BMD HODL devlog - week of 2026-05-03

The biggest move this week was tightening the AgentGuard release path across the site, the public SDK repo, and the dashboard at the same time. I shipped proof-heavy docs, cleaned up release surfaces, pushed performance fixes on bmdpat, and made the dashboard release operator stricter. I also kept autotrader honest. The book is still trailing passive benchmarks, so this week was about removing loose edges and making the system easier to trust.

What shipped

bmdpat

• PR #397: prebuilt /blog/[slug] to cut blog FCP.
• PR #396: deferred non-critical home page client components off the initial bundle.
• PR #395: added owner notification on first subscriber signup.
• PR #394: installed Vercel Speed Insights.
• PR #393: updated the AgentGuard landing page MCP setup.
• PR #391: tightened /api/blog input validation with a strict Zod schema.
• PR #390: promoted the newsletter to the primary blog CTA and added blog view tracking.
• PR #389: drafted AgentGuard launch materials.
• PR #388: added an AgentGuard release checklist.
• PR #387: added AgentGuard quickstart proof.
• PR #386: fixed AgentGuard funnel accuracy.
• PR #242: sharpened the homepage trust pass.
• PR #241: sharpened the homepage around AgentGuard.
• PR #209: shipped the "Future of Programming" YC demo.

agent47

• PR #465: documented managed-agent threat and cost surfaces.
• PR #461: published AgentGuard skill distribution docs.
• PR #459: added release cadence docs.
• PR #458: cleaned root docs and improved query_traces metadata.
• PR #457: added Glama badges and cleaned root docs.
• PR #456: improved Glama metadata quality.
• PR #455: recorded the first Glama MCP release.
• PR #454: made the budget MCP entrypoint dogfoodable.
• PR #452: bumped hono in mcp-server.
• PR #449: bumped ip-address and express-rate-limit in mcp-server.
• PR #447: added the PocketOS incident to the README "Real Incidents" section.
• PR #444: published typed contracts for the public SDK surface.
• PR #442: added the deployed-agent guard profile.
• PR #440: added the local-first agentguard-mcp budget server.
• PR #438: fixed release hygiene docs.
• PR #437: guarded hosted dashboard handoff copy.
• PR #436: added MCP proof gallery coverage.
• PR #435: added first-run CLI fallback guidance.
• PR #432: added the sticky agent proof fixture.
• PR #430: added the optional MCP npm release guard.
• PR #429: fixed MCP package release consistency.
• PR #427: added the dashboard handoff guide.
• PR #426: clarified the incident dashboard handoff.
• PR #424: added the optional Pydantic AI starter recipe.
• PR #411: bumped build in GitHub requirements.
• PR #410: bumped github/codeql-action.
• PR #388: bumped bandit.
• PR #386: bumped ruff.

agent47-dashboard

• PR #158: recovered from closed dashboard connections.
• PR #157: fixed static quickstart navigation.
• PR #156: split Release Operator MCP and ingest keys.
• PR #155: made Release Operator MCP dogfood strict.
• PR #154: dogfooded MCP servers in the release operator.
• PR #153: added AgentGuard MCP dashboard onboarding.
• PR #151: fixed the hosted trial readiness path.
• PR #150: added the release distribution packet.
• PR #149: hardened the SDK proof contract fixture.
• PR #147: added the AgentGuard release train plan.
• PR #146: added the public CrewAI proof route.
• PR #145: added distribution post assets.

autotrader

• PR #15: failed closed on the stale Thursday eval gate.
• PR #11: fixed idle cash deployment discipline.

What I learned

• 2026-05-08-claude-code-cve-2026-39861-sandbox-escape: trust has to fail closed. If a coding agent can keep write power after the trust boundary shifts, the bug is structural.
• 2026-05-07-computer-use-45x-more-expensive-than-apis: agent economics matter more than demos. The wrong interface can wreck margins before the product has a chance.
• The PocketOS incident still paid rent this week. Real incidents sharpen runtime-safety docs faster than abstract best practices do.

Numbers

• Autotrader: combined book +7.06% all time, trailing SPY by 6.32 points and BTC HODL by 8.43 points. Weekly alpha vs BTC was about -1.5 points.
• Closed loops: 2 install intents on 7 CTA clicks across the 2026-05-03 through 2026-05-09 window.
• AgentGuard PyPI: 297 downloads over the last 7 days as of the 2026-05-10 metrics scrape.

If you want the thing I am building in public, start here: https://bmdpat.com/tools/agentguard