Personal notes · May 2026

The Principal Full-Stack Engineer

I built this note to map what changes when full-stack scope grows into staff/principal leverage — from browser to database to cloud, with end-to-end ownership and the judgment to design coherent systems across every layer.

Author: Linh Truong, MA (Harvard), MBA · Source: LinhTruong.com · Email: Linh@Alumni.Harvard.edu

The question behind this note: when a feature crosses every layer of the stack, where do I place the cache, the contract, and the failure boundary — and can I defend that choice in writing? What follows is the map I use.
Frontend & UX Engineering Backend & APIs Data & AI-Native DevOps & Cloud Technical Leadership ✍️ By Linh Truong

01What Defines a Principal Full-Stack Engineer

Full-stack work, for me, means owning the entire vertical slice — from a pixel in the browser to a row in the database to the pipeline that deploys it. At staff/principal scope, that breadth becomes leverage: judgment to design coherent end-to-end systems and multiply an organization across every layer.

Vertical Ownership

Where specialists optimize a layer, I optimize the seam between layers — the API contract, the data flow, the latency budget that crosses the whole stack.

Coherence over Components

The hardest bugs and best wins live between frontend, backend, and data. Owning the whole path lets you remove entire classes of complexity, not just shift them.

Product & Velocity Sense

I try to ship features, not tickets — translating product intent into an end-to-end design and de-risking it before a team commits months to it.

How I define it

Someone trusted to design and own a feature or product end-to-end — making the highest-stakes cross-layer decisions correctly, and raising the bar for every layer the team touches.

Browser → DB
Span of ownership
T-shaped
Broad + 1–2 deep specialties
Org-wide
Sphere of influence
~30–40%
Time still hands-on

02The Competency Framework

I think of full-stack mastery as six dimensions. The goal is not deepest expert in each — it is balanced strength, with no layer weak enough to bottleneck an end-to-end design.

Frontend / UX Backend / APIs Data DevOps / Cloud Architecture Leadership

1 · Frontend / UX

Modern UI frameworks, rendering strategies, performance, accessibility, and genuine product/design taste.

2 · Backend / APIs

Service design, API contracts, auth, business logic, concurrency, and integration patterns.

3 · Data

Modeling, SQL/NoSQL trade-offs, indexing, caching, migrations, and increasingly vectors & search.

4 · DevOps / Cloud

CI/CD, containers, edge/serverless, IaC, and production observability across the stack.

5 · Architecture

End-to-end system design, cross-layer trade-offs, and keeping the expensive decisions reversible.

6 · Leadership

Multiplying others through writing, mentoring, standards, and aligning teams without authority.

03The IC Career Ladder & Scope Progression

The full-stack IC track grows by widening span and raising stakes — from owning a feature, to a product surface, to the end-to-end architecture an organization builds on. This is the ladder I use to calibrate scope.

L3 · Entry
Engineer
Builds well-scoped features with guidance across one or two layers.
L4 · Mid
Engineer II
Ships features end-to-end, frontend through database, with low supervision.
L5 · Senior
Senior Engineer
Owns a product surface end-to-end; sets local patterns; mentors.
L6 · Staff
Staff Engineer
Owns a domain across teams; drives shared architecture & platforms.
L7 · Principal
Principal Engineer
Owns the org's end-to-end technical direction & standards across the whole stack.
L8+ · Distinguished
Distinguished / Fellow
Company & industry-level technical influence.

Breadth is the moat

My edge is seeing the whole path of a request. Where specialists optimize locally, I spot the global win — and the global failure mode — that crosses every layer.

Depth still required

"Full-stack" never means shallow everywhere. Stay deep in 1–2 layers (the ones that differentiate you) so experts respect your judgment in those rooms.

The title follows the work

The title is granted on visible evidence you already operate at that scope: shipped end-to-end systems, standards others adopt, teams you unblocked. I document and broadcast impact deliberately.

04The Full-Stack Technology Map

The surface area I keep current, layer by layer. I aim to stay conversant across all of it without pretending to be deepest everywhere.

