7 Days, 117 Commits: The Full Story
A 10-slide visual recap of building cryptoflexllc.com from zero to production in one week with Claude Code.
AI-Augmented Development
7 Days. 117 Commits. One Production Website.
From zero to production-grade with custom analytics, newsletters, 410 tests, and a 4-agent security audit — all built with Claude Code.
Chris Johnson
CryptoFlex LLC · Feb 7–14, 2026
By The Numbers
The Numbers
Timeline
From Zero to Live
Days 1–3 · 7 commits
Friday night sprint. Scaffolded Next.js 16 + React 19, deployed to Vercel, published first blog post. Live on the internet in ~4 hours.
Analytics & Paranoia · 12 commits · PRs #1–4
Built custom analytics dashboard, completely unauthenticated. Scrambled to add HMAC-SHA256 auth, rate limiting, input validation, and IP lookups.
Design System · 22 commits · PRs #5–7
Timeline
Newsletter & 10 PRs in One Day
Days 4–5 · 22 commits · PRs #8–17
The 5-PR Welcome Email · 17 commits · PRs #18–24
5 pull requests to send one email. WAF blocked POST, switched to GET, WAF blocked again, moved endpoint, WAF blocked again, fixed regex pattern. Also patched CVE-2024-56243 (XSS in next-mdx-remote).
The 5-PR Timeline
Timeline
The Reckoning: Testing & Security
Days 6–7 · 24 commits
Wrote 410+ tests in a single day. Ran a 4-agent security audit that found 60 issues in code that was "working fine."
Polish & Ship · 13 commits
Commits by Day
Security Audit
Security Findings
4 AI agents. 30 minutes. All in code that was "working fine."
Agent 01: Input Validation
Unsanitized user input in query params
Missing input length limits
Unvalidated redirect URLs
Agent 02: Auth & Authorization
Unauthenticated API endpoints
Missing CSRF protection
Overly permissive CORS policy
Agent 03: Dependencies
CVE in next-mdx-remote v6.0.0
Outdated packages with known issues
Unpinned dependency versions
Agent 04: Info Disclosure
DB queries leaked in error messages
console.log in production code
Verbose stack traces exposed
WAF Chronicles
Blocked YOU More Than Attackers
3 self-sabotage incidents · 0 blocked attackers
Day 3: Wrong Syntax Nukes the Site
Used "rules" instead of "routes" in vercel.json configuration. Result: SITE DOWN.
Day 4: Newsletter API Blocked
Subscribe, confirm, and unsubscribe endpoints weren't whitelisted. Took 2 PRs to fix.
Day 5: The 5-PR Email
Welcome email endpoint blocked five times. POST→GET→path move→regex fix. The email finally sent on the 5th PR.
"It's easy to block everything. It's hard to block just the bad stuff while allowing legitimate traffic through."
Tech Stack
Architecture
MVP
Features
Hardened
Ship
Full Stack — All Free Tier
Total Monthly Cost: $0/mo
Lessons Learned
6 Key Takeaways
Free Infra Is Insanely Capable
Production site with DB, analytics, newsletters, and CI/CD. All on free tiers. What cost $20+/mo a decade ago is now $0.
Your WAF Will Block YOU First
3 self-sabotage incidents, 0 blocked attackers. Finding the balance takes many failed deploys.
Write Tests Before You Need Them
0→410 tests in one day. Immediately caught a race condition, bad user-agent handling, and template edge cases.
AI Doesn't Replace Vision
Claude Code asked a dozen clarifying product questions. AI implements brilliantly, but you need to know what to build first.
Devs Now Move Faster Than Security
AI-assisted shipping velocity is unprecedented. Guardrails need to be in place before the velocity kicks in.
Sleep Is the Best Debugger
Multiple hour-long bugs solved in 5 minutes the next morning. Your brain does critical work while you rest.
"If you're adopting AI-assisted development in your enterprise, your guardrails, alerting, and security automation need to be in place before the velocity kicks in, not after."
The capability is real. The productivity gains are real. But so are the risks. Read the full story: every triumph, face-palm, and WAF incident.
cryptoflexllc.com
Chris Johnson
CryptoFlex LLC
Open to feedback · Happy to share what I've learned · Always down to help
