The latest articles on DEV Community by Whetlan (@whetlan). https://dev.to/whetlan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3810837%2Fe139c2b0-30b8-40b6-88b6-22c31c93d6cb.png https://dev.to/whetlan en Whetlan Tue, 21 Apr 2026 10:42:18 +0000 https://dev.to/whetlan/i-asked-an-llm-to-generate-20-trading-strategies-14-were-the-same-thing-2f36 https://dev.to/whetlan/i-asked-an-llm-to-generate-20-trading-strategies-14-were-the-same-thing-2f36 <p>A few months ago I asked an LLM to generate twenty trading strategies.</p> <p>Fourteen were the same thing.</p> <p>Not similar ideas. Not variations on a theme. The same mean-reversion logic with different lookback windows and parameter names.</p> <p>I gave it historical price data, told it to find patterns, output entry/exit rules in Python. Ten minutes later I had twenty strategies. Clean code, proper docstrings, sensible-looking parameters.</p> <p>I backtested all twenty. Twelve looked profitable. Some showed 200%+ annual returns.</p> <p>Then I actually read the code.</p> <p>Same structure. Same assumptions. Same failure mode: in a trending market, they'd all keep buying into a falling asset with no awareness anything had changed.</p> <p>That's when I stopped thinking of LLMs as strategy generators and started thinking of them as very confident interns who hand you the same report twenty times with different cover pages.</p> <h2> People are giving these things real money now </h2> <p>Since then I've watched this move from experiment to actual deployment.</p> <p>RockAlpha has LLMs managing $100K stock portfolios that retail users can copy-trade. Aster DEX ran an arena where AI agents traded against humans—the humans got liquidated at 43%, the AIs at 0%. On GitHub, ai-hedge-fund has 56K stars and LLM personas of Warren Buffett and Charlie Munger debating trades.</p> <p>Last October a company called nof1.ai gave six frontier LLMs $10,000 each in real money and let them trade crypto perpetual contracts. No human intervention. Same prompts, same data feeds, same execution terms. Seventeen days.</p> <p>Two made money. Four got destroyed.</p> <h2> It's not the model. It's what the model sees. </h2> <p>Nof1 ran a second round on US stocks. A mystery model won with +12.1%, later revealed as Grok 4.20.</p> <p>It didn't win because it was smarter. It was processing 68 million tweets per day through the X Firehose, generating signals within minutes. GPT-5.1 had 15-minute delayed news summaries. Gemini was working from SEC filings with 30+ minute delays.</p> <p>RockAlpha's ongoing arena shows the same pattern. DeepSeek keeps outperforming across market regimes. Not because it reasons better, but because High-Flyer Quant built the model with time-series data and risk management baked in from training.</p> <p><strong>The model matters less than what it was trained on and what it's looking at.</strong></p> <p>People comparing "GPT vs Claude vs Gemini" for trading are asking the wrong question.</p> <h2> Three generations of trading software </h2> <p>I worked on an MT4 bridge once. About 50,000 lines of C++. FIX protocol integration, order routing, the whole thing.</p> <p>MQL4 was designed for people who think in moving averages and crossover signals. You write a rule, attach it to a chart, watch it go. That was Gen 1: human writes the rule, machine executes it.</p> <p>But here's what people forget. Before MT4, indicators like moving averages and RSI were tribal knowledge. Stuff you picked up from other traders, maybe a book if you were lucky. MT4 turned that into reusable components. Click a button, get an RSI.</p> <p>That's Gen 1's real legacy. <strong>It crystallized the indicators.</strong></p> <p>Gen 2 built on top of those indicators.</p> <p>Frameworks like vnpy (14K stars), backtrader, freqtrade. Python-based. You define your indicators, the framework runs genetic algorithms or grid search to find the best parameters.</p> <p>Gen 2 crystallized the <strong>strategy</strong>. Not just individual indicators, but combinations of them—entry rules, exit rules, position sizing, all packaged into something reusable.</p> <p>I evaluated a few of these when I was looking at Python quant stacks. They work, technically. But Python's GIL kills you on anything latency-sensitive, and the optimization loop is a trap. You can always find parameters that backtest beautifully.</p> <p>Gen 3: ML enters. QuantConnect, WorldQuant BRAIN.</p> <p>Instead of optimizing parameters on fixed indicators, you build a feature pool and let XGBoost or LightGBM figure out which combinations matter.</p> <p>Gen 3 crystallized the <strong>system</strong>. The whole pipeline. Data ingestion, feature engineering, model training, risk management, execution.</p> <p>What Renaissance Technologies needed hundreds of PhDs and decades to build, QuantConnect turned into a platform.</p> <p>Each generation left something behind for the next one to stand on. Indicators. Strategies. Systems.</p> <p>Each one also hit the same wall: <strong>the gap between backtest and live performance.</strong></p> <p>The interesting question isn't why they all hit this wall. It's what happens when someone can build on all three layers at once.</p> <h2> Two failure modes </h2> <p>After watching arena results and looking at how LLMs behave with financial data, I think there are two distinct failure modes that keep showing up.</p> <h3> Strategy Hallucination </h3> <p>The LLM generates strategies that look structurally valid but encode no real market insight.</p> <p>My twenty mean-reversion clones were this. Proper entry/exit logic, proper position sizing, proper risk management. Also all exploiting the same artifact in the training data.</p> <p>A human quant would have caught it in five minutes. I caught it in two hours. Someone less experienced might not catch it at all.</p> <p>The arena results suggest this happens at model level too. GPT-5 and Gemini generated plausible-looking trading behavior that fell apart under real conditions. The strategies "made sense" the way a hallucinated Wikipedia article makes sense. Coherent. Confident. Wrong.</p> <h3> Backtest Overfitting Blindness </h3> <p>The LLM doesn't understand that a beautiful backtest is a warning sign, not a success metric.</p> <p>When I asked it to generate strategies with "strong backtesting performance," it optimized for exactly that. Curve-fitted parameters, lookahead bias in feature construction, survivorship bias in asset selection. Every quant knows these traps. The LLM walked into all of them with total confidence.</p> <p>Here's what one looked like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># What the LLM generated (looks clean): </span><span class="k">def</span> <span class="nf">signal</span><span class="p">(</span><span class="n">prices</span><span class="p">,</span> <span class="n">window</span><span class="o">=</span><span class="mi">14</span><span class="p">,</span> <span class="n">threshold</span><span class="o">=</span><span class="mf">2.0</span><span class="p">):</span> <span class="n">zscore</span> <span class="o">=</span> <span class="p">(</span><span class="n">prices</span> <span class="o">-</span> <span class="n">prices</span><span class="p">.</span><span class="nf">rolling</span><span class="p">(</span><span class="n">window</span><span class="p">).</span><span class="nf">mean</span><span class="p">())</span> <span class="o">/</span> <span class="n">prices</span><span class="p">.</span><span class="nf">rolling</span><span class="p">(</span><span class="n">window</span><span class="p">).</span><span class="nf">std</span><span class="p">()</span> <span class="k">return</span> <span class="n">zscore</span> <span class="o">&lt;</span> <span class="o">-</span><span class="n">threshold</span> <span class="c1"># buy when "oversold" </span> <span class="c1"># What it didn't tell you: # - window=14 was fit to this specific dataset # - threshold=2.0 maximized backtest returns # - this exact pattern appears in 14 of 20 "different" strategies # - in a trending market, zscore stays below -threshold for weeks # and you keep buying into a falling knife </span></code></pre> </div> <p>These two failure modes compound. The LLM hallucinates strategies, then fits them perfectly to historical data. Results look incredible on paper.</p> <p>The worse part: the more strategies you generate, the more likely at least one shows amazing backtest results purely by chance.</p> <h2> What seems to work so far </h2> <p>I don't have this figured out yet. But after the twenty-clones incident and watching six months of arena results, a few things seem consistent.</p> <h3> Don't let the LLM pick parameters </h3> <p>Use it to generate structure—indicator combinations, entry logic, risk rules. Then run parameter optimization through something that understands walk-forward testing, out-of-sample validation, and transaction costs.</p> <p>The LLM proposes. Something that can actually do math evaluates.</p> <h3> Treat outputs as hypotheses </h3> <p>This sounds obvious, but it's not how most people use them.</p> <p>When the LLM hands you a strategy with a 180% annual return, the natural reaction is to start looking for reasons it might work. Flip it. Start by assuming it doesn't work and look for reasons the backtest is lying to you.</p> <h3> Check for actual diversity </h3> <p>Before running a batch of LLM strategies, cluster them.</p> <p>If your "50 different strategies" collapse into four underlying patterns, you don't have diversification. You have four strategies wearing costumes.</p> <p>I should have done this before getting excited about twelve profitable backtests.</p> <h2> What I keep thinking about </h2> <p>I wrote something a while back about <a href="https://alanlan.substack.com/p/the-trident-and-the-green-ox" rel="noopener noreferrer">a metaphor that stuck with me</a>. A rider on an ox, carrying a trident. The ox is raw power, the trident is precision.</p> <p>The three generations of trading software? That's the trident being forged. Indicators, strategies, systems. Each layer more precise than the last.</p> <p>The arenas skipped all of it. Gave the LLM money and said go. Most crashed.</p> <p>But here's what keeps me thinking. Building a Gen 3 system used to require a team, serious funding, years of work. The kind of thing only a Medallion Fund or a QuantConnect could pull off.</p> <p>With AI, one person can realistically assemble their own version. Not a toy version. An actual pipeline with data ingestion, feature engineering, walk-forward validation, risk controls.</p> <p>AI doesn't replace the three generations of accumulated knowledge. It makes them accessible.</p> <p>I don't know what Gen 4 looks like yet. But if enough people are standing on Gen 3 instead of being locked out of it, we'll probably find out faster than anyone expects.</p> <p>I've been building in this direction. Slowly figuring out what the right pieces are. Still making mistakes, but at least they're new mistakes.</p> <p>I might be overfitting my own conclusions here. But from what I've seen, the pattern holds.</p> <p>What does your setup look like? Has anyone else tried running LLM-generated strategies through traditional backtesting infrastructure and actually survived? Curious what failure modes you hit.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> ai trading python discuss Whetlan Tue, 07 Apr 2026 11:00:01 +0000 https://dev.to/whetlan/why-ai-code-needs-the-same-rigor-we-should-have-been-using-all-along-1kk4 https://dev.to/whetlan/why-ai-code-needs-the-same-rigor-we-should-have-been-using-all-along-1kk4 <p><strong>Context</strong>: This came out of a discussion on <a href="https://news.ycombinator.com/item?id=47587953" rel="noopener noreferrer">"Slop is not necessarily the future"</a>. I commented that technical debt from sloppy code shows up too late to fix. someone replied: "Humans also write sloppy code." That's absolutely right, but it got me thinking about what's actually different when AI is involved.</p> <p>The whole "AI writes sloppy code" vs "humans write sloppy code too" thing has been going around, and it keeps bugging me. Not because either side is wrong. It's that both kind of miss what actually goes wrong in practice.</p> <p>I've been using AI to generate code pretty heavily. The problems I keep running into aren't that different from the problems I've caused myself over the years. The difference is speed and volume. But there's something specific that keeps nagging at me: <strong>when AI misunderstands what you want, it commits fully to the wrong interpretation</strong>. No clarifying questions. Just goes.</p> <p>Two things I keep coming back to: the gap between what you meant and what got built, and the fact that you can't predict which code will stick around.</p> <h2> Where things actually go wrong </h2> <p>AI has extremely wide understanding. Ask it to solve a problem, it knows dozens of valid approaches. When your prompt is vague, it just picks one and runs with it.</p> <p>Some examples I've hit:</p> <p><strong>"Add error handling"</strong> and it wraps everything in try-catch with console.log. I wanted typed error propagation so the caller could decide. <strong>"Make this faster"</strong> and it rewrites the hot path with a clever optimization. Benchmarks look great. Two weeks later there's corrupted data in edge cases I didn't mention. <strong>"Add validation"</strong> and it puts input checks at the API boundary when I meant the domain layer. Now validation is in the wrong place and the domain model still accepts invalid state.</p> <p>Humans do this too. But humans usually ask clarifying questions first. AI just commits.</p> <p>At any given moment, your understanding of what you need and AI's interpretation of what you asked for are two different things. And whatever gets written ends up somewhere in that gap.</p> <h2> You don't know what sticks around </h2> <p>A Google engineer in the thread mentioned something that stuck with me:</p> <blockquote> <p>"I think I calculated the half-life of my code written at my first stint of Google (15 years ago) as 1 year. Within 1 year, half of the code I'd written was deprecated, deleted, or replaced, and it continued to decay exponentially like that throughout my 6-year tenure there.</p> <p>Interestingly, I still have some code in the codebase... I submitted about 680K LOC and 2^15 is 32768, so I'd expect to have about 20 lines left, which is actually surprisingly close to accurate (I didn't precisely count, but a quick glance at what I recognized suggested about 200 non-deprecated lines remain in prod)."</p> </blockquote> <p>680,000 lines down to ~200 in 15 years. But here's the key: the author expected 20 lines based on exponential decay, got 200. <strong>10x off.</strong> Even with a mathematical model, you can't predict which code survives. And those 200 lines? Probably not the ones he'd have chosen to keep.</p> <p>You write a quick fix to ship something. Three years later it's still there, load-bearing infrastructure. The placeholder variable name is part of the public API.</p> <p>AI makes this worse. You can generate a thousand lines of "just get it working" code in ten seconds. How much of that will still be running three years from now? No idea.</p> <h2> What I've Settled On: Test Everything, Then Test It Again </h2> <p>So you've got two problems: AI might not understand what you meant, and you can't predict which code becomes permanent.</p> <p>What I've settled on is <strong>100% test coverage at every level</strong>. Yeah, that sounds extreme, and in practice you never actually get there. But treating it as the goal changes how you work.</p> <p>Not just "write some tests." Unit tests (does each piece do what it's supposed to?), integration tests (do the pieces work together?), business logic tests (does it actually solve the business problem?), and system tests end-to-end. The unit tests catch "AI picked the wrong algorithm." The integration tests catch "AI put validation in the wrong layer." The system tests catch edge cases you didn't know existed.</p> <p>What took me a while to realize: <strong>tests aren't just for catching bugs here. They're for verifying that what got built is actually what you had in your head.</strong> The whole chain from your mental model to a natural language prompt to AI's interpretation to generated code, every step is lossy. Tests are how you check whether the signal survived.</p> <h2> Where It Gets Iterative </h2> <p>Even with all that coverage, you're only testing against what you currently understand. There are always gaps.</p> <p>First pass: you write tests based on your understanding, AI generates code, tests pass, you think you're done. Then you start poking at corner cases. What if the input is empty? What about two operations at once? You find gaps, add tests, some fail, code gets fixed.</p> <p>Then you do something that feels weird: you ask AI to find the edge cases you missed. "What am I not testing?" Turns out AI is actually good at this, because it's seen thousands of similar systems fail. It suggests scenarios you hadn't considered. More tests. More failures. More fixes.</p> <p>I had this happen with a data processing pipeline. Happy path tests all passed. Then I started asking about mid-record stream failures, malformed data that passes validation but breaks downstream, concurrent workers hitting the same data. Half the new tests failed. Asked AI what else could go wrong. It came back with memory exhaustion, unavailable output destinations, crash recovery. Hadn't thought about any of those. By the end I had a system that was genuinely solid, not because AI wrote perfect code, but because the back-and-forth kept closing gaps.</p> <p>Each iteration, you clarify what you actually need, AI understands better, and the tests protect code that might survive years.</p> <h2> When the code quietly changes meaning on you </h2> <p>One specific thing that burned me: AI optimized a hot path in a system I maintain. Benchmarks looked great. Tests passed. Two weeks later, corrupted output in edge cases.</p> <p>The optimization changed the semantics in a way my tests didn't verify. Still a pure function in the common case, but not in the rare one. Code looked correct at the time. Passed everything. Hidden semantic shift just waiting to bite.</p> <p>After that I added a rule: any AI-generated change needs tests that verify <em>the semantics didn't drift</em>. If it's supposed to be a pure function, write a property test that proves it. Idempotent? Run it twice and check. This isn't about who or what wrote the code. It's about having a process that verifies the code actually matches what you meant, and holds up over time.</p> <h2> What Else Changed </h2> <p>Testing is the core, but other stuff had to tighten up too.</p> <p>CI gates that don't bend. Every AI-generated PR hits the same pipeline: tests pass, coverage at 90%, build succeeds. We used to let things slide when rushing. When code is getting generated this fast, the question is how to keep everything else up.</p> <p>Code review changed focus. Used to be about catching mistakes. Now it's: "Are these tests comprehensive enough? Did we verify the edge cases? Is this even the right approach?" The assumption is the code works. Review is about whether we're solving the right problem.</p> <p>One thing that surprised me: bug density for AI code vs human code, when both have the same test coverage? Basically no difference. The problem was never AI. It was misaligned requirements and untested processes. Maybe it always was.</p> <h2> The part that's actually hard </h2> <p>None of this is technically difficult. It's cultural.</p> <p>For years we treated tests as "nice to have" or "we'll add them later." Shipped fast, cut corners, celebrated velocity. AI makes that unsustainable. When code is cheap, the bottleneck moves. Writing code isn't the expensive part anymore. <strong>Figuring out what you actually need, making sure what got built matches that, making sure it holds up over time.</strong> That's the expensive part now.</p> <p>nocman had this comment on HN about treating code as craft, how it's not optional, it's how you build things that last. I agree, but not the way most people mean it. Craft isn't about hand-writing every line. It's about knowing exactly what's in your system and why. Doesn't matter who wrote it.</p> <p>If you're using AI to generate code but not investing in this kind of iterative verification, you're building on quicksand. Some of that code will be fine. Some will survive for years. You won't know which is which until it's too late.</p> <p>The answer isn't "use AI less." It's: build the process around it. Tests at every level. Iterative gap-closing. CI that actually enforces things. Review focused on approach, not syntax. Not because of who or what writes the code. Because you need a process that makes sure the code matches what you meant, and survives what comes next. That's not something you can wing.</p> <p><em>Originally posted on a HN thread about AI slop. Someone said humans write sloppy code too. They're not wrong. I just think the interesting question is somewhere else.</em></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> ai testing programming productivity Whetlan Fri, 03 Apr 2026 00:53:42 +0000 https://dev.to/whetlan/your-ai-agents-can-talk-they-just-cant-find-each-other-jig https://dev.to/whetlan/your-ai-agents-can-talk-they-just-cant-find-each-other-jig <p>Local AI is getting cheap. Really cheap. Open-weight models that used to need a data center now run on consumer GPUs, and the small ones fit on a phone. MCP gives them a way to communicate, A2A gives them a task protocol. Most of the wiring exists.