Welcome to The Weekly Five - your curated list of 5
exceptional open source projects I discovered this week.
The Weekly Five
From code to clarity: tools that help teams define, enforce, and visualize the rules of their systems
Every growing team eventually hits the same wall: the rules that govern your system (who can access what, how data flows, where VMs run, how services communicate) live scattered across wikis, tribal knowledge, and half-documented configs. This week's picks focus on tools that bring those invisible rules into the light. Whether you need to lock down permissions in JavaScript, unify 100+ LLM providers behind one API, run virtual machines alongside containers, speed up connections with modern protocols, or turn text into architecture diagrams, these five projects help teams define, enforce, and visualize the logic that holds their systems together.
Top takeaways
Authorization and access control can be incrementally adopted without rewriting your entire stack, and CASL proves it with its isomorphic, scalable approach to permissions
The LLM provider landscape is fragmented, but LiteLLM proves you can call 100+ models through a single OpenAI-compatible interface with production-grade spend tracking and load balancing
Modern infrastructure challenges (running VMs in Kubernetes, adopting HTTP/3) now have production-ready open source solutions that teams can deploy today
Who this issue is for
Backend engineers, platform teams, and technical leads who want practical tools to make their system rules explicit, enforceable, and visible to the whole team.
casl
🔗 View on GitHub | GitHub stars: 6,986
Why this made the cut: CASL brings battle-tested, CanCan-style authorization to the JavaScript ecosystem with an isomorphic design that works identically on client and server.
Why it matters
Authorization logic is one of the most critical yet frequently scattered parts of any application. CASL provides a single, declarative way to define what users can and cannot do, and those rules can run anywhere JavaScript runs. This means your frontend can hide UI elements using the exact same permission logic your API uses to block requests, eliminating the drift that causes security holes.
Key features
Isomorphic design: define abilities once, enforce them in Node.js, React, Vue, Angular, or any JavaScript environment
Incremental adoption: start with simple role checks and scale to attribute-based access control as your needs grow
Framework integrations: first-class support for popular frameworks including React (with hooks), Vue, and Angular
Condition-based rules: restrict access based on resource attributes (e.g., users can only edit their own posts)
TypeScript support: full type safety for ability definitions and checks
How to use
Installation:
npm install @casl/abilityDefine abilities:
import { AbilityBuilder, createMongoAbility } from '@casl/ability';
const { can, cannot, build } = new AbilityBuilder(createMongoAbility);
can('read', 'Article');
can('update', 'Article', { authorId: user.id });
cannot('delete', 'Article');
const ability = build();Check permissions:
ability.can('read', 'Article'); // true
ability.can('update', article); // true if article.authorId === user.idReact integration tip (from community guides): Use the @casl/react package with the Can component to conditionally render UI elements based on abilities, keeping your permission logic consistent across your entire stack.
Project ideas
Multi-tenant SaaS permission layer: Build a shared permission module using CASL that defines tenant-scoped abilities (e.g., can('manage', 'Invoice', { tenantId })) and wire it into both your Express API middleware and your React dashboard so role changes take effect everywhere instantly.
Content moderation dashboard: Create a moderation tool where admins, moderators, and reviewers each see different actions (approve, flag, delete) on user-submitted content, with CASL abilities driving both the API guards and the UI button visibility.
Recommended reads
CASL Introduction - Official Guide - Walks through defining abilities, checking permissions, using conditions, and field-level restrictions with clear code examples.
Roles with Predefined Permissions - CASL Cookbook - Shows how to map traditional roles (admin, editor, viewer) to CASL ability definitions, bridging the gap between role-based and attribute-based access control.
litellm
🔗 View on GitHub | GitHub stars: 52,830
Why this made the cut: LiteLLM gives teams a single, OpenAI-compatible interface to call 100+ LLM providers, with built-in spend tracking, virtual keys, guardrails, and load balancing, so you can swap models without rewriting a line of code.
Why it matters
Every LLM provider has its own SDK, auth pattern, and request format. When your team uses OpenAI today but needs to add Anthropic, Bedrock, or a self-hosted model tomorrow, you face a mountain of integration work. LiteLLM eliminates this by proxying all calls through one unified API. Your application code stays the same while you route requests to whichever provider makes sense for cost, latency, or capability. Used in production by Stripe, Netflix, and the OpenAI Agents SDK.
