The RuyaTech Blog

Field notes from the build.

Build It. Rescue It. Make It Smarter. Founder-to-founder writing on shipping SaaS, rescuing broken MVPs, and making products smarter — technical, plain-spoken, no fluff.

Engineering · Featured

Why MVPs that work in the demo break with real users

Demos only exercise the happy path with one well-behaved user. Here's the class of bugs that survives to production, and how to read for it before launch.

Oussama Ibrahim · Jun 11, 2026 · 4 min read

Security · 5 min read

Tenant isolation that doesn't depend on a developer remembering

Cross-tenant leaks happen when isolation lives in one place a developer can forget. The fix is defense in depth across the token, the query layer, and the database.

Oussama Ibrahim · Jun 10, 2026

Engineering · 4 min read

Stripe webhook retries and the idempotency hole nobody tests

Stripe retries webhooks. If your handler isn't idempotent on the event id, one timeout turns a single payment into two and your balances drift. Here is how to fix it.

Oussama Ibrahim · Jun 9, 2026

Security · 4 min read

When the agent decides the scope of the read

AI-tool-built apps fail in production when the agent layer trusts the model to decide query scope. Here is how to read the seams and fix it without a rebuild.

Oussama Ibrahim · Jun 8, 2026

Security · 5 min read

Security checks to close before your first enterprise customer

What to fix in a fast-built app before an enterprise security review: tenant isolation, server-side auth, signed webhooks, and keys that never reach the browser.

Oussama Ibrahim · Jun 5, 2026

Engineering · 6 min read

Designing bulk payment systems for the events you didn't plan for

Bulk payment systems break on retried webhooks, misread declines, and gateway outages, not on the charge that works. Here is how to design for those events from day one.

Oussama Ibrahim · Jun 4, 2026

AI · 5 min read

When your AI endpoint is a spending decision, not a feature

A public endpoint that calls a paid AI model on every request is a spending decision. Here is how that turns into an overnight bill, and what to check before it does.

Oussama Ibrahim · Jun 1, 2026