The cloud was never abstract. It was always a building with an address — and on March 1, 2026, that address got hit by a drone.

Iranian Shahed drones struck two Amazon Web Services data centres in the United Arab Emirates and damaged a third facility in Bahrain. This was not a cyberattack. This was not a software vulnerability. This was kinetic warfare — missiles and drones targeting the physical infrastructure that powers the digital economy.

The consequences were immediate and devastating. Abu Dhabi Commercial Bank, Emirates NBD, First Abu Dhabi Bank, ride-hailing platform Careem, payment platforms Hubpay and Alaan, and enterprise data platform Snowflake — all experienced outages. AWS confirmed that two of three Availability Zones in the UAE region (ME-CENTRAL-1) were “significantly impaired.” The third zone stayed up, but with cascading degradation across services that depended on cross-zone redundancy.

Then it got worse. On April 1, fresh Iranian strikes hit an AWS data centre in Bahrain again. The Islamic Revolutionary Guard Corps (IRGC) named 18 US tech companies — including Microsoft, Google, Apple, Meta, Oracle, Intel, and Nvidia — as “legitimate military targets.” The statement was explicit: for every assassination, an American company’s infrastructure would be destroyed.

This is the first time in history that a nation-state has deliberately targeted commercial cloud data centres during wartime. And it changes everything about how businesses need to think about their infrastructure.

Why Multi-AZ Failed — And What That Means for Every Cloud Customer

Before we get into the five roles, we need to understand exactly what broke — because it challenges the foundational assumption most businesses make about cloud reliability.

AWS regions are designed with multiple Availability Zones (AZs) — physically separate data centres within the same geographic area. The promise is simple: if one AZ goes down, your workloads failover to another. This is the basis of every “highly available” architecture.

But here’s what happened in ME-CENTRAL-1: two out of three AZs were hit simultaneously. The drones didn’t respect availability zone boundaries. Standard multi-AZ redundancy models assume independent failure domains — a power outage here, a hardware failure there. They do not account for a military strike that takes out multiple facilities in the same city.

As one cloud architect at ABN AMRO Clearing Bank put it bluntly after the attacks: Multi-AZ is NOT disaster recovery. It protects you from hardware failures, not a missile hitting an entire availability zone cluster in the same city.

AWS’s own response confirmed the severity. They advised customers to replicate critical data out of the ME-SOUTH-1 (Bahrain) region entirely — an implicit admission that the region itself was compromised as a safe location. They waived all usage charges for ME-CENTRAL-1 for the entire month of March.

The lesson is clear: multi-AZ gives you high availability. It does not give you disaster recovery. And in a world where data centres are military targets, the distinction between those two concepts is the difference between staying online and going dark.

With that context, here are the five engineering capabilities your business needs — whether you hire for them, build them internally, or partner with an agency that can deliver them.

1. Multi-Cloud and Disaster Recovery Engineer

The Gap Exposed

The AWS attacks exposed a painful truth: most businesses have a single-provider dependency they’ve never stress-tested against a regional catastrophe. The October 2025 AWS outage had already cost an estimated $581 million globally. Now we’re looking at physical destruction — something no SLA covers.

Standard commercial property and business interruption insurance policies frequently exclude acts of war. Companies that had workloads running in ME-CENTRAL-1 or ME-SOUTH-1 discovered they had no financial recourse, no fallback infrastructure, and no tested plan for regional failure.

Paradoxically, Amazon’s stock rallied approximately 3% after the attacks. Why? Analysts predicted that enterprises would now be forced to adopt multi-region and multi-cloud deployments — effectively increasing their cloud spend across providers.

Understanding DR Strategies

Disaster recovery isn’t one-size-fits-all. AWS defines four DR strategies, each with different cost and recovery characteristics:

Backup and Restore is the simplest and cheapest approach. You regularly back up data to cloud storage in another region and restore when needed. Recovery Time Objective (RTO) — how long it takes to get back online — is measured in hours. Recovery Point Objective (RPO) — how much data you lose — depends on backup frequency. This is the bare minimum every business should have.

Pilot Light keeps a minimal version of your environment running in a secondary region. Core infrastructure like databases are replicated, but application servers aren’t running. When disaster strikes, you spin up the full environment. RTO is measured in tens of minutes to hours.

Warm Standby runs a scaled-down but fully functional copy of your production environment in another region. It can handle traffic immediately, albeit at reduced capacity. RTO drops to minutes.

Multi-Site Active/Active is the gold standard. You run fully functional deployments in multiple regions simultaneously. Traffic is distributed across all regions via global load balancers. There’s no failover because all regions are always serving traffic. If one goes down, the others absorb the load automatically. RTO is effectively zero, but cost is highest.

The Tech Stack

For cross-region replication within AWS, the key services are S3 Cross-Region Replication for object storage, DynamoDB Global Tables for NoSQL databases, Aurora Global Database for relational workloads, and AWS Elastic Disaster Recovery (formerly CloudEndure) for server replication.

But single-provider replication isn’t enough anymore. True resilience requires multi-cloud capability:

Terraform is the most critical tool here. As an infrastructure-as-code (IaC) platform, it’s cloud-agnostic — you can define your infrastructure once and deploy it to AWS, GCP, Azure, or any combination. If your current provider’s region goes dark, you can redeploy your entire stack elsewhere from code. Pulumi and AWS CloudFormation are alternatives, but Terraform’s multi-cloud support makes it the clear choice for DR scenarios.

Zerto provides real-time replication across cloud providers with automated failover. Veeam handles hybrid backup scenarios across on-premises and multi-cloud environments. For infrastructure configuration recovery — DNS, CDN, identity providers, network settings — ControlMonkey fills a gap most backup tools miss: they recover your data, but not the infrastructure configuration that makes it accessible.

Global load balancers are the traffic routing layer that makes all of this work. AWS Route 53 (with health checks and failover routing), Cloudflare (with their global Anycast network), or GCP Cloud DNS can automatically reroute traffic away from impaired regions.

What You Should Do Now

Start with an audit. Is your production workload in a single region? A single provider? If the answer to either is yes, you have a single point of failure that is now a known attack vector.

The lowest-effort, highest-impact step is enabling S3 Cross-Region Replication to a region on a different continent. If you’re running databases, enable cross-region read replicas at minimum.

Most importantly, codify your infrastructure with Terraform or equivalent IaC. If your infrastructure exists only as manually configured resources in a console, you cannot redeploy it elsewhere quickly. IaC is your portability insurance.

Finally, test your failover. Quarterly. An untested DR plan is no plan at all. Use AWS Fault Injection Simulator or Gremlin to simulate regional failures and verify your recovery actually works.

At Innovatrix, we build every client’s infrastructure with IaC from day one — from EC2 deployments to S3 backup automation to EBS snapshot scheduling. It’s not optional; it’s foundational. When a region goes dark, the businesses that survive are the ones who can redeploy from code.

2. Data Sovereignty and Compliance Engineer

The Gap Exposed

Here’s a fact that startled many businesses after the attacks: they had no idea their data was even routed through Middle East regions.

Data localization mandates — laws requiring that certain data be physically stored within a country’s borders — had driven hyperscalers to build aggressively in the Gulf. The UAE’s data centre market was projected to more than double from $3.29 billion in 2026 to $7.7 billion by 2031. Businesses that needed to serve Gulf customers were required to process data locally.

Now that data is in an active war zone. And the legal implications are cascading.

Many businesses had workloads routed through Gulf regions without explicit awareness. Their cloud provider optimised for latency, and traffic flowed through the nearest data centre. When that data centre was struck, the business discovered that “the cloud” had a very specific geographic address they hadn’t consented to.

The Regulatory Landscape

Data sovereignty is no longer a checkbox exercise. It’s a strategic imperative that intersects with national security.

India’s Digital Personal Data Protection Act (DPDP), 2023 is rolling out in phases. Phase 1 (November 2025) established the Data Protection Board. Phase 2 (November 2026) makes consent manager frameworks operational. Phase 3 (May 2027) brings all substantive provisions into effect. Significant Data Fiduciaries (SDFs) — entities handling large volumes of sensitive data — may face mandatory data localization within India. CERT-In requires enabling logs and retaining them for 180 days within India.

The DPDP Rules mandate that organisations audit how personal data enters, moves through, and exits their systems. They must document what is stored in India versus outside India and justify the rationale. Cloud and hosting agreements must support data residency needs, breach reporting timelines (the notification window starts from awareness, not occurrence), audit rights, and sub-processor transparency.

GDPR in Europe requires adequacy decisions or Standard Contractual Clauses for data transfers. Post-Schrems II, routing data through active conflict zones raises questions that no existing compliance framework anticipated.

RBI data localization mandates that payment system data must be stored exclusively in India — no exceptions, no routing through intermediary regions.

The convergence of these regulations with physical conflict creates a new compliance category that didn’t exist before: geopolitical data risk.

The Tech Stack

Data sovereignty starts with visibility. You cannot comply with data residency requirements if you don’t know where your data actually lives.

Data classification and discovery tools like BigID, OneTrust, and Securiti.ai scan your entire cloud footprint to discover where personal data resides, how it moves across regions, and which jurisdictions apply. This isn’t a one-time audit — it needs to be continuous, because cloud providers can change routing and replication behaviour.