</p> <p>I've been running a few agents on my home network. One does code review, one runs automated tests, one generates docs. They all speak MCP. The protocols work fine.</p> <p>Here's the dumb part: none of them know the others exist.</p> <p>The agent on machine-1 has no idea there's another agent on machine-2. I have to manually tell each one: "hey, 192.168.1.42 port 8080, there's someone there you can talk to." IP changes? Reconfigure. Add a new machine? Update every existing agent. I kept assuming there was some obvious solution I was missing.</p> <h2> Protocols assume you already know where to look </h2> <p>MCP defines how agents communicate. Google's A2A goes further and specifies Agent Cards, basically a business card format for agents. Both useful, both quietly assuming the same thing: you already know where the other agent is.</p> <p>On my LAN, that assumption fell apart immediately. Four machines, no central registry, no DNS records pointing to any of these agents. Nothing that can answer "what's even running right now?" Google's approach leans toward one coordinator managing everything, which is fine if you actually have a central brain. I didn't.</p> <h2> Agents aren't microservices </h2> <p>"Just use service discovery. mDNS, Consul, etcd, pick one."</p> <p>That was my first instinct too. Tried a couple of them, spent more time on it than I'd like to admit. They solve the "where is this thing" question, but agents need more than an address. What can this agent do? Is it busy right now? What's its public key? Should I trust it, have we worked together before, what's its track record?</p> <p>None of those tools track any of that.</p> <p>I thought it was a discovery problem at first. It isn't. It's closer to identity. Something that binds a name, an address, capabilities, a public key, and trust history together in one record.</p> <h2> What I built </h2> <p>I ended up writing <a href="https://github.com/Lattice9AI/ClawNexus" rel="noopener noreferrer">ClawNexus</a>, an identity registry for AI agents. I didn't want to call it "service registry" or "DNS" because it does more than map addresses. Closer analogy is a business registration bureau. Not just your street address, but who you are, what you do, what your track record looks like.</p> <p>The discovery part layers a few methods together (UDP broadcast, mDNS, subnet scanning). Start an agent, it shows up. Stop it, it disappears. Each agent gets a human-readable name instead of <code>192.168.1.42:8080</code>, bound to a public key so changing IPs doesn't break identity. Cross-network traffic goes through an encrypted relay that can't read the content.</p> <p>It also generates A2A Agent Cards for discovered agents automatically, so anything speaking that protocol can find and call them without extra setup.</p> <p>Open source, MIT. <code>npm install</code> and it runs.</p> <h2> After discovery, things get fuzzy </h2> <p>So agents can find each other. Then what?</p> <p>When agents register, they declare capabilities. "I can do code review." "I can run benchmarks." That metadata travels with the identity, so when another agent discovers you, it already knows what you can do.</p> <p>I've been messing with a cloud layer on top of this that tracks how those capabilities evolve over time, which agents have communicated, what kind of work they've exchanged. Honestly it's pretty early and I keep going back and forth on how much of this belongs in a registry versus being a separate thing entirely. The boundary isn't obvious.</p> <p>The scenario I keep coming back to: if one agent is reliably good at a certain kind of task, other agents should be able to find it and request help directly, without me manually routing things. Whether that actually works in practice, I don't know yet. The cloud piece is still experimental and I don't want to describe it like it's further along than it is.</p> <h2> I'm not sure this is the right abstraction </h2> <p>MCP went toward communication protocols. A2A went toward task protocols. Identity seems like something everyone just assumes they'll deal with later, and maybe that's fine. Maybe it should be embedded inside an existing protocol instead of being a separate layer. Maybe everything ends up on a few big platforms anyway and decentralized identity becomes irrelevant.</p> <p>I genuinely don't know.</p> <p>But if you're running a few agents on your own network right now, and you want them to find each other and communicate securely, you'll notice there isn't really a standard answer for that. Models keep getting smaller and cheaper, more people are going to run local agents, and the discovery question doesn't go away on its own.</p> <p>My answer might be wrong. The problem is real though.</p> <p>Code: <a href="https://github.com/Lattice9AI/ClawNexus" rel="noopener noreferrer">github.com/Lattice9AI/ClawNexus</a></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> ai programming node mcp Whetlan Thu, 02 Apr 2026 10:00:02 +0000 https://dev.to/whetlan/the-hardest-part-of-modern-c-isnt-the-language-4p5h https://dev.to/whetlan/the-hardest-part-of-modern-c-isnt-the-language-4p5h <p>I've been a C programmer for most of my career. The kind who can feel what the CPU is doing. Move a register here, touch a block of memory there, shave off a microsecond. When you think at that level for long enough, you start to resent anything that calls itself "modern."</p> <p>Not because you can't learn it. Because it feels wrong. Too many layers between you and the metal.</p> <h2> C with classes </h2> <p>For years, my C++ was really just C with classes. I found out later that most people who put "C++ engineer" on their resume are doing exactly the same thing. That's where you plateau, and it's a comfortable plateau. You ship code. It works. Nobody complains.</p> <p>And a lot of people never leave that plateau. I'm not talking about junior developers. I'm talking about engineers with decades of C experience who never made the jump. The mental model of C is: I own every byte, I control every allocation, I decide when memory lives and dies. Accepting that a destructor will clean up for you, that you should <em>stop</em> calling <code>delete</code>, that <code>std::unique_ptr</code> knows better than you do when to free memory... that goes against everything a C programmer was trained to believe. Plenty of good engineers looked at that and said no thanks.</p> <p>I almost did too. But then <code>std::vector</code> clicked. Then RAII clicked. Then I ran into <code>compare_exchange_strong</code> and <code>compare_exchange_weak</code> and spent a full day understanding when to use which one. Then C++17 arrived with SFINAE and template metaprogramming.</p> <p>I questioned my life choices.</p> <h2> 50,000 lines by hand </h2> <p>But I kept going, because the payoff was real.</p> <p>My first serious Modern C++ project was a bridge layer between a trading platform and a strategy execution service. About 50,000 lines, took six months to write by hand. I picked C++ for speed and RAII, and the results justified the pain: on Windows 10, the process started at 22MB of memory, dropped to 11MB after running for a week. On Windows 11, 36MB at start, 12MB after a week. It was pulling tick data for every instrument at full frequency, the entire time.</p> <p>That was the stage where I could <em>use</em> Modern C++. Vectors, smart pointers, move semantics, atomics. I'd crossed the first two hurdles: from C to C-with-classes, and from C-with-classes to C++11/14. Both were hard. Both filtered out a lot of people.</p> <p>But those were hurdles you could clear on your own. Give a determined programmer enough time, and RAII will click. Move semantics will click. Smart pointers will click.</p> <p>The third hurdle is different.</p> <h2> The pipe organ </h2> <p>A pipe organ is the most complex instrument ever built. Thousands of pipes. Four or five keyboards stacked on top of each other, called manuals. A pedalboard at your feet for the bass lines. Dozens of stops that change the sound of every pipe. To play it, you need both hands working different keyboards, both feet on the pedals, and somehow you also need to pull stops in the middle of a piece.</p> <p>That's four hands' worth of work. You have two.</p> <p>Modern C++ past C++17 is a pipe organ.</p> <p>The vertical span alone is disorienting. At the bottom, you're still dealing with cache lines, branch prediction, and what the CPU is actually doing with your <code>alignas(std::hardware_destructive_interference_size)</code>. At the top, you're writing <code>concepts</code> and <code>consteval</code> functions that execute entirely during compilation. You need to hold both levels in your head at the same time, because a one-line change at the top can restructure what happens at the bottom.</p> <p>Then there's the depth. Every line of C++23 is a reverse derivation. <code>std::expected&lt;Value, Error&gt;</code> looks like one line. Behind it is a chain of compiler decisions about storage layout, copy elision, destructor sequencing, and exception-free error propagation that traces all the way back to what would have been fifty lines of C with manual error codes and goto cleanup blocks.</p> <p>And the sheer width of the thing. Templates. Concepts. Coroutines. Ranges. Modules. PMR. SIMD intrinsics versus portable abstractions. <code>constexpr</code> versus <code>consteval</code> versus <code>constinit</code>. Even the experts specialize. A template metaprogramming wizard might not know the first thing about coroutine frame allocation. A SIMD specialist might never touch ranges.</p> <h2> The Swiss watch inside </h2> <p>Here's the thing people miss when they complain about C++ being too complex: this isn't a design failure. This is a price.</p> <p>A mechanical watch movement has hundreds of components, machined to micron tolerances. It's absurdly complex. But it's complex because it chose to tell time without a battery, without a circuit board, without any external dependency. That constraint, total self-reliance with precision, is what forces the complexity. A quartz watch does the same job with a battery and a chip. Cheaper, more accurate, simpler. But the mechanical watch gives you something the quartz watch can't: it runs on nothing but itself.</p> <p>Modern C++ made the same bargain. Zero-cost abstractions. Full hardware control. Compile-time safety. No garbage collector, no runtime, no VM. The language chose to give you everything, from register-level performance to type-level metaprogramming, in one system. That commitment to not compromise on any axis is what makes it so powerful. And it's exactly what makes it so hard to hold in one head.</p> <p>The organ doesn't have five keyboards because the builder was a sadist. It has five keyboards because the music demands that range.</p> <h2> 1,000 lines to 10 </h2> <p>You want to see what that bargain looks like in practice? Look at the FIX protocol engine space.</p> <p><a href="https://github.com/quickfix/quickfix" rel="noopener noreferrer">QuickFIX</a> was the industry standard for years. It was written in C++98/03 style, and the engineers who built it were not amateurs. To get acceptable performance, they had to hand-craft everything. A custom object pool: about 1,000 lines of carefully debugged code. A lock-free queue for market data: another 500 lines. Manual cache-line alignment to prevent false sharing: 200 more lines. Months of debugging and tuning before any of it was production-ready.</p> <p>In C++23, the same functionality looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">std</span><span class="o">::</span><span class="n">pmr</span><span class="o">::</span><span class="n">monotonic_buffer_resource</span> <span class="n">pool_</span><span class="p">{</span><span class="mi">64</span><span class="n">_MB</span><span class="p">};</span> <span class="c1">// object pool</span> <span class="n">SPSCQueue</span><span class="o">&lt;</span><span class="n">T</span><span class="p">,</span> <span class="mi">4096</span><span class="o">&gt;</span> <span class="n">queue_</span><span class="p">;</span> <span class="c1">// lock-free queue</span> <span class="k">alignas</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">hardware_destructive_interference_size</span><span class="p">)</span> <span class="c1">// cache alignment</span> </code></pre> </div> <p>Three lines. Works correctly out of the box.</p> <p>Or take tag lookup. In the QuickFIX era, you'd write a giant switch statement or build a <code>std::unordered_map</code> at startup. Fifty-plus cases, each a runtime branch, hundreds of lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="n">std</span><span class="o">::</span><span class="n">string</span> <span class="nf">get_tag_name</span><span class="p">(</span><span class="kt">int</span> <span class="n">tag</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="p">(</span><span class="n">tag</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="mi">8</span><span class="p">:</span> <span class="k">return</span> <span class="s">"BeginString"</span><span class="p">;</span> <span class="k">case</span> <span class="mi">35</span><span class="p">:</span> <span class="k">return</span> <span class="s">"MsgType"</span><span class="p">;</span> <span class="k">case</span> <span class="mi">49</span><span class="p">:</span> <span class="k">return</span> <span class="s">"SenderCompID"</span><span class="p">;</span> <span class="c1">// ... 50+ more cases</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In C++23, you write a <code>consteval</code> function. The entire table gets computed during compilation. At runtime, looking up tag 35 is a single array index. No branches, no hash lookups:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">consteval</span> <span class="k">auto</span> <span class="nf">create_tag_table</span><span class="p">()</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">array</span><span class="o">&lt;</span><span class="n">TagEntry</span><span class="p">,</span> <span class="n">MAX_TAG</span><span class="o">&gt;</span> <span class="n">table</span><span class="p">{};</span> <span class="n">table</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">8</span><span class="o">&gt;::</span><span class="n">name</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">8</span><span class="o">&gt;::</span><span class="n">is_header</span><span class="p">};</span> <span class="n">table</span><span class="p">[</span><span class="mi">35</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">35</span><span class="o">&gt;::</span><span class="n">name</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">35</span><span class="o">&gt;::</span><span class="n">is_header</span><span class="p">};</span> <span class="c1">// ...</span> <span class="k">return</span> <span class="n">table</span><span class="p">;</span> <span class="p">}</span> <span class="kr">inline</span> <span class="k">constexpr</span> <span class="k">auto</span> <span class="n">TAG_TABLE</span> <span class="o">=</span> <span class="n">create_tag_table</span><span class="p">();</span> <span class="c1">// zero runtime cost</span> </code></pre> </div> <p>Or SFINAE versus concepts. Constraining a session handler type in the old way required 200 lines of <code>std::enable_if_t</code> nested inside template parameter lists, producing error messages that no human could read. In C++23:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">template</span> <span class="o">&lt;</span><span class="k">typename</span> <span class="nc">T</span><span class="p">&gt;</span> <span class="k">concept</span> <span class="n">SessionHandler</span> <span class="o">=</span> <span class="k">requires</span><span class="p">(</span><span class="n">T</span><span class="o">&amp;</span> <span class="n">h</span><span class="p">,</span> <span class="k">const</span> <span class="n">ParsedMessage</span><span class="o">&amp;</span> <span class="n">msg</span><span class="p">)</span> <span class="p">{</span> <span class="p">{</span> <span class="n">h</span><span class="p">.</span><span class="n">on_app_message</span><span class="p">(</span><span class="n">msg</span><span class="p">)</span> <span class="p">}</span> <span class="k">noexcept</span><span class="p">;</span> <span class="p">{</span> <span class="n">h</span><span class="p">.</span><span class="n">on_send</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">declval</span><span class="o">&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">span</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">&gt;&gt;</span><span class="p">())</span> <span class="p">}</span> <span class="k">noexcept</span> <span class="o">-&gt;</span> <span class="n">std</span><span class="o">::</span><span class="n">same_as</span><span class="o">&lt;</span><span class="kt">bool</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">{</span> <span class="n">h</span><span class="p">.</span><span class="n">on_state_change</span><span class="p">(</span><span class="n">SessionState</span><span class="p">{},</span> <span class="n">SessionState</span><span class="p">{})</span> <span class="p">}</span> <span class="k">noexcept</span><span class="p">;</span> <span class="p">{</span> <span class="n">h</span><span class="p">.</span><span class="n">on_error</span><span class="p">(</span><span class="n">SessionError</span><span class="p">{})</span> <span class="p">}</span> <span class="k">noexcept</span><span class="p">;</span> <span class="p">};</span> </code></pre> </div> <p>Twenty-five lines. Reads like documentation. And when something doesn't satisfy the concept, the compiler says "T does not satisfy SessionHandler" instead of vomiting 500 lines of template substitution failure.</p> <p>None of this means the QuickFIX engineers' work was wasted. The opposite. Their 1,000 lines of hand-crafted optimization became the blueprint for the next standard. <code>std::pmr</code> exists because people like them proved that custom allocators matter. Concepts exist because SFINAE was so painful that the committee had to find a better way. Every one-line C++23 idiom is standing on the shoulders of someone who wrote the 1,000-line version first.</p> <p>But it also means that every line of C++23, that clean, compact, one-line call, is carrying the cognitive weight of those 1,000 lines inside it. The complexity didn't disappear. It got absorbed into the language. And now you need to understand what's happening beneath that one line, or you'll misuse it in ways that compile fine and fail silently at scale.</p> <p>C++17 through C++23 didn't just raise the bar. They added three more keyboards to the organ. The instrument kept growing, and one person's hands didn't.</p> <h2> The planet I couldn't reach </h2> <p>Here's what that third hurdle looks like up close.</p> <p>I have a set of compile-time sorting algorithms sitting in my code archive. QuickSort, MergeSort, HeapSort. All three run during compilation. Not at runtime. During compilation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">template</span><span class="o">&lt;</span><span class="kt">int</span><span class="p">...</span> <span class="n">Vs</span><span class="p">&gt;</span> <span class="k">struct</span> <span class="nc">arr</span> <span class="p">{};</span> <span class="k">using</span> <span class="n">input</span> <span class="o">=</span> <span class="n">arr</span><span class="o">&lt;</span><span class="mi">5</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">8</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">9</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">using</span> <span class="n">sorted</span> <span class="o">=</span> <span class="n">quicksort_t</span><span class="o">&lt;</span><span class="n">input</span><span class="o">&gt;</span><span class="p">;</span> <span class="c1">// arr&lt;1, 3, 5, 8, 9&gt;</span> </code></pre> </div> <p>The input is a type. The output is a type. The sorting happens when the compiler processes your code, and at runtime the cost is zero.</p> <p>To make this work, you need a full toolkit of compile-time operations: <code>filter</code>, <code>concat</code>, <code>take</code>, <code>drop</code>, <code>merge</code>, <code>prepend</code>, all implemented as template specializations. The QuickSort partitions around a pivot using template predicates. The MergeSort splits the type in half, sorts recursively, and merges with ordered comparison. Even the correctness checks are compile-time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">static_assert</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">is_same_v</span><span class="o">&lt;</span><span class="n">quicksort_t</span><span class="o">&lt;</span><span class="n">arr</span><span class="o">&lt;</span><span class="mi">5</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">1</span><span class="o">&gt;&gt;</span><span class="p">,</span> <span class="n">arr</span><span class="o">&lt;</span><span class="mi">1</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">5</span><span class="o">&gt;&gt;</span><span class="p">);</span> <span class="k">static_assert</span><span class="p">(</span><span class="n">is_sorted_v</span><span class="o">&lt;</span><span class="n">mergesort_t</span><span class="o">&lt;</span><span class="n">arr</span><span class="o">&lt;</span><span class="mi">9</span><span class="p">,</span><span class="mi">7</span><span class="p">,</span><span class="mi">5</span><span class="p">,</span><span class="mi">3</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">8</span><span class="p">,</span><span class="mi">6</span><span class="p">,</span><span class="mi">4</span><span class="p">,</span><span class="mi">2</span><span class="p">,</span><span class="mi">0</span><span class="o">&gt;&gt;&gt;</span><span class="p">);</span> </code></pre> </div> <p>If any of those fail, the code doesn't compile. The tests run before the binary even exists.