DEV Community: Kiell Tampubolon

I Built a Kubernetes Alternative. It Changed My Perspective on Complexity.

Kiell Tampubolon — Wed, 27 May 2026 04:50:58 +0000

After three long nights of coding, I stood on the edge of quitting. The most recent error? 'Connection refused: too many retries.' How does one recover from such a humiliating message? I guess you just pick yourself up and try again.

ACT 1: The Confidence Built on Ignorance

At first, I was cocky about my ability to develop a simpler alternative to Kubernetes. After all, I was drawing from over five years of experience building and managing containerized applications. Besides, I had graduated from a reputable programming boot camp, which ended up leading me to some great opportunities. I figured if I could wrangle Kubernetes, I could surely create something less complex and more approachable.

When I began this project, I believed the only thing standing in my way was time. I had convinced myself that my technical skills were enough; all I had to do was write the code, and it would come together. I thought eliminating a few features and minimizing configurations would be all it took to create something user-friendly. I pictured it, lightweight, no more than 300 lines of code for my entire tool. Simple, right?

ACT 2: The Moment It Broke

That illusion shattered when I hit my first major roadblock. After several days of coding with barely any sleep, I tried to deploy my work for the first time. I was so giddy with excitement; it was like I was seeing the light at the end of a tunnel. For about two seconds, it felt like everything was going great. And then came the error message:

Error: invalid configuration: failed to find a ready to use service

I thought, “How could this happen?” My tool was designed to simplify the deployment process, not make it more convoluted. After sweating over the terminal for hours, I tried everything. I rechecked the API calls, re-evaluated services, and even consulted the Kubernetes official documentation (which, let's be honest, is just a fancy way of saying I ended up down a rabbit hole of YAML files).

At that moment, it hit me: I hadn’t just omitted complexity; I had disregarded the very principles that make Kubernetes powerful, its ability to manage the scalability and orchestration of applications in distributed environments. I realized simplicity doesn't always mean fewer lines of code. Sometimes, it means better abstractions that serve higher purposes.

The Turning Point: What I Discovered

I decided to roll my sleeves up, go back to the drawing board, and analyze what I was actually trying to achieve. Instead of just cutting features, I began to rethink some of them entirely. I analyzed critical aspects like service discovery and load balancing and realized that perhaps they weren’t

I Dumped My Entire Codebase into Gemma 4. It Found a Bug My Team Missed for 3 Months.

Kiell Tampubolon — Mon, 18 May 2026 13:54:12 +0000

This is a submission for the Gemma 4 Challenge: Write About Gemma 4

The bug had been in production for 90 days. Three sprint reviews. Two refactors nearby. One team member who actually touched that file and left a comment saying "looks fine."

I found it in 4 minutes by pasting 47,000 tokens into Gemma 4 31B and asking one question.

I want to tell you this is a story about AI being brilliant. It is not. It is a story about what happens when you stop treating a 128K context window as a spec sheet number and start treating it as a tool.

Quick context if you're new to Gemma 4: It's Google DeepMind's latest open-weight model family, released April 2026 under Apache 2.0. The 31B dense variant is the largest in the family and the one that ships with a 128K context window and built-in reasoning mode. You can access it free via OpenRouter with no credit card required.

The Bug Was Invisible at File Level

We run a mid-sized Python backend. Not a startup toy project, not a monolith from 2009 either. Around 18,000 lines across 200-ish files, with a payment reconciliation module that processes about 4,000 transactions a day.

For three months we had an off-by-one error in how we accumulated daily totals. The kind of bug that doesn't crash anything, doesn't throw an exception, and stays quiet until someone runs a quarterly audit. Finance flagged it. Our first assumption was the database. Our second assumption was a race condition. Our third assumption was a rounding issue inherited from a third-party SDK.

All wrong. The bug was in how we correlated timestamps across two functions that lived 800 lines apart in the same module. You could not see it by reading either function. You had to hold both in your head at the same time, along with the utility function they both relied on, to see the logic drift.

Nobody held all three at once. Humans don't naturally do that across 800 lines.

What I Actually Did

I pulled the relevant module (about 1,400 lines), the shared utilities it imports (another 600 lines), and the test file (300 lines). Total: roughly 2,300 lines of Python. That's somewhere around 46,000 tokens.

I chose Gemma 4 31B, accessed via OpenRouter, specifically because of the context window size and the reasoning capability. The 128K window was not the point in itself. The point was that 128K let me stop chunking.

Every time I had tried to debug this with smaller-context tools I was feeding pieces of the problem. Paste function A, get feedback. Paste function B, get different feedback. Try to synthesize the two answers manually. That synthesis step is where the bug kept hiding.

With 31B I pasted the full thing at once:

prompt = f"""
You are reviewing Python source code for a financial reconciliation system.
Below is the complete module, its utility dependencies, and its test suite.

Find any logic errors related to timestamp handling, accumulation order,
or correlation between functions. Be specific about line numbers and
explain the interaction that causes the error, not just the error itself.

<module>
{reconciliation_module}
</module>

<utilities>
{shared_utils}
</utilities>

<tests>
{test_suite}
</tests>
"""

That's it. No chunking. No iterative back-and-forth. One completion.

The response came back in about 40 seconds. It flagged three things. Two were style notes I already knew about. The third was this:

accumulate_daily() uses record.created_at for grouping (line 312), but reconcile_period() filters by record.settled_at (line 1089). For records that settle in a different calendar day than they were created, these two functions will assign the same record to different days. The test suite only creates records where created_at and settled_at are within the same UTC day, so this has never been caught by the test harness.

I sat there for a second. Then I checked the two functions side by side:

# line 312 — in accumulate_daily()
day_key = record.created_at.date()   # <-- groups by creation date

# line 1089 — in reconcile_period()
if record.settled_at < period_end:   # <-- filters by settlement date
    totals[day_key] += record.amount

When a transaction is created on Monday but settles on Tuesday, accumulate_daily() puts it in Monday's bucket. reconcile_period() counts it toward Tuesday's filter window. Same record. Two different days. Neither function is wrong on its own. Together they silently drift.

Then I checked the test fixtures. Every single test record had created_at and settled_at set to the same UTC day. The tests never exercised the cross-day case.

It was exactly right.

Why This Worked and Why It Didn't Work Before

The test suite was the key detail. The model wasn't just spotting a timestamp mismatch between two functions. It was reading the tests and noticing the gap: the tests don't cover the case where these dates differ. That kind of cross-file reasoning requires the full context to be present simultaneously.

