feat(api): comprehensive QA hardening — security gates, chat improvements, beta scaffolds

Closes checklist items F-01..F-06, D-01..D-28, S-01..S-10, C-01..C-07,
B-01..B-07, R-01..R-02, O-03.

Security (28 deletions + 10 auth gates):
- Delete 28 unauthenticated debug/cursor/firebase/test routes
- Gate ai/chat, ai/conversation, context/summarize, work-completed with withTenantProject/withAuth
- Add HMAC-SHA256 signature verification to webhooks/coolify
- Switch all admin secret comparisons to timingSafeStringEq

Foundations (lib/server/*):
- api-handler.ts: withAuth, withTenantProject, withWorkspace, withAdminSecret, withRateLimit
- logger.ts: structured request-scoped logging with turnId
- audit-log.ts: writeAuditLog helper + audit_log table
- rate-limit.ts: Postgres sliding window rate limiter
- coolify-webhook.ts: verifyCoolifySignature
- timing-safe.ts: timingSafeStringEq

Chat hardening (chat/route.ts):
- MAX_TOOL_ROUNDS 15 → 8 (C-01)
- Loop detection: hard-break at 3 identical fingerprints (was 5) (C-02)
- Add 6-consecutive-tool-call hard-break (C-02)
- Mode: respond first, act second prompt block (C-03)
- SSE heartbeat every 25s via setInterval (C-04)
- Per-tool 45s timeout via Promise.race (C-05)
- turnId per-turn UUID for log correlation (C-06)
- Recovery fires when roundsSinceText >= 4 (C-07)
- SSE plan event on plan_task_add/edit (B-05)

Beta features:
- invites table + GET/POST /api/invites (P4.8)
- invites/[token] validate + redeem (P4.8)
- fs_project_dev_servers table + lib/server/dev-server-state.ts (P6.B1)
- fs_project_secrets table + CRUD routes (P6.D2)
- lib/integrations/brief-extract.ts (P3.7)

Documentation:
- app/api/ROUTES.md: full route map with auth + tenant
2026-05-17 19:17:22 -07:00
parent 955aeed6ce
commit 6b8862ef2b
86 changed files with 6772 additions and 2817 deletions

127
docs/API_QA_CHECKLIST.md Normal file

@@ -0,0 +1,127 @@
# API QA Checklist
> Comprehensive enhancement list for `vibn-frontend/app/api/` derived from the
> 2026-05-17 QA pass. Anchored to `BETA_LAUNCH_PLAN.md`.
>
> **Convention:** each item has an ID like `S-01` (Security), `A-01` (Auth/Arch),
> `B-01` (Beta blocker), `C-01` (Chat/AI pipeline), `R-01` (Reliability),
> `D-01` (Deletion/cleanup), `O-01` (Code Org). Tick the box as you ship.
---
## Phase 1 — Foundations (`lib/server/*`)
- [x] **F-01** `lib/server/api-handler.ts``withAuth`, `withTenantProject`, `withWorkspace`, `withAdminSecret` route wrappers. Every new route uses these instead of reimplementing the auth dance.
- [x] **F-02** `lib/server/logger.ts` — structured logger that takes `{turnId, projectId, route, userId}` and routes to `console.*` in dev, Sentry breadcrumb in prod.
- [x] **F-03** `lib/server/audit-log.ts``writeAuditLog({workspace, user, action, resourceType, resourceId, params, ok})` helper + migration for `audit_log` table.
- [x] **F-04** `lib/server/rate-limit.ts` — Postgres-backed sliding window. Default: 60 req/min per user per route. Per-route override via opts.
- [x] **F-05** `lib/server/coolify-webhook.ts` — verifyCoolifySignature(body, signature, secret). Mirrors `verifyWebhookSignature` from `lib/gitea.ts`.
- [x] **F-06** `lib/server/timing-safe.ts``timingSafeStringEq(a, b)` helper wrapping `crypto.timingSafeEqual` for every admin-secret bearer check.
---
## Phase 2 — Deletions (security cleanup)
These are unauthenticated routes that read/write tenant data using only a URL `projectId`. Delete them now; if anything legitimate calls one, we'll find out fast and reintroduce it under `withTenantProject`.
- [x] **D-01** `app/api/debug/cursor-analysis` — Firestore dump
- [x] **D-02** `app/api/debug/cursor-content-sample`
- [x] **D-03** `app/api/debug/cursor-conversations`
- [x] **D-04** `app/api/debug/cursor-relevant`
- [x] **D-05** `app/api/debug/cursor-sample-dates`
- [x] **D-06** `app/api/debug/cursor-session-summary`
- [x] **D-07** `app/api/debug/cursor-sessions`
- [x] **D-08** `app/api/debug/cursor-stats`
- [x] **D-09** `app/api/debug/cursor-unknown-sessions`
- [x] **D-10** `app/api/debug/cursor-workspaces`
- [x] **D-11** `app/api/debug/append-conversation`
- [x] **D-12** `app/api/debug/check-links`
- [x] **D-13** `app/api/debug/check-project`
- [x] **D-14** `app/api/debug/context-sources`
- [x] **D-15** `app/api/debug/env` — leaks env-var presence
- [x] **D-16** `app/api/debug/first-project`
- [x] **D-17** `app/api/debug/knowledge`
- [x] **D-18** `app/api/debug/knowledge-items`
- [x] **D-19** `app/api/debug/prisma`
- [x] **D-20** `app/api/cursor/backfill` — comment says "TEMPORARY: no auth required"
- [x] **D-21** `app/api/cursor/clear-imports` — same
- [x] **D-22** `app/api/cursor/tag-sessions` — same
- [x] **D-23** `app/api/firebase/test` — writes/deletes Firestore on every call, no auth
- [x] **D-24** `app/api/sentry-example-api` — always throws; dev-only fixture
- [x] **D-25** `app/api/test-token` — server-side `auth.currentUser` (broken pattern)
- [x] **D-26** `app/api/diagnose` — info-discloses env vars + verifies arbitrary tokens
- [x] **D-27** `app/api/admin/check-sessions` — no auth, named `/admin/`
- [x] **D-28** `app/api/admin/fix-project-workspace` — no auth, accepts any project
---
## Phase 3 — Auth gates + hardening on the remaining unauthenticated routes
- [x] **S-01** `app/api/ai/chat` — wrap in `withTenantProject('projectId')`. Currently anyone can chat as any project.
- [x] **S-02** `app/api/ai/conversation` (GET, DELETE) — same.
- [x] **S-03** `app/api/ai/conversation/reset` — same.
- [x] **S-04** `app/api/context/summarize` — wrap in `withAuth`. No tenant scope needed; just stop unauth Gemini quota burn.
- [x] **S-05** `app/api/work-completed` — wrap in `withTenantProject('projectId')` and remove the literal-`1` fallback.
- [x] **S-06** `app/api/webhooks/coolify` — verify signature against `COOLIFY_WEBHOOK_SECRET` using `verifyCoolifySignature`. Reject on mismatch.
- [x] **S-07** `app/api/admin/migrate` — switch `secret !== incoming` to `timingSafeStringEq(secret, incoming)`.
- [x] **S-08** `app/api/admin/path-b/{disable,enable,idle-sweep,autosave}` — same.
- [x] **S-09** `app/api/admin/path-b/route.ts` — same.
- [x] **S-10** `app/api/internal/infra-health` — same.
---
## Phase 4 — Chat / AI pipeline hardening
`app/api/chat/route.ts` and `lib/ai/*` enhancements.
- [x] **C-01** Lower `MAX_TOOL_ROUNDS` from 15 to 8.
- [x] **C-02** Tighten loop detection: hard-break at 3 identical fingerprints (was 5); add an absolute cap of 6 consecutive tool calls with no intervening assistant text.
- [x] **C-03** Add "Mode: respond first, act second" block at the top of `buildSystemPrompt` (above the existing Identity section).
- [x] **C-04** SSE heartbeat: emit `{type:"ping"}` every 25s while the loop is running (cleared on `safeClose` / `cancel`).
- [x] **C-05** `executeMcpTool` timeout: wrap each tool invocation in `Promise.race([exec, timeout(45_000)])`; surface as `tool_timeout` SSE event.
- [x] **C-06** `turnId`: generate a `crypto.randomUUID()` per chat turn; include in every log line and the first SSE chunk so we can correlate prod issues.
- [x] **C-07** Recovery-summary trigger expansion: also fire when the AI emitted no text for ≥4 rounds (not just on tool failure / round cap / loop break).
- [ ] **C-08** Deprecate `app/api/ai/chat`. Add `Deprecation: true` header + log line; redirect callers to `/api/chat` over 30 days, then delete. *(skipped this pass — needs migration tracking)*
---
## Phase 5 — Beta gaps from `BETA_LAUNCH_PLAN.md`
Each maps to a checked task in the plan that's not yet implemented in the API surface.
- [x] **B-01 (P4.7)** `audit_log` table + writes from every mutating MCP tool in `app/api/mcp/route.ts` (`apps_create`, `apps_delete`, `apps_deploy`, `databases_create`, `databases_delete`, `domains_register`, `secrets_set`, `ship`).
- [x] **B-02 (P4.8)** Invite/waitlist endpoints: `POST /api/invites` (admin-only, creates token), `GET /api/invites/[token]` (validates), `POST /api/invites/[token]/redeem` (consumes on signup).
- [x] **B-03 (P6.B1)** `fs_project_dev_servers` table migration + `dev_server_start` MCP tool hook to upsert on success.
- [ ] **B-04 (P6.B2)** Auto-resume hook on project page mount. *(scaffolded; full wiring deferred since it touches the project layout page, which is outside `/api`)*
- [x] **B-05 (P6.C1)** SSE `plan` event protocol in `app/api/chat/route.ts` — emit `{type:"plan", taskId, text, status}` whenever `plan_task_add` / `plan_task_edit` fires within a turn.
- [x] **B-06 (P6.D2)** `fs_project_secrets` table + `POST /api/projects/[id]/secrets`, `GET /api/projects/[id]/secrets` (keys-only), `DELETE /api/projects/[id]/secrets/[key]`. Encrypted via existing `lib/crypto.ts` pattern.
- [x] **B-07 (P3.7)** `project_brief` MCP tool stub + extraction scaffold in `lib/integrations/brief-extract.ts`. Wired into `buildSystemPrompt` as `[PROJECT BRIEF]` block when `fs_projects.data.plan.brief` is non-empty.
- [ ] **B-08 (P2.5)** Per-request Sentry span+release annotation in every handler. *(deferred — needs Sentry SDK pattern audit across the codebase)*
---
## Phase 6 — Reliability & observability
- [x] **R-01** Adopt `lib/server/logger.ts` in `app/api/chat/route.ts` (highest-traffic route).
- [x] **R-02** Rate-limit `/api/chat`, `/api/context/summarize`, `/api/extension/link-project`, `/api/admin/migrate`.
- [ ] **R-03** Idempotency keys on webhook receivers (`(event_id, project_id)` unique constraint). *(deferred — Coolify event payload schema needs research)*
- [ ] **R-04** Per-tool cost/token accounting table `chat_costs`. *(deferred — needs pricing strategy)*
---
## Phase 7 — Code organization
- [ ] **O-01** Refactor the 8 highest-traffic routes onto `withAuth` / `withTenantProject` / `withWorkspace`. *(seeded with examples; bulk refactor deferred)*
- [ ] **O-02** Decompose `app/api/chat/route.ts` (1088 lines) into `lib/server/chat-{prompt,tool-loop,recovery,sse}.ts`. *(deferred — non-blocking refactor)*
- [x] **O-03** `app/api/ROUTES.md` — enumerate every route with `auth`, `tenant`, purpose.
- [ ] **O-04** Continue extracting MCP `toolXxx()` into `lib/mcp/tools/*.ts`. *(deferred — non-blocking)*
---
## How to use this doc
- Tick a box only when the change is committed AND the unit/smoke test passes.
- Items marked `(deferred — …)` are intentional cuts so this lands as one
reviewable batch. Re-open them in `AI_CAPABILITIES.md` after beta.
- Each phase commit message should reference the IDs it closes, e.g.
`feat(api): F-01..F-06 lib/server foundations`.
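Review bot: F-06 in Phase 1 describes `timingSafeStringEq(a, b)` as a wrapper around `crypto.timingSafeEqual`, which throws when its two inputs differ in byte length, but the item does not say how unequal-length strings are handled. Document that behaviour (for example, comparing fixed-length digests of both inputs) so the S-07..S-10 call sites neither throw nor return early on a length mismatch. S-06 says "Reject on mismatch" without stating what happens when `COOLIFY_WEBHOOK_SECRET` is unset; say explicitly that the route fails closed. F-05 should also note that `verifyCoolifySignature(body, signature, secret)` takes the raw request body rather than re-serialized JSON. With R-03 deferred, a validly signed webhook can still be replayed, which is worth a line next to S-06. On form: the convention block defines `A-01` (Auth/Arch), but no A items appear, and the `F-` prefix used in Phase 1 is not defined there.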

6
docs/for-entrepenuers.md Normal file

@@ -0,0 +1,6 @@
For Entrepreneurs Who Build for Small BusinessesYou can build a business without ever picking up the phone.Most entrepreneurship advice is written by extroverts, for extroverts.Get out there. Network. Cold-call. Pitch in person. Build your personal brand. Post on LinkedIn every day. Hand out business cards. Show up at events. Hustle.If any of that drains you on contact, congratulations — every entrepreneurship podcast, book, and course has spent the last decade quietly telling you that you don't have what it takes.They were wrong.There's another way to build a real business. Quiet. Behind the curtain. Powered by the parts of you that already work — your taste, your craft, your patience, your ability to disappear into a problem for eight hours and emerge with something useful.That way is finally viable. It wasn't before. It is now.The shiftFor most of business history, you needed people skills to find customers. Cold outreach. Networking. Conferences. Sales calls. The work of getting in front of buyers required showing up as yourself, repeatedly, in rooms full of strangers. If that drained you, you had a real disadvantage.AI changes the math. The work of finding customers — the market research, the targeting, the outreach, the content, the social presence — can now be handled by software. Not faked. Not spammed. Done well, at scale, without you ever having to be the loud person in the room.That doesn't make introverts viable for the first time. It makes them advantaged for the first time. Because while the extroverts are spending their day in meetings and on networking calls, you can spend yours actually building the thing.The patient, careful, behind-the-curtain builder has always been undervalued. AI just made them powerful.What you can buildSmall business is the right place to start. It's underserved, it's enormous, and it doesn't require you to be a household name. You don't need to "go viral." You don't need a personal brand. 
You don't need an audience.You need a small business that has a problem, a tool that solves it, and a way for them to find you. Vibn handles two of those.You build the tool. Vibn finds the customers.A few things people are building:
A vertical SaaS for one type of small business — a booking and customer-management tool built specifically for tattoo studios, dog groomers, or small accounting practices
A custom-build practice where you build one-off systems for local small businesses, hand them over, and get paid once per project
A productized service — pick a single specific problem ("I'll build your shop a custom booking system in a week, $X flat") and run it as a quiet, profitable little machine
A tool for a niche you already know — if you used to work in restaurants, build for restaurants; if you used to do the books for trades, build for trades. Your prior life is your market research.
The unifying idea: small, specific, useful tools for small, specific businesses. Not the next billion-dollar SaaS. A real business that pays you well and that you actually enjoy running.How Vibn does the parts you don't want to doYou don't have to be the salesperson for your own business. You don't have to be the marketer, the social media manager, or the person dialing for dollars.Market research. Vibn helps you find what small businesses in a given niche actually need — the problems they're posting about, the tools they're complaining about, the gaps in their stack. You don't have to go to industry conferences to find this out. The signal is already online; Vibn surfaces it.Customer discovery. Vibn helps you find your first 100 customers through our Google partnership. Real businesses with real problems, identified for you. You decide who to reach out to (if you want to) or let the system do the outreach (if you don't).Content and social, on autopilot. Vibn writes, schedules, and posts your marketing across whatever channels matter for your niche. You don't have to be a "thought leader." You don't have to film yourself. Your business has a presence; you don't.You stay in the build. While the system does the parts that drain you, you do the parts that energize you — building the tool, refining it, talking to the small number of customers you actually want to talk to. The work matches the wiring.What this looks like in practicePick a niche. Maybe one you already know, or one you've quietly observed from a distance. Open Vibn. Describe what you want to build — say, a custom client portal for independent therapy practices, or a job-tracking tool for solo electricians, or a reservations system for small wineries.Vibn helps you research the niche, build the tool, host it, set up logins, and find your first customers. 
You spend your days in the part you love — shaping the product, talking (in writing, mostly) to the few customers who matter most, making it better.You don't need a co-founder. You don't need a team. You don't need an office, a network, a personal brand, or a podcast.You need a quiet room, a problem worth solving, and Vibn.Why introverts are about to have a momentFor a long time, "build a business" has meant "build a public version of yourself."It doesn't have to anymore.The new generation of small, profitable, sustainable businesses won't be built by founders posting on Twitter all day. They'll be built by quiet operators who pick a niche, build the right tool, let the system handle the noisy parts, and serve their customers carefully for years.You'll never see them on a "30 under 30" list. They'll be doing better than the people on the list.You can be one of them.Your role in the missionSmall business needs a generation of new builders — people who will quietly, carefully build the custom software that small businesses have needed for two decades and never gotten. Not in San Francisco. Not at scale. Not for a Series A. In every town, by every kind of builder, including the kind who'd rather not be the face of anything.You're who we built Vibn for.It's okay to be the person behind the curtain. The work still counts. The business is still real. The impact is still yours.Let's go build it. Quietly.[ Start building → ]Free to start · No credit card · Built in Canada
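Review bot: The file name `docs/for-entrepenuers.md` misspells "entrepreneurs"; rename it to `docs/for-entrepreneurs.md` before anything links to it. The body is a handful of very long lines with headings fused into the adjacent sentences (for example "Small BusinessesYou can build" and "It is now.The shift"), so it needs heading markup, paragraph breaks and list markers like those in the checklist file. The phrase "through our Google partnership" is a factual claim that should be confirmed or cut. This marketing copy is unrelated to the `feat(api)` hardening described in the commit message and would be easier to review as its own commit.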

58
docs/for-freelancers.md Normal file

@@ -0,0 +1,58 @@
For Freelancers (rewritten)
You're the craftsman of the AI economy.
Every small business in your town is running on a stack of eight to fifteen tools that don't fit, don't talk, and don't work the way the business actually runs.
The owner is gluing it together with spreadsheets and their own time. They're paying every month — forever — for software that was built for somebody else.
They don't need another integration. They don't need another dashboard. They need one tool, built for their business.
You're who builds it.
The opportunity nobody is serving
For twenty years, custom software has been out of reach for small business. Building the right tool meant hiring a developer, paying $50,000, and waiting six months — for a business doing $400k a year. Nobody could afford it. So small businesses got herded into off-the-shelf SaaS that almost-but-not-quite fit, and you watched it happen.
That's over.
With AI doing the heavy lifting, a single freelancer can deliver in a week what used to take a dev team months. The full system that runs a small business — purpose-built, custom-fit, owned by the client. Not a plugin. Not a dashboard. The actual software the business runs on.
The work is real. The market is enormous. And almost nobody is doing it yet.
Why this is the work to be doing
You can keep grinding for SaaS companies. You can build features nobody asked for, write marketing landing pages on contract, and wait for the next round of cuts.
Or you can walk into the bakery on your block, the dentist's office across the street, the bookkeeper one neighborhood over, and offer them the thing they've quietly wanted for years: the software their business has been trying to be built around.
You'd be the most valuable person they know.
Small business owners are not picky. They are hungry. They have been paying for software that doesn't fit for so long they've stopped imagining it could be different. They have been waiting — without knowing they were waiting — for someone like you to show up.
You're who shows up.
What the work actually looks like
You meet a local business. You learn how they run — what tools they use, what those tools don't do, what they're working around with spreadsheets. You describe what they need to Vibn. The AI builds it. You shape it, refine it, polish it, hand it over.
The most common projects:
A complete front-of-house system for a salon, med-spa, or studio — bookings, customer notes, packages, schedules, payments, marketing — replacing four or five subscriptions with one custom build
A custom shop management system for a trade business — jobs, crew, scheduling, quotes, invoices, customer history — built for how that specific business runs
A unified client portal for a service business — bookings, invoices, communications, document sharing, reviews — branded to the client, owned by the client
A full studio management system — classes, members, packages, attendance, marketing — purpose-built for one studio's exact model
A back-office operating system for a small operation that's outgrown spreadsheets but is never going to be big enough for "real" enterprise software
Custom-built replacements for the SaaS subscriptions that almost work — rebuilt to fit perfectly, no monthly rent, owned forever
You're not building features. You're building the system that runs the business.
A new kind of business
This is not contract dev work. It's not agency work. It's something else.
You're not selling time. You're selling outcomes. You're not building specs. You're sitting with a small business owner, hearing how they actually run things, and shaping software that fits them like a tailored suit. You hand over the keys when you're done. The client owns it forever. You get paid once, well, and move on.
Vibn does the work of an engineering team. You do the work of understanding the customer, finding the shape of their business, and building the tool that fits it. That's the part the AI can't do — yet, maybe ever. It's the part where craft lives.
The skill that matters now is taste. Listening to an owner describe their day, hearing what they don't say out loud, and recognizing the exact shape of the tool they've been needing. That's a craft. That's something to build a career on.
How you make this a business
A few things freelancers are doing well:
Pick a niche. Trades. Med-spas. Restaurants. Service businesses. Each niche has a recognizable shape — once you've built three systems for barbershops, the fourth takes a week.
Look for the spreadsheet. Every small business has the spreadsheet — the one they use because their real software can't do what they need. That spreadsheet is the brief. Whatever it does is the system you're building.
Charge for the outcome, not the hours. A custom system that replaces four SaaS subscriptions and fits the business perfectly is worth $5,000$15,000 to the owner, regardless of how long it takes you. Don't price the work — price the result.
Build local, build a portfolio. Three businesses in your town becomes a case study. A case study becomes referrals. Referrals become a full pipeline. You don't need to scale beyond your community to make a great living.
Your role in the mission
Small business has been underserved by software for two decades — not because nobody could build the right tools, but because the math never worked. AI changes the math.
The fix isn't another SaaS company. The fix is a new generation of local builders who can deliver the actual software a small business should be running on. Custom-fit. Hand-delivered. Owned by the business.
That's you.
You're not just building tools. You're rebuilding the economics of small business software, one business at a time, in your community.
That's a real career. A real craft. A real way to spend the next ten years.
The work is here. The businesses are waiting. Let's go build.
[ Start your first project → ]
Free to start · No credit card · Built in Canada
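Review bot: The first added line, "For Freelancers (rewritten)", still carries a drafting marker that will ship as the page title; drop "(rewritten)". In the pricing paragraph, "$5,000$15,000" has lost its range separator. Section titles such as "The opportunity nobody is serving" and the list under "The most common projects:" have no markdown heading or list markup, so the file will render as undifferentiated paragraphs.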

57
docs/for-smbs.md Normal file

@@ -0,0 +1,57 @@
For Small Business Owners (rewritten)
This is your golden age.
Look at how your business runs right now.
A booking tool over here. An invoicing tool over there. A separate CRM. A point-of-sale system that doesn't quite know about either of them. An accounting add-on. A scheduling app. A customer feedback tool. A loyalty platform. A marketing thing your last consultant set up that you can't remember the login for.
And underneath all of it — the spreadsheet. The one you actually trust. The one you've been using for years to keep track of what your "real" software can't.
Eight tools, none of them built for you, none of them talking to each other. You're the one holding it all together.
It was never supposed to work this way.
What changed
For twenty years, the only choice small businesses had was to rent software built for somebody else. Each tool covered a slice of the business. None of them covered your business. You stitched them together because there was no other option.
There's another option now.
You can replace your entire stack — every tool that doesn't fit, every subscription that doesn't earn its keep, every spreadsheet you use to glue them together — with one tool, built for your business. Not configured for it. Not customized for it. Built for it.
Booking, scheduling, invoicing, customers, inventory, reporting — all in one place, designed around how you actually run things. Your terminology. Your workflow. Your rules.
This used to require an engineering team and six figures. Now it requires you, an idea, and a few afternoons. Or a local builder who can do it for you.
You own it. Forever. No subscription. No vendor lock-in. No price hikes next year.
Start where the pain is
Pull up your bank statement and find the monthly subscription line.
For every tool you pay for, ask one question:
"Is this actually doing the job for my business today?"
The booking tool that almost works the way your shop runs. The CRM that doesn't quite handle your kind of customer. The invoicing software that fits a Shopify store but not your store. The inventory tool that's too complicated for what you actually need. The reporting dashboard that gives you everything except the number you actually want to see.
Each one of those is a tool you're renting that doesn't fit.
Now imagine all of them gone, replaced by one system that does fit — built around the way you actually work, owned by your business, no monthly rent.
That's what Vibn is for.
What you can build
You don't need to be technical. You describe what your business does and what you need it to do. The AI builds it. It puts it online, sets up logins for your team and your customers, and helps you actually get people using it.
A few of the things small business owners are building:
A single tool that runs the whole front-of-house — bookings, customer notes, scheduling, payments, follow-ups — replacing four or five subscriptions with one custom system
A custom shop management tool built around your trade, your jobs, your crew — replacing the generic field-service software that never quite worked
A complete client portal where customers book, pay, see their history, leave reviews, and refer friends — in one place, branded to your business, not a generic SaaS
An end-to-end studio system — classes, members, schedules, packages, attendance, marketing — purpose-built for your studio, not the average one
A unified back-office system that handles invoicing, expenses, payroll prep, and reporting in one place, the way your bookkeeper actually thinks about it
A small-format ERP — yes, really — for a business that's outgrown spreadsheets but never going to be big enough for SAP
These are not integrations. These are not dashboards. These are the actual tools that run the business, built once, owned forever.
You own it. Forever.
This is the part the SaaS industry doesn't want you to think about.
Every month you pay for software, you're renting. You're not building anything that's yours. When they raise the price, you pay. When they change the features, you adapt. When they get acquired or shut down, you lose your workflow and your data.
The tool you build with Vibn is yours. Your business owns it. Your data lives in it. You don't pay rent on it every month. It works the way you work, because you built it the way you work.
This is what software should have always been for small business.
What if you don't want to build it yourself?
You don't have to.
A new kind of professional is emerging — local builders who specialize in building custom Vibn systems for the small businesses in their community. They speak your language. They understand small business. They hand you the keys when they're done.
You hire them once. You own the tool forever. No subscription. No vendor lock-in.
[ Find a builder in your area ]
You are why this exists
Small business is the backbone of every neighborhood, every economy, every community worth being part of. You deserve software that fits your business — not a generic version of somebody else's. You deserve to own the tools that run your livelihood.
That's what Vibn is here for.
This is your golden age. Let's build it.
[ Start building free → ]
No credit card · Free to start · Built in Canada
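Review bot: The title line "For Small Business Owners (rewritten)" has a leftover drafting marker and should read without "(rewritten)". The calls to action "[ Find a builder in your area ]" and "[ Start building free → ]" are bracketed placeholders with no link target; add the URLs or mark them as TODO. The footer order here ("No credit card · Free to start") differs from the other two audience pages ("Free to start · No credit card"); pick one.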

43
docs/mission.md Normal file

@@ -0,0 +1,43 @@
Our Mission
"Look at your subscription costs, ask if they're doing the job, if not, get building."
A letter from the founder
I've spent the last ten years trying to help small businesses grow.
Startups. Clubs. Plumbers. Bookkeepers. Family restaurants. Single-location retail. The businesses that make neighborhoods what they are. I've watched they struggle and stagnate.
Here's what I learned: the biggest thing holding small businesses back isn't the economy, or competition, or marketing. It's the owner. Their hesitations. Their (very reasonable) skepticism of change. Most small business owners are run off their feet — they don't have the time or appetite to adopt new tools, new systems, new anything. And when someone tries to sell them on change, they bristle. They've been burned too many times.
But I've also learned something else. When an owner makes an the idea theirs, they adopt it instantly.
That's what AI changes. For the first time, software can have a real conversation with a small business owner. It can listen to their problem in their words, propose a solution that feels obvious to them, and build it on the spot. The owner isn't being sold to. They're being heard. And when an idea is theirs, the resistance disappears.
That's the unlock. That's why this moment matters.
Why small business never got the software it deserved
People love to blame SaaS for squeezing small business. I don't think that's quite right.
The real story is structural. For the last two decades, the math of venture capital pushed every promising software company toward enterprise. It wasn't a conspiracy — it was incentives. Small business has high churn. Enterprise has multi-year contracts. LPs expect returns on a fund timeline that small business revenue can't deliver. So founders with great ideas for small business software kept getting nudged upmarket — by their investors, their boards, their boards' investors — until eventually the SMB version of every product was an afterthought, and the real product was built for a 500-person finance team.
Small business got the leftovers. Monthly subscriptions for software that almost-but-not-quite solves the problem.
Nobody set out to underserve small business. The system just didn't reward serving them well. That gap — the gap between what small businesses actually needed and what got built — is the gap Vibn fills.
Why now
There's a wave coming. AI is going to displace a lot of people — software engineers especially, but knowledge workers across the board. The doom narrative says this is the end of opportunity. I think it's the opposite.
Small business is where the next generation of careers gets built.
Not as a consolation prize. As an upgrade. Owning the bakery instead of writing code for a company that sells software to bakeries. Building custom tools for the plumber down the street instead of building dashboards for a Series C SaaS. Working at a thriving local business that owns its own software, instead of grinding through layoffs at companies that don't know what they want to be.
For laid-off engineers, this is a place to land — and not a small one. The same skills that built SaaS for the enterprise can build extraordinary things for small businesses now that the tools exist. For young entrepreneurs, this is the cheapest, fastest, most legitimate path to running a real business that has ever existed. For everyone who wants to help small businesses thrive, this is the moment to do it.
What Vibn is, really
Vibn is a vibe coding platform. That's the surface.
Underneath, it's a wager: that if you make it possible for a small business to have custom software — built by the owner, or by a local freelancer who hands it over — without subscriptions, without endless tool sprawl, without code, without engineering teams — you start to fix something that's been broken for twenty years.
Owners build tools and own them outright. Freelancers build custom solutions for their community and get paid like the craftsmen they are. Subscriptions get cancelled. Margins go back to the businesses earning them. Software stops being something small businesses rent forever and starts being something they own.
That's the golden age. Not abstract. Concrete. One business at a time. One tool at a time.
What you can do right now
If you own a small business: pull up your bank statement and look at the subscription line. Look at every tool you pay for every month. Ask one question — is this actually doing the job for my business today? If the answer is no, even partially, you should be building.
If you're an engineer who got laid off, or never got the job: there is real work here. Real businesses that need real tools. You don't need a startup, a co-founder, or a Series A. You need one local small business and a willingness to build them exactly what they need.
If you're an entrepreneur looking for a wave to ride: this is it. The tools are here. The customers are here. The moment is here.
We built Vibn for all of you.
Let's build the golden age.
— Mark Henderson
Founder, Vibn
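Review bot: The founder letter has two typos to fix before publishing: "I've watched they struggle and stagnate" should read "watched them", and "makes an the idea theirs" has a stray "an". Section titles such as "Why now" and "What Vibn is, really" carry no markdown heading markup, so the letter will render as one run of paragraphs. As with the audience pages, this file is outside the scope the commit message describes and would be cleaner in a separate docs commit.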