature_hash</code>.</li> <li>The API computes the new hash in memory: <code>SHA(last_hash + new_transaction_data)</code>.</li> <li>The API writes the new transaction and updates the state.</li> </ol> <p><strong>The Pitfall: The Thundering Herd</strong><br> To prevent two concurrent requests from reading the same previous hash, you wrap the database operation in a pessimistic lock: <code>SELECT ... FOR UPDATE</code>. This forces the database to serialize requests at the row level.<br> When a massive partner bank initiates a bulk sync, dumping 5,000 transactions for a single corporate account onto the API in two seconds, 4,999 concurrent threads immediately hit the <code>FOR UPDATE</code> lock and block. The database connection pool is instantly exhausted, latency spikes platform-wide, and the MVP dies.</p> <blockquote> <p><strong>The Insight:</strong> The database must be your last line of defense, not your primary queueing mechanism. Contention must be solved upstream in memory.</p> </blockquote> <h3> Phase 2: The Event-Driven Reality (Step-by-Step Fixes) </h3> <p>To protect the database, we introduce Kafka and Golang. We place a <code>ledger-events</code> Kafka topic between the API and the database. By using <code>account_id</code> as the Kafka message key, Kafka routes all traffic for a specific account to a single partition, ensuring it is processed by exactly one Go worker pod.</p> <p>This looks great on a whiteboard. But under the microscope of production reality, it is riddled with architectural gaps. Here is how we systematically uncover and solve them.</p> <h4> Step 1: The Ingestion Illusion &amp; Operational Memory </h4> <p><strong>The Pitfall: The Overdraft Race Condition</strong><br> Keying messages by <code>account_id</code> does not guarantee chronological order; Kafka only guarantees the order in which the broker <em>receives</em> the messages. If a client issues a $50 deposit and a $120 withdrawal in the same millisecond, network latency might cause the withdrawal to hit Kafka first. If the backend accepts Kafka's order as absolute, the account overdrafts and the withdrawal is incorrectly rejected.</p> <p><strong>The Fix: Client-Dictated Sequence &amp; In-Memory Buffering</strong><br> Chronological order in finance is about business logic, not just hashing. The client <em>must</em> provide a sequence ID (e.g., <code>seq_1</code>, <code>seq_2</code>). The Go worker enforces this sequence. If Kafka delivers <code>seq_3</code> before <code>seq_2</code>, the Goroutine cannot process it. It must buffer <code>seq_3</code> in memory and wait for <code>seq_2</code> to arrive.</p> <p><strong>The Hidden Pitfall: The Auto-Commit Catastrophe</strong><br> By buffering out-of-order messages in memory, we introduce a severe operational risk. If Kafka is set to auto-commit offsets, it will tell the broker "I have successfully processed up to <code>seq_3</code>" simply because it read it off the partition. If the pod crashes while <code>seq_3</code> is sitting in the memory buffer waiting for <code>seq_2</code>, <code>seq_3</code> is permanently lost.</p> <p><strong>The Final Fix:</strong> You must disable auto-commit. The Go worker must implement meticulous manual offset management, committing Kafka offsets <em>only</em> after the expected sequence is successfully flushed to the database ledger. Furthermore, to prevent memory leaks from permanently stalled sequences (e.g., a client bug where <code>seq_2</code> is never sent), the in-memory buffer must have a strict TTL. If the gap isn't filled within 60 seconds, the chain halts and triggers an SRE alert.</p> <h4> Step 2: The Database Constraint &amp; The Infinite Ledger </h4> <p><strong>The Pitfall: The "Missing Tail" and the UNIQUE Loophole</strong><br> To process a transaction, the worker needs the last hash. Querying the ledger directly (<code>SELECT ... ORDER BY created_at DESC LIMIT 1</code>) creates an $O(N)$ index scan bottleneck on high-volume accounts. If we fix this by keeping an <code>account_state</code> table as an $O(1)$ cache, we face a new problem: If a pod crashes and a Kafka rebalance occurs, two workers might read the cached state concurrently and attempt to build off the same hash.</p> <p><strong>The Fix: The Dual-Table Pattern &amp; Fork Prevention</strong><br> We use two tables updated in a single atomic transaction. <code>account_state</code> acts as our high-speed cache, and <code>ledger</code> acts as our immutable history. We add a safety net to the ledger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">ledger</span> <span class="k">ADD</span> <span class="k">CONSTRAINT</span> <span class="n">unique_chain_link</span> <span class="k">UNIQUE</span> <span class="p">(</span><span class="n">account_id</span><span class="p">,</span> <span class="n">previous_hash</span><span class="p">);</span> </code></pre> </div> <p><em>Nuance:</em> This <code>UNIQUE</code> constraint prevents <em>forks</em> (two transactions claiming the same parent), but it doesn't guarantee <em>continuity</em> (ensuring the new hash actually links to the true tail). Continuity is guaranteed by Optimistic Concurrency Control (OCC) in Go. The worker reads the $O(1)$ cache, computes the hash, and attempts an <code>INSERT</code> into the <code>ledger</code>. If a rogue worker also read the stale state, the <code>UNIQUE</code> constraint causes the second <code>INSERT</code> to fail instantly—before touching the <code>account_state</code> cache. The Go worker catches this error, fetches the fresh cache state, computes a new hash, and retries cleanly.</p> <p><strong>The Hidden Pitfall: The Index Bloat</strong><br> An immutable <code>ledger</code> table will grow infinitely. The <code>UNIQUE (account_id, previous_hash)</code> constraint requires a B-Tree index. On a high-frequency ledger with billions of rows, this index swells beyond available RAM, causing <code>INSERT</code> performance to degrade exponentially due to disk I/O.</p> <p><strong>The Final Fix:</strong> Implement Postgres Table Partitioning. Partition the ledger by date (e.g., <code>ledger_2026_06</code>) or account hash range. This keeps the active index sizes small and strictly in memory, preserving sub-millisecond insert times.</p> <h4> Step 3: Concurrency Anti-Patterns </h4> <p><strong>The Pitfall: The Goroutine Memory Leak</strong><br> To isolate processing per account, the Go worker uses dynamic Goroutines fed by a <code>sync.Map</code>. To clean up idle Goroutines, engineers often use a <code>select</code> loop with a <code>time.After(15 * time.Minute)</code> timeout. <code>time.After</code> allocates a new timer channel on the heap <em>every single iteration</em> of the loop, causing massive Garbage Collection (GC) pressure. Furthermore, <code>sync.Map</code> degrades under high-frequency writes.</p> <p><strong>The Fix: RWMutex &amp; The Timer Reset Pattern</strong><br> Use a standard Go map protected by a <code>sync.RWMutex</code>. Inside the Goroutine, instantiate exactly <em>one</em> timer and defer its stop, resetting it on every loop.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="s">"sync"</span> <span class="c">// Dispatcher safely manages the dynamic worker channels for each account.</span> <span class="k">type</span> <span class="n">Dispatcher</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">channels</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">chan</span> <span class="n">Transaction</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewDispatcher</span><span class="p">()</span> <span class="o">*</span><span class="n">Dispatcher</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">Dispatcher</span><span class="p">{</span> <span class="n">channels</span><span class="o">:</span> <span class="nb">make</span><span class="p">(</span><span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">chan</span> <span class="n">Transaction</span><span class="p">),</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">processAccountChain</span><span class="p">(</span><span class="n">accountID</span> <span class="kt">string</span><span class="p">,</span> <span class="n">ch</span> <span class="o">&lt;-</span><span class="k">chan</span> <span class="n">Transaction</span><span class="p">,</span> <span class="n">dispatcher</span> <span class="o">*</span><span class="n">Dispatcher</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Idiomatic Go: create ONE timer, clean up on exit</span> <span class="n">idleTimer</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">NewTimer</span><span class="p">(</span><span class="m">15</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> <span class="k">defer</span> <span class="n">idleTimer</span><span class="o">.</span><span class="n">Stop</span><span class="p">()</span> <span class="k">for</span> <span class="p">{</span> <span class="n">idleTimer</span><span class="o">.</span><span class="n">Reset</span><span class="p">(</span><span class="m">15</span> <span class="o">*</span> <span class="n">time</span><span class="o">.</span><span class="n">Minute</span><span class="p">)</span> <span class="c">// Reuse the same object</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="n">tx</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="o">&lt;-</span><span class="n">ch</span><span class="o">:</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Process transaction sequentially...</span> <span class="k">case</span> <span class="o">&lt;-</span><span class="n">idleTimer</span><span class="o">.</span><span class="n">C</span><span class="o">:</span> <span class="c">// Lock map, delete channel, safely exit</span> <span class="n">dispatcher</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="nb">delete</span><span class="p">(</span><span class="n">dispatcher</span><span class="o">.</span><span class="n">channels</span><span class="p">,</span> <span class="n">accountID</span><span class="p">)</span> <span class="n">dispatcher</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">return</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Step 4: The Edge Case Reality </h4> <p><strong>The Pitfall: The Poison Pill under Strict Sequence</strong><br> Transaction <code>seq_2</code> in a batch of 500 contains a corrupted, unparseable JSON payload. Because we have firmly established that the client dictates the sequence, the backend <em>cannot</em> simply drop <code>seq_2</code> and chain <code>seq_3</code> to <code>seq_1</code>. Doing so legally invalidates the client's intended sequence and corrupts the financial state.</p> <p><strong>The Fix: The State-Backed DLQ &amp; Chain Halt</strong><br> You cannot fix a broken link in a strict sequence, nor can you skip it. The Go worker must:</p> <ol> <li>Route the bad payload to a Dead Letter Queue (DLQ).</li> <li>Update the <code>account_state</code> table in Postgres: <code>UPDATE account_state SET status = 'BLOCKED'</code>.</li> <li>Drop all subsequent messages (like <code>seq_3</code> and <code>seq_4</code>) into a holding topic or reject them directly at the API layer.</li> </ol> <p>The chain halts immediately. An SRE or automated reconciliation process must investigate, notify the client of the specific sequence failure, and force the client to re-issue the transactions from the exact point of failure.</p> <h3> The Takeaway </h3> <p>When business logic requires strict, sequential cryptographic chaining, high-concurrency event-driven architectures naturally fight against the requirement.</p> <p>You cannot solve this by throwing more threads at the problem or locking down your database rows. You must sequence deterministically via client IDs, buffer appropriately at the ingestion layer, manage Kafka offsets manually, isolate processing via memory dispatchers, and leverage your partitioned database as a high-speed cache backed by an immutable, constraint-driven ledger. Architecture at this level is about anticipating the mechanical realities of the system, not just the happy path.</p> architecture backend distributedsystems systemdesign M Hossein Sat, 06 Jun 2026 07:22:00 +0000 https://dev.to/_mh/polyglot-monorepo-magic-typescript-python-and-go-in-one-repo-298n https://dev.to/_mh/polyglot-monorepo-magic-typescript-python-and-go-in-one-repo-298n <h2> What is a Polyglot Monorepo? </h2> <p>A <strong>polyglot monorepo</strong> is a single Git repository containing services and packages written in multiple programming languages. The alternative — a polyrepo — means one repo per service, per team, per language. When your frontend team, your Go API team, and your Python ML team all operate in separate repos, sharing contracts between them becomes a coordination problem.</p> <p>This repo is <code>beacon-monorepo</code>. It's a real-time analytics platform. It contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>beacon-monorepo/ ├── frontend/ │ └── web/ ← Next.js dashboard (TypeScript) ├── services/ │ ├── api/ ← REST API (Go) │ ├── ingest/ ← Data ingestion service (Go) │ ├── ml/ ← ML inference API (Python / FastAPI) │ └── worker/ ← Background jobs (Python / Celery) ├── packages/ │ ├── ui/ ← Shared React components (TypeScript) │ └── sdk/ ← TypeScript client SDK ├── pkg/ │ ├── shared/ ← Go shared utilities │ └── store/ ← Go data access layer ├── libs/ │ └── shared/ ← Python shared models + Pydantic schemas ├── proto/ ← Protobuf definitions (source of truth) ├── gen/ │ ├── go/ ← Generated Go stubs │ ├── python/ ← Generated Python stubs │ └── ts/ ← Generated TypeScript stubs ├── Taskfile.yml ← Root task orchestration (cross-language) ├── pnpm-workspace.yaml ├── package.json ← Root (biome, lefthook, turbo) ├── pyproject.toml ← uv workspace root ├── uv.lock ├── biome.json ├── .golangci.yml └── go.work ← (gitignored — local dev only) </code></pre> </div> <p><strong>The core idea:</strong> services are owned by different teams writing different languages, but they share contracts defined in <code>proto/</code>, config defined at the repo root, and a single task runner (<code>Taskfile.yml</code>) that orchestrates everything with one set of commands.</p> <h2> Tool 1: Three Workspace Managers — The Parallel Foundation </h2> <p>There is no single package manager that handles TypeScript, Python, and Go. Instead, three workspace managers coexist in the same repo — each governing its own language, each completely ignorant of the others.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Language</th> <th>Manager</th> <th>Config file</th> <th>Dep linking mechanism</th> </tr> </thead> <tbody> <tr> <td>TypeScript</td> <td>pnpm workspaces</td> <td><code>pnpm-workspace.yaml</code></td> <td> <code>workspace:*</code> symlinks</td> </tr> <tr> <td>Python</td> <td>uv workspaces</td> <td>root <code>pyproject.toml</code> </td> <td> <code>{ workspace = true }</code> editable installs</td> </tr> <tr> <td>Go</td> <td>go workspaces</td> <td><code>go.work</code></td> <td>local module overlay</td> </tr> </tbody> </table></div> <p>They coexist peacefully because they key on different file extensions. pnpm reads <code>package.json</code>. uv reads <code>pyproject.toml</code>. Go reads <code>go.mod</code>. A directory like <code>services/ml/</code> that contains a <code>pyproject.toml</code> is invisible to pnpm. A directory with only a <code>package.json</code> is invisible to uv.</p> <h3> TypeScript: <code>pnpm-workspace.yaml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">gen/ts'</span> <span class="c1"># generated TypeScript stubs — must be a workspace member</span> </code></pre> </div> <p><code>gen/ts/</code> <strong>must</strong> be a workspace member, not a <code>file:</code> dependency. A <code>file:</code> reference copies the package into <code>node_modules</code> at install time — after <code>buf generate</code> regenerates the stubs, the copies are stale until you re-run <code>pnpm install</code>. A <code>workspace:*</code> reference is a symlink — always live.</p> <p><code>packages/sdk/package.json</code> depends on the shared UI and the generated TypeScript stubs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@beacon/sdk"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@beacon/ui"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@beacon/proto-ts"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">symlinked</span><span class="w"> </span><span class="err">—</span><span class="w"> </span><span class="err">reflects</span><span class="w"> </span><span class="err">buf</span><span class="w"> </span><span class="err">generate</span><span class="w"> </span><span class="err">immediately</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Python: root <code>pyproject.toml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"beacon-root"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span> <span class="nn">[tool.uv.workspace]</span> <span class="c"># List Python members explicitly — globs must not match dirs without pyproject.toml</span> <span class="py">members</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"services/ml"</span><span class="p">,</span> <span class="s">"services/worker"</span><span class="p">,</span> <span class="s">"libs/shared"</span><span class="p">,</span> <span class="s">"gen/python"</span><span class="p">,</span> <span class="c"># generated proto stubs — must be listed so uv can resolve them</span> <span class="p">]</span> <span class="nn">[tool.uv.sources]</span> <span class="py">shared</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c"># the workspace:* equivalent for Python</span> </code></pre> </div> <p><code>services/ml/pyproject.toml</code> declares its internal dep:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"ml"</span> <span class="py">dependencies</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"shared"</span><span class="p">,</span> <span class="c"># internal — resolves via workspace</span> <span class="py">"fastapi&gt;</span><span class="p">=</span><span class="mf">0.115</span><span class="s">",</span><span class="err"> </span> <span class="py">"torch&gt;</span><span class="p">=</span><span class="mf">2.3</span><span class="s">",</span><span class="err"> </span><span class="p">]</span> <span class="nn">[tool.uv.sources]</span> <span class="py">shared</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why explicit members, not globs?</strong> uv errors if a glob matches a directory without a <code>pyproject.toml</code>. <code>frontend/web/</code> and <code>packages/ui/</code> have <code>package.json</code> but no <code>pyproject.toml</code> — a glob like <code>packages/*</code> would break uv. Be explicit.</p> <h3> Go: <code>go.work</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">go</span> <span class="m">1.23</span> <span class="n">use</span> <span class="p">(</span> <span class="o">./</span><span class="n">services</span><span class="o">/</span><span class="n">api</span> <span class="o">./</span><span class="n">services</span><span class="o">/</span><span class="n">ingest</span> <span class="o">./</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="o">./</span><span class="n">pkg</span><span class="o">/</span><span class="n">store</span> <span class="o">./</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="err">←</span> <span class="n">generated</span> <span class="n">proto</span> <span class="n">stubs</span> <span class="p">(</span><span class="n">own</span> <span class="k">go</span><span class="o">.</span><span class="n">mod</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p><strong>Critical:</strong> add <code>go.work</code> and <code>go.work.sum</code> to <code>.gitignore</code>. CI must validate each Go module against its own <code>go.mod</code> independently. The workspace is a local dev convenience — not a CI mechanism.</p> <h3> <code>go.mod</code> plumbing — how CI works without <code>go.work</code> </h3> <p>This is the part most polyglot monorepo guides skip. When CI runs <code>GOWORK=off</code>, each Go module must declare its in-repo dependencies in its own <code>go.mod</code> using <code>replace</code> directives — otherwise the module can't find <code>gen/go</code> or <code>pkg/shared</code>.