The rule that fixes most teams' logs

Every log line should answer three questions: when, what, and about whom.

• When: ISO 8601 timestamp with timezone, ideally with microseconds.
• What: Event name (not a sentence). "user.signup.attempted" beats "User attempted to sign up with the email field empty."
• About whom: Stable identifiers — user ID, request ID, account ID — not display names.

A log line that doesn't answer all three is something you wrote for a human reading it once. Useful for development, useless for incident response.

Structured logs, always

JSON. Or logfmt. Pick one, stick with it, do not mix. Plain-text logs are unparseable at scale. Every modern logging library supports structured output. There is no defensible reason to ship plain text in 2026.

{
  "ts": "2026-05-08T14:23:11.421Z",
  "level": "warn",
  "event": "rate_limit.exceeded",
  "request_id": "req_3kz9a",
  "user_id": "usr_8821",
  "endpoint": "POST /api/checkout",
  "current_rate": 142,
  "limit": 100
}

Now you can grep, group, filter, aggregate. The same line in prose is unsearchable.

Log levels mean something

Most teams degrade their log levels into noise within a year. The discipline:

• ERROR — something failed that requires human attention. Should page someone or end up in a triage queue. If you have a million errors, none of them are errors anymore.
• WARN — something is suspicious but the system handled it. Used for fallbacks, retries, degraded mode.
• INFO — meaningful business events. Order placed, user registered. One line per request is too many; one line per business event is right.
• DEBUG — turned off in production by default, turned on when you need to trace a specific issue.

The error level is the one that breaks most often. Aspirational: an ERROR log should be rare enough that a human looks at every one.

Correlation IDs

One ID, generated at the entry point of a request, propagated through every downstream call, attached to every log line. Without this, debugging a multi-service request is archaeology. With it, you grep one ID and see the whole story.

OpenTelemetry handles this automatically if you let it. Use OpenTelemetry.

Sampling, not filtering

Production traffic is too high to log every request fully. The naive answer is to drop log lines — and you always drop the wrong ones. The better answer is to sample: log 100% of errors and slow requests, log 1% of everything else, but keep the structure consistent so the sample can be aggregated.

Most modern logging pipelines (Honeycomb, Datadog, Grafana) support this natively. Use it. Your bill will thank you and the data quality will improve.

Things that have never helped us

• "Verbose mode" logs in production. Always overwhelming, never useful.
• Logging full request bodies. PII risk + storage cost + signal-to-noise problem. Log structure, not contents.
• Logging response bodies on success. Same problems, less reason.
• Manual console.log sprinkled before deployment. You will forget at least one. Use a logger, route it through your normal pipeline.

The two tools we actually use

You don't need everything. We rely on two patterns in 2026:

1. A structured logging library (Pino in Node, Zap in Go, structlog in Python) writing JSON to stdout. The container runtime collects it.
2. An observability backend (we're mostly on Grafana Loki or Honeycomb, depending on the project's budget). The backend handles indexing, querying, alerting.

That's it. We don't self-host Elasticsearch. We don't ship logs through a third queueing system. Simpler infrastructure has simpler failure modes when the alarm goes off at 3am.

The habit that pays off

When an incident is over, before the post-mortem, write down the single query that would have surfaced the issue fastest. If that query is hard or impossible, the logs aren't doing their job — fix the logs before you fix the bug. Teams that do this consistently halve their mean-time-to-resolution within a quarter. Teams that don't treat logs as a product end up rediscovering the same blind spots every time.

Good logs are written for the person who will read them at 3am. That person is usually you, six months from now, with less context than you have today. Write accordingly.

The mental model shifted

Stop thinking of an agent as a faster typist. Think of it as a junior engineer with infinite tabs open and no biological need to sleep. The bottleneck is no longer code generation speed — it is the quality of your instructions and the precision of your verification step.

The teams getting wins in 2026 share three traits:

• They write tickets in the structure an agent can parse — context, constraint, acceptance criterion.
• They invest in test scaffolding before invoking the agent, not after.
• They review diffs the way a senior engineer reviews a junior's PR — not by reading every line, but by spot-checking the high-risk seams.

What works in production

Bounded refactors

Renaming a symbol across 200 files, adding a parameter to every call site, converting a logging API — agents nail these. They beat any IDE refactor on multi-language repos and never miss a stale string-template usage.

Test scaffolding

Pointing an agent at an untested module with a sentence like "give me a Jest suite that covers the public API and the error branches" produces 80% of the boilerplate. The 20% you fix yourself is the part where you remember what the module is actually supposed to do.

Migration scripts

Schema migrations, API version bumps, framework upgrades. The agent reads the diff of the upstream changelog, scans your code, and produces a plan. You read the plan, push back on three things, and you're done in an afternoon what used to be a week.

What does not work

Agents still get lost in ambient context — codebases where the rule about how things are done is implicit, scattered across Slack threads, or stored exclusively in one tenured engineer's head. If your team can't articulate why the build pipeline does what it does, the agent will not magically intuit it.

They also struggle with cross-cutting product decisions. "Refactor checkout to use the new pricing engine" is a product question dressed as an engineering task. The agent will pick a plausible interpretation and run with it. Sometimes that interpretation is wrong in a way you only discover at the next billing cycle.

Cost calibration

The unit economics matter again. A long-running agent task can burn through tokens fast. Our rule of thumb in 2026: budget the cost the same way you'd budget a contractor's day rate. If a task feels like it should cost $20 and you're at $400, something is wrong — usually the agent is in a loop or hallucinating dependencies. Kill it and re-scope.

The unglamorous winners

The features we most often hand to an agent in 2026 are the ones nobody wanted to write themselves:

1. Internationalisation passes: extracting strings, generating placeholder translations, updating templates.
2. Accessibility audits: agent runs axe-core, agent fixes contrast/aria/labels, agent opens a PR.
3. Dependency upgrades: the long tail of minor bumps that keep your security scanner quiet.
4. Documentation refreshes: updating README snippets after API changes.

Where we've landed

Treat agents as force multipliers, not replacements. Our team of six ships roughly what a team of nine shipped two years ago, and the gain comes almost entirely from removing the work nobody enjoyed in the first place. Code review headcount, on the other hand, has not gone down. Senior engineers spend more time reviewing diffs and less time writing them. That is the trade.

