The RuyaTech Blog
Field notes from the build.
Build It. Rescue It. Make It Smarter. Founder-to-founder writing on shipping SaaS, rescuing broken MVPs, and making products smarter — technical, plain-spoken, no fluff.
Why MVPs that work in the demo break with real users
Demos only exercise the happy path with one well-behaved user. Here's the class of bugs that survives to production, and how to read for it before launch.
Tenant isolation that doesn't depend on a developer remembering
Cross-tenant leaks happen when isolation lives in one place a developer can forget. The fix is defense in depth across the token, the query layer, and the database.
Stripe webhook retries and the idempotency hole nobody tests
Stripe retries webhooks. If your handler isn't idempotent on the event id, one timeout turns a single payment into two and your balances drift. Here is how to fix it.
When the agent decides the scope of the read
AI-tool-built apps fail in production when the agent layer trusts the model to decide query scope. Here is how to read the seams and fix it without a rebuild.
Security checks to close before your first enterprise customer
What to fix in a fast-built app before an enterprise security review: tenant isolation, server-side auth, signed webhooks, and keys that never reach the browser.
Designing bulk payment systems for the events you didn't plan for
Bulk payment systems break on retried webhooks, misread declines, and gateway outages, not on the charge that works. Here is how to design for those events from day one.
When your AI endpoint is a spending decision, not a feature
A public endpoint that calls a paid AI model on every request is a spending decision. Here is how that turns into an overnight bill, and what to check before it does.