</p> <p><code>services/api/go.mod</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">module</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">your</span><span class="o">-</span><span class="n">org</span><span class="o">/</span><span class="n">beacon</span><span class="o">/</span><span class="n">services</span><span class="o">/</span><span class="n">api</span> <span class="k">go</span> <span class="m">1.23</span> <span class="n">require</span> <span class="p">(</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">your</span><span class="o">-</span><span class="n">org</span><span class="o">/</span><span class="n">beacon</span><span class="o">/</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="n">v0</span><span class="m">.0.0</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">your</span><span class="o">-</span><span class="n">org</span><span class="o">/</span><span class="n">beacon</span><span class="o">/</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="n">v0</span><span class="m">.0.0</span> <span class="c">// external deps...</span> <span class="p">)</span> <span class="c">// replace directives make GOWORK=off CI work:</span> <span class="c">// each module explicitly maps its in-repo deps to disk paths</span> <span class="n">replace</span> <span class="p">(</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">your</span><span class="o">-</span><span class="n">org</span><span class="o">/</span><span class="n">beacon</span><span class="o">/</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="o">=&gt;</span> <span class="o">../../</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">your</span><span class="o">-</span><span class="n">org</span><span class="o">/</span><span class="n">beacon</span><span class="o">/</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="o">=&gt;</span> <span class="o">../../</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="p">)</span> </code></pre> </div> <p><code>go work sync</code> propagates the <code>require</code> versions from each <code>go.mod</code>. The <code>replace</code> directives work with or without <code>go.work</code> — so <code>GOWORK=off</code> CI and <code>go.work</code> local dev both resolve to the same local disk paths.</p> <p>Run <code>go mod tidy</code> in each module after adding the <code>replace</code> directives. The <code>v0.0.0</code> version is a placeholder that <code>go mod tidy</code> fills in as a pseudo-version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="c"># .gitignore </span><span class="n">go</span>.<span class="n">work</span> <span class="n">go</span>.<span class="n">work</span>.<span class="n">sum</span> .<span class="n">task</span>/ .<span class="n">venv</span>/ <span class="n">node_modules</span>/ .<span class="n">turbo</span>/ .<span class="n">next</span>/ <span class="err">__</span><span class="n">pycache__</span>/ *.<span class="n">pyc</span> <span class="n">services</span>/*/<span class="n">bin</span>/ </code></pre> </div> <h3> What <code>uv sync</code> and <code>pnpm install</code> and <code>go work sync</code> each do </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm <span class="nb">install</span> <span class="c"># links TypeScript packages via symlinks in node_modules</span> uv <span class="nb">sync</span> <span class="nt">--group</span> dev <span class="c"># installs all Python workspace members as editable installs</span> go work init <span class="c"># creates go.work on a fresh clone (only needed once — it's gitignored)</span> go work use ./services/api ./services/ingest ./pkg/shared ./pkg/store ./gen/go go work <span class="nb">sync</span> <span class="c"># syncs go.mod files across Go modules (run after adding new deps)</span> </code></pre> </div> <p><strong>Fresh clone problem:</strong> <code>go.work</code> is gitignored, so a fresh clone has no workspace file. The <code>go work init</code> + <code>go work use</code> steps only run once per machine. The Go Taskfile handles this automatically.</p> <p><strong>The key insight:</strong> these three commands are completely independent. Running <code>pnpm install</code> does not affect Python deps. Running <code>uv sync</code> does not touch <code>node_modules</code>. None of them touch each other. The three workspace managers are parallel foundations — they don't compose, they coexist.</p> <h2> Tool 2: Task (Taskfile.yml) — The Cross-Language Orchestrator </h2> <p>Three workspace managers handle <em>dependencies</em>. <strong>Task</strong> handles <em>tasks</em> (build, test, lint, generate, dev). It's the single entry point for everything in the repo, regardless of language.</p> <p>Task is a language-agnostic binary. Install it once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>go-task <span class="c"># or: sh -c "$(curl --location https://taskfile.dev/install.sh)" -- -d -b ~/.local/bin</span> </code></pre> </div> <h3> The root <code>Taskfile.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">includes</span><span class="pi">:</span> <span class="na">ts</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./Taskfile.ts.yml</span> <span class="na">optional</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">py</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./Taskfile.py.yml</span> <span class="na">optional</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">go</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./Taskfile.go.yml</span> <span class="na">optional</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">proto</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./Taskfile.proto.yml</span> <span class="na">optional</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">doctor</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Verify all required tools are installed</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">command -v node || (echo "node not found — https://nodejs.org" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">command -v pnpm || (echo "pnpm not found — npm install -g pnpm" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">command -v uv || (echo "uv not found — https://docs.astral.sh/uv" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">command -v go || (echo "go not found — https://go.dev/dl" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">command -v buf || (echo "buf not found — https://buf.build/docs/cli" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">command -v jq || (echo "jq not found — brew install jq" &amp;&amp; exit 1)</span> <span class="pi">-</span> <span class="s">echo "All tools present"</span> <span class="na">setup</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Install all dependencies (run task doctor first)</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">doctor</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pnpm install</span> <span class="pi">-</span> <span class="s">uv sync --group dev</span> <span class="c1"># single .venv at repo root; --group dev includes pytest/mypy/ruff</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">go:init</span> <span class="c1"># creates go.work if missing (idempotent)</span> <span class="pi">-</span> <span class="s">go work sync</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">proto:generate</span> <span class="na">build:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Build everything in dependency order</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">proto:generate</span> <span class="c1"># proto first — all languages depend on it</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">ts:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">go:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">py:build</span> <span class="na">test:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Test all languages in parallel</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ts:test</span> <span class="pi">-</span> <span class="s">go:test</span> <span class="pi">-</span> <span class="s">py:test</span> <span class="na">lint:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Lint all languages in parallel</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ts:lint</span> <span class="pi">-</span> <span class="s">go:lint</span> <span class="pi">-</span> <span class="s">py:lint</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Start all dev servers</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ts:dev</span> <span class="pi">-</span> <span class="s">go:dev</span> <span class="pi">-</span> <span class="s">py:dev</span> </code></pre> </div> <h3> Language-specific Taskfiles </h3> <p><code>Taskfile.ts.yml</code> — TypeScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**/*.ts'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**/*.tsx'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/**/*.ts'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/package.json'</span> <span class="c1"># dep changes should bust the cache</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">pnpm-lock.yaml'</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">frontend/web/.next/**'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pnpm turbo run build</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">frontend/**/*.ts'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">packages/**/*.ts'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">**/package.json'</span><span class="pi">]</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">.task/ts-lint.stamp'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pnpm biome check .</span> <span class="pi">-</span> <span class="s">touch .task/ts-lint.stamp</span> <span class="na">test</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**/*.ts'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/**/*.ts'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">frontend/**/*.test.ts'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">pnpm-lock.yaml'</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pnpm turbo run test</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pnpm turbo run dev --filter=@beacon/web</span> </code></pre> </div> <p><code>Taskfile.go.yml</code> — Go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="c1"># Prerequisite: jq must be installed (brew install jq / apt install jq)</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">init</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Create go.work for local development (gitignored; run once per clone)</span> <span class="na">status</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">test -f go.work</span> <span class="c1"># skip if go.work already exists</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go work init</span> <span class="pi">-</span> <span class="s">go work use ./services/api ./services/ingest ./pkg/shared ./pkg/store ./gen/go</span> <span class="na">build</span><span class="pi">:</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">init</span><span class="pi">]</span> <span class="c1"># ensures go.work exists before building</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/api/**/*.go'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/ingest/**/*.go'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">pkg/**/*.go'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/go.mod'</span> <span class="c1"># dep changes should bust the cache</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/go.sum'</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/api/bin/api'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">services/ingest/bin/ingest'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cd services/api &amp;&amp; go build -o bin/api ./cmd/api</span> <span class="pi">-</span> <span class="s">cd services/ingest &amp;&amp; go build -o bin/ingest ./cmd/ingest</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">init</span><span class="pi">]</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/**/*.go'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">pkg/**/*.go'</span><span class="pi">]</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">.task/go-lint.stamp'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' |</span> <span class="s">xargs -P4 -I{} sh -c 'cd {} &amp;&amp; golangci-lint run ./...'</span> <span class="pi">-</span> <span class="s">touch .task/go-lint.stamp</span> <span class="na">test</span><span class="pi">:</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">init</span><span class="pi">]</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/**/*.go'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">pkg/**/*.go'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' |</span> <span class="s">xargs -P4 -I{} sh -c 'cd {} &amp;&amp; go test ./... -race'</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">init</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">cd services/api &amp;&amp; go run ./cmd/api</span> </code></pre> </div> <p><code>Taskfile.py.yml</code> — Python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/ml/**/*.py'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">services/worker/**/*.py'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">libs/**/*.py'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/pyproject.toml'</span> <span class="c1"># dep changes should bust the cache</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">uv.lock'</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">.task/py-build.stamp'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">uv sync --group dev</span> <span class="pi">-</span> <span class="s">touch .task/py-build.stamp</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/ml/**/*.py'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">services/worker/**/*.py'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">libs/**/*.py'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">uv.lock'</span><span class="pi">]</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">.task/py-lint.stamp'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">uv run ruff check services/ml services/worker libs</span> <span class="pi">-</span> <span class="s">uv run ruff format --check services/ml services/worker libs</span> <span class="pi">-</span> <span class="s">uv run mypy services/ml/ services/worker/ libs/</span> <span class="c1"># from repo root — not per-service</span> <span class="pi">-</span> <span class="s">touch .task/py-lint.stamp</span> <span class="na">test</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">services/ml/**/*.py'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">services/worker/**/*.py'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">libs/**/*.py'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">uv run pytest services/ml services/worker libs -x</span> <span class="na">dev</span><span class="pi">:</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">uv run fastapi dev services/ml/src/ml/main.py</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>deps:</code> runs tasks in <strong>parallel</strong> — <code>test:all</code> runs all three test suites simultaneously</li> <li> <code>cmds:</code> runs <strong>sequentially</strong> — <code>build:all</code> runs proto first, then the rest</li> <li> <code>sources</code>/<code>generates</code> is Task's caching: if source files haven't changed since the last run (hash stored in <code>.task/</code>), the task is skipped entirely</li> <li>Add <code>.task/</code> to <code>.gitignore</code> </li> <li> <code>task build:all</code> requires <strong>all three toolchains</strong> installed (node + pnpm, uv, go, buf, jq). Frontend-only or backend-only developers who run it without the full stack will get a "task not found" error. Document this in your repo README — or split <code>task build:ts</code>, <code>task build:go</code>, <code>task build:py</code> as the normal developer interface.</li> </ul> <h3> CI: affected-only runs </h3> <p>Task has no built-in <code>--affected</code>. In CI, detect changed language areas with git diff:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># ci/affected.sh</span> <span class="nv">changed</span><span class="o">=</span><span class="si">$(</span>git diff <span class="nt">--name-only</span> origin/main...HEAD<span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$changed</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s1">'^(frontend|packages)/'</span> <span class="o">&amp;&amp;</span> task ts:test <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$changed</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s1">'^(services/(api|ingest)|pkg)/'</span> <span class="o">&amp;&amp;</span> task go:test <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$changed</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s1">'^(services/(ml|worker)|libs)/'</span> <span class="o">&amp;&amp;</span> task py:test <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$changed</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s1">'^proto/'</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> task proto:generate task ts:test <span class="o">&amp;&amp;</span> task go:test <span class="o">&amp;&amp;</span> task py:test <span class="c"># proto change affects all</span> <span class="o">}</span> </code></pre> </div> <p>A PR touching only <code>services/ml/</code> won't re-run Go tests.</p> <h2> Tool 3: buf + Protobuf — The Contract Layer </h2> <p>This is the tool that makes a polyglot monorepo genuinely worth the complexity. A single <code>.proto</code> file becomes the source of truth for how your TypeScript frontend, your Go API, and your Python ML service all communicate. Change the proto once — regenerate — all three languages are in sync.</p> <h3> <code>buf.yaml</code> — workspace config at repo root </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># buf.yaml</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">modules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">proto/analytics</span> <span class="na">name</span><span class="pi">:</span> <span class="s">buf.build/your-org/analytics</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">proto/events</span> <span class="na">name</span><span class="pi">:</span> <span class="s">buf.build/your-org/events</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">buf.build/googleapis/googleapis</span> <span class="na">lint</span><span class="pi">:</span> <span class="na">use</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">STANDARD</span><span class="pi">]</span> <span class="na">except</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">PACKAGE_DIRECTORY_MATCH</span><span class="pi">]</span> <span class="na">breaking</span><span class="pi">:</span> <span class="na">use</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">FILE</span><span class="pi">]</span> </code></pre> </div> <h3> <code>buf.gen.yaml</code> — one command, three languages </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># buf.gen.yaml</span> <span class="na">version</span><span class="pi">:</span> <span class="s">v2</span> <span class="na">inputs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">proto/analytics</span> <span class="pi">-</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">proto/events</span> <span class="na">plugins</span><span class="pi">:</span> <span class="c1"># Go: message stubs</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/protocolbuffers/go</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/go</span> <span class="na">opt</span><span class="pi">:</span> <span class="s">paths=source_relative</span> <span class="c1"># Go: gRPC service stubs</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/grpc/go</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/go</span> <span class="na">opt</span><span class="pi">:</span> <span class="s">paths=source_relative</span> <span class="c1"># Python: message stubs</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/protocolbuffers/python</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/python</span> <span class="c1"># Python: gRPC service stubs</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/grpc/python</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/python</span> <span class="c1"># Python: mypy type stubs (community plugin)</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/community/nipunn1313-mypy</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/python</span> <span class="c1"># TypeScript: Protobuf-ES (modern, works with Connect-RPC)</span> <span class="pi">-</span> <span class="na">remote</span><span class="pi">:</span> <span class="s">buf.build/bufbuild/es</span> <span class="na">out</span><span class="pi">:</span> <span class="s">gen/ts</span> <span class="na">opt</span><span class="pi">:</span> <span class="s">target=ts</span> <span class="na">managed</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">override</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">file_option</span><span class="pi">:</span> <span class="s">go_package_prefix</span> <span class="na">value</span><span class="pi">:</span> <span class="s">github.com/your-org/beacon/gen/go</span> </code></pre> </div> <p>Run <code>buf generate</code> to regenerate all three at once.