01
Research first
I work research-first so that what I build is grounded in real, up-to-date data from reputable professional and expert sources. That is what lets me build compliant, professional, enterprise-grade solutions instead of guessing.
The mistake that taught me the most was starting to build from an idea without doing research first, without even finding out whether it was worth starting. One search prevents ten wasted sessions.
02
Docs before code
Before I adopted this discipline I was burning too many tokens because I was building without a proper plan and structure. That caused too many iteration cycles that an effective plan would have prevented.
A structured implementation workflow guides the AI and serves as a guardrail for it. No code starts until the requirements and the user flows are written down, reviewed, and approved. This very page had a PRD and an app flow document before a single line of it was written.
03
Security on every line
Security is a constraint on every line, not a final checklist. It is a professional best practice and I treat it as a requirement for everything I build, so that what I ship is robust, safe, secure, compliant, and useful.
Security is not an afterthought. It is built into each step. Secret scanning and static analysis run on every pull request before anything merges. Every page ships security headers. The database enforces row level security. API keys never reach the frontend; every AI call goes through a serverless proxy that hides the key and forces the model.
04
The stack the problem deserves
This site is zero-dependency vanilla JavaScript because that is what its nature deserves: a light app that serves information about an IT professional's work and expertise, with a few complementary features. Nothing to break, nothing to audit, no supply chain to worry about.
TaskPilot is Next.js and TypeScript because it is more demanding. It is not an app that serves information; it is a SaaS that generates scripts and n8n workflows for sysadmins and IT professionals to automate their tasks. For simple, less demanding apps, zero-dependency vanilla JS is more suitable. For complex, more demanding apps, Next.js and TypeScript.
I learned this the hard way. I did not have a good experience building and deploying with Replit and Firebase; they are a much steeper learning curve compared to Vercel with Supabase. Replit is fine for MVP frontends but gets complicated for backend configuration and deployment. Firebase has many hurdles that Supabase simply does not.
05
What a real session looks like
A real session starts with me sharing what I am thinking. I ask Claude to advise and make a plan. I review the plan and approve it. Then Claude does the implementation. I review the output critically and give feedback, and Claude applies it. We iterate multiple times to fix bugs, improve functionality, and do security hardening.
Claude does the heavy lifting on research, implementation, security scans, and proposing fixes and refinements. We co-plan. I approve and review.
The hard rules: the AI never commits, pushes, deletes, or makes irreversible changes without my permission. It never touches personal data without my explicit consent.
06
AI output is a draft
AI makes mistakes. I treat its output as a draft and keep iterating to catch the issues and fix them together. The same AI is also very good at finding issues, researching solutions, proposing remediation, and implementing it. The back-and-forth is the method.
Working this way, we have caught and fixed real production bugs, hardened security, refactored the codebase, and kept improving through many pull requests. It is useful, motivating, and it genuinely augments my productivity.
07
Automate the review loop
The back-and-forth with AI has turned into skills, memories, routines, and triggers that automate the way I work. I get automatic email notifications and alerts on critical matters: weekly security monitors, dependency audits, and a scheduled workflow that audits Phoenix's own system prompt against the site content and files an issue when they drift.
Working with many agents this way has been genuinely useful and productive. The point is not to remove the human review; it is to make sure the review happens even when I am not looking.
Case study
Replacing my own AI-generated blog
July 2026 · Pull requests #27 to #33 · bio-two-eta.vercel.app/blog.html
Problem
The AI-generated blog was stale and did not refresh properly, while consuming a lot of tokens. It kept generating the same articles even after refreshing the page. It did not deliver what I asked or expected. As a user of my own blog, I felt that AI-generated posts are hype and not reliable.
Decision
I decided on a curated feed instead, after doing thorough research online with Claude's help: real headlines from trusted sources, fetched daily, with one Claude call per day to add context, cached in Supabase (PR #27). The frontend stayed zero-dependency and the whole thing runs on the serverless free tier.
What iteration caught
- The curation call timed out in production at 50 seconds. Caught and fixed in PR #28.
- The feed date shifted by a day for readers in negative UTC offsets. Caught and fixed in PR #29.
- A sweep removed AI tells like em dashes from all page copy (PR #30, PR #31).
Retrospective
The cleanup itself caused a new bug. The dash-removal sweep also stripped the minus signs out of CSS calc() expressions, silently invalidating three layout rules. Nothing crashed; the styles just stopped applying. We only caught it weeks later, during a refactor (PR #32), and the fix broke a CI audit that had to be repointed too (PR #33).
The lesson: run text sweeps on copy, never on code, and audit afterward. That lesson is now encoded in my workflow as a durable rule so the same class of mistake cannot happen again.
Outcome
One Claude call per day instead of generation on every visit. Real sources readers can actually click. Two production bugs found and fixed through iteration, not luck. And a permanent guard against the mistake the cleanup introduced.
Want to talk about how I would build for you?
I am open to full-time roles, contracts, consulting, and partnerships.