</p> <p>I wrote these. It was not easy, not quick, and not something I could have figured out by reading cppreference for an afternoon. Template metaprogramming at this level is a different language wearing C++ syntax as a disguise. You're not writing instructions for the CPU. You're programming the compiler.</p> <p>And this is one stop on the pipe organ. One. There's <code>consteval</code>, concepts, ranges, coroutines, modules, and every three years the language adds another row of pipes.</p> <h2> The registrant </h2> <p>Here's the thing about pipe organs: historically, the organist never played alone.</p> <p>There was always a person next to them called the registrant. The registrant pulled stops, turned pages, managed the wind supply. Not because the organist was bad. Because the instrument required more hands than any human has.</p> <p>Modern electronic organs solved part of this with combination actions: memory banks that store complete stop configurations. Instead of the registrant pulling twelve stops one by one between movements, the organist presses a single button and the entire registration changes instantly.</p> <p>The registrant didn't make the organ simpler. The organ is exactly as complex. But the registrant made it <em>playable</em>.</p> <p>AI is the registrant for Modern C++. And when you give it the right instructions, it doesn't just pull stops. It pulls the <em>right</em> stops.</p> <p>When I started building <a href="https://github.com/SilverstreamsAI/NexusFix" rel="noopener noreferrer">NexusFix</a>, a high-performance FIX protocol engine in C++23, I didn't just throw code at AI and hope for the best. I wrote a rulebook. Not vaguely. Specifically.</p> <p>Mandatory patterns: C++23 standard compliance, zero-copy data flow with <code>std::span</code> and move semantics, compile-time optimization with <code>consteval</code> and <code>constexpr</code>, memory sovereignty through PMR pools and cache-line alignment, type safety with strong types and <code>[[nodiscard]]</code>, deterministic execution with <code>noexcept</code> and no exceptions on hot paths.</p> <p>Prohibited patterns: no <code>new</code>/<code>delete</code> on hot paths, no <code>virtual</code> functions in performance-critical code, no <code>std::shared_ptr</code> on hot paths, no floating-point for prices, no dynamic memory allocation during message parsing.</p> <p>Forty-five numbered techniques, each mapped to specific source files. A six-phase optimization roadmap with measurable success criteria: zero hot-path allocations, cache miss rates below 5%, branch miss rates below 1%. A benchmark framework specifying exactly how to measure, down to RDTSC timing with <code>lfence</code> barriers and cache-line contention tests.</p> <p>When AI has this kind of context, it doesn't guess about <code>std::expected</code> versus exceptions. The rulebook says no exceptions on hot paths, use <code>std::expected</code>, target deterministic control flow. The decision is already made. AI implements it correctly, in the specific codebase, following the established patterns.</p> <p>The problem was never that AI couldn't write good C++23. The problem was that without constraints, it had to guess at hundreds of decisions that each require deep domain knowledge. Give it the constraints, and it stops guessing.</p> <p>Remember those QuickFIX-era 1,000-line object pools? My rulebook has one line about them: "Use <code>std::pmr::monotonic_buffer_resource</code> for hot path allocation." AI reads that, implements the pool with pre-allocation and per-message reset, following the established memory patterns. Hot-path allocations dropped from 12 per message to zero. The 1,000 lines of knowledge that QuickFIX engineers accumulated over years is now compressed into one rule that AI can execute in an afternoon.</p> <p>SIMD selection: I described the workload, AI prototyped implementations with raw intrinsics, Highway, and xsimd, all following the project's zero-copy and cache-alignment rules. xsimd won. The delimiter scan went from ~150ns to under 12ns. Thirteen times faster.</p> <p>Compile-time lookup tables: the rulebook includes <code>consteval</code> protocol hardening. AI generated tag lookup tables from the FIX specification, replacing those 300 runtime switch branches the old way required, with compile-time verification that every entry was correct. Improvement ranged from 55% to 97%.</p> <p>Each of these was a stop on the organ. With proper instructions, AI pulled them correctly.</p> <h2> What actually changed </h2> <p>When C++ reached C++17 and kept going, the language outgrew what one person could handle. The organ got more keyboards, more stops, more pipes. The music it could produce was extraordinary. But the number of hands you'd need to play it kept growing.</p> <p>AI is the tool that lets us take Modern C++ back.</p> <p>Not by making it simpler. C++23 is more complex than C++17, which was more complex than C++11. More features, more interactions between features, more ways to get subtly wrong results that compile without complaint.</p> <p>What collapsed is the time between knowing and doing. "I know <code>std::expected</code> exists" to "I have a benchmarked, integrated implementation" used to take days. Now it takes hours. "I've heard of PMR" to "my hot path has zero allocations" used to take a week. Now it takes a day. The gap between reading about a C++23 feature and actually deploying it in production code has always been the widest in C++. Years wide, sometimes. Careers wide.</p> <p>AI didn't close that gap. It made it crossable.</p> <p>You still need to know what you're doing. If I didn't understand RAII, or what a cache line is, or why branch misprediction costs you 15 cycles, no amount of AI could help me write a meaningful rulebook. The organist still needs to know music. The registrant handles the logistics so the organist can focus on playing.</p> <p>But here's what I learned: the registrant needs a score to follow. When I gave AI vague instructions, I got vague C++. When I gave it forty-five specific techniques, mandatory patterns, prohibited patterns, measurable success criteria, and a benchmark framework, it gave me code I could review and ship. The precision of the output matched the precision of the input.</p> <p>The organ is exactly as complex as it was before. The music demands it. But with a registrant who knows the score, one person can play it again.</p> <p><a href="https://github.com/SilverstreamsAI/NexusFix" rel="noopener noreferrer">NexusFix</a> parses FIX execution reports in 246 nanoseconds. Three times faster than QuickFIX. The hot path does zero allocations. The SIMD pipeline processes delimiters at 13x scalar speed. I built it in C++23, using AI as a constant collaborator on every technical decision, constrained by a rulebook that left nothing to chance.</p> <p>The hardest part of Modern C++ was never the language. It was doing it alone.</p> <p>You don't have to anymore.</p> <p><em>The author builds high-performance C++ trading systems at <a href="https://github.com/SilverstreamsAI" rel="noopener noreferrer">SilverstreamsAI</a>. <a href="https://github.com/SilverstreamsAI/NexusFix" rel="noopener noreferrer">NexusFix</a> is an open-source FIX protocol engine in C++23.</em></p> <p><em>He also writes <a href="https://open.substack.com/pub/alanlan/p/the-ancient-mirror-of-immortality" rel="noopener noreferrer">The Ancient Mirror of Immortality</a>, a hard sci-fi serial where C++ concepts are the laws of physics.</em></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> cpp ai programming softwareengineering Whetlan Wed, 01 Apr 2026 02:04:31 +0000 https://dev.to/whetlan/rewriting-a-fix-engine-in-c23-what-got-simpler-and-what-didnt-4icg https://dev.to/whetlan/rewriting-a-fix-engine-in-c23-what-got-simpler-and-what-didnt-4icg <p>I've been working on a FIX protocol engine in C++23. Header-only, about 5K lines, compiled with <code>-O2 -march=native</code> on Clang 18. Parses an ExecutionReport in ~246 ns on my bench rig. QuickFIX does the same message in ~730 ns.</p> <p>Before anyone gets excited: single core, pinned affinity, warmed cache, synthetic input. Not production traffic. The 3x gap will shrink on real messages with variable-length fields and optional tags. I know.</p> <p>But the code that got there was more interesting to me than the final number. Most of the gains came from replacing stuff that QuickFIX had to build by hand because C++98 didn't have the tools.</p> <h2> The pool that disappeared </h2> <p>QuickFIX has a hand-rolled object pool. About 1,000 lines of allocation logic, intrusive free lists, manual cache line alignment. Made total sense when it was written. C++98 didn't give you anything better.</p> <p>Now there's <code>std::pmr::monotonic_buffer_resource</code>. Stack buffer, pointer bump, reset between messages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">template</span> <span class="o">&lt;</span><span class="kt">size_t</span> <span class="n">Size</span><span class="p">&gt;</span> <span class="k">class</span> <span class="nc">MonotonicPool</span> <span class="o">:</span> <span class="k">public</span> <span class="n">std</span><span class="o">::</span><span class="n">pmr</span><span class="o">::</span><span class="n">memory_resource</span> <span class="p">{</span> <span class="k">alignas</span><span class="p">(</span><span class="mi">64</span><span class="p">)</span> <span class="n">std</span><span class="o">::</span><span class="n">array</span><span class="o">&lt;</span><span class="kt">char</span><span class="p">,</span> <span class="n">Size</span><span class="o">&gt;</span> <span class="n">buffer_</span><span class="p">{};</span> <span class="n">std</span><span class="o">::</span><span class="n">pmr</span><span class="o">::</span><span class="n">memory_resource</span><span class="o">*</span> <span class="n">upstream_</span><span class="p">;</span> <span class="n">std</span><span class="o">::</span><span class="n">pmr</span><span class="o">::</span><span class="n">monotonic_buffer_resource</span> <span class="n">resource_</span><span class="p">;</span> <span class="k">public</span><span class="o">:</span> <span class="n">MonotonicPool</span><span class="p">()</span> <span class="k">noexcept</span> <span class="o">:</span> <span class="n">upstream_</span><span class="p">{</span><span class="n">std</span><span class="o">::</span><span class="n">pmr</span><span class="o">::</span><span class="n">null_memory_resource</span><span class="p">()}</span> <span class="p">,</span> <span class="n">resource_</span><span class="p">{</span><span class="n">buffer_</span><span class="p">.</span><span class="n">data</span><span class="p">(),</span> <span class="n">buffer_</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span> <span class="n">upstream_</span><span class="p">}</span> <span class="p">{}</span> <span class="kt">void</span> <span class="nf">reset</span><span class="p">()</span> <span class="k">noexcept</span> <span class="p">{</span> <span class="n">resource_</span><span class="p">.</span><span class="n">release</span><span class="p">();</span> <span class="p">}</span> <span class="c1">// do_allocate/do_deallocate just forward to resource_</span> <span class="p">};</span> </code></pre> </div> <p>Call <code>reset()</code> after each message. P99 went from 780 ns to 56 ns. That's 14x on the tail, and it's basically just "stop hitting the allocator."</p> <p>I also use mimalloc for per-session heaps. <code>mi_heap_new()</code> per session, <code>mi_heap_destroy()</code> on disconnect. Felt wasteful at first, like I was throwing away too much memory per session. But <code>perf stat</code> said otherwise so I stopped arguing.</p> <h2> consteval tag lookup </h2> <p>FIX messages are key-value pairs with integer tag numbers. Tag 35 is MsgType, tag 49 is SenderCompID, tag 55 is Symbol. QuickFIX resolves these with a switch statement, fifty-something cases.</p> <p>C++23 lets you build the lookup table at compile time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="kr">inline</span> <span class="k">constexpr</span> <span class="kt">int</span> <span class="n">MAX_COMMON_TAG</span> <span class="o">=</span> <span class="mi">200</span><span class="p">;</span> <span class="k">consteval</span> <span class="n">std</span><span class="o">::</span><span class="n">array</span><span class="o">&lt;</span><span class="n">TagEntry</span><span class="p">,</span> <span class="n">MAX_COMMON_TAG</span><span class="o">&gt;</span> <span class="n">create_tag_table</span><span class="p">()</span> <span class="p">{</span> <span class="n">std</span><span class="o">::</span><span class="n">array</span><span class="o">&lt;</span><span class="n">TagEntry</span><span class="p">,</span> <span class="n">MAX_COMMON_TAG</span><span class="o">&gt;</span> <span class="n">table</span><span class="p">{};</span> <span class="k">for</span> <span class="p">(</span><span class="k">auto</span><span class="o">&amp;</span> <span class="n">entry</span> <span class="o">:</span> <span class="n">table</span><span class="p">)</span> <span class="p">{</span> <span class="n">entry</span> <span class="o">=</span> <span class="p">{</span><span class="s">""</span><span class="p">,</span> <span class="nb">false</span><span class="p">,</span> <span class="nb">false</span><span class="p">};</span> <span class="p">}</span> <span class="n">table</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">1</span><span class="o">&gt;::</span><span class="n">name</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">1</span><span class="o">&gt;::</span><span class="n">is_header</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">1</span><span class="o">&gt;::</span><span class="n">is_required</span><span class="p">};</span> <span class="n">table</span><span class="p">[</span><span class="mi">8</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">8</span><span class="o">&gt;::</span><span class="n">name</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">8</span><span class="o">&gt;::</span><span class="n">is_header</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">8</span><span class="o">&gt;::</span><span class="n">is_required</span><span class="p">};</span> <span class="n">table</span><span class="p">[</span><span class="mi">35</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">35</span><span class="o">&gt;::</span><span class="n">name</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">35</span><span class="o">&gt;::</span><span class="n">is_header</span><span class="p">,</span> <span class="n">TagInfo</span><span class="o">&lt;</span><span class="mi">35</span><span class="o">&gt;::</span><span class="n">is_required</span><span class="p">};</span> <span class="c1">// ~30 more entries</span> <span class="k">return</span> <span class="n">table</span><span class="p">;</span> <span class="p">}</span> <span class="kr">inline</span> <span class="k">constexpr</span> <span class="k">auto</span> <span class="n">TAG_TABLE</span> <span class="o">=</span> <span class="n">create_tag_table</span><span class="p">();</span> <span class="p">[[</span><span class="n">nodiscard</span><span class="p">]]</span> <span class="kr">inline</span> <span class="k">constexpr</span> <span class="n">std</span><span class="o">::</span><span class="n">string_view</span> <span class="n">tag_name</span><span class="p">(</span><span class="kt">int</span> <span class="n">tag_num</span><span class="p">)</span> <span class="k">noexcept</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">tag_num</span> <span class="o">&gt;=</span> <span class="mi">0</span> <span class="o">&amp;&amp;</span> <span class="n">tag_num</span> <span class="o">&lt;</span> <span class="n">MAX_COMMON_TAG</span><span class="p">)</span> <span class="p">[[</span><span class="n">likely</span><span class="p">]]</span> <span class="p">{</span> <span class="k">return</span> <span class="n">TAG_TABLE</span><span class="p">[</span><span class="n">tag_num</span><span class="p">].</span><span class="n">name</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="s">""</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Array index, O(1), zero branches at runtime. About 300 branches eliminated across the parser.</p> <p>Field offsets use the same trick. QuickFIX stores them in a <code>std::map&lt;int, offset&gt;</code>, so every field access is a tree traversal. Here it's <code>offsets_[tag]</code>. Took me a while to get the constexpr initialization right for nested structs, but once it compiled it was basically free.</p> <h2> SIMD: the scenic route </h2> <p>FIX uses SOH (0x01) as the field delimiter. Scanning for it byte-by-byte is fine until your messages have 40+ fields.</p> <p>Started with raw AVX2 intrinsics. Worked. Process 32 bytes, compare against SOH, extract positions from the bitmask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">const</span> <span class="n">__m256i</span> <span class="n">soh_vec</span> <span class="o">=</span> <span class="n">_mm256_set1_epi8</span><span class="p">(</span><span class="n">fix</span><span class="o">::</span><span class="n">SOH</span><span class="p">);</span> <span class="k">for</span> <span class="p">(</span><span class="kt">size_t</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="n">simd_end</span><span class="p">;</span> <span class="n">i</span> <span class="o">+=</span> <span class="mi">32</span><span class="p">)</span> <span class="p">{</span> <span class="n">__m256i</span> <span class="n">chunk</span> <span class="o">=</span> <span class="n">_mm256_loadu_si256</span><span class="p">(</span> <span class="k">reinterpret_cast</span><span class="o">&lt;</span><span class="k">const</span> <span class="n">__m256i</span><span class="o">*&gt;</span><span class="p">(</span><span class="n">ptr</span> <span class="o">+</span> <span class="n">i</span><span class="p">));</span> <span class="n">__m256i</span> <span class="n">cmp</span> <span class="o">=</span> <span class="n">_mm256_cmpeq_epi8</span><span class="p">(</span><span class="n">chunk</span><span class="p">,</span> <span class="n">soh_vec</span><span class="p">);</span> <span class="kt">uint32_t</span> <span class="n">mask</span> <span class="o">=</span> <span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">uint32_t</span><span class="o">&gt;</span><span class="p">(</span><span class="n">_mm256_movemask_epi8</span><span class="p">(</span><span class="n">cmp</span><span class="p">));</span> <span class="k">while</span> <span class="p">(</span><span class="n">mask</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kt">int</span> <span class="n">bit</span> <span class="o">=</span> <span class="n">__builtin_ctz</span><span class="p">(</span><span class="n">mask</span><span class="p">);</span> <span class="c1">// lowest set bit</span> <span class="n">result</span><span class="p">.</span><span class="n">push</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">uint16_t</span><span class="o">&gt;</span><span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="n">bit</span><span class="p">));</span> <span class="n">mask</span> <span class="o">&amp;=</span> <span class="n">mask</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="c1">// clear it</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then I realized I'd need an AVX-512 path, an SSE path, and an ARM NEON path. Four copies of the same logic with different intrinsic names. Maintaining that sounded miserable.</p> <p>Tried Highway (Google's portable SIMD library). Nice API, but the build dependency was heavy for a header-only project. Compile times went up noticeably. I spent a couple hours trying to make it work as a submodule before giving up.</p> <p>Ended up on xsimd. Header-only, template-based, picks the instruction set at compile time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight cpp"><code><span class="k">template</span> <span class="o">&lt;</span><span class="k">typename</span> <span class="nc">Arch</span><span class="p">&gt;</span> <span class="kr">inline</span> <span class="n">SohPositions</span> <span class="n">scan_soh_xsimd</span><span class="p">(</span><span class="n">std</span><span class="o">::</span><span class="n">span</span><span class="o">&lt;</span><span class="k">const</span> <span class="kt">char</span><span class="o">&gt;</span> <span class="n">data</span><span class="p">)</span> <span class="k">noexcept</span> <span class="p">{</span> <span class="k">using</span> <span class="n">batch_t</span> <span class="o">=</span> <span class="n">xsimd</span><span class="o">::</span><span class="n">batch</span><span class="o">&lt;</span><span class="kt">uint8_t</span><span class="p">,</span> <span class="n">Arch</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">constexpr</span> <span class="kt">size_t</span> <span class="n">width</span> <span class="o">=</span> <span class="n">batch_t</span><span class="o">::</span><span class="n">size</span><span class="p">;</span> <span class="k">const</span> <span class="n">batch_t</span> <span class="n">soh_vec</span><span class="p">(</span><span class="k">static_cast</span><span class="o">&lt;</span><span class="kt">uint8_t</span><span class="o">&gt;</span><span class="p">(</span><span class="n">fix</span><span class="o">::</span><span class="n">SOH</span><span class="p">));</span> <span class="c1">// same loop, portable across architectures</span> <span class="p">}</span> </code></pre> </div> <p>Raw AVX2 was maybe 5% faster on the same hardware. I kept both paths in the repo but default to xsimd. The portability is worth 5%.