</p> <h3> Generated code as first-class modules </h3> <p>Each generated directory is its own module with its own manifest — so the three workspace managers can find it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gen/ ├── go/ │ └── go.mod ← module github.com/your-org/beacon/gen/go │ each consumer's go.mod has: replace ... =&gt; ../../gen/go ├── python/ │ └── pyproject.toml ← listed in uv workspace members; consumers use { workspace = true } └── ts/ └── package.json ← listed in pnpm-workspace.yaml; consumers use workspace:* </code></pre> </div> <p>All three use the same pattern as other internal packages — workspace linking, not <code>file:</code> copies. <code>gen/go/</code> is also listed in <code>go.work</code> for local dev, and each consumer's <code>go.mod</code> has a <code>replace</code> directive for CI.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Taskfile.proto.yml</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">generate</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">proto/**/*.proto</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gen/go/**/*.go</span> <span class="pi">-</span> <span class="s">gen/python/**/*_pb2.py</span> <span class="pi">-</span> <span class="s">gen/ts/**/*_pb.ts</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">buf lint</span> <span class="pi">-</span> <span class="s">buf generate</span> <span class="pi">-</span> <span class="s">buf breaking --against '.git#branch=main'</span> </code></pre> </div> <p><strong>Why this matters:</strong> the breaking change check (<code>buf breaking</code>) is the safety net. If a Go developer renames a proto field, <code>buf breaking</code> fails the build before the Python and TypeScript consumers break. The contract is enforced at the definition layer, not the consumer layer.</p> <h2> Tool 4: Per-Language Root Config — Three Files, One Repo </h2> <p>Each language has one config file at the repo root. No duplication across services, no "why is lint disabled in this one service" surprises.</p> <h3> <code>biome.json</code> — TypeScript </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://biomejs.dev/schemas/1.9.0/schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"linter"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"correctness"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"noUnusedVariables"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"noUnusedImports"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"style"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"useConst"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"formatter"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"indentStyle"</span><span class="p">:</span><span class="w"> </span><span class="s2">"space"</span><span class="p">,</span><span class="w"> </span><span class="nl">"indentWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"lineWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"files"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ignore"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"gen/ts/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/node_modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/.next/**"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> root <code>pyproject.toml</code> — Python lint + type config </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[tool.ruff]</span> <span class="py">line-length</span> <span class="p">=</span> <span class="mi">88</span> <span class="py">target-version</span> <span class="p">=</span> <span class="s">"py312"</span> <span class="py">src</span> <span class="p">=</span> <span class="p">[</span><span class="s">"src"</span><span class="p">]</span> <span class="py">exclude</span> <span class="p">=</span> <span class="p">[</span><span class="s">"gen/python"</span><span class="p">]</span> <span class="nn">[tool.ruff.lint]</span> <span class="py">select</span> <span class="p">=</span> <span class="p">[</span><span class="s">"E"</span><span class="p">,</span> <span class="s">"W"</span><span class="p">,</span> <span class="s">"F"</span><span class="p">,</span> <span class="s">"I"</span><span class="p">,</span> <span class="s">"B"</span><span class="p">,</span> <span class="s">"UP"</span><span class="p">]</span> <span class="py">ignore</span> <span class="p">=</span> <span class="p">[</span><span class="s">"E501"</span><span class="p">]</span> <span class="py">fixable</span> <span class="p">=</span> <span class="p">[</span><span class="s">"ALL"</span><span class="p">]</span> <span class="nn">[tool.ruff.lint.isort]</span> <span class="py">known-first-party</span> <span class="p">=</span> <span class="p">[</span><span class="s">"shared"</span><span class="p">,</span> <span class="s">"ml"</span><span class="p">,</span> <span class="s">"worker"</span><span class="p">]</span> <span class="nn">[tool.mypy]</span> <span class="py">python_version</span> <span class="p">=</span> <span class="s">"3.12"</span> <span class="py">strict</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">mypy_path</span> <span class="p">=</span> <span class="s">"$MYPY_CONFIG_FILE_DIR/libs/shared/src"</span> <span class="py">exclude</span> <span class="p">=</span> <span class="p">[</span><span class="s">"gen/python"</span><span class="p">]</span> <span class="nn">[[tool.mypy.overrides]]</span> <span class="py">module</span> <span class="p">=</span> <span class="p">[</span><span class="s">"*_pb2"</span><span class="p">,</span> <span class="s">"*_pb2_grpc"</span><span class="p">]</span> <span class="py">ignore_errors</span> <span class="p">=</span> <span class="kc">true</span> <span class="c"># suppress errors in generated proto stubs</span> <span class="nn">[dependency-groups]</span> <span class="py">dev</span> <span class="p">=</span> <span class="p">[</span> <span class="py">"pytest&gt;</span><span class="p">=</span><span class="mi">8</span><span class="s">",</span><span class="err"> </span> <span class="py">"pytest-asyncio&gt;</span><span class="p">=</span><span class="mf">0.25</span><span class="s">",</span><span class="err"> </span> <span class="py">"mypy&gt;</span><span class="p">=</span><span class="mf">1.15</span><span class="s">",</span><span class="err"> </span> <span class="py">"ruff&gt;</span><span class="p">=</span><span class="mf">0.9</span><span class="s">",</span><span class="err"> </span><span class="p">]</span> </code></pre> </div> <p><strong>Critical — mypy invocation:</strong> mypy reads config from the directory it's <em>invoked from</em>, not from the file being checked. Always run <code>uv run mypy services/ml/ services/worker/ libs/</code> from the repo root. Running from inside <code>services/ml/</code> silently ignores <code>strict = true</code> and falls back to defaults.</p> <h3> <code>.golangci.yml</code> — Go </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">run</span><span class="pi">:</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5m</span> <span class="na">tests</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">linters</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">none</span> <span class="na">enable</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">errcheck</span> <span class="pi">-</span> <span class="s">staticcheck</span> <span class="pi">-</span> <span class="s">unused</span> <span class="pi">-</span> <span class="s">ineffassign</span> <span class="pi">-</span> <span class="s">govet</span> <span class="pi">-</span> <span class="s">revive</span> <span class="pi">-</span> <span class="s">gocritic</span> <span class="pi">-</span> <span class="s">misspell</span> <span class="pi">-</span> <span class="s">gosec</span> <span class="pi">-</span> <span class="s">bodyclose</span> <span class="pi">-</span> <span class="s">copyloopvar</span> <span class="na">exclusions</span><span class="pi">:</span> <span class="na">generated</span><span class="pi">:</span> <span class="s">strict</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">gen/go/.*</span><span class="se">\\</span><span class="s">.pb</span><span class="se">\\</span><span class="s">.go$"</span> <span class="na">linters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">revive</span><span class="pi">,</span> <span class="nv">gocritic</span><span class="pi">,</span> <span class="nv">godot</span><span class="pi">,</span> <span class="nv">errcheck</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">_test</span><span class="se">\\</span><span class="s">.go$"</span> <span class="na">linters</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">gosec</span><span class="pi">,</span> <span class="nv">errcheck</span><span class="pi">]</span> <span class="na">formatters</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gofumpt</span> <span class="pi">-</span> <span class="s">goimports</span> <span class="na">settings</span><span class="pi">:</span> <span class="na">goimports</span><span class="pi">:</span> <span class="na">local-prefixes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">github.com/your-org/beacon</span> </code></pre> </div> <h3> <code>.editorconfig</code> — baseline cross-language consistency </h3> <p>Biome, Ruff, and golangci-lint enforce formatting within each language, but editors need <code>.editorconfig</code> for baseline consistency before any tool runs — charset, line endings, trailing newlines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># .editorconfig </span><span class="py">root</span> <span class="p">=</span> <span class="s">true</span> <span class="nn">[*]</span> <span class="py">charset</span> <span class="p">=</span> <span class="s">utf-8</span> <span class="py">end_of_line</span> <span class="p">=</span> <span class="s">lf</span> <span class="py">insert_final_newline</span> <span class="p">=</span> <span class="s">true</span> <span class="py">trim_trailing_whitespace</span> <span class="p">=</span> <span class="s">true</span> <span class="nn">[*.go]</span> <span class="py">indent_style</span> <span class="p">=</span> <span class="s">tab</span> <span class="py">indent_size</span> <span class="p">=</span> <span class="s">4</span> <span class="nn">[*.{ts,tsx,js,json,yaml,yml,toml}]</span> <span class="py">indent_style</span> <span class="p">=</span> <span class="s">space</span> <span class="py">indent_size</span> <span class="p">=</span> <span class="s">2</span> <span class="nn">[*.py]</span> <span class="py">indent_style</span> <span class="p">=</span> <span class="s">space</span> <span class="py">indent_size</span> <span class="p">=</span> <span class="s">4</span> <span class="nn">[*.proto]</span> <span class="py">indent_style</span> <span class="p">=</span> <span class="s">space</span> <span class="py">indent_size</span> <span class="p">=</span> <span class="s">2</span> </code></pre> </div> <p><strong>Why this matters:</strong> three config files, all at the repo root. Each tool finds its own by walking up the directory tree. You can change the Go linting rules for every Go service in one edit, the Python formatting rules for every Python service in one edit, and the TypeScript rules for every TypeScript package in one edit. No per-service drift.</p> <h2> Tool 5: Three Linters, One <code>task lint</code> Command </h2> <p>Each language uses its own best-in-class linter. Task unifies them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>task lint:all <span class="c"># runs all three in parallel (deps: is parallel)</span> task ts:lint <span class="c"># TypeScript only</span> task go:lint <span class="c"># Go only</span> task py:lint <span class="c"># Python only</span> </code></pre> </div> <h3> Why not one linter for everything? </h3> <p>There is no cross-language linter that handles TypeScript + Python + Go well. The best tools are language-specific:</p> <ul> <li> <strong>Biome</strong> — TypeScript: sub-millisecond, replaces ESLint + Prettier</li> <li> <strong>Ruff</strong> — Python: 10–100x faster than Flake8, replaces isort + Black</li> <li> <strong>golangci-lint</strong> — Go: aggregates 50+ linters behind one binary</li> </ul> <p>Task makes them feel like one: <code>task lint:all</code> exits non-zero if any of them fails, regardless of language.</p> <h3> Build graph — how proto flows into all three </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>proto/analytics/*.proto proto/events/*.proto ↓ buf generate ↓ gen/go/ gen/python/ gen/ts/ ↓ ↓ ↓ pkg/shared libs/shared packages/sdk ↓ ↓ ↓ services/api services/ml frontend/web services/ingest services/worker </code></pre> </div> <p>A change to <code>proto/</code> forces all three build chains to run. Everything else is independent — a change to <code>services/api/</code> doesn't rerun Python tests.</p> <h3> CI: three parallel language jobs </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">detect</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">outputs</span><span class="pi">:</span> <span class="na">proto</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.proto }}</span> <span class="na">ts</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.ts }}</span> <span class="na">go</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.go }}</span> <span class="na">py</span><span class="pi">:</span> <span class="s">${{ steps.changes.outputs.py }}</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">dorny/paths-filter@v3</span> <span class="na">id</span><span class="pi">:</span> <span class="s">changes</span> <span class="na">with</span><span class="pi">:</span> <span class="na">filters</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">proto:</span> <span class="s">- 'proto/**'</span> <span class="s">ts:</span> <span class="s">- 'frontend/**'</span> <span class="s">- 'packages/**'</span> <span class="s">- 'gen/ts/**'</span> <span class="s">- 'proto/**' # proto change triggers TS too</span> <span class="s">go:</span> <span class="s">- 'services/api/**'</span> <span class="s">- 'services/ingest/**'</span> <span class="s">- 'pkg/**'</span> <span class="s">- 'gen/go/**'</span> <span class="s">- 'proto/**'</span> <span class="s">py:</span> <span class="s">- 'services/ml/**'</span> <span class="s">- 'services/worker/**'</span> <span class="s">- 'libs/**'</span> <span class="s">- 'gen/python/**'</span> <span class="s">- 'proto/**'</span> <span class="na">proto</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect.outputs.proto == 'true'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm install -g @bufbuild/buf</span> <span class="s">buf lint &amp;&amp; buf generate</span> <span class="s">buf breaking --against '.git#branch=main'</span> <span class="na">ts</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect.outputs.ts == 'true'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># required for turbo --affected</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pnpm/action-setup@v4</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm install --frozen-lockfile</span> <span class="c1"># equivalent of uv sync --frozen</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm turbo run typecheck lint test --affected</span> <span class="na">go</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect.outputs.go == 'true'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">strategy</span><span class="pi">:</span> <span class="na">matrix</span><span class="pi">:</span> <span class="na">module</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">services/api</span><span class="pi">,</span> <span class="nv">services/ingest</span><span class="pi">,</span> <span class="nv">pkg/shared</span><span class="pi">,</span> <span class="nv">pkg/store</span><span class="pi">]</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-go@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">go-version-file</span><span class="pi">:</span> <span class="s">${{ matrix.module }}/go.mod</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s">${{ matrix.module }}/go.sum</span> <span class="c1"># GOWORK=off is explicit — not relying on go.work being gitignored</span> <span class="c1"># This forces each module to prove it has complete go.mod declarations</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd ${{ matrix.module }} &amp;&amp; GOWORK=off golangci-lint run ./...</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">cd ${{ matrix.module }} &amp;&amp; GOWORK=off go test ./... -race</span> <span class="na">py</span><span class="pi">:</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">detect</span> <span class="na">if</span><span class="pi">:</span> <span class="s">needs.detect.outputs.py == 'true'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">astral-sh/setup-uv@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">enable-cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv sync --frozen --group dev</span> <span class="c1"># --frozen: fail if uv.lock is out of date (never silently update in CI)</span> <span class="c1"># --group dev: includes pytest, mypy, ruff</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run ruff check services/ml/ services/worker/ libs/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run mypy services/ml/ services/worker/ libs/</span> <span class="c1"># always from repo root — mypy does not discover config per-file like Ruff</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run pytest services/ml/ services/worker/ libs/ -x</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv cache prune --ci</span> </code></pre> </div> <p>A PR touching only <code>services/ml/</code> skips the <code>proto</code>, <code>ts</code>, and <code>go</code> jobs entirely.</p> <h2> Tool 6: lefthook — One Hook to Rule All Three Languages </h2> <p>Each language article recommended its own hook tool (custom <code>.githooks/</code> for TypeScript, pre-commit for Python, lefthook for Go). In a polyglot repo, you pick one. <strong>lefthook</strong> wins: it's a single binary, works with all languages, and runs hooks in parallel by default.</p> <h3> Install </h3> <p>lefthook is managed as a root-level dev dependency so everyone on the team gets it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="err">(root)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"devDependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@biomejs/biome"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.9.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lefthook"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.11.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"turbo"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^2.0.0"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"prepare"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lefthook install"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>pnpm install</code> runs <code>prepare</code> automatically — lefthook hooks are wired up on first install.</p> <h3> <code>lefthook.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># lefthook.yml</span> <span class="na">glob_matcher</span><span class="pi">:</span> <span class="s">doublestar</span> <span class="c1"># ** matches 0 or more dirs (required for nested files)</span> <span class="na">pre-commit</span><span class="pi">:</span> <span class="na">parallel</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ts-lint</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.