1. What is the actual problem we are solving?
2. What are the fundamental constraints?
3. What are all the possible ways to satisfy those constraints?
4. Which way best fits our specific context?

• What is the real problem? Our service A needs to communicate with service B, but they run at different speeds and we cannot afford to lose requests.
• What are the fundamental needs? Decoupling (A should not crash if B is down), buffering (absorb traffic spikes), async processing (A should not wait for B).
• What solutions exist? In-memory queue, database-backed queue, Redis streams, RabbitMQ, Kafka, cloud-managed queues (SQS, Pub/Sub).
• What fits our context? We process 500 messages/second with a 3-person team. Kafka’s operational overhead is not justified. SQS or RabbitMQ fits better.

• “We need microservices because Amazon uses them” — Amazon has 10,000+ engineers. You have 12.
• “We need Kubernetes” — for a single service with predictable traffic, a managed PaaS may be simpler.
• “We need a NoSQL database because it scales” — your relational database handles your load perfectly fine and gives you ACID guarantees you actually need.

• What specific problems is the monolith causing? (Deploy speed? Team coupling? Scaling bottlenecks?)
• Are there simpler solutions? (Modular monolith? Extracting only the bottleneck service?)
• What is the cost of microservices? (Network complexity, distributed transactions, operational overhead)
• What is our team size and operational maturity?
• Can we do an incremental extraction (strangler fig pattern) instead of a full rewrite?

• What evidence would change your mind? If deploy frequency is the bottleneck and you can show that a modular monolith with independent deploy pipelines achieves the same result, the microservices argument collapses.
• What artifact do you produce before writing code? A one-page RFC comparing modular monolith vs strangler fig vs full rewrite, with estimated cost, timeline, and rollback plan for each. The act of writing that document kills most premature microservices proposals.
• What would you do first in production? Extract exactly one service — the one causing the most pain — and run it for 90 days. Measure deploy frequency, incident rate, and operational overhead. That single extraction teaches you more about your org’s readiness than any whiteboard discussion.

• What problem does GraphQL solve? (Over-fetching, under-fetching, multiple round trips)
• Do we actually have those problems? (If we have 3 endpoints consumed by 1 frontend, probably not)
• What does GraphQL cost? (Learning curve, caching complexity, N+1 query risks, schema management)
• Is there a middle ground? (BFF pattern, optimized REST endpoints, sparse fieldsets)

• What is the rollback plan if GraphQL adoption goes badly? If you have external consumers on your REST API, you are running two API surfaces forever. That is a one-way door disguised as a two-way door.
• How do you measure success? Track frontend developer velocity (time from design to working API call), payload sizes, and number of API round trips per page load. If none of those improve after 60 days, the migration is not paying for itself.

• Failure mode: GraphQL’s flexibility lets clients craft arbitrarily expensive queries. Without query complexity analysis and depth limiting, a single malicious or careless query can take down the backend. You need a query cost budget before going to production.
• Rollout: Run the GraphQL gateway alongside REST for at least 60 days. Internal consumers migrate first; external consumers stay on REST until the gateway is proven.
• Rollback: Since REST still exists, rollback means reverting clients to the REST endpoints. The cost is wasted frontend migration effort, not a data problem.
• Measurement: Frontend time-from-design-to-working-API-call, aggregate payload sizes, API round trips per page load, and p99 query execution time on the GraphQL server.
• Cost: GraphQL gateway adds a hop, compute for query parsing, and potentially a schema registry. At high traffic, the gateway itself becomes a scaling concern.
• Security/governance: GraphQL’s introspection feature exposes your entire schema by default. Disable introspection in production and implement field-level authorization — a detail most teams miss until their first security audit.

• Direct effect: that endpoint is faster.
• Second-order effect: the endpoint now handles more traffic, which increases connection pool usage.
• Third-order effect: other endpoints sharing the connection pool start timing out.
• Fourth-order effect: users retry those endpoints, creating a thundering herd problem.

• Server slows down → requests queue up → more load → server slows down more → cascading failure
• Retry storms: a failed request triggers a retry, which adds load, which causes more failures, which triggers more retries
• Alert fatigue: too many alerts → engineers ignore alerts → real incidents get missed → more alerts

• Auto-scaling: load increases → more instances spin up → load per instance decreases
• Circuit breakers: failures increase → circuit opens → failing service gets relief → recovers → circuit closes
• Rate limiting: traffic spikes → excess requests get rejected → backend stays healthy

• The Thundering Herd: Caches expire at the same time. Every server hits the database simultaneously. No single server decided to overload the database — the behavior emerged from the interaction.
• The Metastable Failure: The system is stable under normal load, but a brief spike pushes it into a degraded state it cannot recover from, even after the spike ends. The degraded state sustains itself through positive feedback loops.
• Split-Brain: Two nodes each believe they are the leader. Neither is “wrong” given their local view — the emergent behavior (data corruption) arises from the network partition between them.

• What would you do first in production? Check the error rate dashboard and the request count metric side by side. If request count dropped proportionally to CPU, traffic is being rejected or redirected before reaching your service — check the load balancer and DNS.
• What artifact would you create after confirming the cause? A Grafana dashboard panel that correlates CPU utilization with request count, error rate, and response code distribution. The next time CPU drops unexpectedly, the on-call engineer sees the correlation immediately instead of guessing.

• What evidence would change your analysis? If the dependencies are called in parallel with independent failure modes and any 3 of 5 succeeding is sufficient (quorum), the math changes dramatically. Architecture decisions alter the reliability equation.
• What is the security and governance angle? If one of those 5 dependencies is an auth service, its failure mode is not “request fails gracefully” — it is “request succeeds without authorization.” Reliability and security failure modes are different beasts.

• What would you do first in production? Pull the DORA metrics dashboard for the last 6 months. Plot deploy frequency, lead time, change failure rate, and mean time to recovery on the same timeline. The correlation pattern tells you which metric degraded first — that is the root cause, not the symptoms.
• What artifact would you create? A “Deploy Health” Grafana dashboard that shows deploys per week, average changeset size, rollback frequency, and time-from-merge-to-production. Set an alert if deploy frequency drops below 4 per week for 2 consecutive weeks. The goal is catching the boiling frog before the water boils.
• What evidence would change your mind about the feedback loop theory? If deploy size remained constant while frequency dropped, the cause is not fear — it is something else. Check whether the CI pipeline got slower, whether a new approval gate was added, or whether the team lost headcount. Same symptom, completely different root cause.
• What is the security implication? Infrequent deploys mean security patches sit in the queue longer. If your deploy cadence is 2 per week and a critical CVE drops on Wednesday, the patch might not reach production until next Monday. Deploy frequency is a security metric that most teams do not track.

• First 30 minutes: identify which metrics I can trust. If CPU and memory on the database host are instrumented correctly, start there. If connection pool utilization is reliable, that is my second signal. Work with what you have, not what you wish you had.
• Next 30 minutes: run pg_stat_activity (or equivalent) to see active queries, waiting queries, and lock contention right now. This is real-time ground truth that does not depend on dashboard configuration.
• Next 30 minutes: characterize the workload. Is this read-heavy (read replica helps), write-heavy (vertical scale or schema optimization), or connection-heavy (connection pooler like PgBouncer)? The answer determines the solution.
• Final 90 minutes: propose the solution with the lowest blast radius and fastest rollback. Vertical scaling is a one-click operation with 5 minutes of downtime. A read replica takes hours to provision but zero downtime. A caching layer is a code change with the highest risk of introducing bugs. Under time pressure with incomplete data, I optimize for reversibility.

• What evidence would change your solution ranking? If the slow query log shows 80% of load from 3 queries that scan full tables, none of the three options is right — the answer is indexing. Always check whether the problem is the engine or the fuel before replacing the car.
• What artifact comes out of this decision? An ADR titled “Database scaling decision under incomplete observability — [date].” It documents: what data we had, what data we lacked, what we decided and why, and a trigger condition to revisit. It also includes an action item: “Fix misconfigured dashboards within 2 weeks so this decision can be validated with real data.”
• How would you use AI tooling here? Paste the pg_stat_activity output and slow query log into an LLM with the prompt: “Given this PostgreSQL workload profile, which scaling strategy — read replica, caching layer, or vertical scaling — addresses the bottleneck most directly? Show your reasoning.” The LLM can pattern-match against thousands of similar workload profiles faster than you can reason through it manually. But verify its recommendation against your specific constraints — the LLM does not know your deployment topology or change management process.

• Scale: 100 users vs 100 million users demand different architectures.
• Team size and expertise: A 3-person team cannot operate 20 microservices. A 200-person org cannot share a single monolith.
• Timeline: A startup racing to product-market fit needs different trade-offs than a bank migrating a core system.
• Requirements clarity: If requirements will change significantly, optimize for flexibility. If they are well-understood, optimize for performance.
• Regulatory constraints: GDPR, HIPAA, SOX — these are non-negotiable and override other preferences.
• Budget: A managed database at $500/month might be better than a self-hosted one requiring 20 hours/month of DBA time.

