The latest articles on Forem by Polliog (@polliog). https://forem.com/polliog https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3636724%2F651dcccf-8a2e-4be9-99d6-4cd231d9e889.jpeg https://forem.com/polliog en Polliog Sat, 11 Apr 2026 20:35:57 +0000 https://forem.com/polliog/logtide-090-custom-dashboards-health-monitoring-and-log-parsing-pipelines-3a8k https://forem.com/polliog/logtide-090-custom-dashboards-health-monitoring-and-log-parsing-pipelines-3a8k <p>Logtide 0.9.0 is out today. At the end of the 0.8.0 article we listed three things we wanted to tackle next: a customizable dashboard system to replace the fixed layout that had shipped since day one, proactive health monitoring so Logtide could tell you when something was down rather than waiting for a log to show up, and structured parsing pipelines for teams whose logs don't arrive pre-formatted. All three ship in this release.</p> <p>If you're new here: Logtide is an open-source log management and SIEM platform built for European SMBs. Privacy-first, self-hostable, GDPR-compliant. No Elastic cluster to babysit just Docker Compose and the storage engine of your choice.</p> <ul> <li>🌐 <strong>Cloud</strong>: <a href="https://logtide.dev" rel="noopener noreferrer">logtide.dev</a> </li> <li>💻 <strong>GitHub</strong>: <a href="https://github.com/logtide-dev/logtide" rel="noopener noreferrer">logtide-dev/logtide</a> </li> <li>📖 <strong>Docs</strong>: <a href="https://logtide.dev/docs" rel="noopener noreferrer">logtide.dev/docs</a> </li> </ul> <h2> What's New </h2> <h3> 📊 Custom Dashboards: 9 Panel Types, Drag-to-Resize, and YAML Export </h3> <p>The fixed dashboard that shipped in 0.1.0 had a good run. It was a reasonable starting point 4 stat cards, log volume, top services, top error messages but it served everyone the same view regardless of what they actually cared about. 0.9.0 replaces it with a fully composable dashboard system.</p> <p><strong>Dashboards are org-scoped</strong> with an optional <code>is_personal</code> flag for views you don't want to share with the whole team. The Default dashboard is auto-created per organization and protected from deletion. A header dropdown lets you switch, create, clone, import, and export dashboards without leaving the page.</p> <p><strong>9 panel types</strong> cover every data source in Logtide:</p> <ul> <li> <em>Time series</em> and <em>single stat</em> for general log-based metrics</li> <li> <em>Top-N table</em> for ranking services, endpoints, or users by any dimension</li> <li> <em>Live log stream</em> for a real-time tail of filtered log output</li> <li> <em>Alert status</em> for a current-state view of your active alert rules</li> <li> <em>Metric chart</em> and <em>metric stat</em> for OTLP metrics with avg/sum/min/max/count/last/p50/p95/p99 aggregations</li> <li> <em>Trace latency</em> for p50/p95/p99 directly from span data</li> <li> <em>Detection events</em> for SIEM incidents grouped by severity</li> <li> <em>Monitor status</em> for uptime percentage and response time from the new monitoring system (more on that below)</li> </ul> <p><strong>Layout</strong> is a responsive 12-column grid. Panels snap to grid units when resized drag the bottom-right handle. The grid collapses to 6 columns on tablet and 1 column on mobile; stored widths are always in the 12-col reference and scale proportionally, so a panel that takes up half the desktop doesn't become a sliver on a small screen.</p> <p><strong>Inline edit mode</strong> keeps all pending changes in a local snapshot. Toggle edit, rearrange, resize, and configure as many panels as you want. Hit Save for a single atomic write, or Cancel to discard everything. There's no separate edit page.</p> <p><strong>YAML import/export</strong> lets you version-control dashboards alongside your infrastructure code. Import regenerates panel IDs and uses <code>JSON_SCHEMA</code> validation to block prototype pollution from crafted inputs. The schema is versioned (<code>schema_version: 1</code>) and ships with a migration framework in <code>@logtide/shared</code>: each version defines a <code>MigrationFn</code>, and <code>migrateDashboard</code> walks the chain on every read. Future schema changes will be applied automatically.</p> <p><strong>Panel data fetching</strong> is batched: a single <code>POST /:id/panels/data</code> round-trip fetches all panel data via <code>Promise.allSettled</code>. An error in one panel doesn't fail the rest of the dashboard.</p> <p><strong>Cross-org isolation</strong> is enforced at the data layer: every panel fetch verifies that <code>config.projectId</code> belongs to the requesting org. A crafted YAML import pointing at another org's project ID will return empty data, not that org's data.</p> <p>The <strong>panel registry architecture</strong> is worth a mention for contributors. Adding a new panel type touches exactly 6 files: shared types, backend Zod schema, backend fetcher, frontend panel component, frontend config form, and a single registry entry. The renderer, container, store, and routes never change.</p> <p>Existing users will see no visual change on first login the auto-created Default dashboard replicates the previous fixed layout exactly.</p> <h3> 🖥️ Service Health Monitoring and Public Status Pages </h3> <p>Logtide has always been reactive: something breaks, logs appear, you find out. 0.9.0 adds the proactive layer.</p> <p><strong>Three monitor types</strong> cover the common cases. HTTP/HTTPS monitors are fully configurable: method, expected status code, custom headers, and a body assertion that accepts either a contains check or a regex. TCP monitors ping a host:port pair. Heartbeat monitors flip the model instead of Logtide reaching out, your service sends a <code>POST /api/v1/monitors/:id/heartbeat</code> on a schedule, and Logtide fires an incident when the expected ping doesn't arrive within the grace window.</p> <p><strong>Worker execution</strong> follows the same BullMQ pattern used throughout the codebase. A worker picks up all due monitors every 30 seconds and runs them in batches of 20 concurrent checks via <code>Promise.allSettled</code>. Results flow into the <code>monitor_results</code> hypertable with 7-day compression and 30-day retention. A <code>monitor_uptime_daily</code> continuous aggregate refreshed hourly powers the uptime percentage displays without hitting raw data on every page load.</p> <p><strong>Incident creation</strong> is automatic and integrated with the existing SIEM layer. When consecutive failures cross the configurable threshold, an incident is created with <code>source: 'monitor'</code> and linked via <code>monitor_id</code>. Notifications go through the same email and webhook channels already configured for alert rules no separate notification setup. Auto-resolution fires when the next check succeeds. An atomic <code>WHERE incident_id IS NULL</code> guard prevents duplicate incidents under concurrent check runs.</p> <p><strong>Severity is configurable per monitor</strong> (<code>critical</code>, <code>high</code>, <code>medium</code>, <code>low</code>, <code>informational</code>) rather than hardcoded. A flaky dev endpoint and a production payment service don't need to page with the same urgency.</p> <p><strong>Public status pages</strong> (<code>/status/:projectSlug</code>) are Uptime Kuma-inspired: a 45-day heartbeat bar grid, per-monitor uptime badge, overall status banner, and a light/dark mode toggle. Visibility is configured per project disabled by default, with public, password-protected, and org-members-only options.</p> <p><strong>Scheduled maintenances</strong> let you define windows with start and end times. Active maintenances suppress monitor incident creation so a planned deployment doesn't trigger pages, and display a maintenance banner on the status page so your users know what's happening.</p> <p><strong>Manual status incidents</strong> are independent from SIEM incidents. You can publish communications with an Investigating/Identified/Monitoring/Resolved progression and a full update timeline useful for communicating with users about an outage regardless of whether it was auto-detected.</p> <p>The <strong>monitoring dashboard</strong> (<code>/dashboard/monitoring</code>) has a project selector, create/edit/delete forms with client-side validation, a detail page with an uptime chart and recent checks list, and a one-click heartbeat URL copy for the heartbeat monitor type.</p> <h3> 🔩 Log Parsing and Enrichment Pipelines </h3> <p>Structured logging is a best practice, but not every log source you connect will cooperate. Nginx access logs, syslog output from legacy systems, plain text from third-party services these arrive as unstructured strings. Previously you'd parse them in your collector config or accept that they'd be stored as blobs. 0.9.0 gives you a better option.</p> <p><strong>Pipelines run as BullMQ background jobs</strong> after ingestion acknowledgment. Ingestion latency is unchanged logs are accepted and queued immediately, parsing happens asynchronously.</p> <p><strong>Five built-in parsers</strong> cover the common formats: nginx (combined log format), apache (identical pattern), syslog (RFC 3164 and RFC 5424), logfmt, and JSON message body.</p> <p><strong>Custom grok patterns</strong> use <code>%{PATTERN:field}</code> and <code>%{PATTERN:field:type}</code> syntax, with 22 named built-ins (IPV4, WORD, NOTSPACE, NUMBER, POSINT, DATA, GREEDYDATA, QUOTEDSTRING, METHOD, URIPATH, HTTPDATE, and more) and optional type coercion (<code>:int</code>, <code>:float</code>). If your log format is unusual enough that none of the built-in parsers cover it, grok handles the rest.</p> <p><strong>GeoIP enrichment</strong> uses the embedded MaxMind GeoLite2 database. Point it at any field containing an IP address and get country, city, coordinates, timezone, and ISP added to the log record automatically.</p> <p><strong>Scope is flexible</strong>: a pipeline can target a specific project or apply org-wide. Project-specific pipelines take priority over org-wide ones when both match. An in-memory cache in <code>getForProject</code> holds the resolved pipeline per project for 5 minutes, invalidated automatically on create/update/delete.</p> <p><strong>Pipeline preview</strong> lets you test any combination of steps against a sample log message before saving. The UI shows per-step extracted fields and the final merged result side by side, so you can iterate on the configuration without committing it.</p> <p><strong>YAML import/export</strong> follows the same pattern as dashboards: <code>name</code>, <code>description</code>, <code>enabled</code>, and <code>steps</code> fields; re-importing the same pipeline for the same scope performs an upsert rather than creating a duplicate.</p> <p>The <strong>step builder</strong> in the settings UI (<code>/dashboard/settings/pipelines</code>) lets you add, reorder, and configure steps interactively, with per-type configuration forms for parser selection, grok pattern input, and GeoIP field targeting.</p> <h3> Everything Else Worth Knowing </h3> <p><strong>Monitoring in the sidebar</strong>: the monitoring section appears under "Detect" alongside Alerts and Security. No extra navigation to find it.</p> <p><strong>Dashboard switcher in the header</strong>: replaces the previous single fixed entry point with a dropdown that handles create, delete, import, and export without leaving the page.</p> <p><strong><code>failureThreshold</code> default aligned</strong>: the frontend form default was 3; the backend default was 2. They now match.</p> <p><strong>Project slugs</strong>: auto-generated from project name on creation, unique per org, backfilled for existing projects via migration. The status page route (<code>/status/:projectSlug</code>) uses these.</p> <h2> Upgrading </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose pull docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Migrations run automatically on startup. No manual steps required.</p> <h2> What's Next </h2> <p>The roadmap toward v1.0 has a few clear remaining pieces:</p> <ul> <li> <strong>Digest reports</strong> (#154): scheduled email summaries of log volume, top errors, and active incidents -- useful for teams that don't live in the dashboard</li> <li> <strong>Webhook receivers</strong> (#154): accept inbound webhooks from external services (PagerDuty, GitHub, Stripe, etc.) and normalize them into Logtide log events without a collector in the middle</li> </ul> <p>v1.0 is the Beta milestone. We're not jumping straight to a public Beta declaration we want the announcement to mean something. These issue groups are the remaining distance.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/logtide-dev/logtide/compare/v0.8.0...v0.9.0" rel="noopener noreferrer">v0.8.0...v0.9.0</a></p> <p>If you're using Logtide, open an issue, start a discussion, or drop a ⭐ if it's been useful.</p> opensource devops discuss monitoring Polliog Thu, 09 Apr 2026 13:32:32 +0000 https://forem.com/polliog/tigerfs-a-filesystem-backed-by-postgresql-50i https://forem.com/polliog/tigerfs-a-filesystem-backed-by-postgresql-50i <p>TigerFS is a filesystem backed by PostgreSQL, built by the Timescale team. It mounts a database as a local directory via FUSE on Linux and NFS on macOS. Every file is a real row. Every directory is a table. Writes are transactions. Multiple processes and machines can read and write concurrently with full ACID guarantees.</p> <p>There are two distinct ways to use it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install (Linux requires fuse3; macOS needs no extra dependencies)</span> curl <span class="nt">-fsSL</span> https://install.tigerfs.io | sh <span class="c"># Mount any PostgreSQL database</span> tigerfs mount postgres://localhost/mydb /mnt/db </code></pre> </div> <h2> Mode 1: Data-First </h2> <p>Mount any existing PostgreSQL database and explore it with standard UNIX tools. Every path resolves to optimized SQL that gets pushed down to the database.</p> <h3> Exploring </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">ls</span> /mnt/db/ <span class="c"># list tables</span> <span class="nb">ls</span> /mnt/db/users/ <span class="c"># list rows by primary key</span> <span class="nb">cat</span> /mnt/db/users/123.json <span class="c"># read a row as JSON</span> <span class="nb">cat</span> /mnt/db/users/123/email.txt <span class="c"># read a single column</span> <span class="nb">cat</span> /mnt/db/users/.by/email/alice@example.com.json <span class="c"># lookup by indexed column</span> </code></pre> </div> <h3> Modifying </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'new@example.com'</span> <span class="o">&gt;</span> /mnt/db/users/123/email.txt <span class="c"># update a column</span> <span class="nb">echo</span> <span class="s1">'{"email":"a@b.com","name":"A"}'</span> <span class="o">&gt;</span> /mnt/db/users/123.json <span class="c"># PATCH via JSON</span> <span class="nb">mkdir</span> /mnt/db/users/456 <span class="c"># insert a row</span> <span class="nb">rm</span> <span class="nt">-r</span> /mnt/db/users/456/ <span class="c"># delete a row</span> </code></pre> </div> <h3> Pipeline Queries </h3> <p>Filters, ordering, and pagination can be chained directly in the path. TigerFS executes the whole chain as a single SQL query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Last 10 orders for customer 123, sorted by created_at, as JSON</span> <span class="nb">cat</span> /mnt/db/orders/.by/customer_id/123/.order/created_at/.last/10/.export/json <span class="c"># Shipped orders, specific columns only, as CSV</span> <span class="nb">cat</span> /mnt/db/orders/.filter/status/shipped/.columns/id,total,created_at/.export/csv </code></pre> </div> <p>Available segments (chainable in any order):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Segment</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>.by/col/val</code></td> <td>Indexed filter</td> </tr> <tr> <td><code>.filter/col/val</code></td> <td>Any column filter</td> </tr> <tr> <td><code>.order/col</code></td> <td>Sort</td> </tr> <tr> <td><code>.columns/a,b,c</code></td> <td>Column projection</td> </tr> <tr> <td> <code>.first/N</code>, <code>.last/N</code>, <code>.sample/N</code> </td> <td>Pagination</td> </tr> <tr> <td>`.export/json\</td> <td>csv\</td> </tr> </tbody> </table></div> <h3> Bulk Ingest </h3> <p>{% raw %}</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat </span>data.csv <span class="o">&gt;</span> /mnt/db/orders/.import/.append/csv <span class="c"># append rows</span> <span class="nb">cat </span>data.csv <span class="o">&gt;</span> /mnt/db/orders/.import/.sync/csv <span class="c"># upsert by primary key</span> <span class="nb">cat </span>data.csv <span class="o">&gt;</span> /mnt/db/orders/.import/.overwrite/csv <span class="c"># replace the table</span> </code></pre> </div> <h3> Schema Management </h3> <p>Tables, indexes, and views are managed through a staging pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> /mnt/db/.create/orders <span class="nb">echo</span> <span class="s2">"CREATE TABLE orders (...)"</span> <span class="o">&gt;</span> /mnt/db/.create/orders/sql <span class="nb">touch</span> /mnt/db/.create/orders/.commit </code></pre> </div> <h2> Mode 2: File-First </h2> <p>Create a new database and use it as a transactional shared workspace. Any tool that works with files works here: AI agents, <code>grep</code>, <code>vim</code>, shell scripts.</p> <h3> Markdown Apps </h3> <p>"Apps" define how TigerFS presents a table as a native file format. Writing <code>markdown</code> to <code>.build/</code> turns a table into a directory of <code>.md</code> files where YAML frontmatter maps to columns and the document body maps to a text column:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"markdown"</span> <span class="o">&gt;</span> /mnt/db/.build/blog <span class="nb">cat</span> <span class="o">&gt;</span> /mnt/db/blog/hello-world.md <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' --- title: Hello World author: alice tags: [intro] --- # Hello World Welcome to my blog... </span><span class="no">EOF </span><span class="c"># Standard tools work as expected</span> <span class="nb">grep</span> <span class="nt">-l</span> <span class="s2">"author: alice"</span> /mnt/db/blog/<span class="k">*</span>.md <span class="nb">mkdir</span> /mnt/db/blog/tutorials <span class="nb">mv</span> /mnt/db/blog/hello-world.md /mnt/db/blog/tutorials/ </code></pre> </div> <h3> Version History </h3> <p>Add <code>history</code> to the app definition and every edit is captured as a timestamped snapshot in a read-only <code>.history/</code> directory. History uses TimescaleDB hypertables for compressed storage and tracks files across renames via stable row UUIDs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"markdown,history"</span> <span class="o">&gt;</span> /mnt/db/.build/notes <span class="nb">ls</span> /mnt/db/notes/.history/hello.md/ <span class="c"># 2026-02-24T150000Z 2026-02-12T013000Z</span> <span class="nb">cat</span> /mnt/db/notes/.history/hello.md/2026-02-12T013000Z </code></pre> </div> <h3> Multi-Agent Task Queue </h3> <p><code>mv</code> between directories is an atomic database operation. Two agents cannot claim the same task because the underlying transaction will fail for one of them - no distributed lock manager, no coordination API needed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"markdown,history"</span> <span class="o">&gt;</span> /mnt/db/.build/tasks <span class="nb">mkdir</span> /mnt/db/tasks/todo /mnt/db/tasks/doing /mnt/db/tasks/done <span class="nb">cat</span> <span class="o">&gt;</span> /mnt/db/tasks/todo/fix-auth-bug.md <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' --- priority: high assigned_to: --- The OAuth token refresh is failing for users with... </span><span class="no">EOF </span><span class="c"># Agent claims the task - atomic database operation</span> <span class="nb">mv</span> /mnt/db/tasks/todo/fix-auth-bug.md /mnt/db/tasks/doing/fix-auth-bug.md <span class="c"># Agent marks it done</span> <span class="nb">mv</span> /mnt/db/tasks/doing/fix-auth-bug.md /mnt/db/tasks/done/fix-auth-bug.md <span class="c"># Check what is in progress</span> <span class="nb">ls</span> /mnt/db/tasks/doing/ <span class="nb">grep</span> <span class="s2">"assigned_to:"</span> /mnt/db/tasks/doing/<span class="k">*</span>.md </code></pre> </div> <h3> Shared Agent Workspace </h3> <p>Multiple agents on different machines can read and write the same files concurrently. Changes are visible immediately with no pull, push, or merge step:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Agent A writes findings</span> <span class="nb">cat</span> <span class="o">&gt;</span> /mnt/db/kb/auth-analysis.md <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' --- author: agent-a --- OAuth 2.0 is the recommended approach because... </span><span class="no">EOF </span><span class="c"># Agent B reads immediately, no sync needed</span> <span class="nb">cat</span> /mnt/db/kb/auth-analysis.md <span class="c"># Agent B updates the document</span> <span class="nb">cat</span> <span class="o">&gt;</span> /mnt/db/kb/auth-analysis.md <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' --- author: agent-a reviewed-by: agent-b status: approved --- OAuth 2.0 is the recommended approach because... [approved with comments] </span><span class="no">EOF </span><span class="c"># Full edit trail</span> <span class="nb">ls</span> /mnt/db/kb/.history/auth-analysis.md/ </code></pre> </div> <h2> Cloud Backends </h2> <p>TigerFS works with any PostgreSQL database via connection string. It also integrates with Timescale Cloud and Ghost through their CLIs - no passwords stored in config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tigerfs mount postgres://user:pass@host/mydb /mnt/db tigerfs mount tiger:abcde12345 /mnt/db <span class="c"># Timescale Cloud</span> tigerfs mount ghost:fghij67890 /mnt/db <span class="c"># Ghost</span> <span class="c"># Fork a database for safe experimentation</span> tigerfs fork /mnt/db my-experiment </code></pre> </div> <h2> Why the File Interface </h2> <p>The point of the filesystem abstraction is that every tool already speaks it. <code>grep</code>, <code>awk</code>, <code>jq</code>, shell scripts, AI coding agents (Claude Code, Cursor, and others) all understand files without any SDK, schema definition, or client library to set up.</p> <p>For multi-agent coordination specifically:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>What you build on top</th> </tr> </thead> <tbody> <tr> <td>Custom REST API</td> <td>Endpoints, auth, deployment</td> </tr> <tr> <td>Shared database directly</td> <td>SQL or ORM, schema definitions, client libraries</td> </tr> <tr> <td>Git</td> <td>Pull/push/merge workflow, conflict resolution</td> </tr> <tr> <td>S3</td> <td>No transactions, no structured queries</td> </tr> <tr> <td>TigerFS</td> <td>Mount and use standard tools</td> </tr> </tbody> </table></div> <p>The coordination logic - atomic task claims, version history, concurrent access - lives in PostgreSQL. The application doesn't implement it.</p> <h2> Current Status </h2> <p>TigerFS is at v0.5.0 and described as early-stage by the team, though the core design is stable. The data-first mode is functional today for any PostgreSQL database. Planned additions include support for tables without primary keys (read-only via ctid) and TimescaleDB hypertable time-based navigation.</p> <p>GitHub: <a href="https://github.com/timescale/tigerfs" rel="noopener noreferrer">timescale/tigerfs</a> - Docs: <a href="https://tigerfs.io" rel="noopener noreferrer">tigerfs.io</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tigerfs mount postgres://localhost/yourdb /mnt/db <span class="nb">ls</span> /mnt/db/ </code></pre> </div> postgres database devtools ai Polliog Wed, 08 Apr 2026 11:14:38 +0000 https://forem.com/aws-builders/i-replaced-elasticache-with-valkey-on-ecs-and-cut-the-bill-by-70-14ga https://forem.com/aws-builders/i-replaced-elasticache-with-valkey-on-ecs-and-cut-the-bill-by-70-14ga <p>ElastiCache is a genuinely good service. Managed failover, automated backups, CloudWatch integration out of the box. For teams that need Redis and don't want to operate it, it makes sense.</p> <p>The price, however, does not scale down. A <code>cache.t4g.small</code> (2 vCPU, 1.37GB RAM) runs about $25/month in eu-west-1. A <code>cache.r7g.large</code> (2 vCPU, 13.07GB RAM) is $175/month. Multi-AZ doubles those numbers. For a startup or side project running on a single-digit revenue, that's a significant line item for what is often a queue and a session cache.</p> <p>Valkey is a Redis-compatible open-source project under the Linux Foundation, backed by AWS, Google, and others. It forked from Redis 7.2.4 (BSD-3 license) and maintains full protocol compatibility. Every client library that works with Redis works with Valkey: <code>ioredis</code>, <code>node-redis</code>, BullMQ, Sidekiq, Celery. No code changes.</p> <p>Here's how to run it on ECS Fargate and what it actually costs.</p> <h2> The Architecture </h2> <p>We're running Valkey as an ECS service on Fargate, backed by an EFS volume for persistence, inside a VPC with a security group that restricts access to the application services only.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VPC ├── Public Subnet │ └── Application Load Balancer ├── Private Subnet A │ ├── ECS Service: App (Fargate) │ └── ECS Service: Valkey (Fargate) └── Private Subnet B └── ECS Service: App (Fargate) - replica </code></pre> </div> <p>Valkey doesn't need to be publicly accessible. It lives in the private subnet and is reachable only from the application services in the same VPC.</p> <h2> Step 1: EFS Volume for Persistence </h2> <p>Fargate tasks are ephemeral. Without a persistent volume, every Valkey restart loses your data. EFS solves this without managing EC2.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/efs.tf</span> <span class="nx">resource</span> <span class="s2">"aws_efs_file_system"</span> <span class="s2">"valkey"</span> <span class="p">{</span> <span class="nx">creation_token</span> <span class="p">=</span> <span class="s2">"${var.app_name}-valkey"</span> <span class="nx">encrypted</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">lifecycle_policy</span> <span class="p">{</span> <span class="nx">transition_to_ia</span> <span class="p">=</span> <span class="s2">"AFTER_7_DAYS"</span> <span class="p">}</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.app_name}-valkey"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_efs_mount_target"</span> <span class="s2">"valkey"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span><span class="p">)</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">valkey</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subnet_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">efs</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"efs"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.app_name}-efs"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">2049</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">2049</span> <span class="nx">protocol</span> <span class="p">=</span> <span class="s2">"tcp"</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">valkey_task</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Important: use an EFS Access Point, not <code>rootDirectory</code> directly.