Product & Problem
Decides what should exist and why.
A practical map of how modern software is designed, built, shipped, secured, operated, and improved.
Software is not just code. It is the chain of decisions that turns a user problem into a working system. UI, frontend, backend, databases, APIs, security, cloud, CI/CD, monitoring, mobile, CMS platforms, and business workflows are not separate worlds. They are connected layers of one machine. This atlas maps the whole system so I can understand what I am building, where each layer fits, and what breaks when one layer is weak.
Every product lives in five worlds at once. If you can name the world a problem is in, you can find the right tool faster than if you start with the tool.
Question: Are we building the right thing?
Customer problem, user persona, jobs to be done, requirements, MVP, pricing, business model, success metrics.
Question: Can the user understand and use it?
UX, information architecture, UI, visual design, accessibility, responsive design, mobile experience.
Question: What logic makes the system work?
Frontend, backend, APIs, authentication, authorisation, business logic, background jobs, integrations.
Question: Where does it run and how does it ship?
Hosting, cloud, DNS, servers, Docker, CI/CD, staging, production, deployments, rollback.
Question: Can users, buyers, auditors, and operators trust it?
Cybersecurity, privacy, compliance, testing, monitoring, audit logs, evidence, reliability, incident response.
Every serious feature touches most of these. Read down the column the way you would read an architectural drawing: top to bottom, layer by layer, with the question that decides each one.
Decides what should exist and why.
Designs how the user moves through the system.
Gives the product clarity, hierarchy, and trust.
Builds what runs in the browser.
Adapts software to phones, touch, sensors, and app stores.
Runs the private logic users should not control directly.
Gives the product memory and structure.
Lets software systems talk to other systems.
Determines who the user is and what they can access.
Defends the system from abuse, mistakes, and exploitation.
Provides the environment where software lives.
Moves code safely from laptop to production.
Checks that the system works and keeps working.
Keeps software alive after launch.
Uses managed platforms to ship faster when custom software is unnecessary.
Turns models into usable product features.
Makes software acceptable to users, buyers, auditors, and regulators.
Once the layers are clear, the tools stop feeling random. Each one belongs to a specific layer. This section maps the tools by where they fit, what they are used for, and what kind of builder should care about them.
Java, Kotlin, WordPress, AWS, Azure, LangGraph, Docker, GitHub Actions, React, Postgres, and Sentry are not isolated names. Each one belongs to a specific layer of the software system. What follows is a working reference, organised by layer. Use the filter to find a tool. Use the categories to find the layer.
The substrate everything else sits on. Pick one or two and learn them well before chasing breadth.
The language of the web. Runs in the browser; also runs servers via Node.js.
JavaScript with guardrails. Types catch bugs the language otherwise hides.
The language of AI, data, and automation. Readable, slow, everywhere.
The enterprise backend workhorse. Boring on purpose, runs for decades.
Modern Java, especially for Android. Cleaner syntax, same JVM ecosystem.
The native language of the Apple ecosystem. Modern, safe, opinionated.
Microsoft’s serious application language. .NET, Azure, Unity.
A simple language for reliable infrastructure. Compiled, fast, boring.
C++ power with much stronger safety. Steep curve, real payoff.
The language behind most of the CMS layer. WordPress runs the web.
Productivity-focused web development. Elegant for CRUD apps.
The language of structured data. Older than most things on this page; still wins.
Glue for the operating system. Underestimated until you need it.
What runs in the browser, what builds it, and where designers and engineers meet.
The document layer of the web. Structure, not style.
The visual layer of the web. Looks easy, isn’t.
A component library for building UIs. Defines the modern web’s mental model.
A React framework for production web apps with routing, SSR, and API routes.
Component framework with a gentler curve than React. Strong in Asia and indie shops.
Vue’s production framework. Next.js for the Vue side of the world.
A compiler-first UI framework. Less runtime, less ceremony, smaller bundles.
