Security on Chen Kai Blog

Product Thinking (2): Security Engineering — Defense Without Paranoia

Sun, 31 May 2026 09:00:00 +0000

The Kind of Security That Disappears#

I used to think security was something you bolted on: a checklist before release, a penetration test once a quarter, a code review with “security” in the title. I was wrong. The systems I have built over the past two years taught me a different lesson — the best security is the kind you forget about because it is already woven into the system itself.

Alibaba Cloud Full Stack (6): RAM, KMS, and Cloud Security

Sun, 03 May 2026 09:00:00 +0000

I once found a DashScope API key hardcoded in a public GitHub repo. It was mine. Someone had forked a demo I pushed months earlier, and the key was sitting in a config file I forgot to gitignore. By the time I noticed, the key had been used to generate 14,000 Qwen API calls in a single weekend. The bill was not catastrophic — DashScope per-token pricing is forgiving — but the lesson was. I had treated cloud security as something I would figure out later. “Later” arrived as a billing alert at 2 AM on a Sunday.

Claude Code Hands-On (7): Ten Hooks I Actually Use, with the Code

Fri, 24 Apr 2026 09:00:00 +0000

Chapter 5 provided a conceptual tour of hooks. This chapter is the field guide. From the 100-script reference repo, ten scripts earn their place in every serious project I run. I’ll walk through these ten with code.

All examples assume Node 18+, save scripts to ./hooks/, mark them chmod +x, and wire them in .claude/settings.json like:

1
2
3
4
5
6
7


{
 "hooks": {
 "PreToolUse": [
 { "matcher": "Read|Grep", "hooks": [{ "type": "command", "command": "node ./hooks/block-env-read.js" }] }
 ]
 }
}

Before we dive in, here’s the hook lifecycle to make the following code clear:

Terraform for AI Agents (3): A Reusable VPC and Security Baseline

Mon, 16 Mar 2026 09:00:00 +0000

This article builds the single most copied piece of Terraform in my agent projects: a vpc-baseline module that gives every later component (ECS, RDS, OpenSearch, ACK) a sane place to land. It’s about 200 lines of HCL all-in. Worth typing once, refer to it forever.

By the end you’ll have:

A VPC across three availability zones in one region
Six vSwitches (one public + one private per zone) with non-overlapping CIDRs
A NAT Gateway with EIP for private-subnet outbound to LLM APIs
Three security groups stacked by tier (ALB → agent runtime → memory)
Three KMS customer master keys, one per data domain (memory, secrets, logs)
A clean module interface: name + CIDR + zones in, IDs out
Drift detection in CI, semver-pinned module references, and a per-line cost model

The mental model#

Before code, the picture:

Docker and Containers (7): Security — Running Containers Without Giving Away the Keys

Thu, 22 Jun 2023 09:00:00 +0000

Docker’s default configuration prioritizes convenience over security. Containers run as root, have access to a broad set of Linux capabilities, and can write to their entire filesystem. This is fine for development but dangerous for production. A container escape vulnerability in a root-privileged container means an attacker can take over the host. Let’s fix that.

The Threat Model#

Before securing your setup, understand what you’re defending against: