Forem: Meir Gabay

AI Code Generation, Smarter and More Cost-Efficient with Context Engineering

Meir Gabay — Mon, 21 Jul 2025 07:18:45 +0000

We've all hit that wall: endless tweaks to prompts, fixing AI-generated bugs, and wondering why such powerful tech feels so hit-or-miss. It often feels like working with a brilliant but forgetful junior developer who hasn't been onboarded to your project.

The problem isn't the model's power; it's the context we give it. Or rather, the context we don't give it.

This post is for you if you've ever been frustrated by an AI assistant that just doesn't "get" your project. We'll explore how a well-crafted DETAILS.md can save you time, reduce costs, and dramatically improve the quality of your AI-generated code.

Research shows models hallucinate packages; The average percentage of hallucinated packages is at least 5.2% for commercial models and 21.7% for open-source models.

The High Cost of Runtime Research

When an AI assistant lacks a high-level overview of your project, it's forced to build one on the fly. It skims through your files, trying to piece together the architecture, dependencies, and coding conventions. This "runtime research" is not only slow, but it's also incredibly expensive. Every file it reads, every line it analyzes, adds to the token count of your API call. This translates directly to higher costs.

More importantly, the results are often suboptimal. The AI might generate code that works in isolation but clashes with your existing patterns, ignores crucial utility functions, or re-invents a wheel you already have spinning smoothly in another module. It's a frustrating cycle of generating, correcting, and re-generating that kills productivity.

Your Solution: The `DETAILS.md` File

A DETAILS.md file acts as a concise, high-level "cheat sheet" for your AI assistant. It's not meant to replace your full documentation, but to provide an essential, distilled overview of the project. Think of it as the onboarding document you'd give a new human developer.

A great DETAILS.md file typically includes:

Project Overview: What does the project do? What problem does it solve? Who are the target users?
Architecture: A high-level description of the project's structure (e.g., microservices, monolithic, MVC). A link to an architecture diagram is a huge plus.
Key Components: A list of the most important files, directories, modules, or classes and their purpose. This helps the AI know where to look for relevant code.
Coding Conventions & Stack: The programming languages and versions (Python 3.11), frameworks (Express v4), and any specific patterns, libraries, or style guides (PEP 8) to follow.
"How-To" Guides: Simple instructions for common tasks like running tests, setting up the local environment, or interacting with the database.

By providing this information upfront, you stop treating your AI like a black box and start treating it like a team member. It no longer needs to guess or reverse-engineer your project's context.

🤔 Why This Matters

Adopting this practice isn't just a theoretical exercise. It delivers massive, measurable improvements in efficiency, cost, and reliability.

Metric	Without a `DETAILS.md` File	With a `DETAILS.md` File
Code Quality & Accuracy	Frequent hallucinations & bugs	Noticeably lower complexity, fewer code-smell warnings, and a steep drop in after-merge defects
Cost & Token Consumption	High token use, lots of retries	Prompts stay short; fewer tokens are sent to the API, cutting spend dramatically
Development Time & Velocity	Endless cycles of prompt-fix-repeat	Teams finish tasks faster and junior devs ramp up in days instead of weeks
Project-Specific Adherence	Ignores your patterns & standards	Suggestions follow your own architecture and style guidelines

Automating Your Context: Human-Focused vs. Agent-Focused Tools

Manually creating and maintaining a DETAILS.md file is a great start, but it can become a chore. This is where automated tools come in, but it's crucial to distinguish between tools designed for humans and tools designed for AI agents.

A great example of a human-oriented tool is Devin's DeepWiki. It excels at indexing a repository to produce a searchable, human-readable wiki with architecture diagrams and documentation. It's fantastic for helping a human developer get up to speed on an unfamiliar codebase.

However, when you need to provide context to an AI agent to perform a specific task, you need a different approach. This is where agent-oriented tools shine.

For instance, some tools are now being built specifically for this purpose. A good friend of mine developed one called Detailer that connects to a GitHub repository and automatically generates a DETAILS.md file tailored for AI agents. It's a neat approach that creates a standardized starting point that can be used across different platforms.

One Context to Rule Them All: Symlinking for Different Agents

Instead of maintaining separate CLAUDE.md - for Claude Code, GEMINI.md - for Gemini CLI, or AGENTS.md - for OpenAI Codex files, you can use a tool like Detailer to generate a single, canonical DETAILS.md. You can then use symbolic links to point different agent configurations to this one source of truth.

For example, you can set up your project like this:

# Symlink it for various AI coding tools
ln -s DETAILS.md CLAUDE.md      # For Claude Code
ln -s DETAILS.md GEMINI.md      # For Gemini CLI
ln -s DETAILS.md AGENTS.md      # For OpenAI Codex

If you're using an IDE like Cursor or Windsurf, you can add a rule to use the DETAILS.md file as the context for the agent.

ALWAYS read @DETAILS.md before taking any action to get context.

This elegant approach ensures that every agent-be it OpenAI Codex, Gemini CLI, Claude, or an IDE like Cursor-gets the same, up-to-date context without any duplication of effort. It's the ultimate "write once, inform everywhere" strategy for context engineering.

The Biggest Pitfall: LLMs Don't Read Like You (Understanding Context Rot)

Here’s a critical insight from AI research that explains why a focused DETAILS.md is so important: LLMs don't read like humans do.

We assume that if we paste a bunch of files into the prompt, the model will read and understand all of it equally. But that's not what happens. Multiple studies have confirmed that models pay the most attention to the very beginning and very end of the context window. Information stuck in the middle has a much higher chance of being ignored or forgotten-a phenomenon explained by the "lost-in-the-middle" problem. The research demonstrates that LLMs have a strong "U-shaped" attention bias, paying the most attention to the start and end of the context window, regardless of where the most relevant information is.

This phenomenon is known as "Context Rot." The longer and more unfocused your context is, the more likely the AI is to get lost. A huge, million-token context window is useless if it's mostly filled with irrelevant "noise" that drowns out the "signal." This is why a concise DETAILS.md is often more effective than naively dumping your entire codebase into a prompt. The goal isn't to provide more information, but more relevant information, placed strategically where the model will see it.

The Takeaway: Context is Everything

If you're frustrated with your AI coding tools, don't blame the model. The biggest gains in code quality, speed, and cost-efficiency don't come from switching to the "latest and greatest" LLM. They come from mastering the art and science of providing high-quality context.

Start small. Create a DETAILS.md for your current project. Be explicit about your architecture and standards. And watch as your AI assistant transforms from a clumsy, unpredictable intern into a valuable, reliable member of your team.

Want to Dig Deeper?

If you want to explore more about this stuff, here are some of the excellent resources I used to inform this post:

Overviews and Mindset:
- The New Skill in AI is Not Prompting, It's Context Engineering - A great high-level overview by Phil Schmid.
- Context Engineering: A Primer - By Addy Osmani, a must-read for programmers.
Academic and Research Papers:
- Code Generation with AlphaCodium: From Prompt Engineering to Flow Engineering - A deep, academic look at going beyond simple prompts to multi-step "flows".
- The Larger the Better? Improved LLM Code-Generation via Budget Reallocation - Research showing that running smaller models multiple times with better context can outperform one large model.
- Are Emergent Abilities of LLMs a Mirage? - Foundational paper showing how performance on complex tasks is often a result of better prompting and context.
- Toward a Theory of Tokenization in LLMs - Explains why proper tokenization and context optimization are crucial for code generation.
Best Practices:
- Cursor Docs: Working with Context - Practical advice from a leading AI-first editor.
- Claude Code Best Practices - From Anthropic's engineering team.
Cost Optimization:
- LLMLingua: Compressing Prompts for Massive Cost Savings - A Microsoft Research project for prompt compression.
- How to Monitor Your LLM API Costs and Cut Spending by 90% - Practical tips on reducing costs, many of which relate to better context.
- LLM Cost Optimization: How To Run Gen AI Apps Cost-Efficiently - More on balancing cost and performance.

What are your biggest frustrations with AI code generation? Have you tried any of these techniques, or do you have others that work well? I'd love to hear about it! 🤘

Beyond the Hype: Rediscovering Why Containers Won

Meir Gabay — Thu, 17 Jul 2025 05:58:02 +0000

Ever feel like you missed the memo on why everyone's obsessed with containers? Like, you know Docker exists, you've probably used it, but you're still wondering why it became the thing that basically took over infrastructure?

I was having this exact conversation with a colleague last week. They asked me, "Why don't we just run each app on its own tiny VM?" And honestly? It's a fair question. Let me walk you through why containers didn't just win by accident-they solved real problems that were driving us all crazy.

This post is for anyone who's ever thought: "Okay, containers are everywhere, but why exactly?"

🚂 The Real Difference: Containers vs VMs

Here's the thing-containers and VMs both do isolation, but they're solving it in completely different ways. Think of it like this:

What you get	Containers (Docker & friends)	Virtual Machines
How they isolate stuff	Share the kernel, separate processes	Each gets its own full OS
How fast they start	Seconds (sometimes milliseconds!)	Minutes (ugh)
Memory footprint	Megabytes	Gigabytes
How many per server	Tons	Limited by all that OS overhead
"It works on my machine"	Actually solved this	Still a problem sometimes
Security	Good, but shared kernel = shared risk	Stronger isolation

I remember when we used to spin up VMs for every little service. Want to test something? Wait 5 minutes for the VM to boot. Need to scale up? Hope you've got enough RAM for all those guest operating systems.

🏎️ Why Containers Feel Like Magic (Spoiler: They're Not Magic)

The first time I ran docker run hello-world and it just... worked in seconds, I was hooked. But why are they so much faster?

Think about it this way: When you boot a VM, you're basically starting up a whole computer inside your computer. The hypervisor has to pretend to be hardware, the guest OS has to go through its entire boot process, initialize all its services-it's a lot.

