Tuesday, July 7, 2026
KeyCloak Security
Sunday, June 28, 2026
LLMs in Java - part 1
Interpretability of LLMs is important in many real world situations. For instance, there is an EU law that says if a bank's model refuses a loan then the client has the right to know why. But neural nets are notoriously hard to interpret.
There are a few techniques:
Activation Patching: this is basically A/B testing a neural net where the activations from a clean prompt are transplanted to that of a corrupted prompt and we check if that fixes the corruption.
Logit lens: take the residual stream vector (that is, the vector that represents the working memory) and apply it to the vocabulary logits at each layer. This way, we can see where an output word (probably) starts to form.
Sparse Auto Encoders: the auto encoder is trained on the model's input and output, and deliberately made sparse for low values so prominent features become clear.
The neural net itself
Most of the Java code that iterates over the tokens lives in InferenceEngine.generateTokensGPULlama. In turn, this delegates to the Tornado graphs that are executed in TornadoVMMasterPlan.tornadoVMForwardExecuteLayered. Note that the positionHolder is an IntArray that has a single element.
Saturday, June 6, 2026
Production ready Polaris
Sunday, May 17, 2026
R-squared
yt = εt + φεt-1 + φ2εt-2 + ... where |φ|<1
1. note that the joint probability distribution of x and y if they're independent is f(x,y) = f(x)f(y)2. integrate the expected values, that is integrate xy.f(x,y) = x f(x) y f(y)3. When you do that, you'll find E[XY] = E[X]E[Y].4. Substituing this into the formula for covariance above, Cov(X,Y) = 0 if X and Y are independent.
Friday, May 15, 2026
Polaris and Cloud tokens
- the token only allowing access to a single directory and its subfolders, not the whole bucket
- the token is no good after X minutes (where the default valu of X is 60)
Wednesday, May 6, 2026
The state of Polaris
"When the client requests credential vending, Polaris forwards the request to the remote catalog, but mints temporary credentials itself and vends them to the client. IOW, a PolarisStorageConfigurationInfo must have been configured when declaring the external catalog in Polaris, and it's this storage config that will be used for vending credentials."
My GcpCatalogFederationIntegrationIT lives in runtime/service/src/cloudTest/ and unlike their counterparts in runtime/service/src/, they need to run against an already started Polaris instance (the latter start their own and run out of the box).
Monday, April 20, 2026
Cloud Topologies and Azure
- a VPN (virtual private network) that is an entirely isolated environment
- subnets that are divided into public and private IP spaces by using non-overlapping CIDR blocks
- an internet gateway that allows access to the outside world and performs the NAT
- Route tables that permit traffic flows by typically bringing together subnets and security groups. If subnets are rooms in a building, route tables are the corridors between them and the Network ACLs (NACLs) are the bouncers on the door. Security groups are more identity based and they do a similar job to NACLs albeit at the vNIC level.
- a load balancer that allows incoming traffic from the internet. This differs from the load balancer as it's more the receptionist directing people rather than the security guard on the front door.
- the computers/VMs on which Kubernetes runs, called nodes.
- Create the Resource Group
- Create an identity for this group.
- Create a network for this group and identity.
- Create the Virtual Network compatible with the resource group
- Create the subnet for the Virtual Network
- Create a Network Security Group for the resource group. This defines the inbound and outbound rules. Funnily enough, the rules in the NSG are of higher priority the lower the number.
- We associate the subnet with the Network Security Group
- We assign a role to the subnet.
- Assign the subnet to a K8s Node Pool
- Create a network profile