Hard solutions over loose assumptions, always.

David Mireles louzt
@louzt
louzt / bypass-tls-direct-de-deadlocks-de-proxy.md
Last active June 30, 2026 21:39
Evading lazy-upstream deadlocks under stateful DPI: a 5-tier SSH chain (QUIC · Hysteria2 · gost · tls-direct · direct-ssh) replaces gost-client with an eager Go crypto/tls dial. CA-pinned, no InsecureSkipVerify. 92.4ms p50 handshake vs ∞ deadlock under carrier DPI. Formal math: TCP Cubic · BBR · Hysteria2 Brutal CC · escalation of RT…

Evading Lazy-Upstream Deadlocks: A 5-Tier Race-Pattern Probe Under Stateful DPI

How a race-pattern probe + native Go crypto/tls dial makes any hostile carrier passable for a distributed agentic AI control plane.

Stack: Go 1.25, QUIC tunnel, Hysteria2 Brutal CC, OpenSSH ProxyCommand, self-signed CA, carrier-grade DPI, frontier-model inference, local Virtuoso triplestore.
Problem class: Lazy-upstream / eager-client races in multi-tier SSH fallback chains under stateful layer 4/7 DPI, plus UDP blackholing on the residential last mile, plus the operational requirement to keep a distributed agentic control plane alive across the same hostile carrier.
Outcome: A 5-tier fallback chain that makes SSH reachable from any network, with CA-pinned TLS for the bypass path, deterministic sub-200 ms handshakes under DPI inspection, and a resilient substrate for sub-agent context sync, LSP traffic, and synchronization…

@louzt
louzt / tls-direct-bypass-of-lazy-proxy-deadlocks.md
Last active June 30, 2026 21:39
Bypassing lazy-upstream proxy deadlocks under stateful DPI: a 5-tier SSH fallback chain (QUIC · Hysteria2 · gost · tls-direct · direct-ssh) replaces gost-client with eager Go crypto/tls dial. CA-pinned, no InsecureSkipVerify. 92.4ms p50 handshake vs ∞ deadlock under carrier DPI. Math formalism: TCP Cubic · BBR · Hysteria2 Brutal CC · Linux kerne…

Bypassing Lazy-Upstream Proxy Deadlocks: A 5-Tier Race-Pattern Probe Under Stateful DPI

How a race-pattern probe + native Go crypto/tls dial makes any hostile carrier passable for a distributed agentic AI control plane.

Stack: Go 1.25, QUIC tunnel, Hysteria2 Brutal CC, OpenSSH ProxyCommand, self-signed CA, ISP-grade DPI, frontier-model inference, local Virtuoso triplestore.
Problem class: Lazy-upstream / eager-client race conditions in multi-tier SSH fallback chains under stateful L4/7 DPI, plus UDP blackholing on the residential last-mile, plus the operational requirement to keep a distributed agentic control plane alive across the same hostile carrier.
Outcome: A 5-tier fallback chain that makes SSH reachable from any network, with CA-pinned TLS for the bypass path, deterministic sub-200 ms handshakes under DPI inspection, and a resilient substrate for sub-agent context sync, LSP traffic, and bare-metal hardening synchronization between laptop and VPS — with zero SaaS dependencies and

@louzt
louzt / soberania-datos-ia-compactacion-determinista-contexto.md
Last active June 30, 2026 20:20
Mathematical foundation for deterministic O(1) context compaction: FNV-1a 128-dim + L2 normalization + cosine similarity. Auditor translation of every KPI (72x speedup, 6x storage, σ=±0.18s). Adaptive buffer pool pattern (no hard-locked RAM). 6 references. 4.14s over 4,458 docs. Zero SaaS. Bitwise-deterministic.

Data Sovereignty for AI: Deterministic O(1) Context Compaction Without Third-Party Dependencies

How feature hashing + L2 spherical normalization + cosine similarity give a $5/month VPS the indexing capability of a commercial observability SaaS, without the SaaS, without the per-document embedder, and without the telemetry egress.

Stack: Go 1.25, FNV-1a 64-bit, 128-dim feature hashing, L2 spherical normalization, cosine similarity, SQLite FTS5, local Virtuoso triplestore, MiniMax M3 inference.
Problem class: Indexing thousands of documents (MANIFESTs, memory entries, hardening fragments, GitHub issues/PRs) for sub-millisecond semantic search across a plane of

@louzt
louzt / mathematics-sovereign-rag-o1-local-context-compaction.md
Last active June 30, 2026 20:19
Mathematical foundation for O(1) local context compaction in agentic AI control planes: FNV-1a 128-dim + L2 normalization + cosine similarity. Auditor-impact translation of every KPI (72x speedup, 6x storage, σ=±0.18s). Adaptive buffer pool pattern (no hard-locked RAM). 6 references. 4.14s index over 4,458 docs. Zero SaaS. Bitwise-deterministic.

The Mathematics of Sovereign RAG: O(1) Local Context Compaction for Autonomous AI Agents

How feature hashing + L2 spherical normalization + cosine similarity give a $5/month VPS the indexing capability of commercial observability SaaS — without the SaaS, without the per-document embedder, and without the telemetry egress.

Companion document: This mathematical formalization is the RAG substrate that powers the agentic control plane described in [Zero-Trust Edge Transport: Bypassing Lazy Proxy Concurrency Deadlocks Under Stateful DPI Interception](https://gist.github.com/louzt/3991f144c7d67726045af3cefc60f42a#file-zero-trust-edge-transport-stateful-dp

@louzt
louzt / nvidia-7.0-vma.patch
Created June 17, 2026 10:06
RFC: C Patch + instructions for NVIDIA 550.x/580.x DKMS on Linux Kernel 7.0+. Wayland USB-C D3cold fix + strlcpy→strscpy note included.
--- a/nvidia/nv-mmap.c
+++ b/nvidia/nv-mmap.c
@@ -29,6 +29,16 @@
#define __NO_VERSION__
#include "os-interface.h"
+
+/*
+ * Kernel 7.0+ compatibility: VMA_LOCK_OFFSET was removed from mm_types.h
+ * and __is_vma_write_locked() signature changed from 2 args to 1 arg.
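Review bot: the comment block added after `#include "os-interface.h"` labels the shim "Kernel 7.0+" but does not say what gates it. It covers two separate API changes (VMA_LOCK_OFFSET removed from mm_types.h, __is_vma_write_locked() going from 2 args to 1), so the comment should state whether the code that follows is selected by a kernel version check or by a compile-time feature test, so that a kernel carrying only one of the two changes is handled predictably. The hunk header declares 16 resulting lines and only the first part is shown here, so the guard itself is not visible to confirm.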
@louzt
louzt / nginx-runtime-crlf-injection-evidence.md
Last active June 2, 2026 04:41
NGINX runtime CRLF injection evidence and branch-split validation

NGINX Runtime CRLF Injection Evidence

This note summarizes local evidence for CRLF injection through runtime-expanded variables in NGINX output paths, with a focus on upstream-friendly reproduction rather than broad parser policy changes.

Scope

The narrow question is whether NGINX should refuse to serialize CR/LF/NUL or invalid field names when it is generating HTTP/1.x output from runtime variables.

This is separate from:

@louzt
louzt / evernote-to-local-archive-and-obsidian.md
Last active May 25, 2026 17:58
How to Export Evernote and OneNote to Local Markdown & Obsidian

Local-first migration guidance for Linux, Windows, Microsoft Graph, ENEX, Markdown, and documentation-heavy workflows.

If you want to leave Evernote without losing your archive, do not aim for a one-time export. Build a repeatable local-first pipeline.

That is the difference between:

  • downloading a snapshot once
  • and actually owning your notes long term
@louzt
louzt / shell-token-boundaries-desktop-automation.md
Created May 20, 2026 15:10
Shell token boundaries in desktop automation

Shell Token Boundaries In Desktop Automation

Audience: maintainers, platform engineers, and defensive security teams
Scope: user-configurable desktop automation that invokes shell commands

Summary

Desktop tools often expose a setting like a post-action command: after the app changes a file, a theme, a wallpaper, or a workspace state, it runs a user-defined shell command.

That feature is useful. Users may intentionally rely on shell behavior such as pipes, redirects, &&, environment variables, and small scripts.

@louzt
louzt / zero-overhead-kernel-triage.md
Last active May 20, 2026 14:49
Zero-Overhead Kernel Triage & Remote Runtime Hardening

Prepared by: LOUST.PRO Infrastructure & Security
Author: David Mireles
Keywords: Linux Kernel, PSI, cgroups v2, inotify, Redis, PM2, systemd, Remote Development, Wayland, DMS

Abstract: This case study documents a redacted infrastructure hardening engagement across a sovereign VPS and a local Linux operator workstation. The work separated transport, runtime, observability, queue orchestration, and desktop notification concerns while preserving live production services. The core lesson is simple: observability and automation must be cheaper than the incident they are meant to control.

Publication Boundary

@louzt
louzt / swww-awww-filter-waypaper.md
Last active May 19, 2026 07:07
Waypaper swww/awww filter support note

Exposing swww and awww --filter in Waypaper

Status: implemented in Waypaper PR #286 and merged.

swww and awww both support a --filter option for image scaling. Exposing that option in Waypaper gives users a backend-supported way to choose the tradeoff between speed, softness, and sharpness for their displays.

Why It Matters

Scaling filters are visible when wallpaper sources and outputs do not match exactly: