the adversarial audit
"80 agents, 14 facets, zero criticals" — that's the headline. Here's what's behind it: every finding was refuted by a separate agent before it counted, then fixed and redeployed. Three of the real ones:
The website importer's JSON-LD scan went quadratic on a page of unclosed <script> tags — a crafted 2 MB page froze the single-worker gateway for minutes. Fixed: a bounded, linear scan — 70s → 4ms.
The billing check ran before the crisis check, so a distressed customer messaging an out-of-credits business got "unavailable" instead of a crisis line. Fixed: the crisis check now runs before billing on every surface, served free.
A per-tenant social-card render (Pillow) re-ran on every cache-busting request. Fixed: memoized by content, so a URL loop can't re-trigger it.
14 facets: isolation · auth · injection · money · governance · concierge · booking · channels · customisation · site-generator · frontend · ops · layout · data. Verdict: zero critical; the XSS surface and tenant isolation came back clean; no live auth bypass — every confirmed edge fixed.
the honest numbers
Most builders pad. I'd rather you trust the parts that are real than be impressed by parts that aren't.
The system is honest because the person who designed it is. I made sure of that from the start — built in, not bolted on.
the invitation
If you want a builder who attacks his own work this hard before anyone asks, let's talk.