Containers? They're just processes. Really well-isolated processes, but still just processes. They use your existing kernel and just sandbox everything else. So you get:

Instant startup (I'm talking milliseconds to seconds)
Way less memory waste (no duplicate OS copies eating RAM)
More bang for your buck (run way more stuff on the same hardware)
Smaller cloud bills (seriously, this adds up)

🔒 The Security Reality Check

Let's be honest here-containers aren't some magical security fortress. They share the host kernel, which means if someone finds a kernel exploit, they could potentially break out of all containers on that host.

VMs? Each one has its own OS and runs through a hypervisor. That's like having separate apartments vs. separate rooms with really good locks.

Containers: Super fast and efficient, but if the building has a problem, everyone feels it
VMs: Slower and heavier, but each one is its own fortress

This is why a lot of smart teams run containers inside VMs. You get the speed and efficiency of containers with an extra layer of VM isolation. Best of both worlds, if you can afford the complexity.

🚀 The "It Works on My Machine" Problem (Finally Solved!)

You know that feeling when your code works perfectly on your laptop but explodes in production? Yeah, containers basically ended that nightmare.

I used to spend hours debugging environment differences. "Oh, you're running Python 3.8 but production has 3.7." "Wait, did anyone install that dependency on the staging server?" "Why is this library behaving differently on Ubuntu vs CentOS?"

Containers package everything together-your app, its dependencies, the runtime, even specific library versions. When you ship a container, you're shipping the exact environment your code was tested in.

This revolutionized how we build and deploy software:

No more environment drift between dev, staging, and production
CI/CD pipelines that actually work consistently
Easy rollbacks (just swap container images)
Language mixing (Python microservice next to a Go service? No problem)

DevOps teams love this because they can deploy and test stuff way faster. As one wise person said: "Containerization complements DevOps because software can be deployed and tested faster, improving feedback loops." Octopus Deploy

⚖️ Why CFOs Love Containers Too

Here's something that sold containers to the business side: they save money. Real money.

When you can run 10x more applications on the same hardware, that means fewer servers to buy, maintain, and power. Your cloud bills get smaller because you're not paying for a bunch of idle operating systems sitting around doing nothing.

I saw one study that said IBM found containers can cut server maintenance, administration, and facilities costs by about 75% compared to VMs. Now, take that with a grain of salt because these studies always sound too good to be true, but the basic math makes sense-less waste means lower costs. NAMU Tech

🛠️ Kubernetes: When Containers Got Superpowers

Containers by themselves are cool, but when you combine them with orchestration platforms like Kubernetes? That's when things get really interesting.

Kubernetes basically gives you:

Auto-scaling (traffic spike? More containers appear automatically)
Self-healing (container crashes? New one starts up)
Zero-downtime deployments (rolling updates like a boss)
Service discovery (containers can find each other without hardcoded IPs)

The adoption numbers are pretty crazy-apparently 96% of organizations are using Kubernetes now. That's not just hype; that's because it actually solves real operational problems. Edge Delta

🧩 When You Should Still Use VMs (Yes, Really)

Look, I'm not here to tell you containers are the answer to everything. Sometimes VMs still make more sense:

Legacy apps that were built assuming they own a whole machine
Compliance requirements that demand hardware-level isolation
Mixed OS environments (need Windows and Linux on the same host? VMs got you)
Really untrusted workloads (like running customer code)

Most companies I know run a hybrid setup. Containers for new, cloud-native stuff. VMs for legacy systems and security-sensitive workloads. And often, containers running inside VMs for that extra security layer.

🔮 What's Next: The Lines Are Blurring

The future is getting weird in a good way. New technologies like AWS Firecracker and serverless containers (AWS Fargate, Google Cloud Run) are basically giving you VM-level security with container-level performance.

There are also these things called micro-VMs that start almost as fast as containers but give you better isolation. It's like getting the best of both worlds without having to choose.

We're moving toward a world where you don't really have to pick sides-you just pick the right tool for each job.

📚 Want to Dig Deeper?

If you want to explore more about this stuff, here are some resources I found helpful:

✅ So, Why Did Containers Win?

Containers didn't win because of marketing or hype. They won because they solved real problems that were making our lives miserable:

The "works on my machine" problem
Slow deployment cycles
Expensive, wasteful infrastructure
Environment inconsistencies
Scaling headaches

Are they perfect? Nope. But they're the right tool for most modern applications, and when you combine them with orchestration platforms, they become incredibly powerful.

The smartest teams I know use containers where they shine, VMs where they must, and aren't religious about either one. It's all about picking the right tool for the job.

What's your experience with containers vs VMs? Any war stories or "aha" moments? I'd love to hear about them! 🤘

The Ultimate Guide: Which AI Coding Model Should You Use

Meir Gabay — Wed, 25 Jun 2025 05:48:28 +0000

Ever wondered which AI model is truly best for coding tasks? Spoiler alert: there’s no one‑size‑fits‑all answer. Instead, I switch between top‑tier models depending on the task. Here’s my go‑to lineup and why it works wonders.

I'll use Cursor IDE as an example, but the same principles apply to other AI coding tools.

🛠️ My Model Workflow

💎 `gemini-2.5-pro` – My Default All‑Rounder

I rely on Gemini for most tasks: planning, execution, and drafting docs. It’s my everyday workhorse-fast, insightful, and reliable.

🎨 `claude-4-sonnet (thinking)` – For Beautiful UI/UX

When it's time to build or revamp the frontend, I switch to Claude‑4‑Sonnet. Its styling finesse and design‑savvy code make it perfect for initial setup or feature‑rich interfaces. Since it costs about double Gemini, I quickly return to Gemini after the heavy lifting is done.

🚧 `o3` – The Breakthrough Model

When I hit a wall-bugs or logic loops that seem unsolvable-o3 steps in. Recent price cuts make it more affordable, but its brevity means I only use it for major obstacles. Once the issue's cracked, it's back to Gemini for full implementation.

📋 Gemini + Claude Combo – For Clean Execution

For large projects, my workflow is:

Plan with Gemini gemini-2.5-pro → generate structured Markdown breakdowns
Execute with Claude‑4‑Sonnet claude-4-sonnet (standard mode)

This duo gives me precise, well‑organized results without the “thinking noise” of Gemini. Claude follows the plan faithfully.

✍️ `gpt-4.1` – For Polished Human Docs

Finally, for rewriting documentation, I call in GPT‑4.1. Gemini goes over the code and drafts the docs according to logic; then I prompt GPT‑4.1 to make them natural, human‑friendly, state‑of‑the‑art. Its English style simply outshines the rest, probably because I'm used to interacting with ChatGPT in the last couple of years.

📌 TL;DR: Which LLM for Which Task

Task	Preferred Model(s)
Everyday coding & planning	gemini‑2.5‑pro
Frontend UI/UX setup	claude‑4‑sonnet (thinking) then back to Gemini
Breaking through tough bugs	o3, then back to Gemini
Large plan + structured build	Gemini + claude‑4‑sonnet (standard)
Natural‑language doc polishing	gpt‑4.1

✅ Why This Setup Works for Me

Efficiency: I use Gemini as my stable foundation for most work.
Specialization: I deploy other models only where they excel-Claude for styling, o3 for breakthroughs, GPT‑4.1 for writing polish.
Cost control: I minimize expensive model usage to specific tasks where they add the most value.

💡 Final Thought

In Cursor, the smartest model isn’t always the most powerful one-it’s the right tool for the task. Tailoring your workflow across these LLMs gives you speed, quality, and cost‑effectiveness. 😉

Feel free to let me know if you'd like me to add sample Cursor commands or prompts!

How did the company you work for adopt ChatGPT?

Meir Gabay — Tue, 15 Aug 2023 08:35:34 +0000

The new AI tool ChatGPT is out there, though with such a powerful tool comes great responsibility.

Uncle Ben to Spiderman

The main challenge is for companies and corporations that don't want secrets, passwords, codebase, Physical Health Indicator (PHI), medical data, or any other information to be leaked to OpenAI's ChatGPT.

The web is full of articles and blog posts about the challenges, google for - ChatGPT regulation challenge.

How does the company/organization/corporation you work for adopt ChatGPT? Do they block access to chat.openai.com? Have you been instructed not to use it at all? Are you aware of the risks of copy-pasting organization data when asking ChatGPT questions?

I would love to hear your thoughts and discuss this topic, fire at will.

Writing Bash Scripts Like A Pro - Part 2 - Error Handling

Meir Gabay — Sat, 29 Jul 2023 22:02:19 +0000

In the previous blog post of this series, we covered the basics of how to write a proper Bash script, with a consistent naming convention. Writing Bash scripts consistently while learning new terms can be a significant challenge when doing it from scratch. But fear not! We're here to guide you on becoming a Bash scripting master!

And the journey of loving Bash continues!

Definition of Done

Before diving into the fascinating error-handling world in Bash scripts, let's set the "definition of done." By the end of this blog post, we aim to achieve the following:

Get familiar with Bash's exit codes.
Take advantage of STDERR and STDOUT to handle errors.
Allow script execution to continue even if there's an error.
Invoke an error handler (function) according to an error message.

Handling Errors Like a Pro: Understanding Exit Codes

Bash scripts return an exit status or exit code after execution. An exit code 0 means success, while a non-zero exit code indicates an error. Understanding exit codes is fundamental to effective error handling.

When a command succeeds, it returns an exit code of 0, indicating success:

#!/usr/bin/env bash

ls "$HOME"
echo $? # Print the exit code of the last command

# Exit code 0 indicates success

/path/to/home/dir
0

If the ls command fails, it returns a non-zero exit code, indicating an error:

#!/usr/bin/env bash

ls /path/to/non-existent/directory
echo $? # Print the exit code of the last command

# Exit code non-zero indicates an error

ls: /path/to/non-existent/directory: No such file or directory
1

Using Exit Codes to Our Advantage

One way to handle errors is by adding the set -e option to your Bash scripts. When enabled, it ensures that the script will terminate immediately if any command exits with a non-zero status. It's like a safety net that automatically catches errors and stops the script from continuing.