Client / Frontend
HTML / CSS / TypeScriptReact · Vue · Svelte · Angular State (Redux/Zustand/Signals)Tailwind · CSS-in-JS Design systemsA11y (WCAG 2.2)PWA · Web APIs
Meta-Framework / Render
Next.js · Remix / React RouterSvelteKit · Nuxt · Astro SSR · SSG · ISR · RSCStreaming & islands Vite · TurbopackEdge rendering
API / Transport
REST · OpenAPIGraphQLgRPC tRPCWebSockets · SSE WebhooksAPI gateway · BFF
Server / Backend
Node · Deno · BunGo · Rust Python · Java · .NETAuth (OAuth2 / OIDC / JWT) Queues & background jobsCaching · rate limiting
Data & Storage
PostgreSQL · MySQLMongoDB · DynamoDB RedisPrisma · Drizzle (ORM) Elasticsearch / searchVector DBs (pgvector)Object storage (S3)
AI Layer
LLM APIs & SDKsRAG & embeddings Streaming AI UIsAgents & tool-use (MCP) Evals & guardrailsAI-assisted dev
Platform / DevOps
Docker · KubernetesServerless · Edge functions CI/CD & preview deploysIaC (Terraform/Pulumi) CDNObservability (OTel)
Cross-Cutting
Security (OWASP)Performance (Core Web Vitals) Testing (unit→e2e)Type-safety (TS end-to-end) Accessibilityi18n / l10n

05The End-to-End Request Lifecycle

My signature full-stack mental model: follow a single user interaction through every layer. Owning this whole path is what lets me place a latency budget, a cache, or a failure boundary where it actually belongs.

Browser UI · interaction hydration Edge / CDN cache · TLS WAF · routing SSR / RSC render · stream BFF API Gateway authn/z rate limit Service business logic validation Cache (Redis) hot reads · sessions Database source of truth Queue / Jobs async · events response · stream HTML/JSON

Latency budget

Allocate the user's perceived budget across hops; the network round-trips dominate, not your code.

Cache where it counts

Push reads as close to the edge as correctness allows; invalidate deliberately.

Move work async

Anything not needed for the response goes to a queue — keep the request path short.

Fail at the boundary

Timeouts, retries, and degradation belong at each hop, not buried in business logic.

06Frontend Architecture & Strategy

The frontend is now a distributed system of its own. The defining decision, for me, is rendering strategy — where and when HTML is produced — because it dictates performance, SEO, cost, and complexity.

Rendering strategies — choose per route, not per app

CSR

Client renders everything. Best for highly interactive, auth-gated apps (dashboards). Weak SEO & first paint.

SSR / Streaming

HTML per request, streamed. Fresh data + good SEO; costs server time. Default for dynamic pages.

SSG / ISR

Pre-render at build, revalidate incrementally. Fastest & cheapest for mostly-static content.

RSC / Islands

Server Components & partial hydration ship less JS. Where I look first for the best of both worlds.

Performance — Core Web Vitals

  • LCP < 2.5s — largest contentful paint
  • INP < 200ms — interaction to next paint (replaced FID in 2024)
  • CLS < 0.1 — layout stability
  • Code-split, lazy-load, optimize images, ship less JS

Architecture & state

  • Component-driven + a real design system
  • Server state (TanStack Query) vs. client state (Zustand/Signals)
  • Co-locate data fetching; avoid prop-drilling & waterfalls
  • Type-safe from API to component props

Accessibility & quality

  • WCAG 2.2 AA as the baseline, not an afterthought
  • Semantic HTML, keyboard nav, ARIA only when needed
  • i18n / l10n designed in early
  • Component & visual-regression testing

Heuristic I use

Most "frontend performance problems" are architecture problems: too much JavaScript shipped, data fetched in waterfalls, or the wrong rendering strategy for the route. Fix the architecture before reaching for micro-optimizations.

07Backend & API Design

The API is the contract that holds the stack together — the most expensive thing to get wrong, because every client depends on it. Design it deliberately and version it carefully.

Choosing an API style

StyleUse it when…Trade-off
RESTPublic APIs, broad compatibility, simple resourcesOver/under-fetching; many round-trips
GraphQLMany clients with varied data needs; complex graphsCaching & complexity cost; N+1 risk
gRPCInternal service-to-service, low latency, streamingNot browser-native; tooling overhead
tRPCTypeScript monorepo, end-to-end type-safety, one teamTS-only; couples client & server

API discipline

  • Versioning & backward compatibility
  • Pagination, filtering, sorting conventions
  • Consistent error shapes & status codes
  • Idempotency keys for writes
  • OpenAPI / schema as source of truth

Auth & access

  • OAuth2 / OIDC for delegated auth
  • JWT vs. server sessions — know the trade-off
  • RBAC / ABAC for authorization
  • Authorize on every request, server-side
  • Short-lived tokens + refresh rotation

Resilience & scale

  • Rate limiting & quotas
  • Caching (HTTP, app, CDN) with clear invalidation
  • Timeouts, retries with jitter, circuit breakers
  • Background jobs & the outbox pattern
  • Graceful degradation under load

The cardinal backend rule

Never trust the client. Validate & authorize on the server for every request — UI-level checks are UX, not security. The frontend is fully under the attacker's control.

