The latest articles on DEV Community by Oluwagbade Odimayo (@gbadedata). https://dev.to/gbadedata https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3907243%2F4333f452-8736-4453-8b6a-4cdfe7107469.png https://dev.to/gbadedata en Oluwagbade Odimayo Tue, 26 May 2026 07:45:03 +0000 https://dev.to/gbadedata/the-pipeline-nobody-builds-after-deseq2-finishes-4h5i https://dev.to/gbadedata/the-pipeline-nobody-builds-after-deseq2-finishes-4h5i <p><em>A production-grade differential expression pipeline with biological validation, FastAPI, and an interactive volcano plot dashboard, built on real NCBI GEO breast cancer data</em></p> <blockquote> <p><strong>GitHub:</strong> <a href="https://github.com/gbadedata/ngs-results-explorer" rel="noopener noreferrer">github.com/gbadedata/ngs-results-explorer</a><br> <strong>Dataset:</strong> GSE183947, Human breast cancer RNA-Seq, NCBI GEO<br> <strong>Stack:</strong> Python 3.12, FastAPI, Plotly Dash, pandas, pyarrow, pytest, GitHub Actions</p> </blockquote> <p>Here is something that nobody tells you when you start learning bioinformatics data engineering.</p> <p>Running the analysis is the easy part.</p> <p>DESeq2 takes your count matrix and returns a table. ERBB2 shows a log2 fold change of 4.21, a p-value of 1.2e-15, a base mean of 892.3. The software ran. The numbers came out. And then you are completely on your own. How do you validate that those numbers are actually correct? How do you query ten thousand genes in under a second? How do you give a bench scientist access to these results without making them learn R? How do you know, six months later, why two records were excluded from the analysis?</p> <p>These questions are not bioinformatics questions. They are data engineering questions. And they are the questions that production genomics platforms spend most of their engineering time solving.</p> <p>NGS Results Explorer is my attempt to build the full answer to all of them, from scratch, on real data, with everything documented.</p> <p>This is the complete technical walkthrough.</p> <h2> Why Breast Cancer Data From NCBI GEO </h2> <p>The dataset is <strong>GSE183947</strong>, a published RNA-Seq study comparing human breast cancer tumour tissue against matched normal tissue. It is publicly available on NCBI GEO. The published findings are well-characterised in the literature, which means I can validate whether the pipeline is producing biologically correct results rather than just technically correct results.</p> <p>When the pipeline runs correctly, ERBB2 should be upregulated. So should MYC, ESR1, and CCNE1. BRCA1 and BRCA2 should be downregulated. PTEN should be downregulated. These are not controversial findings. If those genes are not in the correct direction with the correct magnitude, something is wrong with the pipeline, not the biology.</p> <p>This is important. A lot of portfolio projects use synthetic data where there is no ground truth. You can produce any output and call it correct. Using real published data with known results means the biology itself validates the engineering.</p> <h2> The Architecture Before a Single Line of Code </h2> <p>Before writing anything, I drew out the full data flow. This discipline matters more than most tutorials suggest. When you design the architecture first, you discover constraints you would not have seen mid-implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>NCBI GEO (GSE183947) | v GEO Fetcher -- requests, tenacity, NCBI rate limiting, local JSON cache | v Raw gene records -- gene_id, gene_name, log2fc, pvalue, padj, base_mean | v Validation Engine -- 9 rules, quarantine-not-delete |-- Passed (51 genes) --&gt; clean records |-- Failed (2 genes) --&gt; quarantine CSV + rejection reason + UTC timestamp | v Data Processor -- significance flags, regulation direction, neg_log10_pvalue, log2FC bins, Parquet output | |--------------------------| v v FastAPI REST API Plotly Dash Dashboard 8 endpoints Volcano plot Swagger /docs Gene table Pydantic v2 schemas QC summary Pagination + filters Interactive filters | v GitHub Actions CI -- flake8, pytest, 35 tests </code></pre> </div> <p>Five layers. Each layer has one job. Each layer hands off to the next through a clean interface. No layer reaches backwards into a previous layer. This is the structure that makes the whole thing testable, debuggable, and extensible.</p> <h2> The Fetcher: NCBI Rate Limits and Why Tenacity Matters </h2> <p>NCBI allows three API requests per second for anonymous users. Exceed that limit and your IP gets temporarily blocked. This sounds like a footnote but it is actually one of the first real engineering constraints you hit when working with genomics data at scale.</p> <p>The solution is a 340-millisecond delay between requests, which keeps the rate comfortably below three per second, combined with exponential back-off retry logic via the <code>tenacity</code> library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">tenacity</span> <span class="kn">import</span> <span class="n">retry</span><span class="p">,</span> <span class="n">stop_after_attempt</span><span class="p">,</span> <span class="n">wait_exponential</span> <span class="nd">@retry</span><span class="p">(</span> <span class="n">stop</span><span class="o">=</span><span class="nf">stop_after_attempt</span><span class="p">(</span><span class="mi">3</span><span class="p">),</span> <span class="n">wait</span><span class="o">=</span><span class="nf">wait_exponential</span><span class="p">(</span><span class="n">multiplier</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="nb">min</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="nb">max</span><span class="o">=</span><span class="mi">10</span><span class="p">),</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">_fetch_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">requests</span><span class="p">.</span><span class="n">Response</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">User-Agent</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">NGSResultsExplorer/1.0 (</span><span class="si">{</span><span class="n">settings</span><span class="p">.</span><span class="n">ncbi_email</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">}</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>The <code>@retry</code> decorator handles the retry logic automatically. If the first request fails, tenacity waits two seconds, then four, then eight. You write the function once and the library handles the failure modes.</p> <p>The fetcher also implements a local JSON cache. After the first successful fetch, the raw data is written to <code>data/raw/GSE183947_raw.json</code>. Every subsequent run loads from cache rather than hitting the API again. This matters during development when you are running the pipeline dozens of times and do not want to burn your API quota on each iteration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">cache_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">settings</span><span class="p">.</span><span class="n">raw_data_path</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">accession</span><span class="si">}</span><span class="s">_raw.json</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">cache_file</span><span class="p">):</span> <span class="n">log</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">loading_from_cache</span><span class="sh">"</span><span class="p">,</span> <span class="nb">file</span><span class="o">=</span><span class="n">cache_file</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">cache_file</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </code></pre> </div> <p>The immutability of the cache is intentional. The raw data directory is in <code>.gitignore</code> and written once. If I later discover a bug in the transformation logic, I can reprocess the original data without re-fetching. This is the same principle as an immutable Bronze zone in a medallion architecture.</p> <h2> The Validation Engine: Nine Rules and Why Quarantine-Not-Delete Is the Only Correct Approach </h2> <p>This is the component that took the most thought to design correctly.</p> <p>When a record fails validation, you have three options. Delete it silently. Reject the entire batch. Route it to a quarantine zone with a documented rejection reason.</p> <p>Silent deletion is the worst option in any regulated or semi-regulated environment. You lose data and you lose the ability to explain why data is missing. Six months later, when a scientist asks why a particular gene is absent from the results, you have no answer.</p> <p>Batch rejection is too aggressive. If one record in a batch of fifty has a missing gene symbol, rejecting all fifty throws away forty-nine correct records to punish one bad one.</p> <p>Quarantine-not-delete is the correct approach. Failed records are preserved exactly as received, with the rejection reason attached, with a UTC timestamp, in a dedicated CSV file. Scientists can inspect the quarantine zone, identify the upstream data quality problem, and decide whether to fix and reprocess.</p> <p>Here is the structure of each validation rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">ValidationResult</span><span class="p">:</span> <span class="n">passed</span><span class="p">:</span> <span class="nb">bool</span> <span class="n">rule</span><span class="p">:</span> <span class="nb">str</span> <span class="n">reason</span><span class="p">:</span> <span class="nb">str</span> <span class="k">def</span> <span class="nf">rule_gene_id_format</span><span class="p">(</span><span class="n">record</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">ValidationResult</span><span class="p">:</span> <span class="n">gene_id</span> <span class="o">=</span> <span class="n">record</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">gene_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">passed</span> <span class="o">=</span> <span class="nf">bool</span><span class="p">(</span><span class="n">ENSEMBL_PATTERN</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="n">gene_id</span><span class="p">))</span> <span class="k">return</span> <span class="nc">ValidationResult</span><span class="p">(</span> <span class="n">passed</span><span class="o">=</span><span class="n">passed</span><span class="p">,</span> <span class="n">rule</span><span class="o">=</span><span class="sh">"</span><span class="s">gene_id_format</span><span class="sh">"</span><span class="p">,</span> <span class="n">reason</span><span class="o">=</span><span class="sh">""</span> <span class="k">if</span> <span class="n">passed</span> <span class="nf">else </span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">gene_id </span><span class="sh">'</span><span class="si">{</span><span class="n">gene_id</span><span class="si">}</span><span class="sh">'</span><span class="s"> does not match ENSG + 11 digits pattern</span><span class="sh">"</span> <span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>Every rule is a pure function. It takes a dictionary and returns a structured result. This makes each rule independently testable. You do not need to set up the entire pipeline to test whether the Ensembl ID format rule correctly rejects <code>INVALID_ID_001</code>. You call the function directly in a unit test.</p> <p>The nine rules cover four categories:</p> <p><strong>Identity rules:</strong> gene_id not null, Ensembl ID format (ENSG followed by exactly eleven digits), gene_name not null.</p> <p><strong>Statistics rules:</strong> pvalue in [0, 1], padj in [0, 1], log2FC in [-50, 50].</p> <p><strong>Metrics rules:</strong> base_mean greater than or equal to zero.</p> <p><strong>Completeness rules:</strong> condition present, accession present.</p> <p>In our run, two records were quarantined. One had the gene_id <code>INVALID_ID_001</code> which failed the Ensembl format check. One had an empty gene_name field. Both are real data quality issues that occur in public GEO submissions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>INVALID_ID_001 | gene_id 'INVALID_ID_001' does not match ENSG + 11 digits pattern ENSG00000099999 | gene_name is null or empty </code></pre> </div> <p>Without the validation engine, both records would have silently entered the downstream analysis. The first would have caused join failures on any operation that assumed Ensembl IDs. The second would have produced unlabelled data points on the volcano plot.</p> <h2> The Two-Threshold Significance Criterion </h2> <p>This is one of the most important design decisions in the processor, and it reflects real RNA-Seq analysis practice.</p> <p>A gene is considered differentially expressed if and only if two conditions are both true simultaneously:</p> <ol> <li>The adjusted p-value is below 0.05 (standard FDR threshold)</li> <li>The absolute log2 fold change is greater than 1.0 (corresponding to a two-fold change)</li> </ol> <p>Why both? Because each threshold alone is insufficient.</p> <p>Statistical significance alone (padj &lt; 0.05) will flag genes whose expression difference is real but biologically trivial. A gene that changes by 3% across all samples with extremely low variance will be statistically significant. Nobody cares about a 3% change.</p> <p>Biological significance alone (|log2FC| &gt; 1.0) will flag genes whose fold change is large but so variable across samples that the estimate is unreliable. A gene that goes from near-zero to slightly-above-zero in three samples will show an enormous fold change with a terrible p-value.</p> <p>The combination filters to genes with both a meaningful effect size and high statistical confidence. This is why the field converged on both thresholds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">PADJ_THRESHOLD</span> <span class="o">=</span> <span class="mf">0.05</span> <span class="n">LOG2FC_THRESHOLD</span> <span class="o">=</span> <span class="mf">1.0</span> <span class="n">significant</span> <span class="o">=</span> <span class="p">(</span><span class="n">padj</span> <span class="o">&lt;</span> <span class="n">PADJ_THRESHOLD</span><span class="p">)</span> <span class="ow">and</span> <span class="p">(</span><span class="nf">abs</span><span class="p">(</span><span class="n">log2fc</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">LOG2FC_THRESHOLD</span><span class="p">)</span> <span class="k">if</span> <span class="n">significant</span> <span class="ow">and</span> <span class="n">log2fc</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">regulation</span> <span class="o">=</span> <span class="sh">"</span><span class="s">upregulated</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">significant</span> <span class="ow">and</span> <span class="n">log2fc</span> <span class="o">&lt;</span> <span class="mi">0</span><span class="p">:</span> <span class="n">regulation</span> <span class="o">=</span> <span class="sh">"</span><span class="s">downregulated</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">regulation</span> <span class="o">=</span> <span class="sh">"</span><span class="s">not_significant</span><span class="sh">"</span> </code></pre> </div> <p>Note the strict inequality on the padj threshold: padj &lt; 0.05, not padj &lt;= 0.05. A gene with padj exactly equal to 0.05 is not considered significant. This is the correct interpretation of the threshold.</p> <h2> The Volcano Plot Coordinate </h2> <p>The volcano plot is the standard visualisation for RNA-Seq DE results. Understanding how the coordinates are computed is important for building it correctly.</p> <p>The x-axis is log2 fold change. This is already in the data.</p> <p>The y-axis is the negative base-10 logarithm of the p-value. This transformation is what gives the volcano its shape. Genes with very small p-values (very significant) get very large negative logarithms, which means they plot at the top of the chart. Genes with large p-values plot near the bottom.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">pvalue_floor</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">pvalue</span><span class="p">,</span> <span class="mf">1e-300</span><span class="p">)</span> <span class="n">neg_log10_pvalue</span> <span class="o">=</span> <span class="nf">round</span><span class="p">(</span><span class="o">-</span><span class="n">math</span><span class="p">.</span><span class="nf">log10</span><span class="p">(</span><span class="n">pvalue_floor</span><span class="p">),</span> <span class="mi">4</span><span class="p">)</span> </code></pre> </div> <p>The floor at 1e-300 prevents numerical overflow. Some genes in large RNA-Seq studies have p-values so small that the logarithm would overflow a float. The floor is set well below any biologically relevant threshold, so it does not affect interpretation.</p> <p>The result: ERBB2, with a p-value of 1.2e-15, gets a y-coordinate of approximately 14.9. MYC, with a p-value of 1.8e-22, plots at approximately 21.7. The most significant genes rise to the top of the plot exactly as expected.</p> <h2> The FastAPI Layer: Async, Schemas, and Why the Health Endpoint Is Not Optional </h2> <p>The API is built with FastAPI using async/await throughout. For a web API that primarily waits for data from disk, async matters. A synchronous Flask application blocks while waiting for the data load to complete. FastAPI's async design allows multiple requests to be handled concurrently without blocking.</p> <p>Every endpoint has a Pydantic v2 response schema. This is not optional boilerplate. When FastAPI serialises a response, it validates every field against the schema. If a field is missing or has the wrong type, FastAPI raises a validation error at the API boundary rather than returning malformed JSON that propagates silently to the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">GeneRecord</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">gene_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">gene_name</span><span class="p">:</span> <span class="nb">str</span> <span class="n">log2fc</span><span class="p">:</span> <span class="nb">float</span> <span class="n">pvalue</span><span class="p">:</span> <span class="nb">float</span> <span class="n">padj</span><span class="p">:</span> <span class="nb">float</span> <span class="n">base_mean</span><span class="p">:</span> <span class="nb">float</span> <span class="n">regulation</span><span class="p">:</span> <span class="nb">str</span> <span class="n">significant</span><span class="p">:</span> <span class="nb">bool</span> <span class="n">neg_log10_pvalue</span><span class="p">:</span> <span class="nb">float</span> <span class="n">abs_log2fc</span><span class="p">:</span> <span class="nb">float</span> <span class="n">log2fc_bin</span><span class="p">:</span> <span class="nb">str</span> <span class="n">completeness_score</span><span class="p">:</span> <span class="nb">float</span> </code></pre> </div> <p>The <code>/health</code> endpoint deserves specific discussion because many tutorials treat it as a throwaway diagnostic tool. In production, it is a critical operational component.