Engineering
Notes from the team
Security, identity, and the boring infra it takes to make auth feel boring.
8 min read · security · audit · postgres
How we made our audit log tamper-evident
A per-tenant SHA-256 chain + advisory locks. Why we picked this design over append-only Postgres logical replication.
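Added example, not code from the post itself: a stand-alone Go sketch of the per-tenant chain the teaser describes. Each row's SHA-256 covers the previous row's hash, so editing a row or deleting one from the middle breaks every verification step after it, and a per-tenant mutex stands in for the Postgres advisory lock that serialises appends to one tenant's chain. The column names, tenants and events are constructed for the example; the post's actual schema and SQL are not on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sync"
)

// AuditEvent is the canonical content that gets hashed; struct field order fixes the JSON key order.
type AuditEvent struct {
	Seq      int64  `json:"seq"`
	TenantID string `json:"tenant_id"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"` // hash of this tenant's previous row
}

type AuditRow struct {
	AuditEvent
	Hash string `json:"hash"`
}

// genesisHash is the constructed prev_hash of every tenant's first row.
var genesisHash = hex.EncodeToString(make([]byte, sha256.Size))

// AuditLog is an in-memory stand-in for the audit table; its zero value is usable.
type AuditLog struct {
	locks sync.Map // tenant -> *sync.Mutex, standing in for a per-tenant advisory lock
	rows  sync.Map // tenant -> []AuditRow
}

func (l *AuditLog) chain(tenant string) []AuditRow {
	v, _ := l.rows.Load(tenant)
	rows, _ := v.([]AuditRow)
	return rows
}

// rowHash covers prev_hash too, so every row commits to its predecessor.
func rowHash(e AuditEvent) string {
	b, _ := json.Marshal(e) // deterministic: fixed field order, no maps
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new row onto the tenant's chain while holding that tenant's lock, as
// pg_advisory_xact_lock would; without it two appenders could read the same head and fork the chain.
func (l *AuditLog) Append(tenant, actor, action string) AuditRow {
	m, _ := l.locks.LoadOrStore(tenant, &sync.Mutex{})
	m.(*sync.Mutex).Lock()
	defer m.(*sync.Mutex).Unlock()
	chain := l.chain(tenant)
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	ev := AuditEvent{Seq: int64(len(chain)) + 1, TenantID: tenant,
		Actor: actor, Action: action, PrevHash: prev}
	row := AuditRow{AuditEvent: ev, Hash: rowHash(ev)}
	l.rows.Store(tenant, append(chain, row))
	return row
}

// Rows returns a copy of one tenant's chain in insertion order.
func (l *AuditLog) Rows(tenant string) []AuditRow {
	return append([]AuditRow(nil), l.chain(tenant)...)
}

// Verify walks a chain from genesis and reports the first row whose seq, prev_hash or
// hash disagrees with what the chain implies. It catches edited rows and rows deleted
// from the middle; rows dropped from the tail need the head hash anchored elsewhere.
func Verify(rows []AuditRow) (ok bool, badSeq int64) {
	prev := genesisHash
	for i, r := range rows {
		if r.Seq != int64(i)+1 || r.PrevHash != prev || rowHash(r.AuditEvent) != r.Hash {
			return false, r.Seq
		}
		prev = r.Hash
	}
	return true, 0
}

// Demo builds two tenants' chains, edits one "acme" row as a direct UPDATE behind the app would, and reports what Verify says.
func Demo() (intactBefore bool, tamperedSeq int64, otherTenantOK bool) {
	var l AuditLog
	for _, a := range []string{"login", "export", "delete"} {
		l.Append("acme", "alice", a)
		l.Append("globex", "bob", a)
	}
	acme := l.Rows("acme")
	intactBefore, _ = Verify(acme)
	acme[1].Action = "view" // row 2 now claims something else happened
	_, tamperedSeq = Verify(acme)
	otherTenantOK, _ = Verify(l.Rows("globex"))
	return intactBefore, tamperedSeq, otherTenantOK
}

func main() { fmt.Println(Demo()) }
```

One caveat worth keeping in mind with any plain hash chain, this sketch included: it cannot tell a chain that was truncated at the tail from one that simply stopped, so the latest hash per tenant has to be recorded somewhere the database writer cannot reach (an external store, a signed checkpoint, or a periodic export) for the tail to be covered.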
5 min read · observability · compliance · go
Log redaction without regret
How a 200-line slog.Handler wrapper made our structured logs SOC 2 friendly without changing a single call site.
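Added example, not the wrapper from the post: a small slog.Handler wrapper in the same spirit. It sits between the logger and the real handler, replaces the values of deny-listed keys (including keys nested inside groups and attrs added via logger.With) and passes everything else through unchanged, so existing log calls keep working. The deny-list, the sample event and the secret values are constructed for the example.

```go
package main

import (
	"bytes"
	"context"
	"log/slog"
	"os"
	"strings"
)

// sensitiveKeys is the constructed deny-list for this example; the post's
// real list is not on this page. Matching is case-insensitive on the key.
var sensitiveKeys = map[string]bool{
	"password": true, "token": true, "authorization": true, "secret": true,
}

const redacted = "[REDACTED]"

// redactingHandler wraps any slog.Handler and rewrites sensitive attribute
// values before the inner handler sees them. Call sites keep logging as
// before; only the handler installed at startup changes.
type redactingHandler struct {
	inner slog.Handler
}

func NewRedactingHandler(inner slog.Handler) slog.Handler {
	return &redactingHandler{inner: inner}
}

func (h *redactingHandler) Enabled(ctx context.Context, l slog.Level) bool {
	return h.inner.Enabled(ctx, l)
}

// redactAttr returns a with sensitive values replaced. Groups are walked
// recursively so a key nested under e.g. "request" is still caught.
func redactAttr(a slog.Attr) slog.Attr {
	a.Value = a.Value.Resolve() // expand LogValuer before inspecting
	if a.Value.Kind() == slog.KindGroup {
		members := a.Value.Group()
		out := make([]slog.Attr, 0, len(members))
		for _, m := range members {
			out = append(out, redactAttr(m))
		}
		return slog.Attr{Key: a.Key, Value: slog.GroupValue(out...)}
	}
	if sensitiveKeys[strings.ToLower(a.Key)] {
		return slog.String(a.Key, redacted)
	}
	return a
}

// Handle rebuilds the record with redacted attrs and hands it to the inner handler.
func (h *redactingHandler) Handle(ctx context.Context, r slog.Record) error {
	clean := slog.NewRecord(r.Time, r.Level, r.Message, r.PC)
	r.Attrs(func(a slog.Attr) bool {
		clean.AddAttrs(redactAttr(a))
		return true
	})
	return h.inner.Handle(ctx, clean)
}

// WithAttrs covers logger.With(...): those attrs never pass through Handle,
// so they must be redacted here or they leak on every line.
func (h *redactingHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
	out := make([]slog.Attr, len(attrs))
	for i, a := range attrs {
		out[i] = redactAttr(a)
	}
	return &redactingHandler{inner: h.inner.WithAttrs(out)}
}

func (h *redactingHandler) WithGroup(name string) slog.Handler {
	return &redactingHandler{inner: h.inner.WithGroup(name)}
}

// DemoRedact logs one constructed event through the wrapper over a JSON
// handler and returns the line the inner handler produced.
func DemoRedact() string {
	var buf bytes.Buffer
	logger := slog.New(NewRedactingHandler(slog.NewJSONHandler(&buf, nil)))
	logger = logger.With("token", "tok_constructed_123")
	logger.Info("login", "user", "alice", "password", "hunter2",
		slog.Group("request", "authorization", "Bearer constructed", "path", "/login"))
	return buf.String()
}

func main() { os.Stdout.WriteString(DemoRedact()) }
```

The wrapper is key-based by design: it will not notice a secret embedded in the value of an innocent key (a URL with a token in its query string, a struct logged under "req" whose field holds a credential). Those need either a value-level pattern pass or, better, types that implement slog.LogValuer and redact themselves.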
6 min read · security · jwt · oauth
Why every JWT we sign carries a kid
JWKS rotation is invisible until it breaks. Mandatory kid headers + a retired-key window made our rotation safe.
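Added example, not code from the post: the kid-plus-retired-window policy the teaser describes, in stdlib Go with no JWT library. HS256 over a shared secret stands in for whatever algorithm the post's JWKS actually uses (the page does not say; the policy is identical with asymmetric keys). The verifier refuses any token without a kid rather than trying every key, accepts a retired key only until its window closes, and pins the algorithm. Key ids, secrets and timestamps are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// signingKey: RetiredAt stays zero while current; Rotate sets it to the start of the retired window.
type signingKey struct {
	Secret    []byte
	RetiredAt time.Time
}

// KeySet is the server's view of the JWKS: current kid, every key still accepted, and the grace window.
type KeySet struct {
	Current string
	Keys    map[string]*signingKey
	Window  time.Duration
}

// Rotate makes newKid current and starts the old key's retired window at now.
func (ks *KeySet) Rotate(newKid string, secret []byte, now time.Time) {
	ks.Keys[ks.Current].RetiredAt = now
	ks.Keys[newKid] = &signingKey{Secret: secret}
	ks.Current = newKid
}

// signRaw builds an HS256 compact JWT from any header, so the demo can also forge the no-kid case.
func signRaw(header map[string]string, claims map[string]any, secret []byte) string {
	h, _ := json.Marshal(header)
	c, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// Sign always stamps the current kid into the header.
func (ks *KeySet) Sign(claims map[string]any) string {
	hdr := map[string]string{"alg": "HS256", "typ": "JWT", "kid": ks.Current}
	return signRaw(hdr, claims, ks.Keys[ks.Current].Secret)
}

// Verify returns the kid that authenticated the token. It requires alg pinned
// to HS256, a kid that is present and known, a key that is current or retired
// less than Window ago, and a matching MAC; there is no try-every-key fallback.
func (ks *KeySet) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil {
		return "", err
	} else if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "HS256" || hdr.Kid == "" {
		return "", errors.New("alg must be HS256 and kid is mandatory")
	}
	k, ok := ks.Keys[hdr.Kid]
	if !ok {
		return "", errors.New("unknown kid")
	}
	if !k.RetiredAt.IsZero() && now.After(k.RetiredAt.Add(ks.Window)) {
		return "", errors.New("kid retired outside grace window")
	}
	mac := hmac.New(sha256.New, k.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	return hdr.Kid, nil
}

// Demo signs under k1, rotates to k2 at t0 (constructed keys and times) and reports the three outcomes.
func Demo() (oldInsideWindow, oldAfterWindow, noKid error) {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ks := &KeySet{Current: "k1", Window: time.Hour, Keys: map[string]*signingKey{"k1": {Secret: []byte("constructed-secret-1")}}}
	old := ks.Sign(map[string]any{"sub": "alice"})
	ks.Rotate("k2", []byte("constructed-secret-2"), t0)
	_, oldInsideWindow = ks.Verify(old, t0.Add(30*time.Minute))
	_, oldAfterWindow = ks.Verify(old, t0.Add(2*time.Hour))
	// Signed with the current key but no kid: refused despite a valid MAC.
	bare := signRaw(map[string]string{"alg": "HS256"}, map[string]any{"sub": "alice"}, ks.Keys["k2"].Secret)
	_, noKid = ks.Verify(bare, t0)
	return oldInsideWindow, oldAfterWindow, noKid
}

func main() { fmt.Println(Demo()) }
```

Verify hands back the kid it used on purpose: counting verifications per kid is how you see whether traffic is still arriving under a retired key as its window closes, which is the moment rotation stops being invisible. Claim validation (exp, aud, iss) is left out here to keep the key policy readable; it belongs right after the MAC check.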