08The Data Layer

Schema and data model are the longest-lived, most expensive decisions in the stack. I design them to evolve safely under live traffic.

SQL vs. NoSQL — the honest default

Start with a relational database (PostgreSQL) for almost everything: ACID, joins, constraints, and decades of tooling. Reach for NoSQL when you have a specific access pattern it serves better — extreme write scale (wide-column), flexible documents, or key-value caching. "We might need scale" is not a reason; a measured access pattern is.

The skills that prevent outages

  • Indexing — the #1 lever for query performance
  • Avoid N+1 — the most common full-stack data bug
  • Transactions & isolation levels — know what you're getting
  • Migrations — expand/contract, zero-downtime, reversible
  • Connection pooling — serverless makes this critical

Caching layers

Redis for hot reads, sessions, rate limits, and queues. Decide TTL & invalidation up front — stale cache bugs are brutal.

Search & vectors

Full-text & relevance via Elasticsearch / Postgres FTS; semantic search & RAG via pgvector or a vector DB.

ORM vs. raw SQL

Prisma/Drizzle for type-safety & velocity; drop to SQL for hot, complex queries. Know what the ORM emits.

09End-to-End Type-Safety & Developer Experience

The modern full-stack superpower: a single type definition that flows from the database, through the API, to the React component — so a schema change becomes a compile error, not a production incident.

DB schema Postgres · Drizzle/Prisma Generated types inferred models API contract tRPC · GraphQL · Zod Client types typed fetch / hooks UI components typed props

One source of truth → types propagate everywhere. Break the contract and the build fails before users do.

TypeScript everywhere

Shared types across client & server. strict mode on. Validate untrusted input at the edge with Zod/Valibot.

Monorepo tooling

Turborepo / Nx / pnpm workspaces to share code & types, cache builds, and coordinate releases.

DX as leverage

Fast feedback loops, preview deploys, generators, and good defaults multiply every engineer on the team.

10AI-Native Full-Stack Engineering

AI now touches every layer — a feature in the product, a streaming UI in the browser, a new system to operate in the backend, and a force-multiplier in the dev loop. I set standards for all four.

AI as a product feature

  • RAG grounded on your data (pgvector / vector DB)
  • Streaming UIs — token-by-token via SSE; optimistic UX
  • Agents & tool-use over your APIs (incl. MCP)
  • Structured outputs validated with schemas
  • Cost / latency / quality model routing

AI as a system to operate

  • Evals — measure quality offline & online
  • Guardrails — validate inputs & outputs
  • Defend against prompt injection & data exfiltration
  • Handle non-determinism & hallucination gracefully
  • Observability, versioning, and cost ceilings

How I think about the AI mandate

I decide when to use a model vs. deterministic code, where the guardrails live, and how quality is measured — and keep humans accountable for AI-generated output. In the dev loop, AI coding agents raise volume, so I raise the bar on review and verification. Velocity without verification is just faster bugs.

11Quality, Testing & Performance

Quality is engineered across the stack with a deliberate testing strategy and performance budgets — not bolted on before release.

The testing strategy (trophy, not just pyramid)

  • Static — TypeScript, ESLint, type-checks catch most bugs free
  • Unit — pure logic, fast & focused
  • Integration — the highest-value layer for full-stack (API + DB)
  • E2E — Playwright / Cypress for critical user journeys
  • Contract — keep frontend & backend in sync

Performance across the stack

  • Frontend: Core Web Vitals, bundle size, lazy-loading
  • Network: fewer round-trips, compression, HTTP/2-3, CDN
  • Backend: p95/p99 latency, profiling, connection pools
  • Database: indexes, query plans, caching, read replicas
  • Measure first; optimize the proven bottleneck only

DORA — the language of delivery performance

Lead Time
Commit → production
Deploy Freq
How often you ship
CFR
Change failure rate
MTTR
Time to restore

12Security Across the Stack

Full-stack means a full-stack attack surface. I try to make the secure path the easy path, and stay aware of vulnerabilities at every layer.