Svelte’s production framework with routing, SSR, and adapters for many hosts.
Google’s opinionated full framework. Heavy, structured, popular in enterprise.
Utility-first CSS framework. Style by composition, not by named classes.
Copy-paste component recipes built on Radix + Tailwind. You own the code.
Unstyled, accessible primitives. The foundation under shadcn/ui.
Google’s Material Design as a React component library. Comprehensive, opinionated.
The grandfather of CSS frameworks. Still everywhere in WordPress and admin land.
A fast frontend build tool. Replaces older bundlers for most projects.
The classic module bundler. Powerful, complex, still in legacy stacks.
A React animation library that makes physics-style motion easy.
The default design tool. Collaborative, browser-based, has won the category.
A design-driven website builder. Pretty sites without writing code.
A visual website builder that produces real HTML/CSS/JS. Premium marketing sites.
The server side. Where business rules, auth, and data live behind APIs.
JavaScript on the server. The runtime, not a framework.
The minimalist Node.js web framework. Still the default for many APIs.
A Spring-inspired Node framework. Modules, decorators, dependency injection.
A fast, modern Python web framework with type-driven docs. Default for AI services.
Python’s batteries-included framework. Admin, ORM, auth, all built in.
Minimalist Python microframework. Older and simpler than FastAPI.
The original opinionated full-stack framework. Productivity benchmark for a decade.
Java’s production framework. Powers a huge share of the world’s enterprise backends.
Microsoft’s modern, cross-platform .NET framework. Strong in regulated industries.
PHP’s modern framework. Elegant, productive, broad ecosystem.
Lightweight HTTP frameworks for Go. Fast, simple, predictable.
Type-safe client-server calls in TypeScript. Looks like function calls; runs over HTTP.
A query language for APIs. Clients ask for exactly the fields they need.
The default HTTP API style. Resources, verbs, JSON. Boring on purpose.
Native or cross-platform. Pick based on UX expectations and team velocity, not on slogans.
The language of native iOS. Modern, fast, Apple-only.
Apple’s declarative UI framework for Swift. The modern way to build iOS UIs.
Apple’s older imperative UI framework. Still under most large iOS apps.
Apple’s IDE. The only realistic way to build for the App Store.
The language of modern Android. Cleaner Java with full JVM access.
Google’s Android IDE built on IntelliJ. Emulators, profilers, Play Store flow.
Android’s declarative UI toolkit. Compose is to Android what SwiftUI is to iOS.
Build native iOS and Android apps with React. Share most code across platforms.
The managed React Native workflow. Builds, updates, native modules, all simplified.
Google’s cross-platform UI toolkit. Custom rendering engine, very consistent UI.
Google’s language behind Flutter. Compiles to native and to JS.
Google’s mobile-first backend: auth, database, push, analytics, crash reporting.
Apple’s beta-testing distribution. The only proper way to test iOS pre-release.
Apple’s portal for managing iOS app submissions, metadata, builds, reviewers.
Google’s equivalent of App Store Connect. Releases, tracks, A/B store listings.
Where the application keeps its memory. Relational, document, cache, warehouse, and vector each solve a different problem.
The serious default app database. Relational, mature, extensible, very hard to outgrow.
pgvector it also handles RAG.
The other classic relational database. Powers WordPress and a huge slice of the web.
A single-file relational database. Tiny, fast, embedded, surprisingly capable.
Flexible document database. Schemas optional, JSON-shaped data first-class.
In-memory data store. Cache, queue, pub/sub, rate limiter — all in one.
A managed Postgres backend with auth, storage, realtime, and edge functions on top.
Google’s mobile-first BaaS. NoSQL by default, plus auth, storage, hosting, push.
AWS’s managed key-value/document database. Massive scale, strict access patterns.
Google’s serverless data warehouse. Built for analytics, not transactions.
A cloud data warehouse. Separates compute and storage, scales horizontally.
A TypeScript ORM with a schema language and migrations. Strong DX.