{ts,tsx}"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm biome check --no-errors-on-unmatched {staged_files}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">py-lint</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.py"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run ruff check {staged_files}</span> <span class="na">stage_fixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">py-format</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.py"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run ruff format {staged_files}</span> <span class="na">stage_fixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proto-lint</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.proto"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">buf lint</span> <span class="na">pre-push</span><span class="pi">:</span> <span class="na">parallel</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">go-lint</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.go"</span> <span class="c1"># golangci-lint cannot lint files across multiple packages (named files must all</span> <span class="c1"># be in one directory — see golangci-lint#3715). Run per-module instead:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' |</span> <span class="s">xargs -P4 -I{} sh -c 'cd {} &amp;&amp; GOWORK=off golangci-lint run ./...'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">go-mod-tidy</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">go.{mod,sum}"</span> <span class="c1"># go mod tidy is per-module in a multi-module workspace; iterate over all modules:</span> <span class="na">run</span><span class="pi">:</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' |</span> <span class="s">xargs -I{} sh -c 'cd {} &amp;&amp; GOWORK=off go mod tidy &amp;&amp; git diff --exit-code go.mod go.sum'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">proto-breaking</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.proto"</span> <span class="c1"># Guard against first push / no origin/main (new repos, shallow clones)</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if git rev-parse origin/main &gt;/dev/null 2&gt;&amp;1; then</span> <span class="s">buf breaking --against '.git#branch=main'</span> <span class="s">else</span> <span class="s">echo "No origin/main — skipping breaking change check"</span> <span class="s">fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">py-typecheck</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">**/*.py"</span> <span class="c1"># mypy is 10-30s on real codebases — too slow for pre-commit, right for pre-push</span> <span class="c1"># pass whole dirs, not {staged_files}: mypy needs package-level context</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run mypy services/ml/ services/worker/ libs/ --config-file pyproject.toml</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>glob_matcher: doublestar</code> — without this, <code>**/*.py</code> won't match <code>services/ml/src/ml/main.py</code> (two directories deep). This single line makes nested file matching work correctly.</li> <li>Each job is skipped entirely if no staged files match its glob — committing only TypeScript changes doesn't run <code>go-lint</code> at all.</li> <li> <code>stage_fixed: true</code> — after Ruff auto-fixes a Python file, lefthook re-stages it so the fix is included in the commit.</li> <li> <code>parallel: true</code> — all four language checkers run simultaneously. On a fast machine, a commit touching files in all three languages still completes in the time of the slowest single checker.</li> <li> <code>pre-push</code> runs <code>buf breaking</code> — the breaking change check is too slow for pre-commit but important before pushing to a shared branch.</li> </ul> <p><strong>The key insight:</strong> you don't need different hook tools for different languages. lefthook routes by file glob. The Python and Go developers on your team never need to know that Biome exists; the TypeScript developers never need to know that Ruff exists. They all run <code>pnpm install</code> once and get the right checks for their files automatically.</p> <h2> The Full Picture: How These Tools Interact </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer commits ↓ lefthook pre-commit (all four checks in parallel) ↓ Biome on staged .ts/.tsx files ↓ Ruff on staged .py files (+ auto-fix + re-stage) ↓ golangci-lint on staged .go files ↓ buf lint on staged .proto files ↓ (any failure → abort commit; all pass → continue) ↓ Three workspace managers resolve internal deps in parallel: ↓ pnpm: workspace:* symlinks for TypeScript ↓ uv: { workspace = true } editable installs for Python ↓ go work: local module overlay for Go (gitignored) ↓ task build:all ↓ proto:generate (buf → gen/go/ + gen/python/ + gen/ts/) ↓ ts:build (pnpm turbo — dep-ordered, cached in .turbo/) ↓ go:build (per-module, cached in .task/) ↓ py:build (uv sync, cached in .task/) ↓ CI: detect-changes → three parallel language jobs ↓ proto change → all three jobs + breaking check ↓ TypeScript: pnpm turbo --affected (fetch-depth: 0) ↓ Go: GOWORK=off → matrix per module → go test -race ↓ Python: uv run pytest (affected services) ↓ all jobs required → single ci-complete gate </code></pre> </div> <h2> Summary: Why This Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Tool</th> <th>Mechanism</th> </tr> </thead> <tbody> <tr> <td>TypeScript dep linking</td> <td>pnpm workspaces</td> <td> <code>workspace:*</code> + symlinks</td> </tr> <tr> <td>Python dep linking</td> <td>uv workspaces</td> <td> <code>{ workspace = true }</code> + editable installs</td> </tr> <tr> <td>Go dep linking</td> <td>go workspaces</td> <td> <code>use</code> directives (gitignored)</td> </tr> <tr> <td>Cross-language task orchestration</td> <td>Task (Taskfile.yml)</td> <td> <code>includes</code> + <code>sources</code>/<code>generates</code> caching</td> </tr> <tr> <td>Cross-language contracts</td> <td>buf + Protobuf</td> <td>single <code>.proto</code> → 3 language stubs</td> </tr> <tr> <td>TypeScript lint + format</td> <td>Biome</td> <td>root <code>biome.json</code> </td> </tr> <tr> <td>Python lint + format</td> <td>Ruff</td> <td>root <code>pyproject.toml</code> <code>[tool.ruff]</code> </td> </tr> <tr> <td>Go lint + format</td> <td>golangci-lint + gofumpt</td> <td>root <code>.golangci.yml</code> </td> </tr> <tr> <td>Cross-language git hooks</td> <td>lefthook</td> <td> <code>glob_matcher: doublestar</code> + parallel jobs</td> </tr> <tr> <td>CI: only run changed languages</td> <td>dorny/paths-filter</td> <td>per-language path filters + job conditions</td> </tr> </tbody> </table></div> <p>The polyglot monorepo isn't one tool — it's a composition. Three workspace managers run in parallel. Task sits on top as the single command interface. buf provides the shared contract layer between all three languages. lefthook enforces quality at commit time regardless of which language a developer touches.</p> <p>The complexity cost is real: you're maintaining three build toolchains instead of one. The payoff is equally real: one <code>git blame</code>, one pull request for a cross-language feature, one place to define the contract between your TypeScript frontend and your Go and Python backends.</p> <h2> Deploying a Python Service from the Polyglot Monorepo </h2> <p>Go compiles to a static binary — Docker is trivial. TypeScript builds to a <code>dist/</code> directory — straightforward. Python is the tricky one: editable workspace installs point back at source paths and break inside a container without extra work.</p> <p>The fix is <code>uv sync --package ml --no-editable</code>. The build context <strong>must be the repo root</strong> — not <code>services/ml/</code> — because <code>uv sync</code> needs to resolve <code>libs/shared</code>, <code>gen/python</code>, and the root <code>pyproject.toml</code>.</p> <p>Without a <code>.dockerignore</code>, Docker sends the entire monorepo as context including <code>node_modules/</code>, Go binaries, and the frontend build cache. Add this at the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .dockerignore (at repo root — used by all Python service Dockerfiles) frontend/ packages/ node_modules/ .turbo/ .task/ .next/ *.go go.* go.work go.work.sum .venv/ </code></pre> </div> <p>Then build from the repo root: <code>docker build -f services/ml/Dockerfile .</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># services/ml/Dockerfile</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">COPY</span><span class="s"> --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy manifests first — dep install layer is cached separately from source</span> <span class="k">COPY</span><span class="s"> pyproject.toml uv.lock ./</span> <span class="k">COPY</span><span class="s"> libs/shared/pyproject.toml libs/shared/pyproject.toml</span> <span class="k">COPY</span><span class="s"> gen/python/pyproject.toml gen/python/pyproject.toml</span> <span class="k">COPY</span><span class="s"> services/ml/pyproject.toml services/ml/pyproject.toml</span> <span class="k">RUN </span>uv <span class="nb">sync</span> <span class="se">\ </span> <span class="nt">--package</span> ml <span class="se">\ </span> <span class="c"># install only ml + its deps (libs/shared, gen/python, etc.)</span> --no-dev \ # exclude pytest, mypy, ruff --frozen \ # fail if uv.lock is stale --no-editable <span class="c"># copy source into site-packages — no source tree needed at runtime</span> <span class="c"># Copy source after dep install (changes here don't bust dep cache)</span> <span class="k">COPY</span><span class="s"> libs/shared/src libs/shared/src</span> <span class="k">COPY</span><span class="s"> gen/python gen/python</span> <span class="k">COPY</span><span class="s"> services/ml/src services/ml/src</span> <span class="k">FROM</span><span class="s"> python:3.12-slim</span> <span class="k">COPY</span><span class="s"> --from=builder /app/.venv /app/.venv</span> <span class="k">ENV</span><span class="s"> PATH="/app/.venv/bin:$PATH"</span> <span class="k">CMD</span><span class="s"> ["uvicorn", "ml.main:app", "--host", "0.0.0.0", "--port", "8080"]</span> </code></pre> </div> <p><strong><code>--no-editable</code> is the critical flag.</strong> Without it, <code>libs/shared</code> installs as an editable install pointing at <code>libs/shared/src/</code> in the build context. The final image has a <code>.venv</code> with broken symlinks and imports fail at runtime. <code>--no-editable</code> copies the package source into <code>.venv/lib/pythonX.Y/site-packages/</code> — self-contained.</p> <h2> What to Watch Out For </h2> <p><strong>Fresh clone requires <code>task go:init</code></strong> — <code>go.work</code> is gitignored; a fresh clone has no workspace file. Run <code>task go:init</code> once per clone (or once per machine). The <code>status:</code> guard makes it idempotent — it's safe to run every time.</p> <p><strong><code>gen/ts/</code> must be a workspace member, not <code>file:</code></strong> — a <code>file:</code> reference copies the package into <code>node_modules</code> at install time. After <code>buf generate</code>, the copies are stale until <code>pnpm install</code> runs again. Use <code>workspace:*</code> (symlinked, always live).</p> <p><strong>Docker build context must be repo root</strong> — <code>uv sync --package ml</code> resolves workspace deps (<code>libs/shared</code>, <code>gen/python</code>). Build with <code>docker build -f services/ml/Dockerfile .</code> from the repo root. Use <code>.dockerignore</code> to exclude <code>node_modules/</code>, Go source, and the frontend build cache.</p> <p><strong><code>GOWORK=off</code> in CI must be explicit</strong> — <code>.gitignore</code> prevents committing <code>go.work</code> but doesn't prevent <code>git add -f</code>. Set <code>GOWORK=off</code> in every CI Go step. Don't rely on the file not being present.</p> <p><strong><code>go.mod</code> replace directives are required for CI</strong> — <code>go.work</code> resolves in-repo deps locally, but <code>GOWORK=off</code> requires each module's <code>go.mod</code> to have <code>replace</code> directives: <code>replace github.com/your-org/beacon/gen/go =&gt; ../../gen/go</code>. Without these, CI fails because the module can't find its in-repo dependencies. Run <code>go mod tidy</code> in each module after adding them.</p> <p><strong>golangci-lint cannot accept <code>{staged_files}</code> across packages</strong> — passing files from multiple packages produces "named files must all be in one directory." Run golangci-lint per-module in pre-push, not per-file in pre-commit.</p> <p><strong>pnpm and uv both need lock enforcement in CI</strong> — <code>pnpm install --frozen-lockfile</code> and <code>uv sync --frozen</code> are the equivalent safety checks. Omitting either means CI silently tests different dep versions than developers have locally.</p> <p><strong><code>sources</code> lists must include lockfiles</strong> — Task caches by hashing declared <code>sources</code>. If <code>uv.lock</code>, <code>pnpm-lock.yaml</code>, or <code>go.sum</code> changes without any source file changing, Task serves a stale cached build. Add lockfiles to every <code>sources</code> list.</p> <p><strong><code>task dev</code> log visibility</strong> — three servers writing to one terminal is unreadable. Run them in separate terminals or use a process manager (<code>overmind</code>, <code>foreman</code>, or <code>pnpm turbo run dev</code> for TypeScript). <code>task ts:dev</code>, <code>task go:dev</code>, <code>task py:dev</code> as separate commands is the pragmatic answer.</p> <p><strong>uv <code>members</code> and pnpm coexistence</strong> — uv will error if a <code>members</code> glob matches a directory that has no <code>pyproject.toml</code>. Be explicit: list Python-only directories rather than using broad globs like <code>services/*</code>.</p> <p><strong>mypy in pre-push, not pre-commit</strong> — mypy is 10–30s on a real Python codebase. Every commit, on any <code>.py</code> change. It belongs in <code>pre-push</code> alongside <code>buf breaking</code>, not blocking commits.</p> <p><strong><code>uv sync --frozen</code> in CI</strong> — without <code>--frozen</code>, uv silently re-resolves if <code>uv.lock</code> is stale, meaning CI may test different dep versions than developers have locally.</p> <p><strong><code>--no-editable</code> in Python Docker images</strong> — editable installs point at source paths in the build context. Use <code>uv sync --package ml --no-editable</code> in Dockerfiles so the <code>.venv</code> is self-contained.</p> <p><strong><code>jq</code> is a prerequisite</strong> — <code>Taskfile.go.yml</code> uses <code>go work edit -json | jq</code>. Install with <code>brew install jq</code> or <code>apt install jq</code>. Add to your <code>task prereqs</code> check or README.</p> <p><strong>proto changes cascade + deployment order</strong> — <code>buf breaking</code> catches compile-time breakage, but not runtime version skew. In production, always deploy consumers (Python ML, TypeScript frontend) before producers (Go API) when adding fields. Never remove or rename fields in a single deployment — deprecate first, remove in a later release.</p> <p><strong>lefthook <code>glob_matcher: doublestar</code></strong> — without this line, <code>**/*.py</code> won't match files more than one directory deep. Always verify with <code>lefthook run pre-commit --all-files</code> after first setup.</p> <p><strong>Generated code is committed</strong> — <code>gen/go/</code>, <code>gen/python/</code>, <code>gen/ts/</code> are in git. This keeps CI simple and makes stub changes reviewable. Proto changes produce large diffs — that's the tradeoff.</p> <h2> Going Further </h2> <p><strong>Dependency updates across three package managers</strong> — use <a href="https://docs.renovatebot.com/" rel="noopener noreferrer">Renovate</a> (not Dependabot — Renovate handles pnpm, uv, and Go modules in a single config). For audits: <code>pnpm audit</code>, <code>uv audit</code>, <code>govulncheck ./...</code> per Go module.</p> <p><strong>Adding a new service</strong> — checklist:</p> <ul> <li>Python service: add to <code>pyproject.toml</code> <code>members</code>, create <code>pyproject.toml</code> + <code>Taskfile.yml</code> + <code>dir:</code> include, add to <code>lefthook.yml</code> paths, add to CI <code>py</code> paths-filter</li> <li>Go service: add to <code>go.work use</code>, add to <code>Taskfile.go.yml init</code> cmd + lint/test, add CI matrix entry</li> <li>TypeScript package: add to <code>pnpm-workspace.yaml</code>, add Taskfile include</li> </ul> <p><strong>Cross-language integration tests</strong> — unit tests per language are not enough. Add a <code>task test:integration</code> that starts all three services (via Docker Compose or k3s) and runs contract tests against the live stack. <a href="https://pact.io" rel="noopener noreferrer">Pact</a> works across Go, Python, and TypeScript.</p> <p><strong>Environment config</strong> — one <code>.env</code> at repo root, read by all three languages:</p> <ul> <li>TypeScript: <code>dotenv</code> or <code>@t3-oss/env-nextjs</code> </li> <li>Python: <code>pydantic-settings</code> with <code>env_file = ".env"</code> </li> <li>Go: <code>godotenv.Load()</code> or pass via Docker env</li> </ul> <p><strong>CODEOWNERS</strong> — <code>proto/</code> should require review from both Go and Python leads. Use GitHub CODEOWNERS to enforce this on every proto PR.</p> <p><strong>Hot reload across proto changes</strong> — <code>task dev</code> doesn't re-run <code>buf generate</code> when <code>.proto</code> files change. Add a file-watcher task (e.g., via <code>watchexec</code> or <code>task --watch</code>) that runs <code>buf generate</code> and restarts affected dev servers on <code>.proto</code> changes.</p> architecture polyglot coding M Hossein Thu, 04 Jun 2026 07:49:00 +0000 https://dev.to/_mh/go-monorepo-magic-organize-build-and-ship-multi-service-apps-55i1 https://dev.to/_mh/go-monorepo-magic-organize-build-and-ship-multi-service-apps-55i1 <h2> What is a Monorepo? </h2> <p>A <strong>monorepo</strong> is a single Git repository that contains multiple distinct services or modules. The alternative is a <strong>polyrepo</strong>: one repo per service.</p> <p>This repo is <code>forge-monorepo</code>. It contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>forge-monorepo/ ├── services/ │ ├── api/ ← HTTP API service │ ├── worker/ ← Background job processor │ └── notifier/ ← Notification service ├── pkg/ │ ├── shared/ ← Shared types + domain logic │ ├── events/ ← Event definitions │ └── proto/ ← Protobuf definitions └── gen/ └── go/ ← Generated proto stubs (own go.mod) </code></pre> </div> <p><strong>The core idea:</strong> code needed by multiple services lives in <code>pkg/</code>, and all services import it directly — no private module proxy, no vendoring ceremony.</p> <h2> Tool 1: Go Workspaces (<code>go work</code>) — The Foundation </h2> <p><strong>Go workspaces</strong> are the monorepo primitive built into the Go toolchain since 1.18. They replace <code>replace</code> directives in <code>go.mod</code> for local multi-module development.</p> <h3> How it's declared </h3> <p><code>go.work</code> at the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">go</span> <span class="m">1.22</span> <span class="n">use</span> <span class="p">(</span> <span class="o">./</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="o">./</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="o">./</span><span class="n">pkg</span><span class="o">/</span><span class="n">events</span> <span class="o">./</span><span class="n">services</span><span class="o">/</span><span class="n">api</span> <span class="o">./</span><span class="n">services</span><span class="o">/</span><span class="n">worker</span> <span class="o">./</span><span class="n">services</span><span class="o">/</span><span class="n">notifier</span> <span class="p">)</span> </code></pre> </div> <p>This tells the Go toolchain: <em>treat every listed directory as a module, and resolve imports between them on disk</em>. That's it — one file defines the entire workspace.