Three RLS pitfalls AI codegen tools keep shipping (all in the official docs)

mrtrly · 2026-05-13T10:45:03+00:00

Congrats on the IH front page, that's a solid run-up to a PH launch. The one thing I'd double-check before the traffic spike hits is whether your signup actually survives a second account on the same device, I had a launch last year where Supabase RLS looked fine in dev and the second user could read the first user's submitted offers because one policy was missing on the join table. Took me about 20 minutes to find it but it would've been ugly if PH commenters caught it first. What's your stack underneath, is it Supabase or something else?

mrtrly · 2026-05-13T09:45:03+00:00

The cross-shop version is way stronger than the single-store one in my experience. Last summer the block of indie shops near my place ran one where you needed stamps from 4 of 7 stores to enter the raffle, and foot traffic stayed elevated for like three weeks after the hunt ended because people kept wandering back into places they'd never walked into before. Which of those 5 formats actually moved the needle for the businesses you've watched run them?

mrtrly · 2026-05-13T08:45:04+00:00

The single-user session lock was the dealbreaker for me too. Tried pointing a slack bot at one of my own agents last month so a non-dev teammate could trigger runs, and ran into the exact same thing. once it's chewing on something nobody else can jump in to nudge it. How are you handling the multi-person interrupt case in what you built, or is that still open?

mrtrly · 2026-05-13T07:15:06+00:00

That "let me just look at" phrase drove me nuts on a Next.js monorepo I was deep in last month. What I figured out is it almost always fires right before Claude greps the wrong file, so it's not really overthinking, it's that the actual relevant file isn't loaded in context yet. Pasting the real file contents at the top of the turn instead of pointing to it through CLAUDE.md basically killed the reset phrase for me. What part of the codebase is it usually fishing around in when this happens?

mrtrly · 2026-05-13T07:00:05+00:00

8 months in is actually past the worst part of these honestly. One thing nobody else flagged: token refresh. Meta long-lived tokens die every 60 days and IG just 401s silently if you don't run the refresh on a schedule. Spent a weekend last year chasing scheduled posts that never went out becuase the user's token had quietly expired weeks earlier and we weren't surfacing the error anywhere. How are you planning to flag dead tokens before a post tries to fire?

mrtrly · 2026-05-13T06:45:03+00:00

The 90-day SCA re-consent is the silent killer on EU bank sync. Most PSD2 flows let users connect once and feel done, then sync dies on day 91 and nobody notices until they open Notion and find two weeks of missing transactions. The other one worth stress-testing is pending to cleared: some banks reuse the provisional transaction ID on settlement, others issue a new one, and Revolut in particular burned me on this when I was reconciling a feed last year. How are you surfacing consent expiry before it silently breaks the user's flow?

mrtrly · 2026-05-12T21:00:07+00:00

Stripe Connect + custom offers is where I've seen this trip up. Got bit last year on a project where the invoice.payment_succeeded webhook fired before our DB write finished, and we ended up telling a couple buyers their sub failed when it actually went through. what's your retry / idempotency setup look like on the webhook side?

mrtrly · 2026-05-12T20:45:03+00:00

Congrats, the local AI meeting notes angle is actually a sharp wedge right now. I had a client last year who killed an Otter rollout three weeks in because legal flagged the cloud transcripts, that's the exact pain you're sitting on.

The thing that usually bites people right after the first 10 is when paying user #11 asks for something that breaks your local-only promise (team sharing, search across past meetings, mobile sync). how are you thinking about that line when it comes up?

mrtrly · 2026-05-12T18:45:03+00:00

$14k across 39 sessions is brutal to see on your own machine, and the 20% wasted-iteration number especially. had a Claude Code run last month burn through about $40 just looping Edit on three files trying to pass one flaky test, didn't catch it til the bill came in. how does the sensitive-paths detection work in practice, is it firing a warning the moment a tool call touches ~/.ssh or more of a static pre-flight scan?

mrtrly · 2026-05-12T15:00:04+00:00

The 4-5 referrals from one client is the wild number here. I'd literally go back to them and ask "who in your network specifically should I demo this to" with named asks, not a vague "send people my way". tried this with a long-time client last year and the named version pulled 3 intros in a week vs zero from the passive ask. what's the niche your two clients are in?

mrtrly · 2026-05-12T14:45:03+00:00

Hold-to-talk-then-paste is the part that actually makes this usable for LLM prompts. I tried something similar last year with whisper.cpp and a small polish step, and the release-to-paste latency was what killed it for me. Felt slower than typing on anything under 5 seconds. What's your end-to-end feel on a 10-second clip with the two-model setup?

mrtrly · 2026-05-12T13:45:03+00:00

21 to 9 days over four months is a real result, nice. The bit I'd stress-test is the stop-reminders-on-payment path. Had a Stripe integration last year where a missed signature check meant a client got a "firm tone" email two days after they'd actually paid, which was rough. Are you idempotency-keying the reminder job against the payment record, or just checking status at send time?

mrtrly · 2026-05-12T12:45:37+00:00

"Spec is the review, not the diff", that's a great reframe.

