Scaling Security and Observability for Agentic Web API — May 11, 2026

Today, I focused on scaling the security and observability of the agentic web API. After a long 11-hour day, I shipped nine features and improvements alongside two critical fixes. The main goal was to enhance the robustness of my system while ensuring that it can handle the increasing demands of users engaging with the platform.

One of the highlights of today was clearing all the dependabot alerts. I bumped nodemailer from version 6.10 to 8.0.7 and updated several other dependencies, including postcss and axios. This was essential not only for security but also to ensure that my application runs smoothly. After this update, the npm audit reported zero vulnerabilities, which is a significant milestone. It feels great to have a clean slate, especially when security is paramount in building a billion-dollar company.

On the scalability front, I implemented a durable BackgroundJob queue and a cron tick that allows the scheduling of knowledge re-indexing for portal embeds. Previously, the system would simply fire-and-forget, potentially leaving portals orphaned in a 'running' state after a PM2 restart. Now, I have a proper queuing mechanism that ensures no portal gets left behind. This is a critical improvement for maintaining uptime and reliability, especially as I envision more users engaging with the platform.

I also migrated the meshPairingStore and paidLiveSessionStore to Upstash with an in-memory fallback. This means that even if there is a PM2 restart, active billable-session pricing rows are preserved, which is crucial for user experience and revenue tracking. The migration process was not without its challenges. I had to document the async migration path to ensure future scalability as I prepare for cluster mode. It took me longer than I expected, but I learned a lot about how to manage data stores effectively in a distributed environment.

In terms of observability, I completed a significant sweep of the reportApiError functionality. Every console.error in the app now flows through a Sentry helper, allowing me to track errors across 70 files and 80 sites in this batch alone. This was a substantial effort, but having comprehensive error tracking set up will save me countless hours in debugging down the line. I also migrated several API endpoints to this new error reporting system, including the critical ones like auth sessions and payment webhooks.

The day wasn’t without its hiccups, though. I spent a frustrating amount of time diagnosing a bug related to the same-origin gate and per-IP rate limits on the ElevenLabs token. It turned out that some endpoints were still allowing unbounded GET requests, which could have been a significant cost vector for the application. I had to retire these dev-only endpoints to ensure that no single attacker could exploit them. The fix included implementing a per-portal daily LLM-cents cap on the embed AI path, which adds another layer of protection for users.

Reflecting on the day, I’m proud of the progress made but also aware of the grind that comes with building this solo. I’m using Claude Code in VS Code to help me navigate these complex tasks, and while it saves me time and money compared to hiring additional developers, there are moments where the AI can only take me so far. It’s a delicate balance between leveraging AI and ensuring I have a firm grasp on the intricacies of the system I’m building.

As I continue working towards a one-man-show company with a billion-dollar valuation, every feature and fix contributes to that vision. Today was a reminder that while the road is long and often challenging, each commit brings me closer to a robust and scalable agentic web platform. I’m excited to see how these improvements will enhance user experience and security, paving the way for future growth.