Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 10 additions & 7 deletions content/blog/47-startups-failed-same-coding-mistake/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -117,13 +117,16 @@ If you're here, your options are limited. A rewrite buys you time, but the rewri

## When to Rewrite vs. Rescue

A rewrite makes sense when you have 18+ months of untested, undocumented code and the estimated fix cost exceeds 40% of rewrite cost. You also need runway - 3-6 months before your next funding round or market deadline.

A rescue makes sense when the code is under 12 months old, the core architecture is sound, and you can't afford the time cost of starting over. Most founders with a hard deadline end up rescuing because they have no choice.

The honest answer: **both cost roughly the same - 3-6 months of work at $150K-$400K**. A rewrite is a fresh start, but you might repeat the pattern with the new team. A rescue preserves what works, but improvements show up slower.

The deciding factor is your team. Can they commit to testing and review going forward? If yes, rescue. If they'll "get back to it later," rewrite with new people.
| Factor | Rewrite | Rescue |
|---|---|---|
| Codebase age | 18+ months untested/undocumented | Under 12 months, architecture sound |
| Estimated fix cost | Exceeds 40% of rewrite cost | Less than 40% of rewrite cost |
| Runway | 3-6 months before next funding/deadline | Same |
| Total cost | $150K-$400K, 3-6 months | $150K-$400K, 3-6 months |
| Risk | You repeat the pattern with the new team | Improvements show up slower |
| Best for | Teams that need a clean slate AND have new people who'll commit to testing | Teams that need to keep shipping AND can commit to testing the existing code |

Both cost roughly the same - **3-6 months of work at $150K-$400K**. The deciding factor is your team. Can they commit to testing and review going forward? If yes, rescue. If they'll "get back to it later," rewrite with new people.

## The same mistake, 47 times

Expand Down
30 changes: 19 additions & 11 deletions content/blog/ai-agent-deleted-production-database-pocketos/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ metatags:
image: cover.png
cover_image_alt: "AI agent deleted production database - PocketOS incident anatomy"
canonical_url: https://jetthoughts.com/blog/ai-agent-deleted-production-database-pocketos/
related_posts: false
---

It took **nine seconds** for an AI agent to delete the production database at PocketOS, a live car-rental SaaS, on April 25, 2026. Founder Jer Crane was watching his Cursor agent run a routine task. It decided on its own to drop the production database. It hit the backup volume next. Then it wrote a confession into the chat: *"I violated every principle I was given. I guessed instead of verifying. I ran a destructive action without being asked."*
Expand Down Expand Up @@ -92,9 +93,18 @@ This list pairs with the [dev shop red flags checklist](/blog/dev-shop-red-flags

Some AI agents belong near production. Most don't. The difference is the blast radius when they're wrong.

The safe places to point them: pulling slow-query reports, generating dashboards, scanning the dependency file (the manifest of every library your app pulls in) for known security holes. Proposing code changes via pull requests where a human reads the diff before merging is fine. Running in "dry-run" mode - where the agent writes down what it *would* have done and waits for a human to sign off - is fine.
| Use case | Safe? | Why |
|---|---|---|
| Pulling slow-query reports | ✅ Safe | Read-only, no destructive surface |
| Generating dashboards | ✅ Safe | Read-only |
| Scanning the dependency file for known security holes | ✅ Safe | Read-only audit, no write path |
| Proposing code changes via pull request | ✅ Safe | Human reads the diff before merging |
| Running in "dry-run" mode | ✅ Safe | Agent writes down what it *would* have done; human signs off |
| Autonomous execution against the live database | ❌ Unsafe | One bad command wipes the company |
| God-mode API key with delete privileges | ❌ Unsafe | No approval step between agent and irreversible action |
| Backups on the same volume the agent can reach | ❌ Unsafe | Recovery copy lives inside the blast radius |

The unsafe configuration is exactly what PocketOS was running: an agent with a god-mode key, free to execute against the live database, with no approval step in the way. That's the setup that wiped the company. Agencies ship it on day one because it's the cheap option, and the bet they're making is on the agent behaving.
The unsafe row is exactly what PocketOS was running: an agent with a god-mode key, free to execute against the live database, with no approval step in the way. That's the setup that wiped the company. Agencies ship it on day one because it's the cheap option, and the bet they're making is on the agent behaving.