A lighter, SQL-flavoured TS ORM. Closer to the metal than Prisma.
A classical TS ORM. Closer to traditional Java/C# ORMs in design.
Python’s most mature ORM and SQL toolkit. Powers Django-free Python backends.
A Postgres extension that adds vector similarity search. RAG inside your existing DB.
A managed vector database. Pure SaaS, scales fast, no infra to run.
Open-source vector database with strong hybrid search and modular vectorisers.
A simple embeddable vector database. Local-first, very approachable.
Managed platforms exist because most websites do not need custom software. Knowing when to pick one is its own skill.
The most widely deployed CMS. Powers a large share of the public web.
WordPress’s block editor. The modern way to compose pages in WP core.
The dominant WordPress page builder. Drag, drop, widgets.
Advanced Custom Fields. The serious way to give editors structured content in WP.
A serious form-builder for WordPress. Routing, conditional logic, integrations.
WordPress’s e-commerce engine. Catalog, cart, checkout, payments via plugins.
A visual site builder that emits real HTML/CSS. Premium marketing sites without engineers on every change.
A design-driven site builder. Beautiful sites, lighter on dev complexity than Webflow.
A consumer site builder. Templates, drag-drop, hosted everything.
An all-in-one site builder with strong templates. Photographers and small brands love it.
A headless CMS with a great editor and structured content model.
An enterprise headless CMS. Strong APIs, large-org content workflows.
An open-source headless CMS in Node. Self-hosted or managed.
A code-first headless CMS in TypeScript. Schema as code, strong DX.
The serious e-commerce platform. Storefront, checkout, payments, apps.
Where the software actually runs. Hyperscalers, developer platforms, edge networks, simple VPS.
The largest cloud. Compute, storage, networking, AI, and everything in between.
Microsoft’s cloud. Strong in enterprise and Microsoft-shop integration. Home of Azure OpenAI.
Google’s cloud. Strong in data, ML, and serverless containers via Cloud Run.
The internet’s edge layer. DNS, CDN, WAF, Workers, R2 storage, Zero Trust.
A frontend platform optimised for Next.js. Push-to-deploy, preview URLs, edge functions.
The pioneer of git-based static-site deployment. Functions and edge logic added later.
A Heroku-style developer cloud. Web services, background workers, Postgres, Redis.
A modern PaaS focused on speed of provisioning. Templates, env management, simple ops.
Runs Docker containers in many regions close to users. Edge-style app hosting.
Simple cloud servers and managed services. Predictable pricing, friendly DX.
The original git-push PaaS. Older but still everywhere, especially Rails.
Cloud compute with a strong networking pedigree. Now part of Akamai’s edge platform.
Google’s static + dynamic site hosting. Pairs with Firebase Functions and Auth.
Managed Postgres + auth + storage + edge functions as a complete app backend.
The plumbing under the application. Containers, orchestration, infra-as-code, web servers, networking.
Packages an app with its dependencies into a container that runs the same anywhere.
A simple way to run multi-container apps locally with one YAML file.
Runs many containers reliably across machines. The standard for serious container orchestration.
Kubernetes’s package manager. Charts bundle the YAML you do not want to maintain by hand.
Describe cloud infrastructure as code. Plan, apply, version, review.
Infrastructure as code using real programming languages (TS, Python, Go).
Configuration management. Tells servers how to look using YAML playbooks.
A high-performance web server and reverse proxy. The traffic gatekeeper.
The original web server. Still everywhere in WordPress / shared hosting.
The operating system most servers run. Ubuntu is the friendliest default flavour.
Serverless functions on Cloudflare’s global edge. Runs close to every user.
Run code without managing servers. Pay per invocation. Scales to zero.
Background task line. Hand work off so the user gets a fast response.
Scheduled tasks. Run something every hour, every night, every Sunday.
Splits traffic across many servers. Removes single points of failure.
