The latest articles on DEV Community by Oluwagbade Odimayo (@gbadedata). https://dev.to/gbadedata https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3907243%2F4333f452-8736-4453-8b6a-4cdfe7107469.png https://dev.to/gbadedata en Oluwagbade Odimayo Thu, 07 May 2026 01:20:22 +0000 https://dev.to/gbadedata/from-broken-repo-to-policy-gated-deployment-platform-building-swiftdeploy-from-scratch-2nmo https://dev.to/gbadedata/from-broken-repo-to-policy-gated-deployment-platform-building-swiftdeploy-from-scratch-2nmo <h2> How I built a manifest-driven CLI that generates its own infrastructure, enforces environment policy through OPA, observes the running system in real time, and audits every decision it makes </h2> <p>Most deployment tools ask you to write configuration files. SwiftDeploy asks you to describe your intent once, then writes the configuration files for you - and refuses to deploy unless the environment is safe enough to proceed.</p> <p>This post covers the complete journey of building SwiftDeploy across two stages. Stage A established the foundation: a declarative CLI that generates Docker Compose and Nginx configuration from a single manifest, manages the container lifecycle, and supports stable/canary promotion. Stage B added the intelligence layer: Prometheus metrics, an Open Policy Agent sidecar that gates every deployment and promotion, a live status dashboard, and an append-only audit trail.</p> <p>A reader who follows this post from beginning to end should be able to replicate everything.</p> <h2> The Problem SwiftDeploy Solves </h2> <p>Consider a typical deployment workflow without tooling:</p> <ol> <li>Write a <code>docker-compose.yml</code> by hand</li> <li>Write an <code>nginx.conf</code> by hand</li> <li>Manually update both files every time a port, timeout, or service name changes</li> <li>Hope you didn't introduce a drift between the two files</li> <li>Have no policy gate before deployment</li> <li>Have no audit trail of what changed and when</li> </ol> <p>SwiftDeploy inverts this. You edit exactly one file - <code>manifest.yaml</code>. The CLI derives everything else from it. If you delete the generated files and run <code>swiftdeploy init</code>, they come back identically. The manifest is the single source of truth, and the tool enforces that guarantee mechanically.</p> <h2> Architecture </h2> <p>Here is the complete system after both stages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>manifest.yaml ← the only file you edit manually │ ▼ swiftdeploy CLI │ ├── OPA policy check (pre-deploy / pre-promote) │ │ │ ▼ │ policies/*.rego │ + policy_limits from manifest │ ▼ templates/ ├── docker-compose.yml.tpl └── nginx.conf.tpl │ ▼ ┌──────────────────────────────────────────┐ │ Docker Network │ │ │ │ ┌──────────────┐ ┌─────────────────┐ │ │ │ App │ │ Nginx │ │ │ │ :3000 │◄──│ :8080 (public) │ │ │ │ /metrics │ └─────────────────┘ │ │ │ /healthz │ │ │ │ /chaos │ ┌─────────────────┐ │ │ └──────────────┘ │ OPA │ │ │ │ :8181 (loopback)│ │ │ └─────────────────┘ │ └──────────────────────────────────────────┘ │ ▼ history.jsonl ← append-only audit trail │ ▼ audit_report.md ← generated on demand </code></pre> </div> <p><strong>Key isolation rules:</strong></p> <ul> <li>The app is never exposed directly to the host - all traffic goes through Nginx</li> <li>OPA is bound to <code>127.0.0.1:8181</code> only - not reachable via the Nginx port or from the internet</li> <li>The CLI is the only component that talks to OPA</li> <li>The app has no knowledge of policy decisions</li> </ul> <h2> Stage A: The Engine </h2> <h3> The Manifest </h3> <p>Everything starts with <code>manifest.yaml</code>. This file describes the entire deployment intent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">10</span> <span class="na">contact</span><span class="pi">:</span> <span class="s">o.odimayo@gbadedata.com</span> <span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openpolicyagent/opa:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8181</span> <span class="na">policies_dir</span><span class="pi">:</span> <span class="s">policies</span> <span class="na">decision_timeout_seconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">volume_name</span><span class="pi">:</span> <span class="s">swiftdeploy-logs</span> <span class="na">policy_limits</span><span class="pi">:</span> <span class="na">infrastructure</span><span class="pi">:</span> <span class="na">min_disk_free_gb</span><span class="pi">:</span> <span class="m">10</span> <span class="na">max_cpu_load</span><span class="pi">:</span> <span class="m">2.0</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">max_error_rate</span><span class="pi">:</span> <span class="m">0.01</span> <span class="na">max_p99_latency_ms</span><span class="pi">:</span> <span class="m">500</span> <span class="na">audit</span><span class="pi">:</span> <span class="na">history_file</span><span class="pi">:</span> <span class="s">history.jsonl</span> <span class="na">report_file</span><span class="pi">:</span> <span class="s">audit_report.md</span> </code></pre> </div> <p>Every value that the generated configuration needs comes from here. No hardcoded values exist in any template or policy file.</p> <h3> Template-based Config Generation </h3> <p>The CLI uses Jinja2 to render <code>docker-compose.yml</code> and <code>nginx.conf</code> from templates. This is how <code>swiftdeploy init</code> works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">template_name</span><span class="p">,</span> <span class="n">output_path</span><span class="p">,</span> <span class="n">manifest</span><span class="p">):</span> <span class="n">env</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">loader</span><span class="o">=</span><span class="nc">FileSystemLoader</span><span class="p">(</span><span class="n">TEMPLATE_DIR</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">"</span><span class="s">utf-8-sig</span><span class="sh">"</span><span class="p">),</span> <span class="n">autoescape</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">trim_blocks</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">lstrip_blocks</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">template</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="nf">get_template</span><span class="p">(</span><span class="n">template_name</span><span class="p">)</span> <span class="n">rendered</span> <span class="o">=</span> <span class="n">template</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="o">**</span><span class="n">manifest</span><span class="p">).</span><span class="nf">lstrip</span><span class="p">(</span><span class="sh">"</span><span class="se">\ufeff</span><span class="sh">"</span><span class="p">)</span> <span class="n">output_path</span><span class="p">.</span><span class="nf">write_bytes</span><span class="p">(</span><span class="n">rendered</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>The template for the app service in <code>docker-compose.yml.tpl</code> looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">services.image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-app</span> <span class="na">restart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">services.restart_policy</span> <span class="pi">}}</span> <span class="na">user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10001:10001"</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.mode</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.version</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.port</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p>Notice <code>expose</code> instead of <code>ports</code>. This is deliberate - the app is reachable inside the Docker network but not from the host machine. All external traffic must go through Nginx.