Overview
A cyber-insurance readiness platform for small businesses: a guided snapshot, an AI interview across 56 baseline security safeguards, an evidence vault with AI review, and exportable reports, all backed by a 206-row matrix of what nine carriers actually require. 747 commits to a launch-ready state with a formal go decision, then paused with intent.
Project Design
This is where the agent harness matured: enforced rules instead of advisory ones, parallel worktrees with an isolation protocol, an end-to-end test suite, and a 52-session analysis that converted recurring friction into a permanent solution library.
Key modules
Snapshot engine
An 18-question adaptive intake that derives 30+ risk signals across security domains.
Interview engine
A multi-turn Claude interview over CIS IG1 safeguards with contradiction detection and follow-ups.
Evidence vault
Document uploads with tier-aware Claude review and pass/fail/clarify verdicts per control.
Report generation
An async pipeline synthesizing snapshot, interview, and evidence into action-plan and broker reports (PDF/PPTX).
Subscription gating
Three-tier access (free / insurance-ready / remediation) enforced per endpoint with Stripe.
Carrier matrix
Nine carriers mapped to a ~206-row control-requirement matrix with knockout controls.
Key features
Two-phase interview — fast turns, async AI
An LLM interview feels slow if every answer waits on a model call. CyberReadyAI splits each turn in two. Phase A is deterministic: it stores the answer, checks it against contradiction rules, and returns the next question in well under a tenth of a second. Phase B opens a streamed connection in the background, where Claude composes an acknowledgment and decides whether to dig deeper. The user keeps moving while the model thinks, and the conversation still adapts — the interview personalizes itself to about thirty minutes instead of a generic two-hour questionnaire.
Security & ops decisions
- A hard rule enforced in code, not prose: never generate documentation implying a control exists when it doesn't — unconfirmed uploads are rejected and unconfirmed policies earn no maturity score.
- A post-hoc audit of 16 agent guardrails found one provably effective (the hard block), three brittle, and roughly nine warning-only theater — the rubric now: block, red-team it day one, or don't ship it.
- Referral fees are fixed-amount only — the safe harbor that avoids insurance-producer licensing — with regulatory counsel budgeted as a gate before the next pricing tier.
- The row-level security policies were implemented incorrectly for Clerk-issued tokens; production paths re-enforced ownership in code as a working layer, and the fix — keying policies on the JWT subject claim — was applied properly in the successor product. No real users or data were on the site at the time.
Builder notes
- Codebase-first pentest scoping caught eight attack-surface gaps that memory-based scoping missed.
- The agent-settings file was the highest-churn file in the repo — 30 commits, ~17 fixes — and every major guard was added after its motivating incident.
- The post-mortem inventoried 42 portable modules with a ~78-hour extraction estimate, and asks the honest question: does extraction beat rebuilding?
- The last production commit fixed dashboard 500s caused by select(*) dragging oversized JSON payloads into list views — explicit column selects only.
Lessons learned
- Build discipline outran demand validation. A launch-ready product and a deep feature set, against roughly six paid subscribers: the bottleneck was upstream of every feature.
- Of 16 agent guardrails built, one provably worked. The audit's rubric (block don't warn, red-team it on day one, no false-positive patches) was worth more than the guardrails.
- The planned pivot died on one wrong technical assumption, found by investigation after the strategy was written but before any code: most carrier applications are flat, unfillable PDFs.
- Knowledge compounds, workarounds don't: the same six problems had been re-solved more than twenty times across sessions before they were captured permanently.
What carried forward
The guardrail rubric, the solution library, and the worktree protocol. And the successor product wrote its launch gates in advance precisely because this one validated late.
Posts from this project
1 of 16: auditing my own guardrails
I built sixteen guardrails to stop my AI coding agents from destroying work. Then I audited them like a consultant would. One actually worked.
Knowledge compounds, workarounds don't
I analyzed 52 of my own AI coding sessions. The same six problems had been “solved” more than twenty times — and every solution evaporated when the session ended.