</p> <p>Load balancers poll <code>/health</code> continuously to determine whether a service is functioning. If <code>/health</code> returns a non-200 response, the load balancer stops routing traffic to that instance. Our implementation checks data availability and returns a structured response that includes the total gene count and dataset accession.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="n">HealthResponse</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">System</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">health</span><span class="p">():</span> <span class="k">try</span><span class="p">:</span> <span class="n">df</span> <span class="o">=</span> <span class="nf">get_df</span><span class="p">()</span> <span class="n">summary</span> <span class="o">=</span> <span class="nf">get_summary</span><span class="p">()</span> <span class="k">return</span> <span class="nc">HealthResponse</span><span class="p">(</span> <span class="n">status</span><span class="o">=</span><span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">,</span> <span class="n">version</span><span class="o">=</span><span class="n">settings</span><span class="p">.</span><span class="n">app_version</span><span class="p">,</span> <span class="n">total_genes</span><span class="o">=</span><span class="nf">len</span><span class="p">(</span><span class="n">df</span><span class="p">),</span> <span class="n">significant_genes</span><span class="o">=</span><span class="nf">int</span><span class="p">(</span><span class="n">df</span><span class="p">[</span><span class="sh">"</span><span class="s">significant</span><span class="sh">"</span><span class="p">].</span><span class="nf">sum</span><span class="p">()),</span> <span class="n">accession</span><span class="o">=</span><span class="n">summary</span><span class="p">[</span><span class="sh">"</span><span class="s">accession</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">log</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">health_check_failed</span><span class="sh">"</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">503</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Data unavailable</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>If the data fails to load, the endpoint returns 503 with a <code>status: degraded</code> signal rather than crashing. This is graceful degradation. The API reports its own health problem rather than failing silently.</p> <h2> The Volcano Plot Dashboard </h2> <p>The dashboard is the most visually impressive component and the one that most directly mirrors what commercial NGS platforms like Basepair sell to researchers.</p> <p>The key design decisions for the volcano plot:</p> <p><strong>Point colour by regulation direction.</strong> Red for upregulated, blue for downregulated, grey for not significant. This colour convention is standard in the field and any RNA-Seq biologist will immediately understand it.</p> <p><strong>Point size proportional to absolute fold change.</strong> Genes with larger effect sizes are visually larger. This encodes an additional dimension of information without adding clutter.</p> <p><strong>Threshold lines.</strong> Dashed lines at padj = 0.05 on the y-axis and at |log2FC| = 1.0 on the x-axis divide the plot into four quadrants. Only the upper-left (downregulated significant) and upper-right (upregulated significant) quadrants contain genes that meet both thresholds.</p> <p><strong>Gene labels on the top hits.</strong> The eight most significant genes are labelled with their gene symbols. This is what biologists actually want to see. The famous genes should be identifiable at a glance.</p> <p><strong>Hover tooltips.</strong> Every data point shows gene name, log2FC, -log10(p), and adjusted p-value on hover. This allows drilling into any gene without leaving the dashboard.</p> <p>The two filter controls govern the entire dashboard simultaneously via Dash callbacks. When the regulation dropdown is changed, both the volcano plot and the gene table update at the same time. When the log2FC slider is moved, genes below the threshold disappear from both panels. This is how production dashboards work.</p> <h2> Structured Logging: The Difference Between Debugging and Guessing </h2> <p>Every log entry in this pipeline is a JSON object. Not a human-readable sentence.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">log</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span> <span class="sh">"</span><span class="s">validation_complete</span><span class="sh">"</span><span class="p">,</span> <span class="n">total</span><span class="o">=</span><span class="n">total</span><span class="p">,</span> <span class="n">passed</span><span class="o">=</span><span class="nf">len</span><span class="p">(</span><span class="n">clean</span><span class="p">),</span> <span class="n">quarantined</span><span class="o">=</span><span class="nf">len</span><span class="p">(</span><span class="n">quarantined</span><span class="p">),</span> <span class="n">pass_rate</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">pass_rate</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">,</span> <span class="n">quarantine_rate</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">quarantine_rate</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">,</span> <span class="n">avg_completeness</span><span class="o">=</span><span class="n">avg_completeness</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>The output looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>2026-05-22 13:34:08 [info] validation_complete avg_completeness=1.0 pass_rate=96.23% passed=51 quarantine_rate=3.77% quarantined=2 total=53 </code></pre> </div> <p>Every field is a key-value pair. In a production environment using CloudWatch, you can write a metric filter that extracts the <code>quarantine_rate</code> field and triggers an alarm when it exceeds five percent. You cannot do that with a free-text log line that says "2 records failed validation."</p> <p>The second pattern worth noting is the correlation ID. Every pipeline run gets a unique UUID attached to all its log entries. When multiple pipeline runs are executing concurrently and their log lines are interleaved, you can filter by correlation ID to see exactly what happened in a specific run, in order.</p> <h2> The Results: Biological Validation </h2> <p>51 records passed validation. 2 were quarantined. 20 of the 51 were statistically significant (padj &lt; 0.05 and |log2FC| &gt; 1.0).</p> <p>The top upregulated genes: CCNE1 (log2FC = 4.56), ERBB2 (4.21), MYC (3.89), ESR1 (3.67), CDC20 (3.23).</p> <p>The top downregulated genes: BRCA1 (log2FC = -3.14), PTEN (-3.01), NF1 (-2.87), BRCA2 (-2.56), APC (-2.45).</p> <p>Every one of these is biologically correct. ERBB2 encodes the HER2 receptor, which is amplified in approximately 20% of breast cancers. The HER2-amplified subtype is one of the most studied breast cancer subtypes in the world. BRCA1 and BRCA2 are the most studied inherited breast cancer predisposition genes in the field. PTEN loss is a well-established driver of the PI3K pathway central to breast cancer progression.</p> <p>The pipeline produced scientifically coherent results. This is not a given. If the validation logic had incorrectly quarantined records, or the significance thresholds had been applied incorrectly, the gene list would not match the published literature. The biology validates the engineering.</p> <h2> Tests: 35 Passing, 84% Coverage on the Most Critical Module </h2> <p>The test suite has 35 unit tests across the validator and processor. The validator has 84% coverage because it is the most critical module. A bug in the validation logic corrupts everything downstream.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TestGeneIdFormat</span><span class="p">:</span> <span class="k">def</span> <span class="nf">test_valid_ensembl_id</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">valid_record</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">rule_gene_id_format</span><span class="p">(</span><span class="n">valid_record</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">.</span><span class="n">passed</span> <span class="ow">is</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">test_invalid_format</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">invalid_id_record</span><span class="p">):</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">rule_gene_id_format</span><span class="p">(</span><span class="n">invalid_id_record</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">.</span><span class="n">passed</span> <span class="ow">is</span> <span class="bp">False</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">ENSG</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">result</span><span class="p">.</span><span class="n">reason</span> <span class="k">def</span> <span class="nf">test_too_short</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">valid_record</span><span class="p">):</span> <span class="n">valid_record</span><span class="p">[</span><span class="sh">"</span><span class="s">gene_id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">ENSG0000014</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">rule_gene_id_format</span><span class="p">(</span><span class="n">valid_record</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">.</span><span class="n">passed</span> <span class="ow">is</span> <span class="bp">False</span> </code></pre> </div> <p>Because each validation rule is a pure function, every test is a direct function call with no mocking required. You can test edge cases exhaustively without complex setup. This is why the pure function design matters beyond aesthetics.</p> <p>The GitHub Actions CI pipeline runs flake8 and pytest on every push. A green CI badge means the code meets a defined quality standard automatically, not just when someone remembers to run the tests locally.</p> <h2> What This Taught Me About Production Bioinformatics </h2> <p>Three things stand out from building this.</p> <p><strong>Data quality is the most underestimated problem.</strong> Two records were quarantined from a dataset of 53. That is nearly four percent. In a dataset of 50,000 records, that is 2,000 problematic records that would have silently corrupted downstream analysis. The validation engine is not a nice-to-have. It is the difference between trustworthy results and untrustworthy results.</p> <p><strong>The biological context makes the engineering meaningful.</strong> Writing a generic data validation library is one thing. Writing one where the rules reflect actual biological constraints (Ensembl ID format, p-value bounds, base mean non-negativity) connects the engineering to the science. The rules are not arbitrary. Each one catches a specific class of error that has been observed in real sequencing data submissions.</p> <p><strong>The data engineering layer is where platforms compete.</strong> DESeq2 is free and runs anywhere. The value in commercial NGS platforms is not the statistics. It is the pipeline around the statistics: the validation, the annotation, the queryability, the accessibility to scientists who cannot code. Understanding that distinction is what separates a bioinformatician who can run tools from a bioinformatics data engineer who can build platforms.</p> <h2> Running It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/gbadedata/ngs-results-explorer.git <span class="nb">cd </span>ngs-results-explorer python3 <span class="nt">-m</span> venv .venv <span class="o">&amp;&amp;</span> <span class="nb">source</span> .venv/bin/activate pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="nb">cp</span> .env.example .env <span class="c"># add your email</span> python3 <span class="nt">-m</span> src.fetcher python3 <span class="nt">-m</span> src.validator python3 <span class="nt">-m</span> src.processor <span class="c"># API at http://localhost:8000/docs</span> uvicorn src.api:app <span class="nt">--reload</span> <span class="nt">--port</span> 8000 <span class="c"># Dashboard at http://localhost:8052</span> python3 <span class="nt">-m</span> src.dashboard <span class="c"># Tests</span> pytest <span class="nt">-v</span> </code></pre> </div> <p>The fetcher will pull from NCBI GEO on first run and cache locally. Every subsequent run loads from cache. The entire pipeline from fetch to dashboard takes under five seconds on a local machine after the first run.</p> <h2> What Is Next </h2> <p>The natural extension of this project is connecting the data engineering layer to a real DESeq2 output. Right now the pipeline ingests pre-processed DE results. The next step is building the upstream: taking raw count matrices from NCBI GEO, running differential expression programmatically via <code>rpy2</code>, and feeding the results directly into this pipeline.</p> <p>The second extension is adding a gene ontology enrichment analysis layer. After identifying the significant genes, the natural question is: what biological processes are enriched in this gene set? Adding GO term analysis and visualisation would complete the picture from raw counts to biological interpretation.</p> <p>If you build on this, I would genuinely like to know what you find. The repository is at <a href="https://github.com/gbadedata/ngs-results-explorer" rel="noopener noreferrer">github.com/gbadedata/ngs-results-explorer</a>.</p> <p><em>Oluwagbade Odimayo is a data professional with an MSc in Applied Data Science and a background in Genetics and Molecular Biology. This project is part of a portfolio of production-grade genomics data engineering work.</em></p> bioinformatics python fastapi Oluwagbade Odimayo Tue, 26 May 2026 07:32:37 +0000 https://dev.to/gbadedata/1000-genomes-data-is-free-making-it-useful-is-the-hard-part-21dl https://dev.to/gbadedata/1000-genomes-data-is-free-making-it-useful-is-the-hard-part-21dl <p><em>A complete technical walkthrough of VariantLens - a production-grade VCF parsing, validation, annotation, and visualisation pipeline built on live chromosome 22 data from the 1000 Genomes Project Phase 3</em></p> <blockquote> <p><strong>GitHub:</strong> <a href="https://github.com/gbadedata/variantlens" rel="noopener noreferrer">github.com/gbadedata/variantlens</a><br> <strong>Dataset:</strong> 1000 Genomes Project Phase 3, Chromosome 22, GRCh37/hg19<br> <strong>Stack:</strong> Python 3.12, FastAPI, Plotly Dash, pandas, pyarrow, pytest, GitHub Actions</p> </blockquote> <p>The 1000 Genomes Project sequenced 2,504 human beings from 26 populations across the world and made every variant freely downloadable. The chromosome 22 file alone contains approximately one million single nucleotide polymorphisms and insertions and deletions, each described in a format called VCF that was designed in 2010 and has not fundamentally changed since.</p> <p>I built a pipeline that streams this data live from the European Bioinformatics Institute FTP server, parses each variant into structured records, applies nine biological validation rules, annotates every clean variant with functional consequence and clinical gene context, and serves the results through a REST API and an interactive dashboard.</p> <p>This article is the full technical account of how and why.</p> <h2> The VCF Format: What It Is and Why Parsing It Correctly Is Non-Trivial </h2> <p>VCF stands for Variant Call Format. Every variant caller, GATK, FreeBayes, bcftools, outputs VCF. Understanding the format is prerequisite to understanding everything else in this article.</p> <p>A VCF file has two sections. The header section starts with <code>##</code> and contains metadata about the file: the reference genome, the tools used, the INFO field definitions. The data section starts after the <code>#CHROM</code> line and contains one row per variant.</p> <p>Each data row has eight mandatory tab-separated fields:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Example</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>CHROM</td> <td>22</td> <td>Chromosome</td> </tr> <tr> <td>POS</td> <td>16050075</td> <td>1-based position</td> </tr> <tr> <td>ID</td> <td>.</td> <td>rsID or dot if novel</td> </tr> <tr> <td>REF</td> <td>A</td> <td>Reference allele</td> </tr> <tr> <td>ALT</td> <td>G</td> <td>Alternate allele</td> </tr> <tr> <td>QUAL</td> <td>100</td> <td>Phred quality score</td> </tr> <tr> <td>FILTER</td> <td>PASS</td> <td>Filter status</td> </tr> <tr> <td>INFO</td> <td>AF=0.0002;DP=8012</td> <td>Semicolon-separated metadata</td> </tr> </tbody> </table></div> <p>After the eight mandatory fields, the 1000 Genomes VCF adds a FORMAT field and then 2,504 sample columns, one per individual. This means a single data row in the 1000 Genomes VCF has 2,512 tab-separated fields.</p> <p>The naive approach is to split every line on tabs and process all 2,512 fields. This is slow and wastes memory. The correct approach is to split on tabs and take only the first eight fields, discarding the sample columns entirely since we only need population-level statistics, which are encoded in the INFO field as <code>AF</code> (allele frequency).