</p> <h3> The Five Validation Checks </h3> <p>Before any deployment, the CLI runs five pre-flight checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[PASS] manifest.yaml exists and is valid YAML [PASS] All required fields are present and non-empty [PASS] Docker image exists locally: swift-deploy-1-node:latest [PASS] Nginx port is free on host: 8080 [PASS] Generated nginx.conf is syntactically valid </code></pre> </div> <p>The Nginx syntax check is particularly interesting - it runs <code>nginx -t</code> inside a temporary container with a host mapping for the <code>app</code> upstream name, so DNS resolution works without the full stack being active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">command</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--rm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--add-host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">app:127.0.0.1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-v</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">NGINX_FILE</span><span class="si">}</span><span class="s">:/etc/nginx/nginx.conf:ro</span><span class="sh">"</span><span class="p">,</span> <span class="n">nginx_image</span><span class="p">,</span> <span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-t</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> The Application Service </h3> <p>The app is a Python Flask service that exposes four endpoints:</p> <ul> <li> <code>GET /</code> - welcome message with mode, version, and timestamp</li> <li> <code>GET /healthz</code> - liveness check with uptime in seconds</li> <li> <code>GET /metrics</code> - Prometheus-format metrics (added in Stage B)</li> <li> <code>POST /chaos</code> - fault injection, canary mode only</li> </ul> <h3> Stable and Canary Promotion </h3> <p>Promotion updates the manifest in-place, regenerates the Compose file, and restarts only the app container - Nginx is untouched:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_promote</span><span class="p">(</span><span class="n">args</span><span class="p">):</span> <span class="n">target_mode</span> <span class="o">=</span> <span class="n">args</span><span class="p">.</span><span class="n">mode</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="c1"># policy check runs here for promote stable (Stage B) </span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">target_mode</span> <span class="nf">write_manifest</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">docker-compose.yml.tpl</span><span class="sh">"</span><span class="p">,</span> <span class="n">COMPOSE_FILE</span><span class="p">,</span> <span class="n">manifest</span><span class="p">)</span> <span class="nf">run_command</span><span class="p">([</span> <span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">compose</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">up</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-d</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--no-deps</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--force-recreate</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">app</span><span class="sh">"</span> <span class="p">])</span> </code></pre> </div> <p>The same image runs in both modes. The difference is the <code>MODE</code> environment variable injected by the generated Compose file - no rebuild required.</p> <h3> Nginx: Structured Logging and JSON Errors </h3> <p>The generated <code>nginx.conf</code> enforces three important behaviours.</p> <p><strong>Required access log format:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> $<span class="p">{</span><span class="kn">request_time</span><span class="err">}</span><span class="s">s</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">2026-05-06T23:04:50+00:00 | 200 | 0.001s | 172.18.0.2:3000 | GET / HTTP/1.1 </span></code></pre> </div> <p><strong>JSON error responses</strong> for upstream failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">error_page</span> <span class="mi">502</span> <span class="p">=</span> <span class="s">@error502</span><span class="p">;</span> <span class="k">location</span> <span class="s">@error502</span> <span class="p">{</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":"bad</span> <span class="s">gateway","code":502,"service":"swiftdeploy","contact":"o.odimayo@gbadedata.com"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Platform headers</strong> on every response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="k">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> </code></pre> </div> <h3> Security Hardening </h3> <p>Every container runs with least privilege:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10001:10001"</span> <span class="c1"># app</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> </code></pre> </div> <p>Images are built from <code>python:3.12-slim</code> and verified under 300MB. No secrets are baked into any image - all configuration is injected at runtime via environment variables.</p> <h2> Stage B: The Intelligence Layer </h2> <h3> Part 1: Instrumentation </h3> <p>The first requirement was a <code>/metrics</code> endpoint in Prometheus text format. I used the <code>prometheus_client</code> library and Flask's request hooks to instrument every endpoint automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">HTTP_REQUESTS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">"</span><span class="s">http_requests_total</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Total HTTP requests</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">HTTP_REQUEST_DURATION_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">"</span><span class="s">http_request_duration_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">HTTP request latency in seconds</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">],</span> <span class="n">buckets</span><span class="o">=</span><span class="p">(</span><span class="mf">0.005</span><span class="p">,</span> <span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.025</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.25</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">5</span><span class="p">),</span> <span class="p">)</span> <span class="n">APP_MODE</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">app_mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Application mode: 0=stable, 1=canary</span><span class="sh">"</span><span class="p">)</span> <span class="n">CHAOS_ACTIVE</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">chaos_active</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Chaos state: 0=none, 1=slow, 2=error</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_UPTIME_SECONDS</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">app_uptime_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Application uptime in seconds</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>The <code>after_request</code> hook records every request automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.after_request</span> <span class="k">def</span> <span class="nf">after_request</span><span class="p">(</span><span class="n">response</span><span class="p">):</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">monotonic</span><span class="p">()</span> <span class="o">-</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">g</span><span class="p">,</span> <span class="sh">"</span><span class="s">request_started_at</span><span class="sh">"</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">monotonic</span><span class="p">())</span> <span class="n">HTTP_REQUESTS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span> <span class="n">method</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">path</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">),</span> <span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">HTTP_REQUEST_DURATION_SECONDS</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span> <span class="n">method</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">path</span><span class="p">,</span> <span class="p">).