RS357: I Got Hacked

March 11, 2026 00:44:26

Show Notes

This week on the Rogue Startups, Craig gets roasted. He brought in experienced software engineer Brandon Hancock after building the AI-powered SaaS app Outlier largely through “vibe coding,” so Brandon could audit the entire codebase live during the episode. The result? An honest but useful breakdown of what happens when non-technical founders ship fast with AI tools. 

Brandon digs into real security risks, common architecture mistakes, and the best practices every founder should follow when building AI-driven products. If you’re launching SaaS with tools like Next.js, Supabase, and Claude, or simply adding AI features to your existing product, this episode offers practical lessons on building faster without accidentally breaking everything.

Check the episode out on YouTube to see Brandon dig through Craig’s code onscreen.


If you feel like Rogue Startups has benefited you, and it might benefit someone else, please share it with them. If you have a chance, give Rogue Startups a review on iTunes. 

Do you have any comments, questions, or topic ideas for future episodes? Feel free to reach out to me:

Episode Transcript

[00:00:08] Speaker B: Hey, welcome back to Rogue Startups. This week, I am getting roasted. I am. I brought on Brandon Hancock to do a really thorough review of the Outlier code base and set up an application because I've gotten heat from a lot of y'all that listen to this on Twitter saying, like, "Oh, bro, you can't vibe code a SaaS app. And like, it's going to be full of security, like, security issues and all that," which it may be, but Brandon's going to talk about, like, what's actually happening, but he's also going to talk about, like, best practices and standard things that we all should be doing. Because, look, everyone listening to this should be building something with AI, whether it's its own SaaS app or just a feature inside your main thing or whatever. And so we're going to talk about, like, security best practices with AI development specifically. I think Claude Code is like, how I've been driving and I think Brandon probably is too, but this will be specific for me as a use case. I'm like a roast, but should be abstractable to everything that everybody's doing. So, Brandon, how's it going, man?

[00:01:11] Speaker A: Hey, I am so pumped for this. As I was diving into the code base, bunch of great stuff, excited to dive in on how we can fix it. And just a little bit of background on me as well. So I've been a software engineer, so actually have like a degree, master's in software engineering. Been working professionally for almost a decade now. Everything from working at the government to startups. Doing my own, actually how we got to meet. And so, yeah, I live, eat and breathe software. So very excited to dive into this with you.

[00:01:41] Speaker B: Yeah, yeah. Awesome.
And so, like, just a little bit further context, Brandon is part of the current TinySeed batch with a really cool product called EMS Soap, which is a product for first responders, so, like firefighters and ambulances to file some kind of, like, paperwork they have to do for. For, like, reimbursement claims and stuff like that. So you nailed it.

[00:01:59] Speaker A: We need to bring you on board.

[00:02:03] Speaker B: But he is like the TypeScript dude, right? Which is specifically why, like, I wanted to chat. So. Outlier, Outlier. So our new product, Castos, built to just help you win on YouTube. Better ideas, titles, thumbnails, pipeline management, just like, help you come up with better ideas and execute them so you can win on YouTube because it is the best marketing channel for basically everyone in the world right now. And so Brandon has had access to the code base for about a week and like, yeah, man, tell us, tell us the bad news first, maybe, and then we'll, and then we'll get into some other stuff.

[00:02:38] Speaker A: Perfect. So let me, let me preface this real fast. So in addition to EMS Soap, right before starting up this project, I actually had another project called Ship Kit, which was literally to help developers launch AI applications in days instead of months. Like that was the whole promise. And in that project basically put all of my best thinking around building real world AI soldier applications into as many templates, Claude commands, everything that you could think of so that like anybody could write senior level code. That was the whole goal. So like I, going into your project had a mental checklist of like, I'm curious if Craig fell into this trap. So there was, there was, I'll go ahead and tell you the few that I was instantly looking for right out the gate. So the first one was just around security as a whole, meaning you were able to tell me like, hey, we're using Supabase.
So the, the second you said that, I knew what I was diving into first, which is, are you exposing your Supabase client in the front end, which could lead to a bunch of issues, especially if you don't have row level security implemented. So that was the first thing I want to dive into. And then there's a few other ones that I just. Because, yeah, we need to dive into that one together. A few other things that I think are just I always look for when seeing how others develop. I like to look to see how they're exposing, basically how they're using API endpoints, and kind of I want to dive into you with how I would approach your application differently because you're actually adding more work onto yourself that you don't need to. A few things when it comes to refactoring, and this is a big thing that I see a lot of, you know, vibe coders make. There's technically nothing wrong with it, it's just, it's adding bloat, which is going to make it harder in the future. And then, and then also the database, that was one of the big ones that I want to dive into just to help make Craig's life easier in the future. So those are like the quad factor that I want to hop into.

[00:04:31] Speaker B: Okay, awesome. And I think that like TypeScript, Next.js and Supabase is the standard stack for a lot of folks and I know that's where you have a lot of experience. So. Cool, let's do it.

[00:04:41] Speaker A: All right, so let's dive on in. Let me go ahead and share screen and get this up and going. So screen. Perfect. Okay, here we go. All right, so first things first, like I mentioned, I wanted to check to see if. And I mean I'm going to show code. Is that okay or. Yep. Okay.

[00:05:03] Speaker B: Yeah, yeah.

[00:05:04] Speaker A: All right, so first thing I'm going to check is to look to see what you're doing as a user when it comes to exposing your Supabase client. So the second I saw this. Sorry, this line right here, I was like, oh, Craig. Oh no.
This one line is basically creating an anonymous key, which is. Sorry, I know, I'm kind of like setting this as like a 10am mistake. You actually, it was a mess up, but a. Not bad. So let me, let me explain. So what's going on under the hood for your Supabase anonymous key? You're basically allowing anyone, if they can access this key, to have an instance to your Supabase client, which under normal circumstances means any data table, any authentication, any blob store, anything they can have access to. Upon digging into it, you actually went a step above and started to implement some row level security, which means like, hey, authenticated user can only perform these read, write and delete operations. Here's what I learned after doing some diving into it. I actually was able to get that key. So I basically just said, I literally was like, "Claude Code, hack him." And it was able to capture that next public authentication key with a quick script. I can show it to you. I don't know how deep you want me to go into it, but it's. It was able to grab it, and it was literally just "Claude Code, hack him. I know he's exposing this key and I need you to go through the code and figure out where we can find it in the code." I mean I could just quickly show you the conversation.

[00:06:46] Speaker B: Yeah, I mean by the time this goes live, this will all be fixed. So like all good to show what's going on.

[00:06:51] Speaker A: Okay, so let me. Yeah, so let me actually get back. Okay, so yeah, so here's basically what ended up happening is after kind of looking at your code base a little bit, which is an unfair advantage for me, I found that there was a few different pages that were exposing basically that key. There's a few different pages that were accessing this client. So I got a leg up of like, oh, it's actually your extensions code is what's exposing it. So you can see your extensions callback page was using the browser, the Supabase client, and it was like, got it.
Like, here's the key, you know, so it grabbed everything that I needed to. To start testing your stuff. Yeah, we could blur that out. I don't know what you want to do or make a new one. TBD, very easy to roll forward. And then with that, at that point, I mean, the world's my oyster of like, I get to experiment to see like, hey, fingers crossed. He did not implement row level security. So good news. Most of your tables, it turns out, all had row level security set up. The ones that did not were apparently these three. These are the only three tables or, sorry, the leads table. The leads table was. Yeah, these two tables did not have row level security. You know, not the biggest end of the world, but you know, it was still like. Just wanted to show it to you because at the end of the day I wrote no code. I just knew, hey AI, go find this, because I know we can. And then, hey AI, test every table. And it was able to actually read that information outside of that, because I was able to have access to the Supabase authentication client, like your anonymous key. And, and I was able to grab my own information. So let me just show you. So I was able to grab my own cookie. So you can see like, this is Supabase, this stands for your project. And then this is my authentication token. I could also start to go deeper and actually like pretend I'm Brandon and then just try to cause mayhem in the system. Thankfully, I wasn't able to. Minus being able to read some other people's stuff on those two tables. And the only other issue is because I had access to that Supabase anonymous key, if I wanted to, I could make 10,000 users on your account if someone wanted to mess with you. I couldn't delete. That's the wait. I might could delete. I don't know. I didn't want to mess up your stuff. So I,

[00:09:39] Speaker B: you could have inserted a bunch of other data for, for other users or something like that. Right.

[00:09:44] Speaker A: Basic, basically. So that's the, the kicker.
So there's, there's some rate limiting for signups. It's so funny. I'm. I'm doing the SOC 2 HIPAA compliance right now for us. So everything that this is saying, you have to check off whenever you start to do SOC 2 stuff. So it all comes.

[00:10:01] Speaker B: Yeah.

[00:10:01] Speaker A: So I threw a lot at you, questions, because we can go into practical tips, how to avoid this, how I, you know. But what would be most helpful.