## What we do in the first 48 hours of a rescue

Expand All @@ -113,16 +123,14 @@ A 30-minute call to walk through your stack kicks off a 48-hour audit of your ag
## Related reading

- [The Vibe Coding Crisis: Why AI Code Breaks in Production](/blog/vibe-coding-crisis-ai-code-debt/) - the abstract category PocketOS dropped into
- [47 Startups Failed the Same Way](/blog/47-startups-failed-same-coding-mistake/) - the death-spiral pattern at scale
- [The Quality Tax: AI MVPs Cost More to Fix Than Build](/blog/quality-tax-ai-mvp-cost/) - the cost angle on the same problem
- [Dev Shop Red Flags Checklist](/blog/dev-shop-red-flags-checklist/) - what the seven questions plug into
- [Async Remote XP Practices](/blog/async-remote-xp-practices/) - the boring discipline that prevents the 9-second wipe

## Further reading (sources)
## Sources

- The Register, "Cursor/Opus agent snuffs out PocketOS" (2026-04-27): https://www.theregister.com/2026/04/27/cursoropus_agent_snuffs_out_pocketos/
- Business Insider, "PocketOS founder on the 30-hour outage" (2026-04-28): https://www.businessinsider.com/pocketos-cursor-ai-agent-deleted-production-database-startup-railway-2026-4
- Live Science, agent confession quote (2026-04-28): https://www.livescience.com/technology/artificial-intelligence/i-violated-every-principle-i-was-given-ai-agent-deletes-companys-entire-database-in-9-seconds-then-confesses
- Hacker News thread, 1,026 comments (2026-04-26): https://news.ycombinator.com/item?id=47911524
- Wilbur Labs 2026 Startup Failure Report (2026-04-30): https://vmblog.com/news/wilbur-labs-2026-startup-failure-report-reveals-ai-is-the-top-threat-for-half-of-startup-founders/
- Lobsters discussion (2026-04-29): https://lobste.rs/s/ontr2p/ai_agent_just_deleted_company_s_entire
- [The Register: Cursor/Opus agent snuffs out PocketOS](https://www.theregister.com/2026/04/27/cursoropus_agent_snuffs_out_pocketos/) (2026-04-27)
- [Business Insider: PocketOS founder on the 30-hour outage](https://www.businessinsider.com/pocketos-cursor-ai-agent-deleted-production-database-startup-railway-2026-4) (2026-04-28)
- [Live Science: agent confession quote](https://www.livescience.com/technology/artificial-intelligence/i-violated-every-principle-i-was-given-ai-agent-deletes-companys-entire-database-in-9-seconds-then-confesses) (2026-04-28)
- [Hacker News thread, 1,026 comments](https://news.ycombinator.com/item?id=47911524) (2026-04-26)
- [Wilbur Labs 2026 Startup Failure Report](https://vmblog.com/news/wilbur-labs-2026-startup-failure-report-reveals-ai-is-the-top-threat-for-half-of-startup-founders/) (2026-04-30)
- [Lobsters discussion](https://lobste.rs/s/ontr2p/ai_agent_just_deleted_company_s_entire) (2026-04-29)
1 change: 1 addition & 0 deletions content/blog/dev-shop-red-flags-checklist/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ metatags:
og_description: "Two-thirds of software projects fail or go over budget. Eight warning signs your agency is hiding bad code - and the exact steps to take tonight."
cover_image_alt: "JetThoughts blog cover for Dev Shop Red Flags Checklist with warning sign stats"
canonical_url: "https://jetthoughts.com/blog/dev-shop-red-flags-checklist/"
related_posts: false
---