• Choosing a logging library
• API response format (if you version your API)
• UI layout changes
• Feature flag experiments

• Database schema for a core entity with billions of rows
• Public API contract (once external clients depend on it)
• Choice of programming language for a core system
• Data deletion policies

• Building a plugin system for an internal tool used by 5 people
• Adding Kafka when your throughput is 10 events/second
• Implementing CQRS when you have a single database with straightforward read/write patterns
• Creating an abstraction layer “in case we switch databases” when you have never switched databases

• More code to maintain
• More indirection to debug
• More complexity for new team members to learn
• Abstractions built without real use cases often have the wrong API

• What are the access patterns? (Relational joins? Key-value lookups? Document retrieval?)
• What are the consistency requirements? (Financial transactions need ACID. Social media feeds tolerate eventual consistency.)
• What is the schema stability? (Rapidly evolving schema favors document stores. Stable, relational data favors SQL.)
• What scale are we targeting? (At moderate scale, PostgreSQL handles almost everything. At extreme write throughput, you might need DynamoDB or Cassandra.)
• What does the team know? (Operational expertise matters — a team skilled in PostgreSQL will run it better than a team learning MongoDB.)

• What evidence would make you switch databases mid-project? If write latency at p99 exceeds your SLA for 3 consecutive weeks despite optimization, and profiling shows the bottleneck is the storage engine itself (not queries), that is evidence — not just a feeling — that you need a different database.
• What is the cost dimension nobody talks about? DBA time. A self-hosted Cassandra cluster that saves $2K/month over Aurora but requires 30 hours/month of operational attention is not saving money — it is spending more through a different budget line.

• What artifact documents the shortcuts? An ADR (Architecture Decision Record) titled “Temporary: [Feature] shipped with [shortcut] — revisit by [date].” It lists: what was skipped, what breaks if we do not fix it, and the trigger condition (traffic threshold, user count, or date) that forces the follow-up.
• What is the rollback plan? Feature flag with a kill switch. If the 2-week version causes production issues, one engineer can disable it in 30 seconds without a deploy.
• What would you measure to know the shortcut is becoming a problem? Set a Datadog alert on the specific dimension that was compromised. Skipped pagination? Alert on response payload size exceeding 1MB. Skipped rate limiting? Alert on requests per user per minute exceeding 100.

1. Security vulnerability first — even if it affects zero users today, an unpatched vulnerability is a ticking bomb. If the bug bounty reporter goes public, the blast radius becomes infinite. One engineer starts here immediately.
2. P1 bug second — 5% of users affected means real revenue impact right now. But “P1” needs validation: is it truly 5%, or is that a noisy metric? The second engineer verifies the impact while the first works on the security fix.
3. Partner integration last — a 48-hour deadline is a business commitment, but it is negotiable. A security breach and a P1 outage are not. I call the partner and explain a 24-hour delay, which buys the second engineer time to address the P1 and then pivot. The meta-principle: never let a deadline override a security issue or an active outage. Deadlines can be renegotiated. Breaches and customer trust cannot.

• A charge goes through but we do not record it (money lost, customer charged twice on retry)
• We record it but the charge did not actually go through (revenue leakage)
• The same payment processes twice (double-charge)
• The system is down during peak checkout (lost revenue, lost trust)
• A partial failure leaves the order in an inconsistent state (charged but no order, or order but no charge)
• An attacker replays a payment request (fraud)

• Instead of “Does this code work?” ask “How could this code break?”
• Instead of “Is this test good?” ask “What bugs would this test NOT catch?”
• Instead of “Is this API well-designed?” ask “How could a consumer misuse this API?”

• Instead of “How do we deliver on time?” ask “What would cause us to miss the deadline?”
• Common answers: unclear requirements, key person unavailable, dependency on another team, underestimated migration complexity.
• Now mitigate each risk before starting.

• Instead of “How do I get promoted?” ask “What behaviors would guarantee I do NOT get promoted?”
• Common answers: only doing assigned work, never writing design docs, avoiding cross-team visibility, not mentoring others.
• Stop doing those things.

• Before a major deploy, run a pre-mortem: assume the deploy has already failed catastrophically. Now work backward — what went wrong? This surfaces risks that optimism hides. Amazon, Google, and many other companies use pre-mortems as a standard practice before high-stakes launches.

• Large uploads fail midway — use chunked uploads with resumability so users do not restart from zero.
• Storage fills up — set per-user quotas, implement lifecycle policies, monitor disk usage with alerts.
• Malicious files uploaded — scan uploads asynchronously with antivirus, validate file types, sandbox processing.
• Two users upload the same filename — use unique storage keys (UUIDs), not user-provided filenames.
• Upload succeeds but metadata write fails — write metadata first as ‘pending’, update to ‘complete’ after storage confirms. With those failure modes covered, the core architecture is: chunked upload API, object storage (S3) for files, database for metadata, async processing pipeline for validation.”

• What is the rollout plan? 1% canary for 1 hour, 10% for 4 hours, 50% for 24 hours, 100%. At each stage, check: error rate, p99 latency, storage usage growth rate, and antivirus scan completion rate.
• What artifact comes out of this design? A runbook page: “File Upload Service — Operational Guide.” Sections: architecture diagram, failure modes and mitigations, alerting thresholds, escalation contacts, and the exact curl command to check health.
• What is the cost dimension? Storage costs are the hidden killer for file upload services. At 5GB per file, 1,000 uploads per day means 5TB per day. At S3 standard pricing, that is roughly $115/TB/month. Within a month, you are storing 150TB at$17,250/month. Without lifecycle policies that move cold files to Glacier or delete them after retention periods, your storage bill grows linearly forever. The inversion question “what if storage fills up?” should really be “what is our storage cost at 10x current usage and do we have a lifecycle policy?”
• What is the security consideration beyond antivirus? File uploads are a classic attack vector for server-side request forgery (SSRF) and path traversal. If the upload path includes user-provided filenames without sanitization, an attacker can overwrite system files. If the upload triggers server-side processing (thumbnail generation, document preview), a malicious file can exploit image library vulnerabilities. Always process uploads in a sandboxed environment isolated from your main application.
• How would you use AI-assisted tooling in this design? Ask an LLM: “Given these file upload failure modes, generate the Terraform configuration for an S3 bucket with lifecycle policies, event notifications for antivirus scanning, and CloudWatch alarms for storage growth rate.” The infrastructure-as-code generation is where AI saves the most time — the YAML/HCL boilerplate is tedious for humans but well-suited for LLMs. Review the generated IAM policies carefully, though — AI frequently generates overly permissive policies (s3:* instead of s3:PutObject).

• What document does the pre-mortem produce? A launch checklist with go/no-go criteria. Example: “Go if: error rate < 0.5%, p99 latency < 500ms, no P1 bugs open. No-go if: on-call engineer is unfamiliar with the feature, rollback was not tested in staging, or support FAQ is not published.”
• What is the rollback plan, and have you tested it? A feature flag kill switch that has been tested in staging by actually toggling it and verifying the feature disappears cleanly without data corruption. Untested rollback plans are not plans — they are hopes.
• What would you measure for 72 hours after full rollout? Error rates, latency, conversion rate (if applicable), support ticket volume, and — critically — the absence of expected behavior. If the feature is supposed to increase engagement and engagement is flat, that is a signal the feature may not be working even though nothing is technically broken.

1. Transistors and logic gates — electrical signals, binary math
2. CPU instructions — registers, memory addresses, opcodes
3. Operating system — processes, threads, virtual memory, file systems
4. Runtime / VM — garbage collection, JIT compilation, event loop
5. Language and standard library — syntax, data structures, I/O abstractions
6. Framework — routing, middleware, ORM, templating
7. Application code — your business logic, domain models
8. API surface — the contract your service exposes to consumers
9. System architecture — how services interact, data flows, infrastructure topology
10. Product / business — what the user experiences, what the business needs

• During system design — you need the 30,000-foot view
• When a bug seems to involve multiple services
• When discussing trade-offs with product or leadership
• When evaluating whether a project is worth doing at all

• During performance optimization — the bottleneck lives in specifics
• When debugging a production issue — you need the exact failure path
• When reviewing security-sensitive code — the devil is in the details
• When the abstraction is leaking — something at a lower layer is violating the assumptions of the layer above

• TCP abstracts away packet loss — but when packets are lost, your “reliable” connection stalls and latency spikes. The abstraction leaks.
• An ORM abstracts away SQL — but when you write a complex query through the ORM, it generates horrifically inefficient SQL. The abstraction leaks.
• A managed Kubernetes service abstracts away infrastructure — but when a node runs out of memory, your pods get OOM-killed and your “self-healing” system enters a crash loop. The abstraction leaks.
• Garbage collection abstracts away memory management — but when GC pauses cause latency spikes in your real-time system, the abstraction leaks.