I had tried a similar experiment with GPT-4 earlier in the week by pasting sections iteratively. It flagged the created_at vs settled_at discrepancy in isolation but didn't make the connection to the test fixtures because the test file wasn't in scope when it saw the functions. The insight was split across two separate completions, and I didn't connect them.

With the full module in one pass, the model could see the claim ("here is how we accumulate") and the verification ("here is what the tests assert") in the same window, and notice they didn't match on the cross-day case.

The Honest Limits

This is not a "just paste your codebase and it will find all your bugs" story. Three caveats that matter:

Latency is real. The 31B model via OpenRouter takes time on a 46K token completion. For quick questions I still reach for smaller models or a local Gemma 4 E4B setup. The 31B is the right tool when you need the full picture and can afford the wait.
A vague prompt gets vague answers. My first attempt asked "find any issues." It returned generic style feedback. The version that found the bug asked specifically for "logic errors related to timestamp handling" because I had already narrowed the domain. The model amplified my hypothesis. It did not generate one from nothing.
It still missed one bug. I found it later through manual review. Not a humiliating miss. But a reminder that "found the bug I missed" and "found all the bugs" are very different sentences.

What This Actually Changes

The 128K context window is not about being able to process more. It is about being able to stop decomposing.

Most debugging assistance with AI is a decomposition problem: I have to decide what to show and what to leave out, and that editorial decision is exactly where bugs hide. The moment I have to decide "this function is probably not relevant," I might be wrong about that, and the model will never tell me.

When the window is large enough that I can stop curating, the model sees the same thing I should be seeing: the whole picture, including the parts I didn't think to highlight.

That changes the failure mode from "I showed it the wrong piece" to "I asked the wrong question." The second failure mode is actually fixable.

Try it yourself: grab a module you've been meaning to audit, load the full file plus its tests into Gemma 4 31B on OpenRouter (free tier, no card), and ask specifically about the interaction between the functions, not just each function alone. Drop what you find in the comments. I'm genuinely curious whether the cross-file blindspot is a universal problem or just a symptom of how our specific codebase grew.

I Was Wrong About AI. Here Is the Moment That Changed It.

Kiell Tampubolon — Mon, 18 May 2026 13:30:36 +0000

The debugging tool flagged a staggering 150 issues in my code almost instantly. I was astonished by how many mistakes I had made and how far I still had to go. This moment revealed the complexity of AI that I had underestimated all along.

The Moment It Broke

That breaking point was unexpected. I was toying with a fancy AI algorithm, thinking it was about to churn out perfect code. I had linked it with my code editor, set everything up, and watched with excitement as it typed out solutions based on prompts I fed it. After a few successful iterations, I made a huge mistake. I forgot to properly validate the inputs.

One afternoon, I threw in a random input to test its limits. The console displayed the message that will haunt me: "Runtime Error: Unexpected Token."

For a moment, I was frozen. I had ignored something critical: AI is a tool, not a solution in itself. More often than not, I’d been treating it as some kind of oracle instead of evaluating how it actually understood my requests. I should’ve known better. Sure, AI can assist in many ways, but nothing beats core programming principles.

What I Discovered

When I finally debugged the mess, I took a moment to reflect. I realized that I had neglected proper coding best practices in favor of a shiny new toy. AI works wonderfully when it augments your existing understanding and workflow. Here’s a snippet demonstrating the change I made:

// Original flawed function without validation
function aiSuggestion(prompt) {
 return aiModel.generate(prompt);
}

// Improved function with validation
function aiSuggestion(prompt) {
 if (typeof prompt !== 'string' || !prompt) {
 throw new Error('Invalid input: Please provide a valid string.');
 }
 return aiModel.generate(prompt);
}

Just adding that validation step made a world of difference. I could trust my AI’s feedback more because I was guiding it with better input. It was a simple tweak, but it became pivotal in my project’s success. I still smiled when my AI echoed back code that was far more functional than my initial attempts, but now I was equipped with the knowledge that I needed to do my part first.

The Bigger Principle

This lead to a bigger realization: tools are just extensions of ourselves. They don't replace the fundamentals. If you're a developer working with AI, you have to take responsibility for your code. Forgetting that turns you into a passive user, and honestly, nobody wants to be that. It’s like trying to build a house without knowing how to lay bricks; the walls might look good for a while, but they’re bound to crumble eventually.

When I look back, what annoys me most is that I didn’t question my assumptions sooner. I could’ve saved time, energy, and probably a few hairs on my head. Relying solely on AI to deliver the goods is tempting, but it leads to dangerous shortcuts. Proper coding practices don’t just lead to better outcomes; they prevent mistakes down the road.

In hindsight, I’d tell past-me to challenge the narrative that tech can solve everything. AI should elevate our skills, not replace them. So here’s my burning question: Are AI and automation a developer's best support system, or do they create a dangerous dependency that might weaken our core skills? What’s your take on this?

I Struggled with Data Analysis. Claude for Excel Changed Everything.

Kiell Tampubolon — Fri, 08 May 2026 12:02:15 +0000

At 2 AM, I was ready to throw my laptop out the window. I had just spent hours gaining zero insights from a sprawling sea of data. Then I stumbled upon Claude for Excel, and suddenly everything clicked into place.

The Problem with Real Error or Messy Code

Like many developers, especially those of us who aren't formally trained as data analysts, Excel can sometimes feel like a jungle. I was trying to generate reports that needed to highlight sales trends, which required me to wrangle all that data into a coherent narrative. I needed to create pivot tables to analyze the responses, but navigating through cumbersome formulas was turning my brain into mush. I spent hours merging cells, applying filters, and trying to remember whether I used SUM or AVERAGE last time.

One day, I spent an entire Sunday trying to get a complex formula to work. I ended up with #VALUE! errors splattered across my sheet, leading to frustration that lasted longer than I care to admit. My family could see my stress levels rising as I muttered incoherently about Excel's cryptic syntax. I wanted to blame the software, but the truth was, I was the one wrestling with messy data and unrealistic expectations on myself. The more I struggled, the more irrational I became.

The Fix

Enter Claude for Excel—a tool that instantly began to take the burden off my shoulders. After a brief introduction and tutorial, I realized this could be my new best friend in the world of data. The functionality was like getting handed a magic wand; it could analyze data without needing me to trip over complex formulas.

For example, I was once stuck trying to calculate the year-over-year growth of sales figures across various regions, which involved a spreadsheet of about 3,000 rows. Typically, I would have diced and sliced this data manually, hoping to avoid errors along the way. Instead, using Claude, I could simply upload my data set and ask it for the required analysis in plain language:

Analyze the sales data and show year-over-year growth by region.

