u/maloik

Guardrails to ensure everything that's added works and fits an MVP?

Hi everyone,

Over the past couple of months I've tried bootstrapping applications a few times with AI. I would typically spar with ChatGPT a few times and then get it to output text documents that give information about the product or business, and another that contains a plan. I then get a coding agent to implement the plan phase by phase.

My most recent attempt is something I will probably end up releasing for real. I tried even harder to keep some guardrails in place, to really come up with a structured approach for building out various features for an MVP - all while still trying to get AI to do most of the work autonomously. The plan was to review the product first, and then once the product is acceptable, review the code behind it.

The other day I started that review, and oh boy this thing is quite the monstrosity.

There's a ton of taglines and copy all over the application that's unnecessary and sounds really try-hard, clearly AI written.

There are things on nearly every page that look like a feature; however, it turns out they're hardcoded. A user is displayed with a title behind their name, but there's no title field anywhere in the database (and we don't even need to display a title, it makes no sense). There's a "readiness check" somewhere that could be interesting at some point... but not for an MVP, and not if it's hardcoded in the markup.

The list goes on.

I'm just curious, how does everyone else start these projects from scratch and ensure that the things that get built are real, and necessary for an MVP to begin with?

My current plan is to move it all into a "legacy" folder or something, so it can be referenced... but otherwise just start over and hold its hand. I'd go through it like a real user would, from registration and sign-in, through onboarding, and really using the application. Basically laying out the rails in front of a moving train, building the next thing a user would use but doesn't exist yet.

It's quite unfortunate because none of this stuff is really that mind-blowing, but I just can't seem to stop AI from building mockups rather than proper services. I need better guardrails, or a better approach.

EDIT:

In case the problem I'm running into wasn't clear, here's an example I posted in a comment:

Let's pretend I'm building a social network. There's a phase for registration and authentication, a phase for "friends", etc. We then get to the phase for a timeline, and at that point AI might implement a model for posts, the views to create a post, and the timeline view. However for some reason it seems it might then also start adding sections on the timeline with stuff like engagement statistics... which is great and all except that's a feature that is so far out of scope of an MVP I'm not even thinking about it at all, but what's worse is that the statistics are simply hardcoded - based on nothing. It's just text on the page.

reddit.com
u/maloik — 5 hours ago
▲ 2 r/SaaS

Have you ever received security/compliance questionnaires from potential customers?

Hi folks,

When hospitals, large enterprises, or other regulated companies are looking to buy software, they need to do some due diligence on this potential vendor. That can come in all sorts of formats, but my understanding is that smaller vendors that are not themselves fully regulated are likely to receive some sort of questionnaire in order to collect evidence of how their security practices work.

I'm hoping to collect some of these documents, whether they're already filled in or still blank.

Would anyone be willing to email me some of these examples, whether they're documents you've received or perhaps even sent to your own (prospective) suppliers?

Is this something that you've received before?

Thank you!

u/maloik — 6 days ago
▲ 5 r/grc

Looking for some examples of questionnaires NIS2-adjacent vendors may receive

Hi folks,

My understanding is that if you're a SaaS vendor or IT shop that is looking to become a supplier for NIS2 entities, you are highly likely to receive some sort of questionnaire so your prospective customer can do their due diligence.

In other words: the company receiving the documents I'm after is not itself considered an Essential or Important entity under NIS2, but it would like to become a vendor to a company that is.

I'm hoping to collect some of these documents, whether they're already filled in or still blank.

Would anyone be willing to email me some of these examples, whether they're documents you've received or perhaps even sent to your own (prospective) suppliers?

Thank you!

u/maloik — 6 days ago
▲ 3 r/mcp

MCP servers and authentication

I only recently started looking into how MCP servers really work and one of the things AI said that stood out to me is that MCPs are more about workflows and outcomes, whereas APIs are more low-level building blocks that make up a service. One of the "symptoms" of this is that APIs are fairly likely to expose the very resources/classes that make up the service in a very CRUD-like manner.

As I was thinking about this a bit more I realized that for a lot of these workflows, there are big differences in how risky they are. I'll give an example: let's say your company offers a pretty classic SaaS that is mostly CRUD, and it has an API. You want your (often non-technical) customers to be able to interact with your service in their LLM of choice, whether it be Claude Desktop or ChatGPT for example. So you build an MCP.

Reading information is pretty straightforward, and not super risky necessarily. But creating a record is a bit riskier, so perhaps instead of just making that change immediately you have the LLM first explain what it intends to do, and then ask for confirmation.

Deleting resources is another story. Maybe you want to pull that out of the LLM altogether, or even have an "admin" kind of person approve the requested action.

So immediately I thought, maybe that'd be a cool and useful thing to build. I vibe-coded a simple web application, a fake api, and an MCP server to try things out. I came up with a schema of sorts to define all this, and a little inbox kind of page for the requests to be approved, either by the same user who requested them or even an admin in their team.

Then as I started wiring things up I started finding the rough edges, which is where my understanding of such a system fell apart quickly: not only would the MCP server need to be installed with the customer's personal API key to this service, they would also need to authenticate themselves with this approval service. And then since the approvals live in that service, it would in turn ALSO have to know this customer's API key, and their identity on the LLM level.

You'll probably see by that fuzzy last paragraph why my understanding fell apart.

I'm hoping anyone can explain how that could technically fit together, and whether or not there's the possibility for that to be solved in a way that the UX isn't terrible.

Is there a way to make something like that that is sort of plug and play, without a whole bunch of difficult configuration for the user of the LLM?

EDIT: I wanted to clarify something - I am mostly talking about HOSTED/remote MCP servers, to make it easier to deploy changes everywhere - the approval service, the capabilities of the MCP itself, and the service the MCP is for. And after all, I think if there's an easy way for people to add these, that's likely much easier than having people configure local MCP servers or dealing with configuration and whatnot.
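An added sketch of the tiered gate this post describes (my own illustration, not the poster's code and not any MCP library's API): tool calls are tagged read/create/delete, reads run at once, creates wait for the requesting user to confirm, deletes wait for a team admin. The approval service holds only the request and its status; the customer's upstream API key stays with the MCP server, which calls upstream only after the gate reports approval. Tool names, users and teams are constructed for the example.

```python
from dataclasses import dataclass
import itertools

# Hypothetical tool catalogue for the CRUD-style SaaS described in the post:
# "read" runs immediately, "create" waits for the requesting user to confirm,
# "delete" waits for a team admin to approve.
TOOL_RISK = {"list_invoices": "read", "create_invoice": "create",
             "delete_invoice": "delete"}

@dataclass
class Request:
    id: int
    user: str    # identity the MCP server verified for this session
    team: str
    tool: str
    status: str  # "approved", "pending" or "denied"

class ApprovalGate:
    def __init__(self, admins):  # team -> set of admin user ids
        self.admins, self.inbox, self._ids = admins, {}, itertools.count(1)

    def submit(self, user, team, tool):
        risk = TOOL_RISK.get(tool)
        if risk is None:
            status = "denied"  # unknown tool: fail closed
        else:
            status = "approved" if risk == "read" else "pending"
        req = Request(next(self._ids), user, team, tool, status)
        self.inbox[req.id] = req
        return req

    def approve(self, req_id, approver):
        req = self.inbox[req_id]
        if req.status != "pending":
            return False
        risk = TOOL_RISK[req.tool]
        if risk == "create" and approver != req.user:
            return False  # only the requester may confirm a create
        if risk == "delete" and approver not in self.admins.get(req.team, ()):
            return False  # deletes need a team admin
        req.status = "approved"
        return True

def execute(gate, req_id):
    # MCP-server side: the upstream call and the customer's API key live here,
    # and it runs only once the gate has marked the request approved.
    req = gate.inbox[req_id]
    if req.status != "approved":
        return None
    return f"{req.tool} as {req.user}"  # stand-in for the real upstream call
```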

u/maloik — 7 days ago