Cloud-native policy enforcement is the next layer. AWS Config Rules can enforce region restrictions — flagging or preventing resource creation outside approved regions. Azure Policy and GCP Organization Policy Constraints offer equivalent capabilities. These are your guardrails: even if a developer accidentally spins up a resource in the wrong region, the policy blocks it.

Sovereign cloud providers are emerging as alternatives to hyperscaler regions in sensitive geographies. India-specific options include Jio Cloud, ESDS, and BharathCloud — providers offering India-based hosting with DPDP-aligned compliance features. Globally, IBM launched Sovereign Core in January 2026, and Microsoft’s Azure Local (formerly Azure Stack HCI) enables running Azure workloads on on-premises hardware, keeping data within your physical control.

Encryption and key management close the loop. AWS KMS, Azure Key Vault, and HashiCorp Vault enable envelope encryption where you control the keys. The critical requirement: keys must reside in the same jurisdiction as the data. A data centre in India with encryption keys stored in Virginia isn’t truly sovereign.

For compliance audit trails, ensure your provider offers ISO 27001 and SOC 2 certifications, and that your contracts explicitly address breach notification timelines, sub-processor governance, and data deletion procedures.

What You Should Do Now

Run a data residency audit immediately. Tools like AWS Config or third-party platforms can show you exactly which regions your data touches. You may be surprised.

Review your cloud provider contracts for war exclusion clauses in insurance and SLAs. If your workloads ran through a conflict zone, understand your legal exposure.

Implement geo-fencing at the infrastructure level — not just at the policy level. AWS Service Control Policies (SCPs) can hard-block API calls from creating resources in specific regions.

For businesses serving Indian customers, 2026 is the build-and-test year for DPDP compliance. Don’t wait for Phase 3 enforcement in May 2027.

At Innovatrix, we serve clients across India, UAE, UK, Singapore, and Australia — each with distinct data residency requirements. Our infrastructure setups are compliance-aware from the first architecture decision, whether that’s choosing an AWS region, configuring DNS, or setting up backup replication targets.

3. Edge Computing and Decentralised Infrastructure Specialist

The Gap Exposed

The fundamental flaw that the AWS attacks exposed isn’t just about multi-AZ or multi-region. It’s about the centralised model itself.

When Iran struck ME-CENTRAL-1, every service that depended on that region — banking apps, payment gateways, ride-hailing platforms, enterprise SaaS — went down in a cascading failure. The “cloud” was a single geographic location, and when that location was destroyed, the digital economy of an entire region collapsed.

This is the centralisation paradox: the cloud promised abstraction from physical infrastructure, but it actually concentrated risk into fewer, larger targets. A single data centre campus can host thousands of businesses. Destroy the campus, and you destroy them all simultaneously.

The numbers make the case for decentralisation. Gartner projects that 75% of enterprise data will be created and processed at the edge by 2026 — up from just 10% in 2018. Global IoT connections are projected to exceed 30 billion by 2026. And Cisco reports that AI agentic queries generate up to 25 times more network traffic than traditional chatbot queries — load that centralised architectures were never designed to handle.

The Architecture Shift

Edge computing doesn’t replace the cloud. It redistributes it. The model is layered:

Central cloud handles large-scale training, batch analytics, cold storage, and workloads where latency doesn’t matter. This is still AWS, GCP, or Azure — but it’s no longer the only tier.

Regional edge handles real-time inference, hot data, event processing, and latency-sensitive operations. These are smaller compute nodes distributed across metro areas, telecom exchanges, or customer premises.

Device edge handles on-device processing, sensor data pre-filtering, and offline-capable operations. This is where IoT, embedded systems, and mobile devices process data locally without any cloud dependency.

The resilience benefit is structural: there’s no single point of failure. If a regional edge node goes down, others absorb the load. If the central cloud is unreachable, edge nodes continue operating independently.

The Tech Stack

For web workloads, the easiest entry point into edge computing is Cloudflare Workers — serverless functions that run at over 300 edge locations globally. Your code executes at the edge location nearest to the user, with no central server dependency. Vercel Edge Functions and Deno Deploy offer similar capabilities, particularly useful for Next.js applications.

For AWS-native architectures, AWS Local Zones bring AWS infrastructure into metro areas (compute, storage, database services closer to end users), while AWS Outposts let you run AWS services on your own on-premises hardware. Azure IoT Edge and Google Distributed Cloud offer equivalent capabilities.

For edge AI inference, NVIDIA Jetson is the leading embedded AI platform — it can run computer vision, NLP, and sensor fusion models on device-grade hardware without cloud connectivity. ONNX Runtime enables cross-platform model deployment (train on any framework, deploy anywhere), and TensorRT optimises models for NVIDIA hardware specifically.

For container orchestration at the edge, K3s is a lightweight Kubernetes distribution designed for resource-constrained environments — it runs the same workloads as full Kubernetes but with a fraction of the memory and CPU footprint. Rafay provides multi-cluster Kubernetes management across edge and cloud environments from a single control plane.

For distributed databases, CockroachDB and YugabyteDB provide globally distributed SQL with automatic replication across regions and edge locations. They use consensus protocols that handle network partitions gracefully — exactly what you need when edge nodes have intermittent connectivity.

CDNs — Cloudflare, Fastly, AWS CloudFront — are the simplest form of edge infrastructure that most businesses already use. But post-attacks, think of your CDN not just as a performance layer but as an availability insurance policy. If your origin server goes down, a properly configured CDN can continue serving cached content.

What You Should Do Now

Identify your latency-critical and availability-critical workloads. These are your edge candidates. If a 200ms delay or a 5-minute outage costs you revenue or user trust, that workload should be at the edge.

Start with Cloudflare Workers or Vercel Edge for web workloads — lowest barrier to entry, no infrastructure to manage, and you get global distribution immediately.

For AI/ML workloads, evaluate whether inference can run at the edge. Smaller models — quantised to 4-bit or 8-bit precision — can run on surprisingly modest hardware. If you’re calling an API for every AI inference, you have a centralisation dependency.

Design for offline-first where possible. Edge nodes should degrade gracefully, not fail completely. If the user’s connection to your central cloud drops, what still works? That’s your resilience baseline.

At Innovatrix, our Next.js deployments leverage edge functions for critical paths, and our Cloudflare experience — from R2 storage to Workers — means we build distributed resilience into web applications by default, not as an afterthought.

4. Cloud Security and Cyber Warfare Specialist

The Gap Exposed

The AWS attacks were kinetic — physical drones hitting physical buildings. But they exist within a broader context of coordinated physical and cyber warfare.

Iran’s IRGC didn’t just bomb data centres. They named 18 US tech companies as military targets, signalling coordinated campaigns that combine physical strikes with cyber operations. This is hybrid warfare, and it creates a threat model that most businesses have never planned for.

The collateral damage problem is severe: your business doesn’t need to be a target. You just need to be ON the target’s infrastructure. When Iran struck AWS to disrupt US military AI operations running on the same cloud, every commercial customer in that region was collateral damage.

Meanwhile, 17 submarine cables pass through the Red Sea, carrying the majority of data traffic between Europe, Asia, and Africa. With Iran’s closure of the Strait of Hormuz and renewed Houthi threats in the Red Sea, both critical data chokepoints are now in active conflict zones simultaneously. As one network intelligence expert noted, both chokepoints being in conflict zones at the same time is unprecedented — there’s no historical parallel for the potential disruption.

And the threat surface keeps expanding. A 2025 Fortinet survey found that 62% of organisations consider securing edge environments more complex than protecting centralised data centres. Every edge node, every IoT device, every distributed compute instance is a potential attack surface.

The Security Architecture

Post-attacks, your security posture needs to evolve from “protect the perimeter” to “assume everything is compromised.”

Zero Trust Architecture is the foundational shift. The principle is simple: never trust, always verify. Every request — whether from inside or outside your network — must be authenticated, authorised, and encrypted. Google’s BeyondCorp model pioneered this. Practical implementations include Cloudflare Zero Trust (ZTNA — Zero Trust Network Access), Azure AD Conditional Access, and Tailscale (a WireGuard-based mesh VPN that creates encrypted point-to-point connections without exposing public endpoints).

WAF and DDoS protection is your outer shield. Cloudflare WAF, AWS Shield Advanced, and Azure DDoS Protection filter malicious traffic before it reaches your infrastructure. In a cyber warfare scenario, volumetric DDoS attacks are often the opening salvo — designed to overwhelm defences before targeted exploitation.

SIEM and continuous monitoring give you visibility. CrowdStrike Falcon provides endpoint detection and response. Wiz offers cloud-native security posture management — it maps your entire cloud footprint and identifies misconfigurations, exposed secrets, and lateral movement paths. AWS GuardDuty provides threat detection using machine learning to identify anomalous API calls and potentially compromised instances.

Secrets management ensures that API keys, database credentials, and encryption keys aren’t hardcoded or exposed. HashiCorp Vault, AWS Secrets Manager, and Doppler provide centralised, audited, rotatable secret storage.

DNS security is often overlooked but critical. Implement DNSSEC to prevent DNS spoofing, DNS-over-HTTPS to prevent eavesdropping, and ensure your SPF, DKIM, and DMARC records are properly configured to prevent email-based attacks that often precede infrastructure compromises.

