Writing
Field notes on shipping safely.
What I find when I tear down real launches — security, readiness, and the things AI coding tools quietly leave out.
Security · Featured
The 7 security holes in every vibe-coded app
The feature work is fine. The security is almost always the same seven holes — and any one can end a company on launch day.
- Launch
What “launch-ready” actually means: the 9-point checklist
It doesn't mean the features work. It means the app survives careless, hostile users on the worst day — not the demo day. The nine checks I run before press-go.
- Security
Your API keys are in your frontend. Here's how I find them in 4 minutes.
The most common finding in a launch teardown: a secret key shipped to every visitor. How I find it, what's actually safe, and the three-step fix.