</span><span class="nf">observe</span><span class="p">(</span><span class="n">duration</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>The <code>/metrics</code> endpoint itself is just two lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="nf">update_runtime_metrics</span><span class="p">()</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">(</span><span class="nf">generate_latest</span><span class="p">(),</span> <span class="n">mimetype</span><span class="o">=</span><span class="n">CONTENT_TYPE_LATEST</span><span class="p">)</span> </code></pre> </div> <h3> Part 2: The Policy Engine </h3> <p>This was the most architecturally significant part of Stage B. The requirement was absolute: <strong>the CLI must not make any allow/deny decision itself. All decision logic lives exclusively in OPA.</strong></p> <h4> Why this matters </h4> <p>If the CLI embeds policy logic in Python, changing a threshold requires deploying new CLI code. When OPA owns the decisions, changing a threshold means editing one line in <code>manifest.yaml</code>. The operational difference is enormous - and the auditing story is much cleaner.</p> <h4> OPA in the Docker Compose template </h4> <p>OPA runs as a fourth service in the generated stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">opa.image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-opa</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">run"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--server"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--addr=0.0.0.0:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/policies"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./{{ opa.policies_dir }}:/policies:ro</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> </code></pre> </div> <p>The critical detail: <code>127.0.0.1:8181:8181</code> binds OPA only to the host loopback interface. It is reachable by the CLI but not via the Nginx port. The OPA API cannot be queried or probed from the internet.</p> <h4> Policy organisation </h4> <p>Each domain owns exactly one question and one set of input data. A change to the canary policy never touches the infrastructure policy.</p> <p><strong>Infrastructure policy</strong> (<code>policies/infrastructure.rego</code>) - answers: <em>is this host safe to deploy on?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">infrastructure</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">disk_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&gt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="p">}</span> <span class="n">cpu_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">cpu_load</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="p">}</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_deploy"</span> <span class="n">disk_ok</span> <span class="n">cpu_ok</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"Disk free %vGB is below required minimum %vGB"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">],</span> <span class="p">)</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">cpu_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"CPU load %.2f exceeds allowed maximum %.2f"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">cpu_load</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_cpu_load</span><span class="p">],</span> <span class="p">)</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"infrastructure"</span><span class="p">,</span> <span class="s2">"question"</span><span class="o">:</span> <span class="s2">"pre_deploy"</span><span class="p">,</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary safety policy</strong> (<code>policies/canary.rego</code>) - answers: <em>is the canary healthy enough to promote to stable?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">canary</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">error_rate_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">input</span><span class="p">.</span><span class="n">metrics</span><span class="p">.</span><span class="n">error_rate</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_error_rate</span> <span class="p">}</span> <span class="n">p99_latency_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">input</span><span class="p">.</span><span class="n">metrics</span><span class="p">.</span><span class="n">p99_latency_ms</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_p99_latency_ms</span> <span class="p">}</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">error_rate_ok</span> <span class="n">p99_latency_ok</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"canary"</span><span class="p">,</span> <span class="s2">"question"</span><span class="o">:</span> <span class="s2">"pre_promote"</span><span class="p">,</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h4> Thresholds in the manifest, not in Rego </h4> <p>Neither policy file contains a hardcoded number. The limits come from <code>input.limits</code>, which the CLI sends as part of the JSON payload. The actual values live in <code>manifest.yaml</code> under <code>policy_limits</code>. Tune thresholds by editing the manifest - no Rego files need to be touched.</p> <h4> The pre-deploy gate </h4> <p>Before starting the stack, the CLI collects host stats and queries OPA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">pre_deploy_policy_check</span><span class="p">(</span><span class="n">manifest</span><span class="p">):</span> <span class="n">stats</span> <span class="o">=</span> <span class="nf">get_host_stats</span><span class="p">()</span> <span class="n">limits</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">policy_limits</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">infrastructure</span><span class="sh">"</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pre_deploy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stats</span><span class="sh">"</span><span class="p">:</span> <span class="n">stats</span><span class="p">,</span> <span class="sh">"</span><span class="s">limits</span><span class="sh">"</span><span class="p">:</span> <span class="n">limits</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">=</span> <span class="nf">call_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy/infrastructure/decision</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="nf">print_policy_decision</span><span class="p">(</span><span class="n">decision</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">):</span> <span class="nf">append_history</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_violation</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">domain</span><span class="sh">"</span><span class="p">:</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">domain</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">reasons</span><span class="sh">"</span><span class="p">:</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">reasons</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]),</span> <span class="sh">"</span><span class="s">stats</span><span class="sh">"</span><span class="p">:</span> <span class="n">stats</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>To prove the hard gate, I temporarily set <code>min_disk_free_gb: 99999</code> and ran <code>swiftdeploy deploy</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][FAIL] infrastructure.pre_deploy - Disk free 2GB is below required minimum 99999GB [FAIL] Deployment blocked by policy. </code></pre> </div> <p>The stack never starts. The block is absolute.