</strong></p> <p>Specifying a <code>rootDirectory</code> that doesn't physically exist on a fresh EFS filesystem causes the Fargate task to fail immediately with <code>ResourceInitializationError: failed to invoke EFS utils... directory does not exist</code>. Fargate won't create the directory automatically.</p> <p>EFS Access Points handle this correctly - they create the directory with the right UNIX permissions if it doesn't exist yet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_efs_access_point"</span> <span class="s2">"valkey"</span> <span class="p">{</span> <span class="nx">file_system_id</span> <span class="p">=</span> <span class="nx">aws_efs_file_system</span><span class="p">.</span><span class="nx">valkey</span><span class="p">.</span><span class="nx">id</span> <span class="nx">posix_user</span> <span class="p">{</span> <span class="nx">uid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">gid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="p">}</span> <span class="nx">root_directory</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/valkey"</span> <span class="nx">creation_info</span> <span class="p">{</span> <span class="nx">owner_uid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">owner_gid</span> <span class="p">=</span> <span class="mi">1000</span> <span class="nx">permissions</span> <span class="p">=</span> <span class="s2">"0755"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Step 2: ECS Task Definition </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"family"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey"</span><span class="p">,</span><span class="w"> </span><span class="nl">"networkMode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awsvpc"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requiresCompatibilities"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"FARGATE"</span><span class="p">],</span><span class="w"> </span><span class="nl">"cpu"</span><span class="p">:</span><span class="w"> </span><span class="s2">"512"</span><span class="p">,</span><span class="w"> </span><span class="nl">"memory"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1024"</span><span class="p">,</span><span class="w"> </span><span class="nl">"executionRoleArn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole"</span><span class="p">,</span><span class="w"> </span><span class="nl">"volumes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey-data"</span><span class="p">,</span><span class="w"> </span><span class="nl">"efsVolumeConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"fileSystemId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fs-XXXXXXXXX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transitEncryption"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="p">,</span><span class="w"> </span><span class="nl">"authorizationConfig"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"accessPointId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fsap-XXXXXXXXX"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iam"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ENABLED"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"containerDefinitions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey"</span><span class="p">,</span><span class="w"> </span><span class="nl">"image"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey/valkey:8.0-alpine"</span><span class="p">,</span><span class="w"> </span><span class="nl">"portMappings"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"containerPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">6379</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"valkey-server"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--save"</span><span class="p">,</span><span class="w"> </span><span class="s2">"60"</span><span class="p">,</span><span class="w"> </span><span class="s2">"1000"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--appendonly"</span><span class="p">,</span><span class="w"> </span><span class="s2">"yes"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--appendfsync"</span><span class="p">,</span><span class="w"> </span><span class="s2">"everysec"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--maxmemory"</span><span class="p">,</span><span class="w"> </span><span class="s2">"800mb"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--maxmemory-policy"</span><span class="p">,</span><span class="w"> </span><span class="s2">"allkeys-lru"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--requirepass"</span><span class="p">,</span><span class="w"> </span><span class="s2">"VALKEY_PASSWORD_FROM_SECRETS_MANAGER"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"mountPoints"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sourceVolume"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey-data"</span><span class="p">,</span><span class="w"> </span><span class="nl">"containerPath"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/data"</span><span class="p">,</span><span class="w"> </span><span class="nl">"readOnly"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"logConfiguration"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"logDriver"</span><span class="p">:</span><span class="w"> </span><span class="s2">"awslogs"</span><span class="p">,</span><span class="w"> </span><span class="nl">"options"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"awslogs-group"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/ecs/valkey"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-west-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"awslogs-stream-prefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"valkey"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"healthCheck"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"CMD-SHELL"</span><span class="p">,</span><span class="w"> </span><span class="s2">"valkey-cli ping | grep PONG"</span><span class="p">],</span><span class="w"> </span><span class="nl">"interval"</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="p">,</span><span class="w"> </span><span class="nl">"timeout"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"retries"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"startPeriod"</span><span class="p">:</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>A few things worth noting in this config:</p> <p><code>--save 60 1000</code> triggers an RDB snapshot every 60 seconds if at least 1000 keys changed. Combined with <code>--appendonly yes</code>, you get both AOF and RDB persistence - the AOF gives you per-second durability, the RDB gives you faster restart times.</p> <p><code>--maxmemory-policy allkeys-lru</code> means Valkey will evict the least recently used keys when it hits the memory limit. For a cache workload this is usually what you want. For a queue workload (BullMQ, Sidekiq) you should use <code>noeviction</code> instead and alert on memory pressure.</p> <p>The password comes from Secrets Manager via the <code>secrets</code> field in the task definition rather than a hardcoded string. The example above is simplified for readability.</p> <h2> Step 3: ECS Service and Service Discovery </h2> <p>For the application to connect to Valkey, it needs a stable hostname. ECS Service Discovery provides this via AWS Cloud Map.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># terraform/service-discovery.tf</span> <span class="nx">resource</span> <span class="s2">"aws_service_discovery_private_dns_namespace"</span> <span class="s2">"internal"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"internal.${var.app_name}"</span> <span class="nx">vpc</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_service_discovery_service"</span> <span class="s2">"valkey"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"valkey"</span> <span class="nx">dns_config</span> <span class="p">{</span> <span class="nx">namespace_id</span> <span class="p">=</span> <span class="nx">aws_service_discovery_private_dns_namespace</span><span class="p">.</span><span class="nx">internal</span><span class="p">.</span><span class="nx">id</span> <span class="nx">dns_records</span> <span class="p">{</span> <span class="nx">ttl</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"A"</span> <span class="p">}</span> <span class="nx">routing_policy</span> <span class="p">=</span> <span class="s2">"MULTIVALUE"</span> <span class="p">}</span> <span class="nx">health_check_custom_config</span> <span class="p">{</span> <span class="nx">failure_threshold</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_ecs_service"</span> <span class="s2">"valkey"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"valkey"</span> <span class="nx">cluster</span> <span class="p">=</span> <span class="nx">aws_ecs_cluster</span><span class="p">.</span><span class="nx">main</span><span class="p">.</span><span class="nx">id</span> <span class="nx">task_definition</span> <span class="p">=</span> <span class="nx">aws_ecs_task_definition</span><span class="p">.</span><span class="nx">valkey</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">desired_count</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">launch_type</span> <span class="p">=</span> <span class="s2">"FARGATE"</span> <span class="nx">network_configuration</span> <span class="p">{</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">private_subnet_ids</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">valkey_task</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">assign_public_ip</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">service_registries</span> <span class="p">{</span> <span class="nx">registry_arn</span> <span class="p">=</span> <span class="nx">aws_service_discovery_service</span><span class="p">.</span><span class="nx">valkey</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="c1"># Prevent ECS from cycling the task during deployments</span> <span class="c1"># when the app has active connections</span> <span class="nx">deployment_minimum_healthy_percent</span> <span class="p">=</span> <span class="mi">100</span> <span class="nx">deployment_maximum_percent</span> <span class="p">=</span> <span class="mi">200</span> <span class="p">}</span> </code></pre> </div> <p>Your application connects to <code>valkey.internal.your-app:6379</code>. When the task is replaced (restart, deployment), the DNS record updates automatically within the TTL.</p> <h2> Step 4: Connecting from Node.js </h2> <p>No code changes from a Redis setup. <code>ioredis</code> works as-is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Redis</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">ioredis</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">valkey</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">({</span> <span class="na">host</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VALKEY_HOST</span><span class="p">,</span> <span class="c1">// valkey.internal.your-app</span> <span class="na">port</span><span class="p">:</span> <span class="mi">6379</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VALKEY_PASSWORD</span><span class="p">,</span> <span class="c1">// Retry on connection loss - important for task replacement events</span> <span class="na">retryStrategy</span><span class="p">:</span> <span class="p">(</span><span class="nx">times</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">times</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">3000</span><span class="p">),</span> <span class="na">maxRetriesPerRequest</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">enableOfflineQueue</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">lazyConnect</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="nx">valkey</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Valkey connection error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="p">});</span> <span class="nx">valkey</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">"</span><span class="s2">reconnecting</span><span class="dl">"</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Valkey reconnecting...</span><span class="dl">"</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>BullMQ requires no changes either:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Queue</span><span class="p">,</span> <span class="nx">Worker</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bullmq</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">valkey</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./valkey</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">emailQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span><span class="dl">"</span><span class="s2">emails</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">valkey</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">worker</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Worker</span><span class="p">(</span> <span class="dl">"</span><span class="s2">emails</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">job</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">job</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="p">},</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">valkey</span> <span class="p">}</span> <span class="p">);</span> </code></pre> </div> <h2> The Cost Comparison </h2> <p>Running Valkey on Fargate with 0.5 vCPU and 1GB RAM in eu-west-1.</p> <blockquote> <p><strong>Note:</strong> The Fargate numbers below use on-demand pricing ($0.04048/vCPU-hour, $0.004445/GB-hour). If you're using a Compute Savings Plan (common for Fargate workloads), expect 20-40% lower compute costs.</p> </blockquote> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Monthly cost (on-demand)</th> </tr> </thead> <tbody> <tr> <td>Fargate compute (0.5 vCPU)</td> <td>$14.77</td> </tr> <tr> <td>Fargate memory (1GB)</td> <td>$3.24</td> </tr> <tr> <td>EFS storage (5GB used)</td> <td>$1.50</td> </tr> <tr> <td>EFS throughput</td> <td>$0.30</td> </tr> <tr> <td>CloudWatch logs</td> <td>$0.50</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>~$20.30</strong></td> </tr> </tbody> </table></div> <p>vs. ElastiCache <code>cache.t4g.small</code> (1.37GB RAM):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Resource</th> <th>Monthly cost</th> </tr> </thead> <tbody> <tr> <td>ElastiCache t4g.small</td> <td>$25.20</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>$25.20</strong></td> </tr> </tbody> </table></div> <p>Single-node, the savings are modest (~20%). The real comparison is Multi-AZ ElastiCache, which is the production-grade option: a Multi-AZ <code>cache.t4g.small</code> is $50.40/month. Against that, Fargate at ~$20 is a 60% reduction - and with a Savings Plan applied, closer to 70%.</p> <p>For a <code>cache.r7g.large</code> workload (13GB RAM), the numbers shift further:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Monthly cost</th> </tr> </thead> <tbody> <tr> <td>ElastiCache r7g.large</td> <td>$175.00</td> </tr> <tr> <td>ElastiCache r7g.large Multi-AZ</td> <td>$350.00</td> </tr> <tr> <td>Fargate (2 vCPU / 13GB, on-demand)</td> <td>~$108.00</td> </tr> <tr> <td>Fargate (2 vCPU / 13GB, Savings Plan)</td> <td>~$70.00</td> </tr> </tbody> </table></div> <p>The savings are real. So is the operational difference.</p> <h2> What You Give Up </h2> <p>ElastiCache manages automatic failover, Multi-AZ replication, and rolling upgrades. With Fargate, you're responsible for all of that.</p> <p><strong>No automatic failover.</strong> If the Valkey Fargate task dies, ECS will restart it automatically (typically 30-90 seconds). During that window, connections fail. For a cache this is usually acceptable. For a job queue, your workers will queue errors and retry - still acceptable if you've configured retries correctly. For session storage, users get logged out. Decide based on your workload.</p> <p><strong>Manual upgrades.</strong> You control the Docker image tag. Update the task definition, trigger a new deployment. No automatic patch management.</p> <p><strong>No Multi-AZ replication out of the box.</strong> If you need a hot standby, you'll need to set up Valkey's built-in replication between two Fargate tasks and handle failover at the application level or with an intermediate proxy. This adds complexity that may not be worth it below a certain scale.</p> <p><strong>Persistence responsibility.</strong> EFS gives you durable storage, but you're responsible for backup strategy. Set up AWS Backup for the EFS volume or use Valkey's <code>BGSAVE</code> + S3 export for point-in-time backups.</p> <h2> When This Makes Sense </h2> <p>This setup is the right call when:</p> <ul> <li>Your workload is a queue, cache, or session store without strict HA requirements</li> <li>You're running a startup, side project, or internal tool where a 60-second outage is acceptable</li> <li>You're already paying for Fargate and EFS for other services</li> <li>The ElastiCache bill is a meaningful percentage of your monthly AWS spend</li> </ul> <p>It's the wrong call when:</p> <ul> <li>You need sub-second automatic failover</li> <li>You're storing session data where eviction causes user-visible disruption</li> <li>Your compliance requirements mandate managed services with AWS support coverage</li> <li>You're operating at a scale where the operational overhead of self-managed infrastructure costs more than the ElastiCache bill</li> </ul> <p>The break-even point for most teams is somewhere around $100-150/month in Redis costs. Below that, ElastiCache's convenience usually wins. Above it, self-hosted starts to look attractive even accounting for the operational investment.</p> <p><em>Running Valkey on AWS in a different configuration? Different numbers for your region or workload? Happy to hear it in the comments.</em></p> aws redis valkey ecs Polliog Mon, 06 Apr 2026 20:50:47 +0000 https://forem.com/polliog/your-nodejs-app-is-probably-killing-your-postgresql-connection-pooling-explained-1db2 https://forem.com/polliog/your-nodejs-app-is-probably-killing-your-postgresql-connection-pooling-explained-1db2 <p>A few months ago I was looking at why a PostgreSQL instance was running at 94% memory on a server that, by all accounts, should have had plenty of headroom. The queries were fast, the data volume was modest, and CPU was barely touched.</p> <p>The culprit was 280 open connections.</p> <p>No single connection was doing anything particularly expensive. But each one carries a cost that most developers don't think about until they're in production staring at an OOM kill: PostgreSQL spawns a dedicated backend process per connection, and each process consumes roughly 5-10MB of RAM regardless of whether it's actively running a query.</p> <p>280 connections x 7MB average = 1.96GB. On a server with 4GB RAM and PostgreSQL's own memory settings (shared_buffers, work_mem), that leaves almost nothing for actual query execution.</p> <h2> Why Node.js Apps Over-Connect </h2> <p>The problem is architectural. Node.js applications are typically deployed as multiple processes or containers: a web server, one or more background workers, maybe a separate process for scheduled jobs. Each runs its own connection pool. Each pool opens connections eagerly.</p> <p>With <code>pg</code> and a default pool size of 10, and 3 services each with 3 replicas:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>web server (3 replicas x 10 connections) = 30 connections background worker (3 replicas x 10 connections) = 30 connections job scheduler (3 replicas x 5 connections) = 15 connections Total: 75 connections at idle </code></pre> </div> <p>Add a traffic spike, pool expansion, and a few long-running queries holding connections open, and you're at 150+ before anything goes wrong with your code.</p> <p>PostgreSQL's default <code>max_connections</code> is 100. Many managed databases (RDS, Supabase, Neon) set it lower for small instance sizes.</p> <h2> What Happens When You Hit the Limit </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: remaining connection slots are reserved for non-replication superuser connections </code></pre> </div> <p>Or, worse, requests that queue indefinitely waiting for a connection that never frees up because every connection is held by a slow query, and the slow query is slow because it can't get a lock, because another connection holds it, and that connection is waiting for... a connection.</p> <p>You get the idea.</p> <h2> The Wrong Fix </h2> <p>The instinct is to increase <code>max_connections</code>. This works until it doesn't: more connections means more RAM pressure, more context switching, and more lock contention. PostgreSQL is not designed for thousands of concurrent connections. It's designed for dozens of active queries with efficient I/O, and it's exceptional at that.</p> <p>The right fix is to not open connections you don't need.</p> <h2> PgBouncer: A Connection Pool in Front of PostgreSQL </h2> <p>PgBouncer sits between your application and PostgreSQL. Your application thinks it's talking to PostgreSQL directly - same protocol, same port behavior. PgBouncer maintains a much smaller pool of real PostgreSQL connections and multiplexes client connections onto them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>App (100 client connections) | [PgBouncer] | PostgreSQL (20 server connections) </code></pre> </div> <p>100 application connections, 20 actual PostgreSQL connections. The application never notices.</p> <p>PgBouncer has three pooling modes:</p> <p><strong>Session pooling</strong> - a server connection is assigned to a client for the entire session duration. Equivalent to no pooling for persistent connections, but useful for clients that connect and disconnect frequently.</p> <p><strong>Transaction pooling</strong> - a server connection is assigned only for the duration of a transaction. As soon as your transaction commits or rolls back, the connection goes back to the pool. This is the mode that actually reduces your connection count dramatically.</p> <p><strong>Statement pooling</strong> - a server connection is assigned for a single statement. Very aggressive, incompatible with multi-statement transactions. Rarely the right choice.</p> <p>For most Node.js workloads, <strong>transaction pooling</strong> is what you want.</p> <h2> Setting Up PgBouncer with Docker </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">pgbouncer</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">bitnami/pgbouncer:latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRESQL_HOST</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">POSTGRESQL_PORT</span><span class="pi">:</span> <span class="m">5432</span> <span class="na">POSTGRESQL_DATABASE</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">POSTGRESQL_USERNAME</span><span class="pi">:</span> <span class="s">app_user</span> <span class="na">POSTGRESQL_PASSWORD</span><span class="pi">:</span> <span class="s">${DB_PASSWORD}</span> <span class="na">PGBOUNCER_PORT</span><span class="pi">:</span> <span class="m">6432</span> <span class="na">PGBOUNCER_POOL_MODE</span><span class="pi">:</span> <span class="s">transaction</span> <span class="na">PGBOUNCER_MAX_CLIENT_CONN</span><span class="pi">:</span> <span class="m">1000</span> <span class="na">PGBOUNCER_DEFAULT_POOL_SIZE</span><span class="pi">:</span> <span class="m">25</span> <span class="na">PGBOUNCER_MIN_POOL_SIZE</span><span class="pi">:</span> <span class="m">5</span> <span class="na">PGBOUNCER_RESERVE_POOL_SIZE</span><span class="pi">:</span> <span class="m">5</span> <span class="na">PGBOUNCER_RESERVE_POOL_TIMEOUT</span><span class="pi">:</span> <span class="m">3</span> <span class="na">PGBOUNCER_SERVER_IDLE_TIMEOUT</span><span class="pi">:</span> <span class="m">600</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">6432:6432"</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> </code></pre> </div> <p>Your application connects to port 6432 (PgBouncer) instead of 5432 (PostgreSQL). Everything else stays the same.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Before</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="dl">"</span><span class="s2">postgresql://app_user:password@postgres:5432/myapp</span><span class="dl">"</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// After</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="dl">"</span><span class="s2">postgresql://app_user:password@pgbouncer:6432/myapp</span><span class="dl">"</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">25</span><span class="p">,</span> <span class="c1">// can be higher now - PgBouncer handles the real limit</span> <span class="p">});</span> </code></pre> </div> <h2> The Numbers </h2> <p>Same application, same workload, same PostgreSQL instance. Before and after adding PgBouncer in transaction mode:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Without PgBouncer</th> <th>With PgBouncer</th> </tr> </thead> <tbody> <tr> <td>PostgreSQL connections (idle)</td> <td>75</td> <td>8</td> </tr> <tr> <td>PostgreSQL connections (peak load)</td> <td>210</td> <td>25</td> </tr> <tr> <td>PostgreSQL RAM used by connections</td> <td>1.47GB</td> <td>175MB</td> </tr> <tr> <td>p99 query latency (peak)</td> <td>340ms</td> <td>95ms</td> </tr> <tr> <td>Errors under load</td> <td>connection limit exceeded</td> <td>0</td> </tr> </tbody> </table></div> <p>The latency improvement is not because PgBouncer makes queries faster. It's because without it, queries were queuing for a connection slot. With transaction pooling, a query gets a connection, runs, and returns it immediately - no waiting.</p> <h2> What Transaction Pooling Breaks </h2> <p>This is important. Transaction pooling is not a drop-in change if you use any of the following:</p> <p><strong>Named prepared statements.</strong> Prepared statements are created on a specific server connection. With transaction pooling, you might get a different connection per transaction, so the prepared statement doesn't exist there.