Whiteboard sketch: a printed prompt scroll feeds into an AI agent which loads numbered crates onto a cargo ship

A single prompt, pasted into a coding agent, that walks a production codebase from no instrumentation to shipped system, in an afternoon.

One prompt per setup. One afternoon to ship.

Each piece in this series is built around one copy-pasteable prompt. Phase 0 forces the agent to discover the actual stack before writing code. Phase 1 names the anti-patterns we shipped and then had to fix. Phase 2 demands verification before the PR merges. The prompt is the whole technical artefact. The article is the business case and the gotchas.

  1. 01 Have you got proper funnel tracking in GA4?
    Do you know where signups leak on their way to paying?
    Article: Your GA4 Doesn’t Know Where You’re Losing Customers: Here’s the One-Prompt Fix 9 min read
  2. 02 Have you got a single document listing every secret you run?
    Could you rotate your Stripe key at 4pm on Friday?
    Article: Your Stripe Key Lives in Six Places. Most Teams Can’t List Three of Them. 10 min read
  3. 03 Have you got six-layer security scanning wired into your repo?
    Do you know which scanners belong on every PR and which belong on a weekly cron?
    Article: The Security Scanning Stack: The Prompt, Six Layers, and the GitHub Bill Most Teams Don’t See Coming 10 min read
  4. 04 Have you got an OWASP review your scanners can’t do?
    Do your JWT tokens actually expire?
    Article: Your Security Scanner Can’t See Your CORS Config. Here’s the One-Prompt OWASP Review That Can. 11 min read
  5. 05 Have you got rate limiting on every public endpoint?
    Does your throttle actually hold under 100 concurrent requests?
    Article: Rate Limiting Without Redis or Cloudflare Pro: The Postgres Pattern That Actually Holds Under Load 10 min read
  6. 06 Have you got slow-query logging on every Supabase connection role?
    Can you tell which Next.js route fired the eight-second query?
    Article: Your Supabase Project Is Flying Blind on Performance: Here’s the One-Prompt Fix 12 min read
  7. 07 Have you got a dry-run guard on your email sender?
    Do you know if CI is firing real emails at fixture addresses every night?
    Article: Your Playwright Suite Might Be Quietly Burning Your Sender Reputation 9 min read
  8. 08 Have you got audit logging at every 3rd-party boundary?
    Can you prove a Stripe call actually went through last Tuesday?
    Article: Your 3rd-Party Integrations Don’t Leave Receipts. One Log Line Per Call Fixes That. 10 min read
  9. 09 Have you got a per-tenant activity feed?
    Can you tell who disabled this backup, and when?
    Article: Your App Doesn’t Remember What Anyone Actually Did. Here’s the One-Prompt Fix. 12 min read
  10. 10 Have you got browser-side error capture across all four sources?
    Are you finding bugs from user screenshots?
    Article: Stop Finding Bugs From Screenshots: a Next.js Frontend Error-Trapping Setup With No New Vendors 14 min read
  11. 11 Did the LLM scaffold Prisma without asking where your authz lives?
    Are you sure your RLS policies are actually firing on every query?
    Article: Prisma Is the Right Default Until Your Authz Lives in Postgres: the One-Prompt Decision Tree 13 min read

None of these prompts are clever. All name the architecture upfront so the agent does the mechanical work in the right shape the first time.

Start with Part 1 →
made with bernard