</p> <h4> The pre-promote gate </h4> <p>Before promoting from canary to stable, the CLI scrapes <code>/metrics</code>, calculates the current error rate and P99 latency, and queries OPA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">pre_promote_policy_check</span><span class="p">(</span><span class="n">manifest</span><span class="p">):</span> <span class="n">metrics_text</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">samples</span> <span class="o">=</span> <span class="nf">parse_prometheus_metrics</span><span class="p">(</span><span class="n">metrics_text</span><span class="p">)</span> <span class="n">observed</span> <span class="o">=</span> <span class="nf">calculate_observed_metrics</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">limits</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">policy_limits</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pre_promote</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">metrics</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">error_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">observed</span><span class="p">[</span><span class="sh">"</span><span class="s">error_rate</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">observed</span><span class="p">[</span><span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">],</span> <span class="p">},</span> <span class="sh">"</span><span class="s">limits</span><span class="sh">"</span><span class="p">:</span> <span class="n">limits</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">=</span> <span class="nf">call_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy/canary/decision</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="nf">print_policy_decision</span><span class="p">(</span><span class="n">decision</span><span class="p">)</span> <span class="k">return</span> <span class="nf">bool</span><span class="p">(</span><span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <h4> OPA failure handling </h4> <p>The CLI handles every distinct failure mode explicitly:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Failure</th> <th>Message</th> </tr> </thead> <tbody> <tr> <td>Connection refused</td> <td><code>OPA unavailable at http://127.0.0.1:8181</code></td> </tr> <tr> <td>Request timed out</td> <td><code>OPA decision timed out after 5s</code></td> </tr> <tr> <td>Non-200 response</td> <td><code>OPA returned HTTP 503</code></td> </tr> <tr> <td>Non-JSON response</td> <td><code>OPA returned non-JSON response</code></td> </tr> <tr> <td>Missing result</td> <td><code>OPA response did not include a decision result</code></td> </tr> </tbody> </table></div> <p>In every case the operation is blocked and the event is recorded in the audit trail.</p> <h3> Part 3: The Chaos - What Happened When I Injected Failures </h3> <p>With the canary safety gate in place, I needed to prove it actually blocks unsafe promotions.</p> <p><strong>Deploy stable, promote to canary:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[PASS] Health check passed: mode=stable, version=1.0.0 [PASS] Promotion confirmed through /healthz: mode=canary </code></pre> </div> <p><strong>Inject 50% error chaos:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://127.0.0.1:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode":"error","rate":0.5}'</span> </code></pre> </div> <p><strong>Generate traffic to build up the error rate:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>500 200 500 200 500 500 200 500 200 200 </code></pre> </div> <p><strong>Run the status dashboard - this is where it gets interesting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">SwiftDeploy Status ================== </span>Timestamp: 2026-05-06T23:12:26.328363+00:00 Mode: canary Chaos: error Req/s: 0.00 Error rate: 38.10% P99 latency: 5.00ms Uptime: 128.42s <span class="gh">Policy Compliance ----------------- </span>[PASS] infrastructure.pre_deploy <span class="p"> -</span> Infrastructure policy passed [FAIL] canary.pre_promote <span class="p"> -</span> Error rate 0.380952 exceeds allowed maximum 0.01 </code></pre> </div> <p>The status dashboard scrapes <code>/metrics</code>, calculates error rate from raw Prometheus counters, and queries both OPA domains independently on every interval. The infrastructure policy passes (the host is healthy) while the canary policy fails (the service is broken).</p> <p><strong>Attempt promotion — blocked:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][FAIL] canary.pre_promote - Error rate 0.380952 exceeds allowed maximum 0.01 [FAIL] Promotion blocked by policy. </code></pre> </div> <p>This is the safety guarantee the system is designed to provide. A broken canary cannot accidentally become the stable deployment.</p> <p><strong>Recover, generate clean traffic, promote successfully:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][PASS] canary.pre_promote - Canary safety policy passed [PASS] Promotion confirmed through /healthz: mode=stable </code></pre> </div> <h3> Part 4: The Status Dashboard </h3> <p><code>swiftdeploy status</code> is a live-refreshing terminal dashboard. It runs continuously, scraping <code>/metrics</code> on every interval and appending every result to <code>history.jsonl</code>.</p> <p>The interesting engineering challenge was calculating P99 latency from raw Prometheus histogram buckets without a Prometheus server. Prometheus histograms store cumulative bucket counts - to find P99, you need to find the smallest bucket whose cumulative count exceeds 99% of total requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">calculate_p99_from_buckets</span><span class="p">(</span><span class="n">bucket_totals</span><span class="p">):</span> <span class="n">total_count</span> <span class="o">=</span> <span class="n">bucket_totals</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">)</span> <span class="k">if</span> <span class="n">total_count</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">target</span> <span class="o">=</span> <span class="n">total_count</span> <span class="o">*</span> <span class="mf">0.99</span> <span class="n">numeric_buckets</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span> <span class="p">[(</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">),</span> <span class="n">count</span><span class="p">)</span> <span class="k">for</span> <span class="n">le</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">bucket_totals</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">le</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">],</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">upper_bound</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">numeric_buckets</span><span class="p">:</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">target</span><span class="p">:</span> <span class="k">return</span> <span class="n">upper_bound</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1"># convert to milliseconds </span> <span class="k">return</span> <span class="n">numeric_buckets</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">1000</span> </code></pre> </div> <p>Health check and metrics paths are excluded from all calculations to avoid skewing the error rate and latency numbers.