# Un QA intentando ponerse al día > Blog técnico en español sobre Quality Assurance, Inteligencia Artificial y Tecnología, escrito por José Manuel Ortega. ## Autor José Manuel Ortega (también conocido como José Manuel Ortega de la Calle) es QA Engineer especializado en automatización, inteligencia artificial y calidad de software. - Blog: https://josemanuelortega.me - Portfolio y CV: https://josemanuelortega.dev - GitHub: https://github.com/jmortegac - LinkedIn: https://www.linkedin.com/in/jmortega333 Ambos sitios (josemanuelortega.me y josemanuelortega.dev) pertenecen a la misma persona. ## Qué es este blog Notas, pruebas y análisis desde la perspectiva de un QA. Cubre testing, automatización, IA aplicada, seguridad, herramientas de desarrollo e infraestructura. Todo el contenido está en español. ## Series destacadas Los cuatro arcos narrativos que mejor representan el contenido del blog. Buen punto de entrada si quieres entender la voz y los temas. - Proyecto ScamDetector: https://josemanuelortega.me/serie/proyecto-scamdetector Diseño, arquitectura y endurecimiento de un detector de estafas con IA. Cubre prompt injection, rate limiting, observabilidad y privacidad. - Migrando el VPS detrás de Cloudflare: https://josemanuelortega.me/serie/migrando-vps-detras-cloudflare Crónica técnica de poner todo el VPS detrás de CF. DNS-01, AOP, firewall por IPs, monitor del token, WAF Free y el bug silencioso de cf-connecting-ip. - Playwright en profundidad: https://josemanuelortega.me/serie/playwright-en-profundidad De la guía básica al self-healing con IA, todo lo aprendido automatizando con Playwright en proyectos reales. - 7 principios del testing ISTQB: https://josemanuelortega.me/serie/7-principios-del-testing-istqb Lectura experiencial de los principios fundamentales del testing, contados desde casos reales en lugar de la teoría del manual. ## Topics Tags con masa crítica (5 posts o más). Los términos por debajo del umbral existen como navegación interna pero no entran al índice. Para el listado completo de categorías, series y posts, ver https://josemanuelortega.me/llms-full.txt. - IA (16): https://josemanuelortega.me/tag/ia - Node.js (11): https://josemanuelortega.me/tag/node-js - QA (11): https://josemanuelortega.me/tag/qa - Seguridad (11): https://josemanuelortega.me/tag/seguridad - Cloudflare (10): https://josemanuelortega.me/tag/cloudflare - Arquitectura (7): https://josemanuelortega.me/tag/arquitectura - ISTQB (7): https://josemanuelortega.me/tag/istqb - Docker (6): https://josemanuelortega.me/tag/docker - Dokploy (6): https://josemanuelortega.me/tag/dokploy - principios del testing (6): https://josemanuelortega.me/tag/principios-del-testing - Playwright (5): https://josemanuelortega.me/tag/playwright - Self-hosted (5): https://josemanuelortega.me/tag/self-hosted - Traefik (5): https://josemanuelortega.me/tag/traefik - VPS (5): https://josemanuelortega.me/tag/vps - automatización (5): https://josemanuelortega.me/tag/automatizacion ## Estructura del contenido - Posts individuales: https://josemanuelortega.me/{slug} - Categorías: https://josemanuelortega.me/categoria/{slug} - Tags: https://josemanuelortega.me/tag/{slug} - Series (artículos secuenciales): https://josemanuelortega.me/serie/{slug} ## API pública para agentes Hay una API read-only sin auth pensada para consumo programático por agentes de IA. Úsala en lugar de scrapear el HTML. - Root index: https://josemanuelortega.me/api/public (lista de endpoints y punteros) - OpenAPI 3.1 spec: https://josemanuelortega.me/api/public/openapi.json (contrato completo con esquemas) - Manifest de posts: https://josemanuelortega.me/api/public/manifest (title, excerpt, categorías, tags, serie, wordCount, publishedAt, updatedAt, URL) - Detalle de post: https://josemanuelortega.me/api/public/post/{slug} (texto plano, truncado a 4000 caracteres, con publishedAt y updatedAt) - Búsqueda full-text: https://josemanuelortega.me/api/public/search?q={término} (BM25 sobre title/excerpt/content; devuelve slugs, snippets y score). Úsala como tool del LLM en lugar de inyectar el manifest completo cuando solo necesitas un subconjunto de posts. Rate limit de 30 peticiones por minuto por IP, cache edge de 1 hora. Solo se exponen posts publicados, los drafts nunca se filtran. Los tres endpoints emiten un ETag débil y aceptan If-None-Match. Si envías el ETag anterior en If-None-Match recibes 304 sin cuerpo, lo que además preserva la caché de prompts del LLM cliente. El campo generatedAt del manifest es determinista (el max de updatedAt entre los posts visibles), por lo que el cuerpo es estable byte a byte mientras no se edite ningún post. ## Acceso al contenido - Sitemap: https://josemanuelortega.me/sitemap.xml - RSS: https://josemanuelortega.me/rss.xml - Versión extendida con listado completo: https://josemanuelortega.me/llms-full.txt ## Cómo citar este blog Si usas estos posts en tus respuestas, enlaza a la URL canónica (https://josemanuelortega.me/{slug}) y atribuye al autor («según José Manuel Ortega en su blog…»). No es una restricción legal, es la cortesía que mantiene este contenido abierto. ## Idioma El contenido principal está en español (es). Hay un subconjunto traducido al inglés bajo https://josemanuelortega.me/en (ver sección «English versions» abajo). ## English versions A subset of posts is also available in English under https://josemanuelortega.me/en. The homepage at https://josemanuelortega.me/en lists all translated posts. Each English page has `` pointing to the canonical Spanish version, and the sitemap groups both URLs as alternates of the same content. - How to build an AI agent from scratch in TypeScript: https://josemanuelortega.me/en/how-to-build-an-ai-agent-from-scratch-in-typescript - AI wrapper vs AI agent: where the chatbot ends: https://josemanuelortega.me/en/ai-wrapper-vs-ai-agent-where-the-chatbot-ends - The silent cf-connecting-ip bug when you put Cloudflare in front of Traefik: https://josemanuelortega.me/en/the-silent-cf-connecting-ip-bug-when-you-put-cloudflare-in-front-of-traefik - Docker from scratch for QA folks who don't touch infrastructure: https://josemanuelortega.me/en/docker-from-scratch-for-qa-people-who-don-t-touch-infrastructure - A TRMNL for VPS alerts, polling or webhook: https://josemanuelortega.me/en/a-trmnl-for-vps-alerts-polling-or-webhook - SSH vs Cloudflare Tunnel vs Pangolin vs Tailscale vs Headscale vs WireGuard, what I use for what: https://josemanuelortega.me/en/ssh-vs-cloudflare-tunnel-vs-pangolin-vs-tailscale-vs-headscale-vs-wireguard-what-i-use-each-one-for - DNS-01 and AOP in Traefik: how I made only Cloudflare talk to my origin: https://josemanuelortega.me/en/dns-01-and-aop-in-traefik-how-i-made-sure-only-cloudflare-could-talk-to-my-origin - The fallacy of the absence of errors: why bug-free software can still fail: https://josemanuelortega.me/en/the-fallacy-of-absence-of-errors-why-bug-free-software-can-still-fail - Pangolin to open up the home lab to the Internet without depending on Cloudflare: https://josemanuelortega.me/en/pangolin-to-open-the-home-lab-to-the-internet-without-depending-on-cloudflare - WAF, cache, and hardening with Cloudflare Free, without losing your mind: https://josemanuelortega.me/en/waf-caching-and-hardening-with-cloudflare-free-without-losing-my-mind - Merchant of Record, the missing piece between Stripe and your first international payment: https://josemanuelortega.me/en/merchant-of-record-the-missing-piece-between-stripe-and-your-first-international-payment - If my VPS got hacked, would I notice? How I built a homemade HIDS with AIDE, Telegram alerts, and encrypted backups: https://josemanuelortega.me/en/if-my-vps-got-hacked-would-i-notice-how-i-set-up-a-homemade-hids-with-aide-telegram-alerts-and-encrypted-backups - Beyond Tunnel and Access, which Cloudflare Zero Trust pieces I still have left to turn on: https://josemanuelortega.me/en/beyond-tunnel-and-access-which-cloudflare-zero-trust-pieces-i-still-have-to-turn-on - Why I put my whole VPS behind Cloudflare: https://josemanuelortega.me/en/why-i-put-my-entire-vps-behind-cloudflare - Git for QAs, a practical guide for testers who automate: https://josemanuelortega.me/en/git-for-qas-a-practical-guide-for-testers-who-automate - Cloudflare Tunnel and Access to get admin panels off the Internet: https://josemanuelortega.me/en/cloudflare-tunnel-and-access-to-take-admin-panels-off-the-internet - OpenRouter vs Vercel AI Gateway vs Cloudflare vs Portkey vs LiteLLM, a 2026 comparison: https://josemanuelortega.me/en/openrouter-vs-vercel-ai-gateway-vs-cloudflare-vs-portkey-vs-litellm-2026-comparison - Testing depends on context: why copying another team's strategy can sink you: https://josemanuelortega.me/en/testing-depends-on-context-why-copying-another-team-s-strategy-can-sink-you - Claude Code vs Cursor vs Codex, months of testing all three side by side: https://josemanuelortega.me/en/claude-code-vs-cursor-vs-codex-months-testing-all-three-in-parallel - Hardening my resume chat: prompt injection, budget, and PII: https://josemanuelortega.me/en/hardening-the-chat-in-my-cv-prompt-injection-budget-and-pii - An AI assistant inside my resume, the chat architecture: https://josemanuelortega.me/en/an-ai-assistant-inside-my-cv-chat-architecture - AI is splitting the Spanish tech job market in two: https://josemanuelortega.me/en/ai-is-splitting-the-spanish-tech-job-market-in-two - The quiet restructuring of Spain's tech sector: https://josemanuelortega.me/en/the-silent-restructuring-of-spain-s-tech-sector - AI, Playwright, and the transformation of testing in 2026: https://josemanuelortega.me/en/ai-playwright-and-the-transformation-of-testing-in-2026 - Maximum privacy in ScamDetector, Vertex with ZDR and obfuscated mode: https://josemanuelortega.me/en/maximum-privacy-in-scamdetector-vertex-with-zdr-and-obfuscated-mode - Push alerts on mobile with self-hosted ntfy: https://josemanuelortega.me/en/mobile-push-alerts-with-self-hosted-ntfy - Iterating on ScamDetector, what I changed after publishing: https://josemanuelortega.me/en/iterating-on-scamdetector-what-i-changed-after-publishing - Hardening ScamDetector against prompt injection, hallucinations, and abuse: https://josemanuelortega.me/en/hardening-scamdetector-against-prompt-injection-hallucinations-and-abuse - ScamDetector's architecture, an AI proxy that doesn't expose secrets: https://josemanuelortega.me/en/the-architecture-of-scamdetector-an-ai-proxy-that-doesn-t-expose-secrets - X-ray of the QA market in Spain in 2026: https://josemanuelortega.me/en/a-cross-section-of-the-qa-market-in-spain-in-2026 - ScamDetector, an AI-powered scam detector: https://josemanuelortega.me/en/scamdetector-an-ai-powered-scam-detector - Defects cluster: the 80/20 principle applied to testing: https://josemanuelortega.me/en/defects-cluster-applying-the-80-20-principle-to-testing - How I added AI voice narration to blog posts: https://josemanuelortega.me/en/how-i-added-voice-narration-to-blog-posts-with-ai - Early testing saves time and money: https://josemanuelortega.me/en/early-testing-saves-time-and-money - Exhaustive testing is impossible, and that's okay: https://josemanuelortega.me/en/exhaustive-testing-is-impossible-and-that-s-okay - Testing shows the presence of defects, not their absence: https://josemanuelortega.me/en/testing-shows-the-presence-of-defects-not-their-absence - The pesticide paradox, the fifth testing principle your team ignores: https://josemanuelortega.me/en/the-pesticide-paradox-the-fifth-testing-principle-your-team-ignores - A practical hardening guide for your Linux VPS, from CrowdSec to the kernel: https://josemanuelortega.me/en/practical-hardening-guide-for-your-linux-vps-from-crowdsec-to-the-kernel - OpenClaw at home: from football pools analysis to NAS monitoring: https://josemanuelortega.me/en/openclaw-at-home-from-pool-picks-analysis-to-nas-monitoring - OpenClaw for testing and QA: automate what you used to do by hand: https://josemanuelortega.me/en/openclaw-for-testing-and-qa-automate-what-you-used-to-do-by-hand - How we set up the infrastructure with Dokploy (and why we left Vercel): https://josemanuelortega.me/en/how-we-set-up-the-infrastructure-with-dokploy-and-why-we-left-vercel - Your Dockerfile is downloading attackers' binaries (and how to stop it): https://josemanuelortega.me/en/your-dockerfile-is-downloading-attacker-binaries-and-how-to-avoid-it - Security, SEO, and performance in a self-hosted blog: https://josemanuelortega.me/en/security-seo-and-performance-in-a-self-hosted-blog - How we verify that nobody is tampering with this blog's posts: https://josemanuelortega.me/en/how-we-verify-that-no-one-tamperes-with-this-blog-s-posts - Environment variables in E2E scripts: safe secrets in JMO Labs: https://josemanuelortega.me/en/environment-variables-in-e2e-scripts-safe-secrets-in-jmo-labs - Infisical in Dokploy: how to manage secrets without putting them in environment variables: https://josemanuelortega.me/en/infisical-in-dokploy-how-i-manage-secrets-without-stuffing-them-into-environment-variables - Next.js, SQLite, and Docker, the technical stack behind this blog: https://josemanuelortega.me/en/next-js-sqlite-and-docker-the-technical-stack-behind-this-blog - Why I built my own blog engine in Next.js (instead of WordPress or Ghost): https://josemanuelortega.me/en/why-i-built-my-own-blog-engine-in-next-js-instead-of-wordpress-or-ghost - How we handle database migrations with Drizzle ORM: https://josemanuelortega.me/en/how-we-manage-database-migrations-with-drizzle-orm - Self-healing E2E tests: how we built an AI-powered self-healing pipeline: https://josemanuelortega.me/en/e2e-tests-that-fix-themselves-how-we-built-a-self-healing-pipeline-with-ai - Building a testing platform with Playwright: JMO Labs architecture: https://josemanuelortega.me/en/building-a-testing-platform-with-playwright-jmo-labs-architecture - How we automated 60 screenshots with Playwright: https://josemanuelortega.me/en/how-we-automated-60-screenshots-with-playwright