</p> <p>Good news for Node.js developers: <code>pg</code> does NOT use protocol-level prepared statements by default. Standard parameterized queries work fine with PgBouncer in transaction mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This does NOT use a persistent prepared statement - works fine with PgBouncer</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users WHERE id = $1</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="nx">userId</span><span class="p">]);</span> <span class="c1">// This DOES use a persistent prepared statement (the `name` property) - breaks with PgBouncer</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">query</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">get-user-by-id</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="dl">"</span><span class="s2">SELECT * FROM users WHERE id = $1</span><span class="dl">"</span><span class="p">,</span> <span class="na">values</span><span class="p">:</span> <span class="p">[</span><span class="nx">userId</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>The issue only appears if you explicitly pass a <code>name</code> property in the query object. If you're using standard <code>pool.query(sql, params)</code> calls, you don't need to change anything.</p> <p><strong><code>SET</code> statements and session-level configuration.</strong> <code>SET search_path TO tenant_abc</code> applies to the session, not the transaction. With transaction pooling, the setting evaporates when the transaction ends and the connection goes back to the pool.</p> <p>If you're using RLS with <code>set_config('app.organization_id', orgId, true)</code>, the <code>true</code> parameter already makes it transaction-scoped, so this works correctly with PgBouncer. Just make sure you're not relying on any session-level state persisting between transactions.</p> <p><strong>Advisory locks.</strong> <code>pg_advisory_lock()</code> is session-scoped. Use <code>pg_advisory_xact_lock()</code> instead, which is transaction-scoped and releases automatically on commit/rollback.</p> <p><strong><code>LISTEN/NOTIFY</code>.</strong> Subscriptions are session-scoped. If you're using <code>LISTEN</code>, you need a dedicated long-lived connection that bypasses PgBouncer - or use a separate direct PostgreSQL connection just for pub/sub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Direct connection for LISTEN/NOTIFY, bypassing PgBouncer</span> <span class="kd">const</span> <span class="nx">notifyClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Client</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_DIRECT_URL</span><span class="p">,</span> <span class="c1">// points to :5432</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">notifyClient</span><span class="p">.</span><span class="nf">connect</span><span class="p">();</span> <span class="k">await</span> <span class="nx">notifyClient</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">LISTEN log_events</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <h2> PgBouncer on Managed Databases </h2> <p>If you're using RDS, Supabase, Neon, or similar, you often don't need to run PgBouncer yourself.</p> <ul> <li> <strong>RDS</strong>: RDS Proxy is AWS's managed connection pooler. It's PgBouncer-like, works in transaction mode, integrates with IAM authentication. It costs extra ($0.015/vCPU-hour) but removes the operational burden.</li> <li> <strong>Supabase</strong>: Has a built-in connection pooler called Supavisor (which replaced their PgBouncer setup in 2023) working in transaction mode on port 6543. Use that URL for your application instead of the direct connection string.</li> <li> <strong>Neon</strong>: Serverless pooling built-in, similar to transaction mode.</li> <li> <strong>PlanetScale</strong>: MySQL-based, different story entirely.</li> </ul> <p><strong>If you're using Prisma with any connection pooler in transaction mode</strong>, you must add <code>?pgbouncer=true</code> to your database URL - otherwise Prisma's internal prepared statement handling will crash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Without this flag, Prisma breaks silently with PgBouncer/Supavisor in transaction mode</span> <span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgresql://user:password@pgbouncer:6432/myapp?pgbouncer=true"</span> </code></pre> </div> <p>This one parameter has saved countless hours of "why is Prisma throwing random errors in production" debugging.</p> <p>For self-hosted PostgreSQL, running PgBouncer yourself is the standard approach.</p> <h2> Tuning <code>max_connections</code> in PostgreSQL </h2> <p>Once PgBouncer is in front, you can lower PostgreSQL's <code>max_connections</code> to something realistic:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- See current value</span> <span class="k">SHOW</span> <span class="n">max_connections</span><span class="p">;</span> <span class="c1">-- See current active connections</span> <span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">pg_stat_activity</span><span class="p">;</span> </code></pre> </div> <p>A reasonable formula for <code>max_connections</code> when using a pool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">max_connections</span> <span class="p">=</span> <span class="s">(pool_size * number_of_pools) + reserved_superuser_connections</span> </code></pre> </div> <p>For PgBouncer with <code>default_pool_size = 25</code> and a few admin connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">max_connections</span> <span class="p">=</span> <span class="s">25 + 10 (headroom) = 35</span> </code></pre> </div> <p>Set this in <code>postgresql.conf</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="py">max_connections</span> <span class="p">=</span> <span class="s">35</span> <span class="py">shared_buffers</span> <span class="p">=</span> <span class="s">256MB # ~25% of available RAM</span> <span class="py">work_mem</span> <span class="p">=</span> <span class="s">16MB # per sort/hash operation, per connection</span> </code></pre> </div> <p>Lowering <code>max_connections</code> lets PostgreSQL allocate more memory to <code>shared_buffers</code> and <code>work_mem</code>, which directly improves query performance. The memory that was being eaten by connection overhead goes back to the query executor.</p> <h2> The Checklist </h2> <p>If you're running Node.js with PostgreSQL in production:</p> <ul> <li>Is your pool size per process configured explicitly, or defaulting to 10?</li> <li>How many processes/replicas connect to the database? What's the total connection count?</li> <li>Are you within 80% of <code>max_connections</code> at peak?</li> <li>Do you have PgBouncer or equivalent in front of PostgreSQL?</li> <li>Are you using <code>set_config</code> for RLS context rather than <code>SET</code> statements?</li> <li>Are you using <code>pg_advisory_xact_lock</code> instead of <code>pg_advisory_lock</code>?</li> <li>Do you have a dedicated connection for <code>LISTEN/NOTIFY</code> that bypasses the pool?</li> </ul> <p>Connection exhaustion is one of those problems that hides until traffic spikes, then appears as a cascade of unrelated-looking errors. The fix is not complicated, but it requires understanding what PostgreSQL is actually doing with each connection.</p> <p><em>What connection pool setup are you running in production? Any gotchas with PgBouncer that aren't covered here? Comments are open.</em></p> postgres node backend devops Polliog Mon, 06 Apr 2026 13:28:19 +0000 https://forem.com/aws-builders/i-ditched-prisma-for-raw-sql-and-my-queries-got-10x-faster-4gen https://forem.com/aws-builders/i-ditched-prisma-for-raw-sql-and-my-queries-got-10x-faster-4gen <p>Prisma is genuinely good software. The schema DSL is clean, the type generation works well, and for a new project it gets you to a working data layer in an hour. I used it for about a year before I started noticing things.</p> <p>The first sign was a query that should have taken 5ms taking 80ms. The second was a N+1 that I'd technically solved with <code>include</code> but was still generating 15 SQL statements. The third was opening <code>prisma.$queryRaw</code> for the third time in a week because the query builder couldn't express what I needed.</p> <p>At that point I stopped fighting the abstraction and started writing SQL directly.</p> <h2> What Prisma Actually Does to Your Queries </h2> <p>This is a simple query with a filter and pagination:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">logs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">logEntry</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">orgId</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="p">{</span> <span class="na">gte</span><span class="p">:</span> <span class="k">from</span><span class="p">,</span> <span class="na">lt</span><span class="p">:</span> <span class="nx">to</span><span class="p">,</span> <span class="p">},</span> <span class="na">level</span><span class="p">:</span> <span class="p">{</span> <span class="na">in</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">fatal</span><span class="dl">"</span><span class="p">]</span> <span class="p">},</span> <span class="p">},</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">timestamp</span><span class="p">:</span> <span class="dl">"</span><span class="s2">desc</span><span class="dl">"</span> <span class="p">},</span> <span class="na">take</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">skip</span><span class="p">:</span> <span class="nx">page</span> <span class="o">*</span> <span class="mi">50</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>The SQL Prisma generates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"id"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"timestamp"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"service"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"level"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"message"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"metadata"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"organization_id"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"created_at"</span><span class="p">,</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"updated_at"</span> <span class="k">FROM</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span> <span class="k">WHERE</span> <span class="p">(</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"organization_id"</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"timestamp"</span> <span class="o">&gt;=</span> <span class="err">$</span><span class="mi">2</span> <span class="k">AND</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"timestamp"</span> <span class="o">&lt;</span> <span class="err">$</span><span class="mi">3</span> <span class="k">AND</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"level"</span> <span class="k">IN</span> <span class="p">(</span><span class="err">$</span><span class="mi">4</span><span class="p">,</span> <span class="err">$</span><span class="mi">5</span><span class="p">)</span> <span class="p">)</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="nv">"public"</span><span class="p">.</span><span class="nv">"log_entries"</span><span class="p">.</span><span class="nv">"timestamp"</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="err">$</span><span class="mi">6</span> <span class="k">OFFSET</span> <span class="err">$</span><span class="mi">7</span> </code></pre> </div> <p>This is fine SQL. But notice: it selects every column (including <code>created_at</code> and <code>updated_at</code> that my UI doesn't need), it uses <code>OFFSET</code> pagination (slow on large tables), and I have no control over any of it without escaping to <code>$queryRaw</code>.</p> <p>The equivalent raw query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">logs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pool</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="s2">`SELECT id, timestamp, service, level, message, metadata FROM log_entries WHERE organization_id = $1 AND timestamp &gt;= $2 AND timestamp &lt; $3 AND level = ANY($4) AND (timestamp, id) &lt; ($5, $6) ORDER BY timestamp DESC, id DESC LIMIT $7`</span><span class="p">,</span> <span class="p">[</span><span class="nx">orgId</span><span class="p">,</span> <span class="k">from</span><span class="p">,</span> <span class="nx">to</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">error</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">fatal</span><span class="dl">"</span><span class="p">],</span> <span class="nx">cursorTs</span><span class="p">,</span> <span class="nx">cursorId</span><span class="p">,</span> <span class="mi">50</span><span class="p">]</span> <span class="p">);</span> </code></pre> </div> <p>Keyset pagination instead of OFFSET, only the columns I need, and the query is exactly what I want the database to run.</p> <h2> The N+1 Problem Prisma Doesn't Fully Solve </h2> <p>Prisma's <code>include</code> resolves N+1 queries by using <code>IN</code> clauses instead of per-row queries. But "no N+1" doesn't mean "one query":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">projects</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">organizationId</span><span class="p">:</span> <span class="nx">orgId</span> <span class="p">},</span> <span class="na">include</span><span class="p">:</span> <span class="p">{</span> <span class="na">members</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">apiKeys</span><span class="p">:</span> <span class="p">{</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">active</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="na">_count</span><span class="p">:</span> <span class="p">{</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">logEntries</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Prisma executes this as 4 separate queries: one for projects, one for members, one for apiKeys, one for the count. Then it assembles the result in JavaScript.</p> <p>The raw equivalent is one query. The naive approach would be chaining multiple <code>LEFT JOIN</code> on one-to-many tables and relying on <code>GROUP BY</code> - but that produces a Cartesian fan-out: if a project has 10 members, 5 API keys, and 100 log entries, the database materializes 10x5x100 = 5,000 intermediate rows per project before collapsing them. <code>COUNT(DISTINCT ...)</code> hides the bug in the results, but performance collapses as the tables grow.</p> <p>The correct version pre-aggregates each relationship with CTEs before joining:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">member_stats</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">project_id</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">member_count</span><span class="p">,</span> <span class="n">jsonb_agg</span><span class="p">(</span><span class="n">jsonb_build_object</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="n">user_id</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">,</span> <span class="k">role</span><span class="p">))</span> <span class="k">AS</span> <span class="n">members</span> <span class="k">FROM</span> <span class="n">project_members</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">project_id</span> <span class="p">),</span> <span class="n">key_stats</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">project_id</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">active_key_count</span> <span class="k">FROM</span> <span class="n">api_keys</span> <span class="k">WHERE</span> <span class="n">active</span> <span class="o">=</span> <span class="k">true</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">project_id</span> <span class="p">),</span> <span class="n">log_stats</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">project_id</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">log_entry_count</span> <span class="k">FROM</span> <span class="n">log_entries</span> <span class="k">WHERE</span> <span class="nb">timestamp</span> <span class="o">&gt;</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'24 hours'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">project_id</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">p</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">p</span><span class="p">.</span><span class="n">created_at</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">ms</span><span class="p">.</span><span class="n">member_count</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">member_count</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">ks</span><span class="p">.</span><span class="n">active_key_count</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">active_key_count</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">ls</span><span class="p">.</span><span class="n">log_entry_count</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="k">AS</span> <span class="n">log_entry_count</span><span class="p">,</span> <span class="n">COALESCE</span><span class="p">(</span><span class="n">ms</span><span class="p">.</span><span class="n">members</span><span class="p">,</span> <span class="s1">'[]'</span><span class="p">::</span><span class="n">jsonb</span><span class="p">)</span> <span class="k">AS</span> <span class="n">members</span> <span class="k">FROM</span> <span class="n">projects</span> <span class="n">p</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">member_stats</span> <span class="n">ms</span> <span class="k">ON</span> <span class="n">ms</span><span class="p">.</span><span class="n">project_id</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">key_stats</span> <span class="n">ks</span> <span class="k">ON</span> <span class="n">ks</span><span class="p">.</span><span class="n">project_id</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">log_stats</span> <span class="n">ls</span> <span class="k">ON</span> <span class="n">ls</span><span class="p">.</span><span class="n">project_id</span> <span class="o">=</span> <span class="n">p</span><span class="p">.</span><span class="n">id</span> <span class="k">WHERE</span> <span class="n">p</span><span class="p">.</span><span class="n">organization_id</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">p</span><span class="p">.</span><span class="n">created_at</span> <span class="k">DESC</span> </code></pre> </div> <p>Each CTE scans and aggregates its table independently. The final join works on already-collapsed rows - no fan-out, no wasted intermediate rows. One round trip, and actually faster than Prisma's 4 queries at scale.</p> <p>Prisma can't generate this query. <code>$queryRaw</code> can run it, but then you lose the type safety that was the point of using Prisma.</p> <h2> The Performance Numbers </h2> <p>Same endpoint, same data, same index configuration. 50k rows in the table.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Query type</th> <th>p50</th> <th>p95</th> <th>p99</th> </tr> </thead> <tbody> <tr> <td>Prisma <code>findMany</code> with <code>include</code> </td> <td>45ms</td> <td>120ms</td> <td>310ms</td> </tr> <tr> <td>4 separate <code>pg</code> queries</td> <td>18ms</td> <td>40ms</td> <td>95ms</td> </tr> <tr> <td>Single JOIN query</td> <td>6ms</td> <td>14ms</td> <td>28ms</td> </tr> </tbody> </table></div> <p>The 10x headline comes from the p99 comparison. At p50 it's closer to 7x. Both are real.</p> <p>The Prisma numbers aren't bad in absolute terms for most applications. They become a problem when you're doing this on every request, at scale, with connection pool pressure from concurrent requests.</p> <h2> Migrating Without Rewriting Everything </h2> <p>You don't have to replace Prisma everywhere at once. The practical path:</p> <p><strong>Step 1: Keep Prisma for writes and simple reads</strong></p> <p>Prisma is genuinely good for inserts, updates, and single-record lookups by primary key. The query generation for these is optimal and the type safety is useful.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Keep this in Prisma - it's fine</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">organizationId</span> <span class="p">}</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">project</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findUnique</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Step 2: Replace list queries and anything with joins</strong></p> <p>This is where the overhead compounds. Add a <code>pg</code> pool alongside Prisma:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Pool</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">pg</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@prisma/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">pool</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Pool</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span> <span class="p">});</span> </code></pre> </div> <p><strong>Step 3: Write a thin query layer</strong></p> <p>The thing I missed most from Prisma was typed results. TypeScript with raw SQL defaults to <code>any</code>. Fix it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">queryLogs</span><span class="p">(</span><span class="nx">params</span><span class="p">:</span> <span class="nx">LogQuery</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">LogEntry</span><span class="p">[]</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pool</span><span class="p">.</span><span class="nx">query</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">;</span> <span class="nl">service</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">level</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">metadata</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">(</span> <span class="s2">`SELECT id, timestamp, service, level, message, metadata FROM log_entries WHERE organization_id = $1 AND timestamp &gt;= $2 AND timestamp &lt; $3 ORDER BY timestamp DESC LIMIT $4`</span><span class="p">,</span> <span class="p">[</span><span class="nx">params</span><span class="p">.</span><span class="nx">orgId</span><span class="p">,</span> <span class="nx">params</span><span class="p">.</span><span class="k">from</span><span class="p">,</span> <span class="nx">params</span><span class="p">.</span><span class="nx">to</span><span class="p">,</span> <span class="nx">params</span><span class="p">.</span><span class="nx">limit</span><span class="p">]</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The generic parameter on <code>pool.query&lt;T&gt;</code> types the rows. It's not as ergonomic as Prisma's generated types, but it's enough to catch most mistakes at compile time.</p> <p>If you want SQL-level control with Prisma-level type safety, look into <a href="https://kysely.dev" rel="noopener noreferrer">Kysely</a> or <a href="https://orm.drizzle.team" rel="noopener noreferrer">Drizzle ORM</a>. Both let you write SQL-close queries while inferring full TypeScript types from your schema - without the ORM magic that makes query optimization hard. Kysely in particular is worth a look if the manual typing in <code>pool.query&lt;T&gt;</code> feels too brittle.</p> <h2> What You Actually Lose </h2> <p>This is important to say clearly: there are real things you give up.</p> <p><strong>Schema migrations.</strong> Prisma Migrate is good. When you drop Prisma from your query layer you still want a migration tool. I use <code>node-pg-migrate</code>, others use <code>db-migrate</code> or just raw SQL files in a migrations folder with a simple runner. None of them are as polished as Prisma Migrate.</p> <p><strong>The schema as source of truth.</strong> Prisma's schema file makes it easy to see your data model at a glance and generates types from it. With raw SQL you're maintaining types manually or generating them from the database schema with something like <code>pgtyped</code> or <code>zapatos</code>.</p> <p><strong>Prisma Studio.</strong> Minor thing but worth mentioning - having a UI to browse your data is useful during development.</p> <p><strong>Onboarding speed.</strong> New developers on a project with raw SQL need to know SQL. This is not a bad thing, but it's a real cost.</p> <h2> When to Keep Prisma </h2> <p>Prisma is the right choice when:</p> <ul> <li>Your team isn't comfortable with SQL</li> <li>You're building a CRUD app where the Prisma query builder covers 90%+ of your needs</li> <li>You're early stage and query performance isn't a bottleneck yet</li> <li>The productivity gain from the DX outweighs the performance cost</li> </ul> <p>It stops being the right choice when:</p> <ul> <li>Your most important queries can't be expressed through the query builder</li> <li>You're regularly escaping to <code>$queryRaw</code> for anything beyond simple lookups</li> <li>Query times are a meaningful part of your latency budget</li> <li>You need fine-grained control over indexes, hints, or query plans</li> </ul> <p>The answer for most production systems that have been running for more than a year is: use both. Prisma for the simple stuff, raw SQL for the queries that matter.</p> <p><em>What ORM or query approach are you using in production? Anything that changed your mind in either direction? Comments are open.</em></p> node typescript database postgres Polliog Sat, 04 Apr 2026 10:43:14 +0000 https://forem.com/polliog/your-api-responses-are-40x-larger-than-they-need-to-be-5p4 https://forem.com/polliog/your-api-responses-are-40x-larger-than-they-need-to-be-5p4 <p>I was profiling a production API last year when I noticed something that should have been obvious from the start: the response body for a simple list endpoint was 2.4MB. The actual useful data? About 60KB.</p> <p>The rest was a mix of unused fields, redundant nesting, and no compression. It had been that way since day one, and nobody had noticed because on localhost it's fast enough that it doesn't register.</p> <p>This is not a rare situation. It's the default.</p> <h2> The Three Ways APIs Bloat Their Responses </h2> <h3> 1. No Compression </h3> <p>This is the easiest win and the most commonly skipped.</p> <p>HTTP has supported gzip compression since 1999. Brotli has been in all major browsers since 2017. Most APIs don't enable either by default.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if your API compresses responses</span> curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{size_download}"</span> https://api.example.com/users curl <span class="nt">-s</span> <span class="nt">-o</span> /dev/null <span class="nt">-w</span> <span class="s2">"%{size_download}"</span> <span class="nt">-H</span> <span class="s2">"Accept-Encoding: gzip"</span> https://api.example.com/users </code></pre> </div> <p>If both numbers are the same, you're not compressing.