Content delivery network. Caches assets close to users. Faster, cheaper, safer.
Cheap, durable file storage. Files have URLs; metadata is the index.
Configuration the code reads at runtime. Secrets must never sit in the repo.
.env committed to git.
From laptop to production without chaos. Branches, builds, environments, rollbacks, flags.
Distributed version control. Branches, commits, history. The substrate under everything.
The default code-host. Repos, PRs, reviews, Actions, Issues, Releases.
Code + CI + security + project management bundled. Strong self-hosted story.
Atlassian’s Git platform. Strongest where Jira and Confluence already live.
CI/CD pipelines that live next to your code. The default automation surface.
CI/CD inside GitLab. Strong if you live in the GitLab ecosystem.
A standalone CI service. Strong before Actions; still strong in some stacks.
The classic open-source CI server. Still everywhere in enterprise.
Microsoft’s full DevOps suite: repos, pipelines, boards, artifacts.
CI inside Bitbucket. Tight Jira integration.
Hybrid CI: hosted control plane, your own build runners. Speed at scale.
GitOps for Kubernetes. The repo is the source of truth; Argo reconciles the cluster.
Another GitOps tool for Kubernetes. Simpler model, very modular.
Every PR gets its own URL. Reviewers see the change live instead of reading a diff.
A near-identical copy of production for final checks before shipping.
Going back to the last known-good version in one command. The shipping safety net.
Turn features on/off without re-deploying. Ship code dark, then unlock.
How systems talk to systems. Protocols, payment rails, communication, automation.
HTTP + JSON + resources + verbs. The default for public and internal APIs.
Client-specified queries against a typed graph schema. Powerful, complex.
End-to-end typed RPC for TS monorepos. No schema files, just shared types.
Binary RPC over HTTP/2. Typed, fast, multi-language. Service-to-service workhorse.
A URL another system calls when something happens. Event-driven without polling.
A delegated-authorisation standard. “Log in with Google” lives here.
Long random strings that authenticate machines. Simple, dangerous if leaked.
A desktop client for poking APIs. Collections, environments, tests, mock servers.
A leaner Postman alternative. Same idea, simpler interface.
A spec for describing HTTP APIs. Generates clients, docs, and mocks.
The default payments API. Cards, subscriptions, invoices, billing, identity, more.
SMS, voice, video, WhatsApp, email (SendGrid), and verification APIs.
A transactional and marketing email API. Owned by Twilio.
A developer-first transactional email API. Clean DX, React Email integration.
An older transactional email API. Strong deliverability and analytics.
Bots, slash commands, messages, modals. The internal-tools surface for many teams.
Drive, Calendar, Gmail, Maps, Sheets, more. OAuth-gated access to Google services.
A single API across Microsoft 365: Outlook, Teams, OneDrive, Entra ID.
No-code automation between SaaS apps. Triggers, actions, simple flows.
A visual workflow builder that goes deeper than Zapier. Branching, mapping, modules.
An open-source workflow tool. Self-hostable, extensible, AI-friendly.
Who is the user, and what are they allowed to do. Auth and access control are different problems.
An open-source auth library for Next.js. Many providers, sessions, JWTs.
A polished managed auth provider with great UI components and MFA built in.
Auth tied to Supabase’s Postgres. Row-level security ties users to data.
Google’s auth for mobile-first apps. OAuth providers, phone auth, anonymous.
A veteran identity platform now owned by Okta. Deep enterprise auth features.
Workforce identity. SSO, SCIM provisioning, lifecycle, governance.
Amazon’s user-pool / identity-pool service. Tight with AWS IAM.
Microsoft’s cloud identity (formerly Azure AD). The identity backbone for most enterprises.
Phishing-resistant credentials built into devices. Replacing passwords slowly.
Multi-factor auth. Something you know + something you have/are.
JSON Web Token. A signed bundle of claims about a user, sent in a header.
Browser-stored identifiers tied to server state. Boring, well-understood.
Role-based access control. Roles get permissions, users get roles.
Attribute-based access control. Policies look at the user, resource, and context.
Single sign-on. One identity unlocks many apps. The enterprise sales prerequisite.
An XML-based SSO standard. Old, ugly, mandatory for many enterprise customers.
Delegated authorisation. Tokens, scopes, refreshes. Not the same as authentication.
OpenID Connect. An identity layer on top of OAuth 2.0. Modern SSO substrate.
Defence against abuse, mistakes, and exploitation. Designed in, not bolted on.
The canonical list of the most common web vulnerabilities. Refreshed every few years.
A developer-first vulnerability scanner for dependencies, code, IaC, and containers.
GitHub’s automatic dependency updater and vulnerability alerts.
An open-source scanner for containers, file systems, git repos, and IaC.
A code-pattern scanner. Writes lint-like rules to catch real security bugs.
Static analysis with a strong enterprise dashboard and gating story.
The standard web app pen-testing toolkit. Intercept proxy, scanner, fuzzers.
A network scanner. Find open ports, fingerprint services, map a network.
An exploitation framework used in pen-testing and red teaming.
A password manager with strong team and developer features (secrets, SSH, SCIM).
A secrets manager for dev teams. Single source of truth across envs.
.env files.
A serious secrets and key-management system. Dynamic credentials, leases, audit.
A managed web-application firewall in front of your app. Bot and abuse defence.
Caps requests per user / IP / token. Blunts abuse without blocking real users.
HTTP headers like CSP, HSTS, X-Frame-Options. Cheap protection against common attacks.
Automated detection of API keys and credentials accidentally committed to git.
Static application security testing. Scans source code without running it.
Dynamic application security testing. Pokes the running app for real vulnerabilities.
Hands-on authorised attack against your app or network by skilled humans.
A structured way to think about who could attack the system and how.
How you know the system works, and how you keep knowing.
JavaScript’s most common testing framework. Snapshots, mocks, watch mode.
A Jest-compatible test runner built on Vite. Faster, friendlier with TS.
Python’s favourite test framework. Fixtures, parametrisation, plugins.
Java’s standard testing framework. Mature, opinionated, deeply integrated.
Microsoft’s modern browser automation. Multi-browser, fast, auto-waiting.
A browser-based E2E framework with strong DX. Great test runner UI.
The original browser automation. Multi-language, still in enterprise grids.
Test scripts attached to Postman requests. Smoke-test APIs from a collection.
A workshop for UI components. Each component in isolation with controls and tests.
Tests components the way users see them. Queries by accessible role and text.
A scriptable load-testing tool. Writes tests in JS, runs them at scale.
A Python-based load testing tool. Tests as Python classes.
Cloud devices and browsers for cross-browser and mobile testing.
Humans clicking through the product. Slow, expensive, irreplaceable.
Knowing what the system is doing in production. Errors, metrics, traces, user behaviour, incident response.
Error tracking and performance monitoring for apps and services.
A full observability platform: logs, metrics, traces, RUM, security. Expensive, comprehensive.
An older APM platform. Strong in enterprise estates and Java-heavy stacks.
Open-source dashboards for any data source. The default visualisation layer in OSS observability.
A time-series database and metrics scraper. The default in Kubernetes-shaped infra.
The open standard for emitting traces, metrics, and logs. Vendor-neutral.
A modern logs + uptime + incidents platform with developer-friendly DX.
AWS’s built-in logs, metrics, and alarms.
Microsoft’s logs, metrics, and alerts service. Tight with Azure resources.
GCP’s logs + monitoring. Pairs with Cloud Trace and Cloud Monitoring.
Open-source product analytics with feature flags, session replay, and experimentation.
Event-based product analytics. Funnels, retention, cohort analysis.
Free web analytics from Google. GA4 is event-based, more complex than the old version.
A simple, privacy-friendly web analytics tool. Lightweight script, no cookie banner.