</p> <h3> Part 5: The Audit Trail </h3> <p>Every significant event is written to <code>history.jsonl</code> as a JSON line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:40:04+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:42:53+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"policy_violation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reasons"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Error rate 0.380952 exceeds allowed maximum 0.01"</span><span class="p">]}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:45:32+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mode_change"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stable"</span><span class="p">}}</span><span class="w"> </span></code></pre> </div> <p>Running <code>swiftdeploy audit</code> generates <code>audit_report.md</code> - a GitHub Flavored Markdown report with a deployment timeline and violations table that renders directly on GitHub.</p> <h2> Complete CLI Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Command</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><code>swiftdeploy init</code></td> <td>Parse manifest, generate <code>docker-compose.yml</code> and <code>nginx.conf</code> </td> </tr> <tr> <td><code>swiftdeploy validate</code></td> <td>Run 5 pre-flight checks, exit non-zero on any failure</td> </tr> <tr> <td><code>swiftdeploy deploy</code></td> <td>init → validate → OPA infra check → compose up → health gate</td> </tr> <tr> <td><code>swiftdeploy promote canary</code></td> <td>Update manifest, regenerate Compose, restart app only</td> </tr> <tr> <td><code>swiftdeploy promote stable</code></td> <td>OPA canary check → update manifest → regenerate → restart app</td> </tr> <tr> <td><code>swiftdeploy status</code></td> <td>Live metrics + policy compliance dashboard, appends to history</td> </tr> <tr> <td><code>swiftdeploy status --once</code></td> <td>Single scrape and exit</td> </tr> <tr> <td><code>swiftdeploy audit</code></td> <td>Parse <code>history.jsonl</code>, generate <code>audit_report.md</code> </td> </tr> <tr> <td><code>swiftdeploy teardown</code></td> <td>Remove containers, networks, and volumes</td> </tr> <tr> <td><code>swiftdeploy teardown --clean</code></td> <td>Teardown + delete generated config files</td> </tr> </tbody> </table></div> <h2> Lessons Learned </h2> <h3> 1. The manifest discipline pays off at every stage </h3> <p>Every time I was tempted to hardcode a value - a port, a timeout, a threshold - I put it in the manifest instead. This cost five extra minutes each time and saved hours. Any value can be changed in the manifest and the entire system adapts without touching any other file.</p> <h3> 2. Separation of concerns is a survival strategy, not just a principle </h3> <p>When the CLI makes policy decisions in Python, changing a threshold means deploying new CLI code. When OPA owns the decisions, changing a threshold means editing one line in <code>manifest.yaml</code>. The operational difference is enormous. More importantly, the policy files can be reviewed, versioned, and audited independently of the tool that enforces them.</p> <h3> 3. Every failure mode deserves its own message </h3> <p>The first version of the OPA client raised a generic exception on any failure. Connection refused, timeout, bad JSON, missing result - all looked the same. Adding distinct handling for each case costs twenty lines of code and saves hours of debugging in production.</p> <h3> 4. Prometheus counters persist for the process lifetime </h3> <p>After recovering from error chaos and generating clean traffic, <code>promote stable</code> was still blocked. The reason: Prometheus counters never reset. The old error counts were still in the counter from before the recovery. Restarting the container resets them because it starts a fresh process. In production, you would use a time-windowed approach with a proper Prometheus server and PromQL range queries.</p> <h3> 5. OPA isolation is a hard security requirement </h3> <p>If OPA were reachable via the Nginx port, anyone could query your policy engine, discover your exact thresholds, and craft traffic that stays just below detection limits. Binding OPA to the loopback interface and keeping it off the public network is not a preference - it is the minimum viable security posture for a policy engine.</p> <h3> 6. Generated files should never be committed </h3> <p>Committing <code>docker-compose.yml</code> and <code>nginx.conf</code> to Git creates a false source of truth. Developers start editing the generated file instead of the manifest, the template drifts from reality, and the tool becomes meaningless. Keeping generated files in <code>.gitignore</code> enforces the discipline mechanically.</p> <h3> 7. The Windows BOM problem is real </h3> <p>On Windows, writing YAML with Python's <code>yaml.safe_dump</code> can produce a file with a UTF-8 BOM prefix. When that file is later read by the Jinja template loader, the BOM gets rendered into the first key name, producing <code>"\xEF\xBB\xBFservices"</code> instead of <code>services</code>. The fix is to always write files using <code>write_bytes(content.encode("utf-8"))</code> rather than <code>write_text(..., encoding="utf-8")</code>. The difference is subtle and the debugging is painful.</p> <h2> Running It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/gbadedata/swiftdeploy.git <span class="nb">cd </span>swiftdeploy <span class="c"># Set up Python environment</span> python <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate <span class="c"># Linux/macOS</span> <span class="c"># .\.venv\Scripts\Activate.ps1 # Windows PowerShell</span> pip <span class="nb">install </span>pyyaml jinja2 requests <span class="c"># Build the app image</span> docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> <span class="c"># Full lifecycle</span> python ./swiftdeploy deploy python ./swiftdeploy promote canary python ./swiftdeploy status <span class="nt">--once</span> python ./swiftdeploy promote stable python ./swiftdeploy audit <span class="c"># Clean up</span> python ./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <p>The full source code, Rego policies, Jinja templates, and screenshots are at:<br> <strong><a href="https://github.com/gbadedata/swiftdeploy" rel="noopener noreferrer">https://github.com/gbadedata/swiftdeploy</a></strong></p> <h2> Final Thought </h2> <p>The most important insight from this project is that a deployment tool should be more than a script that runs <code>docker compose up</code>. It should be a control plane - one that enforces standards before acting, surfaces observable state while running, and leaves an auditable record of every decision it makes.</p> <p>SwiftDeploy is deliberately local-first and small in scope. But the patterns it demonstrates - manifest-driven generation, policy-gated lifecycle, metrics-based promotion gates, and append-only audit trails - are the same patterns that underpin tools like Argo CD, Flux, and every serious production deployment system.</p> <p>The small version teaches you the patterns. The patterns scale to any size.</p> <p><em>Source code: <a href="https://github.com/gbadedata/swiftdeploy" rel="noopener noreferrer">github.com/gbadedata/swiftdeploy</a></em></p> devops docker opa python Oluwagbade Odimayo Thu, 07 May 2026 00:45:38 +0000 https://dev.to/gbadedata/i-built-a-real-time-ddos-detection-engine-from-scratch-heres-every-decision-i-made-3jl1 https://dev.to/gbadedata/i-built-a-real-time-ddos-detection-engine-from-scratch-heres-every-decision-i-made-3jl1 <p><em>No Fail2Ban. No rate-limiting libraries. No shortcuts. Just Python, a deque, and statistics.</em></p> <p>There is a moment every engineer dreads.</p> <p>You are staring at your monitoring dashboard. The request graph is vertical. Your server is on its knees. Legitimate users are getting timeouts. And somewhere out there, an attacker is running a script they downloaded in five minutes - while your defence took you zero minutes to build, because you had none.</p> <p>That was the situation at <strong>cloud.ng</strong>, a rapidly growing cloud storage platform powered by Nextcloud. After a wave of suspicious activity, I was handed a mandate: build an anomaly detection engine that watches all incoming HTTP traffic in real time, learns what normal looks like, and automatically responds when something deviates.