</p> <h3> What this enables </h3> <p>When you run any <code>go</code> command inside the workspace, the toolchain:</p> <ol> <li>Reads every <code>go.mod</code> in every listed directory</li> <li>Resolves inter-module imports to local disk paths automatically</li> <li>Lets every module keep its own <code>go.mod</code> and version independently</li> </ol> <h3> Internal imports </h3> <p>Each module has a normal <code>go.mod</code> with a full module path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// pkg/shared/go.mod</span> <span class="n">module</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">yourorg</span><span class="o">/</span><span class="n">forge</span><span class="o">/</span><span class="n">pkg</span><span class="o">/</span><span class="n">shared</span> <span class="k">go</span> <span class="m">1.22</span> </code></pre> </div> <p>Any other workspace module imports it by that exact path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// services/api/main.go</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/yourorg/forge/pkg/shared"</span> <span class="s">"github.com/yourorg/forge/pkg/events"</span> <span class="p">)</span> </code></pre> </div> <p>No special syntax. The workspace resolves <code>github.com/yourorg/forge/pkg/shared</code> to <code>./pkg/shared</code> on disk automatically.</p> <h3> Critical: do NOT commit <code>go.work</code> </h3> <p><code>go.work</code> is a local development convenience. It is <strong>not</strong> a source of truth for module dependencies. Add both files to <code>.gitignore</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Go workspace (local dev only) go.work go.work.sum # Task cache .task/ </code></pre> </div> <p>CI validates each module independently with <code>GOWORK=off</code> — more on that in Tool 2.</p> <h3> Why <code>go work</code> over <code>replace</code> directives? </h3> <p><code>replace</code> directives in <code>go.mod</code> are messy: they leak into the module graph, they break when you <code>go get</code>, and you have to touch every module's <code>go.mod</code> to wire things up. <code>go work</code> is additive — the workspace file lives outside the modules and doesn't pollute their dependency declarations.</p> <h2> Tool 2: Task (Taskfile.yml) — Task Orchestration and Caching </h2> <p>Go workspaces handle <em>module resolution</em>. <strong>Task</strong> handles <em>build orchestration</em>.</p> <h3> The problem Task solves </h3> <p>If you need to build 6 modules in the right order, you have to figure out the sequence yourself. And if nothing in <code>pkg/shared</code> changed, you shouldn't rebuild everything that depends on it.</p> <p>Task solves both: <strong>explicit task dependency ordering</strong> + <strong>file-based output caching</strong>.</p> <h3> <code>Taskfile.yml</code> — the pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">includes</span><span class="pi">:</span> <span class="na">gen</span><span class="pi">:</span> <span class="s">./gen/go/Taskfile.yml</span> <span class="na">shared</span><span class="pi">:</span> <span class="s">./pkg/shared/Taskfile.yml</span> <span class="na">events</span><span class="pi">:</span> <span class="s">./pkg/events/Taskfile.yml</span> <span class="na">api</span><span class="pi">:</span> <span class="s">./services/api/Taskfile.yml</span> <span class="na">worker</span><span class="pi">:</span> <span class="s">./services/worker/Taskfile.yml</span> <span class="na">notifier</span><span class="pi">:</span> <span class="s">./services/notifier/Taskfile.yml</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">build:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Build all modules in dependency order</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gen:build</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">shared:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">events:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">api:build</span> <span class="na">async</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">worker:build</span> <span class="na">async</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">notifier:build</span> <span class="na">async</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">test:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Test all modules</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">shared:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">events:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">api:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">worker:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">notifier:test</span> <span class="na">lint:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Run golangci-lint across all modules</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' | xargs -P4 -I{} sh -c 'cd {} &amp;&amp; golangci-lint run ./...'</span> <span class="na">tidy:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Run go mod tidy in every module</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' | xargs -I{} sh -c 'cd {} &amp;&amp; go mod tidy'</span> </code></pre> </div> <p>A per-module Taskfile (e.g., <code>pkg/shared/Taskfile.yml</code>) looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/*.go'</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">.task/shared.built'</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go build ./...</span> <span class="pi">-</span> <span class="s">touch .task/shared.built</span> <span class="na">test</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/*.go'</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">go test ./...</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>deps:</code> — tasks listed here run in parallel before the current task starts</li> <li> <code>cmds:</code> — commands run sequentially in order</li> <li> <code>sources</code> / <code>generates</code> — Task hashes these paths. Cache hit → task skipped entirely</li> <li> <code>async: true</code> — run the task concurrently with other commands in the same <code>cmds:</code> block</li> </ul> <h3> The build graph </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gen/go (buf generate) ↓ pkg/shared (go build) ↓ pkg/events (go build) ↓ services/api services/worker services/notifier (go build) (go build) (go build) </code></pre> </div> <h3> Affected-only in CI </h3> <p>Task has no <code>--affected</code> flag. Implement it with a git diff script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># scripts/affected.sh</span> <span class="c"># Outputs a newline-separated list of changed module paths</span> <span class="nv">BASE</span><span class="o">=</span><span class="k">${</span><span class="nv">1</span><span class="k">:-</span><span class="nv">origin</span><span class="p">/main</span><span class="k">}</span> <span class="nv">CHANGED_FILES</span><span class="o">=</span><span class="si">$(</span>git diff <span class="nt">--name-only</span> <span class="s2">"</span><span class="nv">$BASE</span><span class="s2">"</span>...HEAD<span class="si">)</span> <span class="nb">declare</span> <span class="nt">-A</span> AFFECTED <span class="k">while </span><span class="nv">IFS</span><span class="o">=</span> <span class="nb">read</span> <span class="nt">-r</span> file<span class="p">;</span> <span class="k">do</span> <span class="c"># Match each workspace module by its directory prefix</span> go work edit <span class="nt">-json</span> | jq <span class="nt">-r</span> <span class="s1">'.Use[].DiskPath'</span> | <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> mod<span class="p">;</span> <span class="k">do </span><span class="nv">mod_clean</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">mod</span><span class="p">#./</span><span class="k">}</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$file</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"</span><span class="nv">$mod_clean</span><span class="s2">"</span>/<span class="k">*</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"</span><span class="nv">$mod_clean</span><span class="s2">"</span> <span class="k">fi done done</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$CHANGED_FILES</span><span class="s2">"</span> | <span class="nb">sort</span> <span class="nt">-u</span> </code></pre> </div> <p>In CI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run affected tests</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">AFFECTED=$(bash scripts/affected.sh origin/main)</span> <span class="s">for mod in $AFFECTED; do</span> <span class="s">(cd "$mod" &amp;&amp; GOWORK=off go test ./...)</span> <span class="s">done</span> </code></pre> </div> <h2> Tool 3: Shared Modules — The Internal Module Pattern </h2> <p>Each <code>pkg/</code> module is a normal Go module with its own <code>go.mod</code>. It doesn't need to be published anywhere.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pkg/shared/ ├── go.mod ← module github.com/yourorg/forge/pkg/shared ├── types.go ├── domain.go └── errors.go </code></pre> </div> <p>Because <code>pkg/shared</code> is listed in <code>go.work</code>, any service imports it by its declared module path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/yourorg/forge/pkg/shared"</span> <span class="s">"github.com/yourorg/forge/pkg/events"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">shared</span><span class="o">.</span><span class="n">NewUser</span><span class="p">(</span><span class="s">"alice"</span><span class="p">)</span> <span class="n">ev</span> <span class="o">:=</span> <span class="n">events</span><span class="o">.</span><span class="n">NewUserCreated</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="n">_</span> <span class="o">=</span> <span class="n">ev</span> <span class="p">}</span> </code></pre> </div> <p><strong>The key insight:</strong> the workspace resolves that import to disk at development time. In CI, with <code>GOWORK=off</code>, each module must declare real <code>require</code> entries in its own <code>go.mod</code>. This forces you to be explicit about dependencies while keeping the local dev loop frictionless.</p> <h3> Proto and generated code </h3> <p><code>pkg/proto/</code> holds <code>.proto</code> files. <code>gen/go/</code> holds the generated stubs as its own module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// gen/go/go.mod</span> <span class="n">module</span> <span class="n">github</span><span class="o">.</span><span class="n">com</span><span class="o">/</span><span class="n">yourorg</span><span class="o">/</span><span class="n">forge</span><span class="o">/</span><span class="n">gen</span><span class="o">/</span><span class="k">go</span> <span class="k">go</span> <span class="m">1.22</span> <span class="n">require</span> <span class="n">google</span><span class="o">.</span><span class="n">golang</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">protobuf</span> <span class="n">v1</span><span class="m">.34.1</span> </code></pre> </div> <p>Services import generated types the same way — no magic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">import</span> <span class="n">forgepb</span> <span class="s">"github.com/yourorg/forge/gen/go"</span> </code></pre> </div> <h2> Tool 4: Root <code>.golangci.yml</code> — Shared Config </h2> <p>Centralize lint rules instead of duplicating them across every module.</p> <p><code>.golangci.yml</code> at repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">linters</span><span class="pi">:</span> <span class="na">enable</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">errcheck</span> <span class="pi">-</span> <span class="s">gosimple</span> <span class="pi">-</span> <span class="s">govet</span> <span class="pi">-</span> <span class="s">ineffassign</span> <span class="pi">-</span> <span class="s">staticcheck</span> <span class="pi">-</span> <span class="s">unused</span> <span class="pi">-</span> <span class="s">gofumpt</span> <span class="pi">-</span> <span class="s">goimports</span> <span class="pi">-</span> <span class="s">revive</span> <span class="pi">-</span> <span class="s">gosec</span> <span class="pi">-</span> <span class="s">exhaustive</span> <span class="pi">-</span> <span class="s">wrapcheck</span> <span class="na">linters-settings</span><span class="pi">:</span> <span class="na">gofumpt</span><span class="pi">:</span> <span class="na">extra-rules</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">goimports</span><span class="pi">:</span> <span class="na">local-prefixes</span><span class="pi">:</span> <span class="s">github.com/yourorg/forge</span> <span class="na">revive</span><span class="pi">:</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">exported</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">error-return</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">error</span> <span class="na">issues</span><span class="pi">:</span> <span class="na">exclude-rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">_test\.go</span> <span class="na">linters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">gosec</span> <span class="pi">-</span> <span class="s">errcheck</span> </code></pre> </div> <p>golangci-lint v2 walks <strong>upward</strong> from the directory where it's invoked to find the nearest config file. Running <code>golangci-lint run ./...</code> inside <code>services/api/</code> picks up the root <code>.golangci.yml</code> automatically — no per-module config needed unless you want to override.</p> <p><strong>Why this matters:</strong> change one rule and it propagates to every service. No drift, no <code>eslint.config.js</code> archaeology.</p> <h2> Tool 5: golangci-lint + gofumpt — Unified Linting and Formatting </h2> <p>One <code>.golangci.yml</code> at the root. Each module runs <code>golangci-lint run ./...</code> but rules are defined once. <strong>One source of truth, many consumers.</strong></p> <h3> golangci-lint v2 </h3> <p>The <code>version: "2"</code> key at the top of <code>.golangci.yml</code> is required for the v2 config schema. The v1 schema is silently different — don't mix them.</p> <p>Run across all modules in parallel:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go work edit <span class="nt">-json</span> | jq <span class="nt">-r</span> <span class="s1">'.Use[].DiskPath'</span> | <span class="se">\</span> xargs <span class="nt">-P4</span> <span class="nt">-I</span><span class="o">{}</span> sh <span class="nt">-c</span> <span class="s1">'cd {} &amp;&amp; golangci-lint run ./...'</span> </code></pre> </div> <h3> gofumpt </h3> <p><strong>gofumpt</strong> is a stricter superset of <code>gofmt</code>. It enforces additional rules: blank lines between imports and first declaration, grouping of related declarations, trailing newlines. Configure it under <code>formatters:</code> in the v2 schema (or as a linter via <code>gofumpt: true</code> in linters-settings as shown above).</p> <p>Install:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>mvdan.cc/gofumpt@latest </code></pre> </div> <p>Run standalone (useful in hooks):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gofumpt <span class="nt">-l</span> <span class="nt">-w</span> <span class="nb">.</span> </code></pre> </div> <h3> Why not just <code>gofmt</code>? </h3> <p><code>gofmt</code> is the baseline. <code>gofumpt</code> is what you actually want in a team — it eliminates the formatting debates <code>gofmt</code> leaves open. Add it to the linter pipeline once and you never argue about blank lines again.</p> <h2> Tool 6: lefthook — Git Hooks </h2> <p><strong>lefthook</strong> is a fast, language-agnostic Git hooks manager written in Go. It ships as a single binary, runs hooks in parallel by default, and integrates natively with staged files.</p> <h3> Install </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>go <span class="nb">install </span>github.com/evilmartians/lefthook@latest <span class="c"># or: brew install lefthook</span> </code></pre> </div> <p>Initialize in the repo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>lefthook <span class="nb">install</span> </code></pre> </div> <h3> <code>lefthook.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pre-commit</span><span class="pi">:</span> <span class="na">parallel</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">commands</span><span class="pi">:</span> <span class="na">go-lint</span><span class="pi">:</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*.go"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">golangci-lint run {staged_files}</span> <span class="na">stage_fixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">go-fmt</span><span class="pi">:</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*.go"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">gofumpt -l -w {staged_files}</span> <span class="na">stage_fixed</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">proto-lint</span><span class="pi">:</span> <span class="na">glob</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*.proto"</span> <span class="na">run</span><span class="pi">:</span> <span class="s">buf lint {staged_files}</span> <span class="na">mod-tidy-check</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">go work edit -json | jq -r '.Use[].DiskPath' | while read -r mod; do</span> <span class="s">(cd "$mod" &amp;&amp; go mod tidy &amp;&amp; git diff --exit-code go.mod go.sum) || exit 1</span> <span class="s">done</span> <span class="na">commit-msg</span><span class="pi">:</span> <span class="na">commands</span><span class="pi">:</span> <span class="na">conventional</span><span class="pi">:</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">msg=$(cat {1})</span> <span class="s">if ! echo "$msg" | grep -qE '^(feat|fix|chore|docs|refactor|test|ci)(\(.+\))?: .+'; then</span> <span class="s">echo "Commit message must follow Conventional Commits format"</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>{staged_files}</code> — lefthook's template variable; expands to the list of files currently staged for this commit</li> <li> <code>stage_fixed: true</code> — if <code>gofumpt</code> rewrites a file, lefthook re-stages it automatically. You don't have to <code>git add</code> again.</li> <li> <code>parallel: true</code> — go-lint and go-fmt run concurrently; the hook only blocks as long as the slowest command</li> </ul> <p><strong>The key insight:</strong> it doesn't lint the whole repo on every commit — only the files currently staged. <code>golangci-lint run {staged_files}</code> is dramatically faster than <code>golangci-lint run ./...</code> across every module. This keeps commits fast while still enforcing quality.</p> <h2> The Full Picture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer commits ↓ lefthook pre-commit ↓ golangci-lint on staged .go files (fast, per-file) ↓ buf lint on staged .proto files ↓ go mod tidy check ↓ (fails → abort; passes → continue) ↓ go work resolves internal imports to local disk paths ↓ task build:all ↓ reads Taskfile.yml includes ↓ builds modules in order: gen/go → pkg/shared → pkg/events → services/* (parallel) ↓ caches outputs in .task/ ↓ CI: GOWORK=off — each module tested independently ↓ git diff → affected modules → test only those + dependents ↓ golangci-lint matrix across modules ↓ .golangci.yml config inherited from repo root </code></pre> </div> <h2> Summary: Why This Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Tool</th> <th>Mechanism</th> </tr> </thead> <tbody> <tr> <td>Share code without publishing</td> <td>Go Workspaces</td> <td> <code>go.work</code> + disk path resolution</td> </tr> <tr> <td>Run tasks in dependency order</td> <td>Task</td> <td> <code>deps:</code> + <code>cmds:</code> ordering</td> </tr> <tr> <td>Don't rebuild unchanged modules</td> <td>Task cache</td> <td> <code>sources</code>/<code>generates</code> hashing</td> </tr> <tr> <td>CI: only changed modules</td> <td>git diff script</td> <td> <code>GOWORK=off</code> per-module testing</td> </tr> <tr> <td>Consistent lint config</td> <td>Root <code>.golangci.yml</code> </td> <td>upward config file walk</td> </tr> <tr> <td>One linter + formatter</td> <td>golangci-lint + gofumpt</td> <td>single <code>.golangci.yml</code> </td> </tr> <tr> <td>Quality before commits</td> <td>lefthook</td> <td> <code>{staged_files}</code> pre-commit hook</td> </tr> </tbody> </table></div> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Clone and initialize workspace</span> git clone https://github.com/yourorg/forge-monorepo <span class="nb">cd </span>forge-monorepo go work <span class="nb">sync</span> <span class="c"># sync all module dependencies</span> <span class="c"># 2. Install tools</span> go <span class="nb">install </span>github.com/go-task/task/v3/cmd/task@latest go <span class="nb">install </span>github.com/golangci/golangci-lint/cmd/golangci-lint@latest go <span class="nb">install </span>mvdan.cc/gofumpt@latest go <span class="nb">install </span>github.com/evilmartians/lefthook@latest brew <span class="nb">install </span>bufbuild/buf/buf <span class="c"># 3. Install git hooks</span> lefthook <span class="nb">install</span> <span class="c"># 4. Build everything</span> task build:all <span class="c"># 5. Test everything</span> task <span class="nb">test</span>:all </code></pre> </div> <h2> What to Watch Out For </h2> <p><strong><code>go.work</code> in CI.