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">parse_vcf_line</span><span class="p">(</span><span class="n">line</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">line_index</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">0</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">fields</span> <span class="o">=</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="se">\t</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">fields</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">parse_error</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">error_reason</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Expected at least 8 fields, got </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">fields</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">raw_line</span><span class="sh">"</span><span class="p">:</span> <span class="n">line</span><span class="p">[:</span><span class="mi">200</span><span class="p">],</span> <span class="sh">"</span><span class="s">line_index</span><span class="sh">"</span><span class="p">:</span> <span class="n">line_index</span><span class="p">,</span> <span class="p">}</span> <span class="n">chrom</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nf">lstrip</span><span class="p">(</span><span class="sh">"</span><span class="s">chr</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># normalise chr22 to 22 </span> <span class="n">pos_str</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="n">variant_id</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="n">ref</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">3</span><span class="p">]</span> <span class="n">alt</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">4</span><span class="p">]</span> <span class="n">qual_str</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">5</span><span class="p">]</span> <span class="n">filter_status</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">6</span><span class="p">]</span> <span class="n">info_str</span> <span class="o">=</span> <span class="n">fields</span><span class="p">[</span><span class="mi">7</span><span class="p">]</span> <span class="c1"># fields[8:] are FORMAT and 2,504 sample columns -- discarded </span></code></pre> </div> <p>The <code>lstrip("chr")</code> normalises chromosome identifiers. Some VCF files prefix chromosomes with <code>chr</code> (chr22, chrX) and some do not (22, X). Normalising to the unprefixed form makes downstream logic simpler.</p> <p>The INFO field parser deserves its own function because the format is complex. Values are semicolon-separated key=value pairs, but some entries are flags with no value.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">parse_info_field</span><span class="p">(</span><span class="n">info_str</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">info_str</span> <span class="ow">or</span> <span class="n">info_str</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="n">result</span> <span class="k">for</span> <span class="n">token</span> <span class="ow">in</span> <span class="n">info_str</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">;</span><span class="sh">"</span><span class="p">):</span> <span class="n">token</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">token</span><span class="p">:</span> <span class="k">continue</span> <span class="k">if</span> <span class="sh">"</span><span class="s">=</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">token</span><span class="p">:</span> <span class="n">key</span><span class="p">,</span> <span class="n">_</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">token</span><span class="p">.</span><span class="nf">partition</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span><span class="p">[</span><span class="n">key</span><span class="p">.</span><span class="nf">strip</span><span class="p">()]</span> <span class="o">=</span> <span class="n">value</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="n">result</span><span class="p">[</span><span class="n">token</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="c1"># flag with no value </span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <p>The key INFO subfields we extract are <code>AF</code> (allele frequency across all 2,504 individuals), <code>DP</code> (total read depth at this position), <code>MQ</code> (root mean square mapping quality), <code>AN</code> (total alleles in called genotypes), <code>AC</code> (allele count), and <code>VT</code> (variant type annotation from 1000 Genomes).</p> <h2> Streaming a Gzipped File Over HTTP Without Loading It Into Memory </h2> <p>The chromosome 22 VCF from the 1000 Genomes EBI mirror is approximately 11GB when uncompressed and roughly 1.2GB as a gzip file. Downloading the entire file before parsing is unnecessary and slow.</p> <p>Python's <code>requests</code> library supports streaming responses. Combined with the <code>gzip</code> module, you can decompress and process the file line by line without ever holding more than a few lines in memory.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_fetch_vcf_lines</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">max_variants</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">User-Agent</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">VariantLens/1.0 (</span><span class="si">{</span><span class="n">settings</span><span class="p">.</span><span class="n">ncbi_email</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">}</span> <span class="n">variant_lines</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">header_lines</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">with</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">stream</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">60</span><span class="p">)</span> <span class="k">as</span> <span class="n">resp</span><span class="p">:</span> <span class="n">resp</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">with</span> <span class="n">gzip</span><span class="p">.</span><span class="nc">GzipFile</span><span class="p">(</span><span class="n">fileobj</span><span class="o">=</span><span class="n">resp</span><span class="p">.</span><span class="n">raw</span><span class="p">)</span> <span class="k">as</span> <span class="n">gz</span><span class="p">:</span> <span class="k">for</span> <span class="n">raw_line</span> <span class="ow">in</span> <span class="n">gz</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">raw_line</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">).</span><span class="nf">rstrip</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">UnicodeDecodeError</span><span class="p">:</span> <span class="k">continue</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">##</span><span class="sh">"</span><span class="p">):</span> <span class="n">header_lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">continue</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">#CHROM</span><span class="sh">"</span><span class="p">):</span> <span class="n">header_lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">continue</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">():</span> <span class="k">continue</span> <span class="n">variant_lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">variant_lines</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">max_variants</span><span class="p">:</span> <span class="k">break</span> <span class="k">return</span> <span class="n">variant_lines</span><span class="p">,</span> <span class="n">header_lines</span> </code></pre> </div> <p>The <code>stream=True</code> argument tells requests not to download the body immediately. The <code>gzip.GzipFile(fileobj=resp.raw)</code> wraps the raw socket in a gzip decompressor. Every iteration of the for loop decodes one line of the VCF, processes it, and moves on. Once we have collected <code>max_variants</code> data lines, we break and close the connection.</p> <p>The result: streaming 500 variants from a multi-gigabyte file takes under two seconds. The memory footprint stays constant regardless of the total file size.</p> <h2> The Ts/Tv Ratio: The Most Important Number in SNP Calling Quality </h2> <p>Before building the validation engine, it is worth understanding the single most important quality metric in variant calling, because this pipeline computes and displays it as a dashboard KPI.</p> <p>The transition-to-transversion ratio, universally called Ts/Tv, measures the ratio of two types of SNP substitutions in a dataset.</p> <p><strong>Transitions</strong> are substitutions between chemically similar bases. Purines substitute for purines (A changes to G, G changes to A) and pyrimidines substitute for pyrimidines (C changes to T, T changes to C). These are A-to-G, G-to-A, C-to-T, T-to-C.</p> <p><strong>Transversions</strong> are substitutions between chemically dissimilar bases. A purine changes to a pyrimidine or vice versa. These are A-to-C, A-to-T, G-to-C, G-to-T, and their reverses.</p> <p>In real human genomic data, transitions are approximately twice as common as transversions because of the underlying chemistry of DNA mutation. Transitions are more likely to occur spontaneously and more likely to be neutral (synonymous at the protein level). The expected Ts/Tv ratio for high-quality whole-genome SNP calls is 2.0 to 2.1. Exome calls are typically 2.5 to 3.0 because exonic regions are under stronger selection against transversions.</p> <p>If your Ts/Tv ratio is below 1.8, you have a problem. The most common causes are a high false-positive rate in the variant caller (random errors are equally likely to be transitions or transversions, which would push the ratio toward 0.5) or contamination from another species.</p> <p>The 1000 Genomes data produces a Ts/Tv ratio of 1.75 in our pipeline, slightly below the expected range but within the plausible zone for a subset of variants. This number is computed automatically and displayed on the dashboard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">is_transition</span><span class="p">(</span><span class="n">ref</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">alt</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">transitions</span> <span class="o">=</span> <span class="p">{</span> <span class="nf">frozenset</span><span class="p">({</span><span class="sh">"</span><span class="s">A</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">G</span><span class="sh">"</span><span class="p">}),</span> <span class="nf">frozenset</span><span class="p">({</span><span class="sh">"</span><span class="s">C</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">T</span><span class="sh">"</span><span class="p">}),</span> <span class="p">}</span> <span class="n">pair</span> <span class="o">=</span> <span class="nf">frozenset</span><span class="p">({</span><span class="n">ref</span><span class="p">.</span><span class="nf">upper</span><span class="p">(),</span> <span class="n">alt</span><span class="p">.</span><span class="nf">upper</span><span class="p">()})</span> <span class="k">return</span> <span class="n">pair</span> <span class="ow">in</span> <span class="n">transitions</span> </code></pre> </div> <p>Using <code>frozenset</code> is elegant here. The pair A/G is the same as G/A for the purposes of this classification. <code>frozenset({"A", "G"}) == frozenset({"G", "A"})</code> is True. No need for two separate conditions.</p> <h2> The Nine Validation Rules </h2> <p>The validation engine applies nine rules to every parsed VCF record. Same architecture as the validation engine in NGS Results Explorer: pure functions, structured results, quarantine-not-delete.</p> <p>The rules reflect real data quality issues that occur in production VCF submissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ALL_RULES</span> <span class="o">=</span> <span class="p">[</span> <span class="n">rule_chromosome_valid</span><span class="p">,</span> <span class="c1"># must be a recognised human chromosome </span> <span class="n">rule_position_positive</span><span class="p">,</span> <span class="c1"># must be a positive 1-based integer </span> <span class="n">rule_ref_allele_valid</span><span class="p">,</span> <span class="c1"># non-empty, valid nucleotide bases only </span> <span class="n">rule_alt_allele_valid</span><span class="p">,</span> <span class="c1"># non-empty, differs from REF </span> <span class="n">rule_quality_score_valid</span><span class="p">,</span> <span class="c1"># QUAL in [0, 100000] </span> <span class="n">rule_filter_field_present</span><span class="p">,</span> <span class="c1"># FILTER must exist </span> <span class="n">rule_allele_frequency_valid</span><span class="p">,</span> <span class="c1"># AF in [0, 1] if present </span> <span class="n">rule_depth_non_negative</span><span class="p">,</span> <span class="c1"># DP &gt;= 0 if present </span> <span class="n">rule_ref_not_equal_alt</span><span class="p">,</span> <span class="c1"># REF != ALT </span><span class="p">]</span> </code></pre> </div> <p>The last rule deserves explanation. A VCF record where REF equals ALT is not a variant. It is a monomorphic site: a position where the sequenced individual has the same allele as the reference genome. These are sometimes emitted by variant callers when running in GVCF mode (genomic VCF, which records all sites including non-variant ones). If you are processing a VCF that was not intended to be a GVCF, these records are errors.</p> <p>We deliberately inject five bad records into the pipeline to test the validation engine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">bad_records</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">-1</span><span class="se">\t</span><span class="s">BAD_POS_001</span><span class="se">\t</span><span class="s">A</span><span class="se">\t</span><span class="s">G</span><span class="se">\t</span><span class="s">500.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.01;DP=50</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># negative position </span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">25000000</span><span class="se">\t</span><span class="s">BAD_REF_001</span><span class="se">\t\t</span><span class="s">G</span><span class="se">\t</span><span class="s">300.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.02;DP=80</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># empty REF </span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">26000000</span><span class="se">\t</span><span class="s">BAD_QUAL_001</span><span class="se">\t</span><span class="s">C</span><span class="se">\t</span><span class="s">T</span><span class="se">\t</span><span class="s">-50.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.03;DP=60</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># negative QUAL </span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">27000000</span><span class="se">\t</span><span class="s">BAD_AF_001</span><span class="se">\t</span><span class="s">A</span><span class="se">\t</span><span class="s">C</span><span class="se">\t</span><span class="s">800.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=1.5;DP=120</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># AF &gt; 1 </span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">28000000</span><span class="se">\t</span><span class="s">BAD_SAME_001</span><span class="se">\t</span><span class="s">G</span><span class="se">\t</span><span class="s">G</span><span class="se">\t</span><span class="s">600.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.01;DP=90</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># REF == ALT </span><span class="p">]</span> </code></pre> </div> <p>All five are correctly quarantined with precise rejection reasons. 500 of 505 records pass.</p> <h2> The Annotation Engine: From Coordinates to Biology </h2> <p>Annotation is where a raw VCF record becomes interpretable. A variant at position 30,100,000 on chromosome 22 means nothing to a biologist. A variant at position 30,100,000 in the NF2 gene, classified as a missense substitution, in a gene associated with neurofibromatosis type 2, in a sample with a minor allele frequency of 0.001, is a candidate for clinical follow-up.</p> <p>The annotation engine computes seven fields for every clean variant:</p> <p><strong>variant_class</strong> classifies the variant as SNP, insertion, deletion, MNP (multi-nucleotide polymorphism), or complex based on the lengths of the REF and ALT alleles.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">classify_variant_type</span><span class="p">(</span><span class="n">ref</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">alt</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">alt_first</span> <span class="o">=</span> <span class="n">alt</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">strip</span><span class="p">()</span> <span class="n">ref_len</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">ref</span><span class="p">)</span> <span class="n">alt_len</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">alt_first</span><span class="p">)</span> <span class="k">if</span> <span class="n">ref_len</span> <span class="o">==</span> <span class="mi">1</span> <span class="ow">and</span> <span class="n">alt_len</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">SNP</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">alt_len</span> <span class="o">&gt;</span> <span class="n">ref_len</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">insertion</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">ref_len</span> <span class="o">&gt;</span> <span class="n">alt_len</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">deletion</span><span class="sh">"</span> <span class="k">elif</span> <span class="n">ref_len</span> <span class="o">==</span> <span class="n">alt_len</span> <span class="ow">and</span> <span class="n">ref_len</span> <span class="o">&gt;</span> <span class="mi">1</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">MNP</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">complex</span><span class="sh">"</span> </code></pre> </div> <p><strong>ts_tv</strong> classifies each SNP as a transition or transversion using the function shown earlier. Non-SNP variants get <code>not_applicable</code>.</p> <p><strong>consequence</strong> assigns a functional consequence category. In a full clinical pipeline, this uses VEP (Ensembl Variant Effect Predictor) or SnpEff with transcript databases. VariantLens applies rule-based classification: frameshift if the indel length is not divisible by three, inframe if it is, synonymous or missense for SNPs based on a deterministic random assignment seeded by the variant coordinates.</p> <p><strong>gene</strong> assigns a gene name based on chromosomal position using a coordinate map derived from Ensembl GRCh37 release 87. The map covers the clinically significant genes on chromosome 22.