1. Browser parses the URL, checks its local cache (application layer)
2. DNS resolution — browser cache, OS cache, recursive resolver, authoritative nameserver (network layer)
3. TCP handshake — SYN, SYN-ACK, ACK. If HTTPS, TLS handshake on top (transport layer)
4. HTTP request sent to the server (application protocol layer)
5. Server-side: load balancer routes to an application server, which processes the request (infrastructure layer)
6. Application logic executes — reads from database, applies business rules, renders a response (application layer)
7. HTTP response sent back, browser parses HTML, fetches CSS/JS/images (rendering layer)
8. Browser constructs the DOM, applies styles, executes JavaScript, paints the screen (browser engine layer)

• What is the failure mode at each layer? DNS failure returns NXDOMAIN and the user sees “site not found.” TCP failure means the connection hangs for the OS timeout (usually 30-75 seconds) — the worst user experience because there is no feedback. TLS failure shows a browser security warning. HTTP 5xx shows an error page. Application bugs return wrong data with a 200 status — the most dangerous failure because it is silent.
• What is the security layer you did not mention? TLS certificate validation. If the certificate is expired, self-signed, or does not match the domain, the browser blocks the connection. This is the layer that protects against man-in-the-middle attacks. A surprising number of production outages are caused by expired TLS certificates — an artifact that should be monitored.
• What would you measure end-to-end? Real User Monitoring (RUM) that captures DNS lookup time, TCP connection time, TLS handshake time, time-to-first-byte, and time-to-interactive. Most teams only measure time-to-first-byte from the server’s perspective, missing everything that happens before the request reaches their infrastructure.

• Network layer: Are other services on the same network also slow? Check ping times, packet loss.
• Infrastructure layer: Is the host resource-constrained? Check CPU, memory, disk I/O.
• Runtime layer: Is garbage collection pausing? Are threads exhausted?
• Application layer: Did a recent deploy change anything? Are specific endpoints slow or all of them?
• Data layer: Is the database slow? Check slow query logs, connection pool saturation.
• Dependency layer: Is an external API timing out, causing our requests to back up? I would use distributed tracing to see exactly where time is being spent in a request, which immediately tells me which layer to investigate.”

• What would you do first in production? Open the distributed tracing dashboard, find a single slow request, and look at the span breakdown. If 90% of the time is in one span, that is the layer. This takes 60 seconds and eliminates guessing. If you do not have distributed tracing, that is the real problem to solve after the incident.
• What artifact should exist before this happens? A “Service Latency Investigation” runbook with a decision tree: “If all endpoints are slow, check infrastructure. If one endpoint is slow, check its specific dependencies. If the database is the bottleneck, check these 3 things. If an external dependency is the bottleneck, check these 3 things.” The runbook saves 15 minutes per investigation for every engineer on the team.
• How would you use AI-assisted tooling? Export the last hour of distributed traces for slow requests (p99 > 2s) and feed them to an LLM: “Analyze these trace spans and identify the common bottleneck layer and specific operation causing latency.” LLMs are excellent at finding patterns across 50 trace files that a human would take an hour to manually correlate. But always verify the identified span against the actual code path.

• A deploy went out
• A config was updated
• Traffic patterns shifted
• A dependency released a new version
• A certificate expired
• A cloud provider had an incident

1. Recent deployments (git log, deploy dashboard)
2. Configuration changes (feature flags, environment variables)
3. Infrastructure changes (scaling events, cloud provider status)
4. Dependency updates (package lock file changes)
5. External factors (traffic spike, time-based event like daylight saving time or month-end batch job)

• Disable half the middleware. Problem persists? It is in the other half. Problem gone? It is in the disabled half.
• Route traffic to half the servers. If one set has errors and the other does not, the problem is environmental (host-specific).
• Comment out half the configuration. Narrow down which config block is causing the issue.

1. Read the entire error message. Not just the first line. Stack traces, context fields, and “caused by” chains contain the actual answer.
2. Read it literally. “Connection refused on port 5432” means nothing is listening on that port. Not “the database is slow” — it is not running or not reachable.
3. Check the line number. Most error messages tell you exactly where the problem is.
4. Decode the error code. HTTP 429 is not “server error” — it is rate limiting. HTTP 503 is not “it’s broken” — the server is explicitly telling you it is overloaded.

• Forces sequential reasoning. Your brain can hold contradictory beliefs simultaneously. Speaking forces you to linearize your thoughts, exposing contradictions.
• Activates different cognitive pathways. Reading code silently uses visual processing. Explaining it aloud engages verbal and auditory processing, sometimes revealing what the visual path missed.
• Exposes assumptions. When you say “this variable is always positive,” you sometimes immediately realize — wait, is it? What if the input is negative?

1. Define “slow” — which pages/endpoints? For all users or some? Since when?
2. Check metrics — p50, p95, p99 latency. Is it a general degradation or tail latency?
3. Ask “what changed?” — recent deploys, config changes, traffic patterns.
4. Check infrastructure — CPU, memory, disk I/O, network. Is any resource saturated?
5. Trace a slow request end-to-end — where is time being spent? Database? External API? Application code?
6. Form a hypothesis based on the data and test it.

• OS, language version, dependency versions (check lock files)
• Environment variables, config files
• Timing-dependent code (flaky tests often involve race conditions or time zones)
• File system differences (case sensitivity, temp directory paths)
• Network access (CI may not reach external services)
• State leakage from other tests (test execution order may differ)

• What artifact prevents this class of bug from recurring? A CI environment parity checklist in the repo’s CONTRIBUTING.md. It documents: required environment variables, expected OS behavior (case sensitivity, line endings), network access assumptions, and test isolation requirements. When a new environment-specific flake is found, it gets added to the checklist.
• How would you use AI-assisted tooling here? Paste the CI failure log into an LLM with the prompt: “Compare this CI environment failure against these local test results. What environmental differences could explain the discrepancy?” LLMs excel at pattern-matching across log outputs that humans skim too quickly. But verify every hypothesis the LLM suggests — it will confidently propose plausible-sounding causes that are wrong 30% of the time.

• You are the go-to person for this area on your team.
• You understand not just how to use the tools, but how they work internally.
• You can debug problems in this area that others cannot.
• Examples: distributed systems, frontend performance, database internals, ML infrastructure.

• You can read and understand code in languages you do not primarily write.
• You can have intelligent conversations about areas outside your specialty.
• You can identify when a problem falls outside your expertise and know who to ask.
• Examples: basic understanding of networking, security fundamentals, business domain knowledge, product thinking.

• Go deep by working on the hardest problems in your area, reading source code, and writing technical deep-dives.
• Go broad by rotating across teams, reading architecture docs, attending cross-team design reviews, and working on side projects in unfamiliar areas.

• Open source libraries you use daily. Read the Express.js source to understand middleware. Read React’s reconciliation algorithm. You will become dramatically better at using these tools.
• Code from senior engineers on your team. Notice their patterns, naming conventions, how they structure error handling, and how they write tests.
• Code in languages you do not know. Expands your mental model of what is possible. A Python developer reading Go learns to think about concurrency differently.
• Rejected pull requests and design docs. Understanding why something was NOT done teaches you as much as understanding why something was done.

• Code review from world-class engineers. Maintainers of popular projects give detailed, high-quality feedback.
• Reading unfamiliar codebases. Forces you to develop code navigation and comprehension skills.
• Writing for a broad audience. Your code must be understandable to strangers, which improves your clarity.
• Public portfolio. Contributions are visible proof of your skills.

1. Fix documentation or typos (low barrier, high value to maintainers).
2. Tackle issues labeled “good first issue.”
3. Add tests for uncovered code paths.
4. Graduate to bug fixes and small features.

• When asked something you do not know, say: “I haven’t worked with that directly, but here is how I would approach learning it…” Then describe your learning process.
• When facing an unfamiliar problem, say: “I don’t have experience with this specific situation, but based on what I know about [related area], I would start by…”

• Describe a real decision and the reasoning behind it at the time.
• Explain what happened and how you discovered you were wrong.
• Focus on what you learned — both the specific technical lesson and the meta-lesson about your decision-making process.
• Show that you updated your mental model, not just fixed the immediate problem.

• What evidence would change your learning priorities? If I kept encountering the same class of production incident (e.g., Kubernetes networking issues), that is a signal my learning should shift toward container orchestration internals — even if it is not “exciting.” Production pain is the most honest curriculum advisor.
• How has AI changed your learning process? I use LLMs to compress the “awareness” phase of learning. Instead of spending 2 hours reading documentation to understand what a technology does, I spend 20 minutes in a conversational session: “Explain Raft consensus assuming I understand Paxos but have never implemented a consensus protocol.” But I never trust the LLM’s explanation as complete — I always follow up by reading the actual paper or source code for the areas that matter. AI accelerates the map; you still have to walk the territory.