</strong> Set <code>GOWORK=off</code> in your CI environment variables. Each module's <code>go.mod</code> must have correct <code>require</code> entries — the workspace won't paper over missing dependencies in CI.</p> <p><strong>Module path discipline.</strong> Your <code>go.mod</code> module paths must be globally valid (i.e., <code>github.com/yourorg/forge/...</code>), even if you never publish. The workspace resolves them locally, but the paths need to be stable and consistent across all modules.</p> <p><strong>golangci-lint v1 vs v2.</strong> The config schema changed significantly. If you're migrating from v1, the <code>version: "2"</code> key is mandatory and several linter names moved. Run <code>golangci-lint migrate</code> to auto-upgrade your config.</p> <p><strong>Task and <code>go generate</code>.</strong> Add a <code>generate</code> task that runs <code>buf generate</code> before any <code>go build</code> task that depends on generated types. Generated code in <code>gen/go/</code> is a real module with its own <code>go.mod</code> — it needs to be built first, just like any other dependency.</p> go tutorial code M Hossein Wed, 03 Jun 2026 07:10:00 +0000 https://dev.to/_mh/python-monorepo-magic-organize-build-and-ship-multi-service-apps-3al3 https://dev.to/_mh/python-monorepo-magic-organize-build-and-ship-multi-service-apps-3al3 <h2> What is a Monorepo? </h2> <p>A <strong>monorepo</strong> is a single Git repository that contains multiple distinct packages or applications. The alternative is a <strong>polyrepo</strong>: one repo per app or package.</p> <p>This repo is <code>nest-monorepo</code>. It contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nest-monorepo/ ├── apps/ │ ├── api/ ← FastAPI backend │ ├── worker/ ← Celery async worker │ └── cli/ ← Internal tooling CLI ├── packages/ │ ├── shared/ ← Pydantic schemas + SQLAlchemy models │ ├── events/ ← Event type definitions │ └── proto/ ← Protobuf definitions + generated stubs </code></pre> </div> <p><strong>The core idea:</strong> code that is needed by multiple apps lives in <code>packages/</code>, and all apps can import it directly — no PyPI publishing required.</p> <h2> Tool 1: uv Workspaces — The Foundation </h2> <p><strong>uv</strong> is the package manager. Workspaces are its monorepo feature.</p> <h3> How it's declared </h3> <p>Root <code>pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[tool.uv.workspace]</span> <span class="py">members</span> <span class="p">=</span> <span class="p">[</span><span class="s">"apps/*"</span><span class="p">,</span> <span class="s">"packages/*"</span><span class="p">]</span> </code></pre> </div> <p>That's it. Three lines define the entire workspace. uv reads every <code>pyproject.toml</code> under those globs and treats each directory as a workspace member.</p> <h3> What this enables </h3> <p>When you run <code>uv sync</code> at the repo root, uv:</p> <ol> <li>Reads every <code>pyproject.toml</code> in every workspace directory</li> <li>Resolves all external dependencies into a single <code>uv.lock</code> file at the root</li> <li>Installs internal packages as editable installs so they can import each other directly</li> </ol> <h3> The <code>{ workspace = true }</code> source </h3> <p>Look at <code>apps/api/pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"api"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span><span class="py">dependencies</span> <span class="p">=</span> <span class="p">[</span><span class="s">"shared"</span><span class="p">,</span> <span class="s">"events"</span><span class="p">,</span> <span class="py">"fastapi&gt;</span><span class="p">=</span><span class="mf">0.115</span><span class="s">"]</span><span class="err"> </span> <span class="p">[</span><span class="err">tool.uv.sources</span><span class="p">]</span> <span class="py">shared</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="py">events</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><code>{ workspace = true }</code> means: <em>don't fetch this from PyPI — link it from this workspace instead</em>. When <code>api</code> imports <code>shared</code>, Python resolves it to <code>packages/shared/src/</code> on disk via an editable install. No publishing, no version pinning against PyPI, no symlink juggling.</p> <p>This is the mechanism that makes internal sharing work.</p> <h3> Why uv over pip/poetry? </h3> <p>uv uses a <strong>global content-addressable cache</strong> at <code>~/.cache/uv</code>. Every version of every package is stored once globally across all projects on your machine. Workspaces get hard links to the cache, not copies. This means:</p> <ul> <li>10–100x faster installs than pip</li> <li>A single <code>uv.lock</code> committed at the repo root — one lockfile, all packages</li> <li>Strict resolution — packages can't accidentally import things they didn't declare</li> </ul> <p><strong>Note:</strong> <code>uv.lock</code> is committed to version control. Unlike <code>go.work.sum</code>, it is not gitignored. It is the canonical record of every resolved dependency across the entire workspace.</p> <h3> One virtualenv to rule them all </h3> <p><code>uv sync</code> creates a <strong>single <code>.venv</code> at the repo root</strong>. All workspace members are installed into it as editable installs. There is no per-package virtualenv.</p> <p>This has two important consequences:</p> <ul> <li> <strong>No version skew.</strong> <code>api</code> and <code>worker</code> cannot depend on different versions of <code>shared</code> — they share the same installed environment.</li> <li> <strong>IDE setup is trivial.</strong> Point your editor's Python interpreter at <code>.venv/bin/python</code> once, at the repo root. Every package is immediately importable — no per-project interpreter switching. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv <span class="nb">sync</span> <span class="c"># creates .venv, installs everything</span> <span class="nb">source</span> .venv/bin/activate <span class="c"># or let your IDE detect it</span> python <span class="nt">-c</span> <span class="s2">"import shared"</span> <span class="c"># works from anywhere in the repo</span> </code></pre> </div> <p>Add <code>.venv/</code> to <code>.gitignore</code>.</p> <h2> Tool 2: Task (Taskfile.yml) — Task Orchestration and Caching </h2> <p>uv workspaces handle <em>dependencies</em>. <strong>Task</strong> handles <em>tasks</em> (build, test, lint, etc.).</p> <h3> Installing Task </h3> <p>Task is a language-agnostic binary — it has nothing to do with Go and requires no Go installation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># macOS / Linux via Homebrew (recommended)</span> brew <span class="nb">install </span>go-task <span class="c"># Linux: direct install script (no Go needed)</span> sh <span class="nt">-c</span> <span class="s2">"</span><span class="si">$(</span>curl <span class="nt">--location</span> https://taskfile.dev/install.sh<span class="si">)</span><span class="s2">"</span> <span class="nt">--</span> <span class="nt">-d</span> <span class="nt">-b</span> ~/.local/bin <span class="c"># Or grab a binary directly from https://github.com/go-task/task/releases</span> </code></pre> </div> <p>Verify with <code>task --version</code>.</p> <h3> The problem Task solves </h3> <p>If you run <code>uv run pytest</code> across 6 packages, you have to figure out the order yourself. <code>shared</code> must be importable before <code>events</code>, which must be importable before <code>api</code> and <code>worker</code>. <code>proto</code> must run <code>buf generate</code> before anything imports the generated stubs. Do it wrong and you get import errors or stale generated code.</p> <p>Also, if nothing in <code>packages/shared</code> changed, you shouldn't rebuild it.</p> <p>Task solves both: <strong>explicit task ordering</strong> + <strong>file-based caching via <code>sources</code>/<code>generates</code></strong>.</p> <h3> <code>Taskfile.yml</code> — the pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">includes</span><span class="pi">:</span> <span class="na">shared</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./packages/shared/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./packages/shared</span> <span class="c1"># without dir:, commands run from repo root</span> <span class="na">events</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./packages/events/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./packages/events</span> <span class="na">proto</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./packages/proto/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./packages/proto</span> <span class="na">api</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./apps/api/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./apps/api</span> <span class="na">worker</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./apps/worker/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./apps/worker</span> <span class="na">cli</span><span class="pi">:</span> <span class="na">taskfile</span><span class="pi">:</span> <span class="s">./apps/cli/Taskfile.yml</span> <span class="na">dir</span><span class="pi">:</span> <span class="s">./apps/cli</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">build:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Build all packages in dependency order</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">shared:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">events:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">proto:generate</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">api:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">worker:build</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">cli:build</span> <span class="na">test:all</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Run all tests</span> <span class="na">deps</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">shared</span><span class="pi">:</span><span class="nv">build</span><span class="pi">,</span> <span class="nv">events</span><span class="pi">:</span><span class="nv">build</span><span class="pi">,</span> <span class="nv">proto</span><span class="pi">:</span><span class="nv">generate</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">api:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">worker:test</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">cli:test</span> <span class="na">lint:all</span><span class="pi">:</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">shared:lint</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">events:lint</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">proto:lint</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">api:lint</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">worker:lint</span> <span class="pi">-</span> <span class="na">task</span><span class="pi">:</span> <span class="s">cli:lint</span> </code></pre> </div> <p><code>packages/proto/Taskfile.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">tasks</span><span class="pi">:</span> <span class="na">generate</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Generate Python stubs from .proto files</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">**/*.proto'</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">generated/**/*.py'</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">buf generate</span> </code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li> <code>sources</code> — glob patterns of input files. Task fingerprints these.</li> <li> <code>generates</code> — files produced by the task. Task checks if they still exist and match the fingerprint.</li> <li>If inputs haven't changed and outputs still exist, Task skips the task entirely (cache hit). Results are stored in <code>.task/</code>.</li> <li> <code>deps:</code> runs dependencies <strong>in parallel</strong> before the task executes.</li> <li> <code>cmds:</code> runs commands <strong>sequentially</strong>, in order.</li> </ul> <h3> How the build graph flows </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>packages/shared (uv sync) ↓ packages/events (uv sync) packages/proto (buf generate) ↓ ↓ apps/api (generates stubs) apps/worker ↓ apps/cli apps/api, apps/worker (import proto stubs) </code></pre> </div> <h3> Running individual apps </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Run just the API</span> task api:dev <span class="c"># Run just the worker</span> task worker:dev <span class="c"># Build a single package</span> task shared:build </code></pre> </div> <h3> Affected-only in CI </h3> <p>Task has no <code>--affected</code> flag. The naive approach — looping over changed package names — is wrong: if <code>shared</code> changes, <code>api</code> and <code>worker</code> (which depend on it) must also be tested. You need reverse-dependency propagation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="c"># ci/affected.sh — tests changed packages AND their dependents</span> <span class="nv">CHANGED</span><span class="o">=</span><span class="si">$(</span>git diff <span class="nt">--name-only</span> origin/main...HEAD<span class="si">)</span> <span class="c"># Reverse dependency map: if X changes, also test these</span> <span class="nb">declare</span> <span class="nt">-A</span> <span class="nv">RDEPS</span><span class="o">=(</span> <span class="o">[</span>shared]<span class="o">=</span><span class="s2">"api worker cli"</span> <span class="o">[</span>events]<span class="o">=</span><span class="s2">"api worker"</span> <span class="o">[</span>proto]<span class="o">=</span><span class="s2">"api worker"</span> <span class="o">)</span> <span class="nv">PACKAGES</span><span class="o">=()</span> mark<span class="o">()</span> <span class="o">{</span> <span class="nb">local </span><span class="nv">pkg</span><span class="o">=</span><span class="nv">$1</span> <span class="o">[[</span> <span class="s2">" </span><span class="k">${</span><span class="nv">PACKAGES</span><span class="p">[*]</span><span class="k">}</span><span class="s2"> "</span> <span class="o">=</span>~ <span class="s2">" </span><span class="k">${</span><span class="nv">pkg</span><span class="k">}</span><span class="s2"> "</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="c"># skip if already queued</span> PACKAGES+<span class="o">=(</span><span class="s2">"</span><span class="nv">$pkg</span><span class="s2">"</span><span class="o">)</span> <span class="k">for </span>dep <span class="k">in</span> <span class="k">${</span><span class="nv">RDEPS</span><span class="p">[</span><span class="nv">$pkg</span><span class="p">]</span><span class="k">:-}</span><span class="p">;</span> <span class="k">do </span>mark <span class="s2">"</span><span class="nv">$dep</span><span class="s2">"</span><span class="p">;</span> <span class="k">done</span> <span class="c"># propagate to dependents</span> <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^packages/shared/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"shared"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^packages/events/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"events"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^packages/proto/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"proto"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^apps/api/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"api"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^apps/worker/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"worker"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$CHANGED</span><span class="s2">"</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"^apps/cli/"</span> <span class="o">&amp;&amp;</span> mark <span class="s2">"cli"</span> <span class="k">for </span>pkg <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">PACKAGES</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span>task <span class="s2">"</span><span class="k">${</span><span class="nv">pkg</span><span class="k">}</span><span class="s2">:test"</span><span class="p">;</span> <span class="k">done</span> </code></pre> </div> <p>A change to <code>packages/shared</code> marks <code>shared</code> → then propagates to <code>api</code>, <code>worker</code>, <code>cli</code>. A change to <code>apps/api</code> only marks <code>api</code>.</p> <p><strong>The honest alternative:</strong> skip this complexity and run <code>task test:all</code> every time. Task's <code>sources</code>/<code>generates</code> caching skips packages whose inputs haven't changed. You get the same outcome with far less script maintenance.</p> <p><strong>The key insight:</strong> Task knows nothing about Python — it just tracks file fingerprints and runs shell commands in the order you declare. That's exactly the level of abstraction you want.</p> <h2> Tool 3: Shared Packages — The Internal Packages Pattern </h2> <h3> Source-level packages (no build step) </h3> <p>Most packages in this repo point directly at Python source:</p> <p><code>packages/shared/pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"shared"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span><span class="py">dependencies</span> <span class="p">=</span> <span class="p">[</span> <span class="py">"pydantic&gt;</span><span class="p">=</span><span class="mf">2.0</span><span class="s">",</span><span class="err"> </span> <span class="py">"sqlalchemy&gt;</span><span class="p">=</span><span class="mf">2.0</span><span class="s">",</span><span class="err"> </span><span class="p">]</span> <span class="nn">[build-system]</span> <span class="py">requires</span> <span class="p">=</span> <span class="p">[</span><span class="s">"hatchling"</span><span class="p">]</span> <span class="py">build-backend</span> <span class="p">=</span> <span class="s">"hatchling.build"</span> </code></pre> </div> <p><code>packages/shared/src/shared/__init__.py</code> exports the Pydantic models and SQLAlchemy base classes directly. No compilation, no <code>dist/</code> folder. When <code>apps/api</code> imports <code>shared</code>, it reaches straight into <code>packages/shared/src/</code> via the editable install.</p> <p>This is the <strong>internal packages pattern</strong> — source is the distribution artifact.</p> <h3> Packages that do need a build step </h3> <p><code>packages/proto</code> generates Python stubs from <code>.proto</code> files:</p> <p><code>packages/proto/pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"proto"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span><span class="py">dependencies</span> <span class="p">=</span> <span class="py">["grpcio&gt;</span><span class="p">=</span><span class="mf">1.60</span><span class="s">", "</span><span class="py">protobuf&gt;</span><span class="p">=</span><span class="mf">4.0</span><span class="s">"]</span><span class="err"> </span> <span class="nn">[build-system]</span> <span class="py">requires</span> <span class="p">=</span> <span class="p">[</span><span class="s">"hatchling"</span><span class="p">]</span> <span class="py">build-backend</span> <span class="p">=</span> <span class="s">"hatchling.build"</span> </code></pre> </div> <p><code>packages/proto/Taskfile.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">tasks</span><span class="pi">:</span> <span class="na">generate</span><span class="pi">:</span> <span class="na">sources</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">**/*.proto'</span><span class="pi">]</span> <span class="na">generates</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">generated/**/*.py'</span><span class="pi">]</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">buf generate</span> <span class="c1"># buf handles all codegen — don't mix with raw protoc</span> </code></pre> </div> <p>Task's <code>sources</code>/<code>generates</code> fingerprinting ensures <code>proto:generate</code> runs before anything that imports the stubs — and skips if the <code>.proto</code> files haven't changed.