</p> <p>SOH scan throughput: 3.32 GB/s. Sounds impressive until you realize that's just finding delimiters. Actual parsing is slower. But it means delimiter scanning isn't the bottleneck anymore, which is the whole point.</p> <h2> What didn't get simpler </h2> <p>Session state. FIX sessions have sequence numbers, heartbeat timers, gap fill logic, reject handling. I was hoping <code>std::expected</code> would clean up the error propagation and... it helped a little. Like 10% less boilerplate. The complexity is in the protocol, not the language. It's a state machine with a lot of branches and I don't think any C++ standard is going to fix that.</p> <p>Message type coverage. I've got 9 types (NewOrderSingle, ExecutionReport, the session-level ones). QuickFIX covers all of them. Adding a new type isn't hard, just tedious. Field definitions, validation rules, serialization. About a day per message type if you include tests. I got to nine and just... stopped. Started working on the transport layer instead because that was more interesting. Not my proudest engineering decision.</p> <p>Header-only at 5K lines. Compiles in 2.8s on Clang, 4.1s on GCC. That's fine on my machine. No idea what happens on a CI runner with 2GB of RAM. I keep saying I'll add a compiled-library option. Haven't done it.</p> <h2> Benchmarks </h2> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>./bench <span class="nt">--iterations</span><span class="o">=</span>100000 <span class="nt">--pin-cpu</span><span class="o">=</span>3 <span class="go"> ExecutionReport parse: 246 ns (QuickFIX: 730 ns) NewOrderSingle parse: 229 ns (QuickFIX: 661 ns) Field access (4): 11 ns (QuickFIX: 31 ns) Throughput: 4.17M msg/sec (QuickFIX: 1.19M msg/sec) </span></code></pre> </div> <p>Single core, RDTSCP timing, 100K iterations, synthetic messages. Not captured from a real feed. The gap will narrow on production traffic with variable-length fields and optional tags. I'm pretty confident the parser is faster, just not sure by how much once you leave the lab.</p> <h2> Where I am with it </h2> <p>Not production-ready. Parser and session layer work well enough to benchmark, but nobody should route real orders through this.</p> <p>The thing that kept surprising me was how much of QuickFIX's complexity was the language, not the problem. PMR replaced a thousand-line pool. consteval eliminated a fifty-case switch. And xsimd collapsed four architecture-specific codepaths into one template. These aren't exotic features either, they just didn't exist in C++98. I don't know if this thing will ever cover all the message types QuickFIX does, but the parser core feels solid enough that I keep coming back to it on weekends.</p> <p>GitHub: <a href="https://github.com/StratCraftsAI/NexusFIX" rel="noopener noreferrer">github.com/StratCraftsAI/NexusFIX</a></p> <p>Still figuring out: whether header-only holds past 10K lines, how much the 3x gap closes on captured traffic, and which message types actually matter beyond the obvious nine. If you've worked with FIX and have opinions on any of that, I'm interested.</p> <p><em>Part of <a href="https://github.com/StratCraftsAI/NexusFIX" rel="noopener noreferrer">NexusFix</a>, an open-source FIX protocol engine in C++23.</em></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> cpp performance programming opensource Whetlan Tue, 31 Mar 2026 10:00:02 +0000 https://dev.to/whetlan/the-trident-and-the-green-ox-2c2i https://dev.to/whetlan/the-trident-and-the-green-ox-2c2i <p>I've been writing code for a few decades now. Started with C. The kind of C where you know roughly what the CPU is doing at any given moment — moving a register, touching a block of memory, shaving off a few microseconds. There's something satisfying about that directness. Assembly-level intuition. It sticks with you.</p> <p>It also makes you a little hostile toward anything that calls itself a "modern language."</p> <p>Not because you can't learn it. Because it doesn't feel right.</p> <h2> From C to modern C++ </h2> <p>For a long time, my C++ was really just C with classes. I found out later that most people who have "C++ engineer" on their resume are doing the same thing. That's where most of us plateau.</p> <p>Then I started using <code>std::vector</code>. Then RAII. Then I ran into <code>compare_exchange_strong</code> and <code>compare_exchange_weak</code> — spent a full day just figuring out when to use which. Then came C++17, SFINAE, template metaprogramming.</p> <p>Honestly, I questioned my life choices.</p> <p>But those tools also made my first serious project work the way I wanted it to.</p> <h2> 50,000 lines of C++, then 3.5 million lines of Python </h2> <p>That first project was a bridge layer between a trading platform and a strategy execution service. About 50,000 lines of modern C++, took me six months to write by hand.</p> <p>I picked C++ for two reasons: speed, and RAII.</p> <p>The results: on Windows 10, it started at around 22MB of memory, then dropped to 11MB after running continuously for a week. On Windows 11, it started at 36MB, settled at 12MB. During all that time it was pulling and processing tick data for every instrument at full frequency.</p> <p>Rough around the edges. But the direction was right.</p> <p>Later, the product evolved into a web application: AI-assisted strategy editing, multi-user backtesting, a Python backend, and a WordPress frontend. The whole thing took two years.</p> <p>The Python backend peaked at 3.5 million lines. WordPress passed 4 million. AI was involved full-time at this point — I was using Claude 3.5.</p> <p>But it was still just a multi-user backtesting system. Plenty of features still missing.</p> <h3> A 14-day dead end </h3> <p>Claude 3.5 had a habit of breaking things while fixing them.</p> <p>One time, the multi-process backtesting module was working perfectly. Then after a round of heavy refactoring, it stopped working entirely. I spent 14 days trying to fix it. Twelve hours a day. Back then Claude didn't have the weekly or per-5-hour usage caps yet, so I was grinding pretty much around the clock to make the most of my subscription.</p> <p>After 14 days, I gave up. Rolled back to the last stable version. Then manually merged all the other changes from those two weeks, testing each one as I went.</p> <p>Turns out AI can write code really fast. It can also drive you off a cliff really fast.</p> <h2> Cutting 90% </h2> <p>At the end of 2025, I made a decision: cut 90% of the codebase.</p> <p>Python backend went from 3.5 million lines to under 500,000. WordPress went from 4 million to under 500,000.</p> <p>The system itself was running fine. I didn't cut it because it was broken. I cut it because of money.</p> <p>AWS bills were brutal — the system needed multiple servers. Even Claude's parent company says it'll take two years to reach profitability. OpenAI says five. If the AI companies themselves are getting squeezed by infrastructure costs, a small independent project like mine didn't stand a chance.</p> <p>I also realized something: users probably want to build their own trading systems on their own machines. They don't need me running a massive cloud engine for them.</p> <p>So I rebuilt it as a desktop app.</p> <p>Without the queue system, the saga orchestration, the multi-user concurrency — plus two years of backend code to reference — things moved a lot faster. Started the rewrite on January 2nd, basically finished by mid-February. 500,000 lines of code, six weeks.</p> <p>I went back through the git log later and roughly tallied what I'd deleted from the old system. Ten entire subsystems — server-side backtesting engine, task queue with priority management, a process manager with its own state machine, real-time WebSocket streaming, a saga orchestrator for failure cleanup, historical data playback, checkpoint recovery for power failures, a standalone cleanup microservice, a cross-service ZMQ communication layer across six dedicated ports, and a session identity context system.</p> <p>The saga orchestrator alone had a five-step cleanup protocol: WebSocket recycle → worker completion wait → active user cleanup → test session cleanup → resource release. The process manager ran its own state machine (STARTING → RUNNING → RECYCLING → STOPPED → ERROR) with health checks and automatic recovery. The checkpoint recovery system could detect interrupted backtests on server restart by checking MySQL status flags, recover state from Redis, and re-queue everything.</p> <p>All gone. Listing it out made me a little dizzy.</p> <h2> Claude 3.5 to 4.6 </h2> <p>Using Claude to write code has been a love-hate relationship.</p> <p>In the 3.5 era, it was $100 a month max. When the model got dumb — I honestly wasn't sure whether my rage would destroy my computer first or give me a heart attack first. I seriously considered both outcomes.</p> <p>I wrote in to yell at customer support.</p> <p>Then I ran into a billing bug: after requesting a refund, the system showed I'd unsubscribed. Except I hadn't. A month later it started charging again. I successfully canceled, tried every other coding tool on the market, realized I still needed Claude, and resubscribed. Successfully canceled again. Got auto-resubscribed anyway.</p> <p>Long story short, it didn't kill me. I stuck with it all the way to 4.6.</p> <h2> A domain name and a new project </h2> <p>After gutting the codebase, I tried to register a domain name for the project. Didn't get it.</p> <p>But that failure got me thinking about something: if in the future everyone is running multiple AI entities, how do those entities discover each other? They need addressable identities. They need to be findable, trustable. They might even need a reputation system to support collaboration. It's like Windows 95 and the internet — before that, regular people didn't have an on-ramp to the web. AI entities need that kind of infrastructure layer too.</p> <p>So I started <a href="https://github.com/SilverstreamsAI/ClawNexus" rel="noopener noreferrer">ClawNexus</a> — an identity registry for OpenClaw instances. It discovers AI agent instances on the network, gives each one a persistent name, and tracks capabilities, trust scores, and online status.</p> <h3> AI picked the popular choice. The popular choice didn't work. </h3> <p>By version 0.3, ClawNexus had over 300 unit tests and 5 integration tests — the integration tests were for multi-node discovery across a WireGuard VPN, with nodes at 10.66.66.x addresses.</p> <p>Claude chose mDNS for discovery — standard practice. But in my WireGuard environment, it kept casually skipping certain cross-machine test cases.</p> <p>I sat it down for a serious conversation: why can't this supposedly universal protocol handle all the scenarios? It couldn't give me a straight answer.</p> <p>Here's the thing. I have this habit at home — I set up LAN games of StarCraft with friends. We use IPX-over-UDP via ipxwrapper. And that setup has always worked perfectly over WireGuard.</p> <p>So I asked Claude directly: why not use the IPX protocol? It pushed back. Said we didn't need it.</p> <p>Fine. I made it implement those skipped test cases using IPX anyway.</p> <p>That evening:</p> <ul> <li>10:35 PM — started adding IPX support</li> <li>11:00 PM — cross-machine tests running</li> <li>11:25 PM — all cases passing</li> </ul> <p>Afterward I asked Claude to explain why it had originally chosen mDNS over IPX.</p> <p>The explanation sounded perfectly reasonable. It just had nothing to do with the system I was actually running.</p> <h3> 300 unit tests weren't enough </h3> <p>This is a habit from my C days.</p> <p>Even with 300+ unit tests all passing, I still went through every command-line parameter by hand.</p> <p>Found several that weren't doing anything at all.</p> <p>Claude 4.6's explanation sounded completely correct.</p> <p>But I couldn't accept it.</p> <p>I adjusted my approach after that: I didn't just have AI write code and tests — I baked my manual testing process into its workflow too. The problem never came back.</p> <h3> Three days after launch, a copycat appeared </h3> <p>Three days after publishing ClawNexus to npm, I stumbled across a GitHub repo with the exact same name on social media.</p> <p>This is where Claude's breadth of knowledge showed up. It helped me investigate the other project's origins, the problems in their implementation, the flaws in their design philosophy. Then in a very short time it helped me shore up every position I needed to hold.</p> <p>I wouldn't have gotten through any of that on my own.</p> <h2> The Trident and The Green Ox </h2> <p>Why do the immortals in mythology ride mounts?</p> <p>Laozi rode a green ox through Hangu Pass. Guanyin rides a golden-haired lion. The Buddha's mount is a six-tusked white elephant. The ox is faster than walking, but it needs someone on top who knows where to go. AI is that ox — it writes code faster than me, searches information faster than me, analyzes competitors faster than me. But it didn't know that mDNS doesn't work well over WireGuard. It didn't know whether to write or cut 90% of the code. It even managed to run me in circles for 14 days.</p> <p>So why does Poseidon also carry a trident?</p> <p>Because some situations demand certainty.</p> <p>AI sometimes guesses. Same question, different answers. Rephrase it slightly, different answer again.</p> <p>Code doesn't do that. <code>compare_exchange_strong</code> (a C++ atomic operation) gives you the same result every single time. Doesn't matter how many times you call it. C++ template metaprogramming, Python's deterministic pipelines, Rust's type system — those are tridents. Same input, same output, every time. They pick up where AI's guesswork leaves off.</p> <p>Think about it: tools like Claude Code and Codex are themselves an ox wielding a trident. The AI generates, the code tools execute deterministically, and somewhere in the middle there's supposed to be a human making sure none of it goes sideways.</p> <p>The world needs the speed of the ox.</p> <p>The certainty of the trident.</p> <p>And most of all — the people who can ride one and wield the other, and survive every moment when things fall apart.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> ai programming cpp devjournal Whetlan Tue, 24 Mar 2026 10:29:26 +0000 https://dev.to/whetlan/npm-supply-chain-security-mistakes-i-made-publishing-my-first-packages-2io9 https://dev.to/whetlan/npm-supply-chain-security-mistakes-i-made-publishing-my-first-packages-2io9 <p>I published four npm packages from a pnpm monorepo in March. Node 22, TypeScript, ~4k lines across the four packages, eleven direct dependencies total. First time publishing anything to npm. Within two weeks I'd almost shipped a <code>.env.example</code>, missed a provenance setting that fails with zero output, and found out that 2FA on npm is basically theater once you start using automation tokens.</p> <h2> postinstall </h2> <p>Before my first publish I went through every dependency's package.json looking for lifecycle scripts. Took about an hour. The reason: <code>ua-parser-js</code> in 2021, <code>colors</code> + <code>faker</code> in 2022, <code>@ledgerhq/connect-kit</code> in 2023. All compromised through npm. All exploited postinstall.</p> <p>The attack is dead simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"postinstall"</span><span class="p">:</span><span class="w"> </span><span class="s2">"node ./setup.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Runs on <code>npm install</code>. No prompt, no sandbox. Full user permissions. Read env vars, POST them somewhere, done.</p> <p>pnpm doesn't run lifecycle scripts from deps by default. npm and yarn do. That alone is a reason to use pnpm, honestly.</p> <p>To see which deps declare postinstall:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm query <span class="s1">':has(&gt; .scripts[postinstall])'</span> </code></pre> </div> <p>npm's CSS-selector query syntax. I had to find it in the npm docs because nobody talks about it. Found two packages with postinstall in my tree: <code>esbuild</code> and <code>protobufjs</code>. Both legitimate. But you don't know that until you check.</p> <h2> Provenance (the silent failure that got me) </h2> <p>npm has had provenance attestations since 2023. One flag on publish:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm publish <span class="nt">--provenance</span> </code></pre> </div> <p>Green checkmark on npmjs.com. Links the tarball to a specific GitHub Actions run and commit hash.</p> <p>I didn't set this up for my first few publishes. Was running <code>npm publish</code> from my laptop. Provenance needs OIDC, so it only works inside CI (GitHub Actions, GitLab, CircleCI). Can't fake it locally.</p> <p>The key part of my GitHub Actions workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># THIS. Without it, provenance silently fails.</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">publish</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pnpm/action-setup@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">22</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://registry.npmjs.org'</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm install --frozen-lockfile</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm -r build</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm publish --provenance --access public</span> <span class="na">env</span><span class="pi">:</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> </code></pre> </div> <p>I spent 30 minutes refreshing the npmjs.com page after my first CI publish, wondering where the green checkmark was. Re-ran the workflow. Published another version. Nothing. Checked the Actions log for errors. Clean. Turns out <code>id-token: write</code> was missing and <code>--provenance</code> just... silently doesn't attest. One line of YAML.</p> <h2> 2FA doesn't protect what you think it does </h2> <p>I enabled <code>auth-and-writes</code> on day one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm profile <span class="nb">set </span>auth-and-writes </code></pre> </div> <p>Felt secure. Then I set up CI publishing with an automation token and realized: automation tokens bypass 2FA entirely. By design. There's no human to type the OTP code, so npm just... skips it.</p> <p>So if someone grabs your <code>NPM_TOKEN</code> from a leaked <code>.env</code> or a compromised GitHub secret, they can publish whatever they want. 2FA doesn't help.</p> <p>My first automation token had full publish access to every package on my account. Didn't scope it. Didn't restrict IPs. Just a bearer token sitting in a GitHub secret that could publish anything under my name.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># what I should have done from the start</span> <span class="nv">$ </span>npm token create <span class="nt">--cidr</span><span class="o">=</span>&lt;your-ci-ip-range&gt; <span class="nt">--publish</span> <span class="nt">--package</span><span class="o">=</span>my-package </code></pre> </div> <p>Scoped tokens help. But the real fix is OIDC provenance (no long-lived secret at all). The whole token model on npm feels stuck in 2015.</p> <h2> Someone ran <code>npm install</code> in my pnpm repo </h2> <p>I accidentally ran <code>npm install</code> instead of <code>pnpm install</code> in my monorepo. Generated a <code>package-lock.json</code>, committed it without thinking. CI started resolving different dependency versions. Tests went flaky. Took me a full day to trace it back to the lockfile.</p> <p>My <code>.npmrc</code> now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">frozen-lockfile</span><span class="p">=</span><span class="s">true</span> <span class="py">engine-strict</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <p>And in the root <code>package.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=22"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pnpm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=9"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>engine-strict</code> means npm and yarn refuse to install. Sounds aggressive. But pnpm's lockfile stores content-addressable hashes for every tarball. If a dependency gets republished with different contents (yes, this happens, npm allows it within 72 hours), pnpm rejects the mismatch. npm is more forgiving about "fixing" stale lockfiles. That forgiveness is the problem.</p> <h2> I almost shipped a <code>.env</code> </h2> <p>On my third publish I ran <code>npm pack --dry-run</code> out of habit and saw my <code>.env.example</code> in the tarball. It had placeholder values. But the <code>.env</code> file itself was only excluded because <code>.gitignore</code> caught it. If I'd had a <code>.env.local</code> or <code>.env.production</code> that wasn't in <code>.gitignore</code>, it would have shipped to npm.