• Why was the human able to make that error? Was there no validation, no guard rail, no confirmation step?
• Why did the system not detect the error before it reached production? Was there no staging environment, no canary deploy, no automated test for this scenario?
• Why did the team not recover faster? Was there no runbook, no rollback mechanism, no alert that caught the impact early?

• What artifact should every postmortem produce? At minimum: (1) a specific, assigned, time-bound action item that addresses the systemic gap, (2) an update to the relevant runbook, and (3) a new or improved alert that would have caught this incident earlier. If the postmortem does not produce all three, it was a catharsis exercise, not a learning exercise.
• What is the failure mode of postmortem culture itself? Action item fatigue. If postmortems produce 8 action items and only 2 get completed, the team learns that postmortems are performative. Track postmortem action item completion rate as a meta-metric. If it drops below 70%, reduce the number of action items per postmortem rather than letting them pile up unfinished.
• What would you do first after this postmortem? Schedule a 30-minute session where the on-call engineer walks through the incident timeline and identifies the single moment where better tooling, documentation, or automation would have cut the time-to-resolution the most. That single improvement is more valuable than a list of 10 action items.

1. Prompt with constraints. Do not ask “write a retry function.” Ask “write a retry function with exponential backoff, jitter, a maximum of 5 attempts, and circuit breaker integration that matches our existing CircuitBreaker class in src/resilience/.” Constraints eliminate the most common failure modes.
2. Read every line. AI-generated code that you do not read is worse than code you did not write yourself — at least your own code reflects your mental model. Unread AI code is someone else’s assumptions embedded in your system.
3. Test it yourself. Do not trust “this code should work.” Run it. Write a test. The 5 minutes you spend verifying saves the 2 hours you would spend debugging a subtle AI-introduced bug in production.
4. Use AI for the artifact layer. Where AI truly shines in the engineering mindset: generating first-draft ADRs, runbooks, postmortem templates, and dashboard configurations. These artifacts (Section 9) are high-value but often skipped because of the writing effort. AI removes the effort barrier.

• What evidence would make you trust AI more for critical code paths? If AI tools developed verifiable formal proofs alongside their generated code — not just “this compiles” but “this satisfies these correctness properties” — I would trust them for more sensitive work. Until then, AI is a first-draft tool, not a final-draft tool.
• How do you handle an engineer on your team who uses AI to write code they do not understand? The same way I handle any code review where the author cannot explain their code: I reject it. “Walk me through what this does” is the test. If the answer is “the AI generated it and the tests pass,” that is a red flag. Tests pass for wrong code all the time.

• What evidence would change your position? If AI systems could reliably explain why their generated code works — not just produce it, but trace the reasoning through system constraints, failure modes, and production considerations — I would trust them more for critical paths. Current LLMs generate plausible code; they do not reason about the production context that code will run in.
• What is the concrete engineering moment where this matters most? Schema migrations. An LLM can generate a migration script in 30 seconds. But it does not know that your orders table has 80 million rows, that adding a column with a default value will lock the table for 15 minutes in PostgreSQL versions before 11, or that your SLA requires zero downtime. The engineer who blindly runs the AI-generated migration takes down production. The engineer who understands the underlying storage engine knows to use ALTER TABLE ... ADD COLUMN ... DEFAULT NULL followed by a backfill — and the LLM never mentions this unless specifically prompted.
• What is the artifact-thinking angle? AI is most transformative for the artifacts that engineers should produce but do not because of writing friction: ADRs, runbooks, postmortem drafts, onboarding documentation. An LLM that generates a first-draft runbook from your service’s code and configuration saves 2 hours and produces a document that would otherwise never exist. The engineering mindset shift is: use AI to eliminate the excuses for missing artifacts.

• Check for hardcoded secrets, API keys, or credentials that the LLM might have hallucinated from training data
• Look for common vulnerability patterns: SQL injection via string concatenation, XSS through unescaped user input, insecure deserialization, overly permissive CORS headers
• Verify that authentication and authorization checks are present on every endpoint — LLMs frequently generate functional code that skips authz because the prompt did not mention it
• Run the code through SAST (static analysis security testing) tools before committing

• What is the rollout consideration? AI-generated security-sensitive code should go through the same review process as any security-critical change: a second engineer reviews it, ideally someone with security expertise. The speed advantage of AI generation is in the first draft, not in skipping review.
• What would you measure? Track the ratio of security findings in AI-generated code versus human-written code in your SAST reports. If AI-generated code has a higher vulnerability density, tighten the review process. If it is comparable or lower, you can calibrate trust accordingly.

• You learn from real users, not hypothetical ones.
• Requirements change. Your “perfect” solution may solve the wrong problem.
• Speed compounds. Faster iterations mean faster learning, which means a better product sooner.

• The core functionality works correctly.
• Edge cases are handled gracefully (even if not optimally).
• The code is clean enough to iterate on.
• You have observability to detect problems quickly.

• Prevents analysis paralysis. Without a deadline, investigation expands to fill all available time.
• Forces prioritization. You focus on the highest-signal questions first.
• Makes “good enough” information acceptable. You stop seeking certainty and start seeking sufficiency.
• Creates a forcing function for group decisions. Everyone knows the decision point is coming.

• Choosing between technologies: 2 hours of research, then decide.
• Investigating a production issue: 30 minutes of focused debugging, then escalate if unresolved.
• Designing a new feature: 1-day spike to prototype the riskiest part, then review as a team.

• The decision and its context.
• The options you considered.
• The trade-offs you weighed.
• What you expected to happen.
• The confidence level (low/medium/high).

• Defeats hindsight bias. Six months later, you can review what you actually thought at the time, not what you think you thought.
• Accelerates learning. Comparing predictions to outcomes reveals systematic biases in your decision-making.
• Improves team knowledge transfer. New team members can understand why the system is the way it is by reading the decision log.

1. State what you are trying to do.
2. State what you have already tried.
3. State your current best hypothesis.
4. Ask a specific question, not “this doesn’t work.”

• Team-level decisions (library choices, internal API design, testing strategy): The team decides. No approval needed.
• Cross-team decisions (shared API contracts, platform choices, data schema changes): Affected teams collaborate. An RFC or design doc may be warranted.
• Org-level decisions (programming language adoption, cloud provider, build system): Broader consensus needed. Architecture review board or tech lead council.

1. Define the evaluation criteria based on our specific requirements (not generic benchmarks).
2. Time-box a spike: build a small prototype with each option, focused on the riskiest aspect.
3. Consult with team members who have experience with either technology.
4. Document the decision (ADR) including context, options considered, and trade-offs.
5. Choose the option that is the best fit for our constraints, with a preference for the more reversible choice if the options are close.

• First, ensure both sides have clearly articulated their reasoning (not just preferences).
• Identify the specific criteria where they disagree and try to get data on those points.
• If the decision is reversible, choose one and set a review date (“Let’s try A for 2 sprints and evaluate”).
• If irreversible, invest more time: prototype both, or bring in an outside perspective.
• Avoid design-by-committee (merging both solutions into a Frankenstein). Pick one coherent approach.
• The worst outcome is not picking the “wrong” solution — it is not deciding at all.

• What artifact resolves this structurally? An RFC with a formal “Decision” section where one approach is selected and the “Consequences” section explicitly states what the rejected approach would have provided. This prevents relitigating the decision 3 months later when someone forgets why option B was rejected.
• What evidence would change your mind after committing? Define specific, measurable criteria before implementation begins. “If approach A’s p99 latency exceeds 200ms after 30 days in production, we revisit.” Without pre-committed criteria, teams either never revisit (sunk cost bias) or revisit every time someone is frustrated (decision instability).

• What is the rollback plan for the halfway deploy? It depends on what kind of deploy. For a stateless service with blue-green deployment, roll back by shifting traffic to the old fleet — 30 seconds, zero risk. For a database migration that is halfway through, rolling back may be impossible or more dangerous than rolling forward. Know your deploy type before deciding.
• What artifact prevents this chaos next time? An incident response playbook that separates roles: Incident Commander (triage and communication), Investigator (root cause), and Mitigator (stopping the bleeding). When the same person does all three, nothing gets done well.
• What is the cost dimension people miss in incidents? Engineering hours. A 90-minute incident with 4 engineers responding costs 6 engineer-hours in direct response time, plus another 8-10 hours in postmortem, follow-up action items, and context-switching recovery. That is 2 full engineering days for one incident. When leadership asks “why is the roadmap slipping,” this is often the hidden answer.

1. Title: A short descriptive name — “Use PostgreSQL over Kafka for event storage”
2. Status: Proposed, Accepted, Superseded, Deprecated
3. Context: What situation prompted this decision? What constraints exist?
4. Decision: What did we choose and why?
5. Consequences: What trade-offs did we accept? What becomes easier? What becomes harder?
6. Trigger conditions for revisiting: Under what circumstances should this decision be re-evaluated?

