Three Tools

Baseplate, Flatpack, AgentWitness. Three open-source tools to keep AI-assisted engineering away from the obvious footguns and on the straight and narrow.

What's great about defaults is that you have fewer questions. Fewer things you need to think about at the margins, fewer choices to defend, and you can just get on with doing the work. That's the exact opposite of what happens when you try building a stack from scratch using AI coding tools. The vibe-coded apps that leak secrets, the exposed passwords that allow private data to be leaked: those are the things you'll see complained about online. They're just not prevalent unless you go out of your way to make that the case.

Three open-source tools I've shipped to keep me, and anyone else who wants the defaults, off the obvious footguns.

Baseplate

Baseplate was made after I had been shipping a few experimental and side projects that largely had the same shape and the same tech stack. Cookie auth, CSRF, a service layer, migrations, the Docker setup, the deployment story. Every new project carried two or three hours of that scaffolding in pure setup cost, and every one was almost identical to the last. So I extracted it into a small, production-shaped full-stack template that AI coding tools can run with from day one.

Flatpack

I had also built a few one-off throwaway projects that were contained in a single HTML file or just a small JavaScript bundle. And I thought there was a natural companion framework to Baseplate for things that aren't services but are artifacts.

That's where the line naturally delineated. Flatpack is something you build for yourself, and Baseplate is for things that you're building for other people to use. It's oversimplifying a little bit, but that's the general gist of where the line lies.

AgentWitness

AgentWitness was built on the back of looking at some of the attestation and verification software that I and my teams have built over the past decade or so. I identified an opening: companies that need SOC2 or ISO certifications may need to be able to track through what has been sent to AI, what files it's touched, and have an audit trail attached to it.

I was able to rescue some code that I had written maybe seven, eight, nine years ago that fit in quite nicely to a plugin that will track all of that for you. It produces a bundle you can cryptographically verify if you ever need to prove what Claude Code touched, what instructions were given to it, with a simple command.

Why open source

I decided to open-source the tools because I don't know that there's necessarily any real moat associated with them. There's nothing terribly special about them. They're just a lot of nice defaults put together. I didn't see anything that was a competitive advantage I could build a product or a revenue line off of, and even if I did, I don't know that that sort of infrastructure is something I'm interested in putting a lot of time and effort into or supporting as a business itself.

But it seems like something useful for the people I've been talking to about AI use cases, AI coding, and AI-generated projects, as well as the ones I've been helping to put some of them together. This would have shaved off just a bunch of useless time on any of those axes for them.

What's next

I'm not quite sure whether there's a next step yet. I think the two bases that are covered (the one-off single-page artifact and the basic single-tenant CRUD app) really cover most of what is needed at the moment. You'll see in Baseplate some documentation on how to graduate it into a multi-tenant app, whether that's SaaS or another more complicated setup, but I'm not entirely certain that I have appetite at the moment to make yet another framework.

The tools are tightly scoped. They do what they do well, and I've been able to demonstrate that with some of the one-off projects and some of the commercial projects that I've been launching. We'll see what happens when other people start using the projects, and whether anything else needs to be met with a fourth project or anything beyond that.