</p> <p>No off-the-shelf tools. No Fail2Ban. Build it from scratch.</p> <p>This is the full story - every decision, every line of reasoning, every tradeoff.</p> <h2> First, Understand the Enemy </h2> <p>A <strong>DDoS attack</strong> - Distributed Denial of Service - works by exhausting your server's resources. Your server has a finite ability to handle connections. When an attacker sends 10,000 requests per second, your server spends all its time handling garbage traffic and has nothing left for real users.</p> <p>But here is the subtler problem that most tutorials gloss over: <strong>you cannot just block "high traffic" IPs</strong>.</p> <p>Traffic is not constant. A cloud storage platform gets hammered at 9 AM when everyone starts their workday. It goes quiet at 3 AM. If you set a fixed threshold - say, "block any IP sending more than 50 requests per minute" - you will:</p> <ul> <li>Miss attacks during busy hours when 50 req/min is perfectly normal</li> <li>Flag innocent users during quiet hours when 50 req/min is genuinely suspicious</li> </ul> <p>What you need is a system that <strong>learns what normal looks like for right now</strong> - and flags deviations from that learned baseline. That is a statistics problem, not a configuration problem.</p> <p>This insight shaped every architectural decision I made.</p> <h2> The Architecture </h2> <p>Before writing a single line of code, I mapped out the full system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ HTTP ┌─────────────────┐ proxy ┌──────────────┐ │ Internet │ ────────────► │ Nginx │ ────────────► │ Nextcloud │ │ (clients) │ │ (reverse proxy) │ │ (app) │ └─────────────┘ └─────────────────┘ └──────────────┘ │ │ JSON access logs ▼ ┌─────────────────┐ (named Docker volume) │ hng-access.log │ └─────────────────┘ │ │ tail -f (continuous) ▼ ┌────────────────────────┐ │ Detector Daemon │ │ │ │ monitor.py ◄── reads log │ baseline.py ◄── learns normal │ detector.py ◄── spots anomalies │ blocker.py ◄── calls iptables │ unbanner.py ◄── releases bans │ notifier.py ◄── pings Slack │ dashboard.py ◄── live metrics UI └────────────────────────┘ │ │ iptables Slack DROP rule #hng-alerts </code></pre> </div> <p>Nginx sits in front of Nextcloud and writes every HTTP request as a JSON log line. The detector daemon reads that file continuously, processes each entry, and takes action when needed.</p> <p>The key design principle: <strong>the daemon runs forever as a systemd service</strong>. It is not a cron job. It is not a script you run manually. It is always watching.</p> <h2> Part 1: The Foundation - JSON Logs with All the Right Fields </h2> <p>Everything starts with Nginx writing structured logs. Without good data, nothing else works.</p> <p>Here is the log format I configured:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">json_logs</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"source_ip":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"timestamp":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"method":"</span><span class="nv">$request_method</span><span class="s">",'</span> <span class="s">'"path":"</span><span class="nv">$request_uri</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"response_size":</span><span class="nv">$body_bytes_sent</span><span class="s">,'</span> <span class="s">'"http_host":"</span><span class="nv">$host</span><span class="s">",'</span> <span class="s">'"user_agent":"</span><span class="nv">$http_user_agent</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/hng-access.log</span> <span class="s">json_logs</span><span class="p">;</span> </code></pre> </div> <p>Every log line looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-29T21:48:35+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">6674</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloud.ng"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One critical detail: I configured Nginx to extract the <strong>real client IP</strong> from the <code>X-Forwarded-For</code> header. Since Nginx is a Docker container proxying to another Docker container, without this, every request would appear to come from the Docker gateway IP - completely useless for per-IP detection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">set_real_ip_from</span> <span class="mf">172.16</span><span class="s">.0.0/12</span><span class="p">;</span> <span class="k">real_ip_header</span> <span class="s">X-Forwarded-For</span><span class="p">;</span> <span class="k">real_ip_recursive</span> <span class="no">on</span><span class="p">;</span> </code></pre> </div> <p>The logs are written to a <strong>named Docker volume</strong> called <code>HNG-nginx-logs</code>. Both Nginx (read-write) and Nextcloud (read-only) mount this volume. The detector daemon reads from the host path of the same volume.</p> <h2> Part 2: The Log Tailer - Watching the File Live </h2> <p>The first module, <code>monitor.py</code>, does one thing: follow the log file and yield parsed entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">log_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Generator that yields one parsed dict per HTTP request. Works like `tail -f` - blocks waiting for new lines. </span><span class="sh">"""</span> <span class="c1"># Wait for the file to exist (Nginx may not have written anything yet) </span> <span class="k">while</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">log_path</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="c1"># Seek to END — we only care about new requests, not history </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">line</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.05</span><span class="p">)</span> <span class="c1"># 50ms poll — barely any CPU cost </span> <span class="k">continue</span> <span class="n">entry</span> <span class="o">=</span> <span class="nf">_parse</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="k">if</span> <span class="n">entry</span><span class="p">:</span> <span class="k">yield</span> <span class="n">entry</span> </code></pre> </div> <p>The <code>f.seek(0, 2)</code> is important. Without it, on every restart, the daemon would replay the entire log history and potentially re-ban IPs that have already served their time.</p> <p>The <code>0.05</code> second sleep between empty reads means the daemon uses almost zero CPU when traffic is quiet, but responds to new log entries within 50 milliseconds.</p> <h2> Part 3: The Sliding Window - The Heart of Rate Detection </h2> <p>Here is where most tutorials get it wrong.</p> <p><strong>The wrong way:</strong> Count requests per minute. Reset the counter every 60 seconds.</p> <p>The problem: this creates "bucket boundaries". An attacker can send 59 requests at second 59, wait 2 seconds, send 59 more at second 61, and your per-minute counter never sees more than 59. They are attacking continuously but your counter says they are fine.</p> <p><strong>The right way:</strong> A true rolling window using <code>collections.deque</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">SlidingWindowCounter</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Each entry in the deque is a float timestamp of one request. The deque always contains only the requests from the last window_seconds. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">window_seconds</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="o">=</span> <span class="n">window_seconds</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># timestamps of individual requests </span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># timestamps of error requests (4xx/5xx) </span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ts</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">is_error</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">):</span> <span class="c1"># New request joins from the RIGHT </span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_error</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="c1"># Stale requests fall off the LEFT </span> <span class="k">while</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># O(1) — this is why deque, not list </span> <span class="k">while</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">def</span> <span class="nf">rate</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="c1"># Exact rolling rate — no bucketing, no approximation </span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="k">def</span> <span class="nf">error_rate</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> </code></pre> </div> <p>Picture the deque as a conveyor belt. Requests board at the right. Requests older than 60 seconds fall off the left automatically. At any moment, dividing the belt's occupancy by 60 gives the exact requests-per-second for the last minute.</p> <p><strong>Why O(1) matters:</strong> <code>list.pop(0)</code> shifts every element — O(n). <code>deque.popleft()</code> is O(1). At 10,000 requests per second across thousands of IPs, the difference between O(1) and O(n) is the difference between a daemon that keeps up and one that falls behind and misses attacks.</p> <p>Every IP gets its own <code>SlidingWindowCounter</code>. There is also one <strong>global</strong> counter tracking all traffic combined - this catches distributed attacks where no single IP is hitting hard, but collectively they are overwhelming the server.</p> <h2> Part 4: The Baseline - Teaching the System What Normal Looks Like </h2> <p>The sliding window answers <em>what is happening now</em>. The baseline answers <em>what normally happens</em>.</p> <p>I implemented a rolling 30-minute baseline of <strong>per-second request counts</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline ──────────────────────────────────────────────────────► │ 1req │ 0req │ 3req │ 2req │ ... │ 5req │ 2req │ NOW │ └──────────────────────────────────────────────────────┘ ◄────────── 30 minutes = 1800 seconds ──────────► </code></pre> </div> <p>Each slot represents one completed second. Every 60 seconds, the system recomputes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_recalculate</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_window</span><span class="p">]</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="c1"># Floor values prevent division-by-zero at startup </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_mean</span><span class="p">)</span> <span class="c1"># config: 0.1 </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_stddev</span><span class="p">)</span> <span class="c1"># config: 0.1 </span></code></pre> </div> <h3> The Hour-Slot System </h3> <p>Here is the part that makes the baseline actually smart.</p> <p>Traffic at 9 AM is genuinely different from traffic at 3 AM. If you use a single rolling window across all time, the baseline at 3 AM will reflect the busy afternoon - making it too permissive, missing real attacks.</p> <p>I maintain <strong>per-hour slots</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromtimestamp</span><span class="p">(</span><span class="n">ts</span><span class="p">).</span><span class="n">hour</span> <span class="n">self</span><span class="p">.</span><span class="n">_hour_slots</span><span class="p">[</span><span class="n">hour</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">count</span><span class="p">)</span> <span class="c1"># {0: [...], 1: [...], ..., 23: [...]} </span></code></pre> </div> <p>During recalculation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour_data</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_hour_slots</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">current_hour</span><span class="p">,</span> <span class="p">[])</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">hour_data</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">60</span><span class="p">:</span> <span class="c1"># Enough data for this hour — use it (more accurate) </span> <span class="n">samples</span> <span class="o">=</span> <span class="n">hour_data</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Fall back to the full rolling window </span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_window</span><span class="p">]</span> </code></pre> </div> <p>Once the system has been running for an hour, the 3 AM baseline reflects actual 3 AM traffic. The 9 AM baseline reflects actual 9 AM traffic. The system adapts to time-of-day patterns automatically, with zero configuration.</p> <p>This is also why <code>effective_mean</code> is never, ever hardcoded. It is always computed from real traffic data.</p> <h2> Part 5: The Detection Logic - Making the Call </h2> <p>Now the payoff. We have:</p> <ul> <li> <code>current_rate</code> — from the IP's sliding window</li> <li> <code>effective_mean</code> — what is normal right now</li> <li> <code>effective_stddev</code> — how much variation is normal</li> </ul> <p>We compute a <strong>z-score</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z = (current_rate − effective_mean) / effective_stddev </code></pre> </div> <p>The z-score is the number of standard deviations the current rate sits above the mean. In a normal distribution:</p> <ul> <li>z = 1.0 → slightly above average (84th percentile)</li> <li>z = 2.0 → notably above average (97th percentile) </li> <li>z = 3.0 → very far above average (99.87th percentile)</li> </ul> <p>At z ≥ 3.0, something is almost certainly not normal.</p> <p>But z-score alone has a weakness: if traffic is so explosive that the baseline itself has not had time to update yet, the stddev might be large and the z-score misleadingly small. So I add a second condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Flag if EITHER condition fires — whichever comes first </span><span class="n">is_anomalous</span> <span class="o">=</span> <span class="p">(</span><span class="n">zscore</span> <span class="o">&gt;=</span> <span class="mf">3.0</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">rate</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="o">*</span> <span class="n">effective_mean</span><span class="p">)</span> </code></pre> </div> <p>The 5× multiplier catches the "traffic just went vertical" scenario that z-score might miss.</p> <h3> The Error Surge Tightener </h3> <p>Sometimes attackers probe rather than flood. They scan your endpoints looking for vulnerabilities, generating lots of 4xx and 5xx errors without necessarily hitting the raw request rate threshold.</p> <p>The system detects this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">ip_error_rate</span> <span class="o">&gt;=</span> <span class="mi">3</span> <span class="o">*</span> <span class="n">baseline_error_mean</span><span class="p">:</span> <span class="c1"># This IP is generating errors at 3× the normal rate </span> <span class="c1"># Tighten the detection threshold — flag it sooner </span> <span class="n">z_threshold</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">z_threshold</span> <span class="o">-</span> <span class="mf">1.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">)</span> </code></pre> </div> <p>An IP generating suspicious error patterns gets caught at a lower threshold than regular traffic. This fires independently of the raw rate - it catches the probers.