<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Xin Qi</title>
    <description>The latest articles on DEV Community by Xin Qi (@ethan_0422).</description>
    <link>https://dev.to/ethan_0422</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4033101%2Fba51d96e-7c9c-4809-b464-1894d3361fbe.jpg</url>
      <title>DEV Community: Xin Qi</title>
      <link>https://dev.to/ethan_0422</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ethan_0422"/>
    <language>en</language>
    <item>
      <title>Six months ago I couldn't code. Now I run 12 companies' software on Claude Code. Here's what production taught me.</title>
      <dc:creator>Xin Qi</dc:creator>
      <pubDate>Fri, 17 Jul 2026 04:58:31 +0000</pubDate>
      <link>https://dev.to/ethan_0422/six-months-ago-i-couldnt-code-now-i-run-12-companies-software-on-claude-code-heres-what-56d4</link>
      <guid>https://dev.to/ethan_0422/six-months-ago-i-couldnt-code-now-i-run-12-companies-software-on-claude-code-heres-what-56d4</guid>
      <description>&lt;p&gt;&lt;em&gt;What actually breaks when you take an AI coding agent from demos to production — and what held up.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How I got here
&lt;/h2&gt;

&lt;p&gt;I'm not an engineer. In January I was a business owner who couldn't write a line of code and didn't know what a database schema was. Six months later, the complete software stack of 12 small companies — multi-tenant ERPs handling live purchase orders and inventory, customer-facing SaaS products, PWAs running on shop-floor tablets, e-commerce sites — runs on software built and operated almost entirely through Claude Code.&lt;/p&gt;

&lt;p&gt;This is not a "look how easy AI makes everything" post. The agent writes better code than I ever will. What it doesn't do — what nothing does for you — is build the &lt;em&gt;habit of verification&lt;/em&gt;. Every painful incident I've had traces back to a check that nobody (me) thought to run. The agent is rarely the bottleneck; the absence of an audit habit is.&lt;/p&gt;

&lt;p&gt;Here are the three lessons that cost me real production incidents, and the boring, repeatable procedures that now prevent them.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lesson 1: Staging environments lie the moment you stop enforcing them
&lt;/h2&gt;

&lt;p&gt;Early on I did what the tutorials say: spin up a staging clone, test there, then deploy. For a while it worked.&lt;/p&gt;

&lt;p&gt;Then a release passed staging clean and broke production anyway. Root cause: weeks earlier, a manual fix had been run directly on staging and never back-ported. The schema had quietly diverged three migrations back. The clone wasn't a clone anymore — it was a diorama.&lt;/p&gt;

&lt;p&gt;The fix wasn't "maintain staging harder." Parity is a discipline, not an environment, and a solo operator will always lose that discipline race. What actually holds up:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Feature flags&lt;/strong&gt; so risky changes ship dark and enable separately from deploying&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A pre-flight check that fails loudly&lt;/strong&gt; if migration state doesn't match expectations before anything runs&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A fast, rehearsed rollback path&lt;/strong&gt; — not a theoretical one&lt;/li&gt;
&lt;li&gt;Testing against &lt;strong&gt;production under guardrails&lt;/strong&gt;: tagged test emails, zero-amount or sandboxed payments, and a baseline snapshot so every piece of test data is identifiable and removable afterward&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A "safe" environment nobody audits is worse than no safe environment, because it manufactures false confidence.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lesson 2: Silent mutation failures are the #1 trust killer
&lt;/h2&gt;

&lt;p&gt;The incident that burned the most goodwill wasn't a crash. It was a save button.&lt;/p&gt;

&lt;p&gt;It returned success. The UI looked fine. But the write had failed a validation check three layers down, and the error was swallowed — caught, logged nowhere useful, surfaced to no one. The user assumed their data was saved. They found out a week later when a number on an invoice was wrong.&lt;/p&gt;