Frontend

XSS (escape output, CSP), CSRF tokens, secure cookies (HttpOnly/SameSite), no secrets in client code.

API / Backend

Authz on every request, input validation, SQL injection prevention (parameterized queries), rate limiting, CORS.

Data

Encrypt in transit & at rest, secrets in a vault, PII minimization, least-privilege DB access.

Supply chain

Dependency & secret scanning in CI, lockfiles, SBOMs. Your npm tree is your attack surface.

Know the OWASP Top 10 — and the LLM Top 10

Broken access control, injection, cryptographic failures, SSRF, security misconfiguration, vulnerable components, auth failures, and more. For AI features, add the OWASP Top 10 for LLM Applications: prompt injection, insecure output handling, and sensitive-information disclosure.

13DevOps, Deployment & Operations

A full-stack engineer ships and operates. Owning deployment and production health closes the loop — you build it, you run it.

Ship safely

  • CI/CD with automated tests & checks
  • Trunk-based dev, small frequent PRs
  • Preview deploys per pull request
  • Feature flags & progressive rollout
  • Fast, automated rollback

Run it

  • Containers (Docker) & orchestration (K8s) or serverless/edge
  • Infrastructure as Code (Terraform/Pulumi)
  • Environments: dev → staging → prod parity
  • Secrets & config management
  • Cost awareness (FinOps)

Observe & respond

  • Logs, metrics, traces (OpenTelemetry)
  • SLOs & error budgets
  • Real-user monitoring (RUM) + alerts
  • On-call & incident response
  • Blameless postmortems

"You build it, you run it"

The full-stack ethos extends to production. Owning the deploy and the pager makes you design for operability from the start — and gives you the feedback loop that makes every future design better.

14Decision-Making Frameworks

My core deliverable at this level is good decisions, made at the right time, documented well — frameworks turn judgment into something teachable.

One-way vs. two-way doors

Reversible decisions should be made fast and delegated. Irreversible ones (the data model, the API contract, the core framework) deserve deliberation. Spend your judgment on the one-way doors; never bottleneck the two-way ones.

Architecture Decision Records (ADRs)

Capture context, decision, alternatives, consequences in a short versioned doc. ADRs are the institutional memory that stops teams re-litigating "why did we pick Next.js / Postgres / tRPC?"

The end-to-end design process

1

Start from the user & the data

What does the user do, and what's the shape of the data behind it? Both ends anchor the design.

2

Define the API contract

The seam between frontend and backend. Get it right and both sides move independently.

3

Choose rendering & state strategy

Per route: CSR/SSR/SSG/RSC, and where state lives.

4

Trace the failure modes

What happens when each hop is slow or down? Place timeouts & degradation.

5

Plan the rollout

Migrations, flags, backward compatibility, observability before launch.

6

Keep it reversible

Build options to undo. Boring tech by default; innovate only where it differentiates.

Disagree & commit

Once a decision is made — even one you argued against — commit fully and visibly. Re-litigating in the hallway erodes the whole team's velocity and trust.

15Technical Leadership & Influence

The bottleneck is rarely my code — it's aligning, persuading, and multiplying people I don't manage. Influence without authority is the defining skill.

Writing is the superpower

Design docs, RFCs, and ADRs scale your thinking across teams and time. If you can't write it down clearly, you don't understand it yet.

Multiply, don't hoard

Mentor, sponsor, unblock. Give away the interesting work. Your impact is what the engineers around you accomplish.

Set the standards

Own the tech radar, design reviews, and conventions so many teams make consistent choices without you in the room.

Translate up & sideways

Turn technical reality into business risk for execs, and business goals into engineering plans for teams. You are the bridge.

Pick the right battles

Political capital is finite. Spend it on the decisions that matter for years; let the rest go.

Stay technical & credible

Prototype the risky part, read the code, debug the gnarly outage. Credibility is the currency of influence.

The leadership inversion

As a senior, you're rewarded for being the smartest person solving the problem. At staff/principal scope, you're rewarded for making yourself unnecessary to it — building the systems, standards, and people that solve it without you.

16Full-Stack Engineering Maturity Model

A diagnostic ladder I use for an organization's full-stack practice. Find the bottleneck capability, move it one level, then re-assess.