[00:10:11] Speaker B: Yeah, no, that's not bad. That's not great, but that's not bad. I want to give some context for all the other non-technical founders out there on how I approach this because I think that might. And that might be helpful for you. Basically it's just Claude Code Opus

[00:10:30] Speaker A: I

[00:10:30] Speaker B: think Sonnet when I very first started and then Opus 4.5 the whole time and kind of going with what it says, and it always recommends, even down to the tech stack, is always recommended TypeScript and Next.js and Supabase. I have several code review agents running all the time. I have three of them. I use Baz, I use. Oh, it's not Clerk. Cubic, that analyzes code every time I push it. I only introduced that about two weeks ago. So when these things that you're identifying were written, like it didn't, it didn't analyze that. But then I also have detail.dev, which analyzes the whole code base twice a month. Now I'm on a paid, I'm on a paid plan. None of them caught this. So, so that. And, and I run and I have run several what I thought were like really, I asked it to be like super, super thorough, like Claude Code projects or, you know, initiatives around this. Like, hey, I want you to analyze everything. Spend a whole shit ton of tokens, like, like this is super important. It always brings back stuff and these things were missed. So that's kind of like what I've done thus far with like. I mean I've run a SaaS business for eight years, but I know almost nothing about code.
So that's kind of like what I've done to this point to get like, I don't know, 80% good. It sounds like that's shocking, the fact

[00:11:59] Speaker A: that they like, I didn't know you were using external tools to like review. That's genuinely wild. That was not caught because in Supabase Playbook this is probably one of the most, the top five biggest issues. So the fact that it wasn't like, identify your tech stack and then check for these five, 10 things, I don't know, that's a little concerning.

[00:12:22] Speaker B: I mean, to be fair, Cubic and Baz only check PRs, so it only checks the files that were changed in a PR. And I don't think I've changed any of these files since I started using them. Detail.dev analyzes the whole code base. It's. It's a trip, man. Like I don't know if you've hooked yours up to it yet, but it takes like hours.

[00:12:38] Speaker A: Seriously.

[00:12:39] Speaker B: That's which just makes me feel good that like an AI is working for hours because like that just never happens. But yeah, it's concerning. It's concerning. And I think that like, you know, maybe the haters. No, I don't have haters. My friends who are concerned for me are. It's valid. Like, this is, this is stuff that like, maybe I shouldn't be dabbling in without more knowledge.

[00:12:59] Speaker A: So, so let me, let me. Actually, what's so cool about this is it's literally a very simple fix.

[00:13:05] Speaker B: Yeah.

[00:13:05] Speaker A: To go going forward. Okay. So the, the biggest issue is that you have the Supabase client, which is something that is running like it's actually running on the client, like on the user's end device. And because it's running on the user's device, you're having to share a key so that the user's client can do what they need to make a change to your database, authentication services, everything. The simplest way to fix this is literally just to delete this and only allow users to do stuff through your. Basically your backend one.
So I think it was yours. This one. So this was great. Meaning this is running on your backend. So there's no way, there's no way for me to do what I just did because this is on your server. So there's no way for me to figure out your anonymous key. So it's actually just private stuff. Keep it in the cloud, public stuff, keep it on the client. It's literally just a one file change rule. And then I couldn't have done any of this is the main thing.

[00:14:10] Speaker B: And what's interesting is Vercel, where it's on. Vercel flags this. When you put these environment variables in, it's like, hey, this looks like it shouldn't be public. And I asked Claude Code and it was like, ah, bro, it's cool, don't worry about it. So I mean, which, like, I don't know, kind of sounds like it is and it isn't. So. Okay. Yeah.

[00:14:33] Speaker A: And so the good news is, like, it is fine. It's totally fine if you properly implement row level security. Every time you do something, it's just one additional check. I make a new table. I have to do row level security, I to the. To the 10, to the nines or whatever to work properly. So it is okay. I just don't even want to expose myself to a potential issue. So whenever I'm working on projects like, this is the first thing I get rid of. I will not add a Supabase client to the front end because you're just asking yourself to get, you know, something to leak at one point if you're not always perfectly on your game. So cool. That's. That's the first one. Okay, so here's the next thing that I always look for in projects. So it actually has to do with database management. So I was looking through your code and I was curious, how are you, two things. How are you adding new migrations to your database? Like, how are you adding new tables, new rows, new columns, and how are you reverting those in case something goes wrong? What does the current workflow for that look like?
[00:15:43] Speaker B: Yeah, it's changed a little bit, which is why you probably see and don't see some things here. Earlier it was create a migrations table, which are these files that you see here. And then I would copy it and go into the SQL editor in Supabase and paste it in and run it. Now I just have the MCP hooked up and I ask it to run it all the time anytime that it wants to do a migration. I think the challenge and the place where I get. Just this morning I was doing something, we're doing an onboarding wizard and it had written whatever the database structure and the migration, but it hadn't run it on staging yet. I went to do something, it was broken. I was like, what the fuck? And it's like, oh, this table doesn't exist. I was like, gosh, you would think there has to be a way to where every time we do something with the database table and then we go deploy code, it makes sure that thing happens. What you're getting at, I think, is I'm straddling two lines and don't have a good system for making sure this happens on staging and production all the time.