Within seconds, not only did Claude give me the results, but it also generated a pivot table for me. I couldn't believe my eyes. The tool had processed the entire sheet seamlessly, saving me at least three hours of work. I was able to use the generated table to make decisions swiftly and present findings during Monday’s meeting with confidence. This was not magic—it was just a smart combination of AI and my ongoing need for efficiency.

Furthermore, when I felt extra adventurous, I asked Claude:

Show me the top 5 products based on customer feedback.

Again, I received a neat summary sans the usual headache.

The Bigger Principle Behind the Fix

What I learned through this process was simple yet profound: embracing tools that streamline techniques is essential. Rather than getting tangled in the complexity of data manipulation, using Claude for Excel allowed me to focus on what truly mattered—insightful analysis and decision-making. I began to see an increase in my productivity, as I could spend time analyzing results rather than scrambling over formulas. In concrete terms, I've gone from spending about 20 hours a month on data analysis down to fewer than 10.

So what's the bigger principle here? It's about understanding your limitations and recognizing when to employ technology that complements your skills. Claude for Excel shifted not only the way I handled data but also my perception of it. Instead of feeling overwhelmed, I started feeling empowered, knowing I had a sophisticated partner by my side.

Reflecting on the time wasted before discovering this tool, I can’t help but chuckle. I wish I had found it sooner. If you're knee-deep in data analysis and feel like you’re drowning in formulas, I highly recommend you take a look at Claude. Just make sure to remember the old saying: it's not about knowing it all, but knowing how to ask the right questions.

If you've had similar experiences with data tools, what’s the most significant win you've achieved with a new software? What one tool would you recommend to others drowning in data that could provide clarity without the headache?

I Struggled with a Bug for Days — Here's What I Learned About Clean Code and Debugging

Kiell Tampubolon — Thu, 07 May 2026 15:14:19 +0000

As I sat in front of my computer screen one humid evening in Batam, covered with the shadows of unfinished projects, I felt a sinking frustration deep in my chest. For days, I was plagued by a bug in a JavaScript function that seemed to mock me, with every test yielding inconsistent results. I was convinced I had a handle on clean code principles, but the hours spent chasing this elusive problem made me question everything I knew.

Context & Stakes

debugging effectively is essential for any developer, especially when working in tight deadlines or collaborative environments. I was leading a small team on a client project, a dynamic web application intended to streamline local business operations. Our success depended on delivering clean, efficient code, and I was the one responsible for reviewing and finalizing it. The stakes were high, and with each failed attempt to fix the issue, our timeline slipped further.

The bug originated in a function designed to fetch user data from an API, but the data only loaded half the time. After scanning and re-scanning the code, everything seemed fine — I had followed all the recommended practices. Yet, the problem persisted. This relentless loop of testing and frustration forced me to confront my limitations head-on. Would I be able to solve this before our deadline?

CHALLENGE

What I had overlooked was a crucial aspect of my code's asynchronous nature. Here’s the snippet that tripped me up:

async function fetchUserData(userId) {
  const response = await fetch(`https://api.example.com/users/${userId}`);
  if (!response.ok) {
    throw new Error('Network response was not ok');
  }
  const data = await response.json();
  return data;
}

At first glance, this code looked correct, but the challenge was in the way it interacted with the rest of the application. I was using this function in multiple places within the codebase, but because the API could occasionally be slow, I hadn’t handled the failures correctly in the components calling it. This led to intermittent fraying of user experience, with components loading only half the time or throwing unhandled errors.

I felt the weight of inefficiency weighing down my team. The pressure to deliver without compromising quality left me juggling multiple hats, and I realized that my understanding of clean, maintainable code had been superficial. I needed to dig deeper into both debugging techniques and code readability practices to navigate this complexity.

BREAKTHROUGH

The breakthrough came when I decided to systematically approach the problem. Instead of diving straight into fixing it, I first resurfaced and rewrote the function to make it clearer and more manageable:

async function fetchUserData(userId) {
  try {
    const response = await fetch(`https://api.example.com/users/${userId}`);
    if (!response.ok) {
      throw new Error('Network response was not ok');
    }
    return await response.json();
  } catch (error) {
    console.error('Fetching user data failed: ', error);  // Logging error with context
    return null;  // Handle this gracefully on the calling side
  }
}

By adding error handling and a try/catch block, I octupled my chances of catching errors early. However, the biggest revelation was shifting my mindset from fixing bugs to devising solutions that make the code robust against future issues. I took the time to document the expected outcomes in the comments as a reminder to myself and my teammates. This transparency in the code not only made it easier for us to follow, but it also set the stage for better collaboration.

DEEPER INSIGHT

Through this experience, I gleaned a larger principle: clean code is not just about aesthetics or following patterns; it is about making it maintainable and resilient. As developers, we must anticipate how our code may misbehave under unexpected conditions. The cleaner and more explicit we write our code, the easier it becomes for us and others to debug it — saving precious development time in the long run.

Additionally, the experience reinforced the idea that debugging is as much about mindset as it is about skill. It’s easy to get lost in the weeds of our code; stepping back to reassess the problem can sometimes bring clarity, especially with peer programming, where you can have a fresh set of eyes or someone to help brainstorm.

WHAT I'D DO DIFFERENTLY

Upon reflection, here are a few actionable steps I’d take to improve my approach to debugging and code quality moving forward:

Prioritize Error Handling: Always include explicit error handling strategies within asynchronous functions. Errors are inevitable; planning for them pays off.
Encourage Team Code Reviews: Foster a culture of peer reviews within your team. Fresh perspectives often unearth issues that one might overlook.
Document Potential Errors: Add comments to clarify how functions behave in edge cases. Documentation can be a lifesaver.
Test-Driven Development (TDD): Implement TDD practices for new features to catch bugs early in the development cycle, enhancing code reliability.
Set Up Monitoring: Utilize tools like Sentry to catch runtime errors and log issues transparently into the application, so you can react in real-time.

By taking these steps, I believe we can significantly minimize bugs and build a more resilient infrastructure for our applications.

CLOSING QUESTION

What debugging techniques or coding practices have you found essential in your own projects? How have you dealt with seemingly insurmountable bugs? Let's discuss in the comments!