1. Latency — how long requests take (p50, p95, p99)
2. Traffic — how many requests per second
3. Errors — what percentage of requests fail
4. Saturation — how full are your resources (CPU, memory, connection pool, disk)

• Checkout completion rate, not just API success rate
• User login success rate, not just auth service uptime
• Search result relevance (click-through rate on first result), not just search latency

• Action items say “improve testing” without specifying what test, who writes it, and by when
• The same root cause appears in postmortems 6 months apart
• Postmortems are only written for P1 incidents, missing the near-misses that teach just as much
• Nobody reads old postmortems — they are write-only documents

• Action items are specific, assigned, and time-bound: “Add integration test for partial refund edge case — Alice — by March 15”
• New engineers are assigned to read the last 10 postmortems during onboarding
• Near-misses get “mini postmortems” — a 15-minute write-up, not a 2-hour meeting
• A quarterly review checks which postmortem action items actually got completed

1. A dashboard with the four golden signals plus at least one business-outcome metric
2. A runbook covering: what the service does, its dependencies, what healthy looks like, known failure modes, and mitigation steps
3. Alerting rules tied to actionable thresholds (not just “CPU > 80%” but “connection pool utilization > 90% for > 2 minutes, which historically precedes an outage”)
4. An ADR documenting the key design decisions, especially the ones where we chose simplicity over completeness, with trigger conditions for when to revisit

• What evidence would tell you the dashboard is being used? Check Grafana access logs or add a simple counter. If nobody has viewed the dashboard in 30 days, it is not serving its purpose — either the panels are wrong or the team does not know it exists.
• What is the governance angle? For services handling PII or financial data, the artifact list includes a data flow diagram showing where sensitive data enters, transits, and rests. Compliance teams need this during audits, and building it at service creation time is 10x cheaper than reconstructing it during an audit crunch.

• The change affects more than one service or team — RFC required
• The change involves a database schema migration on a table with more than 1M rows — RFC required
• The change introduces a new dependency or removes an existing one — RFC required
• The change is a new endpoint on an internal service with one consumer — no RFC, just a design discussion in the PR

• 80% of bugs come from 20% of the code. Focus code reviews and testing on the most complex, most-changed files.
• 80% of performance gains come from 20% of optimizations. Profile first. Optimize the hot path. Do not micro-optimize cold code.
• 80% of user value comes from 20% of features. Build the critical features well. The rest can be good enough.
• 80% of outages come from 20% of failure modes. Identify and harden against the most common failures first.

• The production outage is more likely a bad config deploy than a kernel bug.
• The API failure is more likely a network issue than a race condition.
• The “impossible” bug is more likely a wrong assumption in your mental model than a compiler error.

• A typo in a variable name
• An off-by-one error
• A null value where you assumed non-null
• A stale cache
• A missing environment variable

• A colleague’s “bad” code is more likely written under time pressure than incompetence.
• A broken API from a partner team is more likely an oversight than sabotage.
• A manager’s “unreasonable” deadline is more likely based on business context you do not have than disrespect for engineering.

• In code reviews, assume the author had reasons. Ask “What was the thinking behind this?” before criticizing.
• In incident response, focus on fixing the problem, not finding someone to blame.
• In cross-team interactions, assume positive intent. “Can you help me understand this decision?” works better than “Why did you break this?”

• If your frontend and backend teams are separate, you will end up with a clear API boundary between them (which may be good).
• If your payment team and notification team do not talk, the payment system and notification system will not integrate well (which is bad).
• If you want microservices, you need small, autonomous teams. If you have one big team, you will build a monolith regardless of your stated architecture.

• Code coverage as a target: Teams write meaningless tests that execute code without asserting anything, just to hit the coverage number. Coverage goes up. Quality does not.
• Lines of code as productivity: Engineers write verbose code, avoid refactoring that reduces lines, and split simple changes into multiple commits. Output goes up. Value does not.
• Story points as velocity: Teams inflate estimates. Velocity increases every sprint. Actual throughput stays the same.
• Mean Time To Resolve (MTTR) as a target: Engineers close incidents prematurely or reclassify them to lower severity. MTTR improves. Reliability does not.

• You cannot change “internal” behavior safely at scale. Every observable behavior is a potential contract.
• Versioning is essential. Once behavior exists, the only safe way to change it is to create a new version.
• Be deliberate about what you expose. The less observable surface area your system has, the more freedom you have to change internals.
• Shadow testing is critical for migrations. Run the old and new systems in parallel and compare outputs — you will discover dependencies you did not know existed.

• That “weird” code block with no comments — before you delete it, figure out what it does. It might handle a race condition that only occurs under high concurrency. It might be a workaround for a third-party library bug. It might compensate for a quirk in how a specific browser renders a component. If you cannot figure out why it exists, that is a reason for caution, not confidence.
• That “unnecessary” configuration flag — before you simplify it away, check if a specific customer or deployment environment depends on it. Hyrum’s Law (above) guarantees that someone does.
• That “overcomplicated” deployment process — before you streamline it, ask the person who built it what failure it was designed to prevent. You may discover that the “extra” step exists because the simpler version caused a production outage two years ago.
• That “redundant” database index — before you drop it for write performance, check if it supports a critical monthly reporting query that you have never run yourself.

• The dangerous zone is peak confidence with limited experience. A developer who has built one CRUD app and declares “microservices are easy” is at the peak of the Dunning-Kruger curve. They have not yet encountered distributed transactions, network partitions, service discovery failures, or the operational overhead of running 50 services with a 10-person team.
• The productive zone is calibrated confidence. The senior engineer who says “I have built three distributed systems and I am still nervous about this one” is not being modest — they have an accurate model of what can go wrong.
• Estimating work: Junior engineers consistently underestimate tasks because they do not know what they do not know. They estimate the happy path. Experienced engineers estimate the happy path plus error handling, plus testing, plus edge cases, plus deployment, plus documentation — and they are still often short.

• In design discussions, the loudest voice is often the most confident — and the most confident person may be the least qualified to judge complexity. Seek out the quiet engineer who says “I am not sure, but here is what worries me.” Their worry is often worth more than the confident person’s certainty.
• When interviewing, beware of candidates who have strong opinions about technologies they have barely used. Probe depth: “Tell me about a time that technology surprised you.” If they cannot name a surprise, they are likely at the peak of the curve.

• “Netflix uses microservices, so microservices work.” Survivorship bias. You are looking at the companies that succeeded with microservices. You are not seeing the hundreds of startups that adopted microservices prematurely, drowned in operational complexity, and failed before anyone wrote a blog post about them. The survivors get conference talks. The failures get silence.
• “This architecture has been running for 3 years without issues.” Maybe it is well-designed. Or maybe your traffic has never actually stressed it. The absence of failure is not proof of resilience — it might be proof that the failure conditions have not occurred yet.
• “Our hiring process works — look at our great engineers.” You are only seeing the people you hired. What about the great engineers you rejected? You have no feedback loop on false negatives.
• “We never need feature flags — we have never had a bad deploy.” You might have been lucky, not skilled. The distinction only becomes clear when your luck runs out.

• Pareto Principle: 80% of notifications are email. Design that path first and make it excellent. SMS, push, and webhook can be handled in less detail.
• Conway’s Law: If the notification system will be maintained by the same team as the main app, a library is fine. If it will be owned by a separate team, it should be a separate service with a clear API contract.
• Hyrum’s Law: If we expose delivery timestamps, someone will depend on their precision. Decide upfront what guarantees we actually want to make.
• Goodhart’s Law: If we measure “notifications sent,” teams will send more notifications (spam). Measure “notifications acted on” instead.
• Occam’s Razor: Start with the simplest architecture that works (a queue and a worker). Add complexity only when you hit specific limitations.
• Chesterton’s Fence: If there is an existing notification system, understand why it was built the way it was before redesigning. That “weird” batching logic might exist because sending notifications one-at-a-time overwhelmed the email provider’s rate limit.
• Survivorship Bias: “Slack’s notification system uses X” — but you are only hearing about the architecture that survived. Ask what alternatives they tried and abandoned.
• Dunning-Kruger Effect: If the team says “notifications are easy, we’ll have it done in two weeks,” probe for experience. Have they handled delivery guarantees, retry logic, user preference management, and unsubscribe compliance before?

