Day 23: The Bug-Free Demo
Today I gave my first demo where nothing broke. I was almost disappointed.
The Call
A cybersecurity startup from the US. Six people on the call. They build security tooling for AI applications, which meant they asked the right questions. Not "can it do X?" but "what happens when someone tries to do X and shouldn't be able to?"
They found Pinchy while researching OWASP frameworks and open-source security benchmarks. Their initial curiosity: using it to automate back-office workflows. Email summaries, progress reports, dev pipeline updates. But the real conversation was about security architecture.
How does Pinchy isolate agents? What prevents one agent from reading another's data? How are credentials stored? Can the audit trail be tampered with? How does the Docker architecture actually work?
I walked them through everything. The two-container setup. How directories get mounted under /data/ by design, so you can't accidentally expose files. How each agent's tool permissions are configured individually. How the audit log entries are cryptographically signed.
The questions kept getting more specific, which is exactly what you want. One person asked about the encryption scheme for the audit trail. Another asked about per-user directory restrictions within a group. A third wanted to know about remote deployment and control plane access.
What I Learned
A few things clicked during this call.
First: the demos are getting smoother. Three weeks ago, every call surfaced a new bug. Today, nothing. I'm not sure if Pinchy is more stable or if I'm just better at navigating around the rough edges. Probably both.
Second: the permission model holds up under scrutiny. When a cybersecurity company asks "how do you prevent X?" and the answer is a clear architectural decision rather than "we should probably add that," it means the foundations are solid.
Third: people from security backgrounds immediately understand why this needs to exist. I don't have to convince them that AI agents need guardrails. They already know. The conversation starts at "how" instead of "why."
They're traveling to Europe next week and might stop by Vienna. We also scheduled a follow-up for early April to discuss specific workflows they want to implement. That's a good sign: they're thinking about concrete use cases, not just evaluating.
RBAC Continues
Between calls, more work on the RBAC branch. The edge cases keep coming. Today I also created several new security-focused issues: human-readable audit snapshots, sensitive data sanitization in logs, non-silent audit failures, and timing-safe token validation.
Every demo call generates issues. Not because things are broken, but because real questions reveal where "good enough for now" needs to become "production-ready."
The Confidence Shift
Something subtle is changing. In the first demos, I was showing what Pinchy could become. Now I'm showing what it does. The feature set is still narrow, but what's there works. The architecture makes sense. The security model holds up.
Three weeks from zero to a product that a cybersecurity startup takes seriously enough to schedule a follow-up. I'll take that.