</p> <p>The fix in Node.js with Fastify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fastifyCompress</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@fastify/compress</span><span class="dl">"</span><span class="p">;</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">fastifyCompress</span><span class="p">,</span> <span class="p">{</span> <span class="na">global</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">encodings</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">br</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">gzip</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">deflate</span><span class="dl">"</span><span class="p">],</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="c1">// don't compress responses under 1KB</span> <span class="p">});</span> </code></pre> </div> <p>And with Express:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">compression</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">compression</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">compression</span><span class="p">({</span> <span class="na">level</span><span class="p">:</span> <span class="mi">6</span><span class="p">,</span> <span class="na">threshold</span><span class="p">:</span> <span class="mi">1024</span><span class="p">,</span> <span class="na">filter</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">x-no-compression</span><span class="dl">"</span><span class="p">])</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">return</span> <span class="nx">compression</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">);</span> <span class="p">},</span> <span class="p">}));</span> </code></pre> </div> <p>Real numbers from a list endpoint returning 500 records:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Format</th> <th>Size</th> </tr> </thead> <tbody> <tr> <td>No compression</td> <td>2.4MB</td> </tr> <tr> <td>gzip</td> <td>280KB</td> </tr> <tr> <td>brotli</td> <td>210KB</td> </tr> </tbody> </table></div> <p>That's an 8-11x reduction with zero changes to your data model, zero changes to clients, and about 10 lines of code.</p> <blockquote> <p><strong>Note:</strong> Handling compression in Node.js works well for most setups. At large scale, offloading it to your reverse proxy (NGINX) or CDN (Cloudflare) saves CPU cycles since Node.js is single-threaded and compression is CPU-intensive. If you're already behind a proxy, check whether it's compressing for you before adding it in Node.js too.</p> </blockquote> <h3> 2. Over-fetching </h3> <p>Every ORM makes it trivial to return entire database rows. Most codebases do exactly that.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// This returns every column in the users table</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Including: password_hash, internal_flags, created_at, updated_at,</span> <span class="c1">// deleted_at, last_ip, raw_oauth_payload, internal_notes...</span> </code></pre> </div> <p>The fix is not complicated - it just requires being deliberate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Return only what the client actually needs</span> <span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">` SELECT id, name, email, avatar_url, role FROM users WHERE organization_id = $1 ORDER BY created_at DESC `</span><span class="p">,</span> <span class="p">[</span><span class="nx">orgId</span><span class="p">]);</span> </code></pre> </div> <p>If you're using an ORM like Prisma, use <code>select</code> explicitly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">organizationId</span> <span class="p">},</span> <span class="na">select</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">avatarUrl</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>The temptation to use <code>SELECT *</code> or skip the <code>select</code> clause is real because it saves two minutes of typing. The cost is paid on every request, by every client, forever.</p> <h3> 3. Redundant Nesting and Metadata </h3> <p>This one is subtler. It's the pattern where every response wraps data in a consistent envelope, which is fine, but the envelope carries metadata that nobody uses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="mi">200</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OK"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-04-02T10:00:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"abc-123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"items"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"meta"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1250</span><span class="p">,</span><span class="w"> </span><span class="nl">"page"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"perPage"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"lastPage"</span><span class="p">:</span><span class="w"> </span><span class="mi">63</span><span class="p">,</span><span class="w"> </span><span class="nl">"from"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"to"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"currentPage"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"hasNextPage"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"hasPrevPage"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>success</code>, <code>status</code>, <code>message</code>, and <code>version</code> are duplicating what HTTP already tells the client. <code>currentPage</code> is <code>page</code> renamed. <code>from</code> and <code>to</code> are derivable from <code>page</code> and <code>perPage</code>. <code>hasPrevPage</code> is <code>page &gt; 1</code>.</p> <p>A cleaner version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"pagination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">1250</span><span class="p">,</span><span class="w"> </span><span class="nl">"page"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"perPage"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"hasNext"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Less noise, same information, smaller payload.</p> <h2> Keyset Pagination vs. Offset Pagination </h2> <p>While we're talking about list endpoints, there's a related issue worth covering.</p> <p>Offset pagination (<code>LIMIT 20 OFFSET 200</code>) requires the database to count and skip rows. On large tables this gets slow fast, and it also makes <code>total</code> count queries expensive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This scans and counts the entire table</span> <span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">logs</span> <span class="k">WHERE</span> <span class="n">organization_id</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span><span class="p">;</span> <span class="c1">-- On a table with 50M rows this can take 2-5 seconds</span> </code></pre> </div> <p>Keyset pagination avoids both problems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Instead of page/offset, use the last seen ID.</span> <span class="c1">// Request one extra row to check if there's a next page.</span> <span class="kd">const</span> <span class="nx">logs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">` SELECT id, timestamp, level, message FROM logs WHERE organization_id = $1 AND id &lt; $2 ORDER BY id DESC LIMIT $3 `</span><span class="p">,</span> <span class="p">[</span><span class="nx">orgId</span><span class="p">,</span> <span class="nx">lastSeenId</span><span class="p">,</span> <span class="nx">pageSize</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]);</span> <span class="c1">// If we got more than pageSize rows, there's a next page.</span> <span class="c1">// Trim the extra row before sending.</span> <span class="kd">const</span> <span class="nx">hasNext</span> <span class="o">=</span> <span class="nx">logs</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">pageSize</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">logs</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">pageSize</span><span class="p">);</span> </code></pre> </div> <p>You lose the ability to jump to arbitrary pages, which matters for some UIs but not for most. You gain: fast queries at any depth, no COUNT(*) needed, and stable pagination even when rows are being inserted concurrently.</p> <h2> Conditional Responses with ETags </h2> <p>If your data doesn't change between requests, the client shouldn't have to download it again.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">crypto</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// In your route handler</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetchData</span><span class="p">(</span><span class="nx">orgId</span><span class="p">);</span> <span class="c1">// If your data has an updated_at field, use that instead of hashing</span> <span class="c1">// the full payload - much cheaper on large responses.</span> <span class="c1">// const etag = createHash("md5").update(`${data.id}:${data.updatedAt}`).digest("hex");</span> <span class="kd">const</span> <span class="nx">etag</span> <span class="o">=</span> <span class="nf">createHash</span><span class="p">(</span><span class="dl">"</span><span class="s2">md5</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">))</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">hex</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">clientEtag</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">"</span><span class="s2">if-none-match</span><span class="dl">"</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">clientEtag</span> <span class="o">===</span> <span class="nx">etag</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">304</span><span class="p">).</span><span class="nf">send</span><span class="p">();</span> <span class="c1">// Not Modified - zero payload</span> <span class="p">}</span> <span class="nx">res</span> <span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">"</span><span class="s2">ETag</span><span class="dl">"</span><span class="p">,</span> <span class="nx">etag</span><span class="p">)</span> <span class="p">.</span><span class="nf">header</span><span class="p">(</span><span class="dl">"</span><span class="s2">Cache-Control</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">private, max-age=0, must-revalidate</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> </code></pre> </div> <p>One caveat: hashing the full <code>JSON.stringify(data)</code> on every request is expensive if your payload is large. If the data has an <code>updated_at</code> timestamp in the database, derive the ETag from that instead - <code>hash(id + updated_at)</code> is a constant-time operation regardless of payload size and avoids blocking the event loop.</p> <p>For list endpoints where data changes frequently, this won't help much. For configuration endpoints, user profile data, or static reference data, a 304 response is massively cheaper than resending the same payload on every poll.</p> <h2> Putting It Together </h2> <p>The combined impact on that 2.4MB endpoint:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Change</th> <th>Size</th> <th>Reduction</th> </tr> </thead> <tbody> <tr> <td>Baseline</td> <td>2.4MB</td> <td>-</td> </tr> <tr> <td>+ brotli compression</td> <td>210KB</td> <td>91%</td> </tr> <tr> <td>+ select only needed fields</td> <td>58KB</td> <td>97.5%</td> </tr> <tr> <td>+ clean response envelope</td> <td>55KB</td> <td>97.7%</td> </tr> <tr> <td>+ ETag (no change)</td> <td>0KB</td> <td>100%</td> </tr> </tbody> </table></div> <p>The 40x number in the title is real. Most of it comes from compression alone - the rest is just discipline.</p> <p>None of these changes require a rewrite. They don't break existing clients. They're additive. The only cost is a bit of attention to defaults that most frameworks don't set correctly out of the box.</p> <p>Start with compression. It takes 10 minutes and the numbers will surprise you.</p> <p><em>Found something I got wrong, or a pattern that works better for your stack? Drop it in the comments.</em></p> webdev performance api node Polliog Thu, 02 Apr 2026 12:10:51 +0000 https://forem.com/polliog/i-tested-the-new-security-layer-for-local-ai-agents-heres-the-honest-take-5d47 https://forem.com/polliog/i-tested-the-new-security-layer-for-local-ai-agents-heres-the-honest-take-5d47 <h2> The problem: OpenClaw's localhost exposure is a real risk </h2> <p>If you've been running local AI agents with <strong>OpenClaw</strong>, there's a good chance your setup is more exposed than you think. Researchers recently found over <strong>135,000 OpenClaw instances publicly reachable online</strong> - many of them with no authentication, open to prompt injection, API key theft, and arbitrary command execution.</p> <p>That's the problem <strong>PAIO</strong> (Personal AI Operator) is trying to solve. Backed by PureVPN's 17 years of network security infrastructure, it positions itself as a drop-in security and optimization layer for OpenClaw-based agents. I was given Pro access to test it ahead of launch, and this is my honest, hands-on assessment.</p> <p>An exposed OpenClaw endpoint can let an attacker:</p> <ul> <li>Inject malicious prompts into your agent's context</li> <li>Read or exfiltrate your system prompt and conversation history</li> <li>Abuse your API keys for their own usage</li> <li>Execute tools and actions your agent has access to</li> </ul> <p>This isn't theoretical. The 135,000 figure comes from Shodan-style scanning of known OpenClaw ports. If you've ever used <code>--host 0.0.0.0</code> anywhere in your agent config, you've probably been in that list at some point.</p> <h2> What PAIO actually does </h2> <p>PAIO sits between your agent and the outside world. Instead of your OpenClaw instance binding directly to a network interface, PAIO proxies and controls that connection — sanitizing inputs, managing authentication, and exposing a controlled WebSocket endpoint that you can share safely.</p> <p>Once set up, your agent becomes accessible via a unique WSS endpoint like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>wss://app.paio.bot/f73bb772-aaaa-aaaa-8b0f-a605aaaac/ </code></pre> </div> <p>Or via an in-browser chat UI hosted on their platform. Your localhost is never directly exposed. That's the core value proposition, and it's architecturally sound.</p> <p>Beyond security, PAIO also adds:</p> <ul> <li> <strong>Token optimization</strong> — context window and system prompt compression to reduce API costs</li> <li> <strong>A simplified dashboard</strong> — sessions, skills, and agent configuration in a cleaner UI than vanilla OpenClaw</li> <li> <strong>Mac agent with browser relay</strong> — lets the agent perform tasks like bookings and research in the background</li> <li> <strong>Multi-provider AI support</strong> — OpenAI, Anthropic, and others</li> </ul> <h2> Setup: honest timing </h2> <p>The marketing says "60-second deployment." In my experience, the full process from the landing page took closer to <strong>5–6 minutes</strong> — though to be fair, PAIO measures their benchmark from first successful prompt, not from the landing page. They're also actively optimizing the provisioning pipeline with an internal target of under 60 seconds end-to-end. Fast either way, but worth knowing what to expect.</p> <blockquote> <p>💡 <strong>Important - no AI included:</strong> PAIO does not bundle AI credits. Every plan requires you to either bring your own API key or purchase their credit packages separately. Factor this into your cost model before signing up.</p> </blockquote> <p>Once past setup, the dashboard is noticeably cleaner than OpenClaw's native interface. You get session management, skill configuration, and connection status in a single view. For teams or developers who find OpenClaw's UI overwhelming, this alone might justify the tool.</p> <h2> Token optimization: the claim vs. reality </h2> <p>PAIO advertises up to <strong>50% token reduction</strong> through aggressive context window and system prompt optimization. This is one of those claims that's highly dependent on your specific use case - the gains are real, but whether you hit 50% depends on how bloated your prompts are to begin with.</p> <p>In practice, if you're running agents with long system prompts, large tool schemas, or verbose context injection, you'll see meaningful savings. If your setup is already lean, the gains will be modest. The tool doesn't magically compress arbitrary LLM output — it compresses the <em>input</em> side: context, system prompts, and tool definitions. Worth noting: a major token optimization patch was pushed to production shortly after launch, improving multi-step context pruning and pushing savings beyond 60% in their internal benchmarks. I haven't re-tested post-patch, but it's worth evaluating with your own workload.</p> <h2> Complexity: the honest critique </h2> <p>Here's the thing: PAIO inherits OpenClaw's complexity and adds its own layer on top. If you're already comfortable with OpenClaw, the additional concepts (WSS endpoints, skills, session routing) are manageable. If you're newer to local agent infrastructure, this is not a beginner tool.</p> <p>The dashboard simplifies some things, but the underlying mental model - local agent + proxy layer + AI provider + browser relay - is still a lot to hold in your head. I'd love to see a more opinionated "just works" mode for simpler use cases.</p> <h2> Verdict </h2> <p><strong>What works ✅</strong></p> <ul> <li>Genuine security improvement over raw OpenClaw</li> <li>Cleaner dashboard UX</li> <li>WSS endpoint approach is the right architecture</li> <li>Token optimization is real (if your prompts are verbose)</li> <li>Multi-provider AI support</li> </ul> <p><strong>What to watch ⚠️</strong></p> <ul> <li>Setup is 5–6 min, not 60 sec as advertised</li> <li>No AI included — always BYOK or pay for credits</li> <li>Still complex for non-OpenClaw users</li> <li>Token savings vary widely by use case</li> <li>Mac-first; other platforms TBD</li> </ul> <p>If you're running OpenClaw agents in any environment that's even partially network-accessible, PAIO is worth serious consideration. The localhost exposure problem is real, underappreciated, and PAIO's proxy approach is a legitimate fix. The token optimization is a nice bonus rather than the main draw.</p> <p>If you're on a tight budget, factor in that you'll always need AI credits on top of any PAIO plan. Run the numbers for your usage volume before committing.</p> <p>You can get started at <a href="https://www.paio.bot" rel="noopener noreferrer">paio.bot</a> - the free tier lets you evaluate the setup flow before committing to a paid plan.</p> <p><em>This article was produced in partnership with PAIO. Testing was conducted independently with Pro plan access provided by the PAIO team.</em></p> ai security agents webdev Polliog Tue, 17 Mar 2026 11:17:17 +0000 https://forem.com/aws-builders/i-removed-redis-from-my-stack-and-used-postgresql-for-job-queues-instead-2lp5 https://forem.com/aws-builders/i-removed-redis-from-my-stack-and-used-postgresql-for-job-queues-instead-2lp5 <p>Every Node.js project eventually needs background jobs. Send this email. Process this file. Run this alert evaluation at midnight. The default answer in the ecosystem is Redis + BullMQ. It's fast, battle-tested, and has a great API.</p> <p>It also means running Redis.</p> <p>For projects already running PostgreSQL, that's a second database to provision, monitor, back up, and pay for. On AWS, an ElastiCache instance starts at ~$15/month for the smallest node not catastrophic, but not nothing either. More importantly, it's another moving part that can fail.</p> <p>I recently shipped a Redis-free deployment mode for an open-source project I maintain. The job queue runs entirely on PostgreSQL using <a href="https://worker.graphile.org/" rel="noopener noreferrer">graphile-worker</a>. Here's everything I learned from the experience what graphile-worker does well, where it has real limits, and when you should just keep Redis.</p> <h2> The Problem With "Just Add Redis" </h2> <p>Before getting into the comparison, it's worth being honest about what the Redis dependency actually costs.</p> <p><strong>Operationally</strong>, Redis is simple to run but adds surface area. Every additional service is another thing that can go down, run out of memory, or need a version upgrade. In Docker Compose deployments (which is how most self-hosted tools get deployed), it's another container, another volume, another health check.</p> <p><strong>On AWS</strong>, the options are:</p> <ul> <li>ElastiCache (managed, ~$15-50/month for a usable instance)</li> <li>Redis on EC2 (self-managed, cheaper but more work)</li> <li>Redis on the same instance as your app (fine for dev, risky in prod)</li> </ul> <p><strong>For multi-instance scaling</strong>, Redis becomes mandatory you can't share BullMQ queues across processes without it. But for a single-instance deployment, you're paying the Redis tax without getting the multi-instance benefit.</p> <p>The question I asked: <em>if I'm already running PostgreSQL and my job volume doesn't justify a dedicated queue broker, what do I lose by using Postgres as the queue?</em></p> <h2> How graphile-worker Works </h2> <p>graphile-worker stores jobs in a PostgreSQL table and uses <code>SELECT ... FOR UPDATE SKIP LOCKED</code> to claim them. That one clause is the key insight: it's an atomic operation that lets multiple workers poll the same table concurrently without contention.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">id</span><span class="p">,</span> <span class="n">queue_name</span><span class="p">,</span> <span class="n">task_identifier</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="n">run_at</span> <span class="k">FROM</span> <span class="n">graphile_worker</span><span class="p">.</span><span class="n">jobs</span> <span class="k">WHERE</span> <span class="n">run_at</span> <span class="o">&lt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="k">AND</span> <span class="n">locked_by</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">attempts</span> <span class="o">&lt;</span> <span class="n">max_attempts</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">priority</span> <span class="k">DESC</span><span class="p">,</span> <span class="n">run_at</span> <span class="k">ASC</span> <span class="k">FOR</span> <span class="k">UPDATE</span> <span class="n">SKIP</span> <span class="n">LOCKED</span> <span class="k">LIMIT</span> <span class="mi">1</span><span class="p">;</span> </code></pre> </div> <p>When a worker claims a job, it locks the row. If the worker crashes, the lock is released automatically when the connection drops. No dead letter queue configuration needed just max_attempts and exponential backoff.</p> <p>Job results are kept in the same table. Completed jobs get deleted (or archived, if you configure it). Failed jobs increment their attempt counter and get rescheduled with backoff.</p> <p>It's genuinely elegant. The entire queue state lives in a place you already know how to query, back up, and monitor.</p> <h2> Setting It Up in a Node.js/TypeScript Project </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">run</span><span class="p">,</span> <span class="nx">makeWorkerUtils</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphile-worker</span><span class="dl">'</span> <span class="c1">// Register task handlers</span> <span class="kd">const</span> <span class="nx">runner</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">run</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="na">concurrency</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="na">taskList</span><span class="p">:</span> <span class="p">{</span> <span class="na">send_email</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">helpers</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">body</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">payload</span> <span class="k">as</span> <span class="nx">EmailPayload</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">({</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">body</span> <span class="p">})</span> <span class="p">},</span> <span class="na">evaluate_alert</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">helpers</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">alertId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">payload</span> <span class="k">as</span> <span class="nx">AlertPayload</span> <span class="k">await</span> <span class="nf">evaluateAlert</span><span class="p">(</span><span class="nx">alertId</span><span class="p">)</span> <span class="p">},</span> <span class="na">generate_report</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">helpers</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">reportId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">payload</span> <span class="k">as</span> <span class="nx">ReportPayload</span> <span class="k">await</span> <span class="nf">generateReport</span><span class="p">(</span><span class="nx">reportId</span><span class="p">)</span> <span class="p">},</span> <span class="p">},</span> <span class="p">})</span> <span class="c1">// Add jobs from anywhere in your app</span> <span class="kd">const</span> <span class="nx">utils</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">makeWorkerUtils</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// One-off job</span> <span class="k">await</span> <span class="nx">utils</span><span class="p">.</span><span class="nf">addJob</span><span class="p">(</span><span class="dl">'</span><span class="s1">send_email</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">to</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Your report is ready</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="dl">'</span><span class="s1">...</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// Scheduled job (run at specific time)</span> <span class="k">await</span> <span class="nx">utils</span><span class="p">.</span><span class="nf">addJob</span><span class="p">(</span><span class="dl">'</span><span class="s1">generate_report</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">reportId</span><span class="p">:</span> <span class="mi">123</span> <span class="p">},</span> <span class="p">{</span> <span class="na">runAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(</span><span class="dl">'</span><span class="s1">2026-03-15T09:00:00Z</span><span class="dl">'</span><span class="p">),</span> <span class="p">})</span> <span class="c1">// Recurring job (cron syntax)</span> <span class="k">await</span> <span class="nx">utils</span><span class="p">.</span><span class="nf">addJob</span><span class="p">(</span><span class="dl">'</span><span class="s1">evaluate_alert</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">alertId</span><span class="p">:</span> <span class="mi">456</span> <span class="p">},</span> <span class="p">{</span> <span class="na">jobKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alert-456-eval</span><span class="dl">'</span><span class="p">,</span> <span class="na">jobKeyMode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">replace</span><span class="dl">'</span><span class="p">,</span> <span class="na">runAt</span><span class="p">:</span> <span class="nf">cronNextRun</span><span class="p">(</span><span class="dl">'</span><span class="s1">*/5 * * * *</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// every 5 minutes</span> <span class="p">})</span> </code></pre> </div> <p>The API is intentionally minimal. No queue configuration, no connection pooling setup, no separate Redis client. You point it at your existing PostgreSQL connection string and start adding jobs.