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm pack <span class="nt">--dry-run</span> 2&gt;&amp;1 npm notice Tarball Contents npm notice 1.2kB README.md npm notice 15.4kB dist/index.js npm notice 3.1kB dist/index.d.ts npm notice 847B package.json npm notice 234B .env.example <span class="c"># wait, why is this here?</span> </code></pre> </div> <p>Without a <code>files</code> field, <code>npm publish</code> ships everything not in <code>.gitignore</code>. I've seen packages on npm that include test fixtures, <code>.git</code> directories (full commit history), even AWS key pairs in a <code>keys/</code> folder that someone forgot to gitignore.</p> <p>My fix was adding <code>"files": ["dist", "README.md"]</code> to every package.json. Now only what I explicitly list gets published. <code>npm pack --dry-run</code> before every publish. Takes 5 seconds.</p> <h2> <code>npm audit</code> is noisy </h2> <p>It flags everything. Prototype pollution in a transitive dev dependency that only runs in tests? Critical. ReDoS in a markdown parser you use to render a help page? High.</p> <p>I ran <code>pnpm audit</code> on my project the first time and got 4 advisories. All in transitive deps. None reachable from my code paths. But each one took 20 minutes to verify because you have to trace the import chain to confirm it's actually dead code.</p> <p>My process now: <code>pnpm audit</code> weekly, check if the vulnerable path is reachable, update prod deps immediately, batch dev deps monthly.</p> <p>No Dependabot. Opens too many PRs for 11 direct dependencies. I run <code>pnpm outdated</code> instead and read the changelogs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pnpm outdated Package Current Latest fastify 5.1.0 5.2.1 drizzle-orm 0.38.2 0.39.0 vitest 3.0.4 3.0.5 </code></pre> </div> <p>Three updates. I'll read the fastify changelog, check if drizzle has breaking changes (it usually does), and bump vitest blindly because test runner patches are low risk.</p> <h2> <code>--ignore-scripts</code> </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pnpm <span class="nb">install</span> <span class="nt">--ignore-scripts</span> <span class="nv">$ </span>pnpm rebuild esbuild <span class="c"># only rebuild what actually needs native compilation</span> </code></pre> </div> <p>Separates "download dependencies" from "run arbitrary code." Most packages don't need lifecycle scripts. The ones that do (native addons, platform binaries) can be rebuilt explicitly.</p> <p>I haven't defaulted to this yet because <code>playwright</code> breaks without its postinstall (it downloads browsers). For production CI though, where the dep tree is locked and tested, I'd do it.</p> <p>The npm ecosystem doesn't have a real security boundary between "install a package" and "run arbitrary code on the user's machine." Provenance is good. Lockfiles help. <code>files</code> field prevents accidental leaks. But if a maintainer's account gets compromised tomorrow, the only thing standing between their users and a malicious postinstall is whether someone notices before the next <code>npm install</code>.</p> <p>I have eleven dependencies. I can audit them manually. If you have two hundred, I don't know what to tell you.</p> <p><em>Part of <a href="https://silverstream.tech/clawnexus" rel="noopener noreferrer">ClawNexus</a>, an open-source identity registry for AI agents.</em></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> security node webdev opensource Whetlan Thu, 19 Mar 2026 11:30:02 +0000 https://dev.to/whetlan/running-a-nodejs-daemon-with-fastify-no-pm2-no-systemd-99i https://dev.to/whetlan/running-a-nodejs-daemon-with-fastify-no-pm2-no-systemd-99i <p>Every few months someone on Reddit asks "how do I run a Node.js process in the background." The answers are always PM2, forever, or systemd. All fine. But if you're shipping a CLI tool that users install on their own machines, you can't assume any of those exist.</p> <p>I have a CLI that starts a local HTTP daemon. <code>my-tool start</code> forks into the background, user closes their terminal, daemon keeps running. About 700 lines for the whole thing, 150 of which are just the fork/PID/signal plumbing. Fastify 5 for the HTTP layer.</p> <h2> Fork, detach, forget </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">fork</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:child_process</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:fs</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:path</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">os</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:os</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DATA_DIR</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">os</span><span class="p">.</span><span class="nf">homedir</span><span class="p">(),</span> <span class="dl">"</span><span class="s2">.my-tool</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">LOG_PATH</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">,</span> <span class="dl">"</span><span class="s2">daemon.log</span><span class="dl">"</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">startDaemon</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">,</span> <span class="p">{</span> <span class="na">recursive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">logFd</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">openSync</span><span class="p">(</span><span class="nx">LOG_PATH</span><span class="p">,</span> <span class="dl">"</span><span class="s2">a</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">child</span> <span class="o">=</span> <span class="nf">fork</span><span class="p">(</span><span class="nx">__filename</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">start</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">--_daemon</span><span class="dl">"</span><span class="p">],</span> <span class="p">{</span> <span class="na">detached</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">stdio</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">ignore</span><span class="dl">"</span><span class="p">,</span> <span class="nx">logFd</span><span class="p">,</span> <span class="nx">logFd</span><span class="p">,</span> <span class="dl">"</span><span class="s2">ipc</span><span class="dl">"</span><span class="p">],</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">child</span><span class="p">.</span><span class="nf">disconnect</span><span class="p">();</span> <span class="nx">child</span><span class="p">.</span><span class="nf">unref</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Daemon started (PID </span><span class="p">${</span><span class="nx">child</span><span class="p">.</span><span class="nx">pid</span><span class="p">}</span><span class="s2">).`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>detached: true</code> gives the child its own process group. <code>child.unref()</code> lets the parent exit. <code>child.disconnect()</code> drops the IPC channel.</p> <p>stdout/stderr go straight to a log file via the fd. Append mode so restarts don't clobber history.</p> <p>The <code>--_daemon</code> flag is how the child process knows it's the daemon and not the CLI. Underscore prefix to keep it out of <code>--help</code>.</p> <p>When the child starts with that flag, it writes a PID file and hooks signals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">PID_FILE</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">DATA_DIR</span><span class="p">,</span> <span class="dl">"</span><span class="s2">daemon.pid</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">argv</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">--_daemon</span><span class="dl">"</span><span class="p">))</span> <span class="p">{</span> <span class="nf">writePid</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">pid</span><span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">removePid</span><span class="p">();</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">SIGINT</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">removePid</span><span class="p">();</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> <span class="nf">startServer</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>SIGTERM comes from <code>stop</code>. SIGINT is ctrl-c if you run it in foreground for debugging. I don't handle SIGHUP. Some daemons use it for config reload. Mine reads config at startup. Change config, restart.</p> <h2> PID files and stale processes </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">writePid</span><span class="p">(</span><span class="nx">pid</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">path</span><span class="p">.</span><span class="nf">dirname</span><span class="p">(</span><span class="nx">PID_FILE</span><span class="p">),</span> <span class="p">{</span> <span class="na">recursive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFileSync</span><span class="p">(</span><span class="nx">PID_FILE</span><span class="p">,</span> <span class="nc">String</span><span class="p">(</span><span class="nx">pid</span><span class="p">),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">readPid</span><span class="p">():</span> <span class="kr">number</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pid</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">PID_FILE</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">).</span><span class="nf">trim</span><span class="p">(),</span> <span class="mi">10</span><span class="p">,</span> <span class="p">);</span> <span class="nx">process</span><span class="p">.</span><span class="nf">kill</span><span class="p">(</span><span class="nx">pid</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="c1">// signal 0 = just check if alive</span> <span class="k">return</span> <span class="nx">pid</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">removePid</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">unlinkSync</span><span class="p">(</span><span class="nx">PID_FILE</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="cm">/* gone already */</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>process.kill(pid, 0)</code> doesn't send a signal. It checks if the process exists. If the PID file says 12345 but that process is dead, <code>kill</code> throws and <code>readPid()</code> returns <code>null</code>.</p> <p>Stale PID files happen constantly. Hard crash, <code>kill -9</code>, OOM killer, power loss. Without the signal-0 check, <code>start</code> would refuse to run because of a leftover file from a daemon that died three days ago.</p> <h2> Fastify as the daemon core </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Fastify</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">fastify</span><span class="dl">"</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">startServer</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nc">Fastify</span><span class="p">({</span> <span class="na">logger</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">PORT</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_TOOL_PORT</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">17890</span><span class="dl">"</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">HOST</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">MY_TOOL_HOST</span> <span class="o">??</span> <span class="dl">"</span><span class="s2">127.0.0.1</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/health</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ok</span><span class="dl">"</span><span class="p">,</span> <span class="na">pid</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">pid</span><span class="p">,</span> <span class="na">uptime</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nf">uptime</span><span class="p">(),</span> <span class="na">memory</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nf">memoryUsage</span><span class="p">().</span><span class="nx">rss</span> <span class="o">/</span> <span class="mi">1024</span> <span class="o">/</span> <span class="mi">1024</span><span class="p">),</span> <span class="p">}));</span> <span class="nx">app</span><span class="p">.</span><span class="nf">addHook</span><span class="p">(</span><span class="dl">"</span><span class="s2">onClose</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// stop things that produce events first</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">healthTimer</span><span class="p">);</span> <span class="nx">connector</span><span class="p">?.</span><span class="nf">disconnect</span><span class="p">();</span> <span class="c1">// then flush storage</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="nx">PORT</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="nx">HOST</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Listening on </span><span class="p">${</span><span class="nx">HOST</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>logger: false</code> because stdout already goes to the log file via fd redirect. Fastify's pino would double-log everything. I just use <code>console.log</code> with a <code>[component]</code> prefix. Not pretty, works fine for a local tool.</p> <p><code>127.0.0.1</code> not <code>0.0.0.0</code>. Local daemon, no reason to expose it to the network.</p> <h2> Health check after fork </h2> <p><code>/health</code> does double duty. It's a monitoring endpoint, but it's also how <code>start</code> confirms the daemon actually booted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">cmdStart</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="nf">readPid</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Already running (PID </span><span class="p">${</span><span class="nx">existing</span><span class="p">}</span><span class="s2">).`</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nf">startDaemon</span><span class="p">();</span> <span class="c1">// ugly but necessary</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">r</span><span class="p">,</span> <span class="mi">1000</span><span class="p">));</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`http://127.0.0.1:</span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">/health`</span><span class="p">,</span> <span class="p">{</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">AbortSignal</span><span class="p">.</span><span class="nf">timeout</span><span class="p">(</span><span class="mi">3000</span><span class="p">),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Daemon running. PID </span><span class="p">${</span><span class="nx">data</span><span class="p">.</span><span class="nx">pid</span><span class="p">}</span><span class="s2">, port </span><span class="p">${</span><span class="nx">PORT</span><span class="p">}</span><span class="s2">.`</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Daemon forked but not responding yet. Check the logs.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The 1-second sleep is ugly. The child needs time to import modules and bind the port. Without it you get <code>ECONNREFUSED</code> every time.</p> <p>I tried IPC ("child sends 'ready' to parent") but that means keeping the IPC channel open, which means the parent can't exit cleanly. Sleep + HTTP is dumber. Works.</p> <p>I learned the hard way why this health check matters. Early version didn't have it. Two instances on the same port:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>my-tool start <span class="go">Daemon started (PID 48291). </span><span class="gp">$</span><span class="w"> </span><span class="nb">cat</span> ~/.my-tool/daemon.log <span class="go">Error: listen EADDRINUSE: address already in use 127.0.0.1:17890 </span></code></pre> </div> <p>Parent already printed success and exited. Daemon is actually dead. User thinks it's running. Now the health check catches this.</p> <h2> Shutdown ordering matters </h2> <p>This is where I wasted actual time. First version of the <code>onClose</code> hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// wrong</span> <span class="nx">app</span><span class="p">.</span><span class="nf">addHook</span><span class="p">(</span><span class="dl">"</span><span class="s2">onClose</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">store</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="c1">// flush to disk</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">healthTimer</span><span class="p">);</span> <span class="c1">// stop health checks</span> <span class="nx">connector</span><span class="p">?.</span><span class="nf">disconnect</span><span class="p">();</span> <span class="c1">// drop WebSocket</span> <span class="p">});</span> </code></pre> </div> <p><code>store.close()</code> flushes pending writes. But the health checker was still running and could trigger a write during the flush. Race condition. Store got corrupted about once a week. Always on shutdown, always a half-written JSON file.</p> <p>Took me three corrupted files to connect the dots. Added a <code>--foreground</code> flag to run the daemon in the current terminal, caught it within an hour.</p> <p>Fixed version is in the Fastify setup above. Stop producers first, then flush consumers.</p> <h2> start / stop / status / restart </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">cmdStop</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pid</span> <span class="o">=</span> <span class="nf">readPid</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">pid</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Daemon is not running.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">process</span><span class="p">.</span><span class="nf">kill</span><span class="p">(</span><span class="nx">pid</span><span class="p">,</span> <span class="dl">"</span><span class="s2">SIGTERM</span><span class="dl">"</span><span class="p">);</span> <span class="nf">removePid</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Stopped (PID </span><span class="p">${</span><span class="nx">pid</span><span class="p">}</span><span class="s2">).`</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nf">removePid</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Process already gone. Cleaned up PID file.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>No wait for exit. SIGTERM fires the handler, handler calls <code>process.exit(0)</code>, Fastify's <code>onClose</code> runs, done. If that chain takes more than a second or two, something else is broken.</p> <p><code>restart</code> = stop, sleep 500ms (port release), start. <code>status</code> = read PID + hit <code>/health</code>. If the PID file exists but health check fails, the daemon crashed without cleanup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">$</span><span class="w"> </span>my-tool status <span class="go">PID file says 48291 but daemon not responding. </span></code></pre> </div> <h2> Interval callbacks will kill your daemon </h2> <p>Most daemons run periodic tasks. Health checks, cache cleanup, token refresh.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">CHECK_INTERVAL</span> <span class="o">=</span> <span class="mi">30</span><span class="nx">_000</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">HealthChecker</span> <span class="p">{</span> <span class="k">private</span> <span class="nx">timer</span><span class="p">:</span> <span class="nb">ReturnType</span><span class="o">&lt;</span><span class="k">typeof</span> <span class="nx">setInterval</span><span class="o">&gt;</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="nf">start</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">stop</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">timer</span> <span class="o">=</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">checkAll</span><span class="p">().</span><span class="k">catch</span><span class="p">(</span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">);</span> <span class="p">},</span> <span class="nx">CHECK_INTERVAL</span><span class="p">);</span> <span class="p">}</span> <span class="nf">stop</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">timer</span><span class="p">)</span> <span class="p">{</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">timer</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">timer</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>That <code>.catch(console.error)</code> is load-bearing. Without it, a rejected promise inside the interval is an unhandled rejection. Node 22 crashes the process on those.</p> <p>My daemon ran fine for a day, then a DNS timeout in the health checker produced an unhandled rejection. Dead process, stale PID file, nobody noticed until the next morning. Added the <code>.catch</code>, hasn't died since.</p> <h2> Why not PM2 / systemd / Docker </h2> <p>PM2 adds a dependency and has its own process management (PID files, logs, restart policies) that can conflict with yours.</p> <p>systemd is great if you control the box. But this runs on developer laptops. I'm not going to ask macOS users to write a launchd plist.</p> <p>Docker assumes Docker is installed. On a lot of dev machines, it's not.</p> <p>Fork works everywhere Node runs. macOS, Linux, Windows (add <code>windowsHide: true</code> to the fork options or you get a console window flash).