Immutable backups are your last line of defence against both ransomware and physical destruction. WORM (Write Once Read Many) storage — available through AWS S3 Object Lock, Azure Immutable Blob Storage, or dedicated solutions like Veeam with immutability — ensures that backups cannot be encrypted, deleted, or modified by attackers. In a scenario where your primary infrastructure is physically destroyed and your backups are in a different region, immutable backups are what let you recover.

Incident Response and Chaos Engineering

Having security tools isn’t enough. You need documented runbooks and regular testing.

An incident response playbook answers: who does what when your primary region goes dark? Who is notified first? What’s the communication chain? Which workloads are restored first? How do you communicate with customers during the outage?

Chaos engineering tests your resilience before a real incident does. AWS Fault Injection Simulator and Gremlin let you simulate regional failures, network partitions, and service degradations in a controlled way. If your DR plan only exists on paper, the first time you test it shouldn’t be during an actual war.

What You Should Do Now

Implement zero trust today. Start with Tailscale or Cloudflare Zero Trust — both can be deployed in hours, not weeks.

Run a security audit against your cloud infrastructure. ScoutSuite (open-source, multi-cloud) or AWS Inspector can identify misconfigurations, open ports, and policy violations in minutes.

Harden your DNS. If you’ve done SPF, DKIM, and DMARC remediation, you’re ahead of most — but verify it’s current. DNS is often the first target in state-sponsored attacks.

Create an incident response playbook. Document it. Assign roles. Then drill it quarterly.

Enable immutable backups in a geographically isolated region. If your primary and backup are both in the same conflict zone, you have no backup.

At Innovatrix, we’ve done comprehensive DNS audits and SPF/DKIM/DMARC remediation across client domains, deploy infrastructure behind Tailscale-secured networks, and build security hardening into every deployment — because in this threat landscape, security isn’t a feature, it’s the foundation.

5. AI Infrastructure Relocation Engineer

The Gap Exposed

This is perhaps the most consequential role to emerge from the attacks — because it sits at the intersection of AI, cloud infrastructure, and geopolitics.

Here’s what happened: the US military was using Anthropic’s Claude AI model — hosted on AWS infrastructure — for intelligence analysis, target identification, and battle simulations during the Iran strikes. Iran’s stated rationale for attacking AWS data centres was precisely this: the infrastructure was supporting enemy military AI operations.

This means that commercial AI infrastructure is now a military target by association. If your AI workloads — your inference pipelines, your vector databases, your training jobs — share infrastructure with military AI, you are in the blast radius. Not metaphorically. Literally.

The deeper problem is that AI compute cannot be arbitrarily relocated. Unlike a web application that can be containerised and moved to a new region in hours, AI workloads are constrained by power availability, cooling infrastructure, GPU availability, network latency for distributed training, and the sheer volume of training data that needs to move with the compute.

As one research paper on AI infrastructure sovereignty noted: sovereignty strategies that focus solely on data localisation or model ownership risk becoming symbolic rather than effective. Without continuous visibility into infrastructure state and the ability to act on it in real time, operators lack practical control over AI systems.

The Sovereign AI Shift

The response to these attacks is accelerating a global trend: sovereign AI infrastructure.

Global spending on sovereign AI systems is projected to surpass $100 billion by 2026. Microsoft committed $10 billion to Japan AI infrastructure between 2026 and 2029 — a direct response to sovereign compute requirements forcing hyperscalers to partner with regional infrastructure players rather than deploying centralised data centres. The market noticed: Sakura Internet, a Japanese regional cloud provider, surged 20% on the announcement.

France has invested €109 billion in sovereign AI infrastructure, including a partnership with Fluidstack to build one of the world’s largest decarbonised AI supercomputers. India is accelerating through the IndiaAI mission and sovereign cloud mandates.

Forrester predicts 2026 is the year governments adopt “tech nationalism” — domestic-first AI procurement policies. And IDC forecasts that by 2028, 60% of organisations with digital sovereignty requirements will have migrated sensitive workloads to new cloud environments.

The writing is on the wall: AI infrastructure is becoming as geopolitically strategic as oil infrastructure. And just like oil, countries and businesses that don’t control their own supply are vulnerable.

The Tech Stack

Model portability is the first priority. If your AI models are locked into one provider’s format and one provider’s serving infrastructure, you can’t relocate them. ONNX (Open Neural Network Exchange) provides a standard format for model interoperability — train in PyTorch, export to ONNX, deploy anywhere. MLflow handles experiment tracking and model registry — versioning your models so you know exactly which model is running where and can reproduce it. Kubeflow provides Kubernetes-native ML pipelines for training and serving.

Self-hosted inference eliminates provider dependency entirely. vLLM is a high-throughput, memory-efficient inference engine for large language models — it can serve models on your own GPU hardware (cloud or on-premises) with performance rivalling managed API services. Ollama simplifies local LLM deployment for development and testing. llama.cpp enables CPU-based inference for smaller models.

GPU cloud alternatives beyond the hyperscalers provide options when AWS or Azure regions are compromised. Lambda Labs, CoreWeave, RunPod, and Paperspace offer GPU compute without the hyperscaler dependency. For India-specific sovereign GPU infrastructure, providers like BharathCloud are emerging with DPDP-aligned offerings.

Vector databases need to be portable too. If your RAG (Retrieval-Augmented Generation) pipeline depends on a managed vector database in a specific region, you need alternatives. pgvector — a PostgreSQL extension — is the most portable option: it runs anywhere PostgreSQL runs, which means you can deploy it on any cloud, any region, or on-premises. Qdrant, Milvus, and Weaviate are dedicated vector databases with self-hosted deployment options.

Model optimisation for relocation makes smaller, faster models that are easier to move and cheaper to serve. Quantisation (4-bit and 8-bit) reduces model size by 4-8x with minimal accuracy loss. Distillation trains smaller “student” models from larger “teacher” models. Pruning removes unnecessary weights. The result: models that can run on edge hardware, on modest cloud instances, or on-premises GPUs — dramatically increasing your deployment options.

The Hybrid AI Architecture

The winning pattern isn’t all-cloud or all-edge. It’s a hybrid:

Training stays in the cloud — where GPU clusters, large storage, and high-bandwidth interconnects are available. But training should happen in stable, geographically safe regions.

Inference moves to the edge or on-premises — where latency requirements, data sovereignty laws, or security concerns dictate. Quantised models served by vLLM on your own infrastructure give you full control.

Model synchronisation uses CI/CD pipelines to push updated models from training environments to inference endpoints. This is the same pattern as software deployment — just with model artifacts instead of code.

What You Should Do Now

Audit where your AI workloads physically run. Which region? Which provider? Which data centre? If you’re using a managed API (like calling an LLM provider), find out where they host their inference infrastructure.

Ensure model portability. Export your models to ONNX format. Use MLflow for versioning. If you can’t reproduce your model deployment from scratch in a new region within 24 hours, you have a portability problem.

For inference workloads, evaluate self-hosted options. vLLM on your own EC2 instance (in a stable region) gives you the same serving capability as a managed API, with full control over location and security.

Have a relocation playbook. If your AI provider’s region goes dark, can you serve models from elsewhere within 24 hours? Document the steps, test them, and keep them current.

Consider pgvector on India-hosted PostgreSQL for vector search workloads. It’s sovereign by default — your embeddings live on your infrastructure, in your jurisdiction, under your control.

At Innovatrix, we run AI automation pipelines on self-hosted n8n infrastructure with Anthropic API integrations, and our architecture for Pensiv — our cognitive continuity SaaS — uses pgvector on PostgreSQL precisely because portability and data sovereignty are non-negotiable for an AI-native product. We don’t just recommend sovereign AI infrastructure; we build on it.

What Happens Next

The AWS data centre attacks mark a permanent shift in how the world thinks about cloud infrastructure. The cloud was always physical. Now it’s geopolitical.

Here’s what’s coming:

Multi-cloud becomes the default, not the exception. Gartner’s projection of 75% multi-cloud adoption by 2026 was made before the attacks. Expect that number to accelerate. Single-provider architectures will be seen as reckless, not efficient.

Sovereign AI infrastructure becomes a national priority. India, Japan, France, and the EU are already investing billions. Expect every major economy to follow. Businesses that depend on foreign-hosted AI will face regulatory and competitive disadvantages.

Data centres get physical security upgrades. Air defence systems, reinforced construction, underground facilities — what was once the domain of military bunkers is becoming the standard for commercial data centres. The cost of cloud services will rise accordingly.

Edge computing accelerates from “nice-to-have” to “survival requirement.” The businesses that weather the next infrastructure attack will be the ones that don’t depend on a single geographic cluster.

Insurance and contracts get rewritten. War exclusion clauses, force majeure definitions, and SLA terms will all evolve to account for kinetic attacks on cloud infrastructure. If your contracts don’t address this, they’re already outdated.

You don’t need to hire five specialists tomorrow. But you need to start thinking in terms of these capabilities — resilience, sovereignty, distribution, security, and portability. The businesses that come out of this era strongest will be the ones who treated infrastructure as a strategic asset, not a commodity.

