g0
  • EN
  • FR
  • ES
  • DE
  • IT
☰
  • Home
  • Sign in
  • Sign up

Under the Hood: How This Site Works

March 24th, 2026 • 99 views

Under the Hood: How This Site Works Meta

A meta-analysis of the stack, security posture, and architectural decisions powering this platform.

This is Immune 2.0—a self-hosted AI platform designed to build websites, automate content, create videos, and deploy intelligent workflows without writing code (well, mostly). Here's what's actually going on under the hood.

1. The Technology Stack

Backend: Laravel + Python

  • Laravel 11: The core application server (PHP 8.3)
  • Blade + HTMX: Server-rendered templates with reactive islands
  • MySQL 8.0: Relational database for structured data
  • Redis: Caching layer and session store
  • Python Worker Layer: Distributed AI workers (Video, Audio, Scraping)

Frontend: Progressive Enhancement

  • Vite: Asset bundler and dev server
  • Bootstrap 5: Customized SASS framework
  • Alpine.js: Lightweight reactive state (no build step)
  • Three.js: WebGL-powered 3D scene engine
Why Laravel? — click to expand

We picked Laravel because it's not trying to be cool. It's boring, stable, and has excellent documentation. When AI agents need to debug your codebase at 3AM, boring wins.

2. The Request Lifecycle

When you visit a page, here's what happens under the hood:

  • HTTPS Termination: Cloudflare handles SSL and DDoS protection.
  • Routing: Laravel's router maps the URL to a controller method.
  • Middleware Stack: CSRF verification, authentication, HSTS headers, COOP policy.
  • Controller Logic: Fetches data from MySQL or Redis cache.
  • Blade Rendering: Server-side template compilation.
  • Asset Delivery: Vite-bundled CSS/JS with aggressive minification.
// Simplified Route Example
Route::get('/articles/{slug}', [ArticleController::class, 'show'])
    ->middleware(['web', 'visit']);

3. The 3D Scene (Our Most Over-Engineered Feature)

The immersive 3D world at `/scene` is built with Three.js. It features procedural terrain generation, biome-based color palettes, and dynamic lighting. Performance? Well, let's just say it's... optimistic.

Technical Implementation

The world is divided into **Chunks** (like Minecraft). Each chunk generates terrain using Simplex Noise, selects biomes based on moisture/temperature maps, and spawns vegetation with configurable density.

// Terrain Generation Snippet
const height = 
    noise.simplex2(x * 0.01, z * 0.01) * 50 +
    noise.simplex2(x * 0.05, z * 0.05) * 10;
Known Limitation — click to expand

The 3D scene does not work well on mobile. It requires a dedicated GPU. We're aware. Future versions may include a "Low Quality" mode.

4. The Python Worker Layer

Video generation, audio synthesis, and web scraping? That's all Python. We use a Master/Slave architecture where the Master polls the Laravel DB for new tasks and dispatches them to workers.

Video Generation Pipeline

  • Session Replay: Uses Headless Chrome to replay rrweb events.
  • Screen Capture: `ffmpeg` records the browser viewport to MP4.
  • Storage: Videos are saved to Laravel's `storage/` directory.
Performance Warning — click to expand

Video generation is slow (1-5 minutes per minute of video). Queue responsibly.

Worker Isolation

Python workers run in isolated processes. This prevents a single rogue task from crashing the entire system.

# Master Polling Loop
while True:
    task = fetch_next_task()
    if task:
        worker.dispatch(task)
    time.sleep(5)

5. Security \u0026 Compliance

We take security seriously (because we have to). Here's what we do:

Network Security

  • HSTS: Force HTTPS on all connections.
  • COOP: Cross-Origin Opener Policy to isolate browsing context.
  • CSRF Protection: Token-based verification on all state-changing requests.
  • Rate Limiting: Throttle API endpoints to prevent abuse.

Authentication Strategy

We use session-only authentication (no JWTs in LocalStorage). This prevents XSS token theft. Cookies are httpOnly and secure.

"JWTs in LocalStorage are a security anti-pattern. Don't do it."
— OWASP

6. The Shopify Extension

The Session Recorder is a Shopify Theme App Extension. It injects a lightweight JavaScript recorder into merchant stores—but only after obtaining explicit analytics consent via the Shopify Customer Privacy API.

// Consent-Gated Loading
if (Shopify.customerPrivacy.getTrackingConsent().analytics) {
    loadRecorderScript();
}
GDPR Compliance — click to expand

The recorder never loads until consent is granted. No cookies, no storage, no tracking before consent. This passes Shopify App Store review.

7. Known Limitations (We're Honest)

  • Video Generation: Slow and resource-intensive. No priority queue.
  • 3D Scene: Mobile performance is terrible. GPU required.
  • Session Recorder: Cannot capture WebGL/Canvas content or cross-origin iframes.
  • API Tokens: No UI for generating personal access tokens (yet).
  • Real-time Collaboration: Video Editor is WebSocket-enabled but uses last-write-wins (no CRDT).

8. Our Philosophy

We prioritize composition over inheritance, boring tech over shiny new frameworks, and documentation over magic. If AI agents can't understand your code, neither can humans.

Principle Why it Matters
Server-side Rendering JS frameworks break. HTML doesn't.
Progressive Enhancement Core functionality works without JS.
Block-based Content Structured data > HTML blobs.
Strict Typing PHP 8.3 strict types prevent runtime surprises.

That's the tour. The code is on GitHub (if you're brave enough to read it). The rest is in the documentation at `/docs.html`.

Last updated: February 2026. Stack versions and architecture may evolve.