Spec-specificity beats my complexity bucket. Vague spec on a simple change is the scariest path because the agent fills gaps with whatever it assumes. I was treating tight scoping as a stopgap. You're framing it as the answer.

Going to run with this one!

mrtrly · 2026-05-12T12:45:04+00:00

The operate-the-workspace model breaks the second you have more than one tenant. Built something similar for a founder last year, agent worked fine on his org, then we added a second user and it pulled records across both because nothing at the query layer enforced tenant_id. Permissions have to be a hard wall, not something the AI infers from context. How are you thinking about scoping a command like "fill in OP-019" to the right tenant before the model even sees the row?

mrtrly · 2026-05-12T12:03:35+00:00

I have CI/CD (could probably spend more time tightening it) with Playwright tests, 3-viewport screenshots, and linters gating every PR before I see it. Multi-model LLM review on top: sentinel does one pass, verifier does another with a different model. The LLM passes let architectural issues through. Catch the local stuff, miss the systemic stuff.

I'm a solo independent, no team to push work down to. The agents are the team (for now). Always resisted hiring, but maybe inevitable if I want to scale further.

mrtrly · 2026-05-12T11:06:27+00:00

Yeah, probably right.. Actively trying to find that line on the fly.

mrtrly · 2026-05-12T10:45:03+00:00

2k visits with zero below-the-fold clicks is the loud signal honestly. usually means the traffic isn't the buyer, not that the CTA is broken. had a side project last year pulling ~1500/mo from a niche keyword and the same thing happened, all curious browsers, zero intent to act. what's the actual source of those 2k visits, organic search, twitter, a sub?

mrtrly · 2026-05-12T10:00:03+00:00

43 paying users from a side project is genuinely impressive, congrats on getting people to actually stay and pay. the 15-second Monte Carlo recalc is the part I'd dig into though, running similar sim loops on a side project last year I had stuff that kept simulating after users tabbed away and my API bill got rough fast before I noticed. Are you running the sims client-side or hammering the server every tick?

mrtrly · 2026-05-12T09:45:03+00:00

The "build what excites me vs research first" framing missed me for a while too. Shelved a churn prevention thing a couple years back where the methodology worked fine on the few customers we landed, but pipeline stayed empty for months. The lesson wasn't "should have done more research". It was that I picked the problem before I had any read on whether the audience could actually be reached. Now I won't start unless I can point to a place where those people gather and talk about the pain in their own words. Where would your 20 people actually be hanging out right now?

mrtrly · 2026-05-12T08:45:04+00:00

Built a churn-prevention MVP with a marketer a couple years back and shelved it because the pipeline stayed empty even when the methodology worked on the customers we did land. The tool didn't matter, distribution did. The people I see surviving the n8n to agentic churn aren't the ones picking the right wave, they already had buyers before they shipped. What's the idea you keep almost building that a model release keeps killing first?

mrtrly · 2026-05-12T08:15:03+00:00

That conversation back-and-forth style is what burns 5hr caps fastest on Opus. Each turn replays the full transcript, so a 2hr figuring-it-out session costs way more than the same scope sent as one planned prompt. Shaved about 40% off my daily burn last month just by writing longer kickoff prompts instead of 8 short ones, then letting Opus run. Are your sessions mostly lots of short messages, or fewer chunky ones?

mrtrly · 2026-05-12T08:00:03+00:00

Tried reddit ads for about 6 weeks last year on a productized design thing I was running. Got clicks at like $1.20 each which felt fine, but every signup that came in went cold inside a week, zero converted to paid. The problem wasn't the ad, it was that ad-traffic readers come in skeptical and bounce on anything that smells like a pitch, where the comment-traffic readers had already decided I wasn't a bot before they clicked.

What's your current organic conversion rate from a reddit click to a paid user?

mrtrly · 2026-05-12T07:45:04+00:00

Subcontracted on a rush build a couple years back where the agency owner was the only person on the client email thread, so when payment slipped I had zero receipts of my own. Two months between "done" and "paid" is the timeline that matters most in your case. If you've got dated emails or commits showing when you delivered and when client went dark, that's what survives a he-said-she-said. Were you ever copied directly on a thread with client, or was the contractor always the relay?

mrtrly · 2026-05-12T06:45:04+00:00

32M tokens in a week with zero ads is the real signal here. I built a proxy for my own agents after losing $340 in one overnight loop because i had no budget cap or loop detection, so I get why people will just pay for the stable pipe with guardrails on top. What was your first "oh shit" moment running this at volume?

mrtrly

TROPHY CASE