At Innovatrix Infotech, we help businesses build infrastructure that’s resilient by design — from multi-region cloud setups to self-hosted AI pipelines to compliance-aware deployments across India, UAE, UK, and beyond. If you’re unsure where your infrastructure stands, let’s talk.

Originally published at Innovatrix Infotech

I wanted a single interface where an AI agent could run WHOIS, pull SSL certs, enumerate subdomains, check CVEs, and query threat intel feeds — all from one prompt.

So I built 23 security tools as an MCP server. Any AI agent that speaks MCP can call them natively.

Here’s what I built, how to set it up, and what I learned.

Setup (2 minutes)

Let me start with the setup because it’s the simplest part.

Add this to your MCP client config:

{
  "mcpServers": {
    "contrast": {
      "command": "npx",
      "args": ["-y", "@anthropic-ai/mcp-remote", "https://api.contrastcyber.com/mcp/"]
    }
  }
}

Works with Claude Desktop, Cursor, Windsurf, Cline, VS Code — anything that speaks MCP.

No API key. No signup. 100 requests/hour free.

The 23 Tools

Recon — “What’s running on this domain?”

Real scenario: “Check if any of our subdomains have expiring SSL certs” — the agent calls subdomain_enum, loops through each result with ssl_check, and reports which ones expire within 30 days. Zero code.

Vulnerability — “Is this CVE exploitable?”

Real scenario: “Find all critical CVEs for Apache httpd from the last 6 months that have public exploits” — one sentence, three tool calls chained automatically.

Threat Intelligence — “Is this IOC malicious?”

Real scenario: You get a suspicious URL in Slack. Paste it and ask “is this safe?” — the agent runs phishing_check + ioc_lookup and tells you if it’s a known threat.

Code Security — “Does my code have vulnerabilities?”

Real scenario: Before a PR merge, ask your agent to scan the diff for hardcoded secrets and injection vulnerabilities.

Phone & Email — “Is this contact legit?”

What It Looks Like

“Run a full security audit on example.com”

Domain: example.com
Risk Score: 32/100 (Low)

DNS: 6 records found
SSL: Grade A, expires 2027-01-15, TLS 1.3
Headers: 4/7 present (missing CSP, HSTS preload, Permissions-Policy)
Subdomains: 3 found
WHOIS: Registered 1995-08-14, ICANN
Tech: Akamai CDN, nginx

“Check if CVE-2024-3094 has public exploits”

CVE-2024-3094 (xz backdoor)
CVSS: 10.0 CRITICAL
EPSS: 0.947 (top 0.1%)
KEV: Yes — actively exploited
Exploits found: 3

“Is this password breached: hunter2”

EXPOSED in 17,043 breaches
Do NOT use this password.
(checked via k-anonymity — password was never transmitted)

Why MCP?

ContrastAPI is also a REST API with a Node.js SDK. You can curl it from any language.

But MCP changes the workflow:

Without MCP: Call endpoint → parse JSON → decide next step → call another endpoint → parse again → format output.

With MCP: “Audit this domain.” Done.

The agent picks the right tools, chains them, and gives you a summary. You focus on decisions, not plumbing.

Architecture

• FastAPI + official MCP Python SDK
• 30 REST endpoints, 23 MCP tools (same backend)
• 1,115 tests (912 API + 203 C scanner)
• Domain scanner written in C — scores SSL, DNS, headers, email in under 2 seconds
• All data from free, public sources — no paid feeds, no vendor lock-in

What I Learned

1. No API key = fastest adoption.
I removed the API key requirement and traffic jumped immediately. Zero friction wins. The free tier (100 req/hr) is generous enough that nobody has hit the limit yet.

2. MCP users are stickier.
MCP users make more requests per session than REST users. Once an agent has access to the tools, it chains them naturally — a single prompt can trigger 5-10 tool calls.

3. Get listed everywhere, early.
mcp.so, mcpservers.org, Smithery — these directories drive most of the discovery right now. The ecosystem is early and low-competition.

Limitations

Being transparent about what this isn’t:

• Passive only — no port scanning, no active exploitation. This is OSINT and public data, not a pentest tool.
• Rate limited — 100 req/hr free, 1000/hr on Pro ($19/mo). Enough for individual use, not bulk scanning.
• Solo project — I’m one developer. Response times are fast, but I don’t have an SRE team on-call.
• You don’t need API keys — we handle the integrations (Shodan, AbuseIPDB, ThreatFox, NVD, and more). No vendor accounts to set up on your end.

Try It

• GitHub: github.com/UPinar/contrastapi
• MCP setup: contrastcyber.com/mcp-setup
• Web scanner: contrastcyber.com
• API docs: api.contrastcyber.com

Free. Open source. No API key.

If you find it useful, a ⭐ on GitHub helps more than you think.

What security tools do you wish your AI agent could use? I’m always looking for what to build next.

It’s safe to say March was defined by one thing: Java 26. In this issue of Java Annotated Monthly, we’ve curated a rich selection of articles to help you get the full picture of the release. Marit van Dijk joins us as the featured guest author, bringing her expertise to help you navigate the changes with confidence. Alongside our Java 26 coverage, you’ll find our regular roundup of AI developments, Spring updates, Kotlin news, industry trends, and community reads that caught our eye.

Featured Content

Marit van Dijk

Marit van Dijk is a Java Champion and Developer Advocate at JetBrains with over 20 years of software development experience. She’s passionate about building great software with great people, and making developers’ lives easier.

Marit regularly presents at international conferences and shares her expertise through webinars, podcasts, blog posts, videos, and tutorials. She’s also a contributor to the book 97 Things Every Java Programmer Should Know (O’Reilly Media).

March held a lot of interesting things for Java. First of all, there was the Java 26 release on March 17. You can read all about Java 26 in IntelliJ IDEA on the blog, and find more links on Java 26 in the Java sections below.

Also in March, JavaOne took place in Redwood Shores, USA. During the community keynote, our colleague Anton Arhipov talked about 25 years of IntelliJ IDEA. In case you missed it, we also did a Duke’s Corner podcast and a Foojay podcast on the same topic. And of course, the IntelliJ IDEA documentary was released this month. Also at JavaOne, we announced that Koog is coming to Java, if you want to try JetBrains’ Koog AI agent with Java instead of Kotlin.

IntelliJ IDEA 2026.1 was just released. Of course we have Java 26 support from day one, as well as improvements to the debugger for virtual threads, support for new Kotlin features, Spring Data and Spring Debugger features, new AI features, and more. You can read all about it on the blog or watch our release video.

The release of Java 26 also means that Piotr Przybył and I updated our talk, Learning modern Java the playful way, for Java 26. You can watch the recording from Voxxed Days Amsterdam, or catch us at multiple events around Europe. 

Java News

Check out all the Java news highlights in March: 

• Java News Roundup 1, 2, 3, 4, 5
• Java 26: What’s New?
• HTTP Client Updates in Java 26
• Java Performance Update: From JDK 21 to JDK 25
• Quality Outreach Heads-up – JDK 27: Removal of ‘java.locale.useOldISOCodes’ System Property
• Episode 51 “Unboxing Java 26 for Developers” 
• Java 27 – Better Language, Better APIs, Better Runtime
• Foojay Podcast #92: Java 26 Is Here: What’s New, What’s Gone, and Why It Matters in 2026
• Java 26 in definitely UNDER 3 minutes
• JDK 26 Security Enhancements

Java Tutorials and Tips

You can never have too many tips for getting more out of Java:

• Java 26 for DevOps
• Java 26 Is Here, And With It a Solid Foundation for the Future
• Closed-world assumption in Java
• JavaScript (No, Not That One): Modern Automation with Java
• Redacting Sensitive Data from Java Flight Recorder Files
• Foojay Podcast #91: 25 Years of IntelliJ IDEA: The IDE That Grew Up With Java
• Vulnerable API usage: Is your Java code vulnerable?
• Java 26 is boring, and that’s a good thing
• Episode 49 “LazyConstants in JDK 26” 
• Empty Should be Empty
• Testing Elasticsearch. It just got simpler
• A Bootiful Podcast: Cay Horstmann, legendary Java professor, author, lecturer 
• Episode 50 “Towards Better Checked Exceptions” 
• How is Leyden improving Java Performance? 1, 2, 3
• Java Is Fast. Your Code Might Not Be.
• Data Oriented Programming, Beyond Records 
• Evolving the Java Language: An Inside Perspective
• Hybrid search with Java: LangChain4j Elasticsearch integration
• Secure Coding Guidelines for Java
• Estimating value of pi (π) using Monte Carlo Simulation and Vector API
• Javable: generate Java-friendly wrappers for Kotlin with KSP

Kotlin Corner

Stay sharp with the latest Kotlin news and practical tips:

• Kotlin 2.3.20 Released 
• Amper 0.10 – JDK Provisioning, a Maven Converter, Custom Compiler Plugins, and More 
• The klibs.io source repository was made public.
• Building a Deep Research Agent with Koog — Teaching Your Agent to Think in Phases 
• Koog Comes to Java: The Enterprise AI Agent Framework From JetBrains
• Introducing Tracy: The AI Observability Library for Kotlin 
• KotlinConf’26 Speakers: In Conversation with Josh Long 