The pattern that keeps proving itself: agents are excellent at making your codebase more like itself and dangerous at changing what your codebase is. Use them accordingly.

What we stopped using

SCSS variables

Native CSS custom properties have been usable for years. In 2026 they're strictly better than Sass variables for almost everything — runtime updatable, scoped, debuggable in the browser. We still use Sass on legacy codebases, but new projects don't need it.

PostCSS plugins for nesting and modern colour

Native nesting is universal. oklch(), color-mix(), and relative color syntax cover the cases that needed postcss-color-function. The build pipeline gets shorter.

CSS-in-JS for visual styling

The runtime cost of styled-components, emotion, and friends never went down. The build-time alternatives (Vanilla Extract, Linaria) survived and are pleasant, but native CSS is now expressive enough that "I need JS to style this" is rarely true. Hover states, focus states, dark mode, container queries — all native, all without a runtime.

Utility-only frameworks for everything

Tailwind and its kin are still good tools. We use Tailwind on most client work. But the pattern of "every component is a thousand utility classes" doesn't scale aesthetically or maintainably. The 2026 approach is utilities for layout and spacing, semantic CSS for the component-specific bits, both in the same file.

What we kept

A design token system

The exact tooling matters less than the discipline. Whether the tokens live in Style Dictionary, in Tailwind's config, or in a hand-written set of CSS custom properties, every team that ships consistent UI has tokens.

A reset

Modern browsers agree more than they used to. They still don't agree completely. A small reset (or Tailwind's preflight) at the top of the cascade saves a category of bugs that we still see.

Class-based naming

BEM, semantic class names, utility classes — any of these are fine. What still doesn't work is "no convention." A new contributor to a codebase needs to be able to write a class name and have a reasonable expectation of what it should look like.

The features we use most in 2026

Container queries

The single biggest practical win of the last few years. Components style themselves based on their container, not the viewport. The mental model of "this card looks like X when it's in a sidebar and like Y when it's in a grid" finally has a native primitive.

Cascade layers

Specificity wars are now solvable. @layer reset, framework, custom; at the top of your stylesheet imposes a deterministic order that's easier to reason about than !important ever was.

:has()

The parent selector we waited 20 years for. Real, supported, immensely useful for "style this thing based on what it contains."

Native nesting

Reads like Sass, works without a build step. The biggest quality-of-life improvement to writing CSS in years.

View Transitions API

Cross-document and within-document. Smooth page transitions are now achievable without a framework. We use this on every content site we ship.

The features we don't reach for

• Subgrid. Useful when you need it. Most layouts don't.
• Anchor positioning. Powerful but still rough at the edges. We mostly use floating-ui until anchor positioning stabilises in tooling.
• Scroll-driven animations. Cool demos. Few production use cases worth the complexity.

The 2026 stack we recommend

1. A small reset (about 30 lines).
2. Design tokens as CSS custom properties.
3. Cascade layers to keep the order honest.
4. Tailwind (or an equivalent utility set) for layout, spacing, and quick states.
5. Semantic component CSS for everything else, using nesting and :has() freely.
6. Container queries where components need to be context-aware.

Bottom line

CSS is no longer the language people complain about. It is the language people now reach for first, instead of last. The tools that filled the gaps for a decade are mostly optional. If you haven't looked at native CSS seriously since 2020, you're carrying tooling weight that doesn't earn its keep anymore.

The minimum viable deploy

If your output is a folder of static files (it usually is), the entire deploy is one command:

npx wrangler pages deploy ./dist --project-name=your-project

The first time it runs, Wrangler creates the project. Every subsequent run uploads a new immutable deployment, gives you a unique preview URL, and atomically swaps production once you confirm. No build pipeline, no GitHub Actions, no waiting in a queue.

Project structure that does not fight you

We keep this layout for every Pages project:

• /site/ — the actual output, what gets deployed
• /_headers — global response headers (cache, security)
• /_redirects — old URL → new URL mappings
• /functions/ — optional edge functions (kept empty unless needed)
• /redeploy.sh — one script that rebuilds and deploys

The principle: a junior teammate should be able to ship a fix to production by running one command they did not have to write.

Headers worth setting

Out of the box, Pages serves files with reasonable defaults. We override two categories:

Long-lived assets

/*.css
  Cache-Control: public, max-age=31536000, immutable
/*.svg
  Cache-Control: public, max-age=31536000, immutable

Anything content-hashed gets a year. Pages handles invalidation by serving new hashes on the next deploy.

HTML

/*.html
  Cache-Control: public, max-age=0, must-revalidate

HTML is always re-validated. The CDN still caches it, but stale-while-revalidate keeps users on the latest deploy without us touching anything.

Redirects: the only WordPress-era debt worth paying off

If you're moving a legacy site (we do this often), preserve URLs religiously. Pages reads _redirects in Netlify format. One line per redirect, glob patterns are allowed:

/old-blog/* /blog/:splat 301
/feed/ /feed.xml 301
/wp-content/* / 404

Run the redirects through a check before deploying — broken redirects look the same as working ones until somebody links to one.

Custom domains, briefly

Add the domain in the Pages dashboard. If the domain is already on Cloudflare, DNS is automatic — Pages picks the right CNAME for you. If it isn't, you'll get the records to add. SSL is free, renews itself, and the certificate is issued before the page reloads.

The thing that still trips people up: www. vs apex. Decide which one is canonical, set up a redirect for the other, and put the right one in your sitemap. Pages will happily serve both, but Google does not love seeing duplicates.

Edge functions: use them sparingly

Pages Functions are a flat /functions/ directory of route handlers. They run on Workers, billed at Workers prices, and there is no cold start to worry about. The 2026 advice: if you can avoid them, do. Every function is something else to test, monitor, and reason about. Reach for them only when:

• You need per-request data (geo, headers, cookies) that must be on the edge.
• You're proxying or rewriting before serving static content.
• You have one specific dynamic endpoint and you don't want a whole API.

Things that surprised us this year

Deploy speed. Even on a 5,000-file site, a fresh deploy completes in under a minute. The diff-uploading is doing real work.