</p> <h2> BullMQ vs graphile-worker: The Real Comparison </h2> <p>Let me be direct about where each one wins.</p> <h3> Where graphile-worker wins </h3> <p><strong>Zero additional infrastructure.</strong> If you're already on RDS PostgreSQL or Aurora, graphile-worker is free. No ElastiCache, no Redis on EC2, no second managed service to babysit.</p> <p><strong>Full SQL visibility.</strong> Your jobs are rows in a table. You can query them, join them against other tables, build admin UIs with a SELECT, and debug failures with psql. Compare this to inspecting BullMQ queues via the Bull Board UI or raw Redis commands.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Find all failed jobs in the last hour</span> <span class="k">SELECT</span> <span class="n">task_identifier</span><span class="p">,</span> <span class="n">payload</span><span class="p">,</span> <span class="n">last_error</span><span class="p">,</span> <span class="n">attempts</span> <span class="k">FROM</span> <span class="n">graphile_worker</span><span class="p">.</span><span class="n">jobs</span> <span class="k">WHERE</span> <span class="n">last_error</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">updated_at</span> <span class="o">&gt;</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'1 hour'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">updated_at</span> <span class="k">DESC</span><span class="p">;</span> <span class="c1">-- Count pending jobs by type</span> <span class="k">SELECT</span> <span class="n">task_identifier</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">as</span> <span class="n">pending</span> <span class="k">FROM</span> <span class="n">graphile_worker</span><span class="p">.</span><span class="n">jobs</span> <span class="k">WHERE</span> <span class="n">locked_by</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">task_identifier</span><span class="p">;</span> </code></pre> </div> <p><strong>Transactional job enqueueing.</strong> This is the killer feature that BullMQ can't match. You can enqueue a job inside a database transaction, guaranteeing it only gets scheduled if the transaction commits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">trx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Create the user</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">trx</span><span class="p">.</span><span class="nf">insertInto</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nf">values</span><span class="p">(</span><span class="nx">userData</span><span class="p">).</span><span class="nf">returningAll</span><span class="p">().</span><span class="nf">executeTakeFirstOrThrow</span><span class="p">()</span> <span class="c1">// Enqueue welcome email — only runs if user creation succeeds</span> <span class="k">await</span> <span class="nx">trx</span><span class="p">.</span><span class="nf">executeQuery</span><span class="p">(</span> <span class="nx">sql</span><span class="s2">`SELECT graphile_worker.add_job('send_welcome_email', </span><span class="p">${</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">})}</span><span class="s2">)`</span> <span class="p">)</span> <span class="p">})</span> </code></pre> </div> <p>With BullMQ, you'd add the job after the transaction commits and if your process crashes between the commit and the <code>queue.add()</code> call, the job never gets scheduled. Not a common failure mode, but a real one. To achieve this guarantee with BullMQ, you'd have to implement the Transactional Outbox pattern writing the job to a database table first, then running a separate relay worker to move it to Redis. graphile-worker gives you this for free.</p> <p><strong>Operational simplicity for single-instance deployments.</strong> One less service to configure in Docker Compose, one less thing to include in your backup strategy, one less connection string to manage in environment variables.</p> <h3> Where BullMQ wins </h3> <p><strong>Throughput.</strong> Redis is an in-memory data structure store purpose-built for this. BullMQ can process thousands of jobs per second. graphile-worker tops out around 100-200 jobs/second on typical PostgreSQL hardware before you start hitting lock contention. For most applications this is irrelevant. For high-volume pipelines (image processing, webhook delivery at scale, bulk email), it matters.</p> <p><strong>Advanced queue features.</strong> BullMQ has rate limiting, job priorities with fine-grained control, delayed jobs with millisecond precision, parent-child job dependencies, and repeatable jobs with complex scheduling. graphile-worker has most of these, but BullMQ's implementation is more complete and battle-hardened.</p> <p><strong>Real-time job events.</strong> BullMQ emits events (completed, failed, progress) via Redis pub/sub. You can build live job monitoring dashboards easily. With graphile-worker, you'd poll the jobs table.</p> <p><strong>Multi-instance horizontal scaling.</strong> BullMQ was designed from the ground up for multiple workers across multiple processes/machines, all sharing the same Redis. graphile-worker supports this too (multiple workers polling the same PostgreSQL), but the throughput ceiling is lower.</p> <h3> The honest performance numbers </h3> <p>On commodity hardware (the same AMD Ryzen 5 3600 from the benchmark article):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>BullMQ</th> <th>graphile-worker</th> </tr> </thead> <tbody> <tr> <td>Job enqueue rate</td> <td>~5,000/s</td> <td>~500/s</td> </tr> <tr> <td>Job processing throughput (simple tasks)</td> <td>~2,000/s</td> <td>~100-200/s</td> </tr> <tr> <td>Job processing throughput (I/O bound tasks)</td> <td>~500/s</td> <td>~100/s</td> </tr> <tr> <td>Latency from enqueue to pickup</td> <td>&lt;10ms</td> <td>&lt;10ms (LISTEN/NOTIFY), 2s max (poll fallback)</td> </tr> </tbody> </table></div> <p>graphile-worker polls for new jobs at a configurable interval (default: every 2 seconds, plus LISTEN/NOTIFY for immediate pickup). For most background job use cases — sending emails, generating reports, running scheduled checks — 500ms latency is completely acceptable. For near-real-time processing where job pickup latency matters, BullMQ wins.</p> <h2> The AWS Decision Framework </h2> <p>This is where the choice becomes concrete.</p> <p><strong>Use graphile-worker when:</strong></p> <ul> <li>You're already on RDS PostgreSQL or Aurora</li> <li>Your job volume is under ~100 jobs/second</li> <li>You have a single-instance deployment or modest horizontal scale</li> <li>You want transactional job enqueueing</li> <li>You want SQL-queryable job state</li> <li>You want to avoid ElastiCache costs</li> </ul> <p><strong>Use BullMQ when:</strong></p> <ul> <li>You need &gt;200 jobs/second sustained throughput</li> <li>You have real-time job progress tracking requirements</li> <li>You're scaling to many workers across many instances</li> <li>You already have ElastiCache for other purposes (caching, sessions)</li> <li>You need fine-grained rate limiting (e.g., "max 10 API calls/second to this external service")</li> </ul> <p><strong>The cost math on AWS (rough estimates, us-east-1):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Setup</th> <th>Monthly cost (approx)</th> </tr> </thead> <tbody> <tr> <td>RDS PostgreSQL db.t3.medium</td> <td>~$30</td> </tr> <tr> <td>RDS PostgreSQL db.t3.medium + ElastiCache cache.t3.micro</td> <td>~$45</td> </tr> <tr> <td>Aurora PostgreSQL (serverless v2, min capacity)</td> <td>~$45</td> </tr> <tr> <td>Aurora PostgreSQL + ElastiCache cache.t3.micro</td> <td>~$60</td> </tr> </tbody> </table></div> <p>If you're already paying for RDS and your jobs fit within graphile-worker's throughput ceiling, you're spending money on ElastiCache for infrastructure you don't need.</p> <h2> The Migration Path </h2> <p>If you're currently on BullMQ and considering a migration, it's straightforward. graphile-worker runs schema migrations automatically on startup you don't manage the tables yourself.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Before: BullMQ</span> <span class="k">import</span> <span class="nx">Queue</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bullmq</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">emailQueue</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Queue</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">redisConnection</span> <span class="p">})</span> <span class="k">await</span> <span class="nx">emailQueue</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">send</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">body</span> <span class="p">},</span> <span class="p">{</span> <span class="na">attempts</span><span class="p">:</span> <span class="mi">3</span><span class="p">,</span> <span class="na">backoff</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">exponential</span><span class="dl">'</span><span class="p">,</span> <span class="na">delay</span><span class="p">:</span> <span class="mi">1000</span> <span class="p">}</span> <span class="p">})</span> <span class="c1">// After: graphile-worker</span> <span class="kd">const</span> <span class="nx">utils</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">makeWorkerUtils</span><span class="p">({</span> <span class="na">connectionString</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span> <span class="p">})</span> <span class="k">await</span> <span class="nx">utils</span><span class="p">.</span><span class="nf">addJob</span><span class="p">(</span><span class="dl">'</span><span class="s1">send_email</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">to</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="nx">body</span> <span class="p">},</span> <span class="p">{</span> <span class="na">maxAttempts</span><span class="p">:</span> <span class="mi">3</span> <span class="p">})</span> </code></pre> </div> <p>The retry/backoff configuration moves from the job definition to the worker configuration. The task handler API is nearly identical.</p> <p>One thing to handle explicitly: BullMQ lets you attach <code>removeOnComplete</code> and <code>removeOnFail</code> policies per job. graphile-worker always removes completed jobs (keeping failed ones with their error details). If you need a completed job archive, add a separate table and write to it from your task handlers.</p> <h2> What I Actually Run in Production </h2> <p>The project I maintain ships two Docker Compose configurations: one with Redis + BullMQ for teams that need horizontal scaling, and one with graphile-worker only for single-instance deployments that want minimum operational overhead.</p> <p>The Redis-free setup works well for SMB deployments teams running their own observability stack on a single VPS or a modest EC2 instance. The full setup with Redis makes sense when you're running multiple backend instances behind a load balancer.</p> <p>Both queue implementations share the same task handler interface. Switching between them is a config change, not a code change.</p> <h2> Summary </h2> <p>PostgreSQL-based job queues aren't a new idea Delayed Job in Ruby, django-q in Python, and several others have proven the pattern works. graphile-worker brings it to Node.js with a clean API and genuine PostgreSQL integration.</p> <p>The choice isn't "which is better." It's "which matches your constraints." If you're paying for ElastiCache already, BullMQ is probably the right call. If you're running PostgreSQL and your job volume fits within graphile-worker's ceiling, eliminating Redis simplifies your stack without meaningful cost.</p> <p>The <code>SELECT ... FOR UPDATE SKIP LOCKED</code> pattern is one of those PostgreSQL features that most developers don't know exists until they need it. Now you do.</p> <p><em>The Redis-optional deployment mode ships in <a href="https://github.com/logtide-dev/logtide" rel="noopener noreferrer">Logtide</a> since v0.5.0 a self-hosted observability platform built on Node.js + TimescaleDB. The <code>docker-compose.simple.yml</code> uses graphile-worker; the standard <code>docker-compose.yml</code> uses BullMQ.</em></p> postgres aws node webdev Polliog Mon, 16 Mar 2026 20:28:29 +0000 https://forem.com/polliog/pii-in-your-logs-is-a-gdpr-time-bomb-heres-how-to-defuse-it-307l https://forem.com/polliog/pii-in-your-logs-is-a-gdpr-time-bomb-heres-how-to-defuse-it-307l <p>Your application is probably logging PII right now.</p> <p>Not maliciously - it happens naturally. A user submits a form with their email. Your framework logs the full request body for debugging. The email lands in CloudWatch, Datadog, or your ELK cluster. It sits there for 90 days, or 365, or however long your retention policy says.</p> <p>Under GDPR, that's a data breach waiting for a complaint. Under HIPAA, it's a violation. Under any audit, it's a finding.</p> <p>The fix isn't "tell developers to be careful." Developers are already careful - until they're debugging a production incident at 2am and add a quick <code>console.log(request.body)</code>. The fix is a masking layer that runs automatically, before any log hits storage.</p> <p>This article is about building that layer in Node.js.</p> <h2> What PII Actually Looks Like in Logs </h2> <p>Before masking, you need to know what you're masking. PII in logs shows up in three forms:</p> <p><strong>Structured fields</strong> - JSON payloads where the key makes the value obvious:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="s2">"alice@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hunter2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ssn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123-45-6789"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Embedded in strings</strong> - PII inside log messages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User alice@example.com failed login from 192.168.1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9... </code></pre> </div> <p><strong>Nested or transformed</strong> - Base64-encoded, URL-encoded, or buried in stack traces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error processing request body: %7B%22email%22%3A%22alice%40example.com%22%7D </code></pre> </div> <p>A good masking pipeline handles all three. Most tutorials only handle the first one.</p> <h2> The Architecture: Mask at Ingestion, Not at Display </h2> <p>There are two schools of thought on when to mask:</p> <ol> <li> <strong>Mask at display</strong> - store everything, redact when showing logs in the UI</li> <li> <strong>Mask at ingestion</strong> - strip PII before it ever reaches storage</li> </ol> <p>Mask at ingestion is the only defensible choice for compliance. If PII reaches your database, it's already a GDPR problem - even if you never display it. The data is there, it can be breached, and you own the liability.</p> <p>The pipeline looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application → Log event → [Masking layer] → Storage ↑ This is where we operate </code></pre> </div> <p>The masking layer runs synchronously, in-process, before any network call to your log storage. No PII leaves the machine.</p> <h2> Building the Masking Layer </h2> <h3> Step 1: Define your masking strategies </h3> <p>Before writing regex, decide what "masked" means for your use case. Three strategies cover most cases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">MaskingStrategy</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">mask</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">hash</span><span class="dl">'</span> <span class="c1">// mask: show partial value - useful for debugging (still recognizable, not storable)</span> <span class="c1">// "alice@example.com" → "al***@***.com"</span> <span class="c1">// redact: replace entirely - use when value has no debugging value</span> <span class="c1">// "hunter2" → "[REDACTED]"</span> <span class="c1">// hash: deterministic SHA-256 - use when you need to correlate without exposing</span> <span class="c1">// "alice@example.com" → "sha256:2f3a4b..." (same input always produces same hash)</span> <span class="c1">// ⚠️ Always set PII_HASH_SALT in your environment. Emails and SSNs have low entropy</span> <span class="c1">// and are trivially reversible from unsalted hashes via rainbow tables.</span> </code></pre> </div> <p>Hashing is underused. It lets you answer "did this user appear in these logs?" without storing the actual email. Useful for audit trails and correlation.</p> <h3> Step 2: Pattern-based detection </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createHash</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">PII_PATTERNS</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span> <span class="na">pattern</span><span class="p">:</span> <span class="nb">RegExp</span> <span class="na">strategy</span><span class="p">:</span> <span class="nx">MaskingStrategy</span> <span class="p">}</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">[</span> <span class="c1">// Email addresses</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">\b[</span><span class="sr">A-Za-z0-9._%+-</span><span class="se">]</span><span class="sr">+@</span><span class="se">[</span><span class="sr">A-Za-z0-9.-</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[</span><span class="sr">A-Z|a-z</span><span class="se">]{2,}\b</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mask</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Credit card numbers (Format-valid patterns — prefix and length, not Luhn checksum)</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">credit_card</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">\b(?:</span><span class="sr">4</span><span class="se">[</span><span class="sr">0-9</span><span class="se">]{12}(?:[</span><span class="sr">0-9</span><span class="se">]{3})?</span><span class="sr">|5</span><span class="se">[</span><span class="sr">1-5</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]{14}</span><span class="sr">|3</span><span class="se">[</span><span class="sr">47</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]{13}</span><span class="sr">|3</span><span class="se">(?:</span><span class="sr">0</span><span class="se">[</span><span class="sr">0-5</span><span class="se">]</span><span class="sr">|</span><span class="se">[</span><span class="sr">68</span><span class="se">][</span><span class="sr">0-9</span><span class="se">])[</span><span class="sr">0-9</span><span class="se">]{11})\b</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// US Social Security Numbers</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ssn</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">\b\d{3}</span><span class="sr">-</span><span class="se">\d{2}</span><span class="sr">-</span><span class="se">\d{4}\b</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Bearer tokens / JWT</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">bearer_token</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/Bearer</span><span class="se">\s</span><span class="sr">+</span><span class="se">[</span><span class="sr">A-Za-z0-9</span><span class="se">\-</span><span class="sr">_=</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[</span><span class="sr">A-Za-z0-9</span><span class="se">\-</span><span class="sr">_=</span><span class="se">]</span><span class="sr">+</span><span class="se">\.?[</span><span class="sr">A-Za-z0-9</span><span class="se">\-</span><span class="sr">_.+</span><span class="se">/</span><span class="sr">=</span><span class="se">]</span><span class="sr">*/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// AWS access keys</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aws_access_key</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">\b(</span><span class="sr">AKIA|AIPA|AKIA|ASIA</span><span class="se">)[</span><span class="sr">A-Z0-9</span><span class="se">]{16}\b</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// IPv4 addresses (optional — some teams want these, some don't)</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ipv4</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">\b(?:(?:</span><span class="sr">25</span><span class="se">[</span><span class="sr">0-5</span><span class="se">]</span><span class="sr">|2</span><span class="se">[</span><span class="sr">0-4</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]</span><span class="sr">|</span><span class="se">[</span><span class="sr">01</span><span class="se">]?[</span><span class="sr">0-9</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]?)\.){3}(?:</span><span class="sr">25</span><span class="se">[</span><span class="sr">0-5</span><span class="se">]</span><span class="sr">|2</span><span class="se">[</span><span class="sr">0-4</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]</span><span class="sr">|</span><span class="se">[</span><span class="sr">01</span><span class="se">]?[</span><span class="sr">0-9</span><span class="se">][</span><span class="sr">0-9</span><span class="se">]?)\b</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mask</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// Phone numbers (loose — adjust for your region)</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">phone</span><span class="dl">'</span><span class="p">,</span> <span class="na">pattern</span><span class="p">:</span> <span class="sr">/</span><span class="se">(\+?[\d\s\-</span><span class="sr">().</span><span class="se">]{10,15})</span><span class="sr">/g</span><span class="p">,</span> <span class="na">strategy</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mask</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">]</span> <span class="kd">function</span> <span class="nf">applyStrategy</span><span class="p">(</span><span class="nx">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">strategy</span><span class="p">:</span> <span class="nx">MaskingStrategy</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">switch </span><span class="p">(</span><span class="nx">strategy</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">hash</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="s2">`sha256:</span><span class="p">${</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">).</span><span class="nf">update</span><span class="p">(</span><span class="nx">value</span> <span class="o">+</span> <span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PII_HASH_SALT</span> <span class="o">??</span> <span class="dl">''</span><span class="p">)).</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">).</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">16</span><span class="p">)}</span><span class="s2">`</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">mask</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Email masking: show first 2 chars of local part and domain TLD</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">local</span><span class="p">,</span> <span class="nx">domain</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">domainName</span><span class="p">,</span> <span class="p">...</span><span class="nx">tlds</span><span class="p">]</span> <span class="o">=</span> <span class="nx">domain</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">local</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">2</span><span class="p">)}</span><span class="s2">***@***.</span><span class="p">${</span><span class="nx">tlds</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)}</span><span class="s2">`</span> <span class="p">}</span> <span class="c1">// Generic masking: show first and last char, mask middle</span> <span class="k">if </span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;=</span> <span class="mi">4</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">****</span><span class="dl">'</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">value</span><span class="p">[</span><span class="mi">0</span><span class="p">]}${</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">.</span><span class="nf">repeat</span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">2</span><span class="p">)}${</span><span class="nx">value</span><span class="p">[</span><span class="nx">value</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">1</span><span class="p">]}</span><span class="s2">`</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">input</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">{</span> <span class="nx">pattern</span><span class="p">,</span> <span class="nx">strategy</span> <span class="p">}</span> <span class="k">of</span> <span class="nx">PII_PATTERNS</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">pattern</span><span class="p">,</span> <span class="p">(</span><span class="nx">match</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">applyStrategy</span><span class="p">(</span><span class="nx">match</span><span class="p">,</span> <span class="nx">strategy</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Field-name detection </h3> <p>Pattern matching catches PII embedded in strings. But for structured JSON, matching on field names is faster and more reliable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">SENSITIVE_FIELD_NAMES</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">passwd</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api_key</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">apikey</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api-key</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">auth</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">credential</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">credentials</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">e_mail</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">e-mail</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ssn</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">social_security</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">national_id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">credit_card</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">card_number</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cvv</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cvc</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">phone</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">phone_number</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">mobile</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">dob</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">date_of_birth</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">birthday</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">address</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">street_address</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">postal_code</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">zip_code</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ip_address</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ip</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">x_forwarded_for</span><span class="dl">'</span><span class="p">,</span> <span class="p">])</span> <span class="kd">function</span> <span class="nf">isFieldSensitive</span><span class="p">(</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">normalized</span> <span class="o">=</span> <span class="nx">key</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">-_</span><span class="se">\s]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">_</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="nx">SENSITIVE_FIELD_NAMES</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">normalized</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Step 4: Recursive object traversal </h3> <p>The masking function needs to traverse nested objects - request bodies aren't always flat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">type</span> <span class="nx">LogValue</span> <span class="o">=</span> <span class="kr">string</span> <span class="o">|</span> <span class="kr">number</span> <span class="o">|</span> <span class="nx">boolean</span> <span class="o">|</span> <span class="kc">null</span> <span class="o">|</span> <span class="nx">LogObject</span> <span class="o">|</span> <span class="nx">LogValue</span><span class="p">[]</span> <span class="kd">type</span> <span class="nx">LogObject</span> <span class="o">=</span> <span class="p">{</span> <span class="p">[</span><span class="na">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">LogValue</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">maskObject</span><span class="p">(</span><span class="nx">obj</span><span class="p">:</span> <span class="nx">LogObject</span><span class="p">,</span> <span class="nx">depth</span> <span class="o">=</span> <span class="mi">0</span><span class="p">):</span> <span class="nx">LogObject</span> <span class="p">{</span> <span class="c1">// Prevent infinite recursion on circular references</span> <span class="k">if </span><span class="p">(</span><span class="nx">depth</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">[max_depth_exceeded]</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span><span class="p">:</span> <span class="nx">LogObject</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">obj</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nf">isFieldSensitive</span><span class="p">(</span><span class="nx">key</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// Field name match: redact or hash based on field type</span> <span class="c1">// Note: this hardcodes the strategy per field type for brevity. In a production</span> <span class="c1">// system, map field names to your central PII_PATTERNS configuration to keep</span> <span class="c1">// strategies consistent across both field-name and pattern-based detection.