Day 5: The Enterprise Gauntlet
77 commits. 15,000 lines of code. A conversation in a gym that changed everything.
Saturday morning, 8 AM, gym
Laptop on the windowsill. Between sets, I'm writing code. An old acquaintance walks by: "What are you working on?"
I tell him about Pinchy. Open source. Self-hosted. AI agents for companies.
He goes quiet. Then: "That's exactly what we need."
Thousands of documents on shared network drives. PDFs, Word files, PowerPoints. 15 years of company knowledge, and nobody can find anything. No structured access. No search that actually works.
The AI solutions on the market? Cloud-based. Upload your documents to someone else's server. For companies in the DACH region with strict data protection requirements, that's a non-starter.
This was the same feedback from yesterday's LinkedIn announcement. CTOs, founders, freelancers. Over and over: "Self-hosted? Finally."
The use case is crystallizing. Knowledge base. Self-hosted. With source attribution. Documents stay where they are.
Which raised an uncomfortable question: Is Pinchy actually ready for this?
The honest answer was no
I had multi-user auth, encrypted API keys, agent permissions. Good foundation. But "enterprise-ready" means something specific. It means a CTO can look at your security posture and not wince. It means compliance teams have something to review. It means there's a paper trail.
Day 5 was about closing that gap. All of it. In one day.
Security hardening
First, the basics that should have been there from the start. Some were. Some weren't.
- Hardcoded secrets removed from docker-compose.yml. Environment variables only.
- WebSocket payload limit: 1MB. No one's sending legitimate messages bigger than that.
- Security headers in the Next.js config. X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
- Non-root user in Docker containers. The process shouldn't run as root. It doesn't anymore.
- Password strength validation. Letters and numbers required. Not Fort Knox, but better than "password123".
- Admin-only provider configuration. Regular users shouldn't be touching LLM settings.
- API key hints restricted to admins. Users see that a key exists, not what it looks like.
- Race condition in createAdmin fixed with a database transaction. Edge case, but the kind that bites you in production.
- Automated security tests in CI. Every push gets checked.
30+ commits just for security. None of them exciting. All of them necessary.
The audit trail
This is the enterprise feature. Not because it's flashy, but because it's the thing that makes compliance teams say "okay, we can work with this."
Every significant action in Pinchy now gets logged: logins (successful and failed), agent creation and deletion, configuration changes, user management, file access, tool execution. Everything.
But logging is the easy part. The hard part is making logs trustworthy.
Each log entry is signed with HMAC. Not just hashed — signed with a secret key. If someone modifies a log entry (or deletes one and re-inserts it), the signature won't match. The database has immutability triggers that prevent UPDATE and DELETE operations on the audit table entirely. You can append. You cannot change.
There's a verification endpoint that checks every entry in the chain. And an admin UI with filters, search, and a "Verify Integrity" button that runs the full check.
Is this overkill for a week-old project? Maybe. But when someone asks "can you prove nobody tampered with the logs?", the answer is yes. That's worth building early.
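The signing and chain verification described above, as an added example in Node.js rather than Pinchy's own code. The entry fields, the demo key and the way each signature covers the previous one are assumptions made for illustration.

```javascript
// Added example: field names and the chaining layout are assumptions.
const { createHmac, timingSafeEqual } = require('node:crypto');

const GENESIS = '0'.repeat(64); // "previous signature" for the first entry

// The MAC covers a fixed-order serialization plus the previous signature,
// so editing, reordering or removing a middle entry breaks the chain.
function sign(key, e, prevSig) {
  const msg = JSON.stringify([e.seq, e.ts, e.actor, e.action, e.detail, prevSig]);
  return createHmac('sha256', key).update(msg).digest('hex');
}

function append(log, key, fields) {
  const prevSig = log.length ? log[log.length - 1].sig : GENESIS;
  const entry = { seq: log.length + 1, ...fields };
  log.push({ ...entry, sig: sign(key, entry, prevSig) });
  return log;
}

// Walks the whole chain and reports the first entry that fails.
function verify(log, key) {
  let prevSig = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i + 1) return { ok: false, failedAt: i + 1, reason: 'sequence gap' };
    const expected = Buffer.from(sign(key, e, prevSig), 'hex');
    const actual = Buffer.from(String(e.sig), 'hex');
    // Constant-time comparison of the stored and recomputed signatures.
    if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
      return { ok: false, failedAt: e.seq, reason: 'signature mismatch' };
    }
    prevSig = e.sig;
  }
  return { ok: true, failedAt: null, reason: null };
}

// Constructed sample entries, not real Pinchy log data.
function sampleLog(key) {
  const log = [];
  append(log, key, { ts: '2026-01-03T08:00:00Z', actor: 'admin', action: 'login.success', detail: '' });
  append(log, key, { ts: '2026-01-03T08:01:00Z', actor: 'admin', action: 'agent.create', detail: 'kb-agent' });
  append(log, key, { ts: '2026-01-03T08:02:00Z', actor: 'admin', action: 'agent.delete', detail: 'kb-agent' });
  return log;
}

const DEMO_KEY = Buffer.from('constructed-demo-key-not-a-secret');
console.log(verify(sampleLog(DEMO_KEY), DEMO_KEY));
```

Removing entries from the end leaves a shorter chain that still verifies, so a check like this also needs the latest sequence number or signature recorded somewhere the database writer cannot reach.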
Compliance documentation
Three new documents in the repo:
- PRIVACY.md — What data Pinchy processes, where it's stored, how long it's kept, who has access. Written for data protection officers, not developers.
- DPA.md — Data Processing Agreement template per GDPR Article 28. Fill in your company name and you have a legally usable document. Technical and organizational measures included.
- SECURITY-POLICY.md — Detailed security policy covering encryption, authentication, data isolation, incident response. Only documents what's actually implemented. Things that aren't built yet are marked as roadmap items, not features.
That last point matters. Enterprise compliance docs that overclaim are worse than no docs at all. If the audit trail section says "HMAC-signed, immutable, with integrity verification" — that's because it is. If SSO isn't implemented yet, it says "planned." No fiction.
Agent-native optimization
A small but important thing: all three Pinchy domains are now optimized for AI agents.
llms.txt files on heypinchy.com, docs.heypinchy.com, and clemenshelm.com. Schema.org JSON-LD on all sites. The docs site now has an llms-full.txt that contains the entire documentation in one file — if an AI agent wants to understand Pinchy, it can read everything in a single request.
I'm building a platform for AI agents. The least I can do is make my own sites agent-friendly.
The numbers
77 commits. 142 files changed. +15,037 lines added. -1,863 removed. The biggest day yet — beating Day 4's record by 20%.
For context across the week:
- Day 2: ~2,000 lines (first working chat)
- Day 3: ~7,600 lines (encryption, onboarding, openclaw-node)
- Day 4: ~12,250 lines (multi-user, invites, agents, plugins)
- Day 5: ~15,000 lines (security, audit trail, compliance)
Total since Day 1: 200+ commits. ~37,000 lines. One week.
What changed today
A conversation in a gym turned Pinchy from "interesting open-source project" into "this could be a product." Not because of the code. Because someone with a real problem said "that's what I need."
The security hardening, the audit trail, the compliance docs — those are the response. If someone's going to trust us with their company's knowledge, the foundation has to be solid. Not next month. Now.
We're not enterprise-ready. But we're enterprise-serious. And that's where it starts. 🦞
This is part of the Building Pinchy in Public series. We're building an open-source web UI for OpenClaw and sharing every decision — technical, strategic, and everything in between.