#!/usr/bin/env bash

# Stop execution on any error
set -e

echo "This line will be printed."

# Simulate an error
ls /nonexistent-directory

echo "This line will NOT be printed."

This line will be printed.
ls: /nonexistent-directory: No such file or directory

In this example, the ls command attempts to list the contents of a non-existent directory, causing an error. Due to set -e, the script will stop executing after encountering the error, and the last line won't be printed.

Recap on new terms

We covered a few new characters and terms, so let's make sure we fully understand what they do:

The $HOME variable exists on any POSIX system, so I used it to demonstrate how Bash can use a Global Environment Variable that contains your "home directory path".
The $? character is an exit status variable which stores the exit code of the previous command.
The option set -e forces the script to stop executing when encountering any error.

Redirecting STDERR and STDOUT: Capturing Errors

Often, you might want to capture the output (both STDOUT and STDERR) of a command and handle it differently based on whether it succeeded or failed (raised an error).

We can use the expression $(subcommand) to execute a command and then capture its output into a variable. The important part is to redirect STDERR to STDOUT by adding 2>&1 to the end of the "subcommand".

#!/usr/bin/env bash

# Run the 'ls' command and redirect both STDOUT and STDERR to the 'response' variable
response="$(ls /nonexistent-directory 2>&1)"
# Did NOT set `set -e`, hence script continues even if there's an error
if [[ $? -eq 0 ]]; then
    echo "Success: $response"
else
    echo "Error: $response"
fi

Error: ls: /nonexistent-directory: No such file or directory

In this example, the ls command attempts to list the contents of a non-existent directory. The output (including the error message) is captured in the response variable. We then check the exit status using $? and print either "Success: $response" or "Error: $response" accordingly.

Allowing Script Execution Despite Errors

So far, we covered set -e to terminate execution on an error and redirect error output to standard output 2>&1, but what happens if we combine them?

You may want to continue executing the script even if a command fails and save the error message for later use in an error handler. The || true technique comes to the rescue! It allows the script to proceed without terminating, even if a command exits with a non-zero status. That is an excellent technique for handling errors according to their content.

Ping Servers Scenario

In the following example, we attempt to ping each server, with a timeout of 1 second, using the ping command. If the server is reachable, we should print "Response - ${response}.". Though what happens if the ping fails? How do we handle that? Let's solve it with a use-case scenario!

To make it authentic as possible, I added an array of servers with the variable_name=() expression.

After that, I used the for do; something; done loop to iterate over the servers. For each iteration, we ping a server and redirect STDERR to STDOUT to capture the error's output to the variable response.

And the final tweak was to add || true inside the $() evaluation so that even if the ping command fails, its output is saved in the response variable.

#!/usr/bin/env bash

# PARTIAL SOLUTION - do not copy paste

# Stop execution on any error
set -e


# Creates an array, values are delimited by spaces
servers=("google.com" "netflix.com" "localhost:1234")


for item in "${servers[@]}"; do
    # Use the 'ping' command and redirect both STDOUT and STDERR to the 'response' variable
    response="$(ping -c 1 -t 1 "$item" 2>&1 || true)"

    # TODO: Fix, always evaluates as true
    if [[ $? -eq 0 ]]; then
        echo "
Response for ${item}:
--------------------------------------------------------------
${response}
--------------------------------------------------------------"
    else
        echo "Error - ${response}"
    fi
done

Response for google.com:
--------------------------------------------------------------
PING google.com (172.217.22.14): 56 data bytes
64 bytes from 172.217.22.14: icmp_seq=0 ttl=56 time=126.156 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 126.156/126.156/126.156/0.000 ms
--------------------------------------------------------------

Response for netflix.com: <------- Sholuld've been Error not Response
--------------------------------------------------------------
PING netflix.com (3.251.50.149): 56 data bytes

--- netflix.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
--------------------------------------------------------------

Response for localhost:1234: <------- Sholuld've been Error not Response
--------------------------------------------------------------
ping: cannot resolve localhost:1234: Unknown host
--------------------------------------------------------------

The response will always be evaluated as true because of this part:

# ...
    response="$(ping -c 1 -t 1 "$item" 2>&1 || true)"
    # <-- At this point, `$?` is always `0` because of `|| true`

    # Will constantly evaluate as `true`, 0 = 0
    if [ $? -eq 0 ]; then
# ...

The best way to fix it is to analyze a successful response message and set it as an "indicator of a successful response", and in any other case, the script should fail with an error message.

In the case of running ping -c 1 -t1 $item, a successful response can be considered as:

# Good response, according to a tested output
1 packets transmitted, 1 packets received, 0.0% packet loss

The analysis should be done for a specific use case; this approach assists with handling unknown errors by setting a single source of truth for a successful response and considering anything else as an error.

Here's the final version of the code, with a few upgrades to the output:

#!/usr/bin/env bash

# Good example

# Stop execution on any error
set -e


servers=("google.com" "netflix.com" "localhost:1234")


for item in "${servers[@]}"; do
    # Use the 'ping' command and redirect both STDOUT and STDERR to the 'response' variable
    response=$(ping -c 1 "$item" -t 1 2>&1 || true)

    # The condition is based on what we consider a successful response
    if echo "$response" | grep "1 packets transmitted, 1 packets received, 0.0% packet loss" 1>/dev/null 2>/dev/null ; then
        echo "
SUCCESS :: ${item}
--------------------------------------------------------------
${response}
--------------------------------------------------------------"
    else
        echo "
ERROR :: ${item}
--------------------------------------------------------------
${response}
--------------------------------------------------------------"
    fi
done

SUCCESS :: google.com
--------------------------------------------------------------
PING google.com (172.217.22.14): 56 data bytes
64 bytes from 172.217.22.14: icmp_seq=0 ttl=56 time=159.311 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 159.311/159.311/159.311/0.000 ms
--------------------------------------------------------------

ERROR :: netflix.com
--------------------------------------------------------------
PING netflix.com (54.246.79.9): 56 data bytes

--- netflix.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
--------------------------------------------------------------

ERROR :: localhost:1234
--------------------------------------------------------------
ping: cannot resolve localhost:1234: Unknown host
--------------------------------------------------------------

What the grep?

You've just learned how to use a Bash pipe | to pass data to the grep command. The trick is to echo ${a_variable} and pipe it with | to the grep command like this:

response="some response"
echo "$response" | grep "some" 1>/dev/null 2>/dev/null # Success
echo $?
echo "$response" | grep "not-in-text" 1>/dev/null 2>/dev/null # Fail
echo $?

0
1

You've also learned about /dev/null, a black hole where you can redirect output that shouldn't be printed or saved anywhere.

Implementing Custom Error Handlers

A more complex scenario may require dedicated error handlers, for example, executing an HTTP Request with curl, and handling HTTP Responses; You can create a custom function to handle specific responses gracefully, like this:

#!/usr/bin/env bash

# Stop execution on any error
set -e


handle_api_error() {
    local msg="$1"
    case $msg in
        '{"message":"Not Found","code":404}') # In case of page not found
            echo "Error: Resource not found!"
            exit 4 # Bash exit code
            ;;
        *) # Any other case
            echo "Error: Unknown API error with message ${msg}."
            ;;
    esac

    # Exit either way
    exit 1
}


# Make a request to the API and store the response text in the 'response' variable
response="$(curl -s https://catfact.ninja/fact 2>&1 || true)"


# According to a successful response, having `"fact":` is a good indicator
# If `"fact"` does not `!` appear in the message, it's an error
if ! echo "$response" | grep "\"fact\":" 1>/dev/null ; then
    handle_api_error "$response"
fi

# At this point, we are sure the response is valid
echo "Response: ${response}"

# For this specific API, a successful response returns a random fact about cats
Response: {"fact":"Neutering a male cat will, in almost all cases, stop him from spraying (territorial marking), fighting with other males (at least over females), as well as lengthen his life and improve its quality.","length":198}

Final Words

This blog post took it up a notch; you've learned several terms and can now handle errors in Bash like a Pro! There are still more tricks in this error-handling mix, like trapping CTRL-C error; we'll discover more about that and other ways to handle errors using Bash scripts.

Create Multiple Static Sites In A Single AWS S3 Bucket Served By AWS CloudFront

Meir Gabay — Wed, 07 Sep 2022 01:34:55 +0000

In this blog post, I'll share how to host multiple static websites in a single S3 bucket, where each site is stored in a single directory (path).

CloudFront will serve the static website, and the trick to fetch the relevant site from the origin, S3 bucket, in this case, relies on a Lambda@Edge function.

Objectives

Serve safely behind a CDN via HTTPS - CloudFront + ACM.
Accessing the S3 bucket should be forbidden to anyone except for the serving CloudFront distribution; we'll use CloudFront OAI for that
Store in durable storage, S3 Standard Durability 99.999999999% (11 9's), and highly available servers, S3 Standard Availability 99.99%

By the end of this blog post, I expect to have two live websites, which are stored on a single S3 bucket, and I want proof.

And of course, I'm too excited to keep to myself, right now I'm inspired by the below song ... So ... Are you re-e-e-e-ady let's go!

Escape the Fate - "One For The Money"

(1/6) HTTPS And DNS Validation

This step is optional if you already own an eligible ACM Certificate in the AWS region N.Virginia (us-east-1).

I own the domain meirg.co.il, so to avoid breaking my site, I'm adding another subdomain, and I'll name it multiple-sites, which makes my FQDN



multiple-sites.meirg.co.il

Additionally, I want to support accessing the site with www or any other subdomain (maybe api), so I'll add another FQDN



*.multiple-sites.meirg.co.il

Create An AWS ACM Certificate

Create DNS Validation Records In DNS

Now I need to validate the certificate in my DNS management provider; in my case, it's Cloudflare (flare, not Front 😉)

Then, I copied the CNAME+Value that was generated in ACM

And then, I created two new DNS records in my DNS management provider (how to do it in AWS Route53). Here's how it looks like in Cloudflare:

NOTE: Cloudflare provides a native CDN solution per DNS address, which is fantastic. As you can see, I turned it off (DNS Only) since it's irrelevant for the DNS validation.

