BUILD REGISTER · SAN DIEGO, CA

Fifteen years securing other people's systems. Six months shipping my own.

I build SaaS products with AI coding agents and keep an honest register of what happened — what shipped, what got shelved, what got scrapped, and the security decisions behind each one.

  • 2 live
  • 1 published
  • 4 paused
  • 1 scrapped
+ 2 private engagements

Every non-live verdict carries a lesson forward.

8 PRODUCTS BUILT
3,100+ COMMITS IN 150 DAYS
35 PARALLEL AGENT WORKTREES
5 days FASTEST BUILD, IDEA → DELIVERED

Latest release

The register

Every project gets a verdict and a line on what carried forward. The scrapped ones count as much as the launches.

ReadySetBind · 2026 · INSURANCE OPS
Placement-to-bind automation for insurance agencies. A quote PDF goes in, AI extracts the fields, and a human verifies every one before anything binds coverage. Live with a pilot agency; 1,129 commits across 26 active days.
CARRIED FORWARD: Every third-party wrapper now returns an explicit status the caller has to branch on, never a bare boolean. Recurring defects earn an automated gate, not a third paragraph of documentation. And every sensitive database function is denied by default and tested against all three Postgres roles, not just the one that bit me.
LIVE · PILOT
TariffRefunded · 2026 · CUSTOMS SAAS
Tariff-refund recovery for small importers. Protest windows close on a fixed legal schedule and the refund pool shrinks 8–10% a month, so the whole product races the clock. Free analysis; broker partnership in progress.
CARRIED FORWARD: StackBadger was born here, as the internal pentest harness. So were three habits that moved into everything after: the PII-scrubbing patterns, the Clerk-to-RLS auth fix, and a decision-hygiene routine — a versioned strategy doc with an open-decisions table, plus dated audits that diffed the live site against it.
LIVE
StackBadger · 2026 · SECURITY TOOL
A pentest harness for AI-built apps, extracted from a production SaaS codebase, then scrubbed and open-sourced. It was the only code still earning commits after the product work stopped.
CARRIED FORWARD: The extract → scrub → review release playbook: archive tracked files only, scrub every brand reference, decode anything credential-shaped to prove it's synthetic, then a human pushes. It's now the standard path for anything leaving a private repo.
PUBLISHED
SafeCircleOps · 2026 · OSINT / DFIR
Built in 5 days to help a friend being stalked: a local-only pipeline that tracks the stalker's online activity to evidence standards — provenance on every finding, fail-closed defaults that never tip off the subject, attribution scoring with negative controls. Report delivered to law enforcement. Deliberately unpublished.
CARRIED FORWARD: The audit-the-design-before-building gate, and the fail-closed posture that refuses rather than warns. The repository itself stays private, permanently: it holds a real case.
PRIVATE
DealFinder · 2026 · REAL ESTATE INTEL
Pre-MLS lead scoring for San Diego real-estate wholesalers: distress signals from 11 sources, scored so an operator can see why a lead ranks where it does. A fair-housing review cut a whole signal class before any code shipped. Full MVP in 7 days, then paused unlaunched.
CARRIED FORWARD: Compliance shaping scope at design time: a fair-housing review removed an entire signal class before any code existed. And the checkpoint-and-circuit-breaker pattern for fragile, county-scale scrapers.
PAUSED
Interview prep system · 2026 · AGENT WORKSPACE
Interview prep run as an agent workspace, not an app: a citation-enforced knowledge base, ten interviewer personas built from public record, and a mock mode that argues back in their voices. No database, no server: just a directory layout and 12 agent skills.
CARRIED FORWARD: A general blueprint for becoming rapidly, defensibly conversant in any organization and its people: reusable for due diligence, sales prep, or expert-witness work.
PRIVATE
CyberReadyAI · 2026 · INSURANCE READINESS
Cyber-insurance readiness for small businesses, built to launch-ready and then paused on purpose. It's the project that taught me to audit my own guardrails: of 16 I'd built, exactly one provably worked.
CARRIED FORWARD: The guardrail rubric, the solution library, and the worktree protocol. And the successor product wrote its launch gates in advance precisely because this one validated late.
PAUSED
PRD ONLY
PreCloseIntel · 2026 · M&A INTEL
Attack-surface intelligence for M&A due diligence: size up a target's external security posture before the deal closes. The PRD cleared adversarial review, then lost the build slot to TariffRefunded. A complete plan is a cheap thing to hold open.
CARRIED FORWARD: The Idea → Build framework itself, which every later project's PRD ran through.
PAUSED
RiskScanAI · 2026 · FIRST BUILD
My first product: a baseline security-risk assessment for small businesses, built on the CIS IG1 controls. Started off GitHub in late January; 160 commits over 15 active days, then folded into its successor.
CARRIED FORWARD: Everything: the successor is literally the same repository continued. Six agent skills and three reviewer agents survived into a roster that grew to 42 and 11, and the honest verdict (“nobody pays for an AI-interview risk assessment”) re-aimed the product at a question businesses do pay for.
SHELVED
NO BUILD
PartMatch · 2026 · 3D PRINTING
3D-printable replacement parts from a photo of the broken one. The adversarial PRD review asked whether photo-to-printable-geometry had actually been proven feasible. It hadn't. Scrapped at review, for the price of one session.
CARRIED FORWARD: Adversarial review as a standing gate before any build.
SCRAPPED
SECURITY CONTROLS · CROSS-READ: 8 controls implemented wrong, caught, and fixed — the ✓⛑ cells of a security cross-read across 7 products.