</p> <h2> Log rotation </h2> <p>One more thing I didn't think about until a test machine had a 200MB log file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">rotateLog</span><span class="p">():</span> <span class="k">void</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">stats</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">statSync</span><span class="p">(</span><span class="nx">LOG_PATH</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">stats</span><span class="p">.</span><span class="nx">size</span> <span class="o">&gt;</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">1024</span> <span class="o">*</span> <span class="mi">1024</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">backup</span> <span class="o">=</span> <span class="nx">LOG_PATH</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">.1</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">fs</span><span class="p">.</span><span class="nf">existsSync</span><span class="p">(</span><span class="nx">backup</span><span class="p">))</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">unlinkSync</span><span class="p">(</span><span class="nx">backup</span><span class="p">);</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">renameSync</span><span class="p">(</span><span class="nx">LOG_PATH</span><span class="p">,</span> <span class="nx">backup</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="cm">/* first run, no log yet */</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Call this before opening the log fd in <code>startDaemon()</code>. One backup, 10MB cap. Could use logrotate on Linux but again, can't assume it's configured.</p> <p>Fastify 5 boots in under 50ms, which matters when the user is staring at a terminal. The fork + PID + signal + health check pattern has been running on about a dozen machines for a couple months now with zero babysitting. That's the whole point of a daemon, I guess.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> node typescript webdev tutorial Whetlan Wed, 18 Mar 2026 11:59:01 +0000 https://dev.to/whetlan/building-e2e-encryption-in-nodejs-without-libsodium-3hhm https://dev.to/whetlan/building-e2e-encryption-in-nodejs-without-libsodium-3hhm <p>I run two daemons on different machines that talk through a WebSocket relay on a cheap VPS. The relay forwards messages between them, and I didn't want it reading any of that traffic. Partly principle, partly because if someone pops the box I don't want cleartext payloads sitting in memory or logs.</p> <p>The whole thing ended up around ~160 lines of TypeScript. Ed25519 for identity, X25519 for key exchange, AES-256-GCM for the actual encryption. All <code>node:crypto</code>, zero external deps. Node 22.</p> <h2> Two key pairs (blame Node) </h2> <p>Ed25519 and X25519 are both Curve25519. Ed25519 signs. X25519 does Diffie-Hellman.</p> <p>You can convert between them (libsodium has <code>crypto_sign_ed25519_sk_to_curve25519</code>). I tried. Node.js <code>crypto</code> doesn't expose that conversion. You'd need tweetnacl or libsodium-wrappers, and I was trying to keep deps at zero.</p> <p>So: two key pairs. Ed25519 is the long-lived identity, persisted to disk. X25519 is ephemeral, generated per connection, never saved.</p> <h2> Persisting the identity </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:crypto</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:fs/promises</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">IdentityKeys</span> <span class="p">{</span> <span class="nl">privateKey</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">KeyObject</span><span class="p">;</span> <span class="nl">publicKeyHex</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">loadOrCreateKeys</span><span class="p">(</span><span class="nx">keysDir</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">IdentityKeys</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">privPath</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">keysDir</span><span class="p">}</span><span class="s2">/identity.key`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">pubPath</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">keysDir</span><span class="p">}</span><span class="s2">/identity.pub`</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">privDer</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">privPath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pubHex</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFile</span><span class="p">(</span><span class="nx">pubPath</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">privateKey</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createPrivateKey</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">privDer</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">privateKey</span><span class="p">,</span> <span class="na">publicKeyHex</span><span class="p">:</span> <span class="nx">pubHex</span><span class="p">.</span><span class="nf">trim</span><span class="p">()</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// first run, generate fresh</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">privateKey</span><span class="p">,</span> <span class="nx">publicKey</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">generateKeyPairSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">ed25519</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">privDer</span> <span class="o">=</span> <span class="nx">privateKey</span><span class="p">.</span><span class="k">export</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFile</span><span class="p">(</span><span class="nx">privPath</span><span class="p">,</span> <span class="nx">privDer</span><span class="p">);</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">chmod</span><span class="p">(</span><span class="nx">privPath</span><span class="p">,</span> <span class="mo">0o600</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">pubSpki</span> <span class="o">=</span> <span class="nx">publicKey</span><span class="p">.</span><span class="k">export</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">spki</span><span class="dl">"</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// 44 bytes come back. first 12 are ASN.1 header junk. real key is 12-43.</span> <span class="kd">const</span> <span class="nx">publicKeyHex</span> <span class="o">=</span> <span class="nx">pubSpki</span><span class="p">.</span><span class="nf">subarray</span><span class="p">(</span><span class="mi">12</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">writeFile</span><span class="p">(</span><span class="nx">pubPath</span><span class="p">,</span> <span class="nx">publicKeyHex</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">privateKey</span><span class="p">,</span> <span class="nx">publicKeyHex</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The SPKI export cost me time. You ask for the public key, you get 44 bytes back instead of 32. Sat there running <code>xxd</code> and comparing against RFC 8032 test vectors until I realized the first 12 bytes are ASN.1 wrapping that Node just includes. Slicing the buffer is ugly but it works.</p> <p>Signing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">sign</span><span class="p">(</span><span class="nx">privateKey</span><span class="p">:</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">KeyObject</span><span class="p">,</span> <span class="nx">payload</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">payload</span><span class="p">),</span> <span class="dl">"</span><span class="s2">utf-8</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">privateKey</span><span class="p">);</span> <span class="k">return</span> <span class="nx">signature</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>First arg to <code>crypto.sign</code> is the digest algorithm. Ed25519 needs <code>null</code> because the hash is built into the algorithm. I passed <code>"sha256"</code> the first time and got a throw with zero useful context.</p> <h2> ECDH </h2> <p>Each side generates a throwaway X25519 pair per connection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">KeyPair</span> <span class="p">{</span> <span class="nl">publicKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">;</span> <span class="nl">privateKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">generateKeyPair</span><span class="p">():</span> <span class="nx">KeyPair</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">publicKey</span><span class="p">,</span> <span class="nx">privateKey</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">generateKeyPairSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">x25519</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">publicKey</span><span class="p">:</span> <span class="nx">publicKey</span><span class="p">.</span><span class="k">export</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">spki</span><span class="dl">"</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span> <span class="p">}),</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">privateKey</span><span class="p">.</span><span class="k">export</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>ECDH, then HKDF:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">deriveSessionKey</span><span class="p">(</span> <span class="nx">localPrivateKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">remotePubKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="p">):</span> <span class="nx">Buffer</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">privKey</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createPrivateKey</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">localPrivateKey</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">pubKey</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createPublicKey</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">remotePubKey</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">spki</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">sharedSecret</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">diffieHellman</span><span class="p">({</span> <span class="na">privateKey</span><span class="p">:</span> <span class="nx">privKey</span><span class="p">,</span> <span class="na">publicKey</span><span class="p">:</span> <span class="nx">pubKey</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">hkdfSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">sha256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">sharedSecret</span><span class="p">,</span> <span class="dl">""</span><span class="p">,</span> <span class="dl">"</span><span class="s2">relay-e2e-v1</span><span class="dl">"</span><span class="p">,</span> <span class="mi">32</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Don't skip the HKDF step. The raw ECDH output is a curve point, not uniformly random bytes. The info string (<code>"relay-e2e-v1"</code>) just binds it to this protocol.</p> <h2> The actual encryption </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nx">sessionKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">plaintext</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">12</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cipher</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createCipheriv</span><span class="p">(</span><span class="dl">"</span><span class="s2">aes-256-gcm</span><span class="dl">"</span><span class="p">,</span> <span class="nx">sessionKey</span><span class="p">,</span> <span class="nx">iv</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">concat</span><span class="p">([</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">),</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">final</span><span class="p">(),</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">getAuthTag</span><span class="p">();</span> <span class="c1">// iv (12) + authTag (16) + ciphertext</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">concat</span><span class="p">([</span><span class="nx">iv</span><span class="p">,</span> <span class="nx">authTag</span><span class="p">,</span> <span class="nx">encrypted</span><span class="p">]).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nx">sessionKey</span><span class="p">:</span> <span class="nx">Buffer</span><span class="p">,</span> <span class="nx">encoded</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">encoded</span><span class="p">,</span> <span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nf">subarray</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">12</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nf">subarray</span><span class="p">(</span><span class="mi">12</span><span class="p">,</span> <span class="mi">28</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ciphertext</span> <span class="o">=</span> <span class="nx">data</span><span class="p">.</span><span class="nf">subarray</span><span class="p">(</span><span class="mi">28</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decipher</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createDecipheriv</span><span class="p">(</span><span class="dl">"</span><span class="s2">aes-256-gcm</span><span class="dl">"</span><span class="p">,</span> <span class="nx">sessionKey</span><span class="p">,</span> <span class="nx">iv</span><span class="p">);</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">setAuthTag</span><span class="p">(</span><span class="nx">authTag</span><span class="p">);</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">concat</span><span class="p">([</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">),</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">final</span><span class="p">(),</span> <span class="p">]).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>IV + auth tag + ciphertext packed into one base64 string. Receiver knows the layout. No framing needed.</p> <p>This error wasted my entire night:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Unsupported state or unable to authenticate data </code></pre> </div> <p><code>decipher.final()</code> throws that when the auth tag doesn't match. I was convinced my ECDH was broken. Added <code>console.log</code> on both sides, dumped the shared secret hex, they were identical. Stared at the code for way too long.</p> <p>Turned out I had <code>.toString("base64")</code> on the sender and <code>.toString("base64url")</code> on the receiver. One character difference in the output. The error message tells you nothing about <em>what</em> actually failed.</p> <h2> Over the wire </h2> <p>The relay is just a WebSocket server. Two peers join a room. First message each side sends is its X25519 public key, unencrypted:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// both sides send this on connect</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DATA</span><span class="dl">"</span><span class="p">,</span> <span class="na">room_id</span><span class="p">:</span> <span class="nx">roomId</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">KEY_EXCHANGE</span><span class="dl">"</span><span class="p">,</span> <span class="na">pubkey</span><span class="p">:</span> <span class="nx">myKeyPair</span><span class="p">.</span><span class="nx">publicKey</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">),</span> <span class="p">}),</span> <span class="p">}));</span> </code></pre> </div> <p>On the receiving end:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">handleData</span><span class="p">(</span><span class="nx">roomId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">payload</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">room</span> <span class="o">=</span> <span class="nx">rooms</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">roomId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">room</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">_type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">KEY_EXCHANGE</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">pubkey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">remotePub</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">pubkey</span><span class="p">,</span> <span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">);</span> <span class="nx">room</span><span class="p">.</span><span class="nx">sessionKey</span> <span class="o">=</span> <span class="nf">deriveSessionKey</span><span class="p">(</span><span class="nx">myKeyPair</span><span class="p">.</span><span class="nx">privateKey</span><span class="p">,</span> <span class="nx">remotePub</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// not JSON = encrypted payload</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">room</span><span class="p">.</span><span class="nx">sessionKey</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">plaintext</span> <span class="o">=</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nx">room</span><span class="p">.</span><span class="nx">sessionKey</span><span class="p">,</span> <span class="nx">payload</span><span class="p">);</span> <span class="c1">// handle decrypted message</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">decrypt failed for room</span><span class="dl">"</span><span class="p">,</span> <span class="nx">roomId</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Yeah, <code>JSON.parse</code> failure as the encrypted/unencrypted discriminator. Not elegant. But the key exchange piggybacks on the relay's existing DATA message type, so I didn't have to touch the relay code at all.</p> <h2> DER vs PEM </h2> <p>I store keys as DER. Smaller, no base64 overhead, no <code>-----BEGIN</code> headers.</p> <p>But pass DER bytes with <code>format: "pem"</code> and you get this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>error:0480006C:PEM routines::no start line </code></pre> </div> <p>Googled that error, got a bunch of OpenSSL forum posts about certificate chains. Took me 20 minutes to realize I just had the format string wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// this works</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createPrivateKey</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">derBuffer</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">der</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span> <span class="p">});</span> <span class="c1">// this doesn't - DER bytes but told Node to expect PEM</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createPrivateKey</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">derBuffer</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pem</span><span class="dl">"</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pkcs8</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <h2> What this doesn't do </h2> <p>No forward secrecy beyond the session level. If someone records traffic and later grabs the X25519 private key from memory, they can decrypt that session. Real forward secrecy means key ratcheting like Signal does. Per-session ephemeral keys felt like enough for my case. They live in memory and die on disconnect.</p> <p>The relay can also MITM the key exchange. It sees both X25519 public keys go through, could swap them and sit in the middle. The fix is signing the exchange with Ed25519. Haven't built it yet because I own the relay box. But I know that's a cop-out.</p> <p>Not using GCM's AAD either, so replaying an encrypted message from one room into another would technically decrypt fine. Low priority when you control both sides.</p> <p>All <code>node:crypto</code>. The API has gotten a lot less painful since Node 20, and on 22 everything just worked without having to fight KeyObject conversions.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> security typescript node cryptography Whetlan Sat, 14 Mar 2026 11:40:19 +0000 https://dev.to/whetlan/i-published-an-npm-package-someone-used-the-same-name-8-days-later-42g0 https://dev.to/whetlan/i-published-an-npm-package-someone-used-the-same-name-8-days-later-42g0 <p>Eight days after I published my first npm package, I found a GitHub repo with the exact same name. Different author, different language, different country. Same name, same domain (AI agent identity), even some of the same crypto primitives.</p> <p>The package has about 4k lines of TypeScript, four workspace packages, 365 tests. Not a weekend project. So finding a repo called the same thing, first commit dated eight days after my npm publish, with a version tag of "v6.0" on that first commit... that was a weird morning.</p> <h2> npm timestamps don't lie </h2> <p>First thing I did was check what I actually had on my side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm view my-package <span class="nb">time</span> <span class="o">{</span> <span class="s1">'0.0.1'</span>: <span class="s1">'2026-03-01T...'</span>, <span class="s1">'0.2.0'</span>: <span class="s1">'2026-03-05T...'</span>, <span class="s1">'0.2.5'</span>: <span class="s1">'2026-03-05T...'</span>, <span class="s1">'0.2.8'</span>: <span class="s1">'2026-03-08T...'</span> <span class="o">}</span> </code></pre> </div> <p>npm publish timestamps are immutable. Git commits can be rebased and rewritten. npm timestamps can't.</p> <p>Their first commit: March 9. My <code>0.0.1</code>: March 1. That settled the priority question. But I did a lot of other stuff anyway, because panic is a hell of a motivator.