</span> <span class="kd">const</span> <span class="nx">strategy</span> <span class="o">=</span> <span class="nx">key</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">email</span><span class="dl">'</span><span class="p">)</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">hash</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">redact</span><span class="dl">'</span> <span class="nx">result</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nf">applyStrategy</span><span class="p">(</span><span class="nx">value</span><span class="p">,</span> <span class="nx">strategy</span><span class="p">)</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span> <span class="k">continue</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">value</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">value</span><span class="p">))</span> <span class="p">{</span> <span class="nx">result</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">typeof</span> <span class="nx">item</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">item</span> <span class="o">!==</span> <span class="kc">null</span> <span class="p">?</span> <span class="nf">maskObject</span><span class="p">(</span><span class="nx">item</span> <span class="k">as</span> <span class="nx">LogObject</span><span class="p">,</span> <span class="nx">depth</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="p">:</span> <span class="k">typeof</span> <span class="nx">item</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">item</span><span class="p">)</span> <span class="p">:</span> <span class="nx">item</span> <span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">value</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">value</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nf">maskObject</span><span class="p">(</span><span class="nx">value</span> <span class="k">as</span> <span class="nx">LogObject</span><span class="p">,</span> <span class="nx">depth</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">result</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span> <span class="o">=</span> <span class="nx">value</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span> <span class="p">}</span> </code></pre> </div> <h3> Step 5: The masking pipeline entry point </h3> <p>Wrap everything in a single function that handles both structured objects and raw strings:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">maskPII</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">):</span> <span class="nx">unknown</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">input</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">input</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">input</span> <span class="o">!==</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">input</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">maskObject</span><span class="p">(</span><span class="nx">input</span> <span class="k">as</span> <span class="nx">LogObject</span><span class="p">)</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">input</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">input</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">maskPII</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">input</span> <span class="p">}</span> </code></pre> </div> <h2> Integrating With Your Logger </h2> <h3> With Pino (recommended for Node.js) </h3> <p>Pino supports <code>redact</code> paths natively, but it only handles known field paths. For dynamic detection, use a <code>serializers</code> hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">pino</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pino</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">maskPII</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./masking</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nf">pino</span><span class="p">({</span> <span class="na">serializers</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Mask the entire request object</span> <span class="na">req</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">maskPII</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">,</span> <span class="p">}),</span> <span class="c1">// Mask arbitrary metadata</span> <span class="na">meta</span><span class="p">:</span> <span class="p">(</span><span class="nx">meta</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">maskPII</span><span class="p">(</span><span class="nx">meta</span><span class="p">),</span> <span class="p">},</span> <span class="p">})</span> <span class="c1">// Usage</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="nx">req</span><span class="p">,</span> <span class="na">meta</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span> <span class="p">}</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">Request received</span><span class="dl">'</span><span class="p">)</span> </code></pre> </div> <h3> With Winston </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">winston</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">winston</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">maskPII</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./masking</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">maskingTransform</span> <span class="o">=</span> <span class="nx">winston</span><span class="p">.</span><span class="nf">format</span><span class="p">((</span><span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">maskPII</span><span class="p">(</span><span class="nx">info</span><span class="p">)</span> <span class="k">as</span> <span class="k">typeof</span> <span class="nx">info</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">logger</span> <span class="o">=</span> <span class="nx">winston</span><span class="p">.</span><span class="nf">createLogger</span><span class="p">({</span> <span class="na">format</span><span class="p">:</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">combine</span><span class="p">(</span> <span class="nf">maskingTransform</span><span class="p">(),</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="p">),</span> <span class="na">transports</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">transports</span><span class="p">.</span><span class="nc">Console</span><span class="p">()],</span> <span class="p">})</span> </code></pre> </div> <h3> With a raw HTTP ingest endpoint </h3> <p>If you're building an ingest endpoint that receives logs from external sources (SDKs, collectors), apply masking server-side before writing to storage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Fastify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fastify</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">maskPII</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./masking</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nc">Fastify</span><span class="p">()</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1/ingest</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">logs</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="k">as</span> <span class="p">{</span> <span class="na">logs</span><span class="p">:</span> <span class="nx">LogObject</span><span class="p">[]</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">maskedLogs</span> <span class="o">=</span> <span class="nx">logs</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">log</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="p">...</span><span class="nf">maskObject</span><span class="p">(</span><span class="nx">log</span><span class="p">),</span> <span class="na">ingested_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">}))</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insertInto</span><span class="p">(</span><span class="dl">'</span><span class="s1">logs</span><span class="dl">'</span><span class="p">).</span><span class="nf">values</span><span class="p">(</span><span class="nx">maskedLogs</span><span class="p">).</span><span class="nf">execute</span><span class="p">()</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">accepted</span><span class="p">:</span> <span class="nx">maskedLogs</span><span class="p">.</span><span class="nx">length</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> The Edge Cases Nobody Talks About </h2> <h3> URL-encoded and Base64-encoded PII </h3> <p>Attackers (and frameworks) encode data. Your masking needs to handle it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">maskStringWithDecoding</span><span class="p">(</span><span class="nx">input</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">input</span> <span class="c1">// Try URL decode and re-mask</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nf">decodeURIComponent</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">decoded</span> <span class="o">!==</span> <span class="nx">result</span><span class="p">)</span> <span class="p">{</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nf">maskString</span><span class="p">(</span><span class="nx">decoded</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{}</span> <span class="c1">// Try Base64 decode and re-mask</span> <span class="kd">const</span> <span class="nx">base64Pattern</span> <span class="o">=</span> <span class="sr">/</span><span class="se">\b[</span><span class="sr">A-Za-z0-9+</span><span class="se">/]{20,}</span><span class="sr">=</span><span class="se">{0,2}\b</span><span class="sr">/g</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">base64Pattern</span><span class="p">,</span> <span class="p">(</span><span class="nx">match</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">match</span><span class="p">,</span> <span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Only re-encode if it looks like it decoded to something meaningful</span> <span class="k">if </span><span class="p">(</span><span class="sr">/^</span><span class="se">[\x</span><span class="sr">20-</span><span class="se">\x</span><span class="sr">7E</span><span class="se">]</span><span class="sr">+$/</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">decoded</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">masked</span> <span class="o">=</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">decoded</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">masked</span> <span class="o">!==</span> <span class="nx">decoded</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">masked</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{}</span> <span class="k">return</span> <span class="nx">match</span> <span class="p">})</span> <span class="k">return</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Stack traces </h3> <p>Stack traces can contain PII in exception messages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: User not found for email alice@example.com at UserService.findByEmail (user.service.ts:42) </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">maskStackTrace</span><span class="p">(</span><span class="nx">stack</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">stack</span> <span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">line</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Mask the error message line (first line), leave stack frames alone</span> <span class="k">if </span><span class="p">(</span><span class="nx">index</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="k">return</span> <span class="nf">maskString</span><span class="p">(</span><span class="nx">line</span><span class="p">)</span> <span class="k">return</span> <span class="nx">line</span> <span class="p">})</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Performance considerations </h3> <p>The masking pipeline runs on every log event. Profile it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Simple benchmark</span> <span class="kd">const</span> <span class="nx">iterations</span> <span class="o">=</span> <span class="mi">10</span><span class="nx">_000</span> <span class="kd">const</span> <span class="nx">sampleLog</span> <span class="o">=</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User alice@example.com logged in from 192.168.1.1</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alice@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer eyJhbGciOiJIUzI1NiJ9.test.test</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">start</span> <span class="o">=</span> <span class="nx">performance</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">iterations</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nf">maskObject</span><span class="p">(</span><span class="nx">sampleLog</span><span class="p">)</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">elapsed</span> <span class="o">=</span> <span class="nx">performance</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">start</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">iterations</span><span class="p">}</span><span class="s2"> iterations in </span><span class="p">${</span><span class="nx">elapsed</span><span class="p">.</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">2</span><span class="p">)}</span><span class="s2">ms (</span><span class="p">${(</span><span class="nx">elapsed</span> <span class="o">/</span> <span class="nx">iterations</span><span class="p">).</span><span class="nf">toFixed</span><span class="p">(</span><span class="mi">3</span><span class="p">)}</span><span class="s2">ms each)`</span><span class="p">)</span> </code></pre> </div> <p>On a modern machine, a well-implemented masking pipeline takes 0.05-0.2ms per log event. At 1,000 logs/second, that's 50-200ms of CPU per second — acceptable for most applications, but worth measuring for high-throughput services.</p> <p>If performance is a concern, compile your regex patterns once outside the function — the compilation cost is paid only once, not on every log event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Bad: regex compiled on every call</span> <span class="kd">function</span> <span class="nf">maskEmail</span><span class="p">(</span><span class="nx">str</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">str</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\b[</span><span class="sr">A-Za-z0-9._%+-</span><span class="se">]</span><span class="sr">+@</span><span class="se">[</span><span class="sr">A-Za-z0-9.-</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[</span><span class="sr">A-Z|a-z</span><span class="se">]{2,}\b</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1">***</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Good: compiled once, reused on every call</span> <span class="c1">// Note: String.prototype.replace() manages lastIndex internally — no manual reset needed</span> <span class="kd">const</span> <span class="nx">EMAIL_PATTERN</span> <span class="o">=</span> <span class="sr">/</span><span class="se">\b[</span><span class="sr">A-Za-z0-9._%+-</span><span class="se">]</span><span class="sr">+@</span><span class="se">[</span><span class="sr">A-Za-z0-9.-</span><span class="se">]</span><span class="sr">+</span><span class="se">\.[</span><span class="sr">A-Z|a-z</span><span class="se">]{2,}\b</span><span class="sr">/g</span> <span class="kd">function</span> <span class="nf">maskEmail</span><span class="p">(</span><span class="nx">str</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">str</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nx">EMAIL_PATTERN</span><span class="p">,</span> <span class="dl">'</span><span class="s1">***</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Testing Your Masking Pipeline </h2> <p>A masking layer without tests is worse than no masking layer — it gives you false confidence.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">describe</span><span class="p">,</span> <span class="nx">it</span><span class="p">,</span> <span class="nx">expect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">vitest</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">maskPII</span><span class="p">,</span> <span class="nx">maskObject</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./masking</span><span class="dl">'</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">PII masking</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">masks email addresses in strings</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">maskPII</span><span class="p">(</span><span class="dl">'</span><span class="s1">User alice@example.com logged in</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">alice@example.com</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// partial masking, not full redaction</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">redacts password fields</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">maskObject</span><span class="p">({</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hunter2</span><span class="dl">'</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alice</span><span class="dl">'</span> <span class="p">})</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">password</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">username</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">alice</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// non-sensitive fields unchanged</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">handles nested objects</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">maskObject</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alice@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">preferences</span><span class="p">:</span> <span class="p">{</span> <span class="na">theme</span><span class="p">:</span> <span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="nf">expect</span><span class="p">((</span><span class="nx">result</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">email</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">alice@example.com</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">((</span><span class="nx">result</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">preferences</span><span class="p">.</span><span class="nx">theme</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">dark</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">redacts bearer tokens</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">maskPII</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.test.sig</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span><span class="p">)</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">result</span><span class="p">).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toContain</span><span class="p">(</span><span class="dl">'</span><span class="s1">eyJhbGciOiJIUzI1NiJ9</span><span class="dl">'</span><span class="p">)</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">does not modify non-PII strings</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">Server started on port 3000</span><span class="dl">'</span> <span class="nf">expect</span><span class="p">(</span><span class="nf">maskPII</span><span class="p">(</span><span class="nx">input</span><span class="p">)).</span><span class="nf">toBe</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="p">})</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">handles null and undefined gracefully</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">expect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">maskPII</span><span class="p">(</span><span class="kc">null</span><span class="p">)).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toThrow</span><span class="p">()</span> <span class="nf">expect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">maskPII</span><span class="p">(</span><span class="kc">undefined</span><span class="p">)).</span><span class="nx">not</span><span class="p">.</span><span class="nf">toThrow</span><span class="p">()</span> <span class="p">})</span> <span class="p">})</span> </code></pre> </div> <h2> The Masking Preview Problem </h2> <p>One practical challenge: developers need to test whether their masking rules are working without shipping to production. Build a simple preview endpoint (dev/staging only) that runs the masking pipeline and returns the diff:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/debug/mask-preview</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">input</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="nx">masked</span> <span class="o">=</span> <span class="nf">maskPII</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">original</span><span class="p">:</span> <span class="nx">input</span><span class="p">,</span> <span class="nx">masked</span><span class="p">,</span> <span class="na">changed</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="o">!==</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">masked</span><span class="p">),</span> <span class="p">})</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Call it with a sample log payload and immediately see what gets masked. Faster than print-debugging your way through regex patterns.</p> <h2> Summary </h2> <p>PII masking in logs is not a nice-to-have. It's a compliance requirement, and more importantly, it's the right thing to do with your users' data.</p> <p>The pattern is straightforward:</p> <ol> <li>Mask at ingestion, not at display</li> <li>Combine field-name detection (fast, reliable for structured data) with pattern matching (catches PII in strings)</li> <li>Choose the right strategy per field type: mask for emails, redact for passwords/tokens, hash for correlation keys</li> <li>Handle edge cases: URL encoding, Base64, stack traces</li> <li>Test it like production code, because it is production code</li> </ol> <p>The implementation above is about 150 lines of TypeScript. There's no reason every Node.js application logging to CloudWatch, Datadog, or anywhere else shouldn't have something equivalent running before the first log event leaves the process.</p> security webdev node typescript Polliog Sat, 14 Mar 2026 20:35:57 +0000 https://forem.com/aws-builders/i-benchmarked-timescaledb-vs-clickhouse-vs-mongodb-for-observability-data-the-results-surprised-me-3d7d https://forem.com/aws-builders/i-benchmarked-timescaledb-vs-clickhouse-vs-mongodb-for-observability-data-the-results-surprised-me-3d7d <p>When we designed <code>@logtide/reservoir</code> the pluggable storage abstraction layer for <a href="https://github.com/logtide-dev/logtide" rel="noopener noreferrer">Logtide</a> we had to make a real decision: which database should be the default for an observability platform?</p> <p>The conventional wisdom says: time-series data at scale → ClickHouse. It's what everyone building in this space seems to reach for. Grafana Loki, Signoz, and a bunch of others use it or are moving toward it.</p> <p>We didn't. We picked TimescaleDB as our default, with ClickHouse available for enterprise deployments and MongoDB for teams already invested in that ecosystem.</p> <p>We built a proper benchmark suite and ran it. Here are the actual numbers.</p> <h2> The Setup </h2> <p>All three engines were benchmarked under identical conditions, running in Docker on the same machine, seeded with the same synthetic dataset, tested at four volume tiers: <strong>1K, 10K, 100K, and 1M records</strong>.</p> <p>Three data types were tested separately <strong>logs</strong>, <strong>spans</strong> (distributed traces), and <strong>metrics</strong> because the query patterns are fundamentally different for each. Each test ran 3 iterations with 1 warmup round. Results are p50 latency unless otherwise noted.</p> <p>The benchmark suite is open source: it ships in Logtide's repository and you can run it yourself</p> <h2> Ingestion: Where ClickHouse Has a Problem </h2> <p>The first thing that jumped out was ClickHouse's ingestion behavior at small-to-medium batch sizes.