And then ... I wonder if all those "and then" reminded you Dobby from the Harry Potter movie 🤭

Cloudflare And AWS CAA Issue

I got into big trouble; my certificate failed to validate

Even though this part is not directly related to this blog post, I'm putting it here for future me (or the currently frustrated you who found it). Bottom line, I fixed it by reading How to Configure a CAA record for AWS and created the DNS records accordingly in Cloudflare.

Validated ACM

Finally, my ACM certificate is eligible, and all DNS records were validated successfully, thanks to the CAA records created above 🙇🏻‍♂️

(2/6) Create An S3 Bucket

This part is relatively easy if you're familiar with AWS S3, though I do want to emphasize something -

An AWS S3 bucket is an object storage; hence it cannot be served to a browser unless set to AWS S3 Static Website.

NOTE: S3 is an object storage, so directories (paths) aren't really "storage locations", but more like pointers that state where the data is stored in an organized way, like filesystem storage.

An S3 static website is only available via HTTP. Serving the site via HTTPS requires a CDN, such as AWS CloudFront or Cloudflare. This information is available at How do I use CloudFront to serve a static website hosted on Amazon S3?

So why am I double-posting something that is already out there? Because I found it very confusing to realize that the term "static website" and the term "S3 static website option" are different.

By its name, I would expect to enable AWS S3 Static Website Option to make this solution work. It should be disabled.

Here's the thing, AWS S3 Static Website doesn't support CloudFront Origin Access Identity (OAI). As mentioned in the Objectives, the site should be accessed from CloudFront only, which means I need the OAI functionality.

Recap - AWS Static Website Option

AWS Static Website Option should be disabled when served behind a CloudFront distribution.

CloudFront Invalidation

A CloudFront invalidation is the part where you purge the cache after pushing static content HTML/CSS/JS/etc., to the S3 bucket.

Later on, when I push new content, I will invalidate the cache to get immediate results. It's either that or setting the CloudFront's distribution TTL to a lower number than the default 86400 seconds (24 hours).

Create a bucket

The name doesn't matter as long as it's a valid S3 bucket name and that name is globally available across ALL AWS accounts.

As you can see, I chose a logical name for my bucket (luckily, it was available)



multiple-sites.meirg.co.il

IMPORTANT: The S3 bucket name doesn't have to be the same as your DNS records. If the name is taken, add a suffix like -site or any other logical suffix that would make sense when you search for the S3 bucket by name. In this solution, The S3 bucket is served behind a CDN (CloudFront), so its name doesn't matter.

Scroll down, keep the Block all public access ticked, and set Versioning to Enabled.

(3/6) Push Website Content To S3

By "push", I mean upload; I use the verb "push" because I want to keep in mind that an automated CI/CD process should "push" the content instead of "uploading" it manually via S3 like I'm about to do now.

Following the bucket creation, I've created two directories (folders); as promised in the beginning, each directory will serve a different website.

And then (Dobby again), I've created this dummy index.html file and made two copies, so I can differentiate between the sites when I check them in my browser.

site1/index.html



<h1>Welcome to site<u>1</u>!</h1>

site2/index.html



<h1>Welcome to site<u>2</u>!</h1>

Moving on to the tricky parts - Creating a CloudFront distribution and Lambda@Edge!

(4/6) Create A CloudFront Distribution

As part of this step, we'll also create (automatically) an Origin Access Identity, enabling access for CloudFront to the S3 bucket; Currently, none is allowed to view the websites.

Once you choose the CloudFront service, you're redirected to the "Global" region, don't let it fool you; it's considered as N.Virginia (EU-east-1), creating the ACM certificate in N.Virginia is essential, as it's the same region where CloudFront is hosted.

The story continues; I've created a CloudFront distribution and searched for my bucket multiple-sites.meirg.co.il as the Origin. The name of the origin was automatically changed in the GUI to multiple-sites.meirg.co.il.s3.eu-west-1.amazonaws.com.

To create an OAI, I've clicked the Create control setting button, and after reading Advanced settings for origin access control, I chose Always sign origin requests (recommended setting) since my bucket is private (future to be accessible only via CloudFront).

NOTE: I also realized that OAI had become legacy, and I should start using the Access Control Setting feature instead.

For cache key and origin requests, I've selected CORS-S3Origin, which is a must; otherwise, you'll get a 502 error due to failure of signing requests (try it).

I was surprised by the excellent UX (not kidding); After creating the CloudFront distribution, I got the following pop-up.

As instructed, I clicked Copy policy and the highlighted link Go to S3 bucket permissions to update policy, scrolled down a bit to Bucket Policy, and clicked Edit.

In this screen, I pasted the copied policy, and it got a bit messed up (no idea why), so I made sure the curly braces at the top { and in the end } are not indented at all, and then I was able to click Save Changes (scroll to bottom) without an issue.

Here's what it looks like after clicking the Save Changes button.

Recap So Far

Created an ACM certificate in N.Virginia (us-east-1) with eligible DNS records
- multiple-sites.meirg.co.il
- *.multiple-sites.meirg.co.il
Created an S3 bucket in Ireland (EU-west-1) and named it multiple-sites.meirg.co.il
Pushed two websites to the S3 bucket
- site1/index.html
- site2/index.html
Created a CloudFront distribution and updated the S3 bucket with the generated Access Control Bucket Policy

(5/6) Map DNS record to CloudFront

For testing purposes, I've created another index.html file; Remember that I set a Default Root Object during the CloudFront distribution creation? That is it.



<h1>Welcome to root site!</h1>

The new index.html file is pushed to the root directory / of the bucket; Before moving on to the "site per directory solution with Lambda@Edge" I want to make sure that everything is in place and that https://multiple-sites.meirg.co.il works as expected.

So now my S3 bucket looks like this:

FQDN Served by CloudFront (Not Reached) - https://multiple-sites.meirg.co.il
S3 Direct Access Link (Forbidden) - https://s3.eu-west-1.amazonaws.com/multiple-sites.meirg.co.il/index.html

The FQDN is still unavailable as I haven't added the DNS record in my DNS Management Provider (Cloudflare); As of now, none knows that my website multiple-sites.meirg.co.il should point to the created CloudFront distribution.

Copied the CNAME of the CloudFront distribution

And created a new DNS record for that CloudFront distribution CNAME; Since I'm already using CloudFront as a CDN, I prefer to disable Cloudflare's proxy feature, as It'll be CDN to CDN, which sounds like a bad idea.

Testing the root site https://multiple-sites.meirg.co.il ...

It worked 🥳 but that's not why we're here for! Moving on to the multiple directories magic. Why magic, you ask? The nested paths /site1,/site2 are restricted/forbidden; here's how accessing /site1 looks like at the time of writing this blog post:

(6/6) Create A Lambda@Edge Function

Writing code is excellent; copying from someone else and understanding what it does is even better. After Googling a bit, I stumbled on Implementing Default Directory Indexes in Amazon S3-backed Amazon CloudFront Origins Using Lambda@Edge
contains the exact code that I need.

I copied the snippet from the mentioned site and removed the console.log; I'll add them back if I need to debug.



'use strict';
exports.handler = (event, context, callback) => {

    // Extract the request from the CloudFront event that is sent to Lambda@Edge 
    var request = event.Records[0].cf.request;

    // Extract the URI from the request
    var olduri = request.URI;

    // Match any '/' that occurs at the end of a URI. Replace it with a default index
    var newuri = older.replace(/\/$/, '\/index.html');

    // Replace the received URI with the URI that includes the index page
    request.URI = newuri;

    // Return to CloudFront
    return callback(null, request);

};

How Does The Lambda@Edge Work?

By default, if an origin request URI doesn't contain file path, like navigating https://multiple-sites.meirg.co.il/site1/; An error will be raised since there's no default setting for sub-directories to use the hosted site1/index.html.

So why does it work when I navigate the root path of the bucket https://multiple-sites.meirg.co.il/? Because I've set the Default Root Object to index.html in the CloudFront distribution. That "fixes" the issue for a single website hosted at the root of an S3 bucket.

When it comes to multiple websites stored in the same S3 bucket, we need a mediator/proxy that will convert the origin request URI from / to /index.html, which is precisely what the above-copied code snippet does.

Create The Lambda@Edge Function

Firstly, in which region should I create the Lambda@Edge Function? .... Can you guess? ......... N.Virginia (us-east-1)! Reminding you that all CloudFront-related resources need to be located in N.Virginia (us-east-1).

Go ahead and create a Lambda Function in N.Virginia, and keep the default settings "Author from scratch > Node 16.x", reminding you that the Lambda Function's code snippet was in JavaScript.

Publish new version

This step is mandatory as Lambda@Edge functions are referenced with versions, unlike normal Lambda Functions can be referenced using the $LATEST alias.

Deploy Lambda@Edge To The CloudFront Distribution

Navigate back to the function and
Deploy to Lambda@Edge!

I clicked Deploy (with excitement), and then I got this pop-up message:

Correct the errors above and try again.
Your function's execution role must be assumable by the edgelambda.amazonaws.com service principal.

Hold on a sec; I need to add a Trust Relationship, so CloudFront is allowed to execute the function. Googling a bit got me here - Setting IAM permissions and roles for Lambda@Edge; the copying motive continues as I copied the IAM policy from that page



{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "Service": [
               "lambda.amazonaws.com",
               "edgelambda.amazonaws.com"
            ]
         },
         "Action": "sts:AssumeRole"
      }
   ]
}

After that, I edited the Lambda Function's IAM role Trust Relationship.

Let's try to deploy the Lambda Function again ... And of course, another error ...

Cannot read properties of undefined (reading 'startsWith')

Oh well, I refreshed the Lambda Function's page ... I Tried to deploy again ... Finally, deployed!