AI 

Plenty of AI reads this month. Pick what catches your eye:

• Intelligent JVM Monitoring: Combining JDK Flight Recorder with AI
• AI coding skills from the engineers who build the JVM ecosystem
• Vibe Coding, But Production-Ready: A Specs-Driven Feedback Loop for AI-Assisted Development
• Busting AI Myths and Embracing Realities in Privacy & Security
• Shaping Jakarta Agentic AI Together – Watch the Open Conversation
• how i automated my life with mcp servers
• 10 things i hate about ai
• Writing an agent skill 
• Hacking AI – How to Survive the AI Uprising
• Stop Fighting Your AI: Engineering Prompts That Actually Work
• Four Patterns of AI Native Development
• Interactive Rubber Ducking with GenAI 
• The Oil and Water Moment in AI Architecture
• Look Inside a Large Language Model to Become a Better Java Developer
• A Senior Engineer Tries Vibe Coding
• How We Built a Java AI Agent by Connecting the Dots the Ecosystem Already Had 

Languages, Frameworks, Libraries, and Technologies

Spring updates and more tech news, all in one place:

• This Week in Spring 1, 2, 3, 4
• Data Enrichment in MongoDB
• Supercharge your JVM performance with Project Leyden and Spring Boot by Moritz Halbritter
• A Typo Led to the Creation of Spring Cloud Contract • Marcin Grzejszczak & Jakub Pilimon • GOTO 2026
• A Bootiful Podcast: Neo4j legend Jennifer Reif
• A Bootiful Podcast: Spring Messaging Legend Soby Chacko
• Blending Chat with Rich UIs with Spring AI and MCP Apps
• Java Microservices(SCS) vs. Spring Modulith
• Moving beyond Strings in Spring Data
• Quarkus has great performance – and we have new evidence
• Modeling One-to-Many Relationships in Java with MongoDB
• Clean Architecture with Spring Boot and MongoDB

Conferences and Events

Pick your next events to attend:

• Spring I/O – Barcelona, Spain, April 13–15; Come say hi at the JetBrains booth and join the community run! 

• Java Day Istanbul – Istanbul, Türkiye, April 17–18; Anton Arhipov is a speaker.  
• JCON EUROPE – Cologne, Germany, April 20–23; Marit van Dijk will talk about learning modern Java the playful way.
• Great International Developer Summit – Bengaluru, India, April 21–24; Join Siva Katamreddy’s talk on Spring AI + MCP. 
• Devoxx France – Paris, France, April 22–24; Check out the talks by Anton Arhipov and Marit van Dijk.  
• Devoxx Greece – Athens, Greece, April 23–25; Marit van Dijk is a speaker. 
• Voxxed Days Bucharest – Bucharest, Romania, April 28–29; And if you haven’t caught Marit van Dijk during this busy month of hers, here’s the last chance to hear her speak in April.

Culture and Community

Your go-to section to slow down and think about the industry, self-growth, and more:

• Mindful Leadership in the Age of AI
• Can we still make software that sparks joy?
• Information Flow: The Hidden Driver of Engineering Culture
• Beyond the Code: Hiring for Cultural Alignment
• Build a Spaced Repetition Flashcard API with Spring Boot & MongoDB (Part 1)
• Where Do Humans Fit in AI-Assisted Software Development?
• Green IT: How to Reduce the Impact of AI on the Environment
• Does Language Still Matter in the Age of AI? Yes — But the Tradeoff Has Changed
• IntelliJ IDEA: The Documentary | An origin story 
• The Software Architect Elevator 

And Finally…

Top picks from the IntelliJ IDEA blog:

• What’s fixed in IntelliJ IDEA 2026.1
• Java 26 in IntelliJ IDEA
• IntelliJ IDEA’s New Kotlin Coroutine Inspections, Explained
• Cursor Joined the ACP Registry and Is Now Live in Your JetBrains IDE
• Sunsetting Code With Me
• Koog Comes to Java: The Enterprise AI Agent Framework From JetBrains
• AI-Assisted Java Application Development with Agent Skills
• Core JavaScript and TypeScript Features Become Free in IntelliJ IDEA

That’s it for today! We’re always collecting ideas for the next Java Annotated Monthly – send us your suggestions via email or X by April 20. Don’t forget to check out our archive of past JAM issues for any articles you might have missed!

KVerify: A Two-Year Journey to Get Validation Right

In December 2023, I wrote a small article about a utility I called ValidationBuilder. The idea was simple: a DSL where you’d call validation rules as extension functions on property references, collect all violations in one pass, and get a result back. Ktor-specific, but the concept was portable.

I published it and moved on.

Except I didn’t.

The Problem

I came to Kotlin without a Java background. Spring was my first serious framework, and I didn’t really understand it.

My issue was specific: I was reaching for Kotlin object declarations where Spring wanted managed beans. I was hardcoding configuration values that should have been injected, not because I didn’t know configuration existed, but because I couldn’t figure out how to bridge Spring’s dependency injection with Kotlin’s object. I was working around my own knowledge gaps without realizing that’s what I was doing. Everything ran, so I assumed everything was fine.

Eventually I moved to Ktor. Deliberately — I wanted less magic, more control. What I got instead was a different kind of overwhelming. Ktor gives you primitives and expects you to build the structure yourself. No built-in validation, no standard error handling, no guardrails. You figure it out or you don’t.

That turned out to be one of the better things that happened to me as a developer. Without a framework making decisions for me, I had to actually learn why certain patterns exist. Architecture, separation of concerns, what makes code maintainable — I learned it the hard way, by building things from scratch and getting them wrong.

But the validation problem stayed unsolved. Hand-written if checks everywhere. Error messages as hardcoded strings. No reuse, no structure. I looked at Konform and Valiktor. Valiktor was already abandoned. Konform was actively maintained and had a reasonable DSL — but I looked at it, decided it would take too long to learn properly, and moved on. Which, in hindsight, is a funny reason to spend the next two years building my own library from scratch.

I didn’t have precise words for what was wrong. I just knew the answer wasn’t there.

So in December 2023, I wrote my own.

The Library

Seven months later, in July 2024, I started a proper repository. Not because I had a clear vision of what the library should be — I just wanted to stop copying the same validation code between projects. A few lines of dependency instead of manually replicating the ValidationBuilder every time.

That was the entire plan.

NamedValue

The library started with a concept called NamedValue — a simple wrapper: a value and a name, travelling together.

data class NamedValue<T>(val name: String, val value: T)

The reason was practical. Validation error messages need to reference the field that failed — “password must not be blank”, “age must be at least 18”. Without NamedValue, you’d have to pass the field name to every rule call manually. With it, the name was always there, carried alongside the value, available to any rule that needed it. Rules were just extension functions on NamedValue<T>:

password.named("password").notBlank().ofLength(8..255)

It felt clean. The infix named read naturally, the rules chained, and the name showed up in every error message automatically.

The problem was that it had quietly made a decision I hadn’t noticed yet — it tied the field name to the value itself, rather than to the validation context. That distinction wouldn’t matter for a while. And then it would matter enormously.

The Iterations

The 1.x releases came quickly. November, December 2024 — versions shipping, rules working, NamedValue doing its job. On paper, the library was functional.

But something kept feeling off. The ValidationContext had quietly accumulated weight:

fun validate(message: String, predicate: Predicate)
fun validate(rule: Rule<Unit>)
fun <T> T.validate(vararg rules: Rule<T>): T
fun <T> NamedValue<T>.validate(message: MessageCallback<T>, predicate: ValuePredicate<T>): NamedValue<T>
fun <T> NamedValue<T>.validate(ruleCallbackWithMessage: NamedValueRuleCallback<T>): NamedValue<T>

Five ways to validate. Type aliases for every possible callback shape. Each one added to solve a real problem — and together they made the interface feel like it was trying to be everything at once.

The fix was to stop and ask: what does a validation context actually need to do? The answer was one thing: decide what happens when a rule fails.

interface ValidationContext {
    fun onFailure(violation: Violation)
}

That’s it. Everything else was the rule’s problem, not the context’s.

This pattern repeated itself throughout 2025. Build something, feel the weight accumulate, find the one thing it actually needed to do, cut everything else. The library kept getting smaller. Each simplification felt right for a week, then revealed the next thing that was still wrong.

And through all of it, NamedValue stayed. Untouched. Seemingly fine.

5 AM

This was the state of things through most of 2025. Iterating. Releasing. Something always slightly wrong.

There were nights where I’d wake up at five — suddenly, with something already forming in my head. Not a diagram or a grand insight. Just code. An API shape. A specific thing that had been bothering me that now had an answer.

On July 14, 2025, that happened at 5:29 AM. I made two commits — a package restructuring I had been putting off for days — and started my day four hours early. I napped later and went to bed earlier that night.

The sleep during those periods wasn’t great. Not quite fever dreams, but something adjacent — restless, with the problem still running somewhere in the background. I wasn’t suffering dramatically. I was just genuinely stuck on something, and my brain apparently didn’t get the memo that work was supposed to stop.

Spring, Revisited

In January 2026, I decided to learn Spring again. Not to go back to it — just to understand it better. And since I had a library now, I figured I’d try using it alongside Spring’s own validation.