• What would you do first in production? Send a test notification to yourself through every channel before opening the system to real users. The number of “notification systems” that pass all automated tests but send malformed emails or silent push notifications is embarrassingly high. Manual smoke tests for notification delivery are not optional.
• What is the rollout plan? Start with a single notification type (e.g., “order confirmation”) for 1% of users. Monitor delivery rate, bounce rate, and user complaint rate for 48 hours. Then expand to 10%, then 100% for that type. Only then add additional notification types. This isolates “is the infrastructure working?” from “is the notification content correct?”
• What is the rollback plan? A feature flag that disables the notification service entirely and falls back to whatever existed before (even if “before” was “no notifications”). If the new system sends 1,000 duplicate notifications at 3 AM, you need a kill switch that works in under 60 seconds.
• What evidence would change your mental model rankings? If analytics show that 60% of notification engagement is via push, not email, the Pareto analysis shifts. Design push notification delivery first, not email. Most teams default to email because it is the easiest channel to implement, not because it is the highest-value channel. Data should override implementation convenience.
• What is the cost consideration? Third-party notification services (SendGrid, Twilio, Firebase) charge per message. At 10 million notifications per month across email, SMS, and push, costs range from $5,000 to$50,000/month depending on the channel mix. SMS is 10-100x more expensive per message than email. The cost model should influence the architecture: if SMS costs $0.0075 per message, deduplication is not just a UX feature — it is a cost control mechanism.

• “We need this microservice to be separate.” — Do we? What problem does the separation solve? Is the operational cost worth it at our current scale?
• “This endpoint needs to be real-time.” — Does it? Would a 5-second delay actually matter to users?
• “We cannot change this table schema.” — Why not? What would a migration actually cost?
• “Users need to see this data immediately.” — Do they? What if we showed stale data with a refresh button?

• No hand-waving. If you say “it basically does…” — stop. What does it actually do?
• No jargon shortcuts. If you say “it uses pub/sub,” expand: “There is a publisher that sends messages to a topic. Subscribers listen on that topic and process messages independently. The publisher does not know or care who the subscribers are.”
• If you get stuck, that is the exercise working. The place where you cannot explain clearly is the place where your understanding has a gap.

• Root cause: Was it a code bug, a configuration error, a process failure, or a systemic design flaw?
• Detection: How was the problem discovered? Monitoring? User reports? Sheer luck?
• Blast radius: How many users were affected? How long was the impact?
• The Five Whys: Does the postmortem go deep enough? If it stops at “an engineer deployed a bad config,” push further in your head: why was that possible?
• Action items: Are they systemic fixes or band-aids?

• Include the data stores. Where does state live?
• Include the failure points. What happens when each arrow breaks?
• Include the scale numbers. How many requests per second flow through each arrow?
• If you do not know a number, write a question mark. Those question marks are the gaps in your understanding.

• “What if this gets 10x the expected traffic?”
• “What if this external API starts returning errors?”
• “What if a user does this in an order we did not expect?”
• “What if this runs concurrently with itself?”
• “What if the clock skews between these two services?”
• “What if the deploy rolls out to half the fleet and then fails?”

• What artifact do you produce before writing code? The requirements resolution doc becomes an ADR-lite: “Payments Feature — Requirements Decisions.” It captures which interpretation was chosen, who approved it, and what the rejected alternatives were. When someone asks “why does it work this way?” in 6 months, the answer exists.
• What evidence would change your approach to the conflicts? Revenue data. If Stakeholder A’s interpretation serves 90% of payment volume and Stakeholder B’s serves 10%, that is a clear signal for prioritization that opinion-based discussions will not resolve. Always ask: “Do we have data that makes this decision for us?”
• What is the security consideration that ambiguity hides? In payments, ambiguous requirements about retry behavior can create charge-without-record or record-without-charge scenarios. Before shipping, I would verify: does every payment state transition end in a consistent state? Ambiguity in payment flows is not just a product risk — it is a financial and compliance risk.
• What would you measure after shipping? Payment success rate, reconciliation match rate (do charges in our system match charges in the provider’s system), and support ticket volume for payment-related issues. Set alerts on all three with thresholds defined before launch.

• I run a lightweight postmortem — not because something failed, but because learning from a feature that did not resonate is as valuable as learning from an outage. The postmortem asks: what was our assumption about user need, what did we validate before building, and what does the usage data tell us about the assumption?
• I give Product 2 weeks and a specific hypothesis to test. Not ‘iterate until it works’ — that is an open-ended investment. ‘We believe that if we move the entry point from the settings page to the main dashboard, adoption will increase to X% within 2 weeks.’ If it does not, we kill it.
• I do NOT delete the code immediately. I feature-flag it off, document the decision in an ADR, and schedule a code cleanup for next quarter. Rushing to delete code that took weeks to build creates resentment and discourages future experimentation.”

• What evidence would convince you to keep iterating beyond the 2-week test? Qualitative signal. If 5% of users who discover the feature use it daily and give enthusiastic feedback, that is a distribution problem, not a product problem. Low adoption with high engagement among adopters is the signature of a feature that needs better marketing, not deletion.
• What is the cost angle nobody discusses? The ongoing maintenance cost. Even feature-flagged-off code occupies mental space during refactors, shows up in dependency audits, and creates confusion for new engineers. If the feature is dead, schedule a specific date for code removal — do not let it haunt the codebase indefinitely.
• What artifact prevents repeating this? A “Feature Experiment Template” that every new feature fills out before engineering begins: target audience, success metric, measurement plan, and kill criteria. If the team cannot fill this out, the feature is not ready for engineering investment.

1. Why did the machine stop? — Because the fuse blew due to an overload.
2. Why was there an overload? — Because the bearing was not sufficiently lubricated.
3. Why was it not lubricated? — Because the lubrication pump was not working properly.
4. Why was the pump not working? — Because the pump shaft was worn out.
5. Why was the shaft worn out? — Because there was no strainer attached, and metal scrap got in.

1. Set the scene — what was the assumption, and why was it widely accepted?
2. Explain what made you question it — was it data, intuition, or experience from a different context?
3. Describe how you raised the concern — did you bring data? Run an experiment? Write a proposal?
4. Share the outcome — even if the team did not change course, show that the process of questioning led to a better-informed decision.
5. Reflect on what you learned about challenging assumptions effectively.

• Telling a story where you were right and everyone else was wrong (comes across as arrogant).
• Not explaining how you raised the concern (the process matters as much as the outcome).
• Choosing a trivial example that does not demonstrate real risk in challenging the status quo.

1. Explain the factors you weigh — severity, recurrence likelihood, blast radius, time pressure, and the cost of the workaround becoming permanent.
2. Describe your decision heuristic — not a rigid rule, but a mental model for how you balance these.
3. Give a concrete example of each choice — one where you investigated, one where you shipped a workaround, and why each was correct in context.
4. Emphasize documentation — if you ship a workaround, how do you ensure the real fix does not get forgotten?

• Dogmatically always choosing one path (“I always investigate fully” or “I always ship fast”).
• Not mentioning documentation of the workaround and follow-up plan.
• Ignoring the team and business context (deadlines, on-call burden, customer impact).

1. Describe your criteria for depth vs breadth — what signals tell you something deserves deep investment vs surface-level awareness?
2. Explain your actual learning process — not just “I read docs.” Do you build prototypes? Teach others? Read source code? Write about it?
3. Give a concrete recent example of something you learned deeply and something you deliberately chose to only skim.
4. Show awareness of opportunity cost — time spent learning one thing is time not spent on another.

• Listing technologies learned without explaining the system for deciding what to learn.
• Implying you learn everything deeply (not believable and signals poor prioritization).
• Not mentioning how you identify what is important to learn (reactive vs proactive).

​

The Question

​

Strong Answer

• What is the blast radius of the known gaps? If the unhandled edge cases affect 0.1% of requests and fail gracefully with a clear error rather than silently corrupting data, that is shippable. If they could cause data loss or inconsistent state, it is not.
• Is the failure mode observable? If I have logging and alerting in place so I will know within minutes when an edge case hits, I am comfortable shipping earlier. If I am flying blind and will only learn about problems from angry user reports three days later, I need to invest in observability before shipping.
• Is the technical debt conscious and documented? I would create specific tickets for the missing integration tests and unhandled edge cases, with clear descriptions of the risk each one carries. Then I would have an honest conversation with the PM: ‘We can ship Wednesday with these known gaps. Here is what each gap means in terms of user impact. I recommend we allocate the following sprint to close the critical ones before we scale up traffic.’

• Most candidates: ‘I would have a conversation with the PM about trade-offs and ship an MVP.’ (Vague, no framework for deciding what to cut.)
• Great candidates: ‘I would classify each gap by blast radius — silent data corruption is a ship-blocker, graceful error returns are shippable, missing integration tests are an acceptable risk if I have monitoring. Then I give the PM a concrete menu: ship Wednesday with gaps A, B, C, or ship next Monday with only gap C remaining. Let them pick.’

​

Follow-up: How do you handle the case where management pressures you to skip the observability investment too?

​

Follow-up: How do you calibrate differently for a greenfield service versus adding a feature to an existing production system?

​

Going Deeper: How does the concept of ‘reversibility’ change your threshold for shipping?

​

Unexpected Tangent: How do you handle the situation where your ‘good enough’ shipped service becomes the permanent solution because nobody ever goes back to fix it?