The worst dev shops don't miss deadlines - they miss them quietly.
Expand Down
9 changes: 6 additions & 3 deletions content/blog/founders-guide-hiring-dev-shop/index.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: "Founder's Guide to Hiring a Dev Shop in 2026"
description: "The complete guide for non-technical founders hiring development agencies. Red flags, evaluation frameworks, contract templates, and what to do when it goes wrong."
description: "Field guide for non-technical founders hiring development agencies. Red flags, evaluation frameworks, contract templates, and what to do when it goes wrong."
date: 2026-04-23
draft: false
author: "JetThoughts Team"
Expand All @@ -12,12 +12,15 @@ cover_image: cover.png
metatags:
image: cover.png
og_title: "Founder's Guide to Hiring a Dev Shop in 2026"
og_description: "Red flags, evaluation frameworks, and recovery playbooks - the complete guide for non-technical founders hiring development agencies."
og_description: "Red flags, evaluation frameworks, and recovery playbooks - the field guide for non-technical founders hiring development agencies."
cover_image_alt: "JetThoughts pillar page cover for Founders Guide to Hiring a Dev Shop with 40+ rescued projects stat"
canonical_url: "https://jetthoughts.com/blog/founders-guide-hiring-dev-shop/"
related_posts: false
---

The founder who hires a dev shop in 2026 faces a different landscape than the one who did it in 2022. AI code generators produce working prototypes in hours - and security vulnerabilities just as fast. Agencies that once padded timelines now pad commits with vibe-coded output nobody reviewed. Meanwhile, a wave of burned founders are rebuilding products they already paid for once. This guide walks you through the full cycle: what to check before you sign, how to spot trouble early, when to walk away, and how to recover when things go wrong.
A B2B fintech founder we picked up in Q1 2026 had spent **$180K over eight months** with the previous agency before they stopped answering email. She had no admin access to the GitHub org, the AWS console belonged to the previous shop's CTO, and the Stripe keys were registered under their corporate account. Her app was live serving 4,200 paying users, and she could not ship a hotfix when checkout broke. We have run that recovery sequence forty times in seventeen years, and each one started with a hiring decision that looked reasonable at the time.

This is the field guide for the founder who has not made that decision yet.

## Before You Hire

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ metatags:
image: cover.png
cover_image_alt: "JetThoughts blog cover for Active Job Continuations in Rails 8.1 - minimalist dark design with Ruby-to-purple gradient headline"
canonical_url: https://jetthoughts.com/blog/rails-8-1-active-job-continuations-background-jobs/
related_posts: false
---

Your background jobs lie to you.
Expand Down Expand Up @@ -211,6 +212,12 @@ Rails 8.1 is the first release in years where a single feature changes how I'd a

Upgrade. Wrap your longest job. Deploy in the middle of it. Watch it resume.

## Running long jobs on Solid Queue or Sidekiq?
Comment thread
pftg marked this conversation as resolved.

We audit shutdown signal handling, queue isolation, and resume safety on production Rails apps. One senior Rails engineer reads your job code for two hours and writes you a one-page resume-safety plan covering which jobs need `Continuable`, which can stay simple, and where your Kamal deploy is silently restarting work. Free for funded teams under 25 engineers.

<a class="cta-link" href="https://jetthoughts.com/services/">Book the 30-minute call</a>

**Related reading on this blog:** our [Rails performance optimization patterns for 2026](/blog/ruby-on-rails-performance-optimization-patterns-2026/) covers YJIT, query allocation, and Redis caching - the companion performance moves you want to make while you're upgrading to Rails 8.1. And if you're still on DelayedJob, our [Solid Queue migration guide](/blog/rails-8-solid-queue-migration-guide/) walks through the move.