The code I wrote looked like this:

fun validate(context: ValidationContext) =
    with(context) {
        ::title.toNamed().verifyWith(
            provider.namedNotBlank(),
            provider.namedLengthBetween(3..255) { violation("Title must be between 3 and 255 characters long") }
        )
    }

Spring’s version, sitting right above it in the same file:

@NotBlank
@Length(min = 3, max = 255)
val title: String

I wasn’t trying to beat Spring at its own game — annotations are a different tool for a different philosophy. But looking at both side by side, something became impossible to ignore. The toNamed() call on every property. The provider object. The fact that adding a custom reason meant constructing a violation manually and losing the field name in the process. The constant risk of accidentally applying a regular rule to a named value or vice versa.

I had been living inside this DSL for over a year. I had stopped seeing it. Comparing it to anything — even Spring, which I had originally left — made the friction visible again.

NamedValue wasn’t a small ergonomics issue. It was a load-bearing flaw. And it had been there from the beginning.

The Decision

By January 2026, the problem had a name.

Not NamedValue specifically — the concept behind it. Rules and naming metadata were coupled. A rule for a named value was a different type than a rule for a plain value. That meant two rule sets, two providers, two of everything. Users had to constantly think about which kind of rule to reach for. The maintenance cost was real and growing.

I knew these two things shouldn’t coexist. What I didn’t know was how to separate them.

I had asked AI assistants about this problem before. Multiple times. Nothing useful came back — or maybe it did and I wasn’t ready to hear it yet. But one day in January 2026, I described the problem again, and the answer that came back was something I had been circling for two years without landing on: put the metadata in the context, not in the rule or the value. Rules validate values. Context carries where those values live.

I knew it was right immediately. Not because the AI said so — but because two years of the wrong model had made the right one recognizable the moment I saw it.

NamedValue was removed. Not in a single dramatic commit — it was simply no longer needed. The path would live in the context. Property references would put it there automatically. Rules would stay pure.

But “the context” now meant something different. The old ValidationContext — the interface that decided what to do on failure — was renamed to ValidationScope. A new ValidationContext took its place: a pure, immutable carrier of metadata. Same name, completely different responsibility. The scope executes. The context carries.

What followed was three months of more progress than the previous two years combined.

The New Context

Once NamedValue was gone, a new question appeared immediately: if the path lives in the context, how does the context store it?

The first attempt was a linked list — each context node held one path segment and a reference to its parent. Clean in theory, recursive in practice. It worked but felt fragile for deep nesting.

Two days later, I replaced it with something more ambitious — a design modeled directly after Kotlin’s CoroutineContext. Elements stored by key, retrievable by type, composable with +. It looked elegant:

interface ValidationContext {
    operator fun <E : Element> get(key: Key<E>): E?
    operator fun plus(context: ValidationContext): ValidationContext

    interface Key<E : Element>
    interface Element : ValidationContext {
        val key: Key<*>
    }
}

It lasted twenty-two days.

The flaw was fundamental. CoroutineContext uses key-based replacement — if you add an element with a key that already exists, it replaces the old one. That’s the right behavior for something like a coroutine dispatcher, where you want exactly one. But a validation path needs multiple NamePathElements to coexist. A path like user.friends[0].user requires the same element type to appear multiple times — key replacement silently destroyed them.

The next attempt dropped the key system entirely. Elements became a plain list, retrieved by type filtering. Simpler, but every + operation allocated a new list. Fine for shallow contexts, wasteful for deep ones.

Then fold replaced the list — a binary tree of CombinedContext(left, right) nodes, traversed lazily. No intermediate allocations. Better.

Then, two weeks later, one more simplification: replace fold with Iterable. Not because fold was wrong — but because Iterable is something every Kotlin developer already understands. filter, filterIsInstance, for loops — all of it works immediately, with no new protocol to learn. The context became something you could hand to any standard library function without explanation.

interface ValidationContext : Iterable<ValidationContext.Element>

That was the final form. Six weeks, five implementations, one interface.

The Rules Problem

There was one more problem to solve.

The scope controlled what happened on failure — collect, throw, or anything else. But “anything else” was the interesting part. What if you wanted to stop after the first violation and skip all remaining rules? The scope needed to intercept rule execution to do that.

So rules came back as an explicit abstraction. A rule received the context and the value, ran a check, and returned a violation or null:

interface Rule<in T> {
    fun check(context: ValidationContext, value: T): Violation?
}

The scope would call it, inspect the result, and decide what to do next:

fun <T> enforce(rule: Rule<T>, value: T) {
    val violation = rule.check(validationContext, value) ?: return
    onFailure(violation)
}

This worked — until you tried to extend a scope with additional context. Kotlin’s by delegation copies the implementation from the delegated object, not the receiver. So when ContextExtendedValidationScope delegated to the original scope, enforce ran with the original scope’s validationContext — not the overridden one. The extended context, the one with the path segment you just added, was completely invisible to the rule.

internal class ContextExtendedValidationScope<out T : ValidationScope>(
    val originalValidationScope: T,
    val additionalContext: ValidationContext,
) : ValidationScope by originalValidationScope {
    override val validationContext: ValidationContext
        get() = originalValidationScope.validationContext + additionalContext
}

The overridden validationContext was there. The enforce implementation just never called it.

I tried to fix the delegation chain. There was no clean way.

The solution was to stop passing context and value to the rule entirely. A rule is just a check — it closes over whatever it needs from the surrounding code. By the time enforce is called, the closure already has the right scope, the right context, the right value:

fun interface Rule {
    fun check(): Violation?
}

scope.enforce {
    if (value.isBlank()) NotBlankViolation(
        validationPath = scope.validationContext.validationPath(),
        reason = "must not be blank",
    ) else null
}

value and scope are already in the closure. The rule doesn’t need parameters. The delegation problem disappeared — because there was nothing left to delegate except the outcome.

Polishing

By late February 2026, the architecture was right. What remained was a different kind of work — not building, but removing.

The guiding principle was simple: leave only the shape. Strip everything down to the minimal core, then test it, then add back only what proved it deserved to exist. Any helper function that wasn’t load-bearing — gone. Any abstraction that existed for convenience rather than necessity — gone.

The commit messages tell the story plainly. reduce public API surface to minimal stable core. replace class-based Rule hierarchy with extension functions. Rule composition operators — and, or, ! — removed. The Verification interface removed, kept as a concrete class. FirstViolationValidationScope removed entirely.

It wasn’t painful. Overshipping and dealing with it after a release felt far worse than cutting now. A public API is a promise — every method you expose is something you have to maintain, something users will depend on, something you can’t easily take back. The smaller the surface, the more deliberate every addition has to be.

What remained after the cuts was small enough to hold in your head. Clean enough to document properly. Stable enough to release.

On March 23, 2026 — two years and nine months after the first commit — KVerify 2.0.0 shipped.

The Comparison

This is the core of KVerify on its first commit, July 13, 2024:

// Collect all violations
inline fun collectViolations(block: CollectAllContext.() -> Unit): ValidationResult

// Fail on first violation
inline fun failFast(block: FailFastContext.() -> Unit): ValidationResult

// Rules as extension functions
fun NamedString.notBlank(message: String = "$name must not be blank"): NamedString =
    validate(message) { it.isNotBlank() }

// Violations collected into a result
val isValid get() = this is ValidationResult.Valid
inline fun ValidationResult.onInvalid(block: (List<ValidationException>) -> Unit): ValidationResult
inline fun ValidationResult.onValid(block: () -> Unit): ValidationResult

And this is KVerify 2.0.0:

// Collect all violations
inline fun validateCollecting(block: CollectingValidationScope.() -> Unit): ValidationResult

// Fail on first violation
inline fun validateThrowing(block: ThrowingValidationScope.() -> T): T

// Rules as extension functions
fun Verification<String>.notBlank(reason: String? = null): Verification<String> =
    apply {
        scope.enforce {
            if (value.isBlank()) NotBlankViolation(
                validationPath = scope.validationContext.validationPath(),
                reason = reason ?: "Value must not be blank",
            ) else null
        }
    }

// Violations collected into a result
val isValid: Boolean get() = violations.isEmpty()
inline fun ValidationResult.onInvalid(block: (List<Violation>) -> Unit)
inline fun ValidationResult.onValid(block: () -> Unit)

The user-facing API changed completely. The underlying shape did not.

Two strategies — collect or throw. Rules as extension functions. A result you can branch on. onValid, onInvalid. These were all there on day one. Not because the first version was well-designed — it wasn’t. But because the instinct pointing toward them was right.

What two years bought was the understanding of why they were right. The NamedValue coupling, the overengineered contexts, the delegation trap, the CoroutineContext detour — none of it was wasted. Each wrong turn made the correct shape more recognizable. By the time the right architecture appeared, it was obvious. Not because it was simple — because everything else had already been tried.

Experience isn’t knowing the answer. It’s having been wrong enough times to recognize it when you finally see it.

