DARKDEN — Blog

DARKDEN — BlogField notes from production.https://darkden.net/Audit Your Own Code As If You Were the Attackerhttps://darkden.net/en/blog/adversarial-code-review/https://darkden.net/en/blog/adversarial-code-review/Reviewing your code looking for confirmation that it's fine finds typos, not design flaws. Adversarial review flips the goal: it assumes the code is broken and tries to prove it. Multiple lenses, independent verification, and why 'zero criticals' isn't security.Thu, 04 Jun 2026 00:00:00 GMTThe JWT Should Never Touch the Browser: the BFF Patternhttps://darkden.net/en/blog/bff-auth-pattern/https://darkden.net/en/blog/bff-auth-pattern/Stashing the access token in localStorage is handing it to the first XSS that comes along. The Backend-for-Frontend pattern keeps the JWT on the server and leaves only an httpOnly cookie in the browser that JavaScript can't read. How it works, step by step.Thu, 04 Jun 2026 00:00:00 GMTThe 4 Failure Modes of AI Agents in Production (and How to Mitigate Them)https://darkden.net/en/blog/failure-modes-ai-agents-production/https://darkden.net/en/blog/failure-modes-ai-agents-production/Leave an agent loop running unsupervised and the runaway token bill and corrupted state show up on their own. The four failures that recur in every agentic system —loops, stuck turns, no-op turns, and misclassified errors— and the engineering patterns that contain them.Thu, 04 Jun 2026 00:00:00 GMTGoverning AI Agents: Why 'Done' Has to Be Earnedhttps://darkden.net/en/blog/governing-ai-agents/https://darkden.net/en/blog/governing-ai-agents/An autonomous agent that approves its own work isn't autonomy, it's a time bomb. How to govern teams of agents with separation of duties, independent review gates, and a 'done' invariant that nobody gets to skip.Thu, 04 Jun 2026 00:00:00 GMTProduction-Grade Kubernetes on a Single Server: The Complete Guidehttps://darkden.net/en/blog/production-grade-kubernetes-single-server/https://darkden.net/en/blog/production-grade-kubernetes-single-server/How to build a full Kubernetes cluster on a single server with kubeadm, Calico eBPF, Istio ambient, cert-manager, Grafana, Loki, and the full security stack. No shortcuts.Sat, 14 Mar 2026 00:00:00 GMTProxmox + Ceph + PBS: Complete Guide for a Production-Ready Homelabhttps://darkden.net/en/blog/proxmox-ceph-pbs-homelab-guide/https://darkden.net/en/blog/proxmox-ceph-pbs-homelab-guide/How to set up Proxmox with Ceph using separate SSD and HDD pools, CRUSH rules by device class, and Proxmox Backup Server in a VM. From installation to a setup that actually works.Sat, 14 Mar 2026 00:00:00 GMT