Here's a little CLI that generates itself from Lexicon and calls XRPC APIs. github.com/agentio/slink

Auth scopes are great but they don't always restrict access as much as we want. Here's an IO configuration that *only* allows a couple of authorized API key users to call a few named methods of the Digital Ocean DNS API using a token that it gets from Hashicorp Vault.

Here's IO running on MacOS agent.io/decisions/ma...

Are you familiar with the XDG Base Directory Specification? Here's how we used it to improve IO: agent.io/decisions/xdg/

Recently we started building our own Envoy binaries and IO container images. agent.io/decisions/co...

Envoy requires libc, so it doesn't make sense for IO to make performance sacrifices to avoid depending on libc itself. That lets us build IO with CGO and use the native SQLite library, which has big performance benefits. agent.io/decisions/cgo/

This week IO's configuration language got a revamp and a reference agent.io/io/config/

Tempted by Alpine Linux: agent.io/decisions/al...

In September we created Sidecar, a new Go gRPC implementation that focuses on clarity, simplicity, and security for apps that run with sidecars. It's now how IO does gRPC. Here's a discussion of our decision to switch. agent.io/decisions/si...

Is it an SDK... or a monster infesting your app? agent.io/posts/sdks/

If you use Go, gRPC, and sidecar proxies, I wrote this for you github.com/agentio/sidecar

Echo is a simple gRPC service that we wrote to test and experiment with gRPC and ConnectRPC agent.io/posts/echo/

How IO uses gRPC: agent.io/posts/grpc/

IO was created to work with a set of API management APIs from Google called Service Infrastructure, but now we think we've outgrown it. agent.io/decisions/dr...

What's it like to run an application with Nomad and IO? Here's an example with bonus info about gRPC: agent.io/posts/memos/

Here's a practical benefit of our exploration of @hashicorp.com's Nomad and Vault: all of the configuration for this Nomad-hosted ATProto PDS is now read from secrets in Vault.

I'm getting more and more hooked on Nomad. With the raw_exec driver, I can run pretty much anything on my Nomad-running laptop. Here's how I use it to automatically unseal Vault. agent.io/posts/laptop...

"The caller never sees this secret." IO can read and apply API keys so that applications can securely use secrets without ever directly possessing them. agent.io/posts/vault

Here's IO using an API key that it read from Vault using its Nomad workload identity.

We've been working a lot with HashiCorp's Nomad and Vault. Here's an easy way to run them both on an Ubuntu laptop. agent.io/posts/laptop...

Our preferred JWx library is @lestrrat.bsky.social‬'s lestrrat-go/jwx agent.io/decisions/jwt/

A more general idea behind "No SDKs" and other design decisions is that we work to keep the number of third-party dependencies low and their quality high. agent.io/decisions/de...

Finally (for now), we've been picky about limiting dependencies and controlling the network connections that IO makes. This seems worth noting as a decision, i.e. "No SDKs". agent.io/decisions/sd...

Now we have a small fleet of droplets running Nomad and IO to use for testing and demos. We can manage them all over SSH, and quickly went from bash scripts to a small Go tool that can do things like check versions and trigger restarts. agent.io/decisions/fl...

When we initially thought of adding analytics to the preview, we added a small custom API for sending them. But a little bit of investigation led to Open Telemetry, which we're using in a very basic and direct way (with no SDKs). agent.io/decisions/ot...

Once we had images on DockerHub, we started getting warnings about security vulnerabilities in the standard Envoy releases that we were using as base images. This led us to switch to the Envoy "distroless" images that are published by a team at Google. agent.io/decisions/di...

At this point, the realization that "we've made so many decisions" forced me to stop, come up with a structure, and put as many past decisions that I could think of in it. agent.io/decisions/re...

The preview is based on IO Docker images, and setting up a paid DockerHub account seemed to be the best way to directly manage these and other images that we wanted to publish. agent.io/decisions/do...

Adding SSH support made it clear that it would be easy to add SFTP/SCP support, which has been a great way to read and write configuration of remote IOs. More uses are coming. agent.io/decisions/scp/

Honestly, THIS IS SO COOL. As soon as we discovered that we could use Charm's wish package to SSH into remote running IOs, we had to do it. agent.io/decisions/ssh/

Our first step from the homelab to the cloud was to use Digital Ocean. The big draw was the simplicity of the console experience and Digital Ocean's APIs. agent.io/decisions/di...

We're using Google Workspace for email and docs. agent.io/decisions/wo...

What's the least-commitment way to make IO available to other users? I wasn't ready to go through any "one-way doors", so we decided to start with a private preview. agent.io/decisions/pr...

IO manages secrets so applications never see them. But where should secrets be kept? IO can store them in local storage, but to increase security, we wanted to integrate with a secrets manager. We decided to start with Vault. agent.io/decisions/va...

Importing generated code from other people's repos is a recipe for suffering, so we don't do it. agent.io/decisions/pr...

Zig seems like a language that we'll be using in the future, but maybe not just yet. agent.io/decisions/zig/

"We do these things not because they are easy, but because we thought they were going to be easy." ATProto OAuth is just a small add-on to OAuth, right? agent.io/decisions/at...

After building ACME into IO's ingress mode, we realized that we could also add OAuth support by having IO intercept OAuth callbacks, and IO's calling mode could apply the auth tokens, making OAuth-based applications *much* simpler. So how could we resist? agent.io/decisions/oa...

Maybe the best argument for using Nomad is Kubernetes. But if you haven't used either, and especially if you're looking for something that you can start running on just a few nodes and easily understand, try Nomad. You don't need Nomad to use IO but they work great together. agent.io/decisions/no...

Interactive configuration is great, but for reproducibility, IO needed a configuration language. YAML? The experience of using Envoy's YAML config was a pretty strong argument against that. Hashicorp's HCL had an appealing directness and a great Go support library. agent.io/decisions/hcl/

The idea to build ingress into IO came when I replaced the Kubernetes in my homelab with Nomad. ACME support in IO was surprisingly easy to add and has been much easier to troubleshoot than k8s cert-manager. agent.io/decisions/ac...

Coming into web development cold, Hugo and the Blowfish theme made it easy to get a content-rich site off the ground. But easy to customize? IDK. agent.io/decisions/hu...

Google App Engine has some flaws, but it's a great way to put up a web site and forget about it. For now it's being used to run our main site. agent.io/decisions/ap...

When IO needed persistent storage, SQLite was the clear choice. Not only was it well-proven, the sqlite3 command-line tool made it easy to manage state outside of IO. agent.io/decisions/sq...

With one look at Bubble Tea we were sold. Adding a TUI opened up exciting possibilities of visibility and dynamic control of IO. agent.io/decisions/bu...

Google's Go gRPC library is solid, but it also contains some things that we don't need for a local gRPC service running over Linux abstract sockets, so instead we use Buf Connect for our gRPC connections. agent.io/decisions/bu...

What's in a name? Ours is "IO". agent.io/decisions/io/

Linux Abstract Sockets provide a simple and fast way for IO to communicate with the local Envoy that it controls. agent.io/decisions/ab...

IO uses Envoy in the same way that it uses Go: as a powerful component that unlocks a higher level of usefulness. agent.io/decisions/en...

Rust can be a great language for a lot of applications, but for us, the lack of mature infrastructure convinced us that it would be too much work. agent.io/decisions/ru...