&lt;p&gt;Here's the thing about non-technical users (I was one, six months ago): they cannot distinguish "broken" from "slow" from "fine" without an explicit signal. A quiet data loss with no error banner doesn't read as a bug — it reads as &lt;em&gt;the new system can't be trusted&lt;/em&gt;, and that reputation never fully recovers.&lt;/p&gt;

&lt;p&gt;The rule that came out of it: &lt;strong&gt;every write path surfaces success or failure to the user, no exceptions.&lt;/strong&gt; No silent 200s on failed writes. No bare &lt;code&gt;catch {}&lt;/code&gt;. During testing, loud and annoying beats quietly wrong, every single time.&lt;/p&gt;

&lt;p&gt;The audit for this is mechanical enough that an agent does it well: inventory every mutation entry point (server actions, API handlers, RPC calls, form submits), classify each one as surfaced or silent, fix the silent ones with one consistent error-to-UI convention — then verify by &lt;em&gt;forcing&lt;/em&gt; failures (kill the network, revoke a permission, send bad input) and confirming red state actually appears.&lt;/p&gt;

&lt;h2&gt;
  
  
  Lesson 3: Permission bugs live in the corners nobody clicks
&lt;/h2&gt;

&lt;p&gt;None of my access-control bugs were in main flows. Main flows get exercised hundreds of times a day; they self-correct fast.&lt;/p&gt;

&lt;p&gt;The bugs were in the corners: the settings page nobody visits, the admin route that got a new sibling page months later which never inherited the guard, the API endpoint a button used to call — the button is gone, the endpoint is still live. One of those had been quietly exploitable for months.&lt;/p&gt;

&lt;p&gt;The only thing that catches these is a &lt;strong&gt;full route × role sweep&lt;/strong&gt;, done systematically: enumerate every route (crawl the running app — static analysis misses dynamically-registered pages), enumerate every role, drive a real logged-in session through every combination, and attempt the &lt;em&gt;forbidden writes directly&lt;/em&gt; — not just checking whether a button is hidden, but whether the server actually refuses the request. Then persist the harness in the repo so the next sweep is one command instead of an archaeology project.&lt;/p&gt;

&lt;p&gt;"I think I tested that" is not a security model.&lt;/p&gt;

&lt;h2&gt;
  
  
  What made this scale to 12 companies instead of collapsing at 3
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Checklists beat cleverness.&lt;/strong&gt; The same five or six audit types, applied identically everywhere. Nothing bespoke.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The agent's output is a draft until verified.&lt;/strong&gt; Every time. Not just when something feels risky — feelings are exactly what miss the corner cases.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A human stays in the loop for the irreversible:&lt;/strong&gt; production data mutations, money, anything touching customer PII.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  If you're starting this today
&lt;/h2&gt;

&lt;p&gt;Start the audit habit before the first incident, not after. Small, boring, repeatable checks — schema drift, silent errors, route permissions, migration safety — beat heroic one-off code reviews every time.&lt;/p&gt;

&lt;p&gt;I eventually packaged the exact workflows I run into 12 Claude Code skills (drop-in &lt;code&gt;.claude/skills/&lt;/code&gt; folders). The deploy-failure-diagnosis one is &lt;a href="https://qxplorer7.gumroad.com/l/deploy-doctor" rel="noopener noreferrer"&gt;free — pay what you want, $0 is fine&lt;/a&gt; if you want to see the format. The &lt;a href="https://qxplorer7.gumroad.com/l/claude-production-pack" rel="noopener noreferrer"&gt;full pack is $29&lt;/a&gt;. One line of pitch and no more: it's the audits I actually run, not a course.&lt;/p&gt;

&lt;h2&gt;
  
  
  Disclosure
&lt;/h2&gt;

&lt;p&gt;This article was drafted with Claude's help and edited by me. The incidents are real and happened on real systems; details are genericized to protect the businesses involved. If you have questions about any specific failure mode, ask in the comments — that's the part I actually enjoy talking about.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>productivity</category>
      <category>programming</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
