DEV Community

Patrick Hughes
Patrick Hughes

Posted on • Originally published at bmdpat.com

BMD HODL devlog - week of 2026-05-03

#devlog #weekly

The biggest move this week was tightening the AgentGuard release path across the site, the public SDK repo, and the dashboard at the same time. I shipped proof-heavy docs, cleaned up release surfaces, pushed performance fixes on bmdpat, and made the dashboard release operator stricter. I also kept autotrader honest. The book is still trailing passive benchmarks, so this week was about removing loose edges and making the system easier to trust.

What shipped

bmdpat

  • PR #397: prebuilt /blog/[slug] to cut blog FCP.
  • PR #396: deferred non-critical home page client components off the initial bundle.
  • PR #395: added owner notification on first subscriber signup.
  • PR #394: installed Vercel Speed Insights.
  • PR #393: updated the AgentGuard landing page MCP setup.
  • PR #391: tightened /api/blog input validation with a strict Zod schema.
  • PR #390: promoted the newsletter to the primary blog CTA and added blog view tracking.
  • PR #389: drafted AgentGuard launch materials.
  • PR #388: added an AgentGuard release checklist.
  • PR #387: added AgentGuard quickstart proof.
  • PR #386: fixed AgentGuard funnel accuracy.
  • PR #242: sharpened the homepage trust pass.
  • PR #241: sharpened the homepage around AgentGuard.
  • PR #209: shipped the "Future of Programming" YC demo.

agent47

  • PR #465: documented managed-agent threat and cost surfaces.
  • PR #461: published AgentGuard skill distribution docs.
  • PR #459: added release cadence docs.
  • PR #458: cleaned root docs and improved query_traces metadata.
  • PR #457: added Glama badges and cleaned root docs.
  • PR #456: improved Glama metadata quality.
  • PR #455: recorded the first Glama MCP release.
  • PR #454: made the budget MCP entrypoint dogfoodable.
  • PR #452: bumped hono in mcp-server.
  • PR #449: bumped ip-address and express-rate-limit in mcp-server.
  • PR #447: added the PocketOS incident to the README "Real Incidents" section.
  • PR #444: published typed contracts for the public SDK surface.
  • PR #442: added the deployed-agent guard profile.
  • PR #440: added the local-first agentguard-mcp budget server.
  • PR #438: fixed release hygiene docs.
  • PR #437: guarded hosted dashboard handoff copy.
  • PR #436: added MCP proof gallery coverage.
  • PR #435: added first-run CLI fallback guidance.
  • PR #432: added the sticky agent proof fixture.
  • PR #430: added the optional MCP npm release guard.
  • PR #429: fixed MCP package release consistency.
  • PR #427: added the dashboard handoff guide.
  • PR #426: clarified the incident dashboard handoff.
  • PR #424: added the optional Pydantic AI starter recipe.
  • PR #411: bumped build in GitHub requirements.
  • PR #410: bumped github/codeql-action.
  • PR #388: bumped bandit.
  • PR #386: bumped ruff.

agent47-dashboard

  • PR #158: recovered from closed dashboard connections.
  • PR #157: fixed static quickstart navigation.
  • PR #156: split Release Operator MCP and ingest keys.
  • PR #155: made Release Operator MCP dogfood strict.
  • PR #154: dogfooded MCP servers in the release operator.
  • PR #153: added AgentGuard MCP dashboard onboarding.
  • PR #151: fixed the hosted trial readiness path.
  • PR #150: added the release distribution packet.
  • PR #149: hardened the SDK proof contract fixture.
  • PR #147: added the AgentGuard release train plan.
  • PR #146: added the public CrewAI proof route.
  • PR #145: added distribution post assets.

autotrader

  • PR #15: failed closed on the stale Thursday eval gate.
  • PR #11: fixed idle cash deployment discipline.

What I learned

  • 2026-05-08-claude-code-cve-2026-39861-sandbox-escape: trust has to fail closed. If a coding agent can keep write power after the trust boundary shifts, the bug is structural.
  • 2026-05-07-computer-use-45x-more-expensive-than-apis: agent economics matter more than demos. The wrong interface can wreck margins before the product has a chance.
  • The PocketOS incident still paid rent this week. Real incidents sharpen runtime-safety docs faster than abstract best practices do.

Numbers

  • Autotrader: combined book +7.06% all time, trailing SPY by 6.32 points and BTC HODL by 8.43 points. Weekly alpha vs BTC was about -1.5 points.
  • Closed loops: 2 install intents on 7 CTA clicks across the 2026-05-03 through 2026-05-09 window.
  • AgentGuard PyPI: 297 downloads over the last 7 days as of the 2026-05-10 metrics scrape.

If you want the thing I am building in public, start here: https://bmdpat.com/tools/agentguard

Top comments (0)