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">CHR22_GENE_MAP</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="mi">17000000</span><span class="p">,</span> <span class="mi">20500000</span><span class="p">,</span> <span class="sh">"</span><span class="s">DGCR8</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DiGeorge syndrome</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">19700000</span><span class="p">,</span> <span class="mi">19800000</span><span class="p">,</span> <span class="sh">"</span><span class="s">TBX1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DiGeorge/velocardiofacial syndrome</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">21700000</span><span class="p">,</span> <span class="mi">21900000</span><span class="p">,</span> <span class="sh">"</span><span class="s">CRKL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DiGeorge syndrome</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">23400000</span><span class="p">,</span> <span class="mi">23700000</span><span class="p">,</span> <span class="sh">"</span><span class="s">BCR</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Chronic myelogenous leukaemia</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">23500000</span><span class="p">,</span> <span class="mi">23700000</span><span class="p">,</span> <span class="sh">"</span><span class="s">ABL1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Chronic myelogenous leukaemia</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">30000000</span><span class="p">,</span> <span class="mi">30200000</span><span class="p">,</span> <span class="sh">"</span><span class="s">NF2</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Neurofibromatosis type 2</span><span class="sh">"</span><span class="p">),</span> <span class="p">(</span><span class="mi">41900000</span><span class="p">,</span> <span class="mi">42100000</span><span class="p">,</span> <span class="sh">"</span><span class="s">SMAD4</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Juvenile polyposis, colorectal cancer</span><span class="sh">"</span><span class="p">),</span> <span class="c1"># ... </span><span class="p">]</span> </code></pre> </div> <p>BCR and ABL1 appear on chromosome 22. In chronic myelogenous leukaemia, a chromosomal translocation fuses BCR on chromosome 22 with ABL1 on chromosome 9, creating the Philadelphia chromosome and the BCR-ABL1 fusion oncogene. This fusion is the target of imatinib (Gleevec), one of the most celebrated successes in targeted cancer therapy. Any variant near these coordinates is clinically relevant.</p> <p><strong>af_tier</strong> classifies allele frequency into three tiers reflecting population genetics conventions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">annotate_af_tier</span><span class="p">(</span><span class="n">af</span><span class="p">:</span> <span class="nb">float</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="n">af</span> <span class="o">&lt;</span> <span class="mf">0.01</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">rare</span><span class="sh">"</span> <span class="c1"># &lt; 1% population frequency </span> <span class="k">elif</span> <span class="n">af</span> <span class="o">&lt;</span> <span class="mf">0.05</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">low_frequency</span><span class="sh">"</span> <span class="c1"># 1-5% </span> <span class="k">else</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s">common</span><span class="sh">"</span> <span class="c1"># &gt; 5% -- above GWAS MAF threshold </span></code></pre> </div> <p>In our dataset, 446 of 500 variants (89.2%) are rare. This is the expected distribution. The 1000 Genomes Project captured the full spectrum of human variation, and the vast majority of it is rare variation that exists in only a small fraction of the population.</p> <p><strong>dbsnp_status</strong> marks each variant as <code>known</code> (has an rsID from the dbSNP database) or <code>novel</code>. Novel variants are more likely to be either sequencing artefacts or genuinely rare private variants. In a clinical setting, novel variants require more careful interpretation.</p> <p><strong>filter_outcome</strong> summarises whether the variant passed the variant caller's filter as <code>pass</code> or <code>filtered</code>.</p> <h2> Parquet: Why Columnar Storage Matters for Variant Data </h2> <p>After validation and annotation, the 500 clean records are saved to Parquet format.</p> <p>Parquet is a columnar storage format. Traditional row-based formats like CSV store all fields for record one, then all fields for record two, and so on. Parquet stores all values of field one together, then all values of field two, and so on.</p> <p>This distinction matters enormously for analytical queries. Consider a query that asks: how many variants have a consequence of <code>missense</code>? With CSV, the database must read every field of every record to find the consequence column. With Parquet, the database reads only the consequence column, skipping all other columns entirely.</p> <p>For a table with 30 fields, Parquet can be 30 times faster for this type of column-selective query. At production scale, with millions of variants across thousands of samples, this difference is between a dashboard that responds in milliseconds and one that times out.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">df</span><span class="p">.</span><span class="nf">to_parquet</span><span class="p">(</span><span class="n">parquet_path</span><span class="p">,</span> <span class="n">index</span><span class="o">=</span><span class="bp">False</span><span class="p">)</span> </code></pre> </div> <p>The single line above writes the entire annotated DataFrame to a Parquet file that can be read by pandas, Apache Spark, Athena, BigQuery, and any other modern analytical engine. The format also stores column statistics (min, max, null count) in the file footer, which allows query engines to skip entire file sections when those statistics rule out matching records.</p> <h2> The API: Eight Endpoints and One That Only Genomics Platforms Have </h2> <p>The API has eight endpoints. Seven of them are standard data engineering fare: health, summary, paginated list, single record lookup, distributions, and quarantine.</p> <p>The eighth is the <code>/clinical</code> endpoint, and it is specific to genomics platforms.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/clinical</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="nb">list</span><span class="p">[</span><span class="n">ClinicalVariant</span><span class="p">],</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">Clinical</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">clinical_variants</span><span class="p">():</span> <span class="sh">"""</span><span class="s"> Variants located in disease-associated genes on chromosome 22. Genes include BCR, ABL1, NF2, SMAD4, EP300, TBX1, SHANK3. </span><span class="sh">"""</span> <span class="n">summary</span> <span class="o">=</span> <span class="nf">get_summary</span><span class="p">()</span> <span class="k">return</span> <span class="n">summary</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">clinical_variants</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> </code></pre> </div> <p>This endpoint returns every variant that falls within a gene known to be associated with a human disease. In a clinical genomics workflow, these are the variants that require manual review by a molecular pathologist. Surfacing them through a dedicated endpoint reflects real clinical sequencing practice.</p> <p>The <code>/variants</code> endpoint has five filter parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/variants</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_model</span><span class="o">=</span><span class="nb">list</span><span class="p">[</span><span class="n">VariantRecord</span><span class="p">],</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">Variants</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">list_variants</span><span class="p">(</span> <span class="n">variant_class</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">consequence</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">af_tier</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">gene</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">None</span><span class="p">),</span> <span class="n">clinical_only</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">False</span><span class="p">),</span> <span class="n">pass_only</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="bp">True</span><span class="p">),</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="mi">50</span><span class="p">,</span> <span class="n">ge</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">le</span><span class="o">=</span><span class="mi">500</span><span class="p">),</span> <span class="n">offset</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="nc">Query</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="n">ge</span><span class="o">=</span><span class="mi">0</span><span class="p">),</span> <span class="p">):</span> </code></pre> </div> <p>The <code>pass_only</code> parameter defaults to <code>True</code>, which means the default response only includes variants that passed the variant caller's filter. This is the correct default for clinical use. Filtered variants exist in the dataset but require explicit opt-in to access.</p> <h2> The Dashboard: Six Panels Built for Genomics Researchers </h2> <p>The dashboard is designed for the actual audience: bioinformaticians and molecular biologists who understand what they are looking at.</p> <p>The consequence distribution chart uses a biologically meaningful colour scheme. Synonymous variants are green because they do not change the protein sequence. Missense variants are orange because they change one amino acid and may or may not be functional. Nonsense and frameshift variants are red because they disrupt the protein entirely. This colour convention aligns with the clinical variant classification used in medical genetics.</p> <p>The allele frequency tier chart uses blue for rare, yellow for low-frequency, and red for common. The dominance of blue in the chart immediately communicates that this is population genomics data, where most variants are rare private variants. A dataset with a different balance (more common variants) would suggest either a selected population or a different sequencing strategy.</p> <p>The QUAL score histogram is the distribution of Phred-scaled quality scores across all 500 variants. A dataset with many low-quality variants would show a histogram shifted toward the left. The 1000 Genomes data is high quality and shows a distribution concentrated at higher scores.</p> <p>The variant class donut shows the SNP/indel composition. 96.8% SNPs and 3.2% indels, which is consistent with the expected composition for chromosome 22 from the 1000 Genomes Project.</p> <p>The QC summary panel shows every operational metric: pass rate, quarantine count, Ts/Tv ratio, completeness score, reference genome, and data source. This is the panel that tells an operator immediately whether the pipeline run was healthy.</p> <h2> The Results: What the Data Showed </h2> <p>505 records ingested (500 live from 1000 Genomes, 5 injected test cases).</p> <p>500 passed validation. 5 quarantined, each with a different failure mode: negative position, empty REF, negative QUAL, AF above 1.0, REF equal to ALT.</p> <p>Of the 500 clean variants:</p> <ul> <li>484 SNPs (96.8%)</li> <li>16 indels (3.2%)</li> <li>Ts/Tv ratio: 1.75</li> <li>Rare variants (AF &lt; 1%): 446 (89.2%)</li> <li>Low-frequency variants (AF 1-5%): 21 (4.2%)</li> <li>Common variants (AF &gt; 5%): 33 (6.6%)</li> </ul> <p>The consequence distribution: synonymous 388, missense 46, splice_region 40, frameshift 15, nonsense 10, inframe_insertion 1.</p> <p>The rare-variant dominance at 89.2% is the number that tells you this is real population genomics data. In a synthetic dataset, you would not see this distribution naturally.</p> <h2> Tests: 50 Passing Across Three Modules </h2> <p>The test suite covers three modules: the annotator (22 tests), the parser (20 tests), and the validator (8 tests).</p> <p>The parser tests verify correct behaviour across VCF edge cases. What happens when QUAL is a dot? What happens when the chromosome is prefixed with <code>chr</code>? What happens when a line has fewer than eight fields?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TestParseVcfLine</span><span class="p">:</span> <span class="k">def</span> <span class="nf">test_chr_prefix_normalised</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">line</span> <span class="o">=</span> <span class="sh">"</span><span class="s">chr22</span><span class="se">\t</span><span class="s">16050075</span><span class="se">\t</span><span class="s">.</span><span class="se">\t</span><span class="s">A</span><span class="se">\t</span><span class="s">G</span><span class="se">\t</span><span class="s">100.0</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.001</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">parse_vcf_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">chrom</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">22</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">test_missing_qual</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">line</span> <span class="o">=</span> <span class="sh">"</span><span class="s">22</span><span class="se">\t</span><span class="s">100</span><span class="se">\t</span><span class="s">.</span><span class="se">\t</span><span class="s">A</span><span class="se">\t</span><span class="s">G</span><span class="se">\t</span><span class="s">.</span><span class="se">\t</span><span class="s">PASS</span><span class="se">\t</span><span class="s">AF=0.01</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">parse_vcf_line</span><span class="p">(</span><span class="n">line</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">qual</span><span class="sh">"</span><span class="p">]</span> <span class="ow">is</span> <span class="bp">None</span> <span class="k">assert</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">parse_error</span><span class="sh">"</span><span class="p">]</span> <span class="ow">is</span> <span class="bp">False</span> </code></pre> </div> <p>A missing QUAL field (represented as <code>.</code> in VCF) is not an error. It is a valid representation of an unknown quality. The parser returns <code>None</code> for the qual field and <code>False</code> for the parse_error flag.</p> <p>The annotator tests verify biological correctness. The test for NF2 gene detection is particularly important:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">test_clinical_gene_detection</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">valid_record</span><span class="p">):</span> <span class="n">valid_record</span><span class="p">[</span><span class="sh">"</span><span class="s">pos</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="mi">30100000</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">annotate_record</span><span class="p">(</span><span class="n">valid_record</span><span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">is_clinical_gene</span><span class="sh">"</span><span class="p">]</span> <span class="ow">is</span> <span class="bp">True</span> <span class="k">assert</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">gene</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">NF2</span><span class="sh">"</span> </code></pre> </div> <p>This test confirms that a variant at position 30,100,000 on chromosome 22 is correctly identified as being in the NF2 gene and flagged as clinically significant. If the gene coordinate map had a bug, this test would catch it.</p> <h2> What I Learned About Building for Genomics </h2> <p>Four things stand out.</p> <p><strong>The VCF format is deceptively complex.</strong> The eight mandatory fields are straightforward. The INFO field alone can contain dozens of subfields with different value types, multi-allelic representations, and tool-specific annotations. A robust parser needs to handle all of this gracefully, including the case where an expected subfield is absent.</p> <p><strong>Streaming matters more than you think.</strong> The naive approach of downloading the entire file before processing would work for small datasets. For the 1000 Genomes chromosome 22 VCF at 11GB uncompressed, it would take minutes and require significant memory. Streaming reduces the latency to seconds and the memory footprint to a constant.</p> <p><strong>Biological context is not optional.</strong> The Ts/Tv ratio, the allele frequency tiers, the clinical gene map, the consequence classification: these are not decorative. They are the domain knowledge that separates a genomics data platform from a generic data platform. Building them correctly requires understanding the biology, not just the engineering.</p> <p><strong>The data engineering is where platforms differentiate.</strong> GATK is free. The 1000 Genomes data is free. The variant calling is done. The value in a commercial variant analysis platform is everything that sits downstream: the parsing, the validation, the annotation, the queryability, the clinical reporting, the dashboard. That is the data engineering problem, and it is hard.</p> <h2> Running It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/gbadedata/variantlens.git <span class="nb">cd </span>variantlens python3 <span class="nt">-m</span> venv .venv <span class="o">&amp;&amp;</span> <span class="nb">source</span> .venv/bin/activate pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt <span class="nb">cp</span> .env.example .env <span class="c"># add your email</span> python3 <span class="nt">-m</span> src.fetcher <span class="c"># streams from 1000 Genomes live</span> python3 <span class="nt">-m</span> src.parser <span class="c"># parses VCF, computes Ts/Tv</span> python3 <span class="nt">-m</span> src.validator <span class="c"># validates, writes quarantine</span> python3 <span class="nt">-m</span> src.annotator <span class="c"># adds consequence, gene, AF tier</span> python3 <span class="nt">-m</span> src.processor <span class="c"># builds Parquet, writes summary</span> <span class="c"># API at http://localhost:8001/docs</span> uvicorn src.api:app <span class="nt">--reload</span> <span class="nt">--port</span> 8001 <span class="c"># Dashboard at http://localhost:8050</span> python3 <span class="nt">-m</span> src.dashboard pytest <span class="nt">-v</span> </code></pre> </div> <p>The fetcher streams from the live EBI server on first run and caches locally. Subsequent runs use the cache.</p> <h2> Where This Goes Next </h2> <p>The obvious extension is full VEP annotation. Running the Ensembl Variant Effect Predictor against the pipeline output would replace the rule-based consequence classification with transcript-level annotation, canonical splice site detection, and population frequency data from gnomAD. This would bring the annotation quality to clinical-grade.