Capability L1 · Reactive L2 · Managed L3 · Defined L4 · Optimizing
DeliveryManual, risky releasesScheduled, some automationCI/CD, preview deploysContinuous, progressive rollout
Type-safetyLoose JS, runtime errorsTS in patchesStrict TS, shared typesEnd-to-end inferred, build-time safety
Frontend perfNo budgets, slow pagesAd-hoc fixesCWV tracked & gatedBudgets enforced in CI, RUM-driven
API designInconsistent, undocumentedSome conventionsSchema-first, versionedContract-tested, self-documenting
TestingManual QA onlySome unit testsTrophy: integration + e2eShift-left, prod testing, high trust
AI adoptionUngoverned tool useApproved tools, guidelinesEval'd patterns & guardrailsAI-native workflows, measured leverage

17Full-Stack Anti-Patterns & Antidotes

Failure modes I've seen stall people at this level. Most get tripped by the left column.

✗ Anti-patterns

  • Jack of all, master of none: shallow everywhere, deep nowhere — no expert respects your judgment.
  • Trusting the client: validation/authz only in the UI.
  • Distributed monolith: microservices that must deploy together.
  • N+1 everywhere: the ORM hides a query storm.
  • Resume-driven stack: newest framework over fit.
  • Shipping JS by the megabyte: ignoring the bundle & CWV.
  • Hero / bottleneck: the team can't function without you.

✓ Antidotes

  • T-shaped: broad literacy + real depth in 1–2 layers.
  • Server-side authority: validate & authorize every request.
  • Modular monolith first; split only when forced.
  • Watch the queries: eager-load, batch, and read the SQL.
  • Boring tech by default; innovate where it differentiates.
  • Performance budgets; ship less JS, pick the right rendering.
  • Write it down, delegate, mentor; make yourself replaceable.

18The 90-Day & Ongoing Strategy

The operating cadence I use when entering a new full-stack scope — and how I sustain impact once I'm there.

Days 0–30 · Listen & map

  • Read the code top-to-bottom: UI, API, schema, pipeline
  • Trace a real request end-to-end
  • Meet teams; map the org & its pain
  • Earn trust with a small, real shipped fix

Days 30–60 · Diagnose & align

  • Write a "state of the stack" memo
  • Propose a prioritized technical strategy
  • Build coalitions; pressure-test with skeptics
  • Pick one high-leverage end-to-end initiative

Days 60–90 · Drive & multiply

  • Ship a visible end-to-end win
  • Establish standards (types, API, testing) that outlast you
  • Mentor & sponsor deliberately
  • Set the metrics that prove ongoing impact

Sustaining impact: the continuous loop

Sense problems Frame & prioritize Decide & document Drive & delegate Reflect & teach

Continuous learning curriculum

Foundational books

DDIA (Kleppmann), A Philosophy of Software Design (Ousterhout), The Staff Engineer's Path (Reilly), Refactoring (Fowler). Annotated citations: §19 References.

Build & operate

Ship real end-to-end products; run them in prod; read post-mortems; contribute to OSS across layers.

Stay current

Framework release notes, web.dev, MDN, the tech radar, AI SDK docs. Filter hype from signal.

Meta-skills

Writing, public speaking, mentoring, product sense, and managing your own focus & energy.

19References & Sources

Annotated bibliography behind the full-stack principal overview, competency framework, career ladder, technology map, request lifecycle, frontend and backend architecture, data layer, type-safety pipeline, AI-native features, quality and testing, security, DevOps, decisions, leadership, maturity model, anti-patterns, and 90-day roadmap. Section tags (e.g. §06) show where each source is used. Stack diagrams, lifecycle SVGs, and synthesis tables are my own unless noted.

Scope. Synthesis of books, RFCs, W3C/WCAG standards, vendor documentation, peer-reviewed papers, and industry frameworks (May 2026). Framework names (Next.js, tRPC, Prisma, etc.) illustrate patterns — not endorsements. Level titles (L3–L8) vary by employer. Not HR, compensation, or promotion advice.

Citations are numbered continuously [1]–[n] within this section.