Session recordings, heatmaps, and surveys. Watch how users actually behave.
Free / cheap uptime monitoring. Pings your endpoints and yells when they die.
Incident response platform. Routes alerts to humans, runs on-call schedules.
Atlassian’s alerting and on-call tool. Strong with Jira service management.
Modern incident management in Slack. Declare, run, and review incidents.
Models become products only when the system around them is real. APIs, retrieval, tools, evaluation, observability, and guardrails are not optional.
The most widely used commercial LLM API. GPT models, embeddings, vision, audio, agents.
Claude models. Strong long-context, tool use, and writing quality.
Google’s flagship multimodal models. Strong vision, long context, Workspace ties.
European LLM provider with open and closed models. Strong reasoning on cheaper tiers.
Very fast LLM inference on custom LPU hardware. Speed-first hosting.
A hosting platform for many open-source LLMs with API access and fine-tuning.
The model hub. Hosted models, datasets, spaces, inference endpoints.
Runs open-source LLMs locally. Mac, Linux, Windows. ollama run llama3 and go.
A high-throughput inference engine for serving open LLMs in production.
A broad framework for LLM applications: chains, prompts, retrieval, tools, memory.
A graph/state-machine approach to agent workflows. State, cycles, control flow.
A data framework for LLM apps. Strong on connectors, retrieval, and RAG over documents.
An open-source LLM framework focused on RAG, search, and production patterns.
Microsoft Research’s multi-agent framework. Useful for prototyping agent collaboration.
A role-based multi-agent framework. Define agents like a team with jobs.
OpenAI’s official agents framework with tool use, hand-offs, and tracing.
Stores embeddings so you can find “things like this” instead of “things equal to this”.
Numeric vectors that encode meaning. Cosine distance becomes “is this similar?”
Retrieval-Augmented Generation. Fetch relevant context first, then let the model answer.
Lets the LLM decide to call a named function with structured arguments.
Model Context Protocol. A standard for connecting LLMs to tools and data sources.
Designing the instructions, context, and examples the model sees. Underrated, not magic.
Measures whether AI output is good, grounded, safe, and useful. The discipline most teams skip.
An evaluation framework specifically for RAG: faithfulness, context recall, answer relevance.
LangChain’s observability and evals platform for LLM apps. Traces, datasets, runs.
An evals and observability platform for AI apps, provider-agnostic.
An experiment-tracking platform popular in classical ML and serious LLM work.
Open-source experiment tracking and model registry. Strong on-prem story.
Constraints and safety checks around model behaviour: schemas, filters, refusal policies.
A class of attack where untrusted text rewrites the model’s instructions.
A human approves, rejects, or edits AI decisions at chosen points in the flow.
Storing what an agent has seen, decided, or been told. Short-term + long-term.
Coordinating tools, models, and steps reliably. The hard part of agents.
The structured data an agent carries between steps. The thing graphs and state machines manage.
The functions an agent can call. Each tool is a typed action with effects.
Several agents with roles, working on the same problem. Promising and over-hyped at the same time.
Where software earns the right to handle sensitive work. Policies, controls, evidence, audits.
A compliance automation platform. Connects to your stack and watches controls.
Compliance automation with a focus on continuous control monitoring.
Another compliance platform competing in the same space as Vanta and Drata.
A compliance platform popular with fast-growing tech companies.
The enterprise standard for risk, compliance, and policy management.
A privacy + GRC platform. Strong in data mapping, consent, vendor risk.
Tamper-evident records of who did what, when, and to which resource.
The discipline of capturing proof that a control operated as intended.
Periodic checks of who has access to what, with sign-offs.
An audited report on security, availability, confidentiality, and privacy.
A formal information-security management system standard. Globally recognised.
EU data protection regulation. Defines rights of data subjects and obligations of controllers.
Australia’s federal privacy regime. APPs anchor the obligations.
EU regulation of AI systems by risk tier. The first major AI law with teeth.
International standard for AI management systems. The ISO 27001 of AI governance.
A voluntary framework for managing AI risk. Practical, non-prescriptive structure.
Australia’s prudential standard for information security in regulated financial entities.
Where software meets revenue. Payments, subscriptions, accounting, CRM, project work.
The default payment, subscription, and billing API. Strong DX.
A merchant-of-record platform. Paddle handles sales tax, VAT, GST, fraud, chargebacks.
A consumer payments brand and developer API. Still mandatory in some regions.
Point-of-sale hardware + payments + small-business software.
The dominant online store platform. Storefront, payments, fulfilment, apps.
WordPress e-commerce. Familiar admin, plugin-driven flexibility.
A subscription management platform. Sits on top of Stripe and other gateways.
Mobile subscription management across App Store and Play Store.
A cloud accounting platform. Strong in AU/NZ and small-business markets.
Intuit’s cloud accounting. Strong in the US small-business market.
Marketing + sales + service CRM. Strong for inbound, SMB to mid-market.
A sales-pipeline-first CRM. Lean, founder-friendly, deal-focused.
The enterprise CRM. Vast, expensive, fully customisable.
A spreadsheet that thinks it’s a database. Lightweight operational tooling.
Docs + databases + wiki in one. The default workspace for small teams.
A modern issue tracker for engineering. Fast, opinionated, keyboard-first.
Atlassian’s issue tracker. Built for enterprise process and change control.
A practical map of what to use, what to maybe use, and what to avoid — by project shape.
Pairs that get conflated. Short, sharp, practical — the kind of thing search engines make worse, not better.
Unrelated. Java is an enterprise server language. JavaScript runs in the browser and Node. Same name, different families.
TypeScript is JavaScript with types added. It compiles to JavaScript before running. Use TS for anything non-trivial.
Frontend is what the user sees. Backend is what the user does not. The browser is the frontend; the server is the backend.
React is the UI library. Next.js is the framework around React with routing, SSR, and API routes. Most production React apps use Next.
Node is the runtime. Express is a tiny web framework on top of it. Node alone can serve HTTP; Express makes it pleasant.
Python optimises for readability and AI. Java optimises for long-lived enterprise systems and JVM performance.
Kotlin is a modern language that compiles to the same JVM bytecode as Java. Cleaner syntax. The default for new Android work.
Swift builds native iOS apps with full platform access. React Native ships iOS and Android together with one codebase and some compromises.
AWS is a full cloud universe. Vercel is a developer platform for frontends and serverless functions. Most teams use both.
Cloudflare is an edge / DNS / CDN / security network. AWS is where your servers and data live. Cloudflare sits in front of them.
Docker packages an app into a container. Kubernetes runs many containers across many machines. One is a unit; the other is a fleet manager.
Git is the version control tool that runs locally. GitHub is a hosted service built around it. You can use Git without GitHub.
CI checks the code (build, test, lint). CD ships the code (to staging or production). They are usually one pipeline.
REST: fixed endpoints return fixed shapes. GraphQL: the client asks for exactly the fields it wants. REST is simpler. GraphQL is more flexible.
SQL: tables, rows, relationships, joins. NoSQL: documents, key-value, graphs, time-series. SQL is the safe default; pick NoSQL when you have a reason.
Both are mature relational databases. Postgres has stronger extensibility (JSONB, vector, GIS). MySQL has stronger WordPress and shared-hosting footprint.
Redis lives in memory and is fast but lossy. A database lives on disk and is the source of truth. Use Redis in front of a database, not instead of one.
Auth.js is open-source code you run. Clerk is a managed service with UI components. Auth.js is cheaper; Clerk is faster.
OAuth is modern, JSON-based, used for consumer and B2C apps. SAML is older, XML-based, common in enterprise SSO.
WordPress is plugin-driven, owned by you, infinitely flexible. Webflow is design-led, hosted, opinionated. Different audiences.