Preview URLs are first-class. Every deploy gets one. We send those links to clients for sign-off without anyone learning what "staging" means.

Wrangler quirks. The --commit-message flag is useful — those messages show up in the Pages dashboard. We populate it with a timestamp and the commit hash, which makes rollbacks much less guesswork.

Where this falls down

Pages is not a CMS. If your content team needs a click-through publishing flow, you need a CMS in front of Pages — we usually pair it with a headless one and a webhook that triggers redeploy.sh. The split adds complexity worth thinking about before committing.

And for genuinely dynamic apps — auth-heavy, database-heavy, server-state-heavy — Pages is the wrong shape. Reach for Workers proper, or somebody else's platform.

For everything in between, the answer is still: ship the folder, walk away, do something else.

The three locations

The edge

Cloudflare Workers, Vercel Edge, Deno Deploy, Fastly Compute, Netlify Edge. Code runs in hundreds of data centres globally, milliseconds from the user. V8 isolates rather than full VMs, so cold start is effectively zero. Limited by language (JS/TS, WASM), resource ceilings, and the fact that your database is probably not next door.

The regional origin

An EC2 instance, a Fly machine, a managed container service, a serverless function in one or two regions. Full runtime, full language choice, full filesystem. Latency to the user depends on where they are and where the region is.

The user's device

The browser. Increasingly capable: WASM, WebGPU, OPFS, persistent workers. For some workloads — heavy data manipulation, image processing, certain ML inference — running in the browser is faster than any server-side path, because the data is already there.

The rule we apply

Code runs at the location closest to the data it needs.

If the data is mostly the user's session and a few cached values: edge.
If the data is in your primary database: near the primary database.
If the data is the user's own files: their machine.

Almost every architectural pain point we've audited in 2026 came from violating this rule — running auth checks at the edge that needed to make six database round-trips, or running heavy compute on a regional origin when the inputs were on the user's phone.

What goes at the edge

• Authentication checks against tokens you can verify cryptographically without a database hit.
• A/B test variant assignment.
• Geo-aware routing and personalisation.
• Bot mitigation.
• Static content serving with smart cache control.
• Webhook fan-out where the work is "validate signature, queue downstream."

What stays at the origin

• Anything that does a transaction across multiple tables.
• Anything that needs files larger than the edge runtime's memory ceiling.
• Cron-like background work.
• Anything that needs a non-JS runtime — heavy data work in Python, ML inference on GPUs, native code.
• Anything where consistency requirements demand sticky routing to a specific region.

What goes on the user's device

• Anything operating on data the user already has — local file processing, on-device search.
• Real-time UI work that should not round-trip — undo/redo, autocomplete on user data, immediate validation.
• ML inference on small models that fit in browser memory.
• Anything you want to work offline.

The mistake we see most

Teams discover that edge runtimes are fast and start pushing everything they can to the edge. Three months later they have a complex distributed architecture for what could be a single regional service, and they've introduced subtle bugs where the edge code and the origin code disagree about the state of the world.

The edge is a powerful tool. It is not a free upgrade. Every hop you add to a request path is a hop you have to monitor, version, and debug. We try to keep the request path as simple as the latency budget allows, and no simpler.

How we decide, per route

1. What latency does this route owe the user? (Often higher than you'd think.)
2. What data does this route need? Where does that data live?
3. What's the cost of inconsistency between locations?
4. What language and runtime constraints do we have?

The honest answer is usually: most routes stay at the regional origin, a small but high-value set move to the edge, and a growing fraction move to the user's device. The architecture diagram looks worse for it — three locations instead of one — but the user experience and the cost structure are both better.

Bottom line

"Run it at the edge" is not an architectural strategy. It's a tool you reach for when the data and latency profile of a specific route justifies it. The teams getting wins in 2026 picked one or two routes per app, ran them at the edge with discipline, and left the rest alone. The teams burning cycles on edge migrations of routes that didn't need it learned that lesson the slower way.

The short version

Bun is meaningfully faster for the things it's faster at, drop-in compatible for most things it claims to be, and still occasionally surprises you in ways Node never would. We use both. The choice is per-project, not per-team.

Where Bun wins

Cold start

If you're doing anything Lambda-shaped or CLI-shaped — short-lived processes, scripts, build tools — Bun starts up in a fraction of the time. We replaced our internal CLI tools with Bun and the difference is felt every single day.

Test runner

bun test is the test runner Node should have shipped in 2018. Jest-compatible API, zero config, fast enough that watch mode is actually pleasant. We migrated our smaller services off Jest entirely.

Built-in transpilation

Running TypeScript or JSX without a build step is genuinely useful for prototypes and internal tools. The Bun bundler is no replacement for esbuild or Rolldown for app builds, but for "run this script directly," it removes a category of friction.

Package installs

bun install is fast in a way that changes how you treat node_modules. We've stopped caching it aggressively in CI for some projects — it's faster to install from scratch than to validate a cache.

Where Node still wins

Long-running production services

Steady-state HTTP throughput on a properly-tuned Node process is competitive with or better than Bun for most workloads we've measured. The cold-start advantage doesn't matter for a process that lives for weeks.

Ecosystem depth

Some packages we depend on still misbehave under Bun. Native modules, anything that does clever things with the loader, certain telemetry libraries — every few months we hit something. The fix is usually pinning to Node for that specific service.

Observability

Production-grade tracing and profiling tooling is still Node-first. Bun's diagnostic story has improved, but if your incident response runbook involves --inspect, heap snapshots, or specific APM agents, Node is the lower-risk choice.

The compatibility footnote

Bun's headline is "drop-in Node replacement." This is true most of the time. The 5% of the time it isn't, you find out at the worst possible moment. We've been burned by:

• process.versions shape differences breaking a version check.
• Subtle differences in how streams handle backpressure under load.
• One esoteric crypto API behaving slightly differently between versions.

None of these are showstoppers. All of them ate a half day before we found them. Treat Bun as a Node-compatible runtime, not as Node. Test the path that matters.

Our 2026 default

For a new service:

• Internal CLI / build tool / script: Bun.
• Long-running HTTP API with mature deps: Node, unless we have a reason.
• Greenfield app where we control the dependency tree: Bun, with an escape hatch in CI to test on Node too.
• Edge functions: Workers runtime (neither), via the platform's tooling.