I Deployed My First Cloudflare Worker — Here's What I Learned

Kiell Tampubolon — Wed, 06 May 2026 11:32:05 +0000

I sat there staring at the screen, my heart racing as I clicked 'deploy' on my first Cloudflare Worker. What should have been a straightforward process felt like a rollercoaster of confusion and excitement. Just moments before, I'd lined everything up: my code looked good, my environment seemed solid—how could anything go wrong?

But then it hit me. 401 Unauthorized. What? I hadn’t encountered this in all my testing. Little did I know, the culprit was hiding in the shadows of a misconfigured secret token, like a ghost refusing to leave its haunted house.

The Setup

Being a developer, I often toggle between creative solutions and technical bottlenecks. I’ve spent countless late nights coding, occasionally stacking hundreds of browser tabs filled with information, guides, and articles. Typical developer life, right? In an attempt to re-organize my chaotic digital world, I finally utilized Notion Web Clipper. It became my sidekick, ensuring that everything I stumbled upon would be neatly packed away for when I needed it. But nothing prepared me for the impending chaos with Cloudflare Workers.

I was eager to build a simple API service that could run globally. After all, deploying on Cloudflare should have been a piece of cake. I picked a couple of templates and dived in, but secret management? Talk about a headache! I had breezed through the initial setup, barely taking note of how tokens should be correctly managed in the environment variables.

The Challenge

The panic kicked in when my worker returned a loud, resounding 401 Unauthorized error. I felt defeated. It felt like grasping at straws, trying various approaches that led me further into confusion. I had mistakenly selected a template that wasn’t suitable for my use case, throwing my authorization strategy out the window like an old shoe.

The main issue was that I lost sight of what tokens I was using for authentication. I had multiple API keys lying around from various services, and sure enough, I grabbed the wrong one. It reminded me of those ‘SELECT A TEMPLATE’ dropdown menus you see on documentation pages that you just don’t read. Instead of reading through the instructions, I assumed I knew it all. Classic developer hubris.

The Breakthrough

Eventually, instead of banging my head against the desk, I took a deep breath and revisited the documentation for Cloudflare Workers. Turns out, the secret management was not just a convenient feature; it was crucial for keeping my application secure and functional. They even had detailed instructions on how to handle these secrets correctly.

I quickly updated my API tokens using Cloudflare's secret management tools with these steps:

Revisit the dashboard: Ensure that you've saved your tokens properly.
Use .env file: If you're unsure of where to place your secrets, Cloudflare Workers let you conveniently manage these in the dashboard.
Go with the right template: Choose wisely! The correct template would seamlessly integrate with your authentication flow.

After implementing the right token, I deployed it again. It felt surreal to see the 200 OK response this time; everything felt right in the world again.

Deeper Insight

What I realized through this whole ordeal is much larger than just the technical issue. It served as a reminder of the importance of understanding the tools we use—rushing into a setup without learning the fundamentals can be disastrous. This situation taught me that our tools can either propel our success or hinder it, and we should respect the complexity involved in building software. Reading documentation isn’t just for beginners; it’s for anyone looking to level up.

In my experience, spending a bit more time upfront in understanding the scope and limits of what I was working on saved me hours of troubleshooting later.

What I'd Do Differently

Take Notes: Throughout the cloud worker setup, I started losing track of what I was doing. If I’d kept notes or a checklist, I could’ve avoided such an embarrassing mistake.
Don’t Rush: I was so eager to deploy my worker that I skimmed through critical documentation. In the future, I'll be more patient and thorough.
Debugging Tools: Use Cloudflare's built-in development tools. They can help you pinpoint those pesky authorization issues sooner.
Ask for Help: Instead of trying to figure it all out alone, asking in developer communities could save time—like moments of doubt and confusion I faced.

Closing Question

Have you ever overlooked an essential detail in your development work that led to a frustrating error? How did you recover, and what lessons did you take away from it? I’d love to hear your stories in the comments!

I Thought I Understood State Management in React. Then a Memory Leak Happened.

Kiell Tampubolon — Wed, 06 May 2026 11:27:58 +0000

I was deep in debugging a React application one lazy afternoon, staring at the console as error after error cropped up. I had implemented a pretty standard state management pattern to ensure that my component re-renders whenever specific data changed. But somehow, things were behaving strangely. Components were unmounting; states weren’t resetting; everything felt like a mess despite my confidence. What I thought was a straightforward approach was crumbling right in front of my eyes.

The Stakes

I was working on an important project that involved managing complex user interactions with real-time data. If I couldn’t contain the bugs swarming around my application, we risked missing a critical deadline. Not just that—I was also concerned about the user experience. A leaked memory could mean sluggish performance, and nobody wants to use an app that feels like it’s dragging its feet. I needed clarity, and I needed it fast.

Before diving deeper, let's take a look at the state management approach I had employed:

import React, { useState, useEffect } from 'react';

function UserProfile() {
    const [userData, setUserData] = useState(null);

    useEffect(() => {
        fetchUserData();
    }, []);

    async function fetchUserData() {
        const response = await fetch('/api/user');
        const data = await response.json();
        setUserData(data);
    }

    return <div>{userData ? userData.name : 'Loading...'}</div>;
}

This seemed fine at first, but things didn’t end up that way. My app started showing out-of-memory errors after several updates, and it felt like a ticking time bomb. I realized the crux of my problem lay in how I managed my component's lifecycle.

The Challenge: Memory Leak Mystery

As I navigated through the sea of warnings in my console, I faced the sudden realization that my fetch operation could stay ongoing even after the component unmounted, leading to a memory leak. If the API call completed after the component was no longer present, I was trying to update an unmounted component's state. This was a classic example of state management gone wrong, resulting in a mess that I had to unravel.

I had two main problems here:

Unsuccessful cleanup of the side effect in useEffect: I hadn’t set up any mechanism to cancel the fetch request once the component unmounted.
Leaving state updates in a volatile state: If fetchUserData finished running after the component was no longer mounted, it was going to throw an error.

Breakthrough: Fixing the Leak

After reeling back slightly and analyzing the proper way to approach an asynchronous fetch operation within a functional React component, I devised a plan.

Use a flag to keep track of the component's status: This would help me commune with React's lifecycle effectively.
Incorporate a cleanup function in useEffect: This would help cancel any ongoing requests or avoid updating the state if the component was no longer active.