​

The Question

​

Strong Answer

• Most candidates: ‘I would check the logs and look at the database.’ (Single-layer thinking, no systematic approach.)
• Great candidates: ‘I would bracket the problem. First, I confirm where time is being spent using distributed tracing or manual timing instrumentation — is it pre-database, database, or post-database? That tells me which layer to investigate. Then within that layer, I reach for the layer-appropriate tool: EXPLAIN ANALYZE for the database, flame graphs for the application, perf top or vmstat for the OS.’

​

Follow-up: How did you decide to look at the flame graph instead of continuing to investigate the database?

​

Follow-up: How would you prevent this category of problem from recurring?

​

Going Deeper: How do you think about observability costs versus observability value?

​

Unexpected Tangent: When have you seen observability itself cause an outage?

​

The Question

​

Strong Answer

• Most candidates: Give a textbook explanation, then say ‘I would simplify it for the CEO.’ (They cannot actually do the simplification in real time.)
• Great candidates: Deliver all three explanations fluently, with different vocabulary, different levels of detail, and different calls to action for each audience. The CEO explanation contains zero technical terms and ends with a business outcome.

​

Follow-up: What if the CEO then asks ‘Why did this happen in the first place?’

​

Follow-up: When you are explaining something technical, how do you know you have picked the wrong level of abstraction?

​

Unexpected Tangent: How do you explain a decision that you believe is wrong but was made by someone above you?

​

The Question

​

Strong Answer

• Most candidates: ‘I would take responsibility and fix it.’ (Correct direction, but no framework for how to analyze what went wrong or prevent recurrence.)
• Great candidates: ‘I would pull up the original design doc, identify which specific assumptions changed, propose both an immediate stabilization and a migration path, and add a scaling-assumptions section to the doc showing at what thresholds the new design will also need revisiting. I treat every design as having an expiration date — the question is whether you label it.’

​

Follow-up: How do you prevent this from becoming a pattern — designing things that need redesign in six months?

​

Follow-up: How do you balance ‘own the mistake’ with ‘defend the original reasoning’?

​

Going Deeper: When is it correct to NOT redesign, even though the original design is showing strain?

​

Unexpected Tangent: Have you ever seen a design decision fail in a way that was actually better than if it had succeeded?

​

The Question

​

Strong Answer

• Most candidates: ‘I would read the documentation and try to understand the architecture first.’ (This is studying, not incident response. Documentation is often outdated or nonexistent.)
• Great candidates: ‘I would follow the failing request, not the architecture. Find the error in the logs, trace it to the responsible code, and diagnose from there. I treat the system like a crime scene — follow the evidence, not the map. And I would ask for help within 10 minutes, not 60.’

​

Follow-up: How do you distinguish between ‘I need to understand more context’ and ‘I am going down a rabbit hole’?

​

Follow-up: After the incident is resolved, what do you do differently as the new person versus what a veteran team member would do?

​

Unexpected Tangent: What is the worst debugging mistake you have seen someone make during a production incident?

​

The Question

​

Strong Answer

• Most candidates: ‘I would research both options thoroughly and pick the better one.’ (No framework for how to decide, no acknowledgment of team dynamics or irreversibility.)
• Great candidates: ‘I would map the decision across five dimensions: operational expertise, failure modes we understand, ecosystem fit, reversibility, and team morale. I would write an ADR with a trigger-conditions-for-revisiting section. And I would give meaningful ownership to the engineers whose preference was not selected, because a one-way door that the team half-heartedly walks through is worse than a two-way door.’

​

Follow-up: How do you know when you have done ‘enough’ analysis before committing to a one-way door?

​

Follow-up: What would you have done differently if the decision turned out to be wrong — say PostgreSQL hit a wall at 200 million events?

​

Going Deeper: How do you handle the social dynamics when your one-way-door decision faces team resistance?

​

Unexpected Tangent: What is a one-way-door decision that most engineers treat as a two-way door?

​

The Question

​

Strong Answer

• Most candidates: ‘I would add tests and monitoring.’ (Correct direction, but no prioritization framework. Adding tests to a system you do not understand produces false confidence.)
• Great candidates: ‘I would spend the first week in pure discovery — reading code, tracing request paths, talking to consumers, and looking at real production traffic patterns. I do not write a single test until I understand what correct behavior looks like. Then I prioritize: observability first (because I cannot improve what I cannot measure), kill switch second (because I need to be able to stop it safely), critical-path integration tests third, and documentation fourth.’

​

Follow-up: How do you convince leadership that spending 6-8 weeks on a service that ‘works fine’ is worth it?

​

Follow-up: You discover during your exploration that the system has a significant bug that nobody knows about because there is no monitoring. Do you fix it immediately or stick to your plan?

​

Unexpected Tangent: How do you handle the political dimension — the original author is gone, and the current team sees the system as ‘not their problem’?

​

The Question

​

Strong Answer

• Most candidates: ‘I would think about what could go wrong before implementing the change.’ (Correct instinct, but no method. How do you systematically identify second-order effects?)
• Great candidates: ‘I use a three-step framework: trace the data flow (where does this data appear across the system?), check the feedback loops (does this change alter any auto-scaling, caching, or retry behavior?), and run a cross-team impact review (a 30-minute meeting with representatives from adjacent teams asking: what could go wrong from your perspective?). The cross-team review catches 80% of the effects I would miss on my own.’

​

Follow-up: Is it possible to systematically predict second-order effects, or is it always reactive?

​

Going Deeper: How do you think about second-order effects at the organizational level, not just the technical level?

​

Unexpected Tangent: Can second-order effects ever be deliberately engineered as a positive force?

​

The Question

​

Strong Answer

• Most candidates: ‘The most important skill is understanding the system.’ (True but circular — understanding the system is the goal of debugging, not the skill that enables it.)
• Great candidates: ‘Precise observation — the ability to separate what I see from what I assume. I treat every fact as unverified until I have evidence. Did the deploy go out? Let me check the deploy dashboard, not assume it did. Is the database slow? Let me check the slow query log, not infer from latency numbers. Every debugging dead end I have ever gone down started with an unverified assumption that felt like a fact.’

​

Follow-up: How do you apply this skill when you are debugging under time pressure during an incident?

​

Follow-up: What is the difference between a developer who is ‘good at debugging’ and one who is just ‘experienced’?

​

Unexpected Tangent: How do you debug problems that are not reproducible?

​

The Question

​

Strong Answer

• Most candidates: ‘I would evaluate the options based on features and pick the best fit.’ (No framework for evaluation, no mention of operational cost, team expertise, or long-term maintenance.)
• Great candidates: ‘I evaluate across five dimensions: requirements coverage (does it do 80%+ of what we need?), operational cost (who runs it, patches it, debugs it at 3 AM?), team expertise (do we know how to operate this, or are we learning a new system under production pressure?), lock-in risk (what does it cost to leave?), and evolution speed (how fast are our requirements changing?). For most teams, I have a strong bias toward managed services for non-differentiating infrastructure.’

​

Follow-up: What is the difference between healthy skepticism of third-party tools and NIH syndrome?

​

Going Deeper: How does the build-vs-buy calculus change when the component in question is your company’s core competency?

​

Unexpected Tangent: How do you evaluate a third-party tool’s actual reliability versus its claimed reliability?

​

The Question

​

Strong Answer

• Most candidates: ‘I would respectfully share my opinion and defer to seniority.’ (Too passive. Also suggests seniority equals correctness, which is cargo-cult thinking.)
• Great candidates: ‘I would start by genuinely trying to understand their reasoning — they may have context I lack. If I still disagree after understanding their position, I would produce data: a prototype, a benchmark, a cost analysis, or concrete failure scenarios with estimated financial impact. Evidence beats authority. And I would classify the disagreement: if it is a reversible decision, I would express my concern, document it, and commit fully. If it is irreversible and high-stakes, I would push harder and involve additional perspectives.’

​

Follow-up: What if you present data and the senior engineer still disagrees?

​

Follow-up: How do you create a team culture where junior engineers feel safe disagreeing with you?

​

Unexpected Tangent: How do you handle the situation where you disagree with the senior engineer and they turn out to be right?

​

The Question

​

Strong Answer

• Most candidates: ‘I believe in continuous improvement, so I would always try to improve the system.’ (Sounds proactive but is actually undisciplined — it does not distinguish between improvement that delivers value and improvement that is wasted effort.)
• Great candidates: ‘I evaluate three things before acting: the actual operational cost of the status quo (not the perceived cost), the total cost of the proposed change (including migration risk, re-learning edge cases, and opportunity cost), and whether the change delivers business value or just engineering satisfaction. Some of the best engineering decisions I have made were choosing not to act when there was pressure to do something.’

​

Follow-up: How do you distinguish between ‘healthy inaction’ and ‘dangerous complacency’?

​

Follow-up: How do you manage the team’s frustration when they want to build something and you are saying no?

​

Going Deeper: What signals tell you it is time to reverse the ‘do nothing’ decision?