What we'd tell ourselves in 2024

Don't pick a runtime for sentimental reasons. Bun is good. Node is good. The interesting questions in 2026 are about where your code runs (edge, serverless, container, longlived VM) more than which JS runtime it runs on. Optimise the choice for that, and the runtime question usually answers itself.

The case for Postgres in 2026

It does almost everything well enough

Relational data — yes. JSON documents — yes, with proper indexing. Full-text search — yes, well enough for most needs. Vector search — yes, since pgvector hit production. Time series — yes, with TimescaleDB or even just well-designed indexes. Geospatial — yes, with PostGIS.

Each of those workloads has a "best in class" specialised database. Postgres is not the best at any of them. Postgres is good enough at all of them, which means you can defer the decision to specialise until you have data that justifies it. Most projects never reach that data.

The ops story matured

Managed Postgres is now boringly good. RDS, Cloud SQL, Neon, Supabase, Crunchy Bridge, Fly Postgres — pick a vendor based on price and region. Backups, point-in-time recovery, read replicas, connection pooling, automatic minor version upgrades. The operational burden of running Postgres in 2026 is meaningfully lower than it was in 2018.

Logical replication unlocked a lot

Native logical replication, change-data-capture via the WAL, and tools like Debezium make Postgres a viable source of truth for event-driven architectures. The "we need Kafka because our database can't emit events" argument has weakened.

Extensions are a superpower

pgvector for vectors. pg_cron for scheduled jobs. pgmq for queues. PostGIS for geo. pgaudit for compliance. Each extension means one less external dependency in your architecture. We've killed entire microservices by replacing them with a Postgres extension.

Where we don't use Postgres

Not everywhere. The boundary conditions:

• Genuinely unbounded write throughput. If you're ingesting telemetry at hundreds of thousands of writes per second, a time-series database or a column store will outperform Postgres without exotic tuning.
• Single-table OLAP on terabyte-scale data. Clickhouse, DuckDB, BigQuery — they all crush Postgres for analytic queries on big tables. Use the right tool.
• Globally-distributed strong consistency. Spanner, CockroachDB, YugabyteDB exist for a reason. Most apps don't need them.
• Pure key-value at scale. Redis, Cloudflare KV, DynamoDB. Postgres can do KV but it's rarely the best fit for it.

Notice the pattern: we leave Postgres for workloads where its general-purpose nature is a real liability, not for workloads where someone wrote a blog post claiming it doesn't scale.

Scaling Postgres further than you think you can

Almost every "we outgrew Postgres" story we've audited turned out to be "we had a bad schema, no indexes, and unbounded query patterns." The actual hard scaling limits of well-tuned Postgres are far higher than most teams reach. Things that helped us:

• Connection pooling at the right layer. PgBouncer in front of Postgres remains the right answer. Your application can have 10,000 idle connections; Postgres should see fewer than 100.
• Read replicas for read-heavy paths. Asynchronous replication is fine for most read workloads.
• Table partitioning before you think you need it. Easier to set up when the table is small.
• Aggressive use of EXPLAIN ANALYZE. Most slow queries have a simple cause and a simple fix.
• Vacuum tuning. The default auto-vacuum settings are conservative. Tune them for write-heavy tables.

The strategic point

The cost of changing databases is enormous. The cost of staying on a database that no longer fits is also enormous. We default to Postgres because it pushes the change-database decision out the furthest. By the time we've genuinely outgrown it, we usually know exactly what we need and the migration is a deliberate engineering project, not a panic.

If you're starting a new project this year and you don't have a specific reason to pick something else, you should pick Postgres. The reasons to pick something else are real, but they should be specific. "It might not scale" is not a reason. "Our write pattern is 50k/s of time-series data and we've modelled the load" is a reason.

Pick your goal first

"Migrate to TypeScript" is not a goal. It's a path. Before starting, decide what you're actually buying:

• Fewer runtime bugs from null and undefined. Requires strictNullChecks to be on, eventually.
• Better refactoring confidence. Requires enough type coverage to make rename-refactors safe.
• Better editor experience for the team. A lower bar — you get this from allowJs + JSDoc almost for free.
• Public API contracts you can publish. Requires careful type design at the boundary.

These goals require very different amounts of work. The team that mistakes "better tooling experience" for "strict type safety" will be unhappy halfway through.

The migration patterns we used

JSDoc-first

Add a tsconfig.json with allowJs: true and checkJs: true. Don't rename a single file. Add JSDoc type annotations to existing JS files. The editor lights up, errors get caught, and the team gets a feel for the language without committing.

This is the right first step on any codebase larger than a few thousand lines. It buys 70% of the type-safety value at 10% of the conversion cost. Skip the temptation to rename files until the JSDoc layer is mature.

Module-by-module rename

Once JSDoc is in place, rename leaf modules — utilities, pure functions, small components — first. The dependency graph means renaming a leaf is contained. Renaming a hub means you'll be touching every consumer.

The "barrier" file pattern

For modules that have to keep working with un-converted callers, write a small barrier file that exports the original API with TypeScript signatures. The implementation moves to a .ts file. The barrier handles the boundary. Callers can be converted at their own pace.

Tighten strictness incrementally

Turn on noImplicitAny first. Live with it for a sprint. Then strictNullChecks. Then the rest of strict. Flipping the whole strict flag on day one produces an unmanageable error list. Flipping it one flag at a time produces a finite list per sprint.

What we stopped doing

"Big bang" rewrites

Tempting on small codebases. Disastrous on anything real. Even on 30k-line projects we saw productive teams burn six weeks on rewrites that produced no business value and introduced regressions.

Aggressive use of any

Starting with any everywhere just to get the codebase to compile feels productive and is, in fact, the worst of both worlds. You pay the TypeScript tax (build step, tooling, mental overhead) and get none of the safety. If a type is genuinely unknown, use unknown and narrow at the use site. any is for two specific cases: shimming a third-party library with bad types, and emergency hotfixes you intend to revisit within a week.

Class hierarchies imported from Java

TypeScript will let you build deep class hierarchies. Don't. The idiomatic TS code is closer to "Java verbosity with TS's structural type system" — interfaces, discriminated unions, plain functions. You'll spend less time arguing about generic variance and more time shipping.

