This is the madlads stack — the real one, built and run in production by Scott long before "AI coding" was a phrase anyone used. It did not come out of a generator. It was designed, shipped, broken, fixed, and hardened the hard way: in production, under load, by one engineer who owns every layer.
The V in this MEVN stack is Vanilla JS — no Vue, no React, no framework runtime shipped to the browser. Every service is server-rendered with EJS and driven by hand-written JavaScript. That was a deliberate call years ago, and it still pays off every day: fast pages, less to break, and nothing between the engineer and the machine.
Open-source, all the way down — the tools the madlads stack is built on.
The layers, and what each one does
- M — MongoDB. A document store per service, accessed through a mix of Mongoose schemas and the native driver. Users, content, world state, and sessions live here. Sessions persist to Mongo, so logins survive restarts and scale across the fleet.
- E — Express. The backbone of every service, with a consistent project shape — routes, services, models, views, public — so any service is legible the moment you open it. Middleware is layered deliberately: compression, logging, CORS, security headers, sessions, then auth.
- V — Vanilla JS. The deliberate choice. The client is plain JavaScript — including a full Three.js 3D renderer and Tone.js client-side audio — with zero framework overhead shipped to the user. No hydration tax, no virtual DOM, no framework churn.
- N — Node. Long-lived Node services, each pinned to its own port and managed as an isolated process. Real-time features run on Socket.IO; scheduled work runs on node-cron.
A fleet, not a monolith
madLadsLab runs as a constellation of independent Express services on a single VPS, each in its own tmux session on its own port. That buys isolation without the operational weight of containers everywhere.
- Process isolation — a crash or restart in one service never touches the others. Restarts are surgical and per-session, never a blunt process sweep.
- A watchdog layer keeps the fleet alive and brings it back cleanly after a reboot.
- A shared SSO platform centralizes authentication, so any service can defer to it for login and permissions instead of reinventing auth.
- A multi-tenant core resolves each request by domain to its own isolated database and brand — tenants never share data.
Security, layered in by default
Security here is not bolted on at the end — it is wired into the middleware stack of every service, the way years of running real sites teaches you to build.
- Hardened HTTP headers on the front of the request pipeline.
- Password hashing with bcrypt — credentials are never stored in the clear.
- Session integrity through Mongo-backed sessions, plus signed JSON Web Tokens for stateless contexts.
- Federated identity via Google OAuth, so users sign in through providers they already trust.
- Encryption at rest — per-tenant secrets are stored AES-256-GCM encrypted and only decrypted in memory.
- Abuse resistance with rate limiting on sensitive endpoints, plus honeypot and spam filtering on public forms.
- Strict authorization gating — admin surfaces sit behind explicit permission checks, not hidden routes.
- Secrets discipline — every credential lives in a gitignored environment file, never in code, docs, or commits. The repo is treated as public: if a secret ever lands in history, the rule is scrub and rotate.
Built by discipline, not by autopilot
This stack is the product of production discipline, not autocomplete. Schema design, middleware, auth, real-time rendering — all of it was built and proven by Scott across real deployments serving real businesses. The conventions baked in here — surgical restarts, secrets that never touch a commit, tenant data that never bleeds across boundaries — were earned in production, not handed over by a tool.
AI rides along as a support tool. It speeds up the typing, drafts the boilerplate, and rubber-ducks the edge cases — under Scott's direction, against his standards, on a stack and a set of production disciplines that existed long before it showed up. The judgment, the architecture, and the accountability stay human. AI supports the madlad; it is not the madlad.
Why it matters
The stack is a bet that fundamentals beat fashion. Server-rendered pages and vanilla JavaScript mean less to break and nothing between the engineer and the browser. A fleet of small Express services keeps problems contained. A security model baked into the middleware means safety is never optional. And a single owner who has run this in production for years means the whole thing moves fast without falling apart. MongoDB, Express, Vanilla JS, Node — this is the madlads stack, proven long before the hype, with AI now along for the ride. That is madLadsLab.