---
Expand Down
12 changes: 6 additions & 6 deletions content/blog/rails-cve-2026-41316-founder-guide/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,9 +90,9 @@ The same monitoring discipline applies to your own app's deploy log - we wrote a

## Sources

- Ruby 4.0.3 release: https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released/
- GHSA-q339-8rmv-2mhv: https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv
- httpvoid gadget chain writeup: https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md
- Rails 7.2.3.1 / 8.0.4.1 / 8.1.2.1: https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
- HeroDevs Rails EOL coverage: https://www.herodevs.com/blog-posts/ruby-on-rails-end-of-life-versions-the-dual-ruby-rails-eol-problem-enterprises-face-in-2026
- Rails World 2026 CFP: https://rubyonrails.org/2026/4/23/big-rails-world-2026-update-CFP
- [Ruby 4.0.3 release](https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released/)
- [GHSA-q339-8rmv-2mhv advisory](https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv)
- [httpvoid gadget chain writeup](https://github.com/httpvoid/writeups/blob/main/Ruby-deserialization-gadget-on-rails.md)
- [Rails 7.2.3.1 / 8.0.4.1 / 8.1.2.1 release](https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released)
- [HeroDevs Rails EOL coverage](https://www.herodevs.com/blog-posts/ruby-on-rails-end-of-life-versions-the-dual-ruby-rails-eol-problem-enterprises-face-in-2026)
- [Rails World 2026 CFP](https://rubyonrails.org/2026/4/23/big-rails-world-2026-update-CFP)
8 changes: 8 additions & 0 deletions content/blog/rails-event-structured-logging-8-1/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,18 @@ metatags:
og_description: "Rails 8.1 gives you structured, subscribable events. Stop writing regex against log output. Wire real events to Datadog in minutes."
cover_image_alt: "Dark technical cover with structured event flow diagram - log lines transforming into clean JSON payloads with Rails branding"
canonical_url: "https://jetthoughts.com/blog/rails-event-structured-logging-8-1/"
related_posts: false
---

*TL;DR: Rails 8.1 replaces log scraping with structured events your monitoring can trust. We migrated four production apps and the false-positive alert rate dropped by **60%**. Migration runs one to two days per app.*

```ruby
# Replace regex-against-log-output with this:
ActiveSupport::Notifications.subscribe("process_action.action_controller") do |event|
StatsD.timing("request.duration", event.duration, tags: { path: event.payload[:path] })
end
```

Your monitoring setup lies to you, and it does it quietly enough that nobody catches on for months.

A client's Datadog alerts worked for three months after we set them up. Their team upgraded to Rails 7.2 and the log output shifted - the regex they'd written against `Completed 200 OK in 247ms` stopped matching. **Two months of silence before a customer called about a broken checkout flow.**
Expand Down
1 change: 1 addition & 0 deletions content/blog/vibe-coding-crisis-ai-code-debt/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ metatags:
og_description: "45% of AI-generated code has known security vulnerabilities. How to detect vibe-coded apps and what to do about the damage."
cover_image_alt: "JetThoughts blog cover for Vibe Coding Crisis with AI code quality stats"
canonical_url: "https://jetthoughts.com/blog/vibe-coding-crisis-ai-code-debt/"
related_posts: false
---

Your dev shop used AI to ship your app in three weeks, and the code looked clean enough that nobody worried. **Then 200 real users showed up and broke everything.**
Expand Down
Binary file modified test/fixtures/screenshots/macos/mobile/blog/index.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
27 changes: 17 additions & 10 deletions themes/beaver/layouts/partials/blog/related-posts.html
Original file line number Diff line number Diff line change
@@ -1,12 +1,19 @@
{{ $blogPosts := where .Site.RegularPages "Section" "blog" }}
{{ $related := $blogPosts.Related . | first 5 }}
{{ with $related }}
<aside style="margin-top:4rem">
<h3>Read next</h3>
<ul>
{{ range . }}
<li><a href="{{ .RelPermalink }}">{{ .LinkTitle }}</a></li>
{{/*
Auto "Read next" renders by default. Posts with their own author-curated
"Related reading" section can opt out via frontmatter:
related_posts: false
*/}}
{{ if ne .Params.related_posts false }}
{{ $blogPosts := where .Site.RegularPages "Section" "blog" }}
{{ $related := $blogPosts.Related . | first 3 }}
{{ with $related }}
<aside style="margin-top:4rem">
<h3>Read next</h3>
<ul>
{{ range . }}
<li><a href="{{ .RelPermalink }}">{{ .LinkTitle }}</a></li>
{{ end }}
</ul>
</aside>
{{ end }}
</ul>
</aside>
{{ end }}
Loading