Key features
Unified API: one interface for 100+ LLMs (OpenAI, Anthropic, Gemini, Bedrock, Azure, Cohere, and more) using the OpenAI format
AI Gateway (Proxy Server): deploy as a centralized service with virtual keys, spend tracking per project/user, guardrails, and an admin dashboard
Load balancing and fallbacks: route across multiple deployments with automatic retry and failover logic
MCP Gateway: connect MCP tool servers to any LLM through the proxy
A2A Protocol support: invoke agents built with LangGraph, Pydantic AI, or cloud agent services through a unified agent gateway
Production performance: 8ms P95 latency at 1,000 requests per second
How to use
Python SDK:
uv add litellmfrom litellm import completion
import os
os.environ["OPENAI_API_KEY"] = "your-openai-key"
os.environ["ANTHROPIC_API_KEY"] = "your-anthropic-key"
# OpenAI
response = completion(model="openai/gpt-4o", messages=[{"role": "user", "content": "Hello!"}])
# Anthropic - same interface, just change the model string
response = completion(model="anthropic/claude-sonnet-4-20250514", messages=[{"role": "user", "content": "Hello!"}])AI Gateway (Proxy Server):
uv tool install 'litellm[proxy]'
litellm --model gpt-4oimport openai
client = openai.OpenAI(api_key="anything", base_url="http://0.0.0.0:4000")
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Hello!"}]
)Production deployment: LiteLLM provides Terraform modules for both AWS (ECS Fargate + Aurora + ElastiCache) and GCP (Cloud Run + Cloud SQL + Memorystore) with managed Postgres, Redis, and auto-generated secrets out of the box.
Project ideas
Multi-provider AI gateway for your team: Deploy the LiteLLM proxy as your organization's central AI gateway, issue virtual keys per team/project, set per-key spend limits, and use the admin dashboard to track which teams are spending what across OpenAI, Anthropic, and Bedrock.
Model evaluation pipeline: Build a testing harness that sends the same prompts to multiple models (GPT-4o, Claude, Gemini) through LiteLLM's unified API, then compares response quality, latency, and cost to help your team pick the best model for each use case.
Recommended reads
LiteLLM AI Gateway Docs - The official proxy server guide covering setup, virtual keys, spend tracking, guardrails, and deployment options.
LiteLLM Docker Quick Start - End-to-end tutorial to get the AI Gateway running with Docker, set up virtual keys, and make your first request.
kubevirt
🔗 View on GitHub | GitHub stars: 6,938
Why this made the cut: KubeVirt extends Kubernetes to manage virtual machines alongside containers, solving the "we still need VMs" problem without requiring a separate infrastructure stack.
Why it matters
Not everything can run in a container. Legacy applications, specific kernel requirements, Windows workloads, and certain compliance scenarios still need virtual machines. KubeVirt lets platform teams use their existing Kubernetes skills, tooling, and infrastructure to manage VMs, eliminating the operational overhead of maintaining two separate platforms. Your VMs become just another Kubernetes resource.
Key features
Native Kubernetes integration: VMs are defined as Custom Resources and managed with kubectl
Live migration: move running VMs between nodes without downtime
Containerized Data Importer (CDI): import VM images from URLs, registries, or existing PVCs
Network integration: VMs participate in Kubernetes networking (pod network, Multus for advanced scenarios)
Storage flexibility: use any Kubernetes storage class for VM disks
Snapshot and clone: leverage CSI snapshots for VM backup and duplication
How to use
Prerequisites: A Kubernetes cluster with hardware virtualization support (nested virtualization or bare metal).
Installation:
export VERSION=$(curl -s https://api.github.com/repos/kubevirt/kubevirt/releases/latest | grep tag_name | cut -d '"' -f 4)
kubectl create -f https://github.com/kubevirt/kubevirt/releases/download/${VERSION}/kubevirt-operator.yaml
kubectl create -f https://github.com/kubevirt/kubevirt/releases/download/${VERSION}/kubevirt-cr.yamlInstall virtctl CLI:
kubectl krew install virtCreate a VM (from community tutorial):
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
name: testvm
spec:
running: false
template:
spec:
domain:
devices:
disks:
- name: containerdisk
disk:
bus: virtio
resources:
requests:
memory: 1Gi
volumes:
- name: containerdisk
containerDisk:
image: quay.io/kubevirt/cirros-container-disk-demoStart and access:
kubectl virt start testvm
kubectl virt console testvmProject ideas
Legacy app migration lab: Set up a KubeVirt environment that runs a legacy Windows or Linux VM workload alongside containerized microservices in the same cluster, using Kubernetes Services to route traffic between them as you incrementally migrate the monolith.
Ephemeral dev environments: Create a Kubernetes operator that spins up on-demand KubeVirt VMs pre-loaded with your full development stack (database, OS-level tools, IDE server) so each developer gets an isolated, reproducible environment that auto-destroys after a configurable idle timeout.
Recommended reads
Announcing the Release of KubeVirt v1.8 - The latest release blog covering new features that bring KubeVirt closer to feature parity with traditional virtualization platforms.
KubeVirt User Guide - The official hands-on guide covering installation, VM lifecycle, networking, storage, and live migration for teams getting started with VMs on Kubernetes.
quic-go
🔗 View on GitHub | GitHub stars: 11,687
Why this made the cut: quic-go is a production-ready, pure Go implementation of QUIC and HTTP/3, enabling teams to adopt next-generation transport protocols without leaving the Go ecosystem.
Why it matters
QUIC eliminates head-of-line blocking, reduces connection establishment latency, and handles network changes gracefully (crucial for mobile clients). As HTTP/3 adoption accelerates, having a robust Go implementation means backend teams can offer faster, more reliable connections without rewriting services in another language. The library supports both client and server roles, plus diagnostic tooling via qlog.
