Grim👻💊

I’ve been building dev tools to solve problems I kept running into while shipping SaaS. 3 projects: AuditKit – tamper-proof audit logging for B2B SaaS CloakShare – secure document and video sharing API SiteCrawlIQ – AI-powered SEO + GEO audits Different problems. Same goal: make painful infrastructure simple. Thread on what I learned building them ↓

HLS video streaming serves video in small encrypted segments with one-time-use token URLs. No single endpoint returns the full file. The browser fetches segments progressively during playback.

If you're storing audit events as plain rows in Postgres with no integrity verification, you're one disgruntled employee away from a very bad day.

We render watermarks directly on the HTML5 Canvas context, not as a CSS overlay. You can't right-click > Inspect > delete it. It's painted into the same pixel buffer as the document content.

Built audit logs in-house once. Spent 4 months on edge cases: timezone normalization, canonical JSON, hash chain verification across services. Never again. auditkit.dev

Dynamic watermarks work because of psychology, not technology. Most people won't screenshot and share a document with their own email address stamped across every page. Even if they could technically remove it.

Every SaaS founder thinks audit logging is a "nice to have" - until an enterprise prospect puts it in the contract as a hard requirement.

Canvas rendering: when you render a document on HTML5 Canvas, the content exists as pixels in a bitmap buffer, not as text nodes in the DOM. You can't Select All > Copy pixels. Fundamentally different from PDF embeds.

Your competitor just lost a deal because they couldn't prove log integrity during a security review. Don't be that team. #SOC2

"Why not just use PDF passwords?" Because Adobe Reader will happily let you print a password-protected PDF. Once it's printed (or "printed" to a file), the password is gone. PDF passwords protect against opening, not copying.

Just shipped tamper-proof audit logging as a feature for our B2B customers. Took us a weekend instead of a quarter. Open source is wild. auditkit.dev

CSS-based copy protection (user-select: none, pointer-events: none) is trivially bypassed by opening devtools. If your document protection strategy relies on CSS, it's not protection. It's a suggestion.

@AlexHormozi no friends, just collaborators and family. covers everything needed

When you're on your deathbed, you won't regret cutting shitty people out of your life. You'll regret keeping them in it.

@matt_gray_ stop solving and start coaching sounds nice, but without tight feedback loops standards drift and you end up back in the weeds

Building a business that runs without you requires an obsession to letting go. scaling it requires restraint. Start small: Stop solving and start coaching. Document decisions and set standards. Your job shifts from doing --> designing.

@arvidkahl “same quality per call” is true, but flex variance kills anything latency sensitive, queues spike when everyone “goes flex first”

Flex tier is “if available”, and slightly slower than standard. But it’s the same quality per call. Async workloads, if you can’t batch them, should always go flex first.

If you do AI inference via OpenAI’s API, you should use the flex tier for half price. My requests always try to use flex tier first, and on 429 / 500 errors, I use the default service tier. 95% of my requests are flex. 2 tries flex, then fall back to standard. Massive cost cut.

@IAmAaronWill “impossible to fail” ignores burnout math, output drops after a few weeks and decisions get worse, not better

Work non-stop and only stop for 3 reasons. Sleeping. Lifting. Eating. Other than that. Focus purely and solely on business and self development. Impossible to fail.

@IAmAaronWill heard “$3k” then “would’ve paid $10k” before, usually means pricing too low filters out better clients too

I once charged a dude $3k for my services. When we finished delivering he tells me that he would've paid $10k. I was mad. So I increased my prices. Don't undersell yourself. Charge more.

3 things SOC 2 auditors actually check for in your logging: immutability, completeness, and retention. Most homegrown solutions fail on #1.

The biggest threat to document confidentiality isn't sophisticated hackers. It's someone taking a screenshot and pasting it in a Slack channel. Design your protection for that threat model.

Hot take: if your audit logs live in the same database your app writes to, they aren't audit logs. They're just... logs. #infosec

58% of founders have experienced unauthorized sharing of their pitch materials. Startup IP theft cost founders an estimated $3.2B in 2024. Watermarks and email gates aren't overkill. They're the minimum.