the adversarial audit

What the audit actually found.

"80 agents, 14 facets, zero criticals" — that's the headline. Here's what's behind it: every finding was refuted by a separate agent before it counted, then fixed and redeployed. Three of the real ones:

three of the real ones

HIGH Import CPU-DoS

The website importer's JSON-LD scan went quadratic on a page of unclosed <script> tags — a crafted 2 MB page froze the single-worker gateway for minutes. Fixed: a bounded, linear scan — 70s → 4ms.

HIGH Crisis behind the meter

The billing check ran before the crisis check, so a distressed customer messaging an out-of-credits business got "unavailable" instead of a crisis line. Fixed: the crisis check now runs before billing on every surface, served free.

HIGH Render DoS

A per-tenant social-card render (Pillow) re-ran on every cache-busting request. Fixed: memoized by content, so a URL loop can't re-trigger it.

14 facets: isolation · auth · injection · money · governance · concierge · booking · channels · customisation · site-generator · frontend · ops · layout · data. Verdict: zero critical; the XSS surface and tenant isolation came back clean; no live auth bypass — every confirmed edge fixed.

the honest numbers

Every number, with the asterisk already attached.

Most builders pad. I'd rather you trust the parts that are real than be impressed by parts that aren't.

1builder* not a team
819tests green* not a formal proof
80 → 0adversarial agents, zero criticals* self-run, not third-party
1production instance* by choice — I haven't had to learn scale yet
2 → 1residents, one spine* composition, proven by lint

The system is honest because the person who designed it is. I made sure of that from the start — built in, not bolted on.

the invitation

The numbers hold. Asterisks included.

If you want a builder who attacks his own work this hard before anyone asks, let's talk.