Results

I'm not sure if I did it or if it happened automatically. Still, I think it's important to document it - initially, I got to the 403 Forbidden page when trying to access https://multiple-sites.meirg.co.il/site1/, so I checked the CloudFront distribution and found out that the S3 origin is set to Public, and I have no idea how or why that happened. So I changed it back to Origin access control settings (recommended), and everything works as expected.

Final Words

Initially, I wanted to use an Origin Access Identity (OAI) to restrict to CloudFront only. Then I discovered that OAI is considered legacy, so I proceeded with Access Control, and I'll probably migrate all my OAI resources to Access Control.

I left out (for now) the "S3 redirect from www" part because this blog post is already overkilled.

How To Recover Secrets From GitHub Actions

Meir Gabay — Fri, 01 Jul 2022 11:40:05 +0000

In this blog post, I'll share how to recover a secret from a CI/CD service, such as GitHub Actions.

If you're here, then you already know that secrets are hidden from CI/CD logs with ***, for example:

jobs:
  openssl:
    name: Recover With OpenSSL
    runs-on: ubuntu-20.04
    steps:
      - env:
          MY_CLIENT_SECRET: ${{ secrets.MY_CLIENT_SECRET }}
        run: |
          echo "MY_CLIENT_SECRET (***)     = ${MY_CLIENT_SECRET}"

# Output
MY_CLIENT_SECRET (***)     = ***

The above isn't very helpful since this is the situation you're probably in right now.

Quick And Dirty (Dangerous)

For private repositories, it's possible to use base64 to encode a secret before printing it to the CI/CD service logs; this way, GitHub Actions won't hide the secret with ***. Then, copy the encoded value and decode it locally.

name: Recovering secrets

# Assumption:
# You've created the following GitHub secrets in your repository:
# MY_CLIENT_ID - encode/decode with base64 - useful for private repositories

on:
  push:
  workflow_dispatch:

jobs:
  base64:
    name: Recover With Base64
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - env:
          MY_CLIENT_ID: ${{ secrets.MY_CLIENT_ID }}
        run: |
          echo "MY_CLIENT_ID (***)    = ${MY_CLIENT_ID}"
          echo "MY_CLIENT_ID (base64) = $(echo ${MY_CLIENT_ID} | base64)"
          echo "Copy the above value, and then execute locally:"
          echo "echo PASTE_HERE | base64 -D"

The above method is hazardous as anyone can decode the secret, so for public repositories, this is a no-go. And here's proof why it is super dangerous, assuming the printed encoded value is c29tZS1jbGllbnQtaWQtdmFsdWUK ...

echo c29tZS1jbGllbnQtaWQtdmFsdWUK | base64 -D
# some-client-id-value

I've just exposed MY_CLIENT_ID to the whole world ... I'm terrified.

How To Recover A Secret From A CICD Service

The best way to recover a secret from a CICD system without exposing it to the outside world is to encrypt the secret before printing it to the CI/CD logs.

name: Recovering secrets

# Assumption:
# You've created the following GitHub secrets in your repository:
# MY_CLIENT_SECRET - encrypt/decrypt with openssl - useful for public and private repositories
# MY_OPENSSL_PASSWORD - used to protect secrets
# MY_OPENSSL_ITER - Use a number of iterations on the password to derive the encryption key.
#                   High values increase the time required to brute-force the resulting file.
#                   This option enables the use of PBKDF2 algorithm to derive the key.

on:
  push:
  workflow_dispatch:

jobs:
  openssl:
    name: Recover With OpenSSL
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - env:
          MY_CLIENT_SECRET: ${{ secrets.MY_CLIENT_SECRET }}
          MY_OPENSSL_PASSWORD: ${{ secrets.MY_OPENSSL_PASSWORD }}
          MY_OPENSSL_ITER: ${{ secrets.MY_OPENSSL_ITER }}
        run: |
          echo "MY_CLIENT_SECRET (***)     = ${MY_CLIENT_SECRET}"
          echo "MY_CLIENT_SECRET (openssl) = $(echo "${MY_CLIENT_SECRET}" | openssl enc -e -aes-256-cbc -a -pbkdf2 -iter ${MY_OPENSSL_ITER} -k "${MY_OPENSSL_PASSWORD}")"
          echo "Copy the above value, and then execute locally:"
          echo "echo PASTE_HERE | openssl base64 -d | openssl enc -d -pbkdf2 -iter \$MY_OPENSSL_ITER -aes-256-cbc -k \$MY_OPENSSL_PASSWORD"

The only way to decrypt the above string U2FsdGVkX1+6/+7bvNG/Ga7siAI994FkMUn5Njzn4zyNwvf8qM3MY0MMmd9sCFvz is to use the right number of iter and password, otherwise you'll have to use a brute-force attack, good luck with that :)

Here's how I decrypted the above value on my local machine:

echo U2FsdGVkX1+CeN0/ScQLZGU8f0ix86fh1oLJg/1M+o2lbCM+pBA8BIUCbkHMCjRZ \
| openssl base64 -d \
| openssl enc -d -pbkdf2 -iter $MY_OPENSSL_ITER -aes-256-cbc -k $MY_OPENSSL_PASSWORD

Final Words

I suggest creating a separate workflow for recovering CI/CD (GitHub) secrets, like .github/workflows/recover-github-secrets.yml, followed by running the workflow and then deleting its logs once you're done recovering the secret.

References

How To Test A GitHub Action

Meir Gabay — Sat, 04 Dec 2021 20:01:48 +0000

My Workflow

The project unfor19/hero-action is an All-In-One action to a test GitHub Action.

Submission Categories

Maintainer Must-Haves
Wacky Wildcards - I'm adding this one because it's a "hacky" way of using GitHub Actions to test an action (feels like a recursion)

Yaml File or Link to Code

unfor19 / hero-action

All-in-one action to develop and maintain GitHub Actions.

hero-action

An All-In-One action to test a GitHub Action.

Tested in unfor19/hero-action-test

Usage

Generate a new Personal Access Token with the scope: repo + workflow. Keep this token in a safe place we'll use it later on.

Add the following workflow .github/workflows/testing.yml to your action's repository, e.g. hero-action

name: testing
on:
  push:
    branches: [master]
    paths-ignore:
      - "README.md"
  workflow_dispatch:

jobs:
  dispatch_test_action:
    name: Dispatch Test Action
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v2
      - name: Workflow Dispatch Status
        uses: unfor19/hero-action@v1.0.2
        with:
          action: "dispatch-status"
          src_repository: ${{ github.repository }}
          src_workflow_name: ${{ github.workflow }}
          src_sha: ${{ github.sha }}
          target_repository: ${{ github.repository }}-test
          target_workflow_name: "test-action.yml"
          gh_token: ${{ secrets.GH_TOKEN }} # scope: repo + workflow

Create a new GitHub repository to test your action, e.g. hero-action-test, add…

View on GitHub

The action repository, my-repo, triggers a workflow in the test repository, my-repo-test. Meanwhile, the my-repo is "stuck" with the commit status pending.
The repository my-repo-test tests the action by using it, see unfor19/hero-action-test
Upon success/failure, the test action my-repo-test creates a commit status in the action's repository, this updates the status of the pending workflow with success or failure

Additional Resources / Info

Using this action in:
1. unfor19/replacer-action
2. unfor19/install-aws-cli-action

How To Develop A Progressive Web Application On An Android Device

Meir Gabay — Thu, 02 Dec 2021 20:46:17 +0000

In the past few weeks, I've been wondering how the whole eco-system of a Progressive Web Application (PWA) works. Of course, I need to get my hands dirty and code something to understand it.

My main goal is to provision a local development environment, which hot-reloads (code changed) the application on a physical Android device.

The main challenge was figuring out a way to access the PWA, which runs on my local machine from my Android device (Samsung Galaxy S10). Why? Because PWA requires HTTPS access so using IP addresses is not an option.

Ladies and gentlemen, I present to you - unfor19/pwa-quasar-local

This project demonstrates how to develop a Progressive Web Application (PWA) locally on an Android device, using the Quasar Framework v2.

Final Results

IMPORTANT: Images may look weird on DEV.to; unsure why. Go to the GitHub repo unfor19/pwa-quasar-local if you experience funny widths and heights

I took screenshots with my Android device to document the whole user experience of installing a PWA for the first time.

Accessed PWA From Android Device

The Add to Home Screen popup appears!

Clicked Add To Home Screen

Clicked Install

Installation Completed

PWA Appears On The Device's Apps List

PWA Has A Cool Splashscreen

That is thanks to Quasar which does it, as always, automatically.

First Run After Installation

The application runs on the device as if it were a "normal application".

Final Words

It was a true joy to work with Quasar since it made the whole process of generating a PWA out-of-the-box without writing a single line of code. So head over to unfor19/pwa-quasar-local and do your PWA magic!

Improving email deliverability with DNS records

Meir Gabay — Fri, 26 Nov 2021 23:30:50 +0000

As always, every day brings up new challenges, and today I faced one of my greatest fears - dealing with mailing DNS records.

Up until today, I was only familiar with A Record, CNAME Record, and TXT Record. A while ago, I used the MX Record while setting up my mailbox for my domain, but I don't quite remember its purpose, but enough about me.

Mail eXchangers, such as Gmail, Yahoo, Outlook, check the validity of incoming email messages. As part of the validation process, the Mail eXchanger queries the DNS records of the sender and evaluates the sender's reputation.

The sender's reputation affects how the Mail eXchanger classifies the message and whether or not it should be marked as spam before it is delivered to the receiver. In some cases, the message is blocked entirely by the Mail eXchanger, and the receiver is unaware of it.

The Reputation

There are many algorithms out there for evaluating an email sender's reputation. To put it on a scale, I classified the reputation level into four levels - Very Low, Low, Standard, and Best.

Very Low

Blocked completely without even bothering the receiver, here are two common error messages that may appear in the ESP's logs if the sender's email has sent too many emails in a short period.