Here’s how I revamped my component:

import React, { useState, useEffect } from 'react';

function UserProfile() {
    const [userData, setUserData] = useState(null);
    const [isMounted, setIsMounted] = useState(false);

    useEffect(() => {
        setIsMounted(true);

        const abortController = new AbortController(); 
        fetchUserData(abortController.signal);

        return () => {
            setIsMounted(false);
            abortController.abort();
        };
    }, []);

    async function fetchUserData(signal) {
        try {
            const response = await fetch('/api/user', { signal });
            const data = await response.json();
            if (isMounted) {
                setUserData(data);
            }
        } catch (error) {
            if (error.name === 'AbortError') {
                console.log('Fetch request aborted');
            } else {
                console.error('Error fetching user data:', error);
            }
        }
    }

    return <div>{userData ? userData.name : 'Loading...'}</div>;
}

Now with the AbortController, if my fetchUserData was still going, it would get terminated if the component unmounted before it resolved. Additionally, the isMounted flag helped me ensure that only my active component’s state updated. I felt relieved to see that my application became snappier, and the error messages evaporated.

Deeper Insight: Learning from the Experience

As I reflected on how easily I stumbled into a memory leak problem, I understood that state management in React isn't just about keeping track of state; it’s equally about understanding the component lifecycle and properly handling side-effects. Diving deep into the integration of asynchronous functions and how they interact with React’s lifecycle clarified a lot for me. It’s crucial to ensure that everything appears cohesive and doesn't lead to breakage during the component transitions.

I faced implications from this experience that transcended just fixing bugs. I learned to delve deeper into component lifecycles and how each part of my code interacts.

What I'd Do Differently

In hindsight, here are a few actionable steps I would recommend for anyone working with React (or thinking about working with state management):

Always plan for cleanup: Understand that with every effect you create, consider what should happen when the component unmounts.
Use AbortController: This is vital for avoiding memory leaks when making fetch requests.
Keep track of component status with flags: Make sure your state management checks whether the component is mounted before any state updates.
Test regularly: Develop a routine for testing the application in various scenarios to catch issues early.

How do you manage state and side-effects in your React applications? Have you ever faced memory leak issues before? Let's discuss your solutions and insights!

I Tidied Up Hundreds of Open Tabs with Notion Web Clipper — Here's What I Found

Kiell Tampubolon — Tue, 05 May 2026 14:42:29 +0000

It felt overwhelming—hundreds of tabs were open across my browser, each representing a piece of information I once deemed crucial. I had become a digital hoarder, accumulating resources with no plan to revisit them. It was time to act, and that’s when I stumbled upon Notion Web Clipper.

A New Approach to Information Management

As a developer based in Batam, Indonesia, my days often blur together as I juggle coding, learning, and keeping up with tech trends. My laptop’s performance suffered with every new tab I opened. I needed a better system to organize my knowledge without the digital clutter weighing me down.

After hearing about Notion Web Clipper from a fellow developer, I decided to give it a try. It promised an easier way to clip web content and store it neatly within Notion for future reference. Little did I know, this tool would not only streamline my research but also revolutionize the way I approach learning and working.

My Tab Overload Challenge

I still remember the day I decided to tackle the mess of open tabs. I had accumulated a collection of tutorials, tool documentation, and countless articles on topics ranging from "Write Code That's Easy to Delete" to AI-driven code reviews. Each tab was a potential goldmine of information but turning into an ever-growing source of distraction.

Here’s the reality: My browser was running slowly, and I constantly found myself hunting for specific information amidst the chaos. Frustration was mounting. I realized I had a serious case of tabitus, a term I just coined for my affliction.

Finding Relief: The Breakthrough

Using the Notion Web Clipper was a game-changer. I installed the extension and, over the next few days, began clipping articles, guides, and tutorials into designated pages within Notion. I set up a few databases to categorize everything into manageable pieces:

Learning - For articles I wanted to study.
Tools - Documentation for frameworks and libraries I was exploring.
Inspiration - Blog posts that sparked an idea for a project.

Like magic, I could now search for any topic, relying on either my Notion database or even asking AI for recommendations based on my notes. It transformed my chaos into clarity and significantly improved my productivity. Every time I opened Notion, I felt like I was revisiting a well-organized library instead of a messy cafe.

Diving Deeper: The Bigger Principle

The real lesson I learned was not just about using Notion Web Clipper. It was about the importance of organization in a developer's workflow. As a programmer, we often emphasize code quality, functionality, and efficiency in our projects, but how often do we apply the same principles to our knowledge management?

Maintaining a clean workspace, both physical and digital, allows for better focus and creativity. When your environment is organized, your mind can function with much more clarity. I began to see my newfound organization not just as a method but as an essential part of my professional development.

What I'd Do Differently

Reflecting on this journey, here are some actionable steps that I would recommend for anyone looking to tackle their tab overload:

Set Time Limits on Tab Openings: Create a rule for myself to only open tabs related to current tasks. If something piques my interest, I can clip it instead.
Regular Cleanup Sessions: Schedule weekly or bi-weekly sessions to revisit tabs and decide what to keep, clip, or close.
Engage with Saved Content: Allocate specific times to explore clipped resources so they don't just sit idle.
Use Tags and Folders Wisely: Tags in Notion make retrieval a breeze. Establish a consistent system for naming and categorizing to avoid future chaos.
Connect with Others: Share your insights and systems with fellow developers—feedback can inspire improvements and new approaches to organization.

A Final Thought

Digital organization might seem trivial to some, but for developers facing a constant flow of information, it can make or break productivity. Have you ever felt overwhelmed by the sheer volume of knowledge accessible today? What systems have you found effective for maintaining clarity in your work? Let’s talk about the methods you’ve discovered in the comments!

The Surprising Power of Code Reviews: Pull Requests That Saved My Project

Kiell Tampubolon — Tue, 05 May 2026 07:59:56 +0000

Introduction

Code reviews. For many developers, they are a necessary evil — a box to check in the development process. However, I have come to appreciate them as a powerful tool for elevating code quality, fostering collaboration, and improving team dynamics. Today, I want to share my journey from viewing code reviews as a mundane task to recognizing their critical role in successful projects.

Let me take you back to a project I led a few months ago. Our team was tasked with developing a complex web application with collaborative features that would require seamless integration and robust functionalities. In the early days, I saw my role as simply overseeing the process and ensuring that the final product met user expectations. However, I soon learned that underestimating the power of code reviews could lead to colossal mistakes — not just in the code, but in team morale and project outcomes.

Here’s a detailed account of my experience, the lessons learned, and the actionable strategies that transformed my approach to code reviews.