</p> <p>The second extension is multi-chromosome support. The current pipeline is hardcoded to chromosome 22. Generalising to any chromosome, or to whole-genome VCF input, would require partitioning the output by chromosome and building an index for fast position-based queries.</p> <p>The third extension is clinical report generation. The <code>/clinical</code> endpoint already identifies variants in disease-associated genes. Converting this to a structured PDF clinical variant report, with ACMG classification guidelines applied automatically, would bring the project into clinical utility territory.</p> <p>If this project is useful to you or you build on it, I would like to know. The repository is at <a href="https://github.com/gbadedata/variantlens" rel="noopener noreferrer">github.com/gbadedata/variantlens</a>.</p> <p><em>Oluwagbade Odimayo is a data professional with an MSc in Applied Data Science and a background in Genetics and Molecular Biology. This project is part of a portfolio of production-grade genomics data engineering work covering RNA-Seq, variant calling, AWS, and GCP.</em></p> bioinformatics python genomics Oluwagbade Odimayo Thu, 07 May 2026 01:20:22 +0000 https://dev.to/gbadedata/from-broken-repo-to-policy-gated-deployment-platform-building-swiftdeploy-from-scratch-2nmo https://dev.to/gbadedata/from-broken-repo-to-policy-gated-deployment-platform-building-swiftdeploy-from-scratch-2nmo <h2> How I built a manifest-driven CLI that generates its own infrastructure, enforces environment policy through OPA, observes the running system in real time, and audits every decision it makes </h2> <p>Most deployment tools ask you to write configuration files. SwiftDeploy asks you to describe your intent once, then writes the configuration files for you - and refuses to deploy unless the environment is safe enough to proceed.</p> <p>This post covers the complete journey of building SwiftDeploy across two stages. Stage A established the foundation: a declarative CLI that generates Docker Compose and Nginx configuration from a single manifest, manages the container lifecycle, and supports stable/canary promotion. Stage B added the intelligence layer: Prometheus metrics, an Open Policy Agent sidecar that gates every deployment and promotion, a live status dashboard, and an append-only audit trail.</p> <p>A reader who follows this post from beginning to end should be able to replicate everything.</p> <h2> The Problem SwiftDeploy Solves </h2> <p>Consider a typical deployment workflow without tooling:</p> <ol> <li>Write a <code>docker-compose.yml</code> by hand</li> <li>Write an <code>nginx.conf</code> by hand</li> <li>Manually update both files every time a port, timeout, or service name changes</li> <li>Hope you didn't introduce a drift between the two files</li> <li>Have no policy gate before deployment</li> <li>Have no audit trail of what changed and when</li> </ol> <p>SwiftDeploy inverts this. You edit exactly one file - <code>manifest.yaml</code>. The CLI derives everything else from it. If you delete the generated files and run <code>swiftdeploy init</code>, they come back identically. The manifest is the single source of truth, and the tool enforces that guarantee mechanically.</p> <h2> Architecture </h2> <p>Here is the complete system after both stages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>manifest.yaml ← the only file you edit manually │ ▼ swiftdeploy CLI │ ├── OPA policy check (pre-deploy / pre-promote) │ │ │ ▼ │ policies/*.rego │ + policy_limits from manifest │ ▼ templates/ ├── docker-compose.yml.tpl └── nginx.conf.tpl │ ▼ ┌──────────────────────────────────────────┐ │ Docker Network │ │ │ │ ┌──────────────┐ ┌─────────────────┐ │ │ │ App │ │ Nginx │ │ │ │ :3000 │◄──│ :8080 (public) │ │ │ │ /metrics │ └─────────────────┘ │ │ │ /healthz │ │ │ │ /chaos │ ┌─────────────────┐ │ │ └──────────────┘ │ OPA │ │ │ │ :8181 (loopback)│ │ │ └─────────────────┘ │ └──────────────────────────────────────────┘ │ ▼ history.jsonl ← append-only audit trail │ ▼ audit_report.md ← generated on demand </code></pre> </div> <p><strong>Key isolation rules:</strong></p> <ul> <li>The app is never exposed directly to the host - all traffic goes through Nginx</li> <li>OPA is bound to <code>127.0.0.1:8181</code> only - not reachable via the Nginx port or from the internet</li> <li>The CLI is the only component that talks to OPA</li> <li>The app has no knowledge of policy decisions</li> </ul> <h2> Stage A: The Engine </h2> <h3> The Manifest </h3> <p>Everything starts with <code>manifest.yaml</code>. This file describes the entire deployment intent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">swift-deploy-1-node:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3000</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">stable</span> <span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">1.0.0"</span> <span class="na">restart_policy</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8080</span> <span class="na">proxy_timeout</span><span class="pi">:</span> <span class="m">10</span> <span class="na">contact</span><span class="pi">:</span> <span class="s">o.odimayo@gbadedata.com</span> <span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openpolicyagent/opa:latest</span> <span class="na">port</span><span class="pi">:</span> <span class="m">8181</span> <span class="na">policies_dir</span><span class="pi">:</span> <span class="s">policies</span> <span class="na">decision_timeout_seconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">network</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">swiftdeploy-net</span> <span class="na">driver_type</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">logs</span><span class="pi">:</span> <span class="na">volume_name</span><span class="pi">:</span> <span class="s">swiftdeploy-logs</span> <span class="na">policy_limits</span><span class="pi">:</span> <span class="na">infrastructure</span><span class="pi">:</span> <span class="na">min_disk_free_gb</span><span class="pi">:</span> <span class="m">10</span> <span class="na">max_cpu_load</span><span class="pi">:</span> <span class="m">2.0</span> <span class="na">canary</span><span class="pi">:</span> <span class="na">max_error_rate</span><span class="pi">:</span> <span class="m">0.01</span> <span class="na">max_p99_latency_ms</span><span class="pi">:</span> <span class="m">500</span> <span class="na">audit</span><span class="pi">:</span> <span class="na">history_file</span><span class="pi">:</span> <span class="s">history.jsonl</span> <span class="na">report_file</span><span class="pi">:</span> <span class="s">audit_report.md</span> </code></pre> </div> <p>Every value that the generated configuration needs comes from here. No hardcoded values exist in any template or policy file.</p> <h3> Template-based Config Generation </h3> <p>The CLI uses Jinja2 to render <code>docker-compose.yml</code> and <code>nginx.conf</code> from templates. This is how <code>swiftdeploy init</code> works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">render_template</span><span class="p">(</span><span class="n">template_name</span><span class="p">,</span> <span class="n">output_path</span><span class="p">,</span> <span class="n">manifest</span><span class="p">):</span> <span class="n">env</span> <span class="o">=</span> <span class="nc">Environment</span><span class="p">(</span> <span class="n">loader</span><span class="o">=</span><span class="nc">FileSystemLoader</span><span class="p">(</span><span class="n">TEMPLATE_DIR</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">"</span><span class="s">utf-8-sig</span><span class="sh">"</span><span class="p">),</span> <span class="n">autoescape</span><span class="o">=</span><span class="bp">False</span><span class="p">,</span> <span class="n">trim_blocks</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">lstrip_blocks</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="n">template</span> <span class="o">=</span> <span class="n">env</span><span class="p">.</span><span class="nf">get_template</span><span class="p">(</span><span class="n">template_name</span><span class="p">)</span> <span class="n">rendered</span> <span class="o">=</span> <span class="n">template</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="o">**</span><span class="n">manifest</span><span class="p">).</span><span class="nf">lstrip</span><span class="p">(</span><span class="sh">"</span><span class="se">\ufeff</span><span class="sh">"</span><span class="p">)</span> <span class="n">output_path</span><span class="p">.</span><span class="nf">write_bytes</span><span class="p">(</span><span class="n">rendered</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>The template for the app service in <code>docker-compose.yml.tpl</code> looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">services.image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-app</span> <span class="na">restart</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">services.restart_policy</span> <span class="pi">}}</span> <span class="na">user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10001:10001"</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">MODE</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.mode</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_VERSION</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.version</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">APP_PORT</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">expose</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">{{</span><span class="nv"> </span><span class="s">services.port</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p>Notice <code>expose</code> instead of <code>ports</code>. This is deliberate - the app is reachable inside the Docker network but not from the host machine. All external traffic must go through Nginx.</p> <h3> The Five Validation Checks </h3> <p>Before any deployment, the CLI runs five pre-flight checks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[PASS] manifest.yaml exists and is valid YAML [PASS] All required fields are present and non-empty [PASS] Docker image exists locally: swift-deploy-1-node:latest [PASS] Nginx port is free on host: 8080 [PASS] Generated nginx.conf is syntactically valid </code></pre> </div> <p>The Nginx syntax check is particularly interesting - it runs <code>nginx -t</code> inside a temporary container with a host mapping for the <code>app</code> upstream name, so DNS resolution works without the full stack being active:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">command</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">run</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--rm</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--add-host</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">app:127.0.0.1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-v</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">NGINX_FILE</span><span class="si">}</span><span class="s">:/etc/nginx/nginx.conf:ro</span><span class="sh">"</span><span class="p">,</span> <span class="n">nginx_image</span><span class="p">,</span> <span class="sh">"</span><span class="s">nginx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-t</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <h3> The Application Service </h3> <p>The app is a Python Flask service that exposes four endpoints:</p> <ul> <li> <code>GET /</code> - welcome message with mode, version, and timestamp</li> <li> <code>GET /healthz</code> - liveness check with uptime in seconds</li> <li> <code>GET /metrics</code> - Prometheus-format metrics (added in Stage B)</li> <li> <code>POST /chaos</code> - fault injection, canary mode only</li> </ul> <h3> Stable and Canary Promotion </h3> <p>Promotion updates the manifest in-place, regenerates the Compose file, and restarts only the app container - Nginx is untouched:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">cmd_promote</span><span class="p">(</span><span class="n">args</span><span class="p">):</span> <span class="n">target_mode</span> <span class="o">=</span> <span class="n">args</span><span class="p">.</span><span class="n">mode</span><span class="p">.</span><span class="nf">lower</span><span class="p">()</span> <span class="n">manifest</span> <span class="o">=</span> <span class="nf">load_manifest</span><span class="p">()</span> <span class="c1"># policy check runs here for promote stable (Stage B) </span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">mode</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">target_mode</span> <span class="nf">write_manifest</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="nf">render_template</span><span class="p">(</span><span class="sh">"</span><span class="s">docker-compose.yml.tpl</span><span class="sh">"</span><span class="p">,</span> <span class="n">COMPOSE_FILE</span><span class="p">,</span> <span class="n">manifest</span><span class="p">)</span> <span class="nf">run_command</span><span class="p">([</span> <span class="sh">"</span><span class="s">docker</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">compose</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">up</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-d</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--no-deps</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">--force-recreate</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">app</span><span class="sh">"</span> <span class="p">])</span> </code></pre> </div> <p>The same image runs in both modes. The difference is the <code>MODE</code> environment variable injected by the generated Compose file - no rebuild required.</p> <h3> Nginx: Structured Logging and JSON Errors </h3> <p>The generated <code>nginx.conf</code> enforces three important behaviours.</p> <p><strong>Required access log format:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">swiftdeploy</span> <span class="s">'</span><span class="nv">$time_iso8601</span> <span class="s">|</span> <span class="nv">$status</span> <span class="s">|</span> $<span class="p">{</span><span class="kn">request_time</span><span class="err">}</span><span class="s">s</span> <span class="s">|</span> <span class="nv">$upstream_addr</span> <span class="s">|</span> <span class="nv">$request</span><span class="s">'</span><span class="p">;</span> </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">2026-05-06T23:04:50+00:00 | 200 | 0.001s | 172.18.0.2:3000 | GET / HTTP/1.1 </span></code></pre> </div> <p><strong>JSON error responses</strong> for upstream failures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">error_page</span> <span class="mi">502</span> <span class="p">=</span> <span class="s">@error502</span><span class="p">;</span> <span class="k">location</span> <span class="s">@error502</span> <span class="p">{</span> <span class="kn">return</span> <span class="mi">502</span> <span class="s">'</span><span class="p">{</span><span class="kn">"error":"bad</span> <span class="s">gateway","code":502,"service":"swiftdeploy","contact":"o.odimayo@gbadedata.com"</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Platform headers</strong> on every response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">add_header</span> <span class="s">X-Deployed-By</span> <span class="s">swiftdeploy</span> <span class="s">always</span><span class="p">;</span> <span class="k">proxy_pass_header</span> <span class="s">X-Mode</span><span class="p">;</span> </code></pre> </div> <h3> Security Hardening </h3> <p>Every container runs with least privilege:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">user</span><span class="pi">:</span> <span class="s2">"</span><span class="s">10001:10001"</span> <span class="c1"># app</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> </code></pre> </div> <p>Images are built from <code>python:3.12-slim</code> and verified under 300MB. No secrets are baked into any image - all configuration is injected at runtime via environment variables.</p> <h2> Stage B: The Intelligence Layer </h2> <h3> Part 1: Instrumentation </h3> <p>The first requirement was a <code>/metrics</code> endpoint in Prometheus text format. I used the <code>prometheus_client</code> library and Flask's request hooks to instrument every endpoint automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">HTTP_REQUESTS_TOTAL</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">"</span><span class="s">http_requests_total</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Total HTTP requests</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">HTTP_REQUEST_DURATION_SECONDS</span> <span class="o">=</span> <span class="nc">Histogram</span><span class="p">(</span> <span class="sh">"</span><span class="s">http_request_duration_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">HTTP request latency in seconds</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">],</span> <span class="n">buckets</span><span class="o">=</span><span class="p">(</span><span class="mf">0.005</span><span class="p">,</span> <span class="mf">0.01</span><span class="p">,</span> <span class="mf">0.025</span><span class="p">,</span> <span class="mf">0.05</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">,</span> <span class="mf">0.25</span><span class="p">,</span> <span class="mf">0.5</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">5</span><span class="p">),</span> <span class="p">)</span> <span class="n">APP_MODE</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">app_mode</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Application mode: 0=stable, 1=canary</span><span class="sh">"</span><span class="p">)</span> <span class="n">CHAOS_ACTIVE</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">chaos_active</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Chaos state: 0=none, 1=slow, 2=error</span><span class="sh">"</span><span class="p">)</span> <span class="n">APP_UPTIME_SECONDS</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span><span class="sh">"</span><span class="s">app_uptime_seconds</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Application uptime in seconds</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>The <code>after_request</code> hook records every request automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.after_request</span> <span class="k">def</span> <span class="nf">after_request</span><span class="p">(</span><span class="n">response</span><span class="p">):</span> <span class="n">duration</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">monotonic</span><span class="p">()</span> <span class="o">-</span> <span class="nf">getattr</span><span class="p">(</span><span class="n">g</span><span class="p">,</span> <span class="sh">"</span><span class="s">request_started_at</span><span class="sh">"</span><span class="p">,</span> <span class="n">time</span><span class="p">.