Principal full-stack role, scope & leverage (§01, §15)

  1. Larson, W., Staff Engineer: Leadership Beyond the Management Track. Independent, 2021. Vertical ownership and influence without authority — §01 overview and §15 leadership cards. staffeng.com — §01, §03, §15, §18.
  2. Reilly, T., The Staff Engineer's Path. O'Reilly, 2022. End-to-end IC scope and operating cadence — §01 leverage framing and §18 roadmap. — §01, §15, §18.
  3. Richards, M., & Ford, N., Fundamentals of Software Architecture. O'Reilly, 2020. Cross-layer trade-offs and architect judgment — §01 definition callout and §02 framework. — §01, §02, §14.
  4. Brooks, F. P., The Mythical Man-Month (anniv. ed.). Addison-Wesley, 1995. Coherence vs. accidental complexity — §01 vertical-ownership theme. — §01.

Competency framework & career ladder (§02, §03)

  1. Bass, L., Clements, P., & Kazman, R., Software Architecture in Practice (4th ed.). Addison-Wesley, 2021. Architect competencies — §02 six-dimension radar. — §02.
  2. Larson, W., "Staff archetypes." Staff Engineer, ch. 2–3. Tech Lead, Architect, Solver, Right Hand — §03 ladder context cards. — §03.
  3. Google Engineering leveling rubrics (industry reference). L3–L8 IC scope progression — §03 ladder diagram (synthesized from common big-tech ladders). — §03.
  4. Emerson, T., "The T-Shaped Person." IDEO / design-thinking literature, 1990s+. Broad + deep specialty — §01 T-shaped metric and §03 depth-still-required card. — §01, §03.

Full-stack technology map & request lifecycle (§04, §05)

  1. MDN Web Docs (Mozilla). HTML, CSS, JavaScript, Web APIs — §04 client/frontend layer tags. developer.mozilla.org — §04.
  2. Kleppmann, M., Designing Data-Intensive Applications. O'Reilly, 2017. Data stores, caching, replication, queues — §04 data/platform layers and §08 data section. — §04, §05, §08, §18.
  3. Dean, J., & Barroso, L. A., "The Tail at Scale." Communications of the ACM, 56(2), 74–80, 2013. Latency budgets across hops — §05 lifecycle diagram and latency-budget card. DOI: 10.1145/2408776.2408794 — §05.
  4. Nygard, M. T., Release It! (2nd ed.). Pragmatic Bookshelf, 2018. Timeouts, retries, circuit breakers at boundaries — §05 fail-at-the-boundary card. — §05, §07.
  5. Cloudflare / Akamai / AWS CloudFront documentation. CDN edge caching — §05 Edge/CDN hop in lifecycle SVG. — §05, §13.
  6. Richardson, C., "Pattern: Backends for Frontends." microservices.io. BFF layer — §05 SSR/BFF hop. microservices.io — §05, §07.

Frontend architecture, rendering & Web Vitals (§06)

  1. React Team, "React Server Components." React documentation / RFC. RSC rendering model — §06 RSC/Islands card and §04 meta-framework layer. react.dev — §04, §06.
  2. Next.js documentation — App Router, SSR, SSG, ISR, streaming. Rendering strategies table — §06 CSR/SSR/SSG/RSC cards. nextjs.org — §04, §06.
  3. Google, Web Vitals & Chrome UX Report. LCP, INP (replacing FID), CLS thresholds — §06 Core Web Vitals list. web.dev/vitals — §06, §11, §16.
  4. W3C, Web Content Accessibility Guidelines (WCAG) 2.2. W3C Recommendation, 2023. A11y baseline — §04 WCAG tag and §06 accessibility card. w3.org/TR/WCAG22 — §04, §06.
  5. Malte Ubl, "Islands Architecture." 2019+. Partial hydration — §06 RSC/Islands card context. — §06.
  6. TanStack Query documentation. Server-state management — §06 architecture & state card. tanstack.com/query — §06.

Backend, APIs & auth (§07)

  1. Fielding, R. T., Architectural Styles and the Design of Network-based Software Architectures (REST dissertation). UC Irvine, 2000. REST constraints — §07 REST row. ics.uci.edu — §07.
  2. OpenAPI Initiative, OpenAPI Specification 3.x. Schema-first REST — §07 API discipline / OpenAPI bullet. spec.openapis.org — §07, §16.
  3. GraphQL Foundation, GraphQL Specification. Client-shaped queries — §07 GraphQL row. spec.graphql.org — §07.
  4. Google, gRPC documentation. Protobuf RPC — §07 gRPC row. grpc.io — §07.
  5. tRPC documentation. End-to-end TypeScript RPC — §07 tRPC row and §09 type pipeline. trpc.io — §07, §09.
  6. Hardt, D., RFC 6749: The OAuth 2.0 Authorization Framework. IETF, 2012. OAuth2 — §07 auth card. datatracker.ietf.org — §07.
  7. OpenID Foundation, OpenID Connect Core 1.0. OIDC identity layer — §07 OIDC bullet. openid.net — §07.
  8. Richardson, C., "Pattern: Transactional Outbox." microservices.io. Outbox pattern — §07 resilience card. — §07.