What it looks like today

data class Address(val street: String, val city: String, val postalCode: String)
data class RegisterRequest(val username: String, val email: String, val age: Int, val address: Address)

fun ValidationScope.validate(request: RegisterRequest) {
    verify(request::username).notBlank().minLength(3).maxLength(20)
    verify(request::email).notBlank()
    verify(request::age).atLeast(18)

    pathName("address") {
        verify(request.address::street).notBlank()
        verify(request.address::city).notBlank()
        verify(request.address::postalCode).exactLength(5)
    }
}

val result = validateCollecting { validate(request) }

result.violations
    .filterIsInstance<PathAwareViolation>()
    .forEach { println("${it.validationPath}: ${it.reason}") }

If any of this resonated — the frustration with existing tools, the design problems, or just the library itself — KVerify is on GitHub. A star goes a long way for a solo project. And if you try it and something feels wrong, open an issue. Two years of iteration taught me that the best feedback comes from someone actually using it.

INTRODUCTION

According to Microsoft, Power BI is a complete reporting solution that offers data preparation, data visualization, distribution, and management through development tools and an online platform. Power BI can scale from simple reports using a single data source to reports requiring complex data modeling and consistent themes. Use Power BI to create visually stunning, interactive reports to serve as the analytics and decision engine behind group projects, divisions, or entire organizations.
The foundation of every successful Power BI report is reliable data ingestion. Before a report can be successfully created, ability to extract data from various data sources is the first crucial step to building an effective report. Interacting with SQL Server is different from Excel, so learning the nuances of how data connection from different sources works is important in order to be able to use other PowerBI tools for effective decision making.
In most real-world business contexts, data is typically spread across multiple sources rather than confined to one. A data analyst may need to integrate data from Excel files, CSVs, SQL Server databases, PDFs, JSON APIs, and SharePoint folders into a unified report. Power BI is well-equipped for this task, offering powerful tools like Get Data and Power Query to efficiently connect, combine, and transform data from various sources. This guide explores how Power BI enables multi-source data integration and provides a step-by-step approach to implementing it effectively.
In this guide, you will learn how to:
• Connect Power BI to multiple data sources efficiently
• Use Power Query to preview and explore your data
• Detect and resolve data quality issues early
• Build a strong foundation for accurate data modeling and reporting.

Architecture Overview

At a high level, Power BI follows a layered architecture which consists of:
• Power BI Desktop as the reporting and modeling tool
• Multiple data sources, including:
o Excel and Text/CSV files
o SQL Server databases
o JSON and PDF files
o SharePoint folders
All data flows into Power BI through Power Query, where it is reviewed and prepared before loading into the data model.
Connecting Data from Multiple Sources
Power BI allows you to connect to a wide range of data sources. Below are step-by-step guides for each major source.

Step 1: Connecting to Excel

1. Open Power BI Desktop
   
2. Navigate to Home → Get Data → Excel
   
3. Browse and select your Excel file
   
4. In the Navigator window, select the required sheets or tables
   
5. Click Load (to import directly) or Transform Data (to clean first)

Step 2: Connecting to Text/CSV Files

1. Open Power BI Desktop
2. Navigate to Home → Get Data → Text/CSV
   
3. Browse and select the CSV file (e.g., MultiTimeline.csv)
   
4. Preview the dataset in the dialog window
   
5. Click Load or Transform Data

Step 3: Connecting to PDF

1. Open Power BI Desktop
2. Navigate to Home → Get Data → PDF
   
3. Select the PDF file
   
4. Wait for Power BI to detect available tables
5. Select the desired table(s)
6. Click Load or Transform Data
   

Step 4: Connecting to JSON

1. Open Power BI Desktop
2. Navigate to Home → Get Data → JSON
   
3. Select the JSON file or input API endpoint
   
   
4. Load the data into Power Query
5. Expand nested fields to structure the data properly
   
6. Click Close & Apply

Step 5: Connecting to SharePoint Folder

1. Open Power BI Desktop
   
2. Navigate to Home → Get Data → SharePoint Folder
   
3. Enter the SharePoint site URL
4. Click OK and authenticate if required
   
5. Select files from the folder
6. Click Combine & Transform Data
   

Step 6: Connecting to MySQL Database

1. Open Power BI Desktop
   
2. Navigate to Home → Get Data → MySQL Database
   
3. Enter the server name and database
   
4. Provide authentication credentials and click connect
   
5. Select the required tables
6. Click Load or Transform Data
   

Step 7: Connecting to SQL Server

1. Open Power BI Desktop
2. Navigate to Home → Get Data → SQL Server
   
3. Enter the server name (e.g., localhost)
   
4. Leave the database field blank (or specify one if needed)
5. Click OK
6. Select authentication method (e.g., Windows credentials)
7. In the Navigator pane, expand the database (e.g., AdventureWorksDW2020)
8. Select required tables such as:
   o DimEmployee
   o DimProduct
   o DimAccount
9. Click Transform Data to open Power Query Editor
   

Step 8: Connecting to Web Data

1. Open Power BI Desktop
2. Navigate to Home → Get Data → Web
   
3. Enter the URL of the web page or API
   
4. Click OK
5. Select the data table or structure detected
6. Click Load or Transform Data
   

Step 9: Connecting to Azure Analysis Services

1. Open Power BI Desktop
2. Navigate to Home → Get Data → Azure → Azure Analysis Services
   
3. Enter the server name
4. Select the database/model
5. Choose connection mode (Live connection recommended)
6. Click Connect
   

Conclusion

Integrating data from multiple sources in Microsoft Power BI is a foundational skill for modern data analysts. By understanding the architecture and following a structured approach, you can transform fragmented datasets into cohesive, insight-driven reports. Ultimately, great analytics begins with great data and great data begins with how well you connect, prepare, understand and use it to make business decisions.
Mastering tools like Power Query and applying best practices in data modeling will significantly enhance the quality and performance of your analytics solutions.

What I Built

Dark Dish Lab is a tiny, delightfully useless web app that generates cursed food or drink recipes.

You pick:

• Hated ingredients
• Flavor chaos (salty / sweet / spicy / sour)

Then it generates a short “recipe” with a horror score, a few steps, and a warning.

It solves no real-world problem. It only creates regret.

Demo

• YouTube demo

Code

• GitHub repo

How I Built It

• Frontend: React (Vite)
  • Ingredient + flavor selection UI
  • Calls backend API and renders the generated result
• Backend: Spring Boot (Java 17)
  • POST /api/generate endpoint
  • Generates a short recipe text and returns JSON
• Optional AI: Google Gemini API
  • If AI is enabled and a key is provided, it asks Gemini for a very short recipe format
  • If AI is disabled or fails, it falls back to a non-AI generator
• Notes
  • Only Unicode emojis are used (no emoji image assets)
  • API keys are kept in local env files and not committed

How I Leveraged Google AI

Gemini (via the Gemini API) is the text generator behind Dark Dish Lab’s “cursed recipe” output.

Instead of using AI as a generic chatbot, I use it as a formatting engine:

• Input: selected ingredients + flavor axes (salty/sweet/spicy/sour)
• Output: a short, structured recipe (name, 3 steps, 1 warning)

To keep the experience stable and demo-friendly, I added a few guardrails:

• Server-side API key only (kept in backend/.env.local, not committed)
• Strict prompt constraints (no emojis, short length, fixed format)
• Fallback generator when Gemini is disabled/unavailable
• Output trimming to avoid unexpectedly long responses

Prize Category

• Best Use of Google AI — I integrated the Gemini API to generate short, structured cursed recipes from the user’s selected ingredients and flavor axes.
• Community Favorite angle — Try to generate the most cursed combo you can. Comment your ingredient + flavor picks and the horror score you got. Bonus points if your friends refuse to read it.

This article was originally published on igorvoloc.com
I write about Developer Productivity Engineering — DX, AI-assisted dev, legacy migration, and business impact from the trenches.

I tracked my own time for two weeks, logging each hour. The numbers were discouraging enough that I stopped. Most of what I called ‘development time’ was actually spent waiting, searching, context-switching, rerunning flaky tests, or digging through outdated documentation and message threads.

This isn’t unique to me. It’s common, and most teams have come to accept it as normal. This invisible waste is what Developer Productivity Engineering (DPE) aims to eliminate.

There’s a deeper reason these problems persist: the people with the power to fund solutions almost never hear about them. Developers spot the slow builds, flaky pipelines, and broken docs immediately — but that pain rarely travels up the chain. Most engineers simply work around it, patching things locally or absorbing the friction as part of the job. By the time leadership hears about the issues, it’s usually reached crisis level.

The Waste Is Real

Developers lose hours each week to friction instead of building a product.¹ 58% report losing five or more hours weekly to inefficiencies like slow builds, broken tooling, and knowledge gaps—a number I’ve observed almost everywhere, and which matches the data.

62% of developers cite technical debt as their top frustration, while over 10% work at companies lacking CI/CD, automated testing, or DevOps.²

61% of developers spend at least 30 minutes per day searching for information.³ Over a third are blocked by knowledge silos, and a similar share re-answer questions they’ve already solved.³ People call it a documentation problem, but it’s also an architecture and onboarding problem. Knowledge and culture get little attention, do the most damage, and rarely show up on dashboards.

On a team of 50 developers with an average salary of $150K (based on US developer salary benchmarks), 30 minutes lost per person each day adds up to nearly $500K per year. That’s the equivalent of three full-time engineers lost to inefficiency.

The waste is the problem DPE aims to solve. Most organizations under-invest in it.