421 4.7.0 [TS01] Messages from <1.2.3.4> temporarily deferred due to user complaints
<1.2.3.4> ;see http://postmaster.yahoo.com/421-ts01.html

553 5.7.1 [BL21] Connections will not be accepted from 1.2.3.4,
    because the ip is in Spamhaus's list; 
see http://postmaster.yahoo.com/550-bl23.html

Above snippets from - glockapps.com - How To Remove Your IP From Yahoo Blacklist – Yahoo Blacklist Checker

If there's a need to send large volumes of email messages, it is recommended to purchase a dedicated IP with a warm-up mechanism. The subject is broadly explained in the provided link, though in short, it's another method of identifying yourself as a trusted sender, by saying:

"I own a unique IP address because I'm confident that Mail eXchangers won't block me. I know that it's easy to block an IP address, so yeah, I'm that confident."

Low Reputation

Emails are marked as spam due to the low authenticity of the sender or previous reports of other users. But, most of the time, it's because the content of the message is not specific enough to the receiver.

For example, Willy is a Gmail customer, and he is interested in computer science and surfing. Then, out of the blue, Willy receives an email message about a great body lotion for women. Though Willy may have subscribed to some cosmetics stores websites, if the message isn't specific enough, like "Hi Willy," then it might be marked as spam.

Send the relevant content to the appropriate audience to avoid getting here.

Standard Reputation

Email messages are getting to the client's mailbox as they should, though, in some Mail eXchangers such as Gmail, messages could move to the Promotions tab, while it wasn't intended.

"... Gmail will recommend emails based on previous user engagement, regardless of whether annotations are present."

Best Reputation

Email messages are getting to the client's mailbox as the sender intended.

Some businesses may want to get on Gmail's Promotions tab on purpose; it all depends on the sender's needs.

Are you ready to explore the dark depths of mailing DNS records? Let's go!

Baseline

Previously, I mentioned that I'm familiar with a few DNS records, but that doesn't mean that we're on the same page. So line up!

Record Type	Target	Example Key Pair Values
A	IP addresses	Name: virtual-machine.meirg.co.il (For example, AWS Elastic IP) Value: 123.123.123.123
CNAME	Canonical name for other domain name	Name: meirg.co.il Value: meirg-website.pages.dev (Cloudflare Pages) Name: www.meirg.co.il (Redirects to meirg.co.il) Value: meirg.co.il
TXT	Domain validation and authenticity	Name: meirg.co.il (Google Domain Verification) Value: "google-site-verification=2NOO....XgotefAU"
MX	Let's leave it as a mystery for now (keep your Google Search gun down!)

Plot

I need to improve the email deliverability of outgoing emails. The request first came from the marketing expert of one of my customers, and he told me "We need you for the DNS part."

Ok, I'm up for it; let's set up the DNS records and assist my customer in reaching out to his end-users.

But how can I make sure that I succeed? I mean, doing/learning stuff is fun, it really is, but how will I know if my changes impacted my email sender reputation? How do I know if there's a better open/click rate for my emails?

The above questions are widespread when the need to send emails arises. That usually comes with many requirements, such as "unsubscribe mechanism", "group contacts by segments", "statistics of open/click", and the list goes on, depending on your marketing manager 😉

Developing a system that can measure open/click rate and handle email/contacts management will take ages to build...

So maybe I should ...

Use professional help

Here comes ESP into play! ESP stands for Email Service Provider, and that means there are cloud providers out there who are willing to send emails on my behalf and enable me to manage the whole email delivery system in a one-stop-shop.

There are many ESPs out there such as Google Workspace, SendGrid and Mailchimp. Each provider has its pros and cons, but the common ground is - they all send emails on behalf of your domain.

The difference usually comes when an ESP, like SendGrid, offers comprehensive services like Automated Security which enabled you to purchase a dedicated IP as a service (we'll get to that).

We covered ESPs, moving on to getting familiar with industry standards for improving email deliverability.

NOTE: I might mention SendGrid a lot during this blog post, though I'm not biased towards any ESP; SendGrid is simply the service I've been using recently, so it's easier for me to make references. Most ESPs offer a free/trial plan so you can explore their features and then decide, and I recommend evaluating at least two ESPs before picking one.

Standards For Better Email Delivery

According to Google, at least four standards should be implemented (in this order)

SPF
DKIM
DMARC
(Optional) BIMI

And, I'm adding A dedicated IP to the mix.

Mail eXchangers check if the sender meets industry standards by querying its DNS record, and according to that, evaluate the sender's reputation. The sender evaluation process includes other methods, such as looking in https://multirbl.valli.org/ to see if the source domain (eventually IP) of the sender is marked as an "official spammer", that all it depends on the Mail eXchanger. The more standards the sender meets, the higher the chances the sender's email message will arrive at its target audience (receiver).

The illustration below is for the SPF record. Still, the same communication process is the same for all standards, where the Receiving Email Server (Mail eXchanger) validates the email sender's authenticity and reputation.

Image Source: https://twilio-cms-prod.s3.amazonaws.com/original_images/spf_mail_flow.jpeg

SPF

Definition: Sender Policy Framework
Remember with: S for "Sending emails"

This record allows ESPs such as SendGrid, Gmail, Mailchimp to send emails on behalf of your domain. So if my domain name is meirg.co.il and I would like to send emails with Google Workspace, I need to add Google's SPF record to my domain meirg.co.il.

And the funny thing about an SPF Record, that it's actually a TXT Record. Let me remind you that TXT Records are for "Domain validation and authenticity," so it's nothing more than adding a TXT Record and adding a value that is specific for the SPF standard.

Here's an example for setting up two SPF records, one for Google Workspace and the other for SendGrid's SPF.

# Google Workspace
Type: TXT
Name: meirg.co.il
Value: v=spf1 include:_spf.google.com ~all

# Sendgrid
Type: TXT
Name: em123.meirg.co.il
Value: u12345678.wl123.sendgrid.net

Notice the weird thing? Google Workspace has an SPF expression, while SendGrid provides a CNAME as a value in the TXT record. My gut told me that the CNAME should eventually resolve to an SPF expression, so I checked it with Authentication @ tools.wordtothewise.com.

I tested it by navigating to https://tools.wordtothewise.com/dns/txt/em123.meirg.co.il, which resolved in ... Drums ... u12345678.wl123.sendgrid.net as a TXT record which contains the following expression.

# SendGrid's CNAME resolves to SPF expression
v=spf1 ip4:122.122.122.122 -all

It is quite a wonder that eventually, it's ip4:122.122.122.122 and not a CNAME, as we saw in Google Workspace include:_spf.google.com. This wonder is called a dedicated IP.

Declaring an SPF Record, or any other record that is related to mailing, usually comes with a complete guide on how to create it, check Google Workspace Basic Setup for SPF which also explains how to include multiple ESPs in a single SPF Record.

When should I use a single SPF expression?

Getting back to my previous example of Google Workspace and SendGrid; Luckily, SendGrid provides a particular TXT Record, which includes a unique subdomain, em123; this makes the setup is really nice since you don't modify existing with the fear of breaking something.

Assuming your ESP*s* required the TXT Record of SPF to be present in the root domain, e.g., meirg.co.il, you'll have to edit your existing SPF expression and add additional ESPs. For example, here's how you would write an SPF expression when using both Google Workspace and Mailgun.

# Google Workspace + Mailgun
Type: TXT
Name: meirg.co.il
Value: v=spf1 include:_spf.google.com include:mailgun.org ~all

NOTE: Regarding which ESP you should choose (Google/SendGrid/Mailchimp/Mailgun, etc.), it depends on your needs. I use Google Workspace for receiving/sending emails on behalf of human beings who use @meirg.co.il and SendGrid for sending automated emails with my web application @meirg.co.il. By the way, Mailchimp is also excellent, I used it a long time ago, and I truly enjoyed it.

Recap on SPF

A TXT record that contains an SPF expression or a CNAME that is eventually resolved to an SPF expression. The SPF expression contains an authorization policy about which service can send emails on your domain's behalf.

IMPORTANT Make sure you send emails from the same address that you've authenticated in the ESP (SendGrid, Google), for example, DO NOT TRY THE FOLLOWING, sending emails from no-reply@meirg.com. In contrast, my authenticated domain address is meirg.co.il. That can easily happen if you're using SendGrid - API keys to send emails since the FROM field is not protected, the API call can "endure" anything you shove it.

DKIM

Definition: DomainKeys Identified Mail (Signatures)
Remember with: K for Keys.

This one is going to be very short compared to SPF since we've already covered all basics,

I like to think about DKIM as the HTTPS of emails. So DKIM is a way for an email sender to increase authenticity by adding a signature to the headers of an email message.

"...DKIM adds an encrypted signature to the header of all outgoing messages. Email servers (Mail eXchangers) that get signed messages use DKIM to decrypt the message header and verify the message was not changed after it was sent."

Here's how the DKIM record looks for my domain meirg.co.il.

Type: TXT
Name: google._domainkey.meirg.co.il
Value: v=DKIM1; k=rsa; p=Ultra-Long-Key-PUBLIC-KEY-392-chars

The subdomain google._domainkey was generated by Google for my domain meirg.co.il. After generating the DKIM record, I followed the instructions and authenticated my domain by adding a TXT record with the value provided by Google.

If I intend to use other ESPs, I can generate a subdomain per ESP, so for SendGrid, it'll be s1._domainkey.

As you can see, the *._domainkey is the critical value, as that's the one that the Mail eXchanger is checking. So if a DNS record, such as TXT or CNAME, is named with _domainkey, you can classify it safely as DKIM. The *._domainkey prefix, such as google and s1, is called a selector. One domain can have multiple DKIM selectors when using various ESPs.