</p> <h2> So how do naming collisions actually work? </h2> <p>Here's the thing I didn't fully appreciate before this happened: npm, PyPI, and crates.io are completely independent namespaces. Owning <code>my-package</code> on npm gives you zero claim to <code>my-package</code> on PyPI. There's no cross-registry reservation system. There's no trademark-like protection unless you actually have a trademark.</p> <p>The other project was in Python. They couldn't use my npm name because I already had it. So they published on PyPI and built a website instead.</p> <p>Totally legal. Feels weird, but totally legal.</p> <h2> The 45-minute panic </h2> <p>Here's what I did in the first hour after finding the repo:</p> <p><strong>Checked PyPI.</strong> My name wasn't taken. Registered it immediately with a placeholder package.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pip <span class="nb">install </span>twine build <span class="c"># created a minimal pyproject.toml with just the name and version</span> <span class="nv">$ </span>python <span class="nt">-m</span> build <span class="o">&amp;&amp;</span> twine upload dist/<span class="k">*</span> </code></pre> </div> <p>PyPI's registration process is straightforward but I'd never done it before. Spent 15 minutes figuring out that you need a <code>pyproject.toml</code> now, not a <code>setup.py</code>. The Python packaging ecosystem changes its mind about this every two years.</p> <p><strong>Checked crates.io.</strong> Also not taken. Registered four variations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>cargo init my-package <span class="nt">--lib</span> <span class="nv">$ </span>cargo publish <span class="nt">--allow-dirty</span> </code></pre> </div> <p>crates.io requires a valid <code>Cargo.toml</code> with a license field and a non-empty <code>src/lib.rs</code>. My placeholder packages have exactly one line of Rust:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// placeholder - real implementation coming</span> </code></pre> </div> <p>Is this a good use of package registries? Probably not. But the alternative was watching someone else grab them.</p> <p><strong>Checked the GitHub username.</strong> Taken, but by an inactive account with zero repos. Nothing I can do about that.</p> <p>Total time: about 45 minutes. Could have been 10 if I'd done this before the first npm publish.</p> <h2> What tipped me off </h2> <p>I wasn't actively searching for copycats. I was checking if anyone had used a similar name before I registered on more platforms. Standard due diligence, a week late.</p> <p>The repo had 32 commits in 3 days. All by one person. The first commit was tagged "v6.0", which is a bold move for a repo that didn't exist the day before. Most of the code looked AI-generated (one commit had a co-author tag from an AI assistant). There was a Discord bot, a Supabase backend, some Solana stubs that didn't compile.</p> <p>I don't want to get into whether this counts as "copying." The name is unusual enough that it's not a coincidence. But the implementation was completely different, and open source doesn't have naming courts.</p> <p>What bothered me more than the copying was realizing how exposed I'd been. Eight days with an npm package and zero presence anywhere else. If they'd moved faster, they could have grabbed the PyPI name first.</p> <h2> What I'd actually recommend </h2> <p>If you're publishing an open source package with a distinctive name, do this stuff on day one. Not day eight.</p> <p><strong>Before your first <code>npm publish</code>:</strong></p> <p>Check these registries even if you have no plans to publish there:</p> <ul> <li>PyPI (<code>pip install</code> your name, see if it 404s)</li> <li>crates.io (search, or <code>cargo search your-name</code>)</li> <li>The GitHub username</li> <li>The <code>.com</code> / <code>.dev</code> / <code>.ai</code> domains</li> </ul> <p><strong>In your package.json:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"homepage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://github.com/your-org/your-package"</span><span class="p">,</span><span class="w"> </span><span class="nl">"repository"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"git"</span><span class="p">,</span><span class="w"> </span><span class="nl">"url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://github.com/your-org/your-package"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Sounds obvious but I didn't have the <code>homepage</code> field until after the incident. Google uses it when indexing npm packages.</p> <p><strong>In your README, near the top:</strong></p> <p>Something like "Originally published March 2026 on npm" with a link. Not aggressive, just a timestamp that lives in your repo.</p> <p><strong>Register placeholder packages on at least PyPI and crates.io.</strong> A minimal package with just a name and description takes 5 minutes per registry. The cost is near zero. The alternative is doing it in a panic at 11pm on a weekday.</p> <h2> The version tag thing still bugs me </h2> <p>Their repo's first commit was tagged <code>v6.0</code>. Not <code>v0.1.0</code>, not <code>v1.0.0</code>. Version 6.</p> <p>I can think of two reasons to do this. One is that they had five previous major versions in a private repo and decided to open-source at v6. The other is that they wanted the project to look mature.</p> <p>The repo had zero stars, zero forks, zero issues, one contributor. I'll let you decide which explanation is more likely.</p> <h2> npm doesn't care, and that's fine </h2> <p>I reached out to npm support just to understand the policy. There isn't one for cross-platform naming conflicts. npm's stance is basically: you own the name on npm, that's it. What happens on PyPI or GitHub is outside their scope.</p> <p>Which is the right answer, honestly. A centralized cross-platform naming authority would be a nightmare. Imagine disputing a crate name because you own the npm package. The governance complexity alone would be unworkable.</p> <p>The tradeoff is that defensive registration falls on you. Nobody else is going to protect your name across registries.</p> <h2> Eight days is a long time </h2> <p>That's the actual takeaway for me. I built the thing, tested extensively, published to npm, and then just... didn't think about other registries. For eight days. In a space where someone can scaffold an entire project with AI assistance in a weekend.</p> <p>If you're publishing something with a name you care about, spend the extra 30 minutes on day one. It's boring, it feels premature, and it will save you a very unpleasant surprise.</p> <p>My package registrations now look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm: ✅ (day 1) PyPI: ✅ (day 9, should have been day 1) crates.io: ✅ (day 9) GitHub org: ✅ (day 1) </code></pre> </div> <p>Four out of four. Would have been a lot less stressful if I'd done them all on the same day.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> opensource node webdev discuss Whetlan Fri, 13 Mar 2026 09:42:08 +0000 https://dev.to/whetlan/pnpm-workspaces-in-production-what-actually-matters-16p7 https://dev.to/whetlan/pnpm-workspaces-in-production-what-actually-matters-16p7 <p>I've been running a pnpm workspaces monorepo in production. Four packages, all TypeScript, about 8k lines total, published to npm. Node 22, pnpm 9, no build tool beyond <code>tsc</code>. Before I started I read a dozen "monorepo setup" articles and most of them were 2000 words on Turborepo vs Nx vs Lerna, and maybe two paragraphs on the stuff that actually breaks on a random Tuesday afternoon.</p> <p>This is the Tuesday afternoon stuff.</p> <h2> Two lines of config </h2> <p>My workspace config is two lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># pnpm-workspace.yaml</span> <span class="na">packages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">packages/*"</span> </code></pre> </div> <p>That's it. Every directory under <code>packages/</code> is a workspace package. The root <code>package.json</code> is private and just orchestrates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"private"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"build"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm -r build"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dev"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm -r --parallel dev"</span><span class="p">,</span><span class="w"> </span><span class="nl">"test"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm -r test"</span><span class="p">,</span><span class="w"> </span><span class="nl">"clean"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm -r --parallel exec rm -rf dist"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"engines"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"node"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=22"</span><span class="p">,</span><span class="w"> </span><span class="nl">"pnpm"</span><span class="p">:</span><span class="w"> </span><span class="s2">"&gt;=9"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>-r</code> means "run in every package." <code>--parallel</code> on <code>dev</code> and <code>clean</code> because those don't depend on each other. But <code>build</code> runs sequentially, because one of my packages imports from another and needs it compiled first. pnpm figures out the dependency order on its own, so the dependent package always builds after its dependency.</p> <p>I spent zero time choosing between Turborepo and Nx. <code>pnpm -r</code> handles orchestration, <code>tsc</code> handles compilation. That's it.</p> <h2> Shared tsconfig (the part that actually saves time) </h2> <p>Every monorepo article tells you to make a shared base tsconfig. They're right. But nobody tells you which settings go in the base vs per-package.</p> <p>My base:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ES2022"</span><span class="p">,</span><span class="w"> </span><span class="nl">"module"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Node16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"moduleResolution"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Node16"</span><span class="p">,</span><span class="w"> </span><span class="nl">"lib"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"ES2022"</span><span class="p">],</span><span class="w"> </span><span class="nl">"strict"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"esModuleInterop"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"skipLibCheck"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"declaration"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"declarationMap"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"sourceMap"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Each package extends it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="s2">"../../tsconfig.base.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rootDir"</span><span class="p">:</span><span class="w"> </span><span class="s2">"src"</span><span class="p">,</span><span class="w"> </span><span class="nl">"outDir"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"include"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"src/**/*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>rootDir</code> and <code>outDir</code> are per-package because they're relative paths. Everything else is shared.</p> <p>Before this, I had four slightly different tsconfigs and couldn't remember which one had <code>strictNullChecks</code>. Now I change a setting once and it applies everywhere.</p> <h3> What About TypeScript Project References? </h3> <p>I don't use them. <code>composite: true</code> gives you cross-package type checking at build time, but you have to maintain a <code>references</code> array in every tsconfig, keep them in sync with your dependency graph, and deal with <code>tsBuildInfo</code> files that get stale and produce phantom errors.</p> <p>Four packages, one internal dependency. I just build them in order. If I had ten packages or builds started taking minutes instead of seconds, I'd probably reconsider.</p> <h2> workspace:* vs workspace:^ </h2> <p>When one package depends on another in the monorepo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"my-daemon"</span><span class="p">:</span><span class="w"> </span><span class="s2">"workspace:*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>During development this creates a symlink. Live, always-current version of the dependency. No rebuild needed.</p> <p>At publish time, pnpm replaces <code>workspace:*</code> with the actual version number. So <code>"my-daemon": "workspace:*"</code> becomes <code>"my-daemon": "0.2.7"</code> in the published package.json.</p> <p>Here's where it bit me: I initially had <code>workspace:^</code> (with a caret). Published, and the dependency became <code>"^0.2.7"</code>. Consumers could install mismatched minor versions. For tightly coupled internal deps, use <code>workspace:*</code> for exact version pinning.</p> <h2> Phantom dependencies will find you </h2> <p>This one cost me a full afternoon. pnpm uses a strict <code>node_modules</code> structure by default. Packages can only access dependencies they explicitly declare. Which is great, until you realize half your code was relying on phantom dependencies and you didn't know it.</p> <p>If package A depends on <code>fastify</code> and package B doesn't declare it, B can't import <code>fastify</code> even though it's installed in the monorepo. With npm or yarn, hoisting would let B "accidentally" use A's fastify. You'd never notice until you publish and a user's install fails.</p> <p>I had this exact bug. One of my packages was importing a type from <code>@types/ws</code> without declaring it as a devDependency. Worked fine locally because another package had it, and VS Code happily resolved it through the workspace. Published to npm, got an issue within two days:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>error TS2307: Cannot find module 'ws' or its corresponding type declarations. </code></pre> </div> <p>Felt pretty dumb.</p> <p>The fix: run <code>pnpm why</code> in each workspace, check that every import has a matching declaration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cd </span>packages/client <span class="o">&amp;&amp;</span> pnpm why @types/ws <span class="c"># nothing? that's your bug</span> <span class="nv">$ </span>pnpm add <span class="nt">-D</span> @types/ws </code></pre> </div> <p>Boring work, but it would have saved me an embarrassing npm publish.</p> <h2> Vitest + workspaces </h2> <p>Vitest has a workspace feature. My root config just lists the packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vitest.workspace.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineWorkspace</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest/config</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineWorkspace</span><span class="p">([</span> <span class="dl">"</span><span class="s2">packages/server</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">packages/client</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">packages/cli</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">packages/core</span><span class="dl">"</span><span class="p">,</span> <span class="p">]);</span> </code></pre> </div> <p>Per-package config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">vitest/config</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">test</span><span class="p">:</span> <span class="p">{</span> <span class="na">testTimeout</span><span class="p">:</span> <span class="mi">10</span><span class="nx">_000</span><span class="p">,</span> <span class="na">restoreMocks</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><code>pnpm test</code> from root runs all suites. <code>pnpm --filter server test</code> runs just one.</p> <p>One gotcha: if your tests import from sibling packages, make sure you've built the dependency first. Vitest doesn't trigger builds. I ended up with a <code>pretest</code> script that runs <code>pnpm -r build</code> before the test suite. Wasteful, rebuilds everything even if nothing changed. But the alternative is forgetting to build and then spending 20 minutes debugging why the types don't match.</p> <h2> Publishing to npm </h2> <p>No Changesets, no Lerna. I bump versions manually and <code>pnpm publish</code> from each package directory.</p> <p>The <code>prepublishOnly</code> hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"prepublishOnly"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pnpm build"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Without this, you will eventually publish stale <code>dist/</code> files. Or no <code>dist/</code> at all. I did this on my second publish. Ran <code>npm info</code> on the package, stared at the file list, wondered why <code>dist/</code> was from three commits ago. Took me way too long to realize I just forgot to build before publishing.</p> <p>Also, explicit <code>files</code> field:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"files"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"dist"</span><span class="p">,</span><span class="w"> </span><span class="s2">"README.md"</span><span class="p">],</span><span class="w"> </span><span class="nl">"main"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/index.js"</span><span class="p">,</span><span class="w"> </span><span class="nl">"types"</span><span class="p">:</span><span class="w"> </span><span class="s2">"dist/index.d.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"exports"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"."</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"types"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist/index.d.ts"</span><span class="p">,</span><span class="w"> </span><span class="nl">"default"</span><span class="p">:</span><span class="w"> </span><span class="s2">"./dist/index.js"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>I once published a package that accidentally included my <code>src/</code> directory, test fixtures, and a 4MB debug log. The <code>files</code> field is an allowlist. Only what you list gets published. <code>npm pack --dry-run</code> is your friend here, run it once before every publish and actually read the output.</p> <h2> Stuff I tried that wasn't worth it </h2> <p>I tried Turborepo for about a day. My full build takes under 30 seconds. Remote caching and smart task scheduling are solving a problem I don't have. <code>pnpm -r build</code> is the whole build system.</p> <p>I also see monorepos with a <code>packages/eslint-config</code> internal package. For four packages that's a lot of ceremony for an eslint config. Mine lives at the root, each package references it with a relative path. Done.</p> <p>Early on I extracted a "shared utils" package. It had three functions in it. That's not a package, that's a file. I deleted it and just duplicated the two functions that were actually shared. Less abstraction, fewer symlink headaches.</p> <p>And I gave up on synchronized version numbers pretty quickly. My client library and server ship at different cadences. Forcing <code>v0.3.1</code> on both would mean publishing no-op releases just to keep numbers aligned.</p> <h2> Keep it boring </h2> <p>After all of this, the thing I keep coming back to is: keep it boring. <code>pnpm-workspace.yaml</code> should be two lines. Your root <code>package.json</code> should have like five scripts. If your monorepo setup needs a README to explain how it works, you've gone too far.</p> <p>When something breaks, don't reach for <code>shamefully-hoist=true</code> in <code>.npmrc</code>. Figure out why it broke. Nine times out of ten it's a missing dependency declaration, and your users will hit the same thing when they install your package.</p> <p>And put <code>prepublishOnly</code> hooks in every publishable package. I cannot stress this enough. Future you will forget to build before publishing. It's not a question of if.</p> <p>Four packages, plain pnpm, no Turborepo, no Nx. If build times become a problem I'll add something. They haven't yet.</p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> typescript node webdev productivity Whetlan Thu, 12 Mar 2026 11:00:02 +0000 https://dev.to/whetlan/building-zero-config-lan-discovery-in-nodejs-mdns-udp-broadcast-44go https://dev.to/whetlan/building-zero-config-lan-discovery-in-nodejs-mdns-udp-broadcast-44go <p>I was building a small daemon that runs on multiple machines in a LAN — think a couple of dev servers, a NAS, maybe a Raspberry Pi. I wanted them to discover each other automatically. No central server, no config files listing IP addresses, no "go edit this YAML and restart."</p> <p>Just start it and it should find its peers.</p> <p>I ended up layering three approaches: mDNS, a custom UDP broadcast protocol I basically stole from 1990s Novell NetWare, and a brute-force subnet scanner as the last resort. The whole thing is ~300 lines of TypeScript.</p> <h2> mDNS: great on paper </h2> <p>First attempt was pure mDNS. Typical setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Laptop (Wi-Fi) → office AP → corporate router → server running the daemon </code></pre> </div> <p>In theory mDNS handles this fine. In practice it worked on my MacBook at home, worked in a small office, then fell apart on real networks. Routers silently dropping multicast. Access points with client isolation. One corporate network had multicast disabled and nobody in IT could tell me why.