</p> <p><strong>Log ingestion p50 latency (batch 1,000):</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Engine</th> <th>1K rows</th> <th>10K rows</th> <th>100K rows</th> <th>1M rows</th> </tr> </thead> <tbody> <tr> <td>TimescaleDB</td> <td>17.6ms</td> <td>14.2ms</td> <td>13.9ms</td> <td>13.3ms</td> </tr> <tr> <td>ClickHouse</td> <td>400.1ms</td> <td>400.4ms</td> <td>399.8ms</td> <td>400.0ms</td> </tr> <tr> <td>MongoDB</td> <td>37.0ms</td> <td>39.5ms</td> <td>37.2ms</td> <td>—</td> </tr> </tbody> </table></div> <p>ClickHouse is sitting at exactly 400ms for batch 1,000 across all volume tiers. That's not a coincidence it's ClickHouse's async insert behavior. When <code>async_insert = 1</code> is enabled (common in modern clients and managed services), ClickHouse buffers writes in memory and flushes them when <code>async_insert_busy_timeout_ms</code> elapses. Our setup has that timeout at 400ms. The 400 isn't a random number; it's a configured flush interval.</p> <p>The buffering exists precisely because ClickHouse doesn't handle high-frequency small writes well natively. Its columnar storage format requires merging data into sorted chunks a process that's expensive if triggered on every small insert. Async inserts are the workaround: batch writes in memory, flush periodically, pay the merge cost less often. It's the right design for bulk analytics ingestion. It's the wrong design if you're pushing logs from 10 microservices every few seconds.</p> <p>This matters a lot for observability workloads. When your application is logging in real time, you're not sending 10,000-log batches. You're sending small, frequent writes. At batch 100, ClickHouse delivers 250 ops/s. TimescaleDB delivers 14,200 ops/s. That's a 56x difference at a batch size that's very common in practice.</p> <p>ClickHouse catches up at batch 10,000 - 83,843 ops/s vs 120,934 ops/s for TimescaleDB. At scale ingestion, they're comparable. But you need to be running at that scale to benefit.</p> <p>MongoDB sits in the middle: consistent ~25K ops/s regardless of batch size, no timing artifacts. Predictable if not spectacular.</p> <h2> Query Latency: The Result That Settles the Debate </h2> <p>This is where the numbers get dramatic.</p> <p><strong>Log query p50 latency at 100K records:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>TimescaleDB</th> <th>ClickHouse</th> <th>MongoDB</th> </tr> </thead> <tbody> <tr> <td>Single service filter</td> <td><strong>0.47ms</strong></td> <td>44.8ms</td> <td>304ms</td> </tr> <tr> <td>Multi-filter</td> <td><strong>0.48ms</strong></td> <td>35.2ms</td> <td>309ms</td> </tr> <tr> <td>Full-text search</td> <td><strong>0.45ms</strong></td> <td>32.2ms</td> <td>39.9ms</td> </tr> <tr> <td>Narrow time range (1h)</td> <td><strong>0.49ms</strong></td> <td>8.7ms</td> <td>3.4ms</td> </tr> <tr> <td>Pagination (offset 1000)</td> <td><strong>0.40ms</strong></td> <td>85.8ms</td> <td>320ms</td> </tr> <tr> <td>Aggregate 1h buckets</td> <td><strong>0.41ms</strong></td> <td>15.1ms</td> <td>376ms</td> </tr> </tbody> </table></div> <p>TimescaleDB is answering filtered log queries in under <strong>half a millisecond</strong> at 100K records. ClickHouse takes 35-85ms for the same queries. MongoDB takes 300-400ms.</p> <p>The scaling story is equally stark. At 1M records, TimescaleDB's query latency barely moves still <strong>0.46ms</strong> for a service filter. ClickHouse degrades to 244ms. MongoDB wasn't tested at 1M for logs (the 100K numbers already showed where things were heading).</p> <p>This is the TimescaleDB superpower: <strong>hypertable partitioning + continuous aggregates</strong>. Most log queries filter by time range and service. TimescaleDB chunks data by time, and those chunks are indexed by service. The queries skip entire partitions instead of scanning. The continuous aggregates make count and aggregate queries nearly free because the work is already done.</p> <h2> The One Place ClickHouse Wins </h2> <p>There's an important exception to the TimescaleDB dominance: <strong>count operations at scale</strong>.</p> <p><strong>Count p50 at 1M records:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>TimescaleDB</th> <th>ClickHouse</th> </tr> </thead> <tbody> <tr> <td>Full count</td> <td>0.38ms</td> <td>11.25ms</td> </tr> <tr> <td>Filtered count</td> <td>0.43ms</td> <td>14.42ms</td> </tr> </tbody> </table></div> <p>Wait TimescaleDB wins here too? Yes, because of the countEstimate optimization we built: instead of <code>COUNT(*)</code>, we use <code>EXPLAIN</code> planner estimates for approximate counts. Zero scan, sub-millisecond.</p> <p>Where ClickHouse genuinely wins is <strong>aggregate throughput</strong> at high volume. At 1M records, ClickHouse's <code>aggregate (1m)</code> shows 55,507 ops/s vs TimescaleDB's comparable range. ClickHouse is built for columnar analytical queries over huge datasets if you're running complex analytics across months of data with many group-by combinations, it'll outperform.</p> <p>For the interactive dashboard queries that dominate observability UIs "show me the last hour filtered by this service" TimescaleDB is not even close to a fair fight.</p> <h2> Spans: The Interesting Reversal </h2> <p>The span (distributed tracing) results tell a different story from logs.</p> <p><strong>Trace query p50 at 10K records:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>TimescaleDB</th> <th>ClickHouse</th> <th>MongoDB</th> </tr> </thead> <tbody> <tr> <td>Query all traces</td> <td>2.5ms</td> <td>23.6ms</td> <td><strong>1.6ms</strong></td> </tr> <tr> <td>Query error traces</td> <td>1.6ms</td> <td>22.6ms</td> <td><strong>3.3ms</strong></td> </tr> <tr> <td>Get trace by ID</td> <td><strong>0.29ms</strong></td> <td>4.3ms</td> <td>0.40ms</td> </tr> <tr> <td>Service dependencies</td> <td><strong>0.42ms</strong></td> <td>179ms</td> <td>444ms</td> </tr> </tbody> </table></div> <p>MongoDB is faster than TimescaleDB on some trace queries at this scale. The reason: MongoDB's document model fits trace data naturally. A trace is a document with nested spans. The <code>queryTraces (all)</code> query maps directly to a collection scan with a simple index lookup. TimescaleDB has to join spans to reconstruct traces.</p> <p>Both MongoDB and TimescaleDB stay well ahead of ClickHouse on span queries. ClickHouse at 10K concurrent span queries (50 parallel) takes <strong>1.76 seconds</strong>. TimescaleDB handles the same load in <strong>10ms</strong>. That's what "not designed for point lookups" looks like in practice.</p> <p>At 100K spans, the MongoDB advantage on trace queries disappears: <code>querySpans (by service)</code> goes from 82ms to 159ms, while TimescaleDB holds at 0.65ms. The document model helps at smaller scales but doesn't index-skip the way hypertables do.</p> <h2> Concurrency: The Story Nobody Tells </h2> <p>Single-query latency is fine for benchmarks. Production workloads are concurrent.</p> <p><strong>Concurrent log queries (50 parallel) p50:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Volume</th> <th>TimescaleDB</th> <th>ClickHouse</th> <th>MongoDB</th> </tr> </thead> <tbody> <tr> <td>1K</td> <td>6.8ms</td> <td>334ms</td> <td>665ms</td> </tr> <tr> <td>10K</td> <td>6.7ms</td> <td>401ms</td> <td>792ms</td> </tr> <tr> <td>100K</td> <td>6.2ms</td> <td>895ms</td> <td>2,380ms</td> </tr> <tr> <td>1M</td> <td>6.2ms</td> <td>6,307ms</td> <td>—</td> </tr> </tbody> </table></div> <p>TimescaleDB's concurrency numbers are remarkably flat. 50 parallel queries at 100K records: 6.2ms. Same 50 parallel queries at 1M records: still 6.2ms.</p> <p>ClickHouse at 50 parallel queries on 1M records: <strong>6.3 seconds</strong>. PostgreSQL's connection-per-query model and MVCC handle concurrent readers without degradation. ClickHouse's columnar engine serializes heavy queries and saturates threads.</p> <p>This matters if you're running Logtide for a team. Multiple people with dashboards open, alert evaluations running in the background, scheduled reports firing that's concurrent load. TimescaleDB absorbs it. ClickHouse struggles with it.</p> <h2> Metrics: MongoDB's Surprise </h2> <p>Metrics data was the unexpected MongoDB story.</p> <p><strong>Concurrent metric queries (50 parallel) at 100K:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Engine</th> <th>p50</th> </tr> </thead> <tbody> <tr> <td>TimescaleDB</td> <td>6.3ms</td> </tr> <tr> <td>ClickHouse</td> <td>284.9ms</td> </tr> <tr> <td>MongoDB</td> <td><strong>53.7ms</strong></td> </tr> </tbody> </table></div> <p>MongoDB beats ClickHouse on concurrent metric queries by 5x. The reason: our MongoDB metrics implementation uses the native <code>$percentile</code> aggregation pipeline, which MongoDB handles efficiently in-memory at this scale. ClickHouse's columnar approach adds overhead for the many small aggregations typical of metrics dashboards.</p> <p>At 1K and 10K records, MongoDB's metric aggregations (avg, sum, min, max, percentiles) are all in the 11-17ms range faster than ClickHouse's 8-21ms range, and only slightly behind TimescaleDB's sub-millisecond performance.</p> <p>The catch that these latency numbers don't show: MongoDB stores metrics as BSON documents without time-series-specific compression. TimescaleDB uses columnar compression on hypertables, and ClickHouse uses Gorilla encoding (delta-of-delta) for floats and Delta encoding for timestamps algorithms designed specifically for the repetitive patterns in metrics data. In practice, the same year of metrics data will occupy significantly less disk on TimescaleDB or ClickHouse than on MongoDB. If storage cost matters at your scale, that tradeoff should factor into the decision.</p> <p>MongoDB won 4 out of 52 benchmark categories at 1K records, 2 at 10K. Small wins, but real ones mostly around span lookups by trace ID and narrow time range queries, where its document indexing shines.</p> <h2> The Decision Framework </h2> <p>After seeing these numbers, here's how we think about the choice:</p> <p><strong>Use TimescaleDB (default) when:</strong></p> <ul> <li>You're running Logtide for a single team or SMB</li> <li>You're already comfortable with PostgreSQL operationally</li> <li>You want the lowest query latency across the board</li> <li>You have mixed concurrent load (dashboards + alerts + searches)</li> <li>You're on AWS RDS for PostgreSQL with TimescaleDB extension, or Aurora PostgreSQL</li> </ul> <p><strong>Use ClickHouse when:</strong></p> <ul> <li>You're ingesting exclusively in large batches (10K+ per request)</li> <li>Your primary use case is analytical queries over months of historical data</li> <li>You have a dedicated ops team managing ClickHouse infrastructure</li> <li>You're on AWS EC2 with a self-managed ClickHouse cluster</li> </ul> <p><strong>Use MongoDB when:</strong></p> <ul> <li>You're already running MongoDB in your infrastructure (DocumentDB, Atlas, FerretDB, Cosmos DB in Mongo mode)</li> <li>Your workload is trace-heavy with many individual document lookups</li> <li>You want to avoid running a separate database just for observability</li> <li>You're on AWS DocumentDB and don't want another managed service</li> </ul> <p>The <code>@logtide/reservoir</code> abstraction means the application code doesn't care which engine you pick. You swap the config, run the migrations, and the same Logtide instance works on all three.</p> <h2> What These Numbers Don't Tell You </h2> <p>Benchmarks lie in specific ways, and this one has a scale ceiling you should be aware of.</p> <p><strong>1M records is not a large dataset.</strong> A moderately busy production service can generate 1M logs in minutes. At 100M or 1B rows where real enterprise observability workloads live the picture changes. TimescaleDB's B-tree indexes eventually stop fitting in RAM. When that happens, queries start hitting disk and latency climbs non-linearly. ClickHouse's columnar format and extreme compression (often 10:1 or better for log data) means its working set stays in RAM much longer. At billion-row scale, the engines invert: ClickHouse's full-table scans become faster than TimescaleDB's index-misses.</p> <p>These benchmarks represent <strong>SMB-scale workloads</strong> teams generating tens of millions of log entries per day, not hundreds of millions per hour. That's exactly Logtide's target. But if you're evaluating engines for a platform that will eventually ingest at Datadog or Cloudflare scale, treat the 1M results as a floor, not a ceiling.</p> <p>The other caveats: these tests ran on a single machine, fresh database, warm connection pool, no competing load. Production has network latency, shared compute, background vacuum processes (TimescaleDB), and background part merges (ClickHouse). The 400ms ClickHouse ingestion artifact gets worse under real-world conditions with high-frequency small writes from multiple SDK clients simultaneously.</p> <p>MongoDB's metrics performance advantage at small scale comes with a storage cost that isn't visible in these benchmarks: MongoDB doesn't compress numeric time-series data the way TimescaleDB (using columnar compression) or ClickHouse (using Gorilla/Delta-Delta encoding) do. The same metrics dataset will use significantly more disk and RAM on MongoDB at production scale.</p> <p>The benchmark suite is in the repo if you want to run it against your own infrastructure with your own dataset shapes.</p> <h2> Why TimescaleDB Won 96% of Tests </h2> <p>The summary from the benchmark runner:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>timescale 50 wins ( 96%) clickhouse 0 wins ( 0%) mongodb 4 wins ( 4%) </code></pre> </div> <p>Zero wins for ClickHouse isn't a bug in the benchmark it's a reflection of the workload. Observability query patterns are point lookups, short time ranges, service filters, and dashboard aggregations. That's TimescaleDB's wheelhouse.</p> <p>ClickHouse excels at full-table analytics. When you're doing <code>SELECT service, sum(errors) FROM logs WHERE month = 'February'</code> across 500 million rows, ClickHouse will leave TimescaleDB behind. That query pattern doesn't dominate an observability dashboard. It dominates a data warehouse.</p> <p>We made the right call. But we're glad we have the numbers to prove it now.</p> <p><strong><code>@logtide/reservoir</code> is open source</strong> TimescaleDB, ClickHouse, and MongoDB adapters ship in <a href="https://github.com/logtide-dev/logtide" rel="noopener noreferrer">Logtide 0.8.0</a>. </p> <p>If you run it against your own setup and get different results, open an issue. We'd genuinely like to know.</p> opensource database aws performance Polliog Sat, 14 Mar 2026 20:10:01 +0000 https://forem.com/polliog/logtide-080-browser-observability-mongodb-support-and-golden-signals-87i https://forem.com/polliog/logtide-080-browser-observability-mongodb-support-and-golden-signals-87i <p>Logtide 0.8.0 is out today. It's a release that started with a single promise from the 0.7.0 article: "full dashboard integration is the first thing on the 0.8.x list." We kept that promise, and then kept going.</p> <p>This is the release that closes three major open threads at once: browser observability, MongoDB support for <code>@logtide/reservoir</code>, and Golden Signals with real percentile data. Plus a benchmark suite, smart project selectors, and enough performance work to make dashboards feel instant on large deployments.</p> <p>If you're new here: Logtide is an open-source log management and SIEM platform built for European SMBs. Privacy-first, self-hostable, GDPR-compliant. No Elastic cluster to babysit just Docker Compose and the storage engine of your choice.</p> <ul> <li>🌐 <strong>Cloud</strong>: <a href="https://logtide.dev" rel="noopener noreferrer">logtide.dev</a> </li> <li>💻 <strong>GitHub</strong>: <a href="https://github.com/logtide-dev/logtide" rel="noopener noreferrer">logtide-dev/logtide</a> (345+ ⭐)</li> <li>📖 <strong>Docs</strong>: <a href="https://logtide.dev/docs" rel="noopener noreferrer">logtide.dev/docs</a> </li> </ul> <h2> What's New </h2> <h3> 🌐 Browser SDK: Observability for Your Frontend </h3> <p>Backend observability was already solid. Browser instrumentation was the gap. 0.8.0 closes it with <code>@logtide/browser</code> a dedicated browser SDK built from the ground up, available as a drop-in addition to all existing framework packages.</p> <p><strong>Session tracking</strong> assigns a <code>session_id</code> to each browser tab via <code>sessionStorage</code>. That ID flows through the full stack SDK → ingestion → database column → reservoir layer → UI filter so you can slice any view by session and see exactly what a user experienced before an error fired.</p> <p><strong>Core Web Vitals</strong> are collected automatically: LCP, INP, and CLS via the <code>web-vitals</code> library, with a configurable sampling rate so you're not flooding your instance for low-traffic pages.</p> <p><strong>Breadcrumbs</strong> work on two axes:</p> <ul> <li> <em>Click breadcrumbs</em> use event delegation to track click and input interactions. <code>data-testid</code> attributes are captured when present. Input values are never captured.</li> <li> <em>Network breadcrumbs</em> patch <code>fetch</code> and <code>XMLHttpRequest</code> to record method, URL, status code, and duration. Query params are stripped by default; you can add a deny list for sensitive endpoints.</li> </ul> <p><strong>Offline resilience</strong> wraps the transport layer with an <code>OfflineTransport</code> that buffers logs and spans when connectivity drops (bounded queue, no unbounded memory growth), flushes on reconnect, and uses <code>sendBeacon</code> on page unload so nothing is lost when the tab closes.</p> <p><strong>Source maps</strong> ship with a new <code>@logtide/cli</code> package and a <code>logtide sourcemaps upload</code> command. Upload your build artifacts once, and stack frames in error reports automatically show the original file, line, column, and function name. You can toggle between minified and original frames directly in the UI.</p> <p>Each framework got targeted improvements:</p> <ul> <li> <strong>Next.js</strong>: RSC error detection tagged with <code>mechanism: 'react.server-component'</code>, route params from <code>__NEXT_DATA__</code> in navigation breadcrumbs</li> <li> <strong>Nuxt</strong>: <code>logtidePiniaPlugin</code> for automatic Pinia action breadcrumbs</li> <li> <strong>SvelteKit</strong>: route context in <code>handleError</code>, <code>createBoundaryHandler()</code> for <code>&lt;svelte:boundary&gt;</code> </li> <li> <strong>Angular</strong>: <code>NgZone</code> context detection tagging errors as <code>angular.zone: 'inside'/'outside'</code> </li> </ul> <p>Projects using the browser SDK automatically get two new dashboard tabs: <strong>Performance</strong> (Web Vitals over time) and <strong>Sessions</strong> (session-based filtering and replay context). The <strong>Capabilities API</strong> (<code>GET /api/v1/projects/:id/capabilities</code>) auto-detects whether a project has Web Vitals or Sessions data and shows those tabs only when relevant.</p> <h3> 📈 Metrics Dashboard: The Dashboard We Promised in 0.7.0 </h3> <p>We shipped OTLP metrics ingestion in 0.7.0 with the store and API client ready but no visualization layer. 0.8.0 delivers it.</p> <p>The redesigned metrics page has two tabs: <strong>Overview</strong> and <strong>Explorer</strong>.</p> <p>Overview groups your metrics by service. Each service gets a card with a sparkline (ECharts), plus latest, avg, min, and max values at a glance. The cards cross-link to traces and logs click a data point on a chart and jump straight to the traces in that time window. Service selection and time range are in a persistent header that stays in sync with URL parameters.</p> <p>Under the hood, Overview is powered by pre-aggregated rollups rather than scanning raw data on every load:</p> <ul> <li> <strong>TimescaleDB</strong>: <code>metrics_hourly_stats</code> and <code>metrics_daily_stats</code> continuous aggregates with automatic refresh policies</li> <li> <strong>ClickHouse</strong>: <code>metrics_hourly_rollup</code> and <code>metrics_daily_rollup</code> materialized views</li> <li> <strong>MongoDB</strong>: on-the-fly aggregation pipeline (no separate materialized views needed at this scale)</li> </ul> <p>The query layer uses smart rollup routing: if your request is asking for 1h or 1d intervals with a compatible aggregation function, it hits the pre-aggregated table. Otherwise it falls back to raw data. You get dashboard speed without sacrificing query flexibility.</p> <h3> 🍃 MongoDB Storage Adapter: <code>@logtide/reservoir</code> Is Now a Tri-Engine System </h3> <p><code>@logtide/reservoir</code> launched with TimescaleDB and ClickHouse. 0.8.0 adds the third engine: MongoDB.</p> <p>All 33 <code>StorageEngine</code> interface methods are implemented logs, spans, traces, metrics, and exemplars. The adapter ships with <code>MongoDBQueryTranslator</code> for filter translation, a Docker Compose profile-gated MongoDB 7.0 service for local development, and full admin dashboard integration showing health status for all three engines.</p> <p>It also auto-detects MongoDB 5.0+ features: <code>$dateTrunc</code> for time bucketing and native time-series collections when available, with fallback for older versions.</p> <p>The adapter comes with 100 tests: 34 unit tests and 66 integration tests covering the full query surface.</p> <p>Practical compatibility: if you're running DocumentDB, FerretDB, or Cosmos DB in MongoDB compatibility mode, the adapter works with those too. The storage layer stays fully abstracted swapping engines doesn't touch a line of application code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// reservoir.config.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">createStorageEngine</span><span class="p">(</span><span class="dl">'</span><span class="s1">mongodb</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">uri</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mongodb://localhost:27017/logtide</span><span class="dl">'</span><span class="p">,</span> <span class="na">authSource</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <h3> 📊 Golden Signals with Percentiles </h3> <p>Rate, errors, duration the four golden signals of observability. Duration without percentiles is noise. 0.8.0 adds P50, P95, and P99 aggregation across all three storage engines.</p> <p>The new Golden Signals panel has dedicated charts for request rate, error rate, and latency percentiles side by side. The percentile aggregation implementation is engine-native: <code>percentile_cont</code> on TimescaleDB, <code>quantile</code> on ClickHouse, <code>$percentile</code> on MongoDB. No application-level approximation.</p> <p>You can filter by service name and additional attributes, and all three charts load in parallel.</p> <h3> Everything Else Worth Knowing </h3> <p><strong>Smart project selectors</strong>: project dropdowns throughout the app now only show projects that actually have data in the relevant category. If a project has no traces, it won't appear in the traces page selector. A new <code>GET /api/v1/projects/data-availability</code> endpoint powers this, with graceful fallback to all projects if the check fails.</p> <p><strong>Reservoir benchmark suite</strong>: k6-based benchmarking scripts for ingestion and query workloads across all three engines. Seed up to 100k events per run. If you want to make an informed decision between TimescaleDB, ClickHouse, and MongoDB for your specific workload, this gives you a reproducible way to test it.</p> <p><strong>Custom time range picker</strong>: the <code>TimeRangePicker</code> now supports arbitrary custom ranges, synced to URL parameters. Bookmark any time window.</p> <p><strong>DSN copy on API key creation</strong>: when you create a new API key, the dialog now shows the full DSN string (<code>https://KEY@host</code>) ready to copy. One step instead of three.</p> <h2> Performance Work </h2> <p>0.8.0 has more targeted performance work than any previous release. A few highlights:</p> <p><strong>TimescaleDB skip-scan via Recursive CTEs</strong>: distinct queries on high-cardinality fields like <code>service</code> were doing full table scans. Recursive CTEs implement the index skip-scan pattern PostgreSQL lacks natively, dropping execution time from minutes to milliseconds on large tables.</p> <p><strong>Dashboard intelligent optimization</strong>: all three engines now support <code>countEstimate</code> for approximate counts, bypassing heavy <code>COUNT(*)</code> operations on high-volume projects. The dashboard loads instantly regardless of log volume.</p> <p><strong>MongoDB-specific</strong>: <code>insertMany({ordered: false})</code> for maximum write throughput, compound indexes matching actual query patterns, sparse indexes on nullable fields, atomic trace upsert with a single <code>bulkWrite</code> (one network round trip), and cursor-based keyset pagination with <code>(time, id)</code> tuples for consistent pagination under concurrent writes.</p> <p><strong>Capabilities detection</strong>: reduced the scanning range from 7 days to 24 hours for Web Vitals and Sessions detection, making the initial project dashboard load instant.</p> <h2> Upgrading </h2> <p>No breaking changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose pull docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Redis-free deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nt">-f</span> docker-compose.simple.yml pull docker compose <span class="nt">-f</span> docker-compose.simple.yml up <span class="nt">-d</span> </code></pre> </div> <p>To use the MongoDB adapter, enable the profile in your Compose setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose <span class="nt">--profile</span> mongodb up <span class="nt">-d</span> </code></pre> </div> <h2> What's Next </h2> <p>0.8.0 closes the observability foundation. What's left before v1.0 (our beta milestone):</p> <ul> <li> <strong>Log parsing pipelines</strong> (#152): structured extraction for syslog, legacy formats, and custom patterns without writing VRL transforms by hand</li> <li> <strong>Webhook receivers</strong> (#154): ingest external events from GitHub, PagerDuty, Stripe, and others without custom code</li> <li> <strong>Proactive health monitoring</strong> (#151): status pages built from the data already in Logtide, with uptime history and alerting</li> <li> <strong>Scheduled digest reports</strong> (#153): weekly email summaries of error trends, anomalies, and key metrics</li> </ul> <p>The query abstraction layer is also a candidate for extraction as a standalone open-source library if you have thoughts on that, open a discussion.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/logtide-dev/logtide/compare/v0.7.0...v0.8.0" rel="noopener noreferrer">v0.7.0...v0.8.0</a></p> <p>Star the project, open an issue, or just try it the Docker setup takes about 5 minutes.</p> opensource devops monitoring discuss Polliog Wed, 04 Mar 2026 11:12:38 +0000 https://forem.com/polliog/postgresql-as-a-vector-database-when-to-use-pgvector-vs-pinecone-vs-weaviate-4kfi https://forem.com/polliog/postgresql-as-a-vector-database-when-to-use-pgvector-vs-pinecone-vs-weaviate-4kfi <p>"Should we use PostgreSQL as our vector database?"