</span><span class="nf">monotonic</span><span class="p">())</span> <span class="n">HTTP_REQUESTS_TOTAL</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span> <span class="n">method</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">path</span><span class="p">,</span> <span class="n">status_code</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">),</span> <span class="p">).</span><span class="nf">inc</span><span class="p">()</span> <span class="n">HTTP_REQUEST_DURATION_SECONDS</span><span class="p">.</span><span class="nf">labels</span><span class="p">(</span> <span class="n">method</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">method</span><span class="p">,</span> <span class="n">path</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">path</span><span class="p">,</span> <span class="p">).</span><span class="nf">observe</span><span class="p">(</span><span class="n">duration</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p>The <code>/metrics</code> endpoint itself is just two lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/metrics</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">metrics</span><span class="p">():</span> <span class="nf">update_runtime_metrics</span><span class="p">()</span> <span class="k">return</span> <span class="nc">Response</span><span class="p">(</span><span class="nf">generate_latest</span><span class="p">(),</span> <span class="n">mimetype</span><span class="o">=</span><span class="n">CONTENT_TYPE_LATEST</span><span class="p">)</span> </code></pre> </div> <h3> Part 2: The Policy Engine </h3> <p>This was the most architecturally significant part of Stage B. The requirement was absolute: <strong>the CLI must not make any allow/deny decision itself. All decision logic lives exclusively in OPA.</strong></p> <h4> Why this matters </h4> <p>If the CLI embeds policy logic in Python, changing a threshold requires deploying new CLI code. When OPA owns the decisions, changing a threshold means editing one line in <code>manifest.yaml</code>. The operational difference is enormous - and the auditing story is much cleaner.</p> <h4> OPA in the Docker Compose template </h4> <p>OPA runs as a fourth service in the generated stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">opa</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="pi">{{</span> <span class="nv">opa.image</span> <span class="pi">}}</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">swiftdeploy-opa</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">run"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--server"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">--addr=0.0.0.0:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/policies"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">127.0.0.1:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}:{{</span><span class="nv"> </span><span class="s">opa.port</span><span class="nv"> </span><span class="s">}}"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./{{ opa.policies_dir }}:/policies:ro</span> <span class="na">cap_drop</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ALL</span> <span class="na">security_opt</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">no-new-privileges:true</span> </code></pre> </div> <p>The critical detail: <code>127.0.0.1:8181:8181</code> binds OPA only to the host loopback interface. It is reachable by the CLI but not via the Nginx port. The OPA API cannot be queried or probed from the internet.</p> <h4> Policy organisation </h4> <p>Each domain owns exactly one question and one set of input data. A change to the canary policy never touches the infrastructure policy.</p> <p><strong>Infrastructure policy</strong> (<code>policies/infrastructure.rego</code>) - answers: <em>is this host safe to deploy on?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">infrastructure</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">disk_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">disk_free_gb</span> <span class="o">&gt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">min_disk_free_gb</span> <span class="p">}</span> <span class="n">cpu_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">cpu_load</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_cpu_load</span> <span class="p">}</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_deploy"</span> <span class="n">disk_ok</span> <span class="n">cpu_ok</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">disk_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"Disk free %vGB is below required minimum %vGB"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">disk_free_gb</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">min_disk_free_gb</span><span class="p">],</span> <span class="p">)</span> <span class="p">}</span> <span class="n">reasons</span> <span class="n">contains</span> <span class="n">msg</span> <span class="n">if</span> <span class="p">{</span> <span class="ow">not</span> <span class="n">cpu_ok</span> <span class="n">msg</span> <span class="o">:=</span> <span class="n">sprintf</span><span class="p">(</span> <span class="s2">"CPU load %.2f exceeds allowed maximum %.2f"</span><span class="p">,</span> <span class="p">[</span><span class="n">input</span><span class="p">.</span><span class="n">stats</span><span class="p">.</span><span class="n">cpu_load</span><span class="p">,</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_cpu_load</span><span class="p">],</span> <span class="p">)</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"infrastructure"</span><span class="p">,</span> <span class="s2">"question"</span><span class="o">:</span> <span class="s2">"pre_deploy"</span><span class="p">,</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Canary safety policy</strong> (<code>policies/canary.rego</code>) - answers: <em>is the canary healthy enough to promote to stable?</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rego"><code><span class="ow">package</span> <span class="n">swiftdeploy</span><span class="p">.</span><span class="n">canary</span> <span class="ow">default</span> <span class="n">allow</span> <span class="o">:=</span> <span class="kc">false</span> <span class="n">error_rate_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">input</span><span class="p">.</span><span class="n">metrics</span><span class="p">.</span><span class="n">error_rate</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_error_rate</span> <span class="p">}</span> <span class="n">p99_latency_ok</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">input</span><span class="p">.</span><span class="n">metrics</span><span class="p">.</span><span class="n">p99_latency_ms</span> <span class="o">&lt;=</span> <span class="n">input</span><span class="p">.</span><span class="n">limits</span><span class="p">.</span><span class="n">max_p99_latency_ms</span> <span class="p">}</span> <span class="n">allow</span> <span class="n">if</span> <span class="p">{</span> <span class="n">input</span><span class="p">.</span><span class="n">context</span> <span class="o">==</span> <span class="s2">"pre_promote"</span> <span class="n">error_rate_ok</span> <span class="n">p99_latency_ok</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">:=</span> <span class="p">{</span> <span class="s2">"domain"</span><span class="o">:</span> <span class="s2">"canary"</span><span class="p">,</span> <span class="s2">"question"</span><span class="o">:</span> <span class="s2">"pre_promote"</span><span class="p">,</span> <span class="s2">"allow"</span><span class="o">:</span> <span class="n">allow</span><span class="p">,</span> <span class="s2">"reasons"</span><span class="o">:</span> <span class="n">reasons</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h4> Thresholds in the manifest, not in Rego </h4> <p>Neither policy file contains a hardcoded number. The limits come from <code>input.limits</code>, which the CLI sends as part of the JSON payload. The actual values live in <code>manifest.yaml</code> under <code>policy_limits</code>. Tune thresholds by editing the manifest - no Rego files need to be touched.</p> <h4> The pre-deploy gate </h4> <p>Before starting the stack, the CLI collects host stats and queries OPA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">pre_deploy_policy_check</span><span class="p">(</span><span class="n">manifest</span><span class="p">):</span> <span class="n">stats</span> <span class="o">=</span> <span class="nf">get_host_stats</span><span class="p">()</span> <span class="n">limits</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">policy_limits</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">infrastructure</span><span class="sh">"</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pre_deploy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">stats</span><span class="sh">"</span><span class="p">:</span> <span class="n">stats</span><span class="p">,</span> <span class="sh">"</span><span class="s">limits</span><span class="sh">"</span><span class="p">:</span> <span class="n">limits</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">=</span> <span class="nf">call_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy/infrastructure/decision</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="nf">print_policy_decision</span><span class="p">(</span><span class="n">decision</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">):</span> <span class="nf">append_history</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">policy_violation</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span> <span class="sh">"</span><span class="s">domain</span><span class="sh">"</span><span class="p">:</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">domain</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">reasons</span><span class="sh">"</span><span class="p">:</span> <span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">reasons</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]),</span> <span class="sh">"</span><span class="s">stats</span><span class="sh">"</span><span class="p">:</span> <span class="n">stats</span><span class="p">,</span> <span class="p">})</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">return</span> <span class="bp">True</span> </code></pre> </div> <p>To prove the hard gate, I temporarily set <code>min_disk_free_gb: 99999</code> and ran <code>swiftdeploy deploy</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][FAIL] infrastructure.pre_deploy - Disk free 2GB is below required minimum 99999GB [FAIL] Deployment blocked by policy. </code></pre> </div> <p>The stack never starts. The block is absolute.</p> <h4> The pre-promote gate </h4> <p>Before promoting from canary to stable, the CLI scrapes <code>/metrics</code>, calculates the current error rate and P99 latency, and queries OPA:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">pre_promote_policy_check</span><span class="p">(</span><span class="n">manifest</span><span class="p">):</span> <span class="n">metrics_text</span> <span class="o">=</span> <span class="nf">scrape_metrics</span><span class="p">(</span><span class="n">manifest</span><span class="p">)</span> <span class="n">samples</span> <span class="o">=</span> <span class="nf">parse_prometheus_metrics</span><span class="p">(</span><span class="n">metrics_text</span><span class="p">)</span> <span class="n">observed</span> <span class="o">=</span> <span class="nf">calculate_observed_metrics</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">limits</span> <span class="o">=</span> <span class="n">manifest</span><span class="p">[</span><span class="sh">"</span><span class="s">policy_limits</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">canary</span><span class="sh">"</span><span class="p">]</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pre_promote</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">metrics</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">error_rate</span><span class="sh">"</span><span class="p">:</span> <span class="n">observed</span><span class="p">[</span><span class="sh">"</span><span class="s">error_rate</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">observed</span><span class="p">[</span><span class="sh">"</span><span class="s">p99_latency_ms</span><span class="sh">"</span><span class="p">],</span> <span class="p">},</span> <span class="sh">"</span><span class="s">limits</span><span class="sh">"</span><span class="p">:</span> <span class="n">limits</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">decision</span> <span class="o">=</span> <span class="nf">call_opa</span><span class="p">(</span><span class="n">manifest</span><span class="p">,</span> <span class="sh">"</span><span class="s">swiftdeploy/canary/decision</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload</span><span class="p">)</span> <span class="nf">print_policy_decision</span><span class="p">(</span><span class="n">decision</span><span class="p">)</span> <span class="k">return</span> <span class="nf">bool</span><span class="p">(</span><span class="n">decision</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">allow</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <h4> OPA failure handling </h4> <p>The CLI handles every distinct failure mode explicitly:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Failure</th> <th>Message</th> </tr> </thead> <tbody> <tr> <td>Connection refused</td> <td><code>OPA unavailable at http://127.0.0.1:8181</code></td> </tr> <tr> <td>Request timed out</td> <td><code>OPA decision timed out after 5s</code></td> </tr> <tr> <td>Non-200 response</td> <td><code>OPA returned HTTP 503</code></td> </tr> <tr> <td>Non-JSON response</td> <td><code>OPA returned non-JSON response</code></td> </tr> <tr> <td>Missing result</td> <td><code>OPA response did not include a decision result</code></td> </tr> </tbody> </table></div> <p>In every case the operation is blocked and the event is recorded in the audit trail.</p> <h3> Part 3: The Chaos - What Happened When I Injected Failures </h3> <p>With the canary safety gate in place, I needed to prove it actually blocks unsafe promotions.</p> <p><strong>Deploy stable, promote to canary:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[PASS] Health check passed: mode=stable, version=1.0.0 [PASS] Promotion confirmed through /healthz: mode=canary </code></pre> </div> <p><strong>Inject 50% error chaos:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://127.0.0.1:8080/chaos <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"mode":"error","rate":0.5}'</span> </code></pre> </div> <p><strong>Generate traffic to build up the error rate:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>500 200 500 200 500 500 200 500 200 200 </code></pre> </div> <p><strong>Run the status dashboard - this is where it gets interesting:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">SwiftDeploy Status ================== </span>Timestamp: 2026-05-06T23:12:26.328363+00:00 Mode: canary Chaos: error Req/s: 0.00 Error rate: 38.10% P99 latency: 5.00ms Uptime: 128.42s <span class="gh">Policy Compliance ----------------- </span>[PASS] infrastructure.pre_deploy <span class="p"> -</span> Infrastructure policy passed [FAIL] canary.pre_promote <span class="p"> -</span> Error rate 0.380952 exceeds allowed maximum 0.01 </code></pre> </div> <p>The status dashboard scrapes <code>/metrics</code>, calculates error rate from raw Prometheus counters, and queries both OPA domains independently on every interval. The infrastructure policy passes (the host is healthy) while the canary policy fails (the service is broken).</p> <p><strong>Attempt promotion — blocked:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][FAIL] canary.pre_promote - Error rate 0.380952 exceeds allowed maximum 0.01 [FAIL] Promotion blocked by policy. </code></pre> </div> <p>This is the safety guarantee the system is designed to provide. A broken canary cannot accidentally become the stable deployment.</p> <p><strong>Recover, generate clean traffic, promote successfully:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[POLICY][PASS] canary.pre_promote - Canary safety policy passed [PASS] Promotion confirmed through /healthz: mode=stable </code></pre> </div> <h3> Part 4: The Status Dashboard </h3> <p><code>swiftdeploy status</code> is a live-refreshing terminal dashboard. It runs continuously, scraping <code>/metrics</code> on every interval and appending every result to <code>history.jsonl</code>.</p> <p>The interesting engineering challenge was calculating P99 latency from raw Prometheus histogram buckets without a Prometheus server. Prometheus histograms store cumulative bucket counts - to find P99, you need to find the smallest bucket whose cumulative count exceeds 99% of total requests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">calculate_p99_from_buckets</span><span class="p">(</span><span class="n">bucket_totals</span><span class="p">):</span> <span class="n">total_count</span> <span class="o">=</span> <span class="n">bucket_totals</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">,</span> <span class="mf">0.0</span><span class="p">)</span> <span class="k">if</span> <span class="n">total_count</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">target</span> <span class="o">=</span> <span class="n">total_count</span> <span class="o">*</span> <span class="mf">0.99</span> <span class="n">numeric_buckets</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span> <span class="p">[(</span><span class="nf">float</span><span class="p">(</span><span class="n">le</span><span class="p">),</span> <span class="n">count</span><span class="p">)</span> <span class="k">for</span> <span class="n">le</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">bucket_totals</span><span class="p">.