The Early Days: Ignoring Reviews Leading to Mistakes

In the project’s inception phase, I was hyper-focused on deadlines and feature deliveries. Our codebase grew rapidly, but I neglected the importance of formal reviews. I told myself, “I’ll just go over the code later; we need to push this out.” This resulted in my team producing a few hastily written functions with bugs that were not caught early on.

This atmosphere of speed over quality led to miscommunication within the team. Some developers had differing opinions on the implementation of core features, and since we weren't catching these issues through code reviews, they propelled into the main branch. For instance, an authentication feature, which was crucial, ended up with conflicting logic due to two separate devs implementing their versions without oversight. Here’s a snippet that illustrates this moment:

// Auth function without review
function authenticateUser(username, password) {
    // Assume hashPassword is a utility function we've created
    return getUserByUsername(username).then(user => {
        return user.password === hashPassword(password);
    });
}

This snippet looks benign, but unreviewed, it ended up breaking several functionalities, leading to a user panic when they faced login issues. A thread of confusion ensued, users were locked out, and our credibility took a hit.

Lesson Learned: I realized that without code reviews, we were sacrificing not only the integrity of our code but also the trust within our team and with our users. It was a wake-up call that led to the implementation of a stricter code review process.

Transforming the Code Review Process

Once I recognized the critical importance of code reviews, I began reformulating our approach. The focus shifted from a mere task to a critical collaborative process that involved everyone. Here are the steps we took:

1. Establish Clear Guidelines

I began by drafting clear, concise guidelines on our code review process. I emphasized that reviews should not only check for bugs but also assess design choices, coding standards, and documentation. Clear expectations set the tone for how we approached reviews. We settled on using GitHub pull requests, which allowed for an easy review process. Here’s an example of our guidelines:

Purpose of Review: Ensure functionality, maintainability, and clarity.
Who Reviews: At least two team members must review before merging.
Focus Areas: Structure, readability, potential edge cases, naming conventions, and performance.

2. Educating the Team

With our framework in place, it was crucial to educate the team on effective code reviewing. I scheduled a workshop where we discussed best practices. One takeaway was to ask questions rather than impose personal preferences. For example, instead of saying, "Change this variable name to 'userId'," we encouraged feedback like, "What do you think about naming this variable 'userIdentifier' for clarity?"

This approach not only improved our code quality but also fostered a culture of respect and collaborative growth. I even modeled a review for a particularly tricky component. Here’s a sample of how I structured my feedback:

### Feedback on `authenticateUser` function

1. **Rename the function**: Consider changing to `isAuthenticated` for clarity on its purpose.
2. **Add Error Handling**: If the username is not found, currently the function would return undefined, which could lead to confusion. Consider handling this case explicitly.
3. **Utility Usage**: Instead of comparing raw passwords with hashed values in this method, why not delegate that logic to a utility function? This adds to maintainability.

Lesson Learned: A clear structure around code reviews transformed them from a task into an opportunity for everyone on the team to learn from each other’s strengths and weaknesses.

Building a Culture of Continuous Improvement

With a solid review process in place, I set out to cultivate a culture of continuous improvement. This didn’t happen overnight; it took dedication and encouragement from all team members. We began celebrating great reviews. Whenever a particularly insightful comment improved code quality, we acknowledged it during our team meetings, motivating developers to take pride in their contributions.

Encourage Pair Programming

I also introduced pair programming sessions, where team members would collaborate on challenging components. This approach not only increased engagement but also minimized the chances of oversight, as developers could hash out design decisions in real-time before code even reached the review phase. Here’s a stripped-down version of an implementation process:

// Pair-programming snippet
function registerUser(userData) {
    return hashPassword(userData.password).then(hashed => {
        return db.insert({...userData, password: hashed});
    });
} // Account for registration without review

This snippet encapsulates ideas generated during pair programming sessions where we were able to identify potential flaws before they made their way to the review process.

Lesson Learned: Investing in relationships through pair programming not only improved the quality of the code but also strengthened our team’s commitment to collaborative improvement.

Conclusion

After implementing a robust code review process, I witnessed a significant transformation not just in our code quality, but also in team morale. Challenges that previously had the power to derail us became collaborative learning opportunities. We moved from a culture of blame and speed to one of accountability and quality.

Now I see code reviews as a vital part of the software development lifecycle, a necessity for building better software and a stronger team. I’d love to hear from you: What has been your experience with code reviews? Have you faced challenges in your process or found unexpected benefits? Let's discuss in the comments below!

I Shipped My First Cloudflare Worker via GitHub Actions in 47 Minutes (3 Were Wasted on the Wrong API Token)

Kiell Tampubolon — Tue, 05 May 2026 03:36:33 +0000

My first Cloudflare Worker deployed in 47 minutes. Three of those were spent staring at this exact error in a red GitHub Actions log: Authentication error [code: 10000]. I had the API token. I had the account ID. I had copy-pasted the workflow from the official docs. It still failed.

The fix was one checkbox I never selected. That checkbox is the entire reason I'm writing this post, because every tutorial I read assumed I would not get it wrong.

What I Built

A Cloudflare Worker that returns a JSON response saying hello. Three lines of actual logic. One wrangler.toml file. One GitHub Actions workflow. Push to main, the Worker is live on the edge, end of story.

The point was never the Worker itself. The point was getting the pipeline working so the next 100 commits ship themselves.

The Setup That Actually Works

Here is the worker. It lives at src/index.js:

export default {
  async fetch(request, env, ctx) {
    return Response.json({
      message: "Hello from the edge",
      region: request.cf?.colo ?? "unknown",
    });
  },
};

The wrangler.toml:

name = "hello-edge"
main = "src/index.js"
compatibility_date = "2025-01-01"

And the GitHub Actions workflow at .github/workflows/deploy.yml:

name: Deploy Worker

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cloudflare/wrangler-action@v3
        with:
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

That is the whole thing. Three files. Roughly 25 lines including blanks.

The 3 Minutes I Want Back

The first time I pushed, the Action failed in 11 seconds with Authentication error [code: 10000]. I assumed I had pasted the token wrong. I rotated it. Same error. I checked the secret name. Correct. I read the wrangler-action README twice. I started questioning the structure of reality.

What I had done: created a Cloudflare API token using the "Read All Resources" template because I was being cautious. That token can read everything and write nothing. Wrangler needs to write. The fix was to use the "Edit Cloudflare Workers" template instead, which scopes write access to exactly the Workers resource and nothing else.

The reason this isn't obvious from the error: code 10000 is Cloudflare's generic auth failure. It does not say "your token has no write permission." It says "auth bad." Three minutes of my life, gone, to a missing checkbox.