[00:16:58] Speaker A: I think we could actually make your life easier. It's called Drizzle ORM. So this is what I always recommend. Like we have like 400 members in Ship Kit and this is what all of them are using because it does exactly what you're saying. Free tool. But basically what they do is, let's see, get started. See if they have a nice little. So, yeah, Supabase, this is exactly what we're doing. But they have a really nice way to where you end up making a bunch of schema files. So you'll have like, in your case, you know, you'll have like a users file. You'll end up having a leads table. You'll have like basically per table, you have a file, which is great because then you're managing your database as code, which is phenomenal because then anytime I'm working on this table and I make a change to where like I add a new field, like, you know, like, you know, just. We'll just say like date.
Then what's really cool is you run something called like, it's basically like drizzle generate and then drizzle. I'm messing up a little bit. But migrate. But what this does is generate goes, hey, I can see the state of your database and I can see that this is a new field. So I'll go ahead and make that SQL script for you. And then you just run migrate and it applies it to your database. So this way every change that happens from the moment your database was created until like 500 changes later, everything has a. You can see the exact change, which is beautiful because then if you ever want to undo something like, oh, crap, I added something and that was not right. It's a quick one line change and you're not having to rely on the MCP. Like there's a, there's a ledger to say exactly what changed and when. And it just makes it easier for you and, and your AI agents too, because you just point to this and say, you can see every change I've made this week.

[00:18:59] Speaker B: Okay, so like if I'm, if I'm kind of all over the place like I am now, can I just ask Claude Code to generate those from Supabase? Say like, hey, this is what's on Supabase right now. Create these schema files for me, like as of today at least, and we'll know kind of where we are.

[00:19:15] Speaker A: Yeah. So you could basically do a work backwards because, like, you already have the code base generated. Like you already have all the tables and everything. Yeah. So what you could do is work backwards to create that initial schema. And then from there, when you run generate and migrate, what you'll notice is it won't actually. Like, the migrate won't do anything because the code's already there, you know, but. But then you have a good starting point so that when you start adding new code, you're going to be. It'll be iterative kind of thing.

[00:19:44] Speaker B: Yep, yep.

[00:19:45] Speaker A: So Drizzle, cannot recommend it enough.
It will make your life so much easier because the MCPs, I feel like you feel like you fly, but then you just lose track of. It's harder to maintain. Because if I was to come into your code base, I couldn't tell you how we got here. Like, I couldn't tell you which one, you know, but the cool part is, is, like, what I love about AI development is, like, 99% of the time, we just want to get to a good starting point, to have, like a good MVP. And then we're like, from this point going forward, I will follow best practices, which is totally doable. Like, that's what I would really recommend. Get there as fast as you can, then start making stuff working.

[00:20:26] Speaker B: And I literally just did that. Like, we opened up to early access, like, two weeks ago, and I literally just on that day, I think created like a develop branch and it, like, protected the main branch and required PRs and stuff like that. So, yeah, I think I've been fast and reckless so far, but it's time to get serious.

[00:20:45] Speaker A: Can we. I just. Actually, this is a second thing I'd love to look at. Um, would you mind pulling up your Supabase project itself? I just want to. I just want to check one thing that I really recommend for people to do when they start to bring on customers. Because it's so easy to accidentally break things, and then all your customers are like, what the heck, Craig, I'm paying. Why isn't it working? You know? So there's just one quick thing I want to show.

[00:21:13] Speaker B: Yep. I'll share our staging environment.

[00:21:19] Speaker A: Okay, perfect.

[00:21:22] Speaker B: Okay.

[00:21:22] Speaker A: Okay. So here is. Okay, so I love what you're doing. There's actually an easier way to do this. So you see how it says Outlier? Like, you have a whole extra project right there. So, like, if you click it, you should see the other one as the other option. Yeah.
So what you could do, which is, I recommend, a little bit easier, is if you click create branch right there, then it actually ends up being, I think, cheaper. So basically what you end up doing is you have a main branch and a staging branch, and it's all in the same project. So, like under Outlier, you have a main branch which has its own environment variables and keys. Then you have a staging which has its own environment variables and keys. It's just. It's just a. It's a little bit easier to keep. Keep track of. But at the end of the day, either one of these works, the other one might just save you a couple dollars, but you're doing it correctly. Like, this is the right way to do it, to have a whole second area to stage and apply. So, dude, props to you on that. Most people never get to this.