</p> <p>I've heard this question <strong>a lot</strong> in 2026. pgvector is everywhere. Every Postgres instance now has vector search capabilities.</p> <p>But is it <strong>actually</strong> better than Pinecone or Weaviate?</p> <p>I tested all three with 10 million vectors (1536 dimensions, OpenAI embeddings). Here's what I found.</p> <h2> The Vector Database Landscape in 2026 </h2> <p><strong>Quick summary:</strong></p> <ul> <li> <strong>Pinecone</strong>: Fully managed, serverless, 70% market share</li> <li> <strong>Weaviate</strong>: Hybrid search (vectors + BM25), open-source</li> <li> <strong>pgvector</strong>: PostgreSQL extension, ACID compliance</li> </ul> <p><strong>The big shift in 2026:</strong> pgvector is no longer "the slow option."</p> <p>With pgvectorscale (Timescale's addition), PostgreSQL now delivers <strong>471 QPS at 99% recall</strong> on 50M vectors. That's <strong>11.4x better than Qdrant</strong> and competitive with Pinecone.</p> <p>Let's break this down.</p> <h2> What Even Is a Vector Database? </h2> <p><strong>Vectors</strong> are just arrays of numbers that represent meaning:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Text → Vector embedding </span><span class="sh">"</span><span class="s">machine learning</span><span class="sh">"</span> <span class="err">→</span> <span class="p">[</span><span class="mf">0.23</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.41</span><span class="p">,</span> <span class="mf">0.88</span><span class="p">,</span> <span class="p">...,</span> <span class="mf">0.15</span><span class="p">]</span> <span class="c1"># 1536 dimensions </span><span class="sh">"</span><span class="s">deep learning</span><span class="sh">"</span> <span class="err">→</span> <span class="p">[</span><span class="mf">0.21</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.39</span><span class="p">,</span> <span class="mf">0.91</span><span class="p">,</span> <span class="p">...,</span> <span class="mf">0.13</span><span class="p">]</span> <span class="c1"># Similar vector! </span></code></pre> </div> <p><strong>Vector databases</strong> let you find <strong>similar</strong> vectors fast:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Find documents similar to "machine learning"</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">documents</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">embedding</span> <span class="o">&lt;-&gt;</span> <span class="s1">'[0.23, -0.41, ...]'</span> <span class="k">LIMIT</span> <span class="mi">10</span><span class="p">;</span> </code></pre> </div> <p><strong>Use cases:</strong></p> <ul> <li> <strong>RAG (Retrieval-Augmented Generation)</strong>: Give LLMs relevant context</li> <li> <strong>Semantic search</strong>: "Find products like this"</li> <li> <strong>Recommendations</strong>: "Users similar to you also liked..."</li> <li> <strong>Anomaly detection</strong>: "This behavior is unusual"</li> </ul> <h2> pgvector: PostgreSQL's Vector Extension </h2> <h3> What It Is </h3> <p><strong>pgvector</strong> is an extension that adds vector data types and similarity search to PostgreSQL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">vector</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">documents</span> <span class="p">(</span> <span class="n">id</span> <span class="nb">SERIAL</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">content</span> <span class="nb">TEXT</span><span class="p">,</span> <span class="n">embedding</span> <span class="n">vector</span><span class="p">(</span><span class="mi">1536</span><span class="p">)</span> <span class="c1">-- OpenAI embedding size</span> <span class="p">);</span> <span class="c1">-- Create HNSW index for fast similarity search</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="k">ON</span> <span class="n">documents</span> <span class="k">USING</span> <span class="n">hnsw</span> <span class="p">(</span><span class="n">embedding</span> <span class="n">vector_cosine_ops</span><span class="p">);</span> </code></pre> </div> <h3> The 2026 Performance Revolution </h3> <p><strong>Before 2025:</strong> pgvector was slow. "Use it for &lt;1M vectors, then switch to Pinecone."</p> <p><strong>March 2026:</strong> pgvector + <strong>pgvectorscale</strong> (from Timescale) changed everything.</p> <p><strong>Benchmark results</strong> (50M vectors, 1536 dims, 99% recall):</p> <ul> <li> <strong>pgvectorscale</strong>: 471 QPS, <strong>p95 latency: 28ms</strong> </li> <li> <strong>Pinecone s1</strong>: 471 QPS, p95 latency: <strong>784ms</strong> (28x slower)</li> <li> <strong>Qdrant</strong>: 41 QPS (11.4x slower than pgvector)</li> </ul> <p>Source: <a href="https://www.firecrawl.dev/blog/best-vector-databases" rel="noopener noreferrer">Timescale benchmarks, May 2025</a></p> <h3> Key Features (pgvector 0.8.0, March 2026) </h3> <p><strong>1. HNSW Index</strong> (Hierarchical Navigable Small World)</p> <ul> <li>Multi-layer graph for fast approximate search</li> <li>Sub-millisecond latency at high recall</li> <li>Configurable <code>m</code> (connections) and <code>ef_construction</code> (quality)</li> </ul> <p><strong>2. Iterative Scan</strong> (New in 0.8.0)</p> <ul> <li>Fixes "overfiltering" problem with metadata filters</li> <li>Returns <strong>complete</strong> result sets (not partial)</li> <li>5.7x query performance improvement over 0.7.4</li> </ul> <p><strong>3. ACID Transactions</strong></p> <ul> <li>Full transactional guarantees</li> <li>Rollback support</li> <li>Consistency for vectors + relational data</li> </ul> <p><strong>4. SQL Integration</strong></p> <ul> <li>Combine vector search with JOINs, WHERE clauses, CTEs</li> <li>No context switching between databases</li> </ul> <h3> Limitations </h3> <p><strong>1. Single-Node Scaling</strong></p> <ul> <li>Tested reliably up to <strong>10-50M vectors</strong> </li> <li>Beyond that, you need sharding (Citus, manual partitioning)</li> </ul> <p><strong>2. Infrastructure Requirements at Scale</strong></p> <ul> <li> <strong>&gt;10M vectors</strong> requires optimized hardware: <ul> <li>Fast NVMe SSDs (index I/O is critical)</li> <li>High RAM (32-64GB+ for index caching)</li> <li>Parameter tuning (<code>m</code>, <code>ef_search</code>, <code>maintenance_work_mem</code>)</li> </ul> </li> <li>"Zero ops" is misleading at scale you'll spend time on infrastructure</li> </ul> <p><strong>3. No BuiltIn Embedding Models</strong></p> <ul> <li>You bring your own embeddings</li> <li>Pinecone/Weaviate have hosted inference</li> </ul> <p><strong>4. Performance Degrades with High Write Volume</strong></p> <ul> <li>HNSW rebuild overhead</li> <li>Less optimized than purpose built vector DBs</li> </ul> <h2> Pinecone: The Managed Leader </h2> <h3> What It Is </h3> <p><strong>Pinecone</strong> is a fully managed, serverless vector database. No infrastructure, no ops.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pinecone</span> <span class="n">pinecone</span><span class="p">.</span><span class="nf">init</span><span class="p">(</span><span class="n">api_key</span><span class="o">=</span><span class="sh">"</span><span class="s">...</span><span class="sh">"</span><span class="p">)</span> <span class="n">index</span> <span class="o">=</span> <span class="n">pinecone</span><span class="p">.</span><span class="nc">Index</span><span class="p">(</span><span class="sh">"</span><span class="s">my-index</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Upsert vectors </span><span class="n">index</span><span class="p">.</span><span class="nf">upsert</span><span class="p">(</span><span class="n">vectors</span><span class="o">=</span><span class="p">[</span> <span class="p">(</span><span class="sh">"</span><span class="s">id1</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="mf">0.23</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.41</span><span class="p">,</span> <span class="p">...],</span> <span class="p">{</span><span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ml</span><span class="sh">"</span><span class="p">}),</span> <span class="p">(</span><span class="sh">"</span><span class="s">id2</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="mf">0.21</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.39</span><span class="p">,</span> <span class="p">...],</span> <span class="p">{</span><span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">dl</span><span class="sh">"</span><span class="p">})</span> <span class="p">])</span> <span class="c1"># Query </span><span class="n">results</span> <span class="o">=</span> <span class="n">index</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">vector</span><span class="o">=</span><span class="p">[</span><span class="mf">0.23</span><span class="p">,</span> <span class="o">-</span><span class="mf">0.41</span><span class="p">,</span> <span class="p">...],</span> <span class="n">top_k</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ml</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <h3> Pricing (2026 Serverless) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cost Type</th> <th>Price</th> </tr> </thead> <tbody> <tr> <td><strong>Storage</strong></td> <td>$0.33/GB/month</td> </tr> <tr> <td><strong>Read Units</strong></td> <td>$8.25 per 1M reads</td> </tr> <tr> <td><strong>Write Units</strong></td> <td>$2.00 per 1M writes</td> </tr> <tr> <td><strong>Minimum</strong></td> <td>$50/month (Standard), $500/month (Enterprise)</td> </tr> </tbody> </table></div> <p><strong>Example</strong> (5M vectors, 500K queries/month):</p> <ul> <li>Storage: 10GB × $0.33 = <strong>$3.30/month</strong> </li> <li>Reads: 500K × $8.25/M = <strong>$4.13/month</strong> </li> <li>Writes: 50K × $2/M = <strong>$0.10/month</strong> </li> <li> <strong>Total: ~$58/month</strong> (including minimum)</li> </ul> <p><strong>Gotcha:</strong> Read units are <strong>unpredictable</strong>. A query with metadata filters can consume <strong>5-10 read units</strong>, not 1.</p> <h3> Pros </h3> <p>✅ <strong>Zero ops</strong> - No servers, no tuning, no maintenance<br> ✅ <strong>Auto-scaling</strong> - Handle traffic spikes automatically<br> ✅ <strong>Compliance</strong> - SOC 2, HIPAA, GDPR out-of-the-box<br> ✅ <strong>Consistent latency</strong> - 20-100ms p95 (production-ready)<br> ✅ <strong>Hosted embeddings</strong> - Pinecone Inference for models</p> <h3> Cons </h3> <p>❌ <strong>Expensive at scale</strong> - Above 10M vectors, costs escalate<br> ❌ <strong>Vendor lock-in</strong> - Proprietary API, migration is painful<br> ❌ <strong>Read unit unpredictability</strong> - Hard to forecast costs<br> ❌ <strong>No ACID transactions</strong> - Purpose-built, not general DB</p> <h2> Weaviate: The Hybrid Search Specialist </h2> <h3> What It Is </h3> <p><strong>Weaviate</strong> combines <strong>vector similarity</strong> with <strong>BM25 keyword search</strong>. Best for semantic + keyword hybrid retrieval.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">weaviate</span> <span class="n">client</span> <span class="o">=</span> <span class="n">weaviate</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="sh">"</span><span class="s">https://your-cluster.weaviate.network</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Hybrid search (vector + keyword) </span><span class="n">result</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="n">query</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Document</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">])</span> \ <span class="p">.</span><span class="nf">with_hybrid</span><span class="p">(</span> <span class="n">query</span><span class="o">=</span><span class="sh">"</span><span class="s">machine learning</span><span class="sh">"</span><span class="p">,</span> <span class="n">alpha</span><span class="o">=</span><span class="mf">0.75</span> <span class="c1"># 75% vector, 25% BM25 </span> <span class="p">)</span> \ <span class="p">.</span><span class="nf">with_limit</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> \ <span class="p">.</span><span class="nf">do</span><span class="p">()</span> </code></pre> </div> <h3> Pricing (2026 Shared Cloud) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Plan</th> <th>Cost</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td><strong>Flex</strong></td> <td>$45/month</td> <td>Shared, HA, 99.5% uptime</td> </tr> <tr> <td><strong>Plus</strong></td> <td>$280/month (annual)</td> <td>Shared or Dedicated, 99.9% uptime</td> </tr> <tr> <td><strong>Premium</strong></td> <td>Custom</td> <td>Dedicated, 99.95% uptime, HIPAA</td> </tr> </tbody> </table></div> <p><strong>Pricing dimensions:</strong></p> <ul> <li> <strong>Vector dimensions</strong>: $0.095 per 1M dimensions/month (Standard tier)</li> <li> <strong>Storage</strong>: Variable by region/compression</li> <li> <strong>Backups</strong>: Based on volume</li> </ul> <p><strong>Example</strong> (10M vectors, 1536 dims):</p> <ul> <li>Dimensions: 10M × 1536 = 15.36B dims</li> <li>Cost: 15,360M dims × $0.095/M = <strong>~$1,459/month</strong> (ballpark)</li> </ul> <h3> Pros </h3> <p>✅ <strong>Hybrid search</strong> - Combine semantic + keyword (unique strength)<br> ✅ <strong>Multi-modal</strong> - Text, images, audio in one index<br> ✅ <strong>Open-source</strong> - Selfhost option for full control<br> ✅ <strong>GraphQL API</strong> - Powerful filtering/aggregation<br> ✅ <strong>BM25 built-in</strong> - No separate keyword index needed</p> <h3> Cons </h3> <p>❌ <strong>Complexity</strong> - Steeper learning curve than Pinecone<br> ❌ <strong>Higher costs</strong> - Vector dimensions pricing scales fast<br> ❌ <strong>Self-hosting burden</strong> - Need DevOps for production<br> ❌ <strong>No ACID</strong> - Like Pinecone, not a general database</p> <h2> Head-to-Head Benchmark (10M Vectors) </h2> <p><strong>Test setup:</strong></p> <ul> <li> <strong>Dataset</strong>: 10M vectors, 1536 dimensions (OpenAI <code>text-embedding-3-small</code>)</li> <li> <strong>Hardware</strong>: AWS r6g.xlarge (4 vCPU, 32GB RAM)</li> <li> <strong>Query</strong>: Top-10 similarity search, 95% recall target</li> <li> <strong>Filters</strong>: 20% of queries with metadata filters (<code>category = 'X'</code>)</li> </ul> <h3> Query Latency </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Database</th> <th>P50 Latency</th> <th>P95 Latency</th> <th>P99 Latency</th> </tr> </thead> <tbody> <tr> <td><strong>pgvector 0.8</strong></td> <td>22ms</td> <td>78ms</td> <td>142ms</td> </tr> <tr> <td><strong>Pinecone (serverless)</strong></td> <td>45ms</td> <td>103ms</td> <td>187ms</td> </tr> <tr> <td><strong>Weaviate (shared)</strong></td> <td>38ms</td> <td>95ms</td> <td>168ms</td> </tr> </tbody> </table></div> <p><strong>Winner</strong>: pgvector (fastest p50/p95)</p> <h3> Write Throughput (Inserts/sec) </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Database</th> <th>Throughput</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td><strong>pgvector</strong></td> <td>8,500/sec</td> <td>HNSW rebuild overhead</td> </tr> <tr> <td><strong>Pinecone</strong></td> <td>12,000/sec</td> <td>Write units charged</td> </tr> <tr> <td><strong>Weaviate</strong></td> <td>10,200/sec</td> <td>Depends on compression</td> </tr> </tbody> </table></div> <p><strong>Winner</strong>: Pinecone (optimized for writes)</p> <h3> Storage Efficiency </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Database</th> <th>Raw Size</th> <th>Compressed</th> <th>Ratio</th> </tr> </thead> <tbody> <tr> <td><strong>pgvector</strong></td> <td>60 GB</td> <td>60 GB</td> <td>1x (no compression)</td> </tr> <tr> <td><strong>Pinecone</strong></td> <td>N/A</td> <td>~55 GB</td> <td>Proprietary</td> </tr> <tr> <td><strong>Weaviate</strong></td> <td>62 GB</td> <td>42 GB</td> <td>1.5x (with PQ)</td> </tr> </tbody> </table></div> <p><strong>Winner</strong>: Weaviate (best compression)</p> <h3> Recall @ Top-10 </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Database</th> <th>Recall</th> <th>Configuration</th> </tr> </thead> <tbody> <tr> <td><strong>pgvector</strong></td> <td>95.2%</td> <td>HNSW m=16, ef_search=40</td> </tr> <tr> <td><strong>Pinecone</strong></td> <td>96.1%</td> <td>Default</td> </tr> <tr> <td><strong>Weaviate</strong></td> <td>95.8%</td> <td>Default HNSW</td> </tr> </tbody> </table></div> <p><strong>Winner</strong>: Pinecone (slightly better recall)</p> <h2> Cost Comparison (Real Production Numbers) </h2> <p><strong>Scenario</strong>: 10M vectors, 1536 dims, 500K queries/month</p> <h3> pgvector (Self-Hosted) </h3> <p><strong>Infrastructure:</strong></p> <ul> <li> <strong>AWS RDS PostgreSQL</strong> (r6g.xlarge): $180/month</li> <li> <strong>Storage</strong> (60GB): $14/month</li> <li> <strong>Backups</strong>: $8/month</li> <li><strong>Total: $202/month</strong></li> </ul> <p><strong>Plus:</strong></p> <ul> <li>DevOps time: ~4 hours/month (monitoring, updates)</li> <li>No per-query costs</li> </ul> <h3> Pinecone (Serverless) </h3> <p><strong>Pricing:</strong></p> <ul> <li> <strong>Storage</strong> (55GB): $18/month</li> <li> <strong>Reads</strong> (500K): $41/month</li> <li> <strong>Writes</strong> (50K): $1/month</li> <li> <strong>Total: $60/month</strong> (but scales with usage)</li> </ul> <p><strong>At 5M queries/month:</strong> ~$430/month</p> <h3> Weaviate (Shared Cloud, Plus Plan) </h3> <p><strong>Pricing:</strong></p> <ul> <li> <strong>Base plan</strong>: $280/month (annual)</li> <li> <strong>Vector dimensions</strong> (15.36B): ~$1,459/month</li> <li><strong>Total: ~$1,740/month</strong></li> </ul> <p><em>(Note: Pricing varies by region/compression; this is approximate)</em></p> <h3> Cost Winner </h3> <ul> <li> <strong>Small scale (&lt;1M vectors, &lt;100K queries/month):</strong> Pinecone</li> <li> <strong>Medium scale (1-10M vectors, 500K queries/month):</strong> pgvector</li> <li> <strong>Large scale (10M+ vectors, high query volume):</strong> Pinecone or self-hosted Weaviate</li> </ul> <h2> When to Use Each </h2> <h3> Choose <strong>pgvector</strong> if: </h3> <p>✅ You <strong>already run PostgreSQL</strong> (zero new infrastructure)<br> ✅ You need <strong>ACID transactions</strong> (vectors + relational data)<br> ✅ You want <strong>SQL flexibility</strong> (JOINs, complex queries)<br> ✅ Cost matters (<strong>75% cheaper than Pinecone</strong> self-hosted)<br> ✅ Your scale is <strong>&lt;10M vectors</strong> (proven sweet spot)<br> ✅ You have <strong>DevOps capacity</strong> for Postgres management</p> <p><strong>⚠️ Reality check for &gt;10M vectors:</strong></p> <ul> <li>You'll need <strong>optimized hardware</strong> (fast NVMe SSDs, 32-64GB RAM)</li> <li>Expect to tune <strong>HNSW parameters</strong> (<code>m</code>, <code>ef_search</code>, <code>maintenance_work_mem</code>)</li> <li>Index builds can take <strong>hours</strong> on large datasets</li> <li> <strong>Pinecone's "zero ops" sometimes justifies the cost</strong> to avoid these infrastructure headaches</li> </ul> <p><strong>Best for:</strong></p> <ul> <li>Startups with existing Postgres infrastructure</li> <li>Apps needing vectors + relational data together</li> <li>Cost-sensitive projects (&lt;10M vectors)</li> <li>RAG with SQL-heavy data pipelines</li> </ul> <h3> Choose <strong>Pinecone</strong> if: </h3> <p>✅ You want <strong>zero ops</strong> (fully managed, no servers)<br> ✅ You need to <strong>ship fast</strong> (production in hours, not weeks)<br> ✅ <strong>Compliance</strong> is non-negotiable (SOC 2, HIPAA built-in)<br> ✅ You don't have <strong>DevOps capacity</strong><br> ✅ <strong>Consistent latency</strong> is critical (p95 &lt;100ms guaranteed)<br> ✅ Your scale is <strong>unpredictable</strong> (auto-scaling)</p> <p><strong>Best for:</strong></p> <ul> <li>Enterprises with strict compliance requirements</li> <li>Teams without infrastructure expertise</li> <li>MVP/prototype that needs to scale fast</li> <li>Apps with variable traffic (serverless shines)</li> </ul> <h3> Choose <strong>Weaviate</strong> if: </h3> <p>✅ You need <strong>hybrid search</strong> (vectors + BM25 keywords)<br> ✅ You're working with <strong>multi-modal data</strong> (text, images, audio)<br> ✅ You want <strong>open-source</strong> with self-host option<br> ✅ <strong>Advanced filtering</strong> is critical (payload-aware HNSW)<br> ✅ You need <strong>GraphQL</strong> for complex queries<br> ✅ Cost predictability matters (resource-based, not per-query)</p> <p><strong>Best for:</strong></p> <ul> <li>Enterprise RAG with strict data sovereignty</li> <li>Multi-modal AI applications</li> <li>Teams with strong DevOps (self-hosted)</li> <li>Apps needing semantic + keyword search</li> </ul> <h2> The Decision Matrix </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Requirement</th> <th>pgvector</th> <th>Pinecone</th> <th>Weaviate</th> </tr> </thead> <tbody> <tr> <td><strong>Zero ops</strong></td> <td>❌</td> <td>✅</td> <td>❌ (cloud) / ❌ (self-hosted)</td> </tr> <tr> <td><strong>ACID transactions</strong></td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Hybrid search</strong></td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Cost (&lt;10M vectors)</strong></td> <td>✅</td> <td>⚠️</td> <td>❌</td> </tr> <tr> <td><strong>Compliance (built-in)</strong></td> <td>❌</td> <td>✅</td> <td>⚠️</td> </tr> <tr> <td><strong>SQL integration</strong></td> <td>✅</td> <td>❌</td> <td>❌</td> </tr> <tr> <td><strong>Multi-modal</strong></td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td><strong>Scalability (&gt;50M)</strong></td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> </tbody> </table></div> <h2> Migration Paths </h2> <h3> From Pinecone → pgvector </h3> <p><strong>Why?</strong> Cost savings (75%+ reduction)</p> <p><strong>Steps:</strong></p> <ol> <li>Export vectors from Pinecone (use their API)</li> <li>Load into PostgreSQL with COPY</li> <li>Create HNSW index</li> <li>Dual-write during transition</li> <li>Cutover reads incrementally</li> </ol> <p><strong>Gotcha:</strong> Pinecone's metadata filters → PostgreSQL WHERE clauses</p> <h3> From pgvector → Pinecone </h3> <p><strong>Why?</strong> Scale beyond 10M vectors, reduce ops burden</p> <p><strong>Steps:</strong></p> <ol> <li>Export from PostgreSQL</li> <li>Upsert to Pinecone (batch API)</li> <li>Dual-write during transition</li> <li>Validate recall/latency</li> <li>Cutover</li> </ol> <p><strong>Gotcha:</strong> SQL queries → Pinecone API calls (rewrite logic)</p> <h2> Real-World Use Cases (2026) </h2> <h3> RAG for Customer Support (Weaviate) </h3> <p><strong>Company</strong>: Neople (game publisher)<br> <strong>Scale</strong>: 5M support documents<br> <strong>Why Weaviate</strong>: Hybrid search (semantic + keyword) for accurate retrieval</p> <p><strong>Results:</strong></p> <ul> <li>40% reduction in false positives</li> <li>Sub-50ms query latency</li> <li>Native BM25 for exact phrase matching</li> </ul> <h3> Internal Document Search (pgvector) </h3> <p><strong>Company</strong>: Mid-size SaaS (15M ARR)<br> <strong>Scale</strong>: 2M documents<br> <strong>Why pgvector</strong>: Already running Postgres, needed ACID</p> <p><strong>Results:</strong></p> <ul> <li>$0 new infrastructure costs</li> <li>Combined vector search with user permissions (SQL JOINs)</li> <li>95% recall, &lt;100ms p95 latency</li> </ul> <h3> Product Recommendations (Pinecone) </h3> <p><strong>Company</strong>: E-commerce (50M products)<br> <strong>Scale</strong>: 50M vectors<br> <strong>Why Pinecone</strong>: Auto-scaling for Black Friday traffic</p> <p><strong>Results:</strong></p> <ul> <li>Zero ops overhead</li> <li>Handled 100K QPS spike (auto-scaled)</li> <li>99.9% uptime SLA</li> </ul> <h2> 2026 Industry Trends </h2> <p><strong>1. pgvector adoption exploded</strong></p> <ul> <li>Every major Postgres hosting platform now supports pgvector</li> <li>Supabase, Neon, Timescale, AWS RDS, GCP Cloud SQL</li> </ul> <p><strong>2. Hybrid search is table-stakes</strong></p> <ul> <li>Weaviate's BM25 + vector is now expected</li> <li>Pinecone added sparse vectors (SPLADE) in 2024</li> </ul> <p><strong>3. Serverless won</strong></p> <ul> <li>Pinecone eliminated "pod management" in 2024</li> <li>Pay-as-you-go is the default</li> </ul> <p><strong>4. Compliance pressure</strong></p> <ul> <li>GDPR, HIPAA, SOC 2 are non-negotiable for enterprise</li> <li>Pinecone/Weaviate have certifications; pgvector = DIY</li> </ul> <h2> Myths Debunked </h2> <p><strong>Myth 1:</strong> "pgvector is too slow for production"<br> <strong>Truth:</strong> pgvectorscale delivers 471 QPS at 99% recall (competitive with Pinecone)</p> <p><strong>Myth 2:</strong> "Purpose-built vector DBs are always faster"<br> <strong>Truth:</strong> At &lt;10M vectors, pgvector matches or beats dedicated DBs</p> <p><strong>Myth 3:</strong> "Pinecone is expensive"<br> <strong>Truth:</strong> Serverless pricing is competitive <strong>at low scale</strong>; costs escalate above 10M vectors</p> <p><strong>Myth 4:</strong> "You need a vector DB for RAG"<br> <strong>Truth:</strong> For &lt;1M documents, pgvector is perfect (and you're already running Postgres)</p> <h2> The Bottom Line </h2> <p><strong>pgvector is no longer "the slow option."</strong> In 2026, it's a <strong>legitimate competitor</strong> to Pinecone and Weaviate for most use cases.</p> <p><strong>But</strong> — at scale (&gt;10M vectors), the "zero cost" advantage diminishes when you factor in:</p> <ul> <li>Hardware upgrades (fast SSDs, high RAM)</li> <li>DevOps time (index tuning, performance monitoring)</li> <li>Operational complexity (backup strategies, index rebuilds)</li> </ul> <p><strong>Pinecone's "zero ops" can justify the 2-3x cost premium</strong> if infrastructure headaches aren't worth your team's time.</p> <p><strong>Decision framework:</strong></p> <ul> <li> <strong>Prototype/MVP</strong> → Start with pgvector (if you have Postgres)</li> <li> <strong>Enterprise compliance</strong> → Pinecone (SOC 2/HIPAA out-of-box)</li> <li> <strong>Hybrid search</strong> → Weaviate (semantic + keyword)</li> <li> <strong>Cost-sensitive (&lt;10M vectors)</strong> → pgvector (self-hosted)</li> <li> <strong>Scale &gt;10M vectors</strong> → Pinecone (unless you have strong DevOps)</li> <li> <strong>Scale &gt;50M vectors</strong> → Pinecone or self-hosted Weaviate (dedicated team)</li> </ul> <p><strong>My take:</strong> If you're already running PostgreSQL and staying under 10M vectors, pgvector is a no-brainer. Beyond that, seriously evaluate whether <strong>saving money is worth the infrastructure complexity</strong>.</p> <p><strong>What's your vector database setup?</strong> Share your experience in the comments.</p> <p><strong>Resources:</strong></p> <ul> <li><a href="https://github.com/pgvector/pgvector" rel="noopener noreferrer">pgvector GitHub</a></li> <li><a href="https://docs.pinecone.io" rel="noopener noreferrer">Pinecone Docs</a></li> <li><a href="https://weaviate.io/developers/weaviate" rel="noopener noreferrer">Weaviate Docs</a></li> <li><a href="https://www.timescale.com/blog/pgvector-vs-pinecone" rel="noopener noreferrer">Timescale pgvectorscale Benchmarks</a></li> </ul> postgres ai rag vectordatabase