</span><span class="nf">items</span><span class="p">()</span> <span class="k">if</span> <span class="n">le</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">+Inf</span><span class="sh">"</span><span class="p">],</span> <span class="n">key</span><span class="o">=</span><span class="k">lambda</span> <span class="n">x</span><span class="p">:</span> <span class="n">x</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="p">)</span> <span class="k">for</span> <span class="n">upper_bound</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">numeric_buckets</span><span class="p">:</span> <span class="k">if</span> <span class="n">count</span> <span class="o">&gt;=</span> <span class="n">target</span><span class="p">:</span> <span class="k">return</span> <span class="n">upper_bound</span> <span class="o">*</span> <span class="mi">1000</span> <span class="c1"># convert to milliseconds </span> <span class="k">return</span> <span class="n">numeric_buckets</span><span class="p">[</span><span class="o">-</span><span class="mi">1</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="o">*</span> <span class="mi">1000</span> </code></pre> </div> <p>Health check and metrics paths are excluded from all calculations to avoid skewing the error rate and latency numbers.</p> <h3> Part 5: The Audit Trail </h3> <p>Every significant event is written to <code>history.jsonl</code> as a JSON line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:40:04+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deploy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stable"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.0.0"</span><span class="p">}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:42:53+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"policy_violation"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"domain"</span><span class="p">:</span><span class="w"> </span><span class="s2">"canary"</span><span class="p">,</span><span class="w"> </span><span class="nl">"reasons"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"Error rate 0.380952 exceeds allowed maximum 0.01"</span><span class="p">]}}</span><span class="w"> </span><span class="p">{</span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-06T23:45:32+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mode_change"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stable"</span><span class="p">}}</span><span class="w"> </span></code></pre> </div> <p>Running <code>swiftdeploy audit</code> generates <code>audit_report.md</code> - a GitHub Flavored Markdown report with a deployment timeline and violations table that renders directly on GitHub.</p> <h2> Complete CLI Reference </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Command</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td><code>swiftdeploy init</code></td> <td>Parse manifest, generate <code>docker-compose.yml</code> and <code>nginx.conf</code> </td> </tr> <tr> <td><code>swiftdeploy validate</code></td> <td>Run 5 pre-flight checks, exit non-zero on any failure</td> </tr> <tr> <td><code>swiftdeploy deploy</code></td> <td>init → validate → OPA infra check → compose up → health gate</td> </tr> <tr> <td><code>swiftdeploy promote canary</code></td> <td>Update manifest, regenerate Compose, restart app only</td> </tr> <tr> <td><code>swiftdeploy promote stable</code></td> <td>OPA canary check → update manifest → regenerate → restart app</td> </tr> <tr> <td><code>swiftdeploy status</code></td> <td>Live metrics + policy compliance dashboard, appends to history</td> </tr> <tr> <td><code>swiftdeploy status --once</code></td> <td>Single scrape and exit</td> </tr> <tr> <td><code>swiftdeploy audit</code></td> <td>Parse <code>history.jsonl</code>, generate <code>audit_report.md</code> </td> </tr> <tr> <td><code>swiftdeploy teardown</code></td> <td>Remove containers, networks, and volumes</td> </tr> <tr> <td><code>swiftdeploy teardown --clean</code></td> <td>Teardown + delete generated config files</td> </tr> </tbody> </table></div> <h2> Lessons Learned </h2> <h3> 1. The manifest discipline pays off at every stage </h3> <p>Every time I was tempted to hardcode a value - a port, a timeout, a threshold - I put it in the manifest instead. This cost five extra minutes each time and saved hours. Any value can be changed in the manifest and the entire system adapts without touching any other file.</p> <h3> 2. Separation of concerns is a survival strategy, not just a principle </h3> <p>When the CLI makes policy decisions in Python, changing a threshold means deploying new CLI code. When OPA owns the decisions, changing a threshold means editing one line in <code>manifest.yaml</code>. The operational difference is enormous. More importantly, the policy files can be reviewed, versioned, and audited independently of the tool that enforces them.</p> <h3> 3. Every failure mode deserves its own message </h3> <p>The first version of the OPA client raised a generic exception on any failure. Connection refused, timeout, bad JSON, missing result - all looked the same. Adding distinct handling for each case costs twenty lines of code and saves hours of debugging in production.</p> <h3> 4. Prometheus counters persist for the process lifetime </h3> <p>After recovering from error chaos and generating clean traffic, <code>promote stable</code> was still blocked. The reason: Prometheus counters never reset. The old error counts were still in the counter from before the recovery. Restarting the container resets them because it starts a fresh process. In production, you would use a time-windowed approach with a proper Prometheus server and PromQL range queries.</p> <h3> 5. OPA isolation is a hard security requirement </h3> <p>If OPA were reachable via the Nginx port, anyone could query your policy engine, discover your exact thresholds, and craft traffic that stays just below detection limits. Binding OPA to the loopback interface and keeping it off the public network is not a preference - it is the minimum viable security posture for a policy engine.</p> <h3> 6. Generated files should never be committed </h3> <p>Committing <code>docker-compose.yml</code> and <code>nginx.conf</code> to Git creates a false source of truth. Developers start editing the generated file instead of the manifest, the template drifts from reality, and the tool becomes meaningless. Keeping generated files in <code>.gitignore</code> enforces the discipline mechanically.</p> <h3> 7. The Windows BOM problem is real </h3> <p>On Windows, writing YAML with Python's <code>yaml.safe_dump</code> can produce a file with a UTF-8 BOM prefix. When that file is later read by the Jinja template loader, the BOM gets rendered into the first key name, producing <code>"\xEF\xBB\xBFservices"</code> instead of <code>services</code>. The fix is to always write files using <code>write_bytes(content.encode("utf-8"))</code> rather than <code>write_text(..., encoding="utf-8")</code>. The difference is subtle and the debugging is painful.</p> <h2> Running It Yourself </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Clone the repository</span> git clone https://github.com/gbadedata/swiftdeploy.git <span class="nb">cd </span>swiftdeploy <span class="c"># Set up Python environment</span> python <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate <span class="c"># Linux/macOS</span> <span class="c"># .\.venv\Scripts\Activate.ps1 # Windows PowerShell</span> pip <span class="nb">install </span>pyyaml jinja2 requests <span class="c"># Build the app image</span> docker build <span class="nt">-t</span> swift-deploy-1-node:latest <span class="nb">.</span> <span class="c"># Full lifecycle</span> python ./swiftdeploy deploy python ./swiftdeploy promote canary python ./swiftdeploy status <span class="nt">--once</span> python ./swiftdeploy promote stable python ./swiftdeploy audit <span class="c"># Clean up</span> python ./swiftdeploy teardown <span class="nt">--clean</span> </code></pre> </div> <p>The full source code, Rego policies, Jinja templates, and screenshots are at:<br> <strong><a href="https://github.com/gbadedata/swiftdeploy" rel="noopener noreferrer">https://github.com/gbadedata/swiftdeploy</a></strong></p> <h2> Final Thought </h2> <p>The most important insight from this project is that a deployment tool should be more than a script that runs <code>docker compose up</code>. It should be a control plane - one that enforces standards before acting, surfaces observable state while running, and leaves an auditable record of every decision it makes.</p> <p>SwiftDeploy is deliberately local-first and small in scope. But the patterns it demonstrates - manifest-driven generation, policy-gated lifecycle, metrics-based promotion gates, and append-only audit trails - are the same patterns that underpin tools like Argo CD, Flux, and every serious production deployment system.</p> <p>The small version teaches you the patterns. The patterns scale to any size.</p> <p><em>Source code: <a href="https://github.com/gbadedata/swiftdeploy" rel="noopener noreferrer">github.com/gbadedata/swiftdeploy</a></em></p> devops docker opa python Oluwagbade Odimayo Thu, 07 May 2026 00:45:38 +0000 https://dev.to/gbadedata/i-built-a-real-time-ddos-detection-engine-from-scratch-heres-every-decision-i-made-3jl1 https://dev.to/gbadedata/i-built-a-real-time-ddos-detection-engine-from-scratch-heres-every-decision-i-made-3jl1 <p><em>No Fail2Ban. No rate-limiting libraries. No shortcuts. Just Python, a deque, and statistics.</em></p> <p>There is a moment every engineer dreads.</p> <p>You are staring at your monitoring dashboard. The request graph is vertical. Your server is on its knees. Legitimate users are getting timeouts. And somewhere out there, an attacker is running a script they downloaded in five minutes - while your defence took you zero minutes to build, because you had none.</p> <p>That was the situation at <strong>cloud.ng</strong>, a rapidly growing cloud storage platform powered by Nextcloud. After a wave of suspicious activity, I was handed a mandate: build an anomaly detection engine that watches all incoming HTTP traffic in real time, learns what normal looks like, and automatically responds when something deviates.</p> <p>No off-the-shelf tools. No Fail2Ban. Build it from scratch.</p> <p>This is the full story - every decision, every line of reasoning, every tradeoff.</p> <h2> First, Understand the Enemy </h2> <p>A <strong>DDoS attack</strong> - Distributed Denial of Service - works by exhausting your server's resources. Your server has a finite ability to handle connections. When an attacker sends 10,000 requests per second, your server spends all its time handling garbage traffic and has nothing left for real users.</p> <p>But here is the subtler problem that most tutorials gloss over: <strong>you cannot just block "high traffic" IPs</strong>.</p> <p>Traffic is not constant. A cloud storage platform gets hammered at 9 AM when everyone starts their workday. It goes quiet at 3 AM. If you set a fixed threshold - say, "block any IP sending more than 50 requests per minute" - you will:</p> <ul> <li>Miss attacks during busy hours when 50 req/min is perfectly normal</li> <li>Flag innocent users during quiet hours when 50 req/min is genuinely suspicious</li> </ul> <p>What you need is a system that <strong>learns what normal looks like for right now</strong> - and flags deviations from that learned baseline. That is a statistics problem, not a configuration problem.</p> <p>This insight shaped every architectural decision I made.</p> <h2> The Architecture </h2> <p>Before writing a single line of code, I mapped out the full system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ HTTP ┌─────────────────┐ proxy ┌──────────────┐ │ Internet │ ────────────► │ Nginx │ ────────────► │ Nextcloud │ │ (clients) │ │ (reverse proxy) │ │ (app) │ └─────────────┘ └─────────────────┘ └──────────────┘ │ │ JSON access logs ▼ ┌─────────────────┐ (named Docker volume) │ hng-access.log │ └─────────────────┘ │ │ tail -f (continuous) ▼ ┌────────────────────────┐ │ Detector Daemon │ │ │ │ monitor.py ◄── reads log │ baseline.py ◄── learns normal │ detector.py ◄── spots anomalies │ blocker.py ◄── calls iptables │ unbanner.py ◄── releases bans │ notifier.py ◄── pings Slack │ dashboard.py ◄── live metrics UI └────────────────────────┘ │ │ iptables Slack DROP rule #hng-alerts </code></pre> </div> <p>Nginx sits in front of Nextcloud and writes every HTTP request as a JSON log line. The detector daemon reads that file continuously, processes each entry, and takes action when needed.</p> <p>The key design principle: <strong>the daemon runs forever as a systemd service</strong>. It is not a cron job. It is not a script you run manually. It is always watching.</p> <h2> Part 1: The Foundation - JSON Logs with All the Right Fields </h2> <p>Everything starts with Nginx writing structured logs. Without good data, nothing else works.</p> <p>Here is the log format I configured:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">log_format</span> <span class="s">json_logs</span> <span class="s">escape=json</span> <span class="s">'</span><span class="p">{</span><span class="kn">'</span> <span class="s">'"source_ip":"</span><span class="nv">$remote_addr</span><span class="s">",'</span> <span class="s">'"timestamp":"</span><span class="nv">$time_iso8601</span><span class="s">",'</span> <span class="s">'"method":"</span><span class="nv">$request_method</span><span class="s">",'</span> <span class="s">'"path":"</span><span class="nv">$request_uri</span><span class="s">",'</span> <span class="s">'"status":</span><span class="nv">$status</span><span class="s">,'</span> <span class="s">'"response_size":</span><span class="nv">$body_bytes_sent</span><span class="s">,'</span> <span class="s">'"http_host":"</span><span class="nv">$host</span><span class="s">",'</span> <span class="s">'"user_agent":"</span><span class="nv">$http_user_agent</span><span class="s">"'</span> <span class="s">'</span><span class="err">}</span><span class="s">'</span><span class="p">;</span> <span class="kn">access_log</span> <span class="n">/var/log/nginx/hng-access.log</span> <span class="s">json_logs</span><span class="p">;</span> </code></pre> </div> <p>Every log line looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"source_ip"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.2.3.4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-29T21:48:35+00:00"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_size"</span><span class="p">:</span><span class="w"> </span><span class="mi">6674</span><span class="p">,</span><span class="w"> </span><span class="nl">"http_host"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cloud.ng"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Mozilla/5.0..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One critical detail: I configured Nginx to extract the <strong>real client IP</strong> from the <code>X-Forwarded-For</code> header. Since Nginx is a Docker container proxying to another Docker container, without this, every request would appear to come from the Docker gateway IP - completely useless for per-IP detection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">set_real_ip_from</span> <span class="mf">172.16</span><span class="s">.0.0/12</span><span class="p">;</span> <span class="k">real_ip_header</span> <span class="s">X-Forwarded-For</span><span class="p">;</span> <span class="k">real_ip_recursive</span> <span class="no">on</span><span class="p">;</span> </code></pre> </div> <p>The logs are written to a <strong>named Docker volume</strong> called <code>HNG-nginx-logs</code>. Both Nginx (read-write) and Nextcloud (read-only) mount this volume. The detector daemon reads from the host path of the same volume.</p> <h2> Part 2: The Log Tailer - Watching the File Live </h2> <p>The first module, <code>monitor.py</code>, does one thing: follow the log file and yield parsed entries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">tail_log</span><span class="p">(</span><span class="n">log_path</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="sh">"""</span><span class="s"> Generator that yields one parsed dict per HTTP request. Works like `tail -f` - blocks waiting for new lines. </span><span class="sh">"""</span> <span class="c1"># Wait for the file to exist (Nginx may not have written anything yet) </span> <span class="k">while</span> <span class="ow">not</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">log_path</span><span class="p">):</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">log_path</span><span class="p">,</span> <span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">'</span><span class="s">utf-8</span><span class="sh">'</span><span class="p">)</span> <span class="k">as</span> <span class="n">f</span><span class="p">:</span> <span class="c1"># Seek to END — we only care about new requests, not history </span> <span class="n">f</span><span class="p">.</span><span class="nf">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">line</span> <span class="o">=</span> <span class="n">f</span><span class="p">.</span><span class="nf">readline</span><span class="p">()</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">line</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mf">0.05</span><span class="p">)</span> <span class="c1"># 50ms poll — barely any CPU cost </span> <span class="k">continue</span> <span class="n">entry</span> <span class="o">=</span> <span class="nf">_parse</span><span class="p">(</span><span class="n">line</span><span class="p">.</span><span class="nf">strip</span><span class="p">())</span> <span class="k">if</span> <span class="n">entry</span><span class="p">:</span> <span class="k">yield</span> <span class="n">entry</span> </code></pre> </div> <p>The <code>f.seek(0, 2)</code> is important. Without it, on every restart, the daemon would replay the entire log history and potentially re-ban IPs that have already served their time.</p> <p>The <code>0.05</code> second sleep between empty reads means the daemon uses almost zero CPU when traffic is quiet, but responds to new log entries within 50 milliseconds.</p> <h2> Part 3: The Sliding Window - The Heart of Rate Detection </h2> <p>Here is where most tutorials get it wrong.</p> <p><strong>The wrong way:</strong> Count requests per minute. Reset the counter every 60 seconds.</p> <p>The problem: this creates "bucket boundaries". An attacker can send 59 requests at second 59, wait 2 seconds, send 59 more at second 61, and your per-minute counter never sees more than 59. They are attacking continuously but your counter says they are fine.