The other gotcha most posts skip: the Account ID is not a secret. It's visible in your dashboard URL. Storing it as a GitHub secret is fine, but it's not protecting anything sensitive. The API token is the actual key to the kingdom. Do not commit it. Do not log it. Rotate it if you so much as look at it sideways in a public terminal.

Why I Bothered With CI/CD on Day One

Honest answer: I almost didn't. The Cloudflare dashboard has a perfectly fine "Connect to Git" button that wires up auto-deploys without writing a single line of YAML. For a beginner shipping one Worker, that is the faster path.

I went with GitHub Actions anyway because of one thing: control. The wrangler-action approach lets me add steps I'll need later, like running tests before deploy, deploying to a staging environment first, posting to Slack on failure, gating on a manual approval. The dashboard integration gives me a black box. The Actions workflow gives me a file I can read.

The trade is more setup time now (about 15 extra minutes) for unlimited flexibility later. For a learning project, that's the right trade. For shipping a one-off marketing site, just click the button.

The First Successful Deploy

It logged this:

Total Upload: 0.42 KiB / gzip: 0.30 KiB
Uploaded hello-edge (1.15 sec)
Deployed hello-edge triggers (0.32 sec)
  https://hello-edge.<my-subdomain>.workers.dev

I clicked the URL. It loaded in 38 milliseconds from a Singapore data center. I am writing this from Batam, Indonesia, so that's roughly 60 km away. My code, on a server, 60 km from me, deployed by a GitHub Action I wrote 47 minutes ago.

The thing I was not expecting: the satisfaction came from the pipeline, not the Worker. Pushing to main and watching the green check appear on GitHub, knowing my Worker is now live globally without me touching the Cloudflare dashboard, that's the actual feature. The Worker is a hello world. The CI/CD is the real thing I built.

What This Teaches

Three things, if you're about to do this for the first time:

Use the "Edit Cloudflare Workers" API token template, not "Read All Resources" or any custom one you build yourself. The pre-baked template has the exact scopes wrangler needs. Custom tokens are how you lose 3 minutes to error code 10000.

Set up the Actions pipeline before your code is interesting. A boring Worker behind a working pipeline is worth more than a clever Worker you deploy by hand. The pipeline compounds. Your hand-deploys do not.

The Account ID is public, the API token is not. Store both as secrets if it makes your life easier, but understand which one matters. One leak is a footgun. The other leak is a key handed to a stranger.

What I'm Building Next

Next step is preview deploys per pull request, so every PR gets its own *.workers.dev URL automatically. I think the answer is a second job in the workflow keyed on pull_request, plus a comment bot that posts the preview URL on the PR.

If you've done this with Workers (not Pages, that's the easy mode), what does your workflow look like? And what's the one CI/CD mistake you wish someone had warned you about on day one?

I Connected 11 MCP Servers. 3 of Them Actually Did Anything.

Kiell Tampubolon — Mon, 04 May 2026 14:39:34 +0000

I spent a weekend connecting every MCP server that sounded useful. By Sunday night I had 11 running, a claude_desktop_config.json that scrolled off the screen, and an agent that was technically capable of doing almost anything. In practice, it was doing almost nothing useful.

What I learned had very little to do with which servers are "good."

The List Looks Better Than It Performs

The MCP ecosystem has exploded. There are directories with thousands of servers now. You can connect your agent to GitHub, Notion, Google Drive, Slack, your calendar, your email, your databases, your browser, a web search tool, a weather API, and about 40 other things I cannot remember anymore. The pitch is always the same: connect everything and your agent becomes superhuman.

What nobody tells you is what happens to your context window when you do.

Every MCP server shows up in your agent's prompt as a block of tool definitions: name, description, parameter schema. This is not free. Perplexity's CTO said publicly in March that tool descriptions alone eat 40 to 50% of available context before the agent touches a single real task. I ran my own rough test with 11 servers and came out around 35%. One third of my agent's thinking capacity, gone before the first message. The agent still technically worked. It just worked slower, cost more per turn, and occasionally picked the wrong tool because it had 80 options to reason about instead of a handful.

What I Kept

After a week of watching which tools the agent actually called, I stripped it down to three: web search, my calendar, and file system access to one specific folder.

My claude_desktop_config.json went from this kind of sprawl:

{
  "mcpServers": {
    "brave-search": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-brave-search"] },
    "github": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"] },
    "notion": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-notion"] },
    "slack": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-slack"] },
    "google-calendar": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-google-calendar"] },
    "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you"] },
    "puppeteer": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-puppeteer"] }
  }
}

To this:

{
  "mcpServers": {
    "brave-search": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-brave-search"] },
    "google-calendar": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-google-calendar"] },
    "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you/work"] }
  }
}

Note the filesystem path change. /Users/you gave the agent access to everything on my machine. /Users/you/work gives it access to what it actually needs. Smaller scope, less noise in file lookups, faster responses.

The difference was immediate and embarrassing. I had spent a whole weekend adding capabilities, and the agent got noticeably better the moment I removed most of them.

Web search is the tool that punches farthest above its weight. An agent that can look something up in real time stops being a static oracle and becomes useful for questions whose answers change. Calendar access mattered more than I expected, not because the agent scheduled things for me, but because it could check whether I had time before suggesting I do something. "You have a 2-hour block on Thursday" as context is qualitatively different from a suggestion with no time anchor. File system access scoped to one working folder let me point the agent at my notes and drafts without handing it my entire machine.

Everything else I connected was called once or twice across a full week of actual use, then never again. GitHub: technically impressive, practically unnecessary because I just used the CLI. Notion: ran three queries, never opened it through the agent again. Slack: the agent drafted messages I never sent. Browser automation: impressive in a demo, zero practical value in my real workflow.

The Rule I Wish Someone Had Told Me Earlier

A connected MCP server costs you context whether or not you ever use it. The tool definitions sit in the prompt on every single turn. The agent reasons about whether to invoke them each time. More servers is not "free and neutral, then occasionally useful." More servers is always a cost, and only sometimes worth it. That is a fundamentally different calculation.

An MCP list that looks impressive in a screenshot will slow your agent down in production. Connect what you actually use, not what sounds good.

Before adding any server, the right question is not "could this be useful?" It is "did I actually need this in the last seven days?" If the answer is no, leave it disconnected. You can always add it back in thirty seconds.

What I Would Do Differently

Start with zero servers. Use the agent for a week on its base model alone. Write down every moment you hit a wall, something the agent could not do that you genuinely needed. Then connect exactly those servers and nothing else. Nothing else.