[00:22:28] Speaker B: And I, you know, I had this conversation with Claude Code. I think we did this because it's a whole separate domain too. It's not like staging Allard. So. And I think we needed that to point this. But maybe that's not right. But in Vercel it all it is what you're saying. There's, there's. They call it preview and production, point to different URLs.

[00:22:50] Speaker A: Yeah, yeah, that's. That's exactly why. But no, you're. You're doing it right. Yeah, that's awesome. Because there's so many times. Because eventually what's going to happen is like you're going to make a change to the database in staging, test it out, if it works, then apply to production. And there's so many times that I've been like, oh yeah, I'm just going to apply it, break something. And then like, oh no, thank God I didn't erase all of my production users. So no, crushing it.

[00:23:15] Speaker B: Okay, cool. Was there something you wanted to look at here to make sure that like stuff's actually working?

[00:23:18] Speaker A: No, you had it right. There were two approaches. Make a whole second project, which you did, or add that second branch and then just make it as a persistent one.
But either way works great. Honestly. Okay. Few other ones I just want to cover really quickly. So first one I want to hop to is your actual. In this one, there's nothing wrong. This is like purely a preference, but I think it will just make your life simpler. So that's why I want to share it real fast. So screen and screen. Okay, so here is the next one that I want to talk about. So I see when a lot of developers use Claude Code, they go hard in using API endpoints. I personally would recommend to use as few API endpoints as possible and instead use server actions. They do the exact same thing. The only gotcha is API endpoints require a lot more overhead in management and validation to do the exact same thing. So for example, so here's assets. So usually when doing something like this, you first have to get the request, authenticate the request, then pull out all the right information of the request, then do something with it. With a server action, you just make sure the person's authenticated and then you're passing in regular variables. So like all this other stuff just gets deleted and. And you like, you're not having to do as many early returns. Like for example, the user could have potentially put in bad information here. Like there's no reason that they could. Like they didn't have to put in tag or whatever. So you. There should maybe be a little bit more like, you know, validation here to make sure that the right things were presented. So like you know, if not tag, like, there could be more stuff like here to basically send stuff back and you just have to do so much extra management that it's just genuinely not worth it. So I'm a huge fan of using server actions as much as possible to make sure that you don't have to add all these other things because it's just code. Like, so that would be the only thing I would recommend on assets.

[00:25:50] Speaker B: Yeah.

[00:25:52] Speaker A: Okay.
And you'll just see it will save you so much time and make your app more productive because you're having to write less code.

[00:25:59] Speaker B: Can I, can I ask you a question about this? And I think this gets to. And we might cover this in a bit. But like, I feel like that's like a skill, right? Or that that, like that that kind of preference needs to live in a kind of system level thing somewhere for me to tell Claude Code, you know, how to do things better. And like refactor, like, hey, use less of these, do things on the server instead, blah, blah, blah. I'm not gonna do that every time or I shouldn't do that every time. That should be like a system level kind of thing. Like, where do you put that kind of stylistic preference thing?

[00:26:32] Speaker A: Yeah, let me open up something and I will, I'll show you kind of what I usually do. But I mean, the short answer is there's the way I approach AI development. I want to actually see how you're approaching it because I would love to show you how I'm doing it as well, just to, you know, just to see. So let me just show you a quick example. So this is another project. This is like one of the Ship Kit templates. But I'll just show you kind of what I. At least how I approach it. Screen. Okay, here we go. Yeah, so. So a few things just right off the bat. The way I approach development is I always have like an AI Docs folder to store how I do everything. So for example, like any time I do anything in the software development life cycle, I have a piece of code to have all the best practices. So in your case, you're like, well, Brandon, how do we make sure that we properly put things in the right spot? I don't like to do things in API endpoints. I want to do stuff that's related to server actions. So like, server actions. Yeah, so you can see anytime I do something where I'm accessing the database, always use server actions. And here's exactly why I do it.
And then if I'm doing a simple query, I'm just going to use it in the layout file. If it's a complex query, I'm going to put it in the lib folder. So what I'm doing is what I think 10 out of 10 software development should look like. I'm codifying that into templates, task templates, so that anytime I do anything involving the code base, it's checking off all my best practices. That way, you know, that way there's standardization and you know, there's a thousand ways to build the same project. Some just mitigate risk, make it easier to maintain, and just help you move faster, longer, and make it easier for others to contribute because there's a, there's a trail. So this is exactly how do you,

[00:28:36] Speaker B: how do you have it set up like this is in your, like, CLAUDE.md file to reference this all the time or like, how do you make it explicit so it knows that this AI Docs is here and it should reference it like all the time?

