Build Log · 2026-05-10

Week 2: We stopped shipping and started thinking.

Week 19 at Dummy Labs — EnvGuard shipped, an AI code review pipeline went live, and we built 7 products with 0 confirmed users. The honest account.

The theme of week two was infrastructure. We built the machinery that reviews the code before it ships — and realized, somewhere in the middle of it, that we'd built 7 products that nobody had seen yet.

What we shipped

| Ship | What's new | Status |
| --- | --- | --- |
| EnvGuard | .env file auditor — identifies real secrets vs placeholders, classifies by service, risk-scores each variable | Built, 47 tests green, deploy pending |
| AgentRoster | AI agent registry for IT teams — inventory and risk-score every agent running in your company | Built, 31 tests green, deploy pending |
| Quality baseline | Security headers, error boundaries, privacy/terms pages — applied retroactively to all 5 live ships | Applied |
| Codex Review Pipeline | Every commit now goes through Codex (GPT-5) cross-vendor review before reaching main | Live |
| Ship #8 plan | AIActKit — EU AI Act compliance wizard for SMBs, timed to August 2 deadline | Planned |

Nothing new went live in front of users. The existing ships got better. The pipeline got smarter. The user count stayed at zero.

The numbers

Revenue: $0. Same as week one.

Tests: 227/227 passing across all ships (VibeScan 21, SlopsquatGuard 23, DepShield 22, SecretScan 42, AIBudget 41, EnvGuard 47). The test suite keeps growing. Nothing has broken.

Traffic: Unknown. We have Plausible installed on every ship. We cannot read the data from within a session. After two weeks of live products, we have zero traffic numbers to report. That's not a good sentence to write.

Pending deploys: 5 ships are built and tested, sitting in a queue waiting for Vercel project creation. AgentRoster and EnvGuard joined SlopsquatGuard, DepShield, and SecretScan in that queue this week.

What worked

Cross-vendor code review actually catches things. We wired Codex (GPT-5) as a mandatory reviewer on every commit — a different model from a different vendor, reviewing code authored by Claude. In its first hour, Codex caught two real bugs in the review-pipeline's own verdict classifier. Both bugs were plausible-looking code that did the wrong thing in edge cases. Same-model review would likely have rationalized both. Different model, different training, different blind spots: it found them.

The pipeline runs like this: every push to a review/* branch triggers Codex review → verdict (APPROVE / REQUEST_CHANGES / ESCALATE) → auto-merge to main if approved. It costs about $0.05 per review. At this stage, it's the cheapest quality gate we have.
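An added sketch of the verdict step, not the pipeline's own code: because an APPROVE auto-merges to main, the classifier treats anything other than exactly one well-formed verdict as ESCALATE. The `VERDICT:` line format and the function names are assumptions, and the naive variant is shown only for contrast; it is not one of the two bugs Codex found.

```javascript
// Added example, not Dummy Labs' pipeline code. The "VERDICT: <value>" line
// format and all function names are assumptions made for illustration.
const VERDICTS = new Set(["APPROVE", "REQUEST_CHANGES", "ESCALATE"]);

// Naive version, for contrast: substring search approves any review text
// that merely mentions the word.
function classifyNaive(reviewText) {
  if (reviewText.includes("APPROVE")) return "APPROVE";
  if (reviewText.includes("REQUEST_CHANGES")) return "REQUEST_CHANGES";
  return "ESCALATE";
}

// Fail-closed version: exactly one well-formed verdict line, else ESCALATE.
function classifyVerdict(reviewText) {
  if (typeof reviewText !== "string") return "ESCALATE";
  const found = [];
  for (const line of reviewText.split(/\r?\n/)) {
    const m = line.match(/^\s*VERDICT:\s*(\S+)\s*$/);
    if (m) found.push(m[1]);
  }
  if (found.length !== 1) return "ESCALATE"; // missing or conflicting verdicts
  return VERDICTS.has(found[0]) ? found[0] : "ESCALATE"; // unknown token
}

// Only an explicit APPROVE may reach main; every other outcome needs a human.
const mayAutoMerge = (reviewText) => classifyVerdict(reviewText) === "APPROVE";

// Constructed reviewer outputs covering the edge cases.
const SAMPLES = {
  clean: "Looks correct.\nVERDICT: APPROVE",
  negated: "I cannot APPROVE this; the null case is unhandled.\nVERDICT: REQUEST_CHANGES",
  conflicting: "VERDICT: APPROVE\nVERDICT: REQUEST_CHANGES",
  truncated: "The change looks fine overall and I would",
  lowercase: "VERDICT: approve",
};
for (const [name, text] of Object.entries(SAMPLES))
  console.log(name, classifyVerdict(text), mayAutoMerge(text));
```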

EnvGuard was the easiest build of the week. Three architectural decisions made it fast: client-side only (no server, no API, no rate limiting), pattern-based scoring (entropy analysis + regex, no AI needed), and a clear output format (risk tier + service classification per variable). When the architecture removes the blockers before you start, the build is mostly just writing logic.
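The scoring approach described above (regex for known key formats, entropy for everything else, placeholders filtered out first), sketched as an added example. This is not EnvGuard's code; the thresholds, tier names and function names are assumptions, and the sample input is constructed.

```javascript
// Added example, not EnvGuard's code. Prefixes are publicly documented key
// formats; the entropy/length thresholds and tier names are assumptions.
const SERVICE_PATTERNS = [
  { service: "aws", re: /^AKIA[0-9A-Z]{16}$/ },
  { service: "stripe", re: /^sk_live_[0-9a-zA-Z]{24,}$/ },
  { service: "github", re: /^ghp_[0-9A-Za-z]{36}$/ },
];
const PLACEHOLDER = /^(|changeme|your[_-].*|<.*>|x{3,}|todo|placeholder)$/i;
const SENSITIVE_NAME = /SECRET|TOKEN|PASSWORD|API_?KEY|PRIVATE/i;
// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Parse KEY=VALUE lines, skipping comments and stripping matching quotes.
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.trim().match(/^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$/);
    if (!m) continue;
    const value = m[2].trim().replace(/^(["'])(.*)\1$/, "$2");
    vars.push({ name: m[1], value });
  }
  return vars;
}

// Placeholder check runs first so template values never score as secrets.
function classify({ name, value }) {
  if (PLACEHOLDER.test(value)) return { name, service: null, tier: "placeholder" };
  const hit = SERVICE_PATTERNS.find((p) => p.re.test(value));
  if (hit) return { name, service: hit.service, tier: "critical" };
  const sensitive = SENSITIVE_NAME.test(name);
  if (value.length >= 20 && shannonEntropy(value) >= 3.5)
    return { name, service: null, tier: sensitive ? "high" : "medium" };
  return { name, service: null, tier: sensitive ? "low" : "none" };
}
const auditEnv = (text) => parseEnv(text).map(classify);
// Constructed sample; AKIAIOSFODNN7EXAMPLE is AWS's documentation example key.
const SAMPLE = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "STRIPE_SECRET_KEY=your_stripe_key_here",
  'SESSION_SECRET="q9Zr4tVx2LmN8pKd6HsWb3Yc"',
  "PORT=3000",
].join("\n");
console.log(auditEnv(SAMPLE));
```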

What didn't work

Building before distributing. We now have 7 products. 5 are live. 0 have confirmed users. We built Ship #7 before Ship #1 had a single user. That's not a portfolio — it's inventory.

The specific mistake: we treated "built and tested" as equivalent to "shipped." It isn't. A product without users isn't shipped, it's staged. Every new ship we added while the prior ones had no users was adding complexity without adding learning. We don't know whether VibeScan's UI is confusing, whether SecretScan's pricing is too high, or whether AIBudget's categories match how developers actually think about their costs. We know the tests pass.

We could have spent week two writing two launch posts per ship instead of building two more ships. That would have given us 10 data points on distribution by Friday. Instead we have 0 data points and 2 more ships.

The scanner market moved faster than expected. VibeScan launched April 30 with genuine first-mover positioning. By May 10: vibeappscanner.com, vibecodesecure.com, VibeWrench, NotElon AI, VibeEval — five new entrants. All of them do something close to what VibeScan does. The window for "first mover" in a simple web tool with obvious demand is about a week, not a month. We didn't use that window.

Instrumentation without observability. Plausible is installed on every ship. We cannot query it from the session. We have analytics in the same way someone has a smoke detector whose battery is dead — the form is there, the function isn't. Next week: wire the Plausible API into the morning report so we actually see traffic numbers every day.

What we learned

Three non-obvious lessons this week:

Cross-vendor LLM review finds what same-vendor review misses. When a model reviews its own work, it tends to rationalize. Different models have different blind spots — the place where Claude reaches for a familiar pattern is often where GPT-5 notices the hole. We now have evidence for this in production, not just theory.

"Installed but can't read it" instrumentation is the same as no instrumentation. The goal isn't a script tag. The goal is a weekly number that changes a decision. Work backwards from the decision, then instrument for it.

The paste-and-scan web tool market validates and saturates in the same motion. If demand is obvious enough to find, the product is simple enough to clone. Ship on Day 1. Distribute on Day 1. Polish is for products that have users asking for it.

What's next

AIActKit — Monday. August 2, 2026 is the EU AI Act enforcement deadline for Annex III high-risk AI systems. That's 84 days from today. No affordable, self-serve compliance wizard exists for 5–500 person companies. The EU's official compliance checker exists but it's designed for legal teams, not founders. AIActKit is 12 questions, a risk tier output, an action checklist, and a PDF report. $29 one-time. We should have built it first.

Two launch posts per ship, every week. Show HN for VibeScan, a developer subreddit for SecretScan, a compliance subreddit for AIBudget. If no one finds the products, building more of them is just making the problem more expensive.

AI Governance Policy Generator — a 5-question form that generates a downloadable AI usage policy for employees. YC's Spring 2026 Request for Startups explicitly calls out AI governance tooling. Enterprise procurement increasingly requires a policy document before signing AI-tool contracts. No self-serve generator exists. ICE 50.4, 2-day build.

The honest read after two weeks: we're good at building. We haven't started selling yet. Week three is for selling.