The tooling that paid off

• ts-migrate for initial rename + auto-annotation. Imperfect but saves days.
• type-coverage in CI. Number-go-up of typed code is a metric the team can rally around.
• knip and similar dead-code analysis. Migration is a great time to find the modules nobody uses anymore.
• A pre-commit hook running tsc --noEmit. Stops type regressions from landing.

What it cost

On a 60k-line Node API: about a quarter of senior-engineer time, spread over two quarters, plus elevated PR review burden during the transition. We caught roughly a bug a week that the type system surfaced before runtime. The bugs caught included two that would have shipped to production undetected. We consider that a positive ROI even ignoring the long-term maintenance benefit.

The honest take

TypeScript is worth migrating to on any codebase you expect to live three more years. It is not worth migrating something you'll deprecate in twelve months. The migration is a project, not a checkbox, and the team needs to be told that upfront. Done well, it's one of the highest-leverage investments you can make in a JavaScript codebase's long-term health.

The traditional shared hosting model

One server. Many customers. A single Apache or LiteSpeed process. PHP and MySQL preinstalled. cPanel or DirectAdmin or Plesk on top. You SSH in (maybe), you upload files (probably), and your site is online.

The model has obvious downsides: noisy neighbours, no isolation, security only as good as the weakest customer's outdated WordPress install. It also has one large upside: it is the simplest possible product to buy and the easiest possible product to use for non-developers. That hasn't changed.

What changed

The competition got cheaper

Cloudflare Pages, Netlify, Vercel — all of which have free tiers that handle a non-trivial site. For static sites, shared hosting is now objectively worse than free. There is no scenario in 2026 where a static-content site benefits from being on cPanel.

Managed WordPress hosts ate the WordPress market

WP Engine, Kinsta, Pressable, and now Cloudflare's own WordPress offering have hollowed out the traditional shared host's flagship use case. For $20-30/month you get tuned caching, automatic updates, security scanning, and isolation. The price gap is no longer the deciding factor for most serious WordPress operators.

VPS pricing collapsed

A 2GB VPS at Hetzner, Vultr, or DigitalOcean costs $5-10/month. With a couple of hours of setup, that's comparable on price to a shared host and meaningfully better in every other dimension. The skill cost has gone down too — managed images, one-click stacks, and AI-assisted devops mean spinning up a VPS is more accessible than it's ever been.

What shared hosting is good for in 2026

• Very small WordPress sites where the owner is not technical. A hairdresser, a local club, a portfolio. The cPanel UI and tech support phone line are the actual product.
• Email hosting for the same audience. A domain, two email accounts, a website. Bundled, easy to bill annually, easy to renew.
• Legacy PHP applications. Things that have run on cPanel since 2010 and shouldn't move until they have to.

What shared hosting is genuinely bad for

• Anything static (use a CDN, free).
• Anything that will scale (you'll outgrow the noisy neighbour reality fast).
• Anything you want to test/stage/preview professionally (shared hosts don't support modern deploy workflows).
• Anything with credentials more valuable than the customer data is sensitive (the isolation story is just not good enough).

What to look at if you're shopping for one

1. PHP version on offer. If they're still pushing PHP 7.4, walk away.
2. SSL story. Free Let's Encrypt should be one click. If it isn't, the host is years behind.
3. Backup policy. What gets backed up, how often, and how do restores work.
4. Acceptable use policy. Read it. Many "unlimited" hosts have aggressive resource limits that only kick in when you matter.
5. Where the data lives. Increasingly relevant for European customers under data residency rules.

The honest framing

Shared hosting in 2026 is a product for non-developers running small WordPress sites. That is a real market and the better operators serve it well. For anyone else — anyone who reads articles like this one — the answer is almost always somewhere else. A free static host, a managed platform, or a $5 VPS will give you a better product for less money or no money. The shared hosting decision tree in 2026 is short, and most branches lead elsewhere.

Where AI earns its keep

First-pass everything

Wireframes, color palettes, copy variants, alt text suggestions, microcopy for empty states. The model produces a competent first draft in seconds; the designer's job becomes editorial. The category of work that used to be "stare at a blank Figma" has compressed dramatically.

Accessibility audits

Color contrast, semantic structure, alt text quality, ARIA correctness — AI tooling catches things a manual review misses, especially on large sites. Pair it with axe-core or a similar deterministic linter for best results.

Asset generation at scale

Hero illustrations, icon sets, placeholder photography. The quality is consistently good enough for marketing surfaces, especially for B2B sites where the visuals don't need to be art. The savings on stock photo licensing alone justify the workflow shift.

Code generation from designs

The Figma-to-React workflows are usable in 2026. They are not a replacement for a thoughtful engineer, but they are a real accelerant for component scaffolding. Used carefully, you go from design system to working components in a fraction of the time.

Where teams get hurt

Treating AI output as final

The model doesn't know your brand. It doesn't know your last six months of A/B tests. It doesn't know that your design system already has a button variant for this case. Output that ships without a designer in the loop is consistently mediocre and inconsistent with the rest of the product.

Over-personalization

"AI generates a unique experience for every visitor" sounds great in a deck and consistently underperforms in production. Most users want what works, not what's clever. Personalization at the variant level is fine; at the layout level it is usually a distraction from the core proposition.

Hidden-cost workflows

If your AI workflow makes the design pipeline faster by 3x but the development pipeline slower by 5x because the handoff quality dropped, you've made the company slower. The honest measurement is end-to-end, not per-discipline.

What changed in the last year specifically

• Real design tokens, real component awareness. Modern AI design tools understand your design system and produce output that respects your tokens. This is the biggest delta from 2024.
• Native multimodal models. "Look at this screenshot of our competitor and propose a better information hierarchy" is a useful prompt in 2026 in a way it wasn't in 2024.
• Agents that build, test, iterate. Browser-based agents now drive a design through accessibility, performance, and visual regression checks autonomously. Still need a human reviewer; the throughput is meaningfully higher.