[00:28:49] Speaker A: Yeah, so the way I usually do it is just with. Basically I just have Claude commands to whenever I want to do stuff. So like, whenever I'm like, I want to start working on something, task template, like, hey, I want to start working on. Well, I don't have Whisper on right now, but if I had Whisper on, I would just talk. And then the task template goes, oh, I understand what you're trying to do. Um, and then what it'll do is I end up once again for maintainability. It puts everything I build into the task folder. So, like, as I'm making changes, I have a log of how I got here, which is interesting, insanely helpful because the amount of times I come back to something two weeks later and I'm like, I need to add something more onto it. I can just go, oh, last week we worked on the lib. We worked on the usage page. Can you go see how I got here? And then I want to tweak this because at the end of the day I'm just trying to solve context. The AI can do anything.
I just need to keep context available so that whenever I'm giving instructions to the AI for the next thing, I just quickly point at this file, this file, and let it run. So that's, that's how I tackle it. And that's going back to your project. I did not see, I added AI Docs because I was curious. I didn't see, I didn't see any plans. I didn't see anything.

[00:30:14] Speaker B: So they go by default into the Claude folder. So it gets. Gets ignored.

[00:30:19] Speaker A: I think okay, so it's on your machine though, right? Okay, yeah. I mean, that's great. The main thing that my current workflow, at least what I'm experimenting with it right now, is I have Claude, I do it in plan mode. Claude makes a plan which is pretty high level. And then the second it creates the plan, I then have it turn it into one of these task documents, which is basically like my 18. My 18 steps on how I like to build properly.

[00:30:50] Speaker B: Yeah, yeah.

[00:30:51] Speaker A: That way I just. I force the AI to think about it before it does the thing. And. Yeah, can I drop one more thing real fast on this, please?

[00:30:59] Speaker B: Yeah.

[00:31:00] Speaker A: So everyone sees these and they get so overwhelmed. They're like, man, like, this is, how do I do this? And the answer is simple. It's. It's AI is pure iteration. What I mean by that is like, I have. I take the AI through a process such as writing code, and then the AI makes mistakes and I go, great, you did A, B, C and D wrong. I went to work on a file called a task template, which conserves and talks about all coding best practices. And all I do. Like, this is the result of like a thousand iterations of. Every time it makes a mistake, I come back and say, hey, don't do this again. Or. And then that way this document is living to where, you know, I only want AI to make the mistake once. If it makes it twice, that means I didn't do something right in providing it the right context.
So I know they're daunting at first, but just every action you take in the software development life cycle, you should have a piece of a command, a task, a markdown file, something to tell the AI what you want it to do. And that's the basic approach that I took for this so that it does not end up. I don't have to end up correcting it all the time. So it takes a little bit more time upfront to correct it, but the second is cruising. Like, you're like, oh my gosh, everything I'm building, it's doing it right. And I can just move lightning fast on 12 things in parallel. So that's kind of how I would recommend at least tackling building out something like that. [00:32:35] Speaker B: So this is like the compound engineering kind of concept? Yeah, yeah, it's interesting. I tried their plugin. I found it to be like, super heavy and, like, used a ton of tokens. Like, I like the concept a lot, which is like, compound engineering is a plugin for Claude code from the Dan Shipper. Like, every to guys. But it's basically that it's like a whole bunch of frameworks and best practices on development, but also it's that repetitive kind of iterative learning loop. Yeah, I think one of the. I don't do a good job of what you're talking about. I don't really have anything in place for that. I have standard ways, like we have like feature. We're going to build a feature slash bug fix, bakes, a branch and all that kind of stuff, but there's no software development best practices, so. Okay, well, like. And this is not like the most organic. This is not the most planned organic ask ever or promo bit. But like, can I get Shipkit and integrate it into my product now without like starting from scratch? [00:33:40] Speaker A: Yeah, you can. I mean, do you have any AI features in your application? I didn't see it off the top of my head. [00:33:47] Speaker B: Yeah, we. Yeah, we use kind of all three big models. So we use OpenAI Vision for analyzing thumbnails. 
So like our customers upload thumbnails for us to get. Like, hey, this is your style. We use Claude for kind of all the logic stuff. And then we use Gemini, like Nano Banana to create thumbnails. [00:34:05] Speaker A: Yeah. So I mean, the short answer is yes. The part that would actually, the only part that would require work is the act of that task template that I showed you. Each one is fine tuned to their own project. Meaning, like if I'm building a chat application, I know there's a few core things I'm using Vercel AI SDK and I'm going to basically. Yeah, but so if you're using things differently, then it. All it comes down to is updating these markdown files exactly. Like we just talked about. We're like, hey, instead of doing X, you should now do Y and basically just. I would say, hey, here's how we're using these different AI models. Update this so that we don't have to. To basically push me down the wrong direction. Because all these documents are. They're just guardrails. So that's all we're doing. They're guardrails for best practices. But yeah, I think the second you start to use them, you're like, oh my gosh, this is. [00:35:01] Speaker B: Yeah, it's cheating. [00:35:02] Speaker A: It feels like cheating working on 12 of these in parallel. But no, yeah, after this I can get you set up. [00:35:08] Speaker B: Yeah, it already feels like cheating. I mean, I think one of the bit, a bit of a, like a divergent here, but like one of the, one of the emotional kind of Challenges I have is like, I don't, like, I'm not using my Claude code max 20 plan. And I feel like I should. Like, I'm like, fuck, I'm leaving tokens on the table every day. Like, I could get by with a $20 plan. And I'm like, gosh, there are people out there just eating tokens 24 7. And like, the product is basically done in like two months. I don't. And I opposed this in the tiny seed slide the other day. I was like, I want to spend some tokens on marketing, but I can't figure out what to do. 
And we have hundreds of pages on the site. We have use cases, we have who it's for. We have a blog that's going all this kind of stuff. Like, we're doing all this stuff. I don't. Maybe our application just isn't that complicated. But, like, I don't see how I can 10x the amount of work I'm doing. I don't see why I would 10x the amount of work I'm doing. And that's really concerning. [00:36:07] Speaker A: So I can go and tell you, dude, I, I, I'm a token whore is if I had a shirt, that's what it would say because I'm so I'll go ahead and tell you the quickest ways to just max out on Claude code. So the first one is work trees. If you're not working on six different features, bug issues, and things at the same time. Like, if you look at my screen right now, I have literally like, ems, we're tackling this problem, this problem, and this problem. Like, I have six editors in Claude code in each one, all in separate work trees so I don't end up tripping over myself. So best practices. And then I'm just cranking out six things at once. Like, my brain is the limiting factor here. So that's the first one. Just if you're not using work trees, that's the first biggest thing to 6x5x your usage. Okay. [00:36:58] Speaker B: Using Conductor to manage all that, I [00:37:01] Speaker A: just, I just use shortcut keys. Like, I, I, I basically, Basically I have a. Once again, I made a new command called work tree. Yeah. And because I was like, what do I want to happen when I want to work on a new feature? I want it to make the branch, make the work tree. Go ahead, open it up for me and then paste in that task document that I was working on. That way I can just open up the new one and I say fix it and I do it again. And again and again. So it's just like I'm putting AI to work. The final. The other thing that I would do, marketing. I mean, we had Google. Sorry, we had Claude code build out an entire campaign for us. Like, everything. 
