I deleted three million database records last week. On purpose. And I slept better that night than I have in months.
For two years, everything I built wrote to MongoDB Atlas. Managed database. Hosted in Virginia. Every visitor to every one of my sites — fifteen of them, across three continents — triggered a transatlantic round-trip. Helsinki to us-east-1 and back. Forty milliseconds minimum. Every single time.
I was paying per operation. For writes that never needed to leave my rack. For analytics data that nobody outside my infrastructure would ever read. For visitor IPs and scene metadata that — under GDPR — probably should not have been crossing borders at all.
The architecture was wrong. Not broken. Wrong.
The replacement took a week to build and deploy. DuckDB. Embedded. Runs inside the application process. Zero network dependency. Zero external vendor. Zero cost.
I wrapped it with TreeChain’s encryption layer. Every record encrypted at rest using the Glyph Rotor — the same HMAC-keyed position-dependent encoding that drives the Polyglottal Cipher. The records look like Unicode characters from 180 language traditions. They are not readable without two independent 256-bit keys.
WAL replication pushes provenance records to three geographic nodes — Oregon, Singapore, Ashburn — within sixty seconds. Each node runs its own cipher instance generated by the Cipher Factory. Compromise one, the others do not care.
Then I deleted everything from Atlas. Three million documents. Gone.
Three thousand three hundred twenty-eight remain. Cross-node API interop records. The stuff that actually needs to be in a shared database. Everything else is local now.
The numbers are simple.
Latency: zero milliseconds versus forty. DuckDB is local disk. Atlas is Virginia.
Cost: zero versus per-operation billing. DuckDB is free.
Data sovereignty: PII never leaves the rack. Encrypted at rest. Per-node cipher instances.
Resilience: four-node mesh versus one vendor cluster. Any node can decrypt independently.
I wrote a recovery script. Not because I thought I would need it. Because systems that do not have tested recovery are not systems. They are hopes.
The script runs seventeen checks. Store availability. WAL replication status. Live encrypt and decrypt round-trip. Encrypted scene verification across 2,151 scenes. Recovery artifact integrity.
Seventeen of seventeen pass.
That is the part that lets me sleep. Not the architecture. Not the key sizes. The fact that the system can prove it is working. Every time. Automatically.
There is a version of this essay where I talk about how clever the architecture is. How the two-layer defense-in-depth model eliminates the usefulness of partial compromise. How the Cipher Factory generates unique instances for each node.
That version exists. I wrote it for TreeChain’s blog.
This version is about something different. It is about the feeling of deleting three million records from a vendor you no longer need. The feeling of watching your infrastructure shrink to the things that actually matter.
I have spent years adding complexity. More services. More vendors. More dependencies. More things that could break at three in the morning when nobody who built them is awake.
This week I removed complexity. And the system got better.
The strongest thing I can say about what I built is not that it is clever. It is that it holds up when reality gets messy.
When a key is partially exposed. When a node is compromised. When someone who did not build it has to operate it. When I am not in the room.
That is the difference between a breakthrough and a system.
The sites are live. The records are encrypted. The mesh is replicating. The audit passes.
And I am still here. Sober. Building. Paying attention.