How we set up a team for this

1. One designer owns the design system. AI output never bypasses it.
2. AI is used at the front of the funnel (ideation, drafting) and at the back (auditing, scaling). The middle (decision-making) is still human.
3. Every shipped feature passes a deterministic accessibility check, regardless of how it was designed.
4. Token usage and tool spend get a line item in the project budget. Otherwise it grows quietly.

Bottom line

AI hasn't replaced web designers. It has changed what work a designer does in a day. The designers thriving in 2026 are the ones who treated the tools as a force multiplier on judgement, not as a replacement for it. The ones who refused to use them at all are quietly less productive. The ones who used them uncritically shipped uncritical work. The boring middle ground turned out to be where the value was.

The two engines of growth

AI and ML

The entire LLM stack — training, inference, agent frameworks, evaluation — runs on Python. PyTorch, JAX, the Hugging Face ecosystem, LangChain, LlamaIndex, every major agent framework. If you do any work adjacent to AI, you write Python, even if you don't want to.

This is not "Python is a good ML language." This is "Python is the only language where the libraries you need exist with first-class support." That is a Schelling point, and Schelling points are sticky.

Glue work

Quietly, Python has become the universal solvent of software. Data pipelines, automation scripts, internal tools, prototyping, devops, scientific computing — anything where you need to wire systems together with code that humans can read. The language is a near-perfect fit for that category and very little has emerged to challenge it.

What changed under the hood

Speed actually got better

The GIL is finally optional in 3.13's free-threaded build. Sub-interpreters are usable. The JIT lands properly in 3.14. The "Python is slow" complaint, while still partially true for some workloads, is meaningfully less true than it was in 2020.

Type checking became normal

Five years ago, type hints were a curiosity adopted by serious teams. In 2026 they are table-stakes for any codebase you want to be maintainable past one person. The combination of strict mypy/pyright + Pydantic + FastAPI's patterns has made Python feel like a different language from the duck-typed 2.7 you remember.

Packaging finally settled

Poetry, hatch, uv — the long packaging civil war ended with uv (Astral's package manager) winning most adoption. pyproject.toml is universal. requirements.txt still exists but mostly as an output, not a source of truth.

Where Python still loses

It is not the right answer for everything. Roughly, in 2026 we don't reach for Python when:

• You need a fast, low-memory long-lived service. Go or Rust win clearly.
• You need a single distributable binary. Python can do this with PyInstaller, but every other modern language does it better.
• You need to write a browser SPA. Pyodide is impressive but not a JavaScript replacement.
• You need maximum CPU throughput per dollar. The runtime tax is real for compute-heavy work.

What we expect to see in 2027-2028

• JIT-compiled Python performance matures to "good enough" for most real-world web workloads.
• Type checking becomes effectively mandatory in any reviewed codebase, the same way "use strict" won the JavaScript world.
• Free-threading stabilises. The "use multiprocessing because of the GIL" advice quietly becomes legacy.
• Rust-backed Python libraries (Polars, Pydantic V3, ruff) become the default for performance-sensitive components.

The macro story

Python won the readability argument. It won the "good enough for most things" argument. It won the ML lottery. Languages don't lose those positions easily, and the language is using its time to fix the things that legitimately held it back.

If you are picking a language for a new project in 2026 and you don't have a specific reason not to, Python is rarely the wrong answer.

That trade broke in 2024. By 2026, "web crawler" is a much wider category, and the implicit social contract that used to govern it has fragmented. Here's what changed and what to do about it.

How crawlers work, technically

The mechanics haven't changed. A crawler:

1. Maintains a queue of URLs.
2. Fetches one of them via HTTP, respecting (or not) robots.txt.
3. Parses the response, extracts links, and adds them to the queue.
4. Stores the content for whatever purpose justifies the bandwidth.

What changed is who's running them, and what they want.

The three kinds of crawler today

Search engine crawlers

Googlebot, Bingbot. Still operate roughly under the original contract: read the site, index it, send users back. Honour robots.txt and crawl-delay directives. We don't block these.

AI training crawlers

GPTBot, ClaudeBot, PerplexityBot, Anthropic's, OpenAI's, Google's training crawlers, and dozens of smaller ones. They read your site to train or augment language models. Whether they send users back is, depending on the operator, anything from "occasionally with attribution" to "no, the model just absorbed your content."

Most respect robots.txt when explicitly named. Some don't.

Scraper bots

Everything else. Price scrapers, content thieves, SEO research tools, security scanners. Often spoof their user agent. Often ignore robots.txt. Often run from rotating residential IPs to evade detection.

What to put in robots.txt in 2026

A defensible default for a content site:

# Allow established search engines
User-agent: Googlebot
Allow: /

User-agent: Bingbot
Allow: /

# Decide consciously about AI training
User-agent: GPTBot
Allow: /

User-agent: ClaudeBot
Allow: /

User-agent: PerplexityBot
Allow: /

# Block the rest by default
User-agent: *
Disallow: /

Sitemap: https://example.com/sitemap.xml

Whether you Allow or Disallow each AI crawler is a judgment about your business model. If you sell content, you probably want to Disallow. If you sell credibility and want to be cited by AI assistants, you probably want to Allow.

What robots.txt cannot do

Stop a determined scraper. It's a voluntary protocol. The bots that ignore it are the ones you most want to block.

Effective defences in 2026 layer multiple controls:

• Cloudflare's bot management or equivalent — fingerprints traffic at the edge.
• Rate limits per IP and per ASN — slows aggressive crawlers without affecting humans.
• Honeypot links — links no human follows, with rules to block IPs that hit them.
• Tar-pitting — serving a slow trickle of bytes to known-bad bots, costing them more than it costs you.

What we tell clients

You probably don't need to fight every crawler. You need to know which ones are valuable, which ones are extracting value without giving any back, and which ones are actively harmful. Make conscious decisions in your robots.txt, then let the edge handle the bad actors. The energy you spend running cat-and-mouse with every new crawler is energy you're not spending on the work that pays.

REST: still the default

HTTP, JSON, resource-shaped URLs, and an OpenAPI spec. Boring, well-understood, and supported by every language and tool you can name. For public APIs and most external integrations, REST is what people expect and what tooling supports.

The strengths haven't changed: cacheable on the edge, debuggable with curl, easy to mock. The downsides also haven't changed: chatty for related-resource fetches, schema drift if you're lax, easy to design badly.