​

Unexpected Tangent: How do you deal with the resume-driven development impulse — engineers wanting to rewrite systems because they want to learn new technology?

​

The Scenario

​

Follow-up: The VP insists on Aurora because the board wants to see “cloud modernization” on the roadmap. Now what?

​

Follow-up: How do you estimate the 5-7 months for the full migration? Break down the work.

​

The Scenario

• Business-logic correctness. The API returns 200 OK, but the response payload is wrong — an empty cart, a zero-dollar total, a missing shipping option. The error rate metric counts HTTP status codes, not business logic validity. I would check a sample of actual API responses for the checkout endpoint.
• Client-side errors. The backend is fine, but a JavaScript error in the checkout form prevents the ‘Place Order’ button from working. This would show zero backend errors and zero backend latency impact while making checkout completely unusable. I would check our client-side error tracking (Sentry, LogRocket) if we have it — and if we do not, that is a major observability gap we just discovered the hard way.
• Third-party payment processor. Our service sends the payment request successfully (our metrics see a fast, successful outbound call), but the payment processor is rejecting or timing out silently. We might be logging the request as successful based on the HTTP 200 we get back, without checking that the response body contains a success status. I have seen this exact pattern: Stripe returns 200 with { status: 'failed', reason: 'card_declined' } and the service logs it as a successful request.
• A/B test or feature flag gone wrong. A percentage of users are in an experiment that broke checkout. Our aggregate metrics show low error rates because 80% of users are fine. But the 20% in the broken variant are all experiencing failures. I would check which experiments are active on the checkout flow.
• DNS or CDN partial outage. Some geographic regions cannot resolve our domain or are getting served stale or broken cached assets. Backend metrics are fine because the requests never reach the backend.

​

Follow-up: How do you build monitoring that catches problems dashboards miss?

​

Follow-up: After the incident, how do you build the case that the company needs to invest in better observability?

​

The Scenario

​

Follow-up: What if the 2-week pilot goes well and confirms the team’s enthusiasm? Do you change your mind?

​

Follow-up: How do you handle the social dynamics when you are the lone dissenter and it feels like the team resents your caution?

​

The Scenario

• The SLA was measured wrong. ‘99.5% success rate’ counted HTTP 200 responses, not actual order completion. The retry mechanism returned 200 after writing to the secondary store, so the metric said ‘success.’ This is a measurement problem, not a code problem.
• Nobody validated end-to-end. If we had a reconciliation job that compared orders placed vs orders fulfilled vs revenue booked, the discrepancy would have surfaced in week 1.
• The secondary data store was a ghost. A data store that nothing reads from should not exist. It is either dead code that should be removed, or it serves a purpose nobody remembers (Chesterton’s Fence). In this case, it became an accidental black hole for lost orders.

• Replace HTTP-status-based success metrics with business-outcome metrics. An order is successful when payment is confirmed AND the order appears in the fulfillment queue AND the customer receives a confirmation. Anything less is not success — it is an in-progress state.
• Add daily reconciliation between order intake, payment processing, and fulfillment. Any discrepancy over 0.01% triggers an alert.
• Audit every retry mechanism in our pipeline. Retries that silently swallow failures are time bombs. Every retry should either succeed on the primary path or raise a visible alarm.

​

Follow-up: How do you present this to leadership without it sounding like the engineering team was negligent?

​

Follow-up: After this incident, how do you audit other systems for similar hidden failures?

1. What does the SLA metric actually measure? Trace it back to the code. Does ‘99.9% success rate’ mean 99.9% of HTTP requests returned 200, or 99.9% of business transactions completed end-to-end? These are very different numbers.
2. Is there a reconciliation between the start and end of each pipeline? If money enters the system and products leave the system, do those numbers match?
3. Are there any ‘dead’ data stores or queues that might be silently accumulating lost records? Run a query on every table and queue that is not part of the primary data flow. If any of them have recent writes, investigate why.
4. For every retry mechanism: what happens to the data if the retry ultimately fails? Is there a dead-letter queue? Is the dead-letter queue monitored?

​

The Scenario

• If most incidents come from deploys: add a canary deployment step with automatic rollback. This costs engineers zero extra time per deploy but catches 60-70% of bad deploys before they go wide.
• If most incidents come from missing error handling: add a 30-minute ‘incident prevention’ code review checklist — not full code review, just a focused check for error handling on the critical path. Most teams can add this without materially slowing velocity.
• If most incidents come from config changes: put configs in version control with a review process. Config changes are the number one cause of outages at most companies, and they are usually completely unreviewed.

​

Follow-up: One of the senior engineers pushes back, saying the new practices are “red tape” and threatens to leave. What do you do?

​

Follow-up: How do you measure whether your cultural changes are working, without falling into Goodhart’s Law traps?

• Incident count per quarter — but paired with incident severity distribution. If incidents drop but the remaining ones are all P1s, we have not actually improved.
• Mean time to detect (MTTD) — how quickly we find incidents. This measures observability.
• Mean time to resolve (MTTR) — how quickly we fix incidents. But I pair this with mean time between incidents (MTBI) to make sure we are not just resolving faster by closing prematurely.
• Feature velocity — story points shipped, PRs merged, or whatever proxy the team already uses. This ensures we are not trading velocity for reliability.
• Team sentiment — quarterly anonymous survey asking ‘how confident are you in the stability of our systems?’ and ‘how much time do you spend on unplanned work vs planned work?’

​

The Scenario

1. The teams do not have a communication channel for shared infrastructure. There is no architecture review, no RFC process, and no shared Slack channel where someone would say ‘hey, we just built a retry library.’
2. The teams were incentivized to ship fast, not to collaborate. If the KPI is ‘features shipped per quarter,’ of course teams will build what they need locally instead of spending 3 weeks negotiating a shared solution with another team.
3. A platform team does not exist, and maybe it should not. Creating shared infrastructure requires someone to own it, maintain it, and support other teams using it. That is a full-time job. At a 30-person engineering org, a dedicated platform team may not be justified.

• Migration cost. Both teams have to rewrite their code to use the shared version. Both have tests, both have production behavior they depend on. The shared version needs to support both teams’ requirements, which are subtly different (Hyrum’s Law guarantees their code depends on implementation details of their current version).
• Ongoing coordination cost. A shared library means every change requires coordination. Team Alpha needs a new feature? They have to convince Team Beta it is worth the complexity. Team Beta finds a bug? They have to make sure the fix does not break Team Alpha’s usage. This coordination tax is real and ongoing.
• Bottleneck risk. Who owns the shared library? If it is Team Alpha, Team Beta’s requests get deprioritized. If it is a new platform team, you just increased your headcount for a library. If it is ‘everyone,’ nobody actually maintains it and it rots.

​

Follow-up: How do you decide when duplication crosses the line from ‘acceptable’ to ‘problematic’?

​

Follow-up: What organizational changes would prevent this from happening in the first place?

​

The Scenario

​

Follow-up: How do you design performance metrics that actually correlate with user experience?

​

Follow-up: Should you roll back the optimization while you investigate?

​

The Scenario

• Best case (everything goes smoothly, no surprises): 6 weeks. This assumes Elasticsearch integrates cleanly with our data model, our team ramps up on it quickly, and the product requirements do not change.
• Most likely (normal amount of surprises): 10-12 weeks. This accounts for learning curve on Elasticsearch, data migration complexity, iteration on relevance tuning (which is always harder than expected), and normal requirement clarification.
• Worst case (significant unknowns materialize): 16-18 weeks. This accounts for discovering that our data model is a poor fit for Elasticsearch, needing to redesign the data pipeline, and multiple iterations on search relevance because users do not find what they expect.

​

Follow-up: The PM says “the board wants a single number, not a range. Give me your best guess.”

​

Follow-up: How do you handle the situation when you are 6 weeks in and realize it will take 16 weeks instead of 10?

​

The Scenario

​

Follow-up: How do you handle the refactor if you cannot remove the feature? Does the refactor just stall?

​

Follow-up: What is the most common mistake you see teams make when deprecating features?

​

The Scenario

• Adding SMS later means touching every service.
• Changing the email provider means touching every service.
• Adding user preference checks means touching every service.
• Rate limiting and deduplication have to be implemented in every service.

• Message queue between services and notification service. For the launch, REST is fine. At our scale (probably fewer than 1,000 notifications per hour initially), we do not need async processing yet. We add the queue when we need it — and the services do not need to change because they just call the notification service’s API either way.
• Deduplication. We accept that in rare edge cases, a user might get a duplicate email for the first few months. This is annoying but not harmful. We add deduplication when it becomes a real problem.
• User preferences. For launch, everyone gets email. We add preferences when the product team asks for them — which is usually 2-3 months after launch, giving us time.

​

Follow-up: How do you prevent the “temporary” architecture from becoming permanent?

​

Follow-up: The CEO asks “why can we not just do the full thing in 6 weeks if we add more engineers?”