Start here
New here? These show the security work most directly — a real vulnerability and its fix, a compliance gate, a recurring bug finally stopped by automation.
The regulation in my build pipeline
A federal statute constrains what my product is allowed to say. An audit found 18 violations in my own copy — so I wired the forbidden phrasings into the build and made shipping one impossible.
The email that shipped three times
I let AI agents build my own email plumbing on top of Resend. The same bug — marking undelivered mail as “sent” — shipped three times before a build gate finally stopped it.
The REVOKE that didn't
I locked a sensitive database function, verified the lock, and a Supabase default grant to the anonymous role left it open to the internet for three days.
All posts
1 of 16: auditing my own guardrails
I built sixteen guardrails to stop my AI coding agents from destroying work. Then I audited them like a consultant would. One actually worked.
Compile-green, deploy-broken
Every test passed and it worked on my laptop. In production, placing PDF signature fields failed four different ways — pdf.js in a serverless runtime — each one invisible until the previous fix.
The regulation in my build pipeline
A federal statute constrains what my product is allowed to say. An audit found 18 violations in my own copy — so I wired the forbidden phrasings into the build and made shipping one impossible.
The email that shipped three times
I let AI agents build my own email plumbing on top of Resend. The same bug — marking undelivered mail as “sent” — shipped three times before a build gate finally stopped it.
Five days, 140 commits, one detective's report
A friend was being stalked. I built an investigation tool to evidence standards in five days — and chose never to publish it.
Knowledge compounds, workarounds don't
I analyzed 52 of my own AI coding sessions. The same six problems had been “solved” more than twenty times — and every solution evaporated when the session ended.
Building for a market with an expiration date
A Supreme Court ruling created a multi-billion-dollar refund pool — one that shrinks every month on a fixed legal schedule. A decaying market changes every product decision.
Never make a user wait on an AI
My first product's worst bug wasn't the AI being wrong. It was awaiting the model inside a web request that dies at 26 seconds.
StackBadger: the tool that outlived its sprint
I built a black-box security harness to attack my own product. The product sprint ended. The tool kept earning commits — so I generalized it and published it.
The register: eight products in 136 days
What shipped, what got shelved, what got killed — and why the kills are documented as carefully as the launches.
The REVOKE that didn't
I locked a sensitive database function, verified the lock, and a Supabase default grant to the anonymous role left it open to the internet for three days.