Most of the value in AI agents right now does not come from the size of the tool list. It comes from the agent having enough context headroom to reason clearly about the few tools it has. A focused agent with 3 servers beats a loaded one with 11. At least that is what a weekend of overengineering taught me.

If you have used MCP in a real workflow beyond demos, I want to know two things: which server do you use every single day, and which one did you connect and quietly never call again? Drop both. The most useful answers get turned into a proper teardown post with real usage data.

I Built an OSINT Aggregator That Queries 5 Threat Intel Sources in One Command

Kiell Tampubolon — Fri, 01 May 2026 11:54:36 +0000

One night. One command. Full threat intelligence picture.

The Problem

Every time I needed to check if an IP or domain was malicious, I'd end up with 5 browser tabs open:

VirusTotal
AlienVault OTX
Shodan
NVD CVE Database
GitHub Security Advisories

Copy. Paste. Wait. Repeat. Cross-reference. Then make a decision.

This workflow is fine once. But when you're triaging multiple alerts during an incident, or doing OSINT research on a list of indicators — it's a massive time sink.

So I built a tool to automate it.

Introducing SentinelScout

SentinelScout is an open-source CLI tool that queries 5 threat intelligence sources simultaneously, then uses AI to correlate the results into a single, actionable threat score.

$ sentinelscout query suspicious-domain.xyz

Query: suspicious-domain.xyz (5 sources)

Source         Status  Severity  Result
──────────────────────────────────────────────
Virustotal      [+]     HIGH     67/94 engines flagged
Alienvault      [+]     HIGH     3 pulses found, tags: [apt] [phishing]
Shodan          [+]     INFO     4 open ports detected
Cve             [-]     LOW      No known CVEs found
Github Adv      [-]     LOW      No advisories found

Threat Score: 87/100 [CRITICAL]

No browser tabs. No copy-pasting. Just answers.

How It Works

The tool is built on three pillars:

1. Async Python — Everything Runs in Parallel

All 5 sources are queried concurrently using Python's asyncio. Results come back in 2-4 seconds total, regardless of how slow any single source is.

async def _query(indicator: str, sources_filter: list[str] | None) -> AnalysisReport:
    all_sources: list[BaseSource] = [
        VirusTotalSource(),
        AlienVaultSource(),
        ShodanSource(),
        CVESource(),
        GitHubAdvSource(),
    ]
    if sources_filter:
        all_sources = [s for s in all_sources if s.source.value in sources_filter]

    tasks = [s.query(indicator) for s in all_sources]
    results = await asyncio.gather(*tasks)
    return AnalysisReport(indicator=indicator, sources=list(results))

The asyncio.gather() call fires all 5 API requests simultaneously. If one source is slow, it doesn't block the others. Total wait time = slowest source, not sum of all sources.

2. Source Adapters — Pluggable Architecture

Each threat intel source has its own adapter class that handles:

API authentication
Request/response handling
Data normalization to a standard IOCResult model

Adding a new source is just creating a new class:

class MySource(BaseSource):
    name = "mysource"
    source = Source.MYSOURCE

    async def query(self, indicator: str) -> IOCResult:
        # your scraping logic here
        return IOCResult(...)

Every adapter returns the same shape. The CLI doesn't care which source it came from — it just formats and displays it.

3. AI Correlation — Making Sense of It All

When you add an OpenAI API key, GPT-4o-mini reads all the raw results and generates:

A plain-English threat summary
A 0-100 threat score
A severity label (LOW / MEDIUM / HIGH / CRITICAL)

This is especially useful when different sources give conflicting signals — AI helps you make a judgment call instead of staring at contradictory data.

Supported Sources

Source	Type	API Required	Free Tier
VirusTotal	Domain/IP/Hash	Yes	500 req/day
AlienVault OTX	IP/Domain/Hash	Yes	10k pulses/day
Shodan	IP only	Yes	100 queries/month
NVD CVE	Vulnerabilities	No	Unlimited
GitHub Advisories	Vulnerabilities	No	Unlimited

Two sources (CVE and GitHub) work out of the box with no API key needed.

Quick Start

pip install sentinelscout

Get free API keys:

VirusTotal: virustotal.com/gui/my-apikey
AlienVault OTX: otx.alienvault.com/api
Shodan: account.shodan.io
OpenAI: platform.openai.com/api-keys (optional)

Set your keys:

export VIRUSTOTAL_API_KEY=your_key
export ALIENVAULT_API_KEY=your_key
export SHODAN_API_KEY=your_key
export OPENAI_API_KEY=your_key  # optional

Run it:

sentinelscout query suspicious-domain.xyz
sentinelscout sources   # check config status
sentinelscout --help

Project Structure

sentinelscout/
├── cli.py              # CLI entrypoint (Typer + Rich)
├── analyzer.py         # AI correlation engine (OpenAI)
├── config.py           # .env loader
├── models.py           # IOCResult, AnalysisReport dataclasses
├── sources/
│   ├── base.py         # BaseSource abstract class
│   ├── virustotal.py   # VirusTotal API client
│   ├── alienvault.py   # AlienVault OTX client
│   ├── shodan.py       # Shodan API client
│   ├── cve.py          # NVD CVE feed scraper (no key needed)
│   └── github.py       # GitHub Security Advisories (no key needed)
└── pyproject.toml      # package metadata

What I Learned

Async Python is powerful. Once you wrap your head around asyncio.gather(), you start seeing parallelism everywhere. It's the difference between a tool that takes 15 seconds and one that takes 3.

Structured data models > raw dicts. Defining IOCResult and AnalysisReport as clean dataclasses made the entire codebase simpler. Every source adapter returns the same shape. No more ad-hoc dict handling.

The best projects come from personal pain. I didn't build SentinelScout to impress anyone. I built it because I was annoyed with my own workflow. That specific irritation is what kept me going through the 3-hour build session — and it's what makes the tool actually useful, not just impressive-looking.

What's Next

Ideas on the roadmap:

🌐 Web UI (Gradio or Streamlit) for non-CLI users
📊 JSON/CSV export for SIEM integration
🤖 Telegram bot for on-the-go IOC queries
🔗 More sources: GreyNoise, AbuseIPDB, ThreatFox

Get the Code

Full source code, installation instructions, and documentation:

👉 github.com/glatinone/sentinelscout

Star it if you find it useful. Issues and PRs welcome.

Built with Python 3.10+, Typer, Rich, and httpx. No paid dependencies — runs entirely on free-tier APIs.