Key features
Full QUIC implementation: RFC 9000 compliant with 0-RTT support
HTTP/3 support: serve and consume HTTP/3 traffic natively
Connection migration: seamlessly handle client IP changes (WiFi to cellular transitions)
qlog support: structured logging format for debugging and performance analysis
Stream multiplexing: multiple independent streams over a single connection without head-of-line blocking
TLS 1.3 integration: mandatory encryption with modern cryptography
How to use
Installation:
go get github.com/quic-go/quic-goHTTP/3 server:
package main
import (
"net/http"
"github.com/quic-go/quic-go/http3"
)
func main() {
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Hello HTTP/3!"))
})
http3.ListenAndServeTLS(":443", "cert.pem", "key.pem", handler)
}QUIC client (from community guide):
conn, err := quic.DialAddr(ctx, "server:4242", tlsConfig, nil)
stream, err := conn.OpenStreamSync(ctx)
stream.Write([]byte("hello"))Tunneling pattern: quic-go supports custom stream handling, making it suitable for building tunnels, proxies, and other transport-layer applications that benefit from QUIC's multiplexing and migration features.
Project ideas
Mobile-friendly API gateway: Build a lightweight HTTP/3 reverse proxy in Go using quic-go that sits in front of your existing REST APIs, giving mobile clients faster connection setup (0-RTT) and seamless WiFi-to-cellular handoffs via connection migration.
Real-time multiplayer game server: Use quic-go's stream multiplexing to build a game server where each player's input, chat, and state sync run on independent QUIC streams, eliminating head-of-line blocking so a dropped chat packet never stalls game state updates.
Recommended reads
Serving HTTP/3 - quic-go Docs - Official guide on setting up an HTTP/3 server in Go, including TLS configuration, graceful shutdown, and running HTTP/1.1+HTTP/2+HTTP/3 in parallel.
Running a QUIC Client - quic-go Docs - Covers establishing QUIC connections, working with streams, and leveraging 0-RTT for low-latency client applications.
mermaid
🔗 View on GitHub | GitHub stars: 89,067
Why this made the cut: Mermaid turns plain text into professional diagrams, making documentation that actually stays up to date because updating a diagram is as easy as editing a few lines of code.
Why it matters
Diagrams go stale because updating them requires opening a separate tool, finding the source file, making changes, exporting, and uploading. Mermaid eliminates this friction by embedding diagrams directly in Markdown. When your architecture changes, you update the text and the diagram updates automatically. GitHub, GitLab, Notion, and dozens of other tools render Mermaid natively, meaning your documentation lives where your code lives.
Key features
Text-based diagrams: flowcharts, sequence diagrams, class diagrams, state diagrams, ER diagrams, Gantt charts, and more
Markdown integration: renders directly in GitHub READMEs, GitLab, Obsidian, Notion, and other Markdown environments
Live editor: browser-based editor at mermaid.live for prototyping diagrams
Theming: customize colors and styles to match your documentation
Mindmaps and timelines: newer diagram types for brainstorming and project planning
JavaScript API: programmatic diagram generation for dynamic documentation
How to use
In GitHub Markdown:
flowchart LR
A[User] --> B[Load Balancer]
B --> C[API Server]
C --> D[(Database)]Common diagram types (from video tutorials):
Sequence diagram:
sequenceDiagram
Client->>Server: Request
Server->>Database: Query
Database-->>Server: Results
Server-->>Client: ResponseEntity relationship:
erDiagram
USER ||--o{ ORDER : places
ORDER ||--|{ LINE_ITEM : containsSetup for custom sites:
<script type="module">
import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.esm.min.mjs';
mermaid.initialize({ startOnLoad: true });
</script>Pro tip: Use the live editor (mermaid.live) to prototype complex diagrams before committing them to your docs.
Project ideas
Auto-generated API docs: Write a script that parses your OpenAPI spec and generates Mermaid sequence diagrams for each endpoint's request flow, then embeds them in your repo's docs folder so architecture diagrams update automatically with every API change.
Interactive onboarding guide: Create a "system map" page in your team wiki using Mermaid diagrams (flowcharts for service dependencies, ER diagrams for the data model, sequence diagrams for key workflows) that new engineers can click through during their first week.
Recommended reads
Improve Your Documentation with Mermaid.js Diagrams - Kubernetes Blog - How the Kubernetes project adopted Mermaid for docs, with practical tips on diagram types and workflow integration.
Mermaid Getting Started Guide - The official quickstart covering installation options (CDN, npm, live editor), basic syntax for all diagram types, and configuration.
If you only try one
Start with Mermaid. It has the lowest barrier to entry (just add a code block to any Markdown file) and delivers immediate, visible value. Within five minutes, you can have an architecture diagram in your README that the whole team can understand and update. That quick win often sparks a documentation culture shift: when diagrams are easy to create and maintain, people actually create and maintain them. Once your system rules are visible, you will naturally want to enforce them, and that is when the other tools in this issue become essential.
If you are doing Open Source I have a good news for you, I work at CodeRabbit which is an AI review tool and its free for Open Source, please reach out to me on X or LinkedIn or just send an email on [email protected] if you need help on adopting CodeRabbit.
You can visit our portal below to create a new account and connect your repository and start reviewing your code.