NOTE: Curious about my public key? Dig for it! dig TXT google._domainkey.meirg.co.il

DMARC - Here comes D-MARC tu du du du

Definition: Domain-based Message Authentication, Reporting & Conformance
Remember with: DM "Domain Monitoring" and D-MARC like "the man(ager)"

We covered SPF and DKIM, but how do we know that our email messages are authenticated with SPF and signed with DKIM? Is there a way to track down it down with numbers? There is.

DMARC is an email authentication standard - Meeting up this standard means your SPF and DKIM domain records are legit. How does it mean that they're legit, you ask?

Once a day, a DMARC Report is sent to a predefined mailbox. The report contains pass/fail attempts of SPF and DKIM.
DMARC has the reject policy, so if a sender attempts to send an email and both SPF and DKIM checks didn't pass, the receiver (recipient) would not get the message.
Furthermore, DMARC helps to authenticate the sender's identity since SPF requires a TXT record to exist in the sender's domain containing valid domains or IPs (usually of an ESP), and a TXT (or CNAME) record for DKIM which includes a public key that was given to sender by the ESP.

Here's how a DMARC Record looks like

Type: TXT
Name: _dmarc.meirg.co.il
Value: v=DMARC1; p=none; rua=mailto:meir+dmarc_agg@meirg.co.il, mailto:dmarc_agg@vali.email

The p=none is the declared policy, which is nothing. Having no policy at all is almost the same as not having a DMARC record. A proper DMARC record would be p=reject.

So why am I using p=none, you ask? Because I'm still not 100% sure that my outgoing email messages pass both SPF and DKIM by Mail eXchangers. Having p=reject would block my messages completely, so for testing purposes, start with p=none, and once you're sure that all your emails pass both SPF and DKIM, set the policy to p=reject.

Sounds great, but how can you check all that? It sounds tough.

See the rua key in the code snippet above; I added +dmarc_agg to my email address and created a filter in Gmail, so any message coming from meirg+dmarc_agg@meirg.co.il is tagged as dmarc-report. Remember that I mentioned that a daily DMARC report is sent to a "predefined email address"? that is it.

But do I want to analyze DMARC reports on my own? Yup, you guessed it, there's an excellent service that can do that for free, and it's called ValiMail. ValiMail gets the daily report and analyzes it by checking how many SPF and DKIM successes/failures occurred in the past 24 hours and presents the summary in a friendly dashboard.

ValiMail are partnered with many known organizations, such as Microsoft, Google, and SendGrid, so I consider them a trusted vendor.

NOTE: The silent dmarc_agg@vali.email in the rua key points to ValiMail's mailbox.

BIMI - Requires DMARC

Definition: Brand Indicators for Message Identification
Remember with: B for Bragging to our audience/receivers that we're a top-notch validated sender.

Reminding you that DMARC has the "reject policy", so if an email sender sets it to p=reject, pct=100 (or p=quarantine), ALL none qualifying emails (SPF+DKIM) will not be delivered. So, cool, who enforces it? BIMI!

Qualifying for BIMI requires registering a trademark in a known patent agency and then purchasing a Verified Mark Certificate (VMC) from DigiCert or Entrust So, meeting the BIMI standard is not that simple.

And of course, it is possible to partially meet BIMI for non-trademarked logos. However, since BIMI is still not enforced or widely recognized by Mail eXchangers, I consider it a nice-to-have, and I'll get to it once I'll implement it once I get enough data from the DMARC reports.

To my feeling, it'll be easier to qualify today for BIMI than it will be in a few years. If you spot a fully certified BIMI email sender, it means it is ... Genuine and can be trusted.

Mysterious MX

Definition: Mail Exchanger
Remember with: Gmail is a Mail Exchanger, Google Workspace is an ESP

Finally, we got to MX; in case you haven't noticed, I wrote "Mail eXchangers" each time I had to mention a mail exchanger. You've just learned that MX Record stands for Mail e*X*changers that are allowed to receive emails on your behalf.

Since MX Records are for receiving emails and not sending, see my stackoverflow answer on how to configure MX Records for AWS Simple Email Service (SES) and the things that I've learned during the process.

To see how an MX Record looks like, check mine with mxtoolbox.com.

Gmail is a Mail eXchanger

How do you send emails from your Gmail account if it's only receiving messages with a Mail eXchanger?

As part of being Gmail's client, you can send emails on behalf of @gmail.com. That is set behind the scenes by Gmail's engineers, so each time you send an email using Gmail's UI, or use Gmail's API, the emails that you send are signed with Gmail's signature, which includes SPF, DKIM, DMARC. That is why your emails are not marked as spam when you email your friends and family since most Mail Exchangers treat @gmail.com as a high reputation sender.

Strengthen your knowledge

Name all the standards and provide a short description

All records refer to the email sender's domain.

SPF - TXT record, which contains the allowed sources, domains or IPs, to send emails on behalf of an email sender.
DKIM - TXT/CNAME record, which contains a key generated by an ESP. I consider DKIM an HTTPS mechanism for emails, which uses the public-key cryptography to authenticate messages.
DMARC - TXT record, which contains the receiver of the daily reports. This record is not just for setting the receiver, and it also means that Mail eXchangers will check this record and act according to the rules in it. So if SPF and DKIM is not set, some email messages might not arrive at their destination.
BIMI - TXT record, which contains a URL to an SVG logo of the email sender, and a URL of the Verified Mark Certificate (VMC) that the email sender purchased. And of course, this is how email senders can brag that they're legit in front of their customers.

How do I check if my domain is a trusted email sender?

Check if your DMARC record is valid with https://tools.wordtothewise.com.

https://tools.wordtothewise.com/dmarc/check/DOMAIN_NAME

Hooray for Google Workspace customers - there's a dedicated online tool for checking whether your mailing DNS records are correctly set for Google Workspace ESP; here are my results meirg.co.il - Google Check MX Status

IMPORTANT: Do not be fooled; Google Workspace's tool is valid only if you're checking Google as an ESP. If you use this service on a Sendgrid domain, it will show many errors.

How do I read a DMARC expression?

The syntax of how to read/write a DMARC expression can be found in RFC7489 - Domain-based Message Authentication, Reporting, and Conformance (DMARC). Another excellent source for understanding the syntax is Google's tutorial on the DMARC record format

Let's inspect @gmail.com's DMARC record together

v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com

p=none - all emails, regardless if they're validated with SPF+DKIM, can get to the receiver
sp=quarantine - all emails sent from subdomains, e.g. subdomain.gmail.com and are not signed with SPF+DKIM are marked as spam in the receiver's mailbox. sp stands for subdomain-policy and overrides p rules for subdomains.
rua=mailto - It appears that Gmail is handling their DMARC reports internally since the reporting address belongs to @google.com. So I guess they have their own "analyzing and monitoring DMARC reports" system, kewl.

Inpsecting @yahoo.com's DMARC record

v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; mailto:d@ruf.agari.com;

p=reject - all emails that are not signed with SPF+DKIM are rejected.
pct=100 - the percentage of messages to apply the p policy. In this case, if it's not signed with SPF+DKIM, it's not getting to the receiver at all, very restrictive

It's fascinating to see how different enterprise-grade email senders are setting up their DMARC records. It might look like Gmail is very permissive with their p=none policy, but I'm sure they have a dedicated backend that filters out spam messages before they arrive at their customers' mailboxes.

Bonus - Can Gmail customers check the sender's validity in the UI?

Yes, yes, YES!

Eventually, an email message contains text, and this text instructs the Mail eXchanger how to validate the message's sender, process referenced images to be shown in the UI, etc.

Gmail made it very easy to check, click the ellipsis, and then Show Original.

That results in a very long page that contains the whole email message, though Gmail made it very easy to track the important things, such as if DMARC is valid.

After reading this blog post, you've just learned that checking DMARC is enough since it relies on both SPF and DKIM.

Dedicated IP

Psst! Glad to see that you've read it all; This blog post is long enough, so here's a great resource that can help you decide whether to purchase a dedicated IP or not - 3.4 Shared vs. Dedicated IPs, M3AAWG Sender Best Common Practices v3.0, Feb 2015.

In short, if you're sending high volumes, hundreds of thousands of emails a month, then you should purchase a dedicated IP. I hate it when it all ends up with "it depends on your needs", but hey, that's true.

Final Words

I admit that it was tough and felt like there's a lot to memorize, but once you truly understand how each components works, it's pretty nice and very not intimidating as it was. So enjoy setting up your mailing DNS records. That would be all.

Writing Bash Scripts Like A Pro - Part 1 - Styling Guide

Meir Gabay — Sun, 24 Oct 2021 23:51:25 +0000

Writing Bash scripts can be challenging if you don't know the quirks and perks. In my mother tongue, we use the Yiddish word for quirks and perks; it's called "Shtickim" (plural of "Shtick"). Are you ready to learn more about Bash's "Shtickim"?

This blog post is part of a series that I'm working on to preserve the knowledge for future me that forgets stuff, to assist new colleagues, and indulge programmers like you who wish to love Bash as I do. So let's begin, shall we?

It's A Scripting Language

It's important to remember that Bash is a scripting language, which means it doesn't offer the standard functionalities that a programming language has to offer, such as:

Object-Oriented Programming is not supported natively
There are no external libraries like Python's requests or Node's axios, though it is possible to use external applications such as curl
Variables Typing is not supported, and all values are evaluated as strings. However, it is possible to use numbers by using specific commands, such as test equality with -eq and increment a variable with ((VAR_NAME+1)). Nevertheless, there's a "weak" way of declaring variables type with the declare command.
Bash's Associative array like Python's dict or JavaScript's Object is supported from version Bash v4.4, and it's important to remember that macOS is shipped with Bash v3.2 (we'll get to that in future blog posts of this series)
There is no "source of truth" for naming convention. For example, how would you name a global variable? Pascal_Case? snake_case? SCREAMING_SNAKE_CASE?

As you already guessed, "Bash programmers" (if there is such a thing) face many challenges. The above list is merely the tip of the iceberg.