</p> <h3> Consuming internal packages in apps </h3> <p><code>apps/api/pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"api"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.1.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span><span class="py">dependencies</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"shared"</span><span class="p">,</span> <span class="s">"events"</span><span class="p">,</span> <span class="s">"proto"</span><span class="p">,</span> <span class="py">"fastapi&gt;</span><span class="p">=</span><span class="mf">0.115</span><span class="s">",</span><span class="err"> </span> <span class="py">"uvicorn&gt;</span><span class="p">=</span><span class="mf">0.30</span><span class="s">",</span><span class="err"> </span><span class="p">]</span> <span class="nn">[tool.uv.sources]</span> <span class="py">shared</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="py">events</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="py">proto</span> <span class="o">=</span> <span class="p">{</span> <span class="py">workspace</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><code>apps/worker/pyproject.toml</code> declares the same <code>[tool.uv.sources]</code> block. Because uv resolves everything into a single <code>uv.lock</code>, both <code>api</code> and <code>worker</code> are guaranteed to use the exact same version of <code>shared</code> — no version skew between apps in the same repo.</p> <p><strong>Why this matters:</strong> you can refactor a Pydantic model in <code>packages/shared</code> and immediately see type errors in both <code>apps/api</code> and <code>apps/worker</code> without publishing anything. The workspace is the registry.</p> <h2> Tool 4: Root <code>pyproject.toml</code> — Shared Config </h2> <p>Rather than duplicating <code>[tool.mypy]</code> and <code>[tool.pytest.ini_options]</code> across 6 packages, this repo centralizes all tool configuration in the root <code>pyproject.toml</code>.</p> <p>Root <code>pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"nest-monorepo"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.0.0"</span> <span class="py">requires-python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.12</span><span class="s">"</span><span class="err"> </span> <span class="nn">[tool.uv.workspace]</span> <span class="py">members</span> <span class="p">=</span> <span class="p">[</span><span class="s">"apps/*"</span><span class="p">,</span> <span class="s">"packages/*"</span><span class="p">]</span> <span class="c"># Dev tools live here — not in subpackage pyproject.toml files</span> <span class="nn">[dependency-groups]</span> <span class="py">dev</span> <span class="p">=</span> <span class="p">[</span> <span class="py">"pytest&gt;</span><span class="p">=</span><span class="mi">8</span><span class="s">",</span><span class="err"> </span> <span class="py">"pytest-asyncio&gt;</span><span class="p">=</span><span class="mf">0.25</span><span class="s">", # asyncio_mode = "</span><span class="err">auto</span><span class="s">" requires this</span><span class="err"> </span> <span class="py">"pytest-cov&gt;</span><span class="p">=</span><span class="mi">5</span><span class="s">",</span><span class="err"> </span> <span class="py">"mypy&gt;</span><span class="p">=</span><span class="mf">1.15</span><span class="s">",</span><span class="err"> </span> <span class="py">"ruff&gt;</span><span class="p">=</span><span class="mf">0.9</span><span class="s">",</span><span class="err"> </span> <span class="py">"pydantic[mypy]&gt;</span><span class="p">=</span><span class="mf">2.0</span><span class="s">", # provides the pydantic.mypy plugin</span><span class="err"> </span> <span class="s">"types-requests"</span><span class="p">,</span> <span class="p">]</span> <span class="nn">[tool.mypy]</span> <span class="py">python_version</span> <span class="p">=</span> <span class="s">"3.12"</span> <span class="py">strict</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">disallow_untyped_defs</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">no_implicit_optional</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">warn_redundant_casts</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">warn_unused_ignores</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">plugins</span> <span class="p">=</span> <span class="p">[</span><span class="s">"pydantic.mypy"</span><span class="p">]</span> <span class="c"># Paths where mypy finds internal package source</span> <span class="py">mypy_path</span> <span class="p">=</span> <span class="s">"packages/shared/src:packages/events/src:packages/proto/src"</span> <span class="nn">[tool.pytest.ini_options]</span> <span class="py">testpaths</span> <span class="p">=</span> <span class="p">[</span><span class="s">"apps"</span><span class="p">,</span> <span class="s">"packages"</span><span class="p">]</span> <span class="c"># no top-level tests/ dir — each package has its own</span> <span class="py">asyncio_mode</span> <span class="p">=</span> <span class="s">"auto"</span> <span class="py">addopts</span> <span class="p">=</span> <span class="s">"-v --tb=short"</span> <span class="nn">[tool.coverage.run]</span> <span class="py">branch</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">source</span> <span class="p">=</span> <span class="p">[</span><span class="s">"apps"</span><span class="p">,</span> <span class="s">"packages"</span><span class="p">]</span> <span class="c"># not "src" — there's no top-level src/</span> <span class="nn">[tool.coverage.report]</span> <span class="py">fail_under</span> <span class="p">=</span> <span class="mi">80</span> <span class="py">show_missing</span> <span class="p">=</span> <span class="kc">true</span> </code></pre> </div> <p>Install dev tools with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv <span class="nb">sync</span> <span class="nt">--group</span> dev </code></pre> </div> <h3> How mypy finds this config </h3> <p><strong>mypy does not walk up the directory tree.</strong> Unlike Ruff, mypy reads config from the directory where it's invoked — not from the file being type-checked. If you run <code>uv run mypy src/</code> from inside <code>apps/api/</code>, mypy finds no <code>[tool.mypy]</code> there, silently falls back to non-strict defaults, and your <code>strict = true</code> is ignored.</p> <p>The correct pattern: <strong>always run mypy from the repo root, passing the directories to check:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run mypy apps/ packages/ </code></pre> </div> <p>This is different from Ruff, which discovers config per-file by walking upward. With mypy, the invocation location is what matters — not the file location.</p> <p>There is no <code>[tool.mypy]</code> in subpackages. <strong>Do not add one.</strong> mypy does not merge configs — a subpackage <code>[tool.mypy]</code> completely replaces the root config rather than extending it.</p> <p><strong>Why this matters:</strong> change <code>strict = true</code> in one place and it applies to all 6 packages — but only when mypy is invoked from the root. Enforce this in your Taskfile and CI.</p> <h2> Tool 5: Ruff — Unified Linting and Formatting </h2> <p><strong>Ruff</strong> replaces Flake8 + Black + isort with a single fast tool written in Rust. A single <code>[tool.ruff]</code> section in the root <code>pyproject.toml</code> applies to the entire repo.</p> <p>Root <code>pyproject.toml</code> (continued):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[tool.ruff]</span> <span class="py">target-version</span> <span class="p">=</span> <span class="s">"py312"</span> <span class="py">line-length</span> <span class="p">=</span> <span class="mi">100</span> <span class="py">src</span> <span class="p">=</span> <span class="p">[</span><span class="s">"apps"</span><span class="p">,</span> <span class="s">"packages"</span><span class="p">]</span> <span class="c"># not "src" — tells Ruff where source roots are</span> <span class="nn">[tool.ruff.lint]</span> <span class="py">select</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"E"</span><span class="p">,</span> <span class="c"># pycodestyle errors</span> <span class="s">"W"</span><span class="p">,</span> <span class="c"># pycodestyle warnings</span> <span class="s">"F"</span><span class="p">,</span> <span class="c"># pyflakes</span> <span class="s">"I"</span><span class="p">,</span> <span class="c"># isort</span> <span class="s">"UP"</span><span class="p">,</span> <span class="c"># pyupgrade</span> <span class="s">"B"</span><span class="p">,</span> <span class="c"># flake8-bugbear</span> <span class="s">"SIM"</span><span class="p">,</span> <span class="c"># flake8-simplify</span> <span class="p">]</span> <span class="py">ignore</span> <span class="p">=</span> <span class="p">[</span><span class="s">"E501"</span><span class="p">]</span> <span class="c"># line length handled by formatter</span> <span class="nn">[tool.ruff.lint.per-file-ignores]</span> <span class="py">"**/tests/**"</span> <span class="p">=</span> <span class="p">[</span><span class="s">"S101"</span><span class="p">]</span> <span class="c"># allow assert in tests</span> <span class="nn">[tool.ruff.lint.isort]</span> <span class="py">known-first-party</span> <span class="p">=</span> <span class="p">[</span><span class="s">"shared"</span><span class="p">,</span> <span class="s">"events"</span><span class="p">,</span> <span class="s">"proto"</span><span class="p">]</span> <span class="c"># without this, internal packages</span> <span class="c"># sort as third-party — wrong grouping</span> <span class="nn">[tool.ruff.format]</span> <span class="py">quote-style</span> <span class="p">=</span> <span class="s">"double"</span> <span class="py">indent-style</span> <span class="p">=</span> <span class="s">"space"</span> </code></pre> </div> <h3> Config discovery: how subpackages inherit </h3> <p>Ruff discovers config by walking up the directory tree from the file being linted until it finds a <code>pyproject.toml</code>, <code>ruff.toml</code>, or <code>.ruff.toml</code>. In <code>nest-monorepo</code>, every file in <code>apps/</code> and <code>packages/</code> walks up and hits the root <code>pyproject.toml</code>. One config, all packages.</p> <h3> Per-package overrides </h3> <p>If <code>apps/cli</code> has looser requirements (it's internal tooling), add an <code>extend</code> in <code>apps/cli/pyproject.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[tool.ruff]</span> <span class="py">extend</span> <span class="p">=</span> <span class="s">"../../pyproject.toml"</span> <span class="nn">[tool.ruff.lint]</span> <span class="py">ignore</span> <span class="p">=</span> <span class="p">[</span><span class="s">"E501"</span><span class="p">,</span> <span class="s">"T201"</span><span class="p">]</span> <span class="c"># allow print() in CLI</span> </code></pre> </div> <p><code>extend</code> inherits all parent settings and overrides only what you specify. This is the right pattern — not a full <code>[tool.ruff]</code> block that silently drops all parent rules.</p> <p>Each package runs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv run ruff check src/ uv run ruff format src/ </code></pre> </div> <p>But the rules are defined once. This is the same pattern as the mypy config: <strong>one source of truth, many consumers</strong>.</p> <p><strong>The key insight:</strong> Ruff running at 10–100x the speed of Flake8 is not just a nice-to-have in a monorepo. When pre-commit runs on every commit across 6 packages, linting speed is the difference between a 2-second hook and a 30-second one.</p> <h2> Tool 6: pre-commit + Git Hooks — Enforcing Quality at Commit Time </h2> <p>Install pre-commit as a uv tool (not a project dependency):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>uv tool <span class="nb">install </span>pre-commit pre-commit <span class="nb">install</span> </code></pre> </div> <p><code>.pre-commit-config.yaml</code> at the repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">repos</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">https://github.com/astral-sh/ruff-pre-commit</span> <span class="na">rev</span><span class="pi">:</span> <span class="s">v0.9.0</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">ruff</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">--fix</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">ruff-format</span> <span class="c1"># mypy CANNOT use the standard pre-commit mirror hook here.</span> <span class="c1"># pre-commit/mirrors-mypy runs mypy in an isolated virtualenv that has no</span> <span class="c1"># access to your uv workspace's editable installs — `from shared import ...`</span> <span class="c1"># produces false ImportError failures. Run mypy via the local repo instead:</span> <span class="pi">-</span> <span class="na">repo</span><span class="pi">:</span> <span class="s">local</span> <span class="na">hooks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">mypy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mypy</span> <span class="na">language</span><span class="pi">:</span> <span class="s">system</span> <span class="c1"># uses the active .venv, not an isolated env</span> <span class="na">entry</span><span class="pi">:</span> <span class="s">uv run mypy</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">apps/</span><span class="pi">,</span> <span class="nv">packages/</span><span class="pi">,</span> <span class="nv">--config-file</span><span class="pi">,</span> <span class="nv">pyproject.toml</span><span class="pi">]</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">python</span><span class="pi">]</span> <span class="na">pass_filenames</span><span class="pi">:</span> <span class="kc">false</span> <span class="c1"># mypy needs whole-package context, not individual files</span> </code></pre> </div> <p><strong>The key insight:</strong> pre-commit automatically passes only staged files to Ruff — no custom script needed. <code>ruff check --fix</code> runs only against the files you're about to commit. mypy, however, needs the full package context to resolve imports correctly, so <code>pass_filenames: false</code> is set and it receives the full <code>apps/ packages/</code> instead.</p> <p>The flow on <code>git commit</code>:</p> <ol> <li>pre-commit intercepts the commit</li> <li> <code>ruff</code> checks and auto-fixes staged <code>.py</code> files</li> <li> <code>ruff-format</code> formats staged <code>.py</code> files</li> <li> <code>mypy</code> type-checks all of <code>apps/</code> and <code>packages/</code> (fast due to incremental cache)</li> <li>If any hook fails — commit is aborted, fixed files are left staged for review</li> <li>If all hooks pass — commit proceeds</li> </ol> <h3> Installing consistently across the team </h3> <p>Add to root <code>Taskfile.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">tasks</span><span class="pi">:</span> <span class="na">setup</span><span class="pi">:</span> <span class="na">desc</span><span class="pi">:</span> <span class="s">Bootstrap the repo for local development</span> <span class="na">cmds</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">uv sync</span> <span class="pi">-</span> <span class="s">uv tool install pre-commit</span> <span class="pi">-</span> <span class="s">pre-commit install</span> </code></pre> </div> <p>Every developer runs <code>task setup</code> once after cloning. No tribal knowledge required.</p> <p><strong>Why this matters:</strong> a linting problem caught at commit time costs 3 seconds to fix. The same problem caught in CI costs 5 minutes of context switching. The same problem caught in code review costs someone else's time too.</p> <h2> CI: GitHub Actions </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/ci.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">astral-sh/setup-uv@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">enable-cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># caches ~/.cache/uv between runs</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv sync --frozen --group dev</span> <span class="c1"># --frozen: fail if uv.lock is out of date (never auto-update in CI)</span> <span class="c1"># --group dev: includes pytest, mypy, ruff</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run ruff check apps/ packages/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run ruff format --check apps/ packages/</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run mypy apps/ packages/</span> <span class="c1"># always run from repo root — mypy does not walk up per-file</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv run pytest apps/ packages/ -x --cov</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PYTHONDONTWRITEBYTECODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1"</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">uv cache prune --ci</span> <span class="c1"># trims downloaded wheels, keeps source-built cache for next run</span> </code></pre> </div> <p>The <code>--frozen</code> flag is the CI safety net. If a developer forgot to commit an updated <code>uv.lock</code> after adding a dependency, the CI job fails immediately rather than silently installing a different package version than the rest of the team has.</p> <h2> Deploying One App from a Monorepo </h2> <p>The hardest Python monorepo question isn't the build — it's Docker. You need an image for <code>apps/api</code> that includes its internal deps (<code>packages/shared</code>, <code>packages/events</code>) without shipping the entire repo or the dev toolchain.</p> <p>uv makes this clean with <code>--package</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># apps/api/Dockerfile</span> <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">COPY</span><span class="s"> --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv</span> <span class="k">WORKDIR</span><span class="s"> /app</span> <span class="c"># Copy the workspace manifests first (cache layer for dep installation)</span> <span class="k">COPY</span><span class="s"> pyproject.toml uv.lock ./</span> <span class="k">COPY</span><span class="s"> packages/shared/pyproject.toml packages/shared/pyproject.toml</span> <span class="k">COPY</span><span class="s"> packages/events/pyproject.toml packages/events/pyproject.toml</span> <span class="k">COPY</span><span class="s"> apps/api/pyproject.toml apps/api/pyproject.toml</span> <span class="c"># Install only api's deps — no dev tools, no other apps</span> <span class="k">RUN </span>uv <span class="nb">sync</span> <span class="se">\ </span> <span class="nt">--package</span> api <span class="se">\ </span> <span class="nt">--no-dev</span> <span class="se">\ </span> <span class="nt">--frozen</span> <span class="se">\ </span> <span class="nt">--no-editable</span> <span class="c"># copies source into site-packages instead of editable links</span> <span class="c"># Now copy the actual source (separate layer so code changes don't bust dep cache)</span> <span class="k">COPY</span><span class="s"> packages/shared/src packages/shared/src</span> <span class="k">COPY</span><span class="s"> packages/events/src packages/events/src</span> <span class="k">COPY</span><span class="s"> apps/api/src apps/api/src</span> <span class="k">FROM</span><span class="s"> python:3.12-slim</span> <span class="k">COPY</span><span class="s"> --from=builder /app/.venv /app/.venv</span> <span class="k">COPY</span><span class="s"> --from=builder /app/apps/api/src /app/src</span> <span class="k">ENV</span><span class="s"> PATH="/app/.venv/bin:$PATH"</span> <span class="k">CMD</span><span class="s"> ["uvicorn", "api.main:app", "--host", "0.0.0.0", "--port", "8000"]</span> </code></pre> </div> <p><strong>Key flags:</strong></p> <ul> <li> <code>--package api</code> — installs only <code>api</code> and its transitive deps (including <code>shared</code> and <code>events</code>)</li> <li> <code>--no-dev</code> — excludes pytest, mypy, ruff</li> <li> <code>--frozen</code> — fails if <code>uv.lock</code> is stale</li> <li> <code>--no-editable</code> — copies package source into <code>.venv/lib/</code> so the final image doesn't need the source tree</li> </ul> <p><strong>Why this matters:</strong> without <code>--no-editable</code>, the editable installs point back at the source paths in the build context. The final image would need all of <code>packages/shared/src/</code> mapped at the same absolute path. <code>--no-editable</code> severs that dependency — the <code>.venv</code> is self-contained.