Data layer, ORMs & migrations (§08)

  1. PostgreSQL Global Development Group, PostgreSQL Documentation. Default relational store — §08 SQL default and §04 PostgreSQL tag. postgresql.org — §04, §08.
  2. Prisma documentation; Drizzle ORM documentation. Type-safe ORMs — §04 Prisma/Drizzle tags and §08 ORM card. prisma.io — §04, §08, §09.
  3. Stripe Engineering, "Online Migrations at Scale." Expand/contract pattern — §08 migrations bullet. Widely cited industry pattern — §08.
  4. Redis documentation. Caching, sessions, rate limits — §08 caching layers card. redis.io — §05, §08.
  5. pgvector / Elasticsearch documentation. Vector and full-text search — §08 search & vectors card. — §08, §10.

End-to-end type-safety & developer experience (§09)

  1. Microsoft, TypeScript Handbook — strict mode. Shared client/server types — §09 TypeScript everywhere card. typescriptlang.org — §04, §09, §16.
  2. Colinhacks, Zod — TypeScript-first schema validation. Runtime validation at API edge — §09 pipeline diagram and Zod mention. zod.dev — §09.
  3. tRPC documentation. Inferred types across client and server — §09 type-safety pipeline SVG. — §07, §09.
  4. Vercel, Turborepo documentation; Nx documentation. Monorepo tooling — §09 monorepo card. turbo.build — §09.

AI-native full-stack features (§10)

  1. Lewis, P. et al., "Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks." NeurIPS, 2020. RAG pattern — §10 AI as product feature. arxiv.org/abs/2005.11401 — §10.
  2. WHATWG / W3C, Server-Sent Events. Streaming token UIs — §10 streaming UIs bullet. html.spec.whatwg.org — §10.
  3. Anthropic, Model Context Protocol (MCP) specification. Agent tool-use standard — §10 agents & MCP bullet. modelcontextprotocol.io — §10.
  4. OWASP, Top 10 for Large Language Model Applications. Prompt injection, insecure output — §10 guardrails and §12 LLM Top 10 callout. owasp.org — §10, §12.
  5. Sculley, D., et al., "Hidden Technical Debt in Machine Learning Systems." NeurIPS, 2015. Operating AI systems — §10 AI as system to operate. — §10, §16.

Quality, testing trophy & DORA (§11, §16)

  1. Dodds, K. C., "The Testing Trophy and Testing Classifications." Kent C. Dodds blog, 2018+. Static → unit → integration → E2E — §11 testing strategy card. kentcdodds.com — §11, §16.
  2. Microsoft, Playwright documentation. E2E testing — §11 E2E bullet. playwright.dev — §11.
  3. Forsgren, N., Humble, J., & Kim, G., Accelerate. IT Revolution, 2018. DORA four keys — §11 DORA metrics row. — §11, §13, §16.
  4. DORA / Google Cloud, State of DevOps Reports. Delivery performance research — §11 DORA section. dora.dev — §11, §16.
  5. Cypress documentation; Pact / contract-testing practice. E2E and contract tests — §11 contract-testing bullet. — §11, §16.

Security across the stack (§12)

  1. OWASP Foundation, OWASP Top Ten. Web application risks — §12 OWASP callout and §04 cross-cutting tag. owasp.org — §12.
  2. OWASP, Cross Site Scripting (XSS) & CSP guidance. Frontend XSS prevention — §12 frontend security card. — §12.
  3. OWASP, Cross-Site Request Forgery (CSRF) prevention. CSRF tokens — §12 frontend card. — §12.
  4. NIST, SP 800-207 Zero Trust Architecture. Least privilege — background for §12 backend authz. csrc.nist.gov — §12.
  5. CNCF / OpenSSF, SLSA framework. Supply-chain signing — §12 supply chain card. slsa.dev — §12, §13.

