8:42 AM - Inbox triage
I open the admin dashboard first thing. Tuesday morning. Coffee still hot. The inbox on the Shipcheck home page shows 47 queued scans from overnight. Three of them are paying customers, eighteen are free-tier, the rest are trial users. I flip to the metrics tab. Last week we hit 280 signups total. Yesterday alone was 41. Small number, but the growth chart is not flat.
I pull up the notification queue in Slack. The agent pinged me at 6:18 AM with a warning: one of yesterday's scans failed to complete. A customer named Martin Li uploaded a monorepo, and the auto-detection got confused between the Rails API and the Next.js frontend. The agent defaulted to Rails rules and missed the React attack surface entirely. I marked that scan as incomplete and need to email Martin before he wakes up asking why his report never arrived.
Gmail is open in another tab. Sixteen messages since I went offline at 7 PM yesterday. Four of them are replies from customers; one is a churn notice from Carol Reyes at Reyes Family Practice (she ran one scan, decided it wasn't for her, asked for a refund). One email is from our payment processor, Stripe, flagging a failed charge from a customer in Bangalore. The rest are notifications and digest emails I'll scan later. I draft a reply to Martin first:
"Hi Martin - your scan started but our stack detector got tangled on your monorepo structure. Can you take thirty seconds to tell me which part you want me to focus on (the API or the frontend) and I'll rerun it manually today. I'm building better multi-service detection, but right now I need a nudge. Thanks, [me]"
I send it. It's honest and fast. That's usually enough.
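The failure behind Martin's scan is a detector that returns one stack for the whole repository. As an added sketch (not Shipcheck's code; the marker heuristics, skip list and sample layout are assumptions), per-directory detection yields one scan target per service instead:

```python
import json
import tempfile
from pathlib import Path

SKIP_DIRS = {"node_modules", ".git", "vendor"}  # dependency trees, not services

def stacks_in_dir(d: Path) -> list:
    """Stacks whose marker files sit directly in d (a directory can hold several)."""
    found = []
    gemfile = d / "Gemfile"
    # Crude heuristic: any mention of rails in the Gemfile counts.
    if gemfile.is_file() and "rails" in gemfile.read_text(errors="ignore").lower():
        found.append("rails")
    pkg = d / "package.json"
    if pkg.is_file():
        try:
            meta = json.loads(pkg.read_text(errors="ignore"))
        except json.JSONDecodeError:
            meta = {}  # malformed manifest: treat as no marker, do not crash the scan
        deps = {}
        if isinstance(meta, dict):
            for field in ("dependencies", "devDependencies"):
                section = meta.get(field)
                deps.update(section if isinstance(section, dict) else {})
        if "next" in deps:
            found.append("nextjs")
    return found

def plan_scans(root: Path) -> list:
    """One (service path, stack) pair per detected service; never a single guess."""
    plan = []
    for d in [root, *sorted(p for p in root.rglob("*") if p.is_dir())]:
        rel = d.relative_to(root)
        if SKIP_DIRS & set(rel.parts):
            continue
        plan.extend((rel.as_posix(), stack) for stack in stacks_in_dir(d))
    if not plan:
        raise ValueError("no known stack markers found; ask the user instead of guessing")
    return plan

def build_sample_monorepo(root: Path) -> None:
    """Constructed sample layout: Rails API in api/, Next.js frontend in web/."""
    (root / "api").mkdir()
    (root / "api" / "Gemfile").write_text('gem "rails", "~> 7.1"\n')
    (root / "web" / "node_modules" / "some-plugin").mkdir(parents=True)
    (root / "web" / "package.json").write_text('{"dependencies": {"next": "14.0.0"}}')
    (root / "web" / "node_modules" / "some-plugin" / "package.json").write_text(
        '{"devDependencies": {"next": "14.0.0"}}')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_monorepo(Path(tmp))
        print(plan_scans(Path(tmp)))
```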
10:15 AM - A flagged conflict
I'm back at the admin console reviewing the night's completed scans. The agent generates tiered reports automatically - ship-blockers in red, warnings in yellow, noise in green. My job is to spot false positives before customers see them and to catch anything the agent missed.
I open a scan from Morgan Zhang's startup, a FastAPI project with Stripe integration. The agent flagged a ship-blocker: hardcoded API key in the environment loader. I click into the file. I see it. Then I see why. The developer wrapped it in a try-except that never actually uses the key; it's dead code. Real vulnerability or not? The key is not actually exposed in the codebase that gets deployed, but it is in the source repository. Morgan could commit this to GitHub, someone could fork it, and the key is now live.
I mark it as a confirmed blocker and add a note: "This code path isn't active, but a future developer might use it. Safer to delete the whole block and add a comment explaining why." I bump the priority to the top of Morgan's report.
I also spot something the agent missed: a Supabase authentication library import that's there, but the corresponding RLS policy check is missing. The agent didn't flag it because there's no obvious SQL error, but the logic is wrong. I add it manually to the warnings section. The agent is good, but it's not omniscient. This is why I'm here.
12:30 PM - Lunch and the metrics check
I step away for thirty minutes, make a sandwich, check the analytics dashboard on my second monitor. Week-to-date numbers:
- 156 total scans
- 89 paid (4 recurring subscriptions at $29/month, 85 one-time scans at $19)
- Revenue this week: $1843
- Three new annual customers at $199/year (Shipcheck annual plan)
- Churn: Carol Reyes
I do the math. At this velocity, month-end will land around $7200 in MRR. That's not breakeven yet on the infrastructure and my time, but it's real money and it's growing. I notice Martin hasn't replied yet. I check Slack to see if there's any alert. Nothing. I make a mental note to follow up at 2 PM if he doesn't respond.
I open Linear, our issue tracker. I have seventeen items in my backlog. Today's priority is fixing the monorepo detection. I tag it as P1 and move it to the top of the sprint. I also notice I promised a customer two weeks ago that I'd add "Vite config scanning" to the Next.js rules. They've used the product three times now and mentioned it in their last feedback form. I move that to this week as well. That's the work of being a solo operator: I'm the product, the support, the sales, the delivery.
2:08 PM - Customer escalation
A notification hits Slack. It's from Alex Chen, who signed up five days ago and has run four scans. They've responded to my morning email with a Slack message asking if I can just scan both the API and the frontend in parallel and merge the results instead of making them pick. The answer is technically yes, but the agent was designed to focus. I reply: "I can do that, but it might bury the important stuff in noise. Let's start with the API - that's usually where the security issues live. We can scan the frontend next if you want."
He replies within two minutes: "You're right. Go with the API."
I manually trigger a rescan of his repo with the correct stack detection. In the admin console, I can override the agent's choices when I need to. This takes five minutes. I set it to rerun the Semgrep rules and the dependency audit, skip the LLM pass because he's already seen it, and hit go. I send him a Slack message: "Rescan is live. Should be done in two minutes. You'll get a fresh report."
I don't charge him for the rescan. He's a customer who's engaged, asking good questions, and learning how to use the product. That's worth more than nineteen dollars.
4:30 PM - Pipeline review
I switch to Stripe and check the day's payment status. The failed charge from Bangalore has a retry scheduled for tomorrow. I could reach out, but I'll wait to see if the retry works. Not every customer issue needs a manual touch; sometimes the system handles it.
I spend forty minutes going through the seventeen Linear issues again. I pick the three smallest ones: fixing a typo in an error message, updating a help doc that's out of date, and patching a bug where the agent sometimes reports CVEs twice if a dependency appears in multiple lockfiles. The double-CVE bug is the real one. I write a fix locally, test it against three sample repos, and push it to production. That takes two hours of focus, so I do it now while I still have energy.
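The double-report bug described above comes down to which fields identify a finding. An added example (not Shipcheck's fix; the field names, package names and advisory IDs are constructed placeholders) that merges duplicates across lockfiles while keeping different resolved versions as separate findings:

```python
# Constructed sample: raw dependency-audit output, one record per lockfile hit.
RAW_FINDINGS = [
    {"ecosystem": "npm", "package": "examplelib", "version": "1.2.0",
     "advisory": "CVE-PLACEHOLDER-1", "lockfile": "api/package-lock.json"},
    {"ecosystem": "npm", "package": "examplelib", "version": "1.2.0",
     "advisory": "cve-placeholder-1", "lockfile": "web/package-lock.json"},
    # Same advisory, different resolved version: a separate upgrade, so a separate finding.
    {"ecosystem": "npm", "package": "examplelib", "version": "1.1.0",
     "advisory": "CVE-PLACEHOLDER-1", "lockfile": "tools/yarn.lock"},
    {"ecosystem": "npm", "package": "otherlib", "version": "2.0.0",
     "advisory": "CVE-PLACEHOLDER-2", "lockfile": "web/package-lock.json"},
]

def dedupe_findings(findings):
    """Collapse findings that differ only by the lockfile they were seen in.

    Identity is (ecosystem, package, version, advisory). The lockfile path is
    evidence, not identity, so it is collected into a list on the merged finding.
    """
    merged = {}
    for f in findings:
        advisory = f["advisory"].upper()  # advisory IDs compare case-insensitively
        key = (f["ecosystem"], f["package"], f["version"], advisory)
        entry = merged.setdefault(key, {
            "ecosystem": f["ecosystem"],
            "package": f["package"],
            "version": f["version"],
            "advisory": advisory,
            "lockfiles": set(),
        })
        entry["lockfiles"].add(f["lockfile"])
    # dicts preserve insertion order, so report order follows first appearance
    return [{**e, "lockfiles": sorted(e["lockfiles"])} for e in merged.values()]

if __name__ == "__main__":
    for finding in dedupe_findings(RAW_FINDINGS):
        print(finding["advisory"], finding["package"], finding["version"],
              "in", ", ".join(finding["lockfiles"]))
```

Keeping every lockfile path on the merged finding matters for the fix: the customer has to bump the dependency in each of them, not only the first one reported.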
I review the week's pipeline. Five leads who submitted the "book a call" form on the website. Three of them are actually operating AI-built apps right now and looking for a vibe-code scanner. One is a security researcher who wants to use Shipcheck for a research paper. One is someone trying to sell me an SEO service. I mark the SEO person as spam and send brief replies to the three real leads: "Happy to help. What's your tech stack?"
6:15 PM - Wrap
I close the Linear issues and glance at the Shipcheck dashboard one more time. Martin finally replied to my morning email. He told me to focus on the frontend. I trigger that scan and send him a note saying it's running. He'll have a report by 9 AM tomorrow.
I think about the day. I fixed a real bug. I helped a customer unblock themselves. I caught two issues the agent missed or got wrong. I reviewed the metrics and they didn't scare me. I refunded one customer and I'm okay with that. I spent maybe two hours on actual code, one hour on customer interactions, and the rest on triage, monitoring, and decisions.
This is not passive income. This is not automation. This is me running a small business with a really good assistant. The agent does the heavy lifting, but I'm the one who knows the product, knows the edge cases, and decides what matters. Some days that feels like the right bargain. Some days I wonder if I should have built something else. Today, though, I'm closing the laptop at a reasonable hour, the numbers are moving, and three customers are happier than they were this morning. That's enough.