Here are great blog posts that share the same feelings as I do:

Now that we've covered the fact that I'm in love with Bash, I want to share that feeling with you; here goes.

Variables Naming Convention

Here's how I name variables in my Bash scripts

Type	Scope	Convention
Environment	Global	MY_VARIABLE
Global	Global	_MY_VARIABLE
Local	Function	my_variable

In my older Bash scripts, the names of the variables were hard to interpret. Changing to this naming convention helped me a lot to understand the scope of variables and their purpose.

Good Vibes Application

And of course, we gotta' see some practical example, so here's how I implement the above naming convention in my good_vibes.sh application.

good_vibes.sh

#!/usr/bin/env bash
# ^ This is called a Shebang
# I'll cover it in future blog posts


# Global variables are initialized by Env Vars.
# I'm setting a default value with "${VAR_NAME:-"DEFAULT_VALUE"}"
_USER_NAME="${USER_NAME:-"$USER"}"
_USER_AGE="${USER_AGE:-""}"


complement_name(){
  local name="$1"
  echo "Wow, ${name}, you have a beautiful name!"
}


complement_age(){
  local name="$1"
  local age="$2"
  if [[ "$age" -gt "30" ]]; then
    echo "Seriously ${name}? I thought you were $((age-7))"
  else
    echo "Such a weird age, are you sure it's a number?"
  fi
}


main(){
  # The only function that is not "pure"
  # This function is tightly coupled to the script
  complement_name "$_USER_NAME"
  complement_age "$_USER_NAME" "$_USER_AGE"
}


# Invokes the main function
main

good_vibes.sh - Execution and output

export USER_NAME="Julia" USER_AGE="36" && \
bash good_vibes.sh

# Output
Wow, Julia, you have a beautiful name!
Seriously Julia? I thought you were 29

Let's break down the good_vibes.sh application to a "set of rules" that can be implemented in your scripts.

Code block spacing

Two (2) blank rows between each block of code make the script more readable.

Indentation

I'm using two (2) spaces, though it's totally fine to use four (4) spaces for indentation. Just make sure you're not mixing between the two.

Curly braces

If it's a ${VARIABLE} concatenated with string, use curly braces as it makes it easier to read.

In case it's a "$LONELY_VARIABLE" there's no need for that, as it will help you realize faster if it's "lonely" or not.

The primary purpose for curly braces is for performing a Shell Parameter Expansion, as demonstrated in the Global variables initialization part.

Squared brackets

Using double [[ ]] squared brackets makes it easier to read conditional code blocks. However, do note that using double squared brackets is not supported in Shell sh; instead, you should use single brackets [ ].

To demonstrate the readability, here's a "complex" conditional code block:

if [[ "$USER_NAME" = "Julia" || "$USER_NAME" = "Willy" ]] \
   && [[ "$USER_AGE" -gt "30" ]]; then
  echo "Easy to read right?"
fi

# Mind that `||` is replaced with `-o`, see https://acloudguru.com/blog/engineering/conditions-in-bash-scripting-if-statements
# Thank you William Pursell
if [ "$USER_NAME" = "Julia" -o "$USER_NAME" = "Willy" ] \
   && [ "$USER_AGE" -gt "30" ]; then
  echo "No idea why but I feel lost with single brackets."
fi

In case you didn't notice, you've just learned that || stands for OR and && stands for AND. And the short -gt expression means greater than when using numbers. Finally, the \ character allows breaking rows in favor of making the code more readable.

Shtick: Using \ with an extra space \ <- extra space can lead to weird errors. Make sure there are no trailing spaces after \.

I assume that using [[ ]] feels more intuitive since most conditional commands are doubled && ||.

Variable initialization

Global variables are initialized with Environment Variables and are set with default values in case of empty Environment variables.

As mentioned in the good_vibes.sh comments, I'm setting a default value with

"${VAR_NAME:-"DEFAULT_VALUE"}"

In the above snippet, the text DEFAULT_VALUE is hardcoded, and it's possible to replace it with a variable. For example

_USER_NAME="${USER_NAME:-"$USER"}"

Functions and local function variables

Functions names and local function variables names are snake_cased. You might want to change functions names to lowerCamelCase, and of course, it's your call.

Coupling a function to the script is a common mistake, though I do sin from time to time, and you'll see Global/Environment variables in my functions, but that happens when I know that "this piece of code won't change a lot".

Oh, and make sure you don't use $1 or any other argument directly; always use local var_name="$1".

_USER_NAME="${USER_NAME:-"$USER"}"

# Bad - coupled
coupled_username(){
  echo "_USER_NAME = ${_USER_NAME}"
}

# Good - decoupled
decoupled_username(){
  local name="$1"
  echo "name = ${name}" 
}

# Usage
coupled_username  
decoupled_username "$_USER_NAME"

Functional Programming

This topic relates to Functions and local function variables, where functions are as "pure" as possible. As you can see in good_vibes.sh, almost everything is wrapped in a function, except for Initializing Global variables.

I don't see the point of writing the init_vars function, whose purpose is to deal with Global variables. However, I do find myself adding a validate_vars function from time to time, which goes over the Global variables and validates their values. I'm sure there's room for debate here, so feel free to comment with your thoughts.

Final Words

The "Good Vibes Application" mostly covered how to write a readable Bash script following the Functional Programming paradigm.

If you feel that there's a need to change how you name variables and functions, go for it! As long as it's easy to understand your code, you're on the right track.

The next blog posts in this series will cover the following topics:

Error handling
Retrieving JSON data from an HTTP endpoint
Background jobs and watching file for changes with fswatch
Git Repository structure - adding Bash scripts to existing repositories or creating a new repository with a Bash CLI application
Publishing a Bash CLI as a Docker image

And more, and more ... I'm just going to spit it all out to blog posts. Feel free to comment with questions or suggestions for my next blog posts.

Vue3 + Quasar 2.1 + TypeScript Sample CRUD Application Project

Meir Gabay — Mon, 11 Oct 2021 22:34:07 +0000

Hi all,
I've been working on a Vue3 + Quasar 2.1 + TypeScript CRUD application.
I'm using AWS SSM Parameters API to test the application and it is being served with localstack so I can test the application locally. In case it's not clear, AWS SSM Parameters (served by localstack) is my local "backend server".

To run the application and test it immediately, you need to have Docker and Docker-Compose installed - that's it.

Project link @ GitHub - https://github.com/unfor19/aws-webui

Sidenote- I'm not a frontend developer, so it was quite tough, but eventually, it was a great experience.

Feel free to ask any questions

Forem: Meir Gabay

AI Code Generation, Smarter and More Cost-Efficient with Context Engineering

The High Cost of Runtime Research

Your Solution: The DETAILS.md File

🤔 Why This Matters

Automating Your Context: Human-Focused vs. Agent-Focused Tools

One Context to Rule Them All: Symlinking for Different Agents

The Biggest Pitfall: LLMs Don't Read Like You (Understanding Context Rot)

The Takeaway: Context is Everything

Want to Dig Deeper?

Beyond the Hype: Rediscovering Why Containers Won

🚂 The Real Difference: Containers vs VMs

🏎️ Why Containers Feel Like Magic (Spoiler: They're Not Magic)

🔒 The Security Reality Check

🚀 The "It Works on My Machine" Problem (Finally Solved!)

⚖️ Why CFOs Love Containers Too

🛠️ Kubernetes: When Containers Got Superpowers

🧩 When You Should Still Use VMs (Yes, Really)

🔮 What's Next: The Lines Are Blurring

📚 Want to Dig Deeper?

✅ So, Why Did Containers Win?

The Ultimate Guide: Which AI Coding Model Should You Use

🛠️ My Model Workflow

💎 gemini-2.5-pro – My Default All‑Rounder

🎨 claude-4-sonnet (thinking) – For Beautiful UI/UX

🚧 o3 – The Breakthrough Model

📋 Gemini + Claude Combo – For Clean Execution

✍️ gpt-4.1 – For Polished Human Docs

📌 TL;DR: Which LLM for Which Task

✅ Why This Setup Works for Me

💡 Final Thought

How did the company you work for adopt ChatGPT?

Writing Bash Scripts Like A Pro - Part 2 - Error Handling

Definition of Done

Handling Errors Like a Pro: Understanding Exit Codes

Using Exit Codes to Our Advantage

Recap on new terms

Redirecting STDERR and STDOUT: Capturing Errors

Allowing Script Execution Despite Errors

Ping Servers Scenario

What the grep?

Implementing Custom Error Handlers

Final Words

Create Multiple Static Sites In A Single AWS S3 Bucket Served By AWS CloudFront

Objectives

(1/6) HTTPS And DNS Validation

Create An AWS ACM Certificate

Create DNS Validation Records In DNS

Cloudflare And AWS CAA Issue

Validated ACM

(2/6) Create An S3 Bucket

Recap - AWS Static Website Option

CloudFront Invalidation

Create a bucket

(3/6) Push Website Content To S3

(4/6) Create A CloudFront Distribution

Recap So Far

(5/6) Map DNS record to CloudFront

(6/6) Create A Lambda@Edge Function

How Does The Lambda@Edge Work?

Create The Lambda@Edge Function

Publish new version

Deploy Lambda@Edge To The CloudFront Distribution

Results

Final Words

How To Recover Secrets From GitHub Actions

Quick And Dirty (Dangerous)

How To Recover A Secret From A CICD Service

Final Words

References

How To Test A GitHub Action

My Workflow

Submission Categories

Yaml File or Link to Code

unfor19 / hero-action

All-in-one action to develop and maintain GitHub Actions.

hero-action

Usage

Additional Resources / Info

How To Develop A Progressive Web Application On An Android Device

Your Solution: The `DETAILS.md` File

💎 `gemini-2.5-pro` – My Default All‑Rounder

🎨 `claude-4-sonnet (thinking)` – For Beautiful UI/UX

🚧 `o3` – The Breakthrough Model

✍️ `gpt-4.1` – For Polished Human Docs