How Crowkis earned the right to sit in your critical path
347 integration tests, a smoke suite that kills the process on purpose, and a Docker image hardened before anyone asked. The receipts behind 'production-ready.'
Infrastructure earns trust one boring proof at a time. This post is the receipts: what we test, what we break on purpose, and what ships hardened by default — so 'production-ready' is a claim you can audit rather than a vibe.
The test pyramid is bottom-heavy on purpose
The further down the stack a bug could hide, the more tests sit on top of it.
We kill it on purpose
The smoke suite doesn't just check happy paths. It writes data, kills the container, restarts it, and verifies every entry survived — WAL replay proven end to end, not assumed. It checks that unauthenticated management reads bounce when auth is on, that migration leases hold across restarts, and that gRPC and RESP agree about the same cache.
CSET "k1" "v1" ... → OK docker kill crowkis # no graceful shutdown docker start crowkis CGET "k1" # → "v1" or the gate fails curl -i :6380/api/metrics # unauthenticated → rejected
Hardened because defaults are destiny
Most security incidents in self-hosted software are default-configuration incidents. So the stock deployment is the hardened one: non-root user, read-only filesystem, every Linux capability dropped, no-new-privileges, pids limit, localhost-only published ports, and a health endpoint wired into the image. If you expose Crowkis past loopback without auth configured, it locks the management plane rather than opening it — misconfiguration fails closed.
The whole supply-chain argument, in one box.
The standing rule
Every release passes the same gate: full Rust suite, Docker build, boot, health, auth boundary, durability drill. A release that lowers any of those bars doesn't ship. That rule is the product as much as any feature is — because a cache is only worth using if you stop thinking about it.