</p> <h2> Part 6: Blocking with iptables - The Linux Firewall </h2> <p>When an IP is flagged, the daemon calls the Linux kernel's firewall directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">'</span><span class="s">iptables</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-I</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">INPUT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-s</span><span class="sh">'</span><span class="p">,</span> <span class="n">offending_ip</span><span class="p">,</span> <span class="sh">'</span><span class="s">-j</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">DROP</span><span class="sh">'</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> </code></pre> </div> <p><code>-I INPUT</code> inserts the rule at the <strong>top</strong> of the INPUT chain — it gets evaluated first, before anything else.<br> <code>-j DROP</code> silently discards the packet. No TCP RST. No HTTP response. The attacker's requests just vanish into nothing.</p> <p>This is more effective than returning a 403 for two reasons:</p> <ol> <li>It consumes zero application resources - the kernel drops the packet before it ever reaches Nginx</li> <li>The attacker gets no feedback - they cannot even confirm the server is alive</li> </ol> <h3> The Backoff Schedule </h3> <p>Permanent bans on first offence are both unfair and operationally risky. You might ban a legitimate user with a buggy client, or a friendly scraper, and then spend hours investigating why a partner's integration broke.</p> <p>The system uses a <strong>progressive backoff</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offence</th> <th>Duration</th> <th>Reasoning</th> </tr> </thead> <tbody> <tr> <td>1st</td> <td>10 minutes</td> <td>Could be a misconfigured client</td> </tr> <tr> <td>2nd</td> <td>30 minutes</td> <td>Likely intentional, more time needed</td> </tr> <tr> <td>3rd</td> <td>2 hours</td> <td>Persistent offender</td> </tr> <tr> <td>4th+</td> <td>Permanent</td> <td>They know what they are doing</td> </tr> </tbody> </table></div> <p>A background <code>Unbanner</code> thread wakes every 10 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_check_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">for</span> <span class="n">ban</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">get_banned_ips</span><span class="p">():</span> <span class="k">if</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Permanent — never release </span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">banned_at</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]:</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">unban</span><span class="p">(</span><span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># removes iptables rule </span> <span class="n">self</span><span class="p">.</span><span class="n">notifier</span><span class="p">.</span><span class="nf">send_unban</span><span class="p">(</span><span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># notifies Slack </span></code></pre> </div> <p>The <code>_ban_history</code> dict persists across unbans — so if an IP gets a 10-minute ban, behaves, gets released, then attacks again, it goes straight to the 30-minute tier. The system remembers repeat offenders even after their ban expires.</p> <h2> Part 7: Slack Alerts - Real-Time Visibility </h2> <p>Every significant event fires a Slack message to <code>#hng-alerts</code>:</p> <p><strong>Ban alert:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🚨 IP BANNED • Condition: ip_rate_anomaly • IP address: 1.2.3.4 • Current rate: 12.4000 req/s • Baseline mean: 0.4200 req/s • Z-score: 28.57 • Ban duration: 600s • Timestamp: 2026-04-29T21:48:35 </code></pre> </div> <p><strong>Global anomaly alert (no block - just awareness):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠ GLOBAL TRAFFIC ANOMALY • Condition: global_rate_anomaly • Current global rate: 48.3000 req/s • Baseline mean: 3.2000 req/s • Z-score: 14.09 • Action: Slack alert only (no IP block) </code></pre> </div> <p>All Slack calls run in daemon threads - the detection loop never waits for a network call.</p> <h2> Part 8: The Live Dashboard </h2> <p>The system serves a live metrics dashboard at <code>http://dashboard.gbadedata.com</code>. It auto-refreshes every 3 seconds via a simple JavaScript <code>setInterval</code> call hitting a Flask <code>/api/metrics</code> endpoint.</p> <p>The dashboard shows:</p> <ul> <li>Global requests per second (live)</li> <li>Baseline effective_mean and stddev</li> <li>CPU and memory usage</li> <li>All currently banned IPs with conditions, durations, and ban times</li> <li>Top 10 source IPs ranked by current request rate</li> <li>System uptime</li> </ul> <p>No frontend framework. No build step. Flask serves an HTML string with embedded JavaScript. The entire dashboard is ~80 lines of code.</p> <h2> Part 9: The Audit Log </h2> <p>Every ban, unban, and baseline recalculation writes a structured entry to <code>/var/log/detector-audit.log</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[2026-04-29T21:48:35.998876] BAN 172.18.0.1 | ip_rate_anomaly | rate=0.4000 | baseline=0.1000 | duration=600 [2026-04-29T21:58:38.252357] UNBAN 172.18.0.1 | ban_expired | rate=0.0000 | baseline=0.0000 | duration=600 [2026-04-30T12:20:17.038296] BASELINE_RECALC | source=rolling_window (2 samples) | rate=10.5000 | baseline=10.5000 | duration=0 </code></pre> </div> <p>This is your paper trail. If someone asks "why was our partner's IP blocked at 3 AM on Tuesday?" - the answer is in the audit log, timestamped to the millisecond.</p> <h2> What I Would Do Differently </h2> <p><strong>1. Use a proper WSGI server for the dashboard.</strong> Flask's development server works, but in production I would swap it for Gunicorn behind the existing Nginx setup.</p> <p><strong>2. Persist ban history across restarts.</strong> Currently, <code>_ban_history</code> lives in memory. If the daemon restarts, it forgets who was a repeat offender. A small SQLite database would fix this with minimal complexity.</p> <p><strong>3. Add IP allowlisting.</strong> Right now, any IP can be banned - including monitoring services, CDN health checkers, and your own office's IP. A config-driven allowlist would prevent embarrassing self-bans.</p> <p><strong>4. Ship metrics to Prometheus.</strong> The dashboard is useful for humans. For alerting, on-call tools, and long-term trend analysis, exposing a <code>/metrics</code> endpoint would integrate with the rest of a modern observability stack.</p> <h2> The Numbers </h2> <p>After running for 24 hours on the live server:</p> <ul> <li>Processed thousands of HTTP requests continuously</li> <li>Detected and blocked anomalous IPs within <strong>under 10 seconds</strong> of the first suspicious request</li> <li>Auto-released bans correctly on the configured schedule</li> <li>Dashboard refreshed without interruption</li> <li>Zero false positives on legitimate traffic once the baseline had enough data</li> </ul> <h2> Final Thoughts </h2> <p>The most important lesson from this project is not about Python or iptables or deques.</p> <p>It is about <strong>measurement before action</strong>.</p> <p>Every security tool that uses hardcoded thresholds is making a guess. This system does not guess - it measures, it learns, and it acts on what it has observed. The z-score is not magic. It is just a way of asking: "is what I am seeing now consistent with what I have seen in the past?"</p> <p>When the answer is no - decisively, statistically, not-even-close no - you block it.</p> <p>That is the whole idea.</p> <p><em>Full source code: <a href="https://github.com/gbadedata/hng14-stage3" rel="noopener noreferrer">https://github.com/gbadedata/hng14-stage3</a></em></p> <p><em>Live dashboard: <a href="http://dashboard.gbadedata.com" rel="noopener noreferrer">http://dashboard.gbadedata.com</a></em></p> architecture python security showdev