</p> <p>Node.js mDNS annoyances:</p> <ul> <li>No built-in support — you need the <code>multicast-dns</code> npm package</li> <li>macOS handles it natively (Bonjour), Linux needs avahi, Windows is a coin flip</li> <li>Port 5353 conflicts if avahi-daemon is already running</li> <li>Fails silently. Your queries just go into the void.</li> </ul> <h2> Stealing from 1990s NetWare </h2> <p>Novell NetWare had SAP — Service Advertising Protocol. Every server periodically broadcasts "hey, I exist, here's what I do" to the entire subnet. No multicast groups, no special infrastructure.</p> <p>I built the same thing on UDP/IP. Two message types:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">DiscoverMessage</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">discover</span><span class="dl">"</span><span class="p">;</span> <span class="nl">version</span><span class="p">:</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">AnnounceMessage</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">announce</span><span class="dl">"</span><span class="p">;</span> <span class="nl">version</span><span class="p">:</span> <span class="mi">1</span><span class="p">;</span> <span class="nl">instance_id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">display_name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">port</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">tls</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Node starts up, broadcasts <code>discover</code>. Running instances reply with <code>announce</code>. Periodic <code>announce</code> on a timer so late joiners get found too.</p> <h3> Socket setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">dgram</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:dgram</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">os</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">node:os</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">DISCOVERY_PORT</span> <span class="o">=</span> <span class="mi">17891</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">startDiscovery</span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">dgram</span><span class="p">.</span><span class="nx">Socket</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">((</span><span class="nx">resolve</span><span class="p">,</span> <span class="nx">reject</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">socket</span> <span class="o">=</span> <span class="nx">dgram</span><span class="p">.</span><span class="nf">createSocket</span><span class="p">(</span><span class="dl">"</span><span class="s2">udp4</span><span class="dl">"</span><span class="p">);</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">socket</span><span class="p">.</span><span class="nf">address</span><span class="p">())</span> <span class="p">{</span> <span class="nf">reject</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="c1">// failed during bind</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">bind</span><span class="p">(</span><span class="nx">DISCOVERY_PORT</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">setBroadcast</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="c1">// DO NOT FORGET THIS</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">socket</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>I wasted two hours on this. Ran tcpdump, stared at Wireshark captures, swapped ports, blamed the firewall.</p> <p>Turns out I forgot <code>socket.setBroadcast(true)</code>. Node.js won't send to broadcast addresses without it — doesn't throw, doesn't warn. The packets just vanish.</p> <h3> Broadcast addresses </h3> <p>On a machine with multiple NICs you need the per-subnet broadcast address, not just <code>255.255.255.255</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">getBroadcastTargets</span><span class="p">():</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">targets</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">ifaces</span> <span class="o">=</span> <span class="nx">os</span><span class="p">.</span><span class="nf">networkInterfaces</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">name</span><span class="p">,</span> <span class="nx">addrs</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">ifaces</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">addrs</span> <span class="o">||</span> <span class="nf">isVirtualInterface</span><span class="p">(</span><span class="nx">name</span><span class="p">))</span> <span class="k">continue</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">addr</span> <span class="k">of</span> <span class="nx">addrs</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">addr</span><span class="p">.</span><span class="nx">family</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">IPv4</span><span class="dl">"</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">addr</span><span class="p">.</span><span class="nx">internal</span><span class="p">)</span> <span class="p">{</span> <span class="nx">targets</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nf">calcBroadcast</span><span class="p">(</span><span class="nx">addr</span><span class="p">.</span><span class="nx">address</span><span class="p">,</span> <span class="nx">addr</span><span class="p">.</span><span class="nx">netmask</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">targets</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// broadcast = IP | ~mask, nothing fancy</span> <span class="kd">function</span> <span class="nf">calcBroadcast</span><span class="p">(</span><span class="nx">ip</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">mask</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ipParts</span> <span class="o">=</span> <span class="nx">ip</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nb">Number</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">maskParts</span> <span class="o">=</span> <span class="nx">mask</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nb">Number</span><span class="p">);</span> <span class="k">return</span> <span class="nx">ipParts</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">,</span> <span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span><span class="nx">b</span> <span class="o">|</span> <span class="p">(</span><span class="o">~</span><span class="nx">maskParts</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span><span class="o">!</span> <span class="o">&amp;</span> <span class="mh">0xff</span><span class="p">)))</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><code>192.168.1.42</code> with mask <code>255.255.255.0</code> → <code>192.168.1.255</code>. Bitwise OR with inverted netmask.</p> <h3> Filtering virtual interfaces </h3> <p>Docker running + WireGuard VPN = my daemon "discovering" phantom peers. Broadcasting over Docker bridges and VPN tunnels, getting garbage back.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">isVirtualInterface</span><span class="p">(</span><span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">n</span> <span class="o">=</span> <span class="nx">name</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">wg</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// WireGuard</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">tun</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// TUN (OpenVPN)</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">tap</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// TAP</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">docker</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// Docker</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">br-</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// Docker bridge</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">veth</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// Docker veth</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">virbr</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// KVM</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">vmnet</span><span class="dl">"</span><span class="p">)</span> <span class="o">||</span> <span class="c1">// VMware</span> <span class="nx">n</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">vboxnet</span><span class="dl">"</span><span class="p">)</span> <span class="c1">// VirtualBox</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Hardcoded prefix list. <code>os.networkInterfaces()</code> gives you zero info about physical vs virtual. On Linux you could parse sysfs but that doesn't help on macOS or Windows.</p> <h3> TCP probe before registering </h3> <p>UDP is unverified. Before registering a peer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">handleAnnounce</span><span class="p">(</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">AnnounceMessage</span><span class="p">,</span> <span class="nx">rinfo</span><span class="p">:</span> <span class="nx">dgram</span><span class="p">.</span><span class="nx">RemoteInfo</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// own broadcast echoing back — yes this happens</span> <span class="k">if </span><span class="p">(</span><span class="nf">isSelfIp</span><span class="p">(</span><span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">))</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// not on our subnet? reject</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">isInLocalSubnet</span><span class="p">(</span><span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">))</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// actually try to connect before believing it</span> <span class="kd">const</span> <span class="nx">alive</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">tcpProbe</span><span class="p">(</span><span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">port</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">alive</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nf">registerPeer</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">instance_id</span><span class="p">,</span> <span class="na">address</span><span class="p">:</span> <span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">port</span><span class="p">,</span> <span class="na">source</span><span class="p">:</span> <span class="dl">"</span><span class="s2">broadcast</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>You might get an announce from a service that crashed 30 seconds ago. TCP health check with 2-second timeout filters out the ghosts.</p> <p>Your own broadcasts also echo back. Found that when my daemon kept discovering itself.</p> <h3> Announce jitter </h3> <p>Without randomization, 10 simultaneous instances all broadcast at the exact same second forever:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">ANNOUNCE_INTERVAL</span> <span class="o">=</span> <span class="mi">60</span><span class="nx">_000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ANNOUNCE_JITTER</span> <span class="o">=</span> <span class="mi">10</span><span class="nx">_000</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">scheduleNextAnnounce</span><span class="p">(</span><span class="nx">socket</span><span class="p">:</span> <span class="nx">dgram</span><span class="p">.</span><span class="nx">Socket</span><span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">delay</span> <span class="o">=</span> <span class="nx">ANNOUNCE_INTERVAL</span> <span class="o">+</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="nx">ANNOUNCE_JITTER</span><span class="p">;</span> <span class="nf">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">broadcastAnnounce</span><span class="p">(</span><span class="nx">socket</span><span class="p">);</span> <span class="nf">scheduleNextAnnounce</span><span class="p">(</span><span class="nx">socket</span><span class="p">);</span> <span class="p">},</span> <span class="nx">delay</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>60s base + 0-10s random jitter. Same thing NTP does.</p> <h2> I still use mDNS though </h2> <p>Despite everything above, I run mDNS alongside the broadcast protocol. On home networks it works fine, and other programs can discover your service too.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">mDNS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">multicast-dns</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">mdns</span> <span class="o">=</span> <span class="nf">mDNS</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">SERVICE_TYPE</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">_my-service._tcp.local</span><span class="dl">"</span><span class="p">;</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">mdns</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">questions</span><span class="p">:</span> <span class="p">[{</span> <span class="na">name</span><span class="p">:</span> <span class="nx">SERVICE_TYPE</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">PTR</span><span class="dl">"</span> <span class="p">}],</span> <span class="p">});</span> <span class="p">},</span> <span class="mi">30</span><span class="nx">_000</span><span class="p">);</span> <span class="nx">mdns</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">response</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">response</span><span class="p">,</span> <span class="nx">rinfo</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">allRecords</span> <span class="o">=</span> <span class="p">[</span> <span class="p">...</span><span class="nx">response</span><span class="p">.</span><span class="nx">answers</span><span class="p">,</span> <span class="p">...</span><span class="nx">response</span><span class="p">.</span><span class="nx">additionals</span><span class="p">,</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">srvRecords</span> <span class="o">=</span> <span class="nx">allRecords</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">SRV</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">aRecords</span> <span class="o">=</span> <span class="nx">allRecords</span><span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="kd">type</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">A</span><span class="dl">"</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">srv</span> <span class="k">of</span> <span class="nx">srvRecords</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">port</span> <span class="o">=</span> <span class="nx">srv</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">port</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">target</span> <span class="o">=</span> <span class="nx">srv</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">target</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">aRecord</span> <span class="o">=</span> <span class="nx">aRecords</span><span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">r</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="nx">target</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">ip</span> <span class="o">=</span> <span class="nx">aRecord</span> <span class="p">?</span> <span class="nc">String</span><span class="p">(</span><span class="nx">aRecord</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">:</span> <span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Found peer: </span><span class="p">${</span><span class="nx">ip</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>One gotcha: lots of services bind to <code>127.0.0.1</code> and advertise that via mDNS. You connect to the A record and hit yourself.</p> <p>Fix — use the UDP packet's source IP when the A record is loopback:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">aRecordIp</span> <span class="o">=</span> <span class="nx">aRecord</span> <span class="p">?</span> <span class="nc">String</span><span class="p">(</span><span class="nx">aRecord</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">:</span> <span class="dl">""</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">isLoopback</span> <span class="o">=</span> <span class="nx">aRecordIp</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">127.0.0.1</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">aRecordIp</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">::1</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">aRecordIp</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">"</span><span class="s2">127.</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">address</span> <span class="o">=</span> <span class="nx">aRecordIp</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">isLoopback</span> <span class="p">?</span> <span class="nx">aRecordIp</span> <span class="p">:</span> <span class="nx">rinfo</span><span class="p">.</span><span class="nx">address</span><span class="p">;</span> </code></pre> </div> <p>I made mDNS a soft dependency — if <code>multicast-dns</code> isn't installed, broadcast-only mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">mdns</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">mDNS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">multicast-dns</span><span class="dl">"</span><span class="p">);</span> <span class="nx">mdns</span> <span class="o">=</span> <span class="nf">mDNS</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">"</span><span class="s2">mDNS unavailable, broadcast-only mode</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Last resort: subnet scan </h2> <p>When passive discovery doesn't cut it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">CONCURRENCY</span> <span class="o">=</span> <span class="mi">50</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">TIMEOUT</span> <span class="o">=</span> <span class="mi">2</span><span class="nx">_000</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">scanSubnet</span><span class="p">(</span><span class="nx">subnet</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">port</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">targets</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;=</span> <span class="mi">254</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">targets</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">subnet</span><span class="p">}</span><span class="s2">.</span><span class="p">${</span><span class="nx">i</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">port</span> <span class="p">});</span> <span class="p">}</span> <span class="o">---</span> <span class="o">*</span><span class="nx">Part</span> <span class="k">of</span> <span class="p">[</span><span class="nx">ClawNexus</span><span class="p">](</span><span class="nx">https</span><span class="p">:</span><span class="c1">//silverstream.tech/clawnexus), an open-source identity registry for AI agents.*</span> <span class="kd">const</span> <span class="nx">queue</span> <span class="o">=</span> <span class="p">[...</span><span class="nx">targets</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">while </span><span class="p">(</span><span class="nx">queue</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">target</span> <span class="o">=</span> <span class="nx">queue</span><span class="p">.</span><span class="nf">shift</span><span class="p">()</span><span class="o">!</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">alive</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">probeHost</span><span class="p">(</span><span class="nx">target</span><span class="p">.</span><span class="nx">host</span><span class="p">,</span> <span class="nx">target</span><span class="p">.</span><span class="nx">port</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">alive</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Found: </span><span class="p">${</span><span class="nx">target</span><span class="p">.</span><span class="nx">host</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">target</span><span class="p">.</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 50 workers chewing through the queue</span> <span class="kd">const</span> <span class="nx">workers</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="p">{</span> <span class="na">length</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">CONCURRENCY</span><span class="p">,</span> <span class="nx">targets</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">worker</span><span class="p">(),</span> <span class="p">);</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">allSettled</span><span class="p">(</span><span class="nx">workers</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>50 concurrent probes, 2-second timeout. Full /24 in about 10 seconds. I expose it as an on-demand API endpoint.</p> <h2> What I'd change </h2> <p>Should have filtered virtual interfaces on day one. That one wasted an entire evening — I kept thinking my broadcast protocol was broken until I noticed Docker bridges were happily replying to my packets.</p> <p>Should have used a binary header for UDP instead of raw JSON. Would have prevented the <code>JSON.parse</code> crash when a broken mDNS responder sent invalid data. I knew it could throw. Didn't wrap it. Classic.</p> <p>Test on Windows earlier. The firewall silently blocks UDP on custom ports. Ended up adding <code>netsh advfirewall</code> rule creation.</p> <p>Only dependencies are <code>dgram</code> and <code>os</code> from Node, plus <code>multicast-dns</code> if you want it.</p> <p><em>Fought with mDNS on corporate networks? What ended up working?</em></p> <p>Find me on <a href="https://whetan.substack.com" rel="noopener noreferrer">Substack</a> | <a href="https://stratcraft.ai/" rel="noopener noreferrer">StratCraft</a></p> networking typescript node tutorial