GraphQL: when the client knows what it needs

The case for GraphQL was always strongest where you have many different consumers (web, mobile, partner apps) that need different shapes of the same underlying data. That case is unchanged in 2026.

What did change:

• Federation matured. Apollo Federation and Mercurius let multiple teams own pieces of one schema without one team becoming the gatekeeper. This addressed the original "one giant schema" pain point.
• Persisted queries became default. Sending a query hash from a known whitelist solves most of the security and caching complaints.
• The tooling settled. Codegen, type-safe clients, and IDE support are now table-stakes good.

We still don't reach for GraphQL on small APIs. The setup cost outpaces the benefit until the consumer count justifies it.

gRPC: for service-to-service

If both sides are services you control, gRPC is hard to beat. Protocol buffers are smaller and faster than JSON. Streaming is first-class. Code generation for clients means you can't accidentally diverge schemas.

The catch: gRPC over the public web is awkward. Browsers need gRPC-Web, which means a translation layer. For browser-facing APIs we stick to REST or GraphQL.

MCP: the new entrant

The Model Context Protocol — a way for AI agents and applications to expose tools and data to each other. It is not a replacement for REST or gRPC; it is a specific contract for "this thing can be used by an LLM."

If your business is going to be consumed by AI agents (and most of them will be), MCP is becoming the lingua franca for that consumption path. It sits on top of JSON-RPC, has a standard manifest, and is supported by every major AI tooling vendor.

Think of MCP as "OpenAPI but for tools an agent can call" — same problem space (publish your contract), different audience (machines that reason).

Which to pick

• Public-facing API for many human-built clients? REST.
• Internal API where the client is your own SPA or mobile app and you ship both? Often REST is still fine. GraphQL if you have several distinct frontends with different shapes.
• Internal service-to-service inside your own platform? gRPC.
• Anything an AI agent will consume? MCP — alongside, not instead of, your existing API.

The trap to avoid

Picking a protocol because it's in fashion. We've audited too many architectures where someone introduced GraphQL for a single-client API, or gRPC inside a system that has one browser frontend. The complexity tax is real. The protocol should serve the integration, not the other way around.

Interoperability is mostly a contract problem, not a transport problem. The conversation with your counterparty about how the contract evolves is more important than the wire format you choose to send it over.

What still works

Original research

If you publish a number nobody else has, journalists and other operators will link to it. State of X surveys, benchmarks, internal data presented honestly. The link economy hasn't found a substitute for "I measured this and here's what I found."

Useful tools and calculators

A free calculator that does one job well — a colour-contrast checker, a JSON-to-CSV converter, a tax-aware mortgage tool — accumulates links indefinitely because it is genuinely useful and easy to reference. The bar is "would I bookmark this myself."

Definitive guides

The "best resource on the internet for X" page. These take months to write, are kept updated, and earn links the way a textbook earns citations. Most blogs aren't willing to invest in one. The ones that are see compounding returns.

Being interviewed, podcasted, quoted

Other people's audiences. Show up on someone else's show with something worth saying and the link comes free. Difficult to scale; very effective when it lands.

What doesn't work anymore

• Mass guest posting. Most accepting sites are link farms or AI-generated content mills. Google knows.
• Buying links. Detection is reasonable and the penalty cost is real. Even if it appears to work short-term, it digs a hole you have to pay to climb out of.
• Reciprocal link schemes. "I'll link to you if you link to me" — devalued for a decade. Move on.
• HARO-style spam. Help A Reporter Out is now flooded with low-quality pitches. The original signal got buried. Real journalists use other channels.

The new wrinkle: LLM citations

In 2026 a meaningful share of discovery happens inside AI assistants rather than search engines. Whether your content gets cited by a large model when someone asks about your topic is the new "page one of Google" — and the optimisation for it is somewhere between SEO and trust signals.

What we observe:

• Content that is structured, factual, and clearly attributed is more likely to be cited.
• Brand recognition outside the search engine matters more, not less.
• Schema.org markup helps, in the same way it helps Google.

The framing we use with clients

Stop thinking about "link building" as a discrete activity. Think about being worth linking to. If your site is the best resource on a given topic, links will follow without manual outreach. If your site is the fifth-best, no amount of outreach campaigns will change that durably.

The work of building authority and the work of "doing SEO" have converged. That is mostly good news for honest businesses. It is bad news for people whose business model assumed a market for cheap, manipulated authority.

What a modern system actually does

A serious visitor management system in 2026 covers four things, in roughly this order of importance:

1. Pre-arrival registration. The host invites the visitor, the visitor fills in details and acknowledges any NDA or site rules, and a QR code or pass is issued before they leave home.
2. On-arrival authentication. The visitor scans in, the host is notified, and the system records the actual moment of entry — not a self-reported time on a piece of paper.
3. On-site awareness. At any moment, somebody (security, reception, fire marshal) can answer "who is in the building, where, and why" without making a phone call.
4. Audit and retention. Logs are kept for the legally required period, then deleted automatically. This is where most home-grown systems quietly break the law.

The categories of buyer

Small office (1-5 people on reception)

An iPad on a stand and an off-the-shelf SaaS tool is genuinely the right answer. Don't over-engineer. The total cost of ownership of a custom-built system here is many multiples of the SaaS subscription.

Mid-market (multi-site, regulated industry)

This is where most of our consulting work sits. You need integration with your IdP for hosts, your facility management system for room booking, and your security badge system for access control. The off-the-shelf SaaS works but has to be configured and integrated thoughtfully. Plan for a quarter of integration work, not a week.

Enterprise (regulated, multi-country, sensitive data)

Off-the-shelf still wins, but the buying process is two years long and the deployment is bespoke. The decisive factor is rarely the visitor flow itself — it is data residency, retention policy, and the audit log's compatibility with the legal team's comfort.

Where home-grown systems go wrong

• Underestimating the edge cases. Contractors who come every day. Delivery drivers who don't speak the office language. Visitors with mobility constraints. The 80% case is easy; the 20% is where good products earn their license fee.
• Audit policy as an afterthought. Storing visitor logs forever is unlawful in most jurisdictions. Designing the delete-after-N-days mechanism after launch is harder than designing it before.
• Treating it as a frontend project. The hard parts are the integrations and the workflow, not the iPad UI.