All the marketing, all the pages, all the new funnels. Like, it did everything. And it took a day and a half because, like, I was the bottleneck. Like, I was so new to using Google Ads. So I was like, help. And the other thing, if you really want to go, like, next level is to use playwright with Claude code that'll start to churn through tokens. So like, I have. I have Claude code open up ads and I basically just tell it what I want. Like, I come up with a plan and I say, go into Google Ads and build out this campaign or build out this other thing. [00:38:13] Speaker B: So interesting. [00:38:14] Speaker A: I don't, I don't. Yeah, I have it working in the web for me. I have it working on six branches at the same time. So like, when I'm like, I feel like I'm in the Matrix when I have it going, because it's doing everything. So that's. Yeah. Anytime you're touching something on a computer or on a browser, you should. Like, I had. Did my QuickBooks for me yesterday. Like, it did I do everything through clock code. [00:38:36] Speaker B: Yeah. [00:38:36] Speaker A: It's kind of what I would recommend. [00:38:38] Speaker B: Yeah. Yeah. No, it's interesting. I mean, I have. So I guess like my setup is as of today and it freaking changes all the time. I'm playing around with Conductor, which is built for this git work tree. It's Conductor build. It just lets you have a bunch of different instances of your application and git work trees for folks who don't know is it picks up your application, makes a copy of it in its own git branch so that you're not merging code from several different initiatives into one branch, which is a big old mess. But it's also a nice lightweight id. It's mostly chat. You can see files and you can run the server, so it's cool. And then you can just create a PR from it and you can open that instance of the code base in whatever editor you're using. So I'm liking it. I use that sometimes. 
I'm just kind of onboarding myself, I guess, into it for things that are more like single tenant. Like, I have a Castos co founder Claude project and I have a second brain Claude Project. Those kind of live persistently in this terminal emulator called Ghosty. It's just a terminal and I just run several. I have like five tabs running there and I just kind of flip through all of them. Just wait for it to ping me and tell me what I did wrong. [00:39:58] Speaker A: That's awesome. So it's so funny because there's literally a thousand ways to tackle building it. And conductor looks awesome by the way. I think just real quick. One thing I've noticed because like through the, we have a school community, I see so many people getting caught up on just trying to perfect the tools. And I mean the tech stack you mentioned, that sounds perfect to be honest, for what we're doing. And I think you could easily substitute it out with literally just a bunch of warp terminals. You could do a bunch of anti gravity, a bunch of cursor. Like any of them work as long as you're thinking about it properly. Where I need to be doing a bunch of code in parallel work trees and then I need to be using Claude code to do everything. Like if you're touching the keyboard to do something on a different screen, Claude should be doing it for you. [00:40:49] Speaker B: Yeah. [00:40:50] Speaker A: You know, but I just don't want people to get stuck of like, oh, I have to get the perfect thing. Like Claude Bot is like the new thing that's coming out as of today. I don't know if you've seen it, but. [00:40:59] Speaker B: Yeah, yeah, yeah. [00:41:01] Speaker A: I mean, I mean all of them phenomenal tools. It's just like, are you moving the needle on your business? I would not get too stuck upon tools. [00:41:10] Speaker B: Yeah, yeah, cool. 
You know, honestly, I was kind of nervous about this conversation because it's, it's at the same time a little daunting to like very intentionally be like, we have full time developers on our team. But, but I'm like, no, I'm going to do this because I want to move fast. I know what this product needs to look like, which I think is a big superpower. Like I'm the subject matter expert, I am the perfect customer. I know what this needs to look like. I don't have to tell you to make you so, so you can go do your job. Well, that, that's a. In my experience as a SaaS founder, that has been the most challenging thing is to put like take the shit in my brain and put it into a format that a developer can be successful in. Probably with, you know, V0 and Claude code and all that, it's a lot easier because like, oh, like with the Castus team, we're building a pretty big new feature. I just built it in Google AI Studio one Day and I did a loom and I was like, guys, this is what we're going to do. Just go make it. And now we're a couple weeks into it and it's almost done. [00:42:12] Speaker A: That's awesome. [00:42:12] Speaker B: That is the biggest challenge for being a non technical founder. And now I don't have to do that because I can just do it. I don't know, like 90% good. It sounds like I didn't screw too much up, which is pretty reassuring. [00:42:27] Speaker A: Yeah, no, I was, I was, honestly, I was like, man, if he AI did all of this, this is insane because the layouts were beautiful. Every everything about it. I was like, man, this looks awesome. Like, I think the thing is, is like the typical user, like this is why people always get like, they're like, oh, AI swap. The typical user. I mean this was true. Pre AI or post AI, they don't care. They have no care what's happening on the back end. The only people that care are your developers and your security team. And if you're about to go through the audit, that's literally it. They're the only ones. 
So I know when a lot of developers like panic, they're like, oh my gosh, like the code's so messy when they hear people vibe coding at the end of the day, like the messiness or cleanliness of the code doesn't matter for a new startup. It doesn't solve a problem. So like, thank God you don't spend eight months making the perfect clean code when you're about to test out your idea here in like a couple weeks. Like that's, that's the craziest part, you know? [00:43:23] Speaker B: Yeah, yeah, yep, yep. Awesome. Okay, so I'm going to get set up on ship kit. I'll report back here on the channel with like, no, I mean it sounds like exactly what I want, which is like, yeah, we were kind of fast and messy to a point and now we need to get started the right way going forward. Like my next project, I'll get started the right way from the beginning and like, shouldn't slow me down. So that's awesome, man. I appreciate your time. Thank you for doing this and I hope this is not daunting but inspiring to other folks like me who are like non technical founders. Be like, hey, you can do this and like do it right. And I've learned a ton from this, so thank you very much. [00:43:57] Speaker A: Of course, dude. Happy to hop on. This was a ton of fun. I've been waiting to hop on the call to go through all of it with you. So this was a ton of fun. [00:44:04] Speaker B: Thank you. Awesome. And so Shipkit AI Awesome. Okay, we'll leave a link in the show notes, but y' all check it out. I'm going to onboard myself into it and I'll report back on the channel, kind of how it's going. Thanks, Brandon. [00:44:22] Speaker A: Sa.