The timeline

Jan 27 – Jun 25, 2026. Bar length is calendar time; the labels are commits. Overlaps are real — some of these ran in parallel across ~35 agent worktrees.

JAN · FEB · MAR · APR · MAY · JUN
ReadySetBind 1,129 commits · 328 PRs · 26 days
TariffRefunded 729 commits · live
StackBadger published
SafeCircleOps 140 commits · 5 days
DealFinder 130 commits · 7 days
CyberReadyAI 747 commits
PreCloseIntel full PRD · paused
RiskScanAI started off-GitHub Jan 27 · 160 commits
PartMatch scrapped at PRD review
Legend: LIVE · SHELVED / PAUSED · PRIVATE · SCRAPPED · PUBLISHED · DAILY COMMITS (GITHUB)

The build journal

The same 136 days as a sequence of decisions. Dates marked ~ are approximate.

~JAN 27

RiskScanAI begins — before the repo

The first build starts off GitHub: landing pages and product shaping ahead of any version control.

FEB 27

RiskScanAI — first commit lands on GitHub

First product, first AI-agent workflow. 160 commits over the next 15 active days.

~MAR 15

PreCloseIntel — full PRD, then a pause [PAUSED]

First run of the 7-phase Idea → Build framework. The PRD survived; the build slot went elsewhere.

MAR 20

RiskScanAI shelved — and forked the same day [SHELVED]

The honest read: nobody pays for an AI-interview risk assessment. Everything carried directly into CyberReadyAI on the day of the last commit.

~APR 8

PartMatch scrapped at PRD review [SCRAPPED]

Adversarial review said “spike first.” Stopping it cost a review session instead of a build month.

~APR 16

TariffRefunded begins [LIVE]

The tariff rate monitor PRD dies; refund recovery for SMB importers replaces it, racing a 180-day protest window.

~MAY 6

CyberReadyAI paused with intent [PAUSED]

Near-launch after 747 commits. The project that taught me to audit my own guardrails.

MAY 17

SafeCircleOps — a five-day sprint for a friend [PRIVATE]

140 commits in 5 days. Local-only, evidence-grade, deliberately unpublished. Report delivered to law enforcement.

MAY 20

DealFinder — a seven-day MVP, then a pause [PAUSED]

Ideated inside the SafeCircleOps build, three days in. 130 commits to a working real-estate intelligence MVP, then paused unlaunched.

MAY 26

ReadySetBind — first commit [LIVE · PILOT]

813 commits and 243 PRs in the first 17 days. Day one shipped the end of the pipeline before most of the middle existed.

JUN 9

StackBadger published [PUBLISHED]

A pentest harness extracted from TariffRefunded, scrubbed, and released. The extract → scrub → review playbook becomes repeatable.

JUN 11

ReadySetBind live in pilot — and this register goes up

Eight products, two live, one published, one report delivered. The scrapped ones count as much as the launches.

Latest posts

Field notes from building with AI agents — specific incidents, real numbers, no generic advice.

METHODOLOGY

A human watching AI isn't oversight

An AI agent told me the emails had all sent. Some never left the building. The return code said success; reality didn't. That gap is the whole problem with 'keep a human in the loop.'

JUN 2026 · 8 MIN

SECURITY

A prompt is not a perimeter

My customs chatbot's system prompt politely asks attackers not to misbehave. That's the weakest control it has — the ones that actually hold are in the request path and the database.

JUN 2026 · 6 MIN

SECURITY

1 of 16: auditing my own guardrails

I built sixteen guardrails to stop my AI coding agents from destroying work. Then I audited them like a consultant would. One actually worked.

JUN 2026 · 5 MIN

The graveyard

Ideas that got a real PRD, real research, or real validation — and a deliberate no. Each one has a reason on record.

ConceptForge [SHELVED]: Concept art → 3D-print pipeline. The PRD survived adversarial review; the unit economics didn't.
Tariff rate monitor [PIVOTED]: v0.1 PRD archived — alerts alone weren't defensible. Became TariffRefunded.
Pet supplement brand [SCRAPPED]: Died in validation research before a single line of code. The cheapest no on the board.
Smart-home security audit [BACK POCKET]: Consumer spinoff of RiskScanAI. Real market, wrong time.
Local LLM agent rig [DEFERRED]: 2× A100 plan for self-hosted coding agents on existing rack hardware. Spec'd, costed, deferred.
"A written rule is a suggestion. A gate is a control."
The operating principle behind every project here. The same bug shipped three times past written rules — and zero times past a CI gate. Deterministic enforcement beats advisory documentation, in agent harnesses and security programs alike.