WordPress wins when editors edit and engineers don’t want to be on call for every change. Custom code wins when the product is the software, not the content.
LangChain is a broad LLM app framework. LangGraph is a state-machine for controlled agents with cycles, retries, and human-in-the-loop.
LangChain emphasises chaining and integrations. LlamaIndex emphasises data ingestion and retrieval. They overlap; pick by the bigger problem.
RAG fetches context per question. Fine-tuning bakes patterns into model weights. RAG handles knowledge. Fine-tuning handles style or schema.
Embeddings are the numbers that encode meaning. A vector database is the system that stores and searches those numbers efficiently.
Monitoring watches the system (is it up? is it slow?). Analytics watches the users (what are they doing? converting?). Different audiences, different stacks.
Logs = what happened. Metrics = how many, how often. Traces = how a single request travelled through the system.
Security is whether you are actually safe. Compliance is whether you can prove it on paper. You need both, but they are not the same thing.
GRC is the program around controls (policy, risk, audit). DevSecOps is security inside the engineering loop (scanning, secrets, IaC).
A policy is what you say you do. Evidence is the artefact that proves you actually did it. Auditors care about evidence more than policy text.
A progression, not a checklist. Each level depends on the one above it. Skip a level and the next becomes a mystery.
HTML, CSS, JavaScript, Git, GitHub, browser devtools, DNS basics. End state: a personal page on a real domain.
TypeScript, React, Next.js, Tailwind, forms, state management, responsive design. End state: a multi-page app with real interactions.
APIs, Node or FastAPI, Postgres, authentication, validation, file uploads. End state: a frontend talking to your own API talking to your own database.
Vercel or Render, environment variables, staging, CI/CD, logging, Sentry. End state: a product on a real domain with a deploy pipeline and error tracking.
Testing, security basics, Docker, cloud, queues, monitoring, backups, role permissions. End state: software a real customer can rely on.
LLM APIs, RAG, LangGraph, vector DBs, evals, observability, guardrails, cost control. End state: an AI feature you would let a stranger use.
SSO, audit logs, compliance frameworks, evidence records, infrastructure as code, SOC 2 / ISO controls. End state: software a regulated buyer would procure.
A feature is not built in one layer. Every serious feature travels through the whole system, picking up dependencies along the way.
A “simple” signup form touches UX, UI, frontend validation, backend validation, authentication, database writes, email delivery, security, logging, analytics, and support. The product looks small. The system underneath it is not.
Each project is a different cross-section of the same stack. The mistake would be treating them as different worlds.
A personal site is not just a portfolio. It is a publishing system, a trust surface for hiring and clients, and a distribution asset that compounds over time when the writing is good.
GateCrown is a compliance product, not just a website. The software layer must support urgency, buyer clarity, document workflows, and the credibility expected by Australian real-estate principals facing AUSTRAC obligations.
Inference Society is a workflow system. The value is in invitation, application, onboarding, matching, acceptance, reminders, and member experience — not in the home page. The interface is the smallest part of it.
Locarde sits in the trust layer of software. It must prove what happened across engineering and compliance workflows in a way that holds up to auditors and security teams, not just in a pretty dashboard.
Client websites are production systems with business constraints, plugin risk, hosting decisions, staging discipline, and maintainability across owners who are not engineers. Treating them as templates is how they break a year later.
AI features only become real software when they are evaluated, monitored, integrated, and designed around user workflows. A prompt is not a product. The system around the prompt is.
The fastest way to understand the stack is to build something that crosses most of it. Each path is a concrete project that forces a specific set of layers.
Three short lists that catch the failures that show up most often. Read them before, during, and after.
The goal is not to memorise every tool. The goal is to understand where each tool sits in the system.
A beginner asks: “What framework should I use?”
A better builder asks: “What layer am I working on, what does it depend on, and what breaks if this layer is weak?”
That is the shift from knowing tools to understanding software.