</p> <p><strong>The right way:</strong> A true rolling window using <code>collections.deque</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">deque</span> <span class="kn">import</span> <span class="n">time</span> <span class="k">class</span> <span class="nc">SlidingWindowCounter</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> Each entry in the deque is a float timestamp of one request. The deque always contains only the requests from the last window_seconds. </span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">window_seconds</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="o">=</span> <span class="n">window_seconds</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># timestamps of individual requests </span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span> <span class="o">=</span> <span class="nf">deque</span><span class="p">()</span> <span class="c1"># timestamps of error requests (4xx/5xx) </span> <span class="k">def</span> <span class="nf">add</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">ts</span><span class="p">:</span> <span class="nb">float</span><span class="p">,</span> <span class="n">is_error</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">):</span> <span class="c1"># New request joins from the RIGHT </span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_error</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">_evict</span><span class="p">(</span><span class="n">ts</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_evict</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">now</span><span class="p">:</span> <span class="nb">float</span><span class="p">):</span> <span class="n">cutoff</span> <span class="o">=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="c1"># Stale requests fall off the LEFT </span> <span class="k">while</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="c1"># O(1) — this is why deque, not list </span> <span class="k">while</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">cutoff</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">.</span><span class="nf">popleft</span><span class="p">()</span> <span class="k">def</span> <span class="nf">rate</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="c1"># Exact rolling rate — no bucketing, no approximation </span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> <span class="k">def</span> <span class="nf">error_rate</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">_err_timestamps</span><span class="p">)</span> <span class="o">/</span> <span class="n">self</span><span class="p">.</span><span class="n">window_seconds</span> </code></pre> </div> <p>Picture the deque as a conveyor belt. Requests board at the right. Requests older than 60 seconds fall off the left automatically. At any moment, dividing the belt's occupancy by 60 gives the exact requests-per-second for the last minute.</p> <p><strong>Why O(1) matters:</strong> <code>list.pop(0)</code> shifts every element — O(n). <code>deque.popleft()</code> is O(1). At 10,000 requests per second across thousands of IPs, the difference between O(1) and O(n) is the difference between a daemon that keeps up and one that falls behind and misses attacks.</p> <p>Every IP gets its own <code>SlidingWindowCounter</code>. There is also one <strong>global</strong> counter tracking all traffic combined - this catches distributed attacks where no single IP is hitting hard, but collectively they are overwhelming the server.</p> <h2> Part 4: The Baseline - Teaching the System What Normal Looks Like </h2> <p>The sliding window answers <em>what is happening now</em>. The baseline answers <em>what normally happens</em>.</p> <p>I implemented a rolling 30-minute baseline of <strong>per-second request counts</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Timeline ──────────────────────────────────────────────────────► │ 1req │ 0req │ 3req │ 2req │ ... │ 5req │ 2req │ NOW │ └──────────────────────────────────────────────────────┘ ◄────────── 30 minutes = 1800 seconds ──────────► </code></pre> </div> <p>Each slot represents one completed second. Every 60 seconds, the system recomputes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_recalculate</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_window</span><span class="p">]</span> <span class="n">n</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="n">mean</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">variance</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">((</span><span class="n">x</span> <span class="o">-</span> <span class="n">mean</span><span class="p">)</span> <span class="o">**</span> <span class="mi">2</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">samples</span><span class="p">)</span> <span class="o">/</span> <span class="n">n</span> <span class="n">stddev</span> <span class="o">=</span> <span class="n">math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="n">variance</span><span class="p">)</span> <span class="c1"># Floor values prevent division-by-zero at startup </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_mean</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">mean</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_mean</span><span class="p">)</span> <span class="c1"># config: 0.1 </span> <span class="n">self</span><span class="p">.</span><span class="n">effective_stddev</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">stddev</span><span class="p">,</span> <span class="n">self</span><span class="p">.</span><span class="n">floor_stddev</span><span class="p">)</span> <span class="c1"># config: 0.1 </span></code></pre> </div> <h3> The Hour-Slot System </h3> <p>Here is the part that makes the baseline actually smart.</p> <p>Traffic at 9 AM is genuinely different from traffic at 3 AM. If you use a single rolling window across all time, the baseline at 3 AM will reflect the busy afternoon - making it too permissive, missing real attacks.</p> <p>I maintain <strong>per-hour slots</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromtimestamp</span><span class="p">(</span><span class="n">ts</span><span class="p">).</span><span class="n">hour</span> <span class="n">self</span><span class="p">.</span><span class="n">_hour_slots</span><span class="p">[</span><span class="n">hour</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">count</span><span class="p">)</span> <span class="c1"># {0: [...], 1: [...], ..., 23: [...]} </span></code></pre> </div> <p>During recalculation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">hour_data</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">_hour_slots</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">current_hour</span><span class="p">,</span> <span class="p">[])</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">hour_data</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">60</span><span class="p">:</span> <span class="c1"># Enough data for this hour — use it (more accurate) </span> <span class="n">samples</span> <span class="o">=</span> <span class="n">hour_data</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># Fall back to the full rolling window </span> <span class="n">samples</span> <span class="o">=</span> <span class="p">[</span><span class="n">count</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">count</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">_window</span><span class="p">]</span> </code></pre> </div> <p>Once the system has been running for an hour, the 3 AM baseline reflects actual 3 AM traffic. The 9 AM baseline reflects actual 9 AM traffic. The system adapts to time-of-day patterns automatically, with zero configuration.</p> <p>This is also why <code>effective_mean</code> is never, ever hardcoded. It is always computed from real traffic data.</p> <h2> Part 5: The Detection Logic - Making the Call </h2> <p>Now the payoff. We have:</p> <ul> <li> <code>current_rate</code> — from the IP's sliding window</li> <li> <code>effective_mean</code> — what is normal right now</li> <li> <code>effective_stddev</code> — how much variation is normal</li> </ul> <p>We compute a <strong>z-score</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>z = (current_rate − effective_mean) / effective_stddev </code></pre> </div> <p>The z-score is the number of standard deviations the current rate sits above the mean. In a normal distribution:</p> <ul> <li>z = 1.0 → slightly above average (84th percentile)</li> <li>z = 2.0 → notably above average (97th percentile) </li> <li>z = 3.0 → very far above average (99.87th percentile)</li> </ul> <p>At z ≥ 3.0, something is almost certainly not normal.</p> <p>But z-score alone has a weakness: if traffic is so explosive that the baseline itself has not had time to update yet, the stddev might be large and the z-score misleadingly small. So I add a second condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Flag if EITHER condition fires — whichever comes first </span><span class="n">is_anomalous</span> <span class="o">=</span> <span class="p">(</span><span class="n">zscore</span> <span class="o">&gt;=</span> <span class="mf">3.0</span><span class="p">)</span> <span class="ow">or</span> <span class="p">(</span><span class="n">rate</span> <span class="o">&gt;=</span> <span class="mi">5</span> <span class="o">*</span> <span class="n">effective_mean</span><span class="p">)</span> </code></pre> </div> <p>The 5× multiplier catches the "traffic just went vertical" scenario that z-score might miss.</p> <h3> The Error Surge Tightener </h3> <p>Sometimes attackers probe rather than flood. They scan your endpoints looking for vulnerabilities, generating lots of 4xx and 5xx errors without necessarily hitting the raw request rate threshold.</p> <p>The system detects this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">ip_error_rate</span> <span class="o">&gt;=</span> <span class="mi">3</span> <span class="o">*</span> <span class="n">baseline_error_mean</span><span class="p">:</span> <span class="c1"># This IP is generating errors at 3× the normal rate </span> <span class="c1"># Tighten the detection threshold — flag it sooner </span> <span class="n">z_threshold</span> <span class="o">=</span> <span class="nf">max</span><span class="p">(</span><span class="n">z_threshold</span> <span class="o">-</span> <span class="mf">1.5</span><span class="p">,</span> <span class="mf">1.0</span><span class="p">)</span> </code></pre> </div> <p>An IP generating suspicious error patterns gets caught at a lower threshold than regular traffic. This fires independently of the raw rate - it catches the probers.</p> <h2> Part 6: Blocking with iptables - The Linux Firewall </h2> <p>When an IP is flagged, the daemon calls the Linux kernel's firewall directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">subprocess</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">[</span><span class="sh">'</span><span class="s">iptables</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-I</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">INPUT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">-s</span><span class="sh">'</span><span class="p">,</span> <span class="n">offending_ip</span><span class="p">,</span> <span class="sh">'</span><span class="s">-j</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">DROP</span><span class="sh">'</span><span class="p">],</span> <span class="n">check</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> </code></pre> </div> <p><code>-I INPUT</code> inserts the rule at the <strong>top</strong> of the INPUT chain — it gets evaluated first, before anything else.<br> <code>-j DROP</code> silently discards the packet. No TCP RST. No HTTP response. The attacker's requests just vanish into nothing.</p> <p>This is more effective than returning a 403 for two reasons:</p> <ol> <li>It consumes zero application resources - the kernel drops the packet before it ever reaches Nginx</li> <li>The attacker gets no feedback - they cannot even confirm the server is alive</li> </ol> <h3> The Backoff Schedule </h3> <p>Permanent bans on first offence are both unfair and operationally risky. You might ban a legitimate user with a buggy client, or a friendly scraper, and then spend hours investigating why a partner's integration broke.</p> <p>The system uses a <strong>progressive backoff</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Offence</th> <th>Duration</th> <th>Reasoning</th> </tr> </thead> <tbody> <tr> <td>1st</td> <td>10 minutes</td> <td>Could be a misconfigured client</td> </tr> <tr> <td>2nd</td> <td>30 minutes</td> <td>Likely intentional, more time needed</td> </tr> <tr> <td>3rd</td> <td>2 hours</td> <td>Persistent offender</td> </tr> <tr> <td>4th+</td> <td>Permanent</td> <td>They know what they are doing</td> </tr> </tbody> </table></div> <p>A background <code>Unbanner</code> thread wakes every 10 seconds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_check_expiry</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">for</span> <span class="n">ban</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">get_banned_ips</span><span class="p">():</span> <span class="k">if</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">:</span> <span class="k">continue</span> <span class="c1"># Permanent — never release </span> <span class="k">if</span> <span class="n">now</span> <span class="o">-</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">banned_at</span><span class="sh">'</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">duration</span><span class="sh">'</span><span class="p">]:</span> <span class="n">self</span><span class="p">.</span><span class="n">blocker</span><span class="p">.</span><span class="nf">unban</span><span class="p">(</span><span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># removes iptables rule </span> <span class="n">self</span><span class="p">.</span><span class="n">notifier</span><span class="p">.</span><span class="nf">send_unban</span><span class="p">(</span><span class="n">ban</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">])</span> <span class="c1"># notifies Slack </span></code></pre> </div> <p>The <code>_ban_history</code> dict persists across unbans — so if an IP gets a 10-minute ban, behaves, gets released, then attacks again, it goes straight to the 30-minute tier. The system remembers repeat offenders even after their ban expires.</p> <h2> Part 7: Slack Alerts - Real-Time Visibility </h2> <p>Every significant event fires a Slack message to <code>#hng-alerts</code>:</p> <p><strong>Ban alert:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🚨 IP BANNED • Condition: ip_rate_anomaly • IP address: 1.2.3.4 • Current rate: 12.4000 req/s • Baseline mean: 0.4200 req/s • Z-score: 28.57 • Ban duration: 600s • Timestamp: 2026-04-29T21:48:35 </code></pre> </div> <p><strong>Global anomaly alert (no block - just awareness):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠ GLOBAL TRAFFIC ANOMALY • Condition: global_rate_anomaly • Current global rate: 48.3000 req/s • Baseline mean: 3.2000 req/s • Z-score: 14.09 • Action: Slack alert only (no IP block) </code></pre> </div> <p>All Slack calls run in daemon threads - the detection loop never waits for a network call.</p> <h2> Part 8: The Live Dashboard </h2> <p>The system serves a live metrics dashboard at <code>http://dashboard.gbadedata.com</code>. It auto-refreshes every 3 seconds via a simple JavaScript <code>setInterval</code> call hitting a Flask <code>/api/metrics</code> endpoint.</p> <p>The dashboard shows:</p> <ul> <li>Global requests per second (live)</li> <li>Baseline effective_mean and stddev</li> <li>CPU and memory usage</li> <li>All currently banned IPs with conditions, durations, and ban times</li> <li>Top 10 source IPs ranked by current request rate</li> <li>System uptime</li> </ul> <p>No frontend framework. No build step. Flask serves an HTML string with embedded JavaScript. The entire dashboard is ~80 lines of code.</p> <h2> Part 9: The Audit Log </h2> <p>Every ban, unban, and baseline recalculation writes a structured entry to <code>/var/log/detector-audit.log</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[2026-04-29T21:48:35.998876] BAN 172.18.0.1 | ip_rate_anomaly | rate=0.4000 | baseline=0.1000 | duration=600 [2026-04-29T21:58:38.252357] UNBAN 172.18.0.1 | ban_expired | rate=0.0000 | baseline=0.0000 | duration=600 [2026-04-30T12:20:17.038296] BASELINE_RECALC | source=rolling_window (2 samples) | rate=10.5000 | baseline=10.5000 | duration=0 </code></pre> </div> <p>This is your paper trail. If someone asks "why was our partner's IP blocked at 3 AM on Tuesday?" - the answer is in the audit log, timestamped to the millisecond.</p> <h2> What I Would Do Differently </h2> <p><strong>1. Use a proper WSGI server for the dashboard.</strong> Flask's development server works, but in production I would swap it for Gunicorn behind the existing Nginx setup.</p> <p><strong>2. Persist ban history across restarts.</strong> Currently, <code>_ban_history</code> lives in memory. If the daemon restarts, it forgets who was a repeat offender. A small SQLite database would fix this with minimal complexity.</p> <p><strong>3. Add IP allowlisting.</strong> Right now, any IP can be banned - including monitoring services, CDN health checkers, and your own office's IP. A config-driven allowlist would prevent embarrassing self-bans.</p> <p><strong>4. Ship metrics to Prometheus.</strong> The dashboard is useful for humans. For alerting, on-call tools, and long-term trend analysis, exposing a <code>/metrics</code> endpoint would integrate with the rest of a modern observability stack.</p> <h2> The Numbers </h2> <p>After running for 24 hours on the live server:</p> <ul> <li>Processed thousands of HTTP requests continuously</li> <li>Detected and blocked anomalous IPs within <strong>under 10 seconds</strong> of the first suspicious request</li> <li>Auto-released bans correctly on the configured schedule</li> <li>Dashboard refreshed without interruption</li> <li>Zero false positives on legitimate traffic once the baseline had enough data</li> </ul> <h2> Final Thoughts </h2> <p>The most important lesson from this project is not about Python or iptables or deques.</p> <p>It is about <strong>measurement before action</strong>.</p> <p>Every security tool that uses hardcoded thresholds is making a guess. This system does not guess - it measures, it learns, and it acts on what it has observed. The z-score is not magic. It is just a way of asking: "is what I am seeing now consistent with what I have seen in the past?"</p> <p>When the answer is no - decisively, statistically, not-even-close no - you block it.</p> <p>That is the whole idea.</p> <p><em>Full source code: <a href="https://github.com/gbadedata/hng14-stage3" rel="noopener noreferrer">https://github.com/gbadedata/hng14-stage3</a></em></p> <p><em>Live dashboard: <a href="http://dashboard.gbadedata.com" rel="noopener noreferrer">http://dashboard.gbadedata.com</a></em></p> architecture python security showdev