The 2026 difference: identity, not just a name

The shift we see this year is that "visitor management" is converging with "identity and access management." Modern systems issue short-lived credentials tied to a real identity provider (a Microsoft Entra guest account, a Google Workspace external user) rather than a self-attested name on a tablet. The implication: who somebody is, what they signed, and when they entered are now one record, verifiable cryptographically. That changes what is possible downstream — automated compliance reports, cross-site identity, single-pane-of-glass for security teams.

What we tell clients

Buy something. Don't build it. Spend your budget on the integration and the policy work, not on rewriting the badge printer driver. The interesting differentiation for your business is almost never the front desk.

The frameworks that matter

Spring Boot

Still the default. Still the right call for the majority of enterprise Java work. The ecosystem is unmatched, the documentation is exhaustive, and a junior engineer arriving on a Spring Boot codebase has a head start. The downside — boot time, memory footprint, runtime reflection — has been substantially mitigated by GraalVM native images and Spring 6's AOT processing. We use it for almost every long-lived enterprise service.

Quarkus

The serious challenger. Built around the assumption that you might compile to a native binary and run on Kubernetes with millisecond startup. Sub-100ms cold starts, low memory ceilings, sensible defaults. For greenfield microservices where deployment density matters, Quarkus is now our first thought.

Micronaut

The third major framework in this space. Compile-time DI rather than reflection. Smaller community than Quarkus but equally credible technology. We reach for it when an existing team has experience with it.

Helidon

Oracle's offering. Two flavours: SE (programmatic) and MP (declarative MicroProfile). Solid technology that doesn't get enough attention because Oracle's brand makes some teams nervous. If you need MicroProfile compliance, it's worth considering.

What changed in the last five years

Native images are routine

GraalVM native compilation is no longer the exotic option. We ship Quarkus and Spring Boot apps as native binaries by default for anything serverless-shaped. The build time penalty is real but the runtime profile — fast start, low memory — pays for itself within weeks.

Virtual threads changed the threading conversation

Java 21 virtual threads (Project Loom) mean you can write blocking code without paying the thread-per-request memory cost. Whole categories of "we have to go reactive" decisions can now be revisited. Reactive frameworks like WebFlux or Vert.x are still valid choices, but they are no longer the only path to high concurrency.

Records and sealed types make modelling pleasant

Domain modelling in Java circa 2026 looks more like Kotlin or Scala than the JavaBeans of the 2010s. Records, sealed types, and pattern matching cover most of what you used to reach for Lombok or third-party libs to provide.

How we choose

• Existing team on Spring? Stay on Spring Boot. Don't migrate for fashion.
• Greenfield service, latency or density sensitive? Quarkus with native compilation.
• Greenfield monolith with a year of features ahead? Spring Boot, possibly with native compilation later.
• Tiny tools and one-off APIs? Honestly, consider a different language. Java's ergonomics for 200-line services are still rough.

What we don't miss

XML configuration. Container vendor lock-in. Six-month deployment cycles. Setting up a CI pipeline that requires a 4GB Docker image. The Java stack is meaningfully better in 2026 than it was a decade ago, and most of the criticism aimed at it now is criticism of a Java that no longer exists.

If you have not looked seriously at the Java ecosystem since 2019, look again. The frameworks haven't just iterated — they've repositioned.

The 2026 short list

If you take on PHP contract work this year, you will almost certainly be working on one of three stacks. Anything else is a curiosity, a legacy maintenance gig, or a red flag.

Laravel

Still the dominant choice for new PHP apps. The ecosystem (Forge, Vapor, Nova, Livewire) has converged on a coherent story for the full lifecycle of an app — build, deploy, scale, observe. Most agencies default to it for a reason: hiring is easy, the docs are first-rate, and the framework keeps shipping pragmatic features.

Symfony

Where Laravel optimises for developer happiness, Symfony optimises for boring, durable, enterprise correctness. The component model means you can pull in just the routing or just the messenger queue. We reach for it on long-lived projects where five years of stability matters more than five days of velocity.

Slim / vanilla PSR-15

For genuinely small services — internal tools, glue APIs, single-purpose endpoints — a micro framework or just a PSR-15 middleware stack is the right size. Don't reach for Laravel to expose three routes.

Why a framework still earns its keep

• Hand-off. When you finish a contract, the client's next developer reads your code without a tour. A framework is half the documentation, free.
• Security defaults. CSRF, XSS, mass-assignment guards, SQL parameterisation — frameworks make the easy way the safe way. Most security incidents we've seen on raw-PHP projects came from skipping one of these defaults.
• Migrations and schema evolution. A schema you can replay on a fresh database is the difference between a project that survives and one that calcifies.
• Background work. Modern PHP apps need queues, scheduled jobs, and idempotent retries. Building this from scratch is a year of subtle bugs.

What we ignore now

Some advice that mattered in 2018 has aged badly:

• "PHP frameworks are slow." Modern PHP-FPM with opcache is fast enough for almost any web workload. If your app is slow, the framework is rarely the culprit.
• "Pick the framework with the most stars." Github stars don't deploy your app at 2am. Maturity of release process, security advisories, and LTS commitments matter more.
• "Avoid magic." Reasonable advice in 2014. Today, Laravel-style facades and Symfony-style autowiring are well-understood and well-debugged. The remaining downside is googleable.

How we choose, in practice

For a typical client conversation in 2026:

1. Will the client own the codebase long-term? → Symfony.
2. Will the client want to hire affordably and ship features fast? → Laravel.
3. Is this an API that does one specific thing and has clear boundaries? → Slim or PSR-15.
4. Is the client already on a different stack? → Use what they have unless there is a clear reason not to.

The contract reality

The hardest part of contract PHP work in 2026 is not picking a framework. It is convincing a client whose project is on a pre-7.4 PHP version and an abandoned framework that the cost of staying is now higher than the cost of moving. We see this conversation every quarter. The numbers usually win, eventually.

If you are inheriting a project: spend a day inventorying the framework version, the PHP version, the dependency lockfile and the test coverage before you commit to a delivery date. That single day saves the next twelve.