Design for 2 AM
I read an internal RFC from the creator of Flask - "Engineering for Breathing Room." It's about building systems that stay controllable when things go wrong, not systems that never fail, but systems you can actually operate during a failure.
If something breaks at 2 AM, you should be able to stabilize in minutes, apply a mitigation without touching code, and go back to sleep. Fix it properly in the morning.
Start dumb
Every clever abstraction adds operational cost and new failure modes. Start with one queue, one write path, one clear flow. Add complexity only when production signals demand it - not because an architecture diagram suggests it.
Design data before writing code
Bad keys, unbounded joins, and unplanned fanout - no framework will fix them later. Work out access patterns and growth expectations before the first line of application code. It's easy to skip when you're moving fast, and it always shows up later.
Learn to crash safely
Crashes happen regardless of how carefully you build. Don't try to keep a broken process alive - crash fast and restart from a durable state. Silent corruption is worse than a visible failure.
Have your controls ready before you need them
Feature flags, queue pause, circuit breakers, dead letter queues. Every critical system needs levers you can pull without a code deploy. If you're designing these during an incident, you're too late.
Instrument what matters
During an incident you need to answer four things fast: what failed, who is impacted, since when, and where. Structured logs, correlation IDs, latency visibility, counters for retries, failures, and dead letters. If your system can't answer those, you're guessing.
The RFC ends with: "Reading recommendations alone won't make you internalize or apply them." That's true. This post is here so I have something to come back to.
Full RFC: rfc.earendil.com/0020.