Overview
A cyber-insurance readiness platform for small businesses: a guided snapshot, an AI interview across 56 baseline security safeguards, an evidence vault with AI review, and exportable reports — backed by a 206-row matrix of what nine carriers actually require. 747 commits to a launch-ready state with a formal go decision, then paused with intent.
Project Design
This is where the agent harness matured: enforced rules instead of advisory ones, parallel worktrees with an isolation protocol, an end-to-end test suite, and a 52-session analysis that converted recurring friction into a permanent solution library.
Key modules
Snapshot engine
An 18-question adaptive intake that derives 30+ risk signals across security domains.
Interview engine
A multi-turn Claude interview over CIS IG1 safeguards with contradiction detection and follow-ups.
Evidence vault
Document uploads with tier-aware Claude review and pass/fail/clarify verdicts per control.
Report generation
An async pipeline synthesizing snapshot, interview, and evidence into action-plan and broker reports (PDF/PPTX).
Subscription gating
Three-tier access (free / insurance-ready / remediation) enforced per endpoint with Stripe.
Carrier matrix
Nine carriers mapped to a ~206-row control-requirement matrix with knockout controls.
Key features
Two-phase interview — fast turns, async AI
An LLM interview feels slow if every answer waits on a model call. CyberReadyAI splits each turn in two. Phase A is deterministic: it stores the answer, checks it against contradiction rules, and returns the next question in well under a tenth of a second. Phase B opens a streamed connection in the background, where Claude composes an acknowledgment and decides whether to dig deeper. The user keeps moving while the model thinks, and the conversation still adapts — the interview personalizes itself to about thirty minutes instead of a generic two-hour questionnaire.
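The two-phase turn described above, as an added example rather than CyberReadyAI's own code. The question ids, the contradiction rule and `fake_model` (a stand-in for the streamed Claude call) are constructed for illustration.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed sample data. Each rule: two (question, answer) pairs that
# cannot both hold, plus the message to record when they do.
QUESTIONS = ["mfa_all_users", "mfa_email", "backups_offline"]
CONTRADICTIONS = [
    (("mfa_all_users", "yes"), ("mfa_email", "no"),
     "MFA reported for all users but not for email"),
]

@dataclass
class Session:
    answers: dict = field(default_factory=dict)
    flags: list = field(default_factory=list)
    followups: list = field(default_factory=list)

def phase_a(session, question_id, answer):
    """Deterministic turn: store, check contradictions, pick the next question."""
    session.answers[question_id] = answer
    new_flags = [msg for (qa, va), (qb, vb), msg in CONTRADICTIONS
                 if question_id in (qa, qb)
                 and session.answers.get(qa) == va
                 and session.answers.get(qb) == vb]
    session.flags.extend(new_flags)
    remaining = [q for q in QUESTIONS if q not in session.answers]
    return {"next": remaining[0] if remaining else None, "flags": new_flags}

async def phase_b(session, question_id, flags, model):
    """Background turn: a slow model call that never blocks phase A."""
    verdict = await model(question_id, session.answers[question_id], flags)
    if verdict.get("follow_up"):
        session.followups.append((question_id, verdict["follow_up"]))

async def fake_model(question_id, answer, flags):
    # Hypothetical stand-in for the streamed model call and its decision.
    await asyncio.sleep(0.01)
    return {"follow_up": f"Clarify {question_id}" if flags else None}

async def run_interview(turns):
    session, tasks, replies = Session(), [], []
    for question_id, answer in turns:
        reply = phase_a(session, question_id, answer)  # returned immediately
        replies.append(reply)
        tasks.append(asyncio.create_task(
            phase_b(session, question_id, reply["flags"], fake_model)))
    await asyncio.gather(*tasks)  # drain background work before reporting
    return session, replies

def demo():
    return asyncio.run(run_interview([("mfa_all_users", "yes"), ("mfa_email", "no")]))
```

Each phase B task receives the flags raised by its own turn, so a follow-up is tied to the answer that caused the contradiction regardless of when the background call finishes.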
Security & ops decisions
- A hard rule enforced in code, not prose: never generate documentation implying a control exists when it doesn't — unconfirmed uploads are rejected and unconfirmed policies earn no maturity score.
- A post-hoc audit of 16 agent guardrails found one provably effective (the hard block), three brittle, and roughly nine warning-only theater — the rubric now: block, red-team it day one, or don't ship it.
- Referral fees are fixed-amount only — the safe harbor that avoids insurance-producer licensing — with regulatory counsel budgeted as a gate before the next pricing tier.
- The row-level security policies were implemented incorrectly for Clerk-issued tokens; production paths re-enforced ownership in code as a working layer, and the fix — keying policies on the JWT subject claim — was applied properly in the successor product. No real users or data were on the site at the time.
Builder notes
- Codebase-first pentest scoping caught eight attack-surface gaps that memory-based scoping missed.
- The agent-settings file was the highest-churn file in the repo — 30 commits, ~17 fixes — and every major guard was added after its motivating incident.
- The post-mortem inventoried 42 portable modules with a ~78-hour extraction estimate, and asks the honest question: does extraction beat rebuilding?
- The last production commit fixed dashboard 500s caused by select(*) dragging oversized JSON payloads into list views — explicit column selects only.
Lessons learned
- Build discipline outran demand validation: a launch-ready product and a deep feature set against roughly six paid subscribers — the bottleneck was upstream of every feature.
- Of 16 agent guardrails built, one provably worked. The audit's rubric — block don't warn, red-team it on day one, no false-positive patches — was worth more than the guardrails.
- The planned pivot died on one wrong technical assumption, found by investigation after the strategy was written but before any code: most carrier applications are flat, unfillable PDFs.
- Knowledge compounds, workarounds don't: the same six problems had been re-solved more than twenty times across sessions before they were captured permanently.
What carried forward
The guardrail rubric, the solution library, and the worktree protocol — and the successor product wrote its launch gates in advance precisely because this one validated late.
Posts from this project
1 of 16: auditing my own guardrails
I built sixteen guardrails to stop my AI coding agents from destroying work. Then I audited them like a consultant would. One actually worked.
Knowledge compounds, workarounds don't
I analyzed 52 of my own AI coding sessions. The same six problems had been “solved” more than twenty times — and every solution evaporated when the session ended.