</p> <h2> The Full Picture: How These Tools Interact </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer commits ↓ pre-commit hook ↓ ruff-check (staged files only, --fix) ↓ ruff-format (staged files only) ↓ (fails → abort commit; passes → continue) ↓ uv workspace resolves internal deps via { workspace = true } editable installs ↓ task build:all ↓ reads Taskfile.yml includes ↓ builds packages in order: shared → events → api/worker/cli ↓ caches outputs in .task/ ↓ CI: git diff → affected packages → test only those + dependents ↓ diffs against main branch ↓ runs only impacted packages ↓ Ruff config inherited from root pyproject.toml ↓ mypy config inherited from root pyproject.toml </code></pre> </div> <h2> Summary: Why This Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Tool</th> <th>Mechanism</th> </tr> </thead> <tbody> <tr> <td>Share code without publishing to PyPI</td> <td>uv workspaces</td> <td> <code>{ workspace = true }</code> + editable installs</td> </tr> <tr> <td>Run tasks in dependency order</td> <td>Task</td> <td>explicit <code>cmds:</code> ordering + <code>deps:</code> for parallel</td> </tr> <tr> <td>Don't rebuild unchanged packages</td> <td>Task cache</td> <td> <code>sources</code>/<code>generates</code> fingerprinting in <code>.task/</code> </td> </tr> <tr> <td>Run tasks on only changed code in CI</td> <td>git diff script</td> <td><code>git diff --name-only origin/main...HEAD</code></td> </tr> <tr> <td>Consistent mypy/pytest config</td> <td>root <code>pyproject.toml</code> </td> <td>single <code>[tool.mypy]</code>; always invoke from repo root</td> </tr> <tr> <td>One linter/formatter config</td> <td>Ruff root <code>[tool.ruff]</code> </td> <td>config discovery walks up per-file</td> </tr> <tr> <td>Per-package lint overrides</td> <td>Ruff <code>extend</code> </td> <td>inherits parent rules, adds/removes specific ones</td> </tr> <tr> <td>Enforce quality before commits</td> <td>pre-commit hooks</td> <td>staged-file Ruff; mypy via <code>language: system</code> </td> </tr> <tr> <td>Deploy one app without full repo</td> <td><code>uv sync --package api --no-editable</code></td> <td>installs app + internal deps, no dev tools</td> </tr> </tbody> </table></div> <p>The monorepo isn't one tool — it's these tools composing together. uv handles what exists and how it's linked, Task handles when things run and in what order, and the tooling layer in <code>pyproject.toml</code> handles how everything is configured.</p> python architecture tutorial programming M Hossein Tue, 02 Jun 2026 12:16:54 +0000 https://dev.to/_mh/typescript-monorepo-magic-organize-build-and-ship-multi-package-apps-4cgf https://dev.to/_mh/typescript-monorepo-magic-organize-build-and-ship-multi-package-apps-4cgf <h2> What is a Monorepo? </h2> <p>A <strong>monorepo</strong> is a single Git repository that contains multiple distinct packages or applications. The alternative is a <strong>polyrepo</strong>: one repo per app or package.</p> <p>This repo is <code>shrimp-monorepo</code>. It contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>shrimp-monorepo/ ├── apps/ │ ├── api/ ← Node.js backend (Elysia + gRPC) │ ├── client-user/ ← React frontend for end users │ └── client-admin/ ← React frontend for admins ├── packages/ │ ├── shared-types/ ← TypeScript types used everywhere │ ├── ui/ ← Shared React components │ ├── proto/ ← Protobuf definitions + generated code │ ├── grpc-client/ ← gRPC client wrapper │ └── db-schema/ ← Drizzle ORM schema └── tooling/ └── typescript/ ← Shared tsconfig files </code></pre> </div> <p><strong>The core idea:</strong> code that is needed by multiple apps lives in <code>packages/</code>, and all apps can import it directly — no npm publishing required.</p> <h2> Tool 1: pnpm Workspaces — The Foundation </h2> <p><strong>pnpm</strong> is the package manager. Workspaces are its monorepo feature.</p> <h3> How it's declared </h3> <p><code>pnpm-workspace.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">apps/*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">packages/*'</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">tooling/*'</span> </code></pre> </div> <p>This tells pnpm: <em>treat every directory in these globs as a package</em>. That's it — three lines define the entire workspace.</p> <h3> What this enables </h3> <p>When you run <code>pnpm install</code> at the repo root, pnpm:</p> <ol> <li>Reads every <code>package.json</code> in every workspace directory</li> <li>Hoists shared external dependencies into a single <code>node_modules</code> at the root</li> <li>Creates symlinks for internal packages so they can import each other</li> </ol> <h3> The <code>workspace:*</code> protocol </h3> <p>Look at <code>apps/api/package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@shrimp/db-schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@shrimp/proto"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@shrimp/shared-types"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>workspace:*</code> means: <em>don't fetch this from npm — link it from this workspace instead</em>. When <code>api</code> imports <code>@shrimp/db-schema</code>, Node resolves it to <code>packages/db-schema/src/index.ts</code> on disk via a symlink in <code>node_modules/.pnpm</code>.</p> <p>This is what makes internal sharing work without publishing packages.</p> <h3> Why pnpm over npm/yarn? </h3> <p>pnpm uses a <strong>content-addressable store</strong> (the <code>.pnpm-store/</code> directory in this repo). Every version of every package is stored once globally. Workspaces get hard links to the store, not copies. This means:</p> <ul> <li>Faster installs</li> <li>Significantly less disk space</li> <li>Strict by default — packages can't accidentally import things they didn't declare</li> </ul> <h2> Tool 2: Turborepo — Task Orchestration and Caching </h2> <p>pnpm workspaces handle <em>dependencies</em>. <strong>Turbo</strong> handles <em>tasks</em> (build, test, lint, etc.).</p> <h3> The problem Turbo solves </h3> <p>If you run <code>pnpm run build</code> in a repo with 8 packages, you have to figure out the order yourself. <code>proto</code> must build before <code>grpc-client</code>, which must build before <code>api</code>. Do it wrong and you get stale or missing types.</p> <p>Also, if nothing in <code>packages/ui</code> changed, you shouldn't need to rebuild it.</p> <p>Turbo solves both: <strong>dependency-aware task ordering</strong> + <strong>task result caching</strong>.</p> <h3> <code>turbo.json</code> — the pipeline </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"tasks"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dependsOn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^build"</span><span class="p">],</span><span class="w"> </span><span class="nl">"outputs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"dist/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">".output/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"generated/**"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"cache"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"persistent"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"lint"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dependsOn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^build"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"typecheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dependsOn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^build"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"test:unit"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dependsOn"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^build"</span><span class="p">],</span><span class="w"> </span><span class="nl">"outputs"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"coverage/**"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Key concepts:</strong></p> <ul> <li><p><code>"dependsOn": ["^build"]</code> — the <code>^</code> prefix means <em>build all packages that this package depends on first</em>. So when building <code>@shrimp/api</code>, Turbo automatically builds <code>@shrimp/proto</code>, <code>@shrimp/db-schema</code>, and <code>@shrimp/shared-types</code> beforehand, in the right order.</p></li> <li><p><code>"dependsOn": ["build"]</code> (no <code>^</code>) — run the same package's <code>build</code> task first. Used by <code>test:e2e</code>: build the app before running E2E tests.</p></li> <li><p><code>"cache": false</code> — never cache this task. <code>dev</code> is persistent/interactive, so caching makes no sense.</p></li> <li><p><code>"persistent": true</code> — this task runs forever (a dev server). Turbo knows not to treat it as something that finishes.</p></li> <li><p><code>"outputs"</code> — Turbo hashes these paths to know what "done" looks like. If inputs haven't changed and outputs still exist, Turbo skips the task entirely (cache hit).</p></li> </ul> <h3> How the build graph flows </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>proto:generate ↓ @shrimp/proto (build) ↓ @shrimp/grpc-client (build) ↓ apps/api (build) apps/client-user (build) apps/client-admin (build) </code></pre> </div> <p><code>@shrimp/shared-types</code>, <code>@shrimp/db-schema</code>, and <code>@shrimp/ui</code> also build in parallel before their consumers, since they have no inter-dependencies.</p> <h3> Filtering — run tasks for specific packages </h3> <p>The root <code>package.json</code> uses <code>--filter</code> for targeted dev:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"dev:user"</span><span class="p">:</span><span class="w"> </span><span class="s2">"turbo run dev --filter=@shrimp/client-user"</span><span class="err">,</span><span class="w"> </span><span class="nl">"dev:admin"</span><span class="p">:</span><span class="w"> </span><span class="s2">"turbo run dev --filter=@shrimp/client-admin"</span><span class="err">,</span><span class="w"> </span><span class="nl">"dev:api"</span><span class="p">:</span><span class="w"> </span><span class="s2">"turbo run dev --filter=@shrimp/api"</span><span class="w"> </span></code></pre> </div> <p><code>--filter</code> accepts package names, directory globs, or git-based expressions.</p> <h3> Affected-only in CI </h3> <p>The CI workflow uses the most powerful filter:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">run</span><span class="pi">:</span> <span class="s">pnpm turbo run typecheck lint test:unit build --affected</span> </code></pre> </div> <p><code>--affected</code> uses the git diff against the base branch to determine which packages changed, then runs tasks only on those packages (and their dependents). A PR that only touches <code>packages/ui</code> won't re-run <code>api</code> tests.</p> <h2> Tool 3: Shared Packages — How Internal Code is Shared </h2> <h3> Source-level packages (no compilation step) </h3> <p>Most packages in this repo point directly at TypeScript source:</p> <p><code>packages/shared-types/package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"@shrimp/shared-types"</span><span class="p">,</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src/index.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"types"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src/index.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exports"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"."</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src/index.ts"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>There is no <code>build</code> script. When <code>@shrimp/api</code> imports <code>@shrimp/shared-types</code>, it imports <code>.ts</code> files directly. The consuming app's bundler or TypeScript compiler handles the compilation.</p> <p>This is sometimes called the <strong>"internal packages" pattern</strong> — no <code>dist/</code> folder, no compile step, just source. It works because all consumers in the monorepo are TypeScript themselves.</p> <h3> Packages that do need a build step </h3> <p><code>@shrimp/proto</code> generates TypeScript from <code>.proto</code> files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"proto:generate"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm exec protoc --ts_out ./generated ..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm run proto:generate"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Turbo's <code>"dependsOn": ["^build"]</code> ensures <code>proto:generate</code> runs before anything that consumes <code>@shrimp/proto</code>.</p> <h2> Tool 4: Shared TypeScript Config — <code>tooling/typescript</code> </h2> <p>Rather than duplicating 25 lines of <code>compilerOptions</code> across 8 packages, this repo centralizes TypeScript config in <code>tooling/typescript/</code>.</p> <p><code>tooling/typescript/tsconfig.base.json</code> — strict settings shared by all packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"strict"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"noUnusedLocals"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"noUncheckedIndexedAccess"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"moduleResolution"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bundler"</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>tooling/typescript/tsconfig.react.json</code> — extends base, adds JSX:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./tsconfig.base.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"jsx"</span><span class="p">:</span><span class="w"> </span><span class="s2">"react-jsx"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each package inherits via <code>extends</code>:</p> <p><code>apps/api/tsconfig.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="s2">"../../tooling/typescript/tsconfig.base.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"outDir"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"rootDir"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./src"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>packages/ui/tsconfig.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="s2">"../../tooling/typescript/tsconfig.react.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"src/**/*.ts"</span><span class="p">,</span><span class="w"> </span><span class="s2">"src/**/*.tsx"</span><span class="p">,</span><span class="w"> </span><span class="s2">"tests/**/*.ts"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Why this matters:</strong> change one setting in <code>tsconfig.base.json</code> and it propagates to every package in the repo. No drift, no "why is strict mode off in this one package" surprises.</p> <h2> Tool 5: Biome — Unified Linting and Formatting </h2> <p><strong>Biome</strong> replaces ESLint + Prettier with a single fast tool. A single <code>biome.json</code> at the root applies to the entire repo.</p> <p><code>biome.json</code> key config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"linter"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"correctness"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"noUnusedVariables"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"noUnusedImports"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"style"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"useConst"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"formatter"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"indentStyle"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tab"</span><span class="p">,</span><span class="w"> </span><span class="nl">"indentWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"lineWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each package runs <code>biome check .</code> as its <code>lint</code> script, but the rules are defined once. This is the same pattern as TypeScript config inheritance: <strong>one source of truth, many consumers</strong>.</p> <h2> Tool 6: Git Hooks — Enforcing Quality at Commit Time </h2> <p>The repo uses a <strong>custom git hooks directory</strong> instead of the default <code>.git/hooks</code>. This means hooks can be committed and versioned.</p> <p>Setup (runs on <code>pnpm install</code> via the <code>prepare</code> lifecycle):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"prepare"</span><span class="p">:</span><span class="w"> </span><span class="s2">"git config core.hooksPath .githooks"</span><span class="w"> </span></code></pre> </div> <p><code>.githooks/pre-commit</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env sh</span> pnpm precommit:staged </code></pre> </div> <p><code>scripts/biome-staged.mjs</code> — runs Biome only on staged files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">staged</span> <span class="o">=</span> <span class="nf">spawnSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">git</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">diff</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">--cached</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">--name-only</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">-z</span><span class="dl">"</span><span class="p">,</span> <span class="p">...]);</span> <span class="c1">// ... filters to .ts/.tsx/.js/.json files</span> <span class="nf">spawnSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">pnpm</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">exec</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">biome</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">check</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">--no-errors-on-unmatched</span><span class="dl">"</span><span class="p">,</span> <span class="p">...</span><span class="nx">files</span><span class="p">]);</span> </code></pre> </div> <p><strong>The key insight:</strong> it doesn't lint the whole repo on every commit — only the files currently staged. This keeps commits fast while still enforcing quality.</p> <h2> The Full Picture: How These Tools Interact </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer commits ↓ git pre-commit hook (.githooks/pre-commit) ↓ runs biome-staged.mjs ↓ Biome checks only staged files ↓ (fails → abort commit; passes → continue) ↓ pnpm workspace resolves internal deps via workspace:* symlinks ↓ turbo run build ↓ reads turbo.json pipeline ↓ resolves dependency graph from package.json deps ↓ builds packages in order: proto → grpc-client → api/clients ↓ caches outputs in .turbo/ ↓ CI: turbo run ... --affected ↓ diffs against main ↓ runs only impacted packages ↓ TypeScript config inherited from tooling/typescript/ ↓ Biome config inherited from root biome.json </code></pre> </div> <h2> Summary: Why This Stack </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Tool</th> <th>Mechanism</th> </tr> </thead> <tbody> <tr> <td>Share code without publishing to npm</td> <td>pnpm workspaces</td> <td> <code>workspace:*</code> + symlinks</td> </tr> <tr> <td>Run tasks in dependency order</td> <td>Turbo</td> <td><code>"dependsOn": ["^build"]</code></td> </tr> <tr> <td>Don't rebuild unchanged packages</td> <td>Turbo cache</td> <td> <code>outputs</code> hashing</td> </tr> <tr> <td>Run tasks on only changed code in CI</td> <td>Turbo <code>--affected</code> </td> <td>git diff</td> </tr> <tr> <td>Consistent TypeScript config</td> <td><code>tooling/typescript</code></td> <td> <code>extends</code> inheritance</td> </tr> <tr> <td>One linter/formatter config</td> <td>Biome root <code>biome.json</code> </td> <td>single config, all packages</td> </tr> <tr> <td>Enforce quality before commits</td> <td>Git hooks (<code>.githooks/</code>)</td> <td>staged-file Biome check</td> </tr> </tbody> </table></div> <p>The monorepo isn't one tool — it's these tools composing together. pnpm handles what exists, Turbo handles when things run, and the tooling layer handles how they're configured.</p> programming tutorial architecture typescript