DevOps, deployment & operations (§13)

  1. Humble, J., & Farley, D., Continuous Delivery. Addison-Wesley, 2010. CI/CD, trunk-based development — §13 ship safely card. — §13, §16.
  2. Fowler, M., "Feature Toggles (aka Feature Flags)." Progressive rollout — §13 feature flags bullet. martinfowler.com — §13, §16.
  3. Amazon / Werner Vogels, "You Build It, You Run It." DevOps ethos — §13 callout and §13 observe card. All Things Distributed — §13.
  4. Google SRE Team, Site Reliability Engineering. O'Reilly, 2016. SLOs, error budgets, on-call — §13 observe & respond card. sre.google — §13.
  5. OpenTelemetry documentation. Logs, metrics, traces — §13 observability bullet. opentelemetry.io — §13.
  6. HashiCorp Terraform / Pulumi documentation. Infrastructure as Code — §13 run-it card. — §13.
  7. Kubernetes documentation. Container orchestration — §13 containers bullet. kubernetes.io — §04, §13.

Decision-making, ADRs & design process (§14)

  1. Bezos, J. (Amazon), "Type 1 vs. Type 2 decisions." One-way vs. two-way doors — §14 Bezos card. — §14.
  2. Nygard, M., "Documenting Architecture Decisions." Cognitect, 2011. ADR format — §14 ADR card. cognitect.com — §14.
  3. Thomson, J., "ADR: Architecture Decision Records." adr.github.io — §14. — §14.
  4. Amazon leadership principle, "Disagree and commit." Decision closure — §14 disagree & commit callout. — §14, §15.
  5. Beck, K., Extreme Programming Explained. YAGNI, boring tech by default — §14 design process step 6. — §14.

Technical leadership & anti-patterns (§15, §17)

  1. Winters, T., Manshreck, T., & Wright, H., Software Engineering at Google. O'Reilly, 2020. Design docs, code review culture — §15 writing superpower card. — §15.
  2. Larson, W., Staff Engineer. Multiplying others, tech alignment — §15 leadership cards. — §15.
  3. Fowler, M., "Who Needs an Architect?" IEEE Software, 2003. Ivory-tower anti-pattern context — §17 ivory-tower row. — §17.
  4. Fowler, M., "Resume Driven Development." bliki, 2015. Novelty over fit — §17 resume-driven design. martinfowler.com — §17.
  5. Brooks, F. P., The Mythical Man-Month. Hero/bottleneck pattern — §17 hero anti-pattern. — §17.

Maturity model & continuous learning (§16, §18)

  1. CMMI Institute, Capability Maturity Model Integration. Staged maturity (adapted in §16 matrix). My L1–L4 table is synthesis, not CMMI certification. — §16.
  2. Google, web.dev & Chrome DevTools documentation. CWV measurement — §16 frontend perf rows. web.dev — §16, §18.
  3. ThoughtWorks Technology Radar. Stay-current practice — §18 stay-current card. thoughtworks.com/radar — §18.
  4. Larson, W., & Reilly, T. (synthesis). First-90-days listen–diagnose–drive — §18 90-day cards. — §18.

Foundational canon cited in §18 curriculum

  1. Kleppmann, M., Designing Data-Intensive Applications. O'Reilly, 2017. — §18 foundational books. — §18 (+ §04–§08).
  2. Ousterhout, J., A Philosophy of Software Design. Yaknyam Press, 2021. — §18 list. — §18.
  3. Reilly, T., The Staff Engineer's Path. O'Reilly, 2022. — §18 list. — §18.
  4. Fowler, M., Refactoring: Improving the Design of Existing Code (2nd ed.). Addison-Wesley, 2018. — §18 list. — §18.

Author synthesis

  1. Truong, L., The Principal Full-Stack Engineer — personal working notes. May 2026. Technology map, request lifecycle diagram, type-safety pipeline, maturity matrix, anti-pattern grid, and synthesis prose. LinhTruong.com — all sections.

Before you cite externally

Framework versions, Core Web Vitals thresholds, and AI SDK capabilities change frequently — verify against current vendor docs. INP replaced FID as a Core Web Vital in 2024 (Google). Level titles and promotion rubrics differ by company. OWASP and LLM security guidance evolves quickly. Maturity model rows are my synthesis, not a formal assessment framework. Not HR, compensation, or promotion advice.