Nobody’s Fixing Developer Productivity — Here’s Why

Your sales team gets a CRM. Nobody asks them to manage deals in a spreadsheet. Finance gets proper accounting software. Nobody questions the ROI on that.

Developers, often among the highest-paid and hardest to replace, must work around friction. They deal with broken CI pipelines, undocumented services, and spend time searching for information that should be readily available.

Here’s the part most managers don’t see: staff and senior engineers on your team are already doing DPE work. They just don’t call it that.

They notice the build is slow and spend a Saturday morning tracking down why. They write the runbook nobody asked for. They push for the migration nobody wants to focus on.

This is DPE work: invisible, uncredited, and taking time away from what teams actually measure. I’ve watched good engineers burn out this way — doing the most important work in the company while getting zero credit for it.

Half of tech managers say their companies measure productivity or DevEx, but only 16% have anyone dedicated to improving them.⁴

66% of developers say productivity metrics miss their real contributions.⁵ Most rely on crude measures: lines of code, story points, commit frequency. Engineers can game these in a month. Everyone knows the numbers aren’t real. And 60% of engineering orgs follow no specific measurement framework,¹ though 90% rate improving productivity as a top initiative (8.2/10 on average).¹

DORA’s 2025 research, surveying nearly 5,000 professionals, confirms the pattern: only 40% of teams excel at both speed and stability.⁶ The rest are held back by process friction and foundational gaps — not trade-offs. The “speed vs. stability” compromise is a myth: the best teams do both.

The core issue is that measuring is easy, but fixing is hard. If you track but never fix, you’re just surveilling. Trust drops, and nothing improves.

What Developer Productivity Engineering Actually Is

DPE is broader than developer experience. DX is one part, but not the whole. DPE treats the developer ecosystem as a system with four interconnected pillars:

• Developer Experience — feedback loops, cognitive demand, flow state
• Engineering Infrastructure — build systems, CI/CD, test automation, platform tooling, legacy migration
• Knowledge and Culture — how information flows, gets captured, and outlasts turnover
• AI Augmentation — how AI tools sit on top of and multiply whatever the other three produce

If one pillar is weak, the others can’t compensate. Developer experience is where most of that friction shows up first — and the most useful way to think about DX focuses on three dimensions that include most of what matters: feedback loops, cognitive demand, and flow state.⁷

• Feedback loops are the most obvious. How long from git push to “did this work?” If the answer is 20 minutes, you’ve already lost the thread.
• Cognitive demand is trickier. It’s not only about whether the code is hard; it’s about how much you need to remember to make a safe change. Every undocumented service boundary and each hidden dependency adds a hidden load. You only notice it when a new hire takes three months to become productive.
• Flow state is the 2-3-hour window when someone is actually solving a hard problem. How often does the environment protect it?

The biggest influence on DX isn’t tooling — it’s cultural and organizational factors: how product management works, how decisions get made, and how teams communicate.⁷ Tooling matters, but the org sets the ceiling. This is why so many “DX improvement” initiatives fail: they buy tools without addressing the environments in which those tools operate.

Legacy systems are a drag on every engineer who touches them. Patterns like strangler fig and incremental migration work, but only if someone gives them priority. In most organizations, that person is a staff engineer making the case to leadership who don’t feel the friction directly.

And then there’s AI, which builds on top of all three pillars. According to DORA’s survey of nearly 5,000 professionals, over 80% of developers say AI has increased their productivity.⁶ About a third of new code in surveyed organizations now comes from AI.⁸

But AI only multiplies the system you already have. If your DX is good, AI tools make it even better. If your DX is broken, AI just makes things break faster.

The DORA 2025 report — the most comprehensive study of AI in software development to date — calls AI “an amplifier.”⁶ It magnifies the strengths of high-performing organizations and the dysfunctions of struggling ones. At Adidas, teams with loosely coupled architectures and fast feedback loops saw 20–30% productivity gains from AI and a 50% increase in “Happy Time.” Teams with slower feedback loops due to tight coupling saw little to no benefit.⁶

The Fix Exists — And It Compounds

The ROI Is Real

A single point increase on the Developer Experience Index saves 13 minutes per developer per week. On a 200-person team, a 5-point improvement adds up to 11,000 developer-hours per year. That’s equivalent to five full-time engineers without additional hiring.

DPE interventions compound over time. Better DX means less time lost to tools and faster delivery. It also improves customer satisfaction — and this is where the numbers get serious.

24.5% of developers are happy at work. 47.1% are complacent. 28.4% are actively unhappy.¹¹ The top satisfaction factor is autonomy and trust.

DPE maps directly onto what keeps engineers engaged — autonomy through better tooling, trust when you eliminate surveillance metrics, and quality because the environment actually supports the work. On a 50-person team, preventing even one or two senior departures per year can pay for a DPE initiative on its own.

Where to Actually Start

You don’t need a large initiative. One person with focus and about 90 days can make a difference. There’s no three-step plan — every organization is different.

The main mistake is treating DPE as a one-off initiative. It’s a practice, like security reviews or performance testing, that needs persistent attention.

But you still need a starting point. Identify the top three pain points by asking, not guessing. A short survey or a few brief conversations across teams is usually enough. The answers often differ from leadership’s assumptions, and the fixes are usually smaller than expected.

Fix one issue and measure the result. Problems are normal: migrations take longer, process changes meet resistance, or metrics don’t move as expected. Use early wins to gain credibility for the next improvement. Bring data.

If you’re a staff or senior engineer who struggles to get leadership’s attention, the data here is for you. You’ve likely been doing DPE work already, even if it’s invisible. Now you have a framework and a name for it.

What’s the one thing on your team that makes you close your laptop and walk away? I’m genuinely curious.

References

1. Cortex. (2024). State of Developer Productivity Report ↩

2. Stack Overflow. (2024). Developer Survey 2024 — Most Common Frustrations  ↩

3. Stack Overflow. (2024). Developer Survey 2024 — Time Spent Searching for Information ↩

4. JetBrains. (2024). Developer Ecosystem Survey 2024 ↩

5. JetBrains. (2025). Developer Ecosystem Survey 2025 ↩

6. DORA. (2025). State of AI-Assisted Software Development ↩

7. Noda, A., Storey, M.-A., Forsgren, N., Greiler, M. (2023). DevEx: What Actually Drives Productivity ↩

8. GitLab. (2026). Global DevSecOps Report ↩

9. DX. (n.d.). Measuring Developer Productivity with the DX Core 4 ↩

10. DX. (n.d.). The One Number You Need to Increase ROI Per Engineer ↩

11. Stack Overflow. (2025). Developer Survey 2025  ↩

To solve compute problems we use different type of data structures like array , maps, etc. One such data structure is matrices or 2D arrays. Matrices act as foundation for other data structure like graphs .

Define matrices in python

matrix = [
   [1, 2, 3],
   [4, 5, 6],
   [7, 8, 9]
]

Define a 3×3 matrix in python, row(R) equals 3 and column(C) equals 3

matrix_3x3 = [[0]* 3 for in range(3)]

There are popular problems in matrices:

Transpose a matrix:

def calculate_transpose_of_matrix(mat: list[list]) -> list[list]:
    N = len(mat)
    for i in range(N):
       for j in range(i+1, N):
           mat[i][j], mat[j][i] = mat[j][i], mat[i][j]

   return mat

Print matrix in spiral pattern:

def print_matrix_in_spiral(mat: list[list]) -> list[list]:
    R = len(mat)
    C = len(mat[0])

    top = 0
    left = 0
    bottom = R - 1
    right = C - 1

    while top <= bottom and left <= right:
        for i in range(left, (right + 1)):
            print(mat[top][i], end=" ")
        top += 1
        for i in range(top, (bottom + 1)):
            print(mat[i][right], end=" ")
        right -= 1
        if top <= bottom:
            for i in range(right, (left - 1), -1):
                print(mat[bottom][i], end=" ")
            bottom -= 1
        if left <= right:
            for i in range(bottom, (top - 1), -1):
                print(mat[i][left], end= " ")
            left += 1

LoreSpec: an open standard for structured AI conversation outputs. Makes agent chats portable, auditable, and machine‑readable. Model‑agnostic — works with any LLM that reads a system prompt. Plug it into your audit/pipeline: https://lorespec.org/

The AI landscape is experiencing unprecedented growth and transformation. This post delves into the key developments shaping the future of artificial intelligence, from massive industry investments to critical safety considerations and integration into core development processes.

Key Areas Explored:

• Record-Breaking Investments: Major tech firms are committing billions to AI infrastructure, signaling a significant acceleration in the field.
• AI in Software Development: We examine how companies are leveraging AI for code generation and the implications for engineering workflows.
• Safety and Responsibility: The increasing focus on ethical AI development and protecting vulnerable users, particularly minors.
• Market Dynamics: How AI is influencing stock performance, cloud computing strategies, and global market trends.
• Global AI Strategies: Companies are adapting AI development for specific regional markets.

This deep dive aims to provide developers, tech leaders, and enthusiasts with a comprehensive overview of the current state and future trajectory of AI.

AI #ArtificialIntelligence #TechTrends #SoftwareEngineering #MachineLearning #CloudComputing #FutureOfTech #AISafety