The latest articles on DEV Community by Oleksandr Voievodin (@sszz01). https://dev.to/sszz01 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901510%2F37bc5d3c-b411-4b5f-b4ec-2cf592e45743.jpeg https://dev.to/sszz01 en Oleksandr Voievodin Tue, 28 Apr 2026 04:04:27 +0000 https://dev.to/sszz01/i-built-14000-lines-of-code-before-talking-to-a-single-user-heres-what-i-learned-3c17 https://dev.to/sszz01/i-built-14000-lines-of-code-before-talking-to-a-single-user-heres-what-i-learned-3c17 <p>10 weeks ago I was convinced I was building something nobody else had.</p> <p>The idea: a GitHub App that reads every changed Python function in a PR, infers what it should always do — "the total should never be negative", "the result should never be None" — then attacks it with adversarial inputs in a hardened Docker sandbox. Only posts a comment when it has concrete proof something broke. No guessing. No noise. Just:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>LogoMesh found 1 issue Negative quantity bypasses checkout validation Property: Order total should always be ≥ 0 I called: checkout(item_id=1, qty=-5) Got: Order created with total -$49.95 </code></pre> </div> <p>207 unit tests passing. Docker sandbox with nobody user, --network=none, memory caps, randomized filenames. Time-Travel Trace that captures exact variable state at the crash frame. 14,000 lines of code.</p> <p>Zero customer conversations.</p> <p>Then I looked at the real numbers. 90% silence rate on real PRs. Of the findings it did post, most were sandbox artifacts — the tool generating tests that hit its own scaffolding, not real bugs. A validator that drops 86% of raw findings just to keep the noise low. p95 latency of 394 seconds against a 60 second target.</p> <p>Classic mistake. Built first, validated never.</p> <p>So I stopped and started talking to people. What I kept hearing wasn't "I need adversarial testing on my PRs." It was something simpler:</p> <p>"When a prod bug hits I spend 30-45 minutes just writing the repro test before I can even start fixing."</p> <p>Read the Sentry trace. Reconstruct the state. Write a test. Run it. Wrong inputs. Fix the test. Run it again. By the time it reproduces you've lost the whole debugging flow.</p> <p>That's the actual pain. Not catching future bugs — dealing with the ones already in production.</p> <p>So now I'm building something much simpler. Paste a Sentry URL, get a failing pytest that reproduces the exact crash, runs against your current branch, tells you "still reproduces" or "your branch fixed it." One command. Under a minute.</p> <p>The engine I spent four weeks on isn't wasted - the Docker sandbox, the frame locals injection, the binary verdict reliability - those are exactly what make this work. The positioning just changed completely.</p> <p>The question I'm still trying to answer:</p> <p>Is the 30-45 minute manual repro step a universal pain or just my workflow being slow? Do you write a reproducing test before fixing a prod bug, or do you just read the trace, push the fix, and monitor?</p> <p>Genuinely trying to figure out if I'm solving a real problem this time before writing another 14,000 lines nobody asked for.</p> learning python showdev testing