
A single prompt, pasted into a coding agent, that walks a production codebase from no instrumentation to shipped system — in an afternoon.

One prompt per setup. One afternoon to ship. As many parts as the work warrants.

Each piece in this series is built around one copy-pasteable prompt. Phase 0 forces the agent to discover the actual stack before writing code. Phase 1 names the anti-patterns we shipped and then had to fix. Phase 2 demands verification before the PR merges. The prompt is the whole technical artefact — the article is the business case and the gotchas.

The pieces stand alone, but they share a pattern: name the architecture upfront, let the agent do the mechanical work, keep the human reviewing decisions rather than typing lines. Read them in order, or jump to the one whose problem you have today.

  1. Your GA4 Doesn’t Know Where You’re Losing Customers
     Pageviews tell you traffic. Funnel reports tell you where the business is leaking. The one-prompt setup: consent mode v2, typed event helper, success-moment instrumentation, server-side Measurement Protocol from the billing webhook. (9 min read)
  2. Your Stripe Key Lives in Six Places. Most Teams Can’t List Three.
     25–40 production secrets, six stores, zero inventory. The prompt that turns “we should document this” into a 4-hour audit — with rotation procedures, drift detection, and a script wired into the daily ops report. (10 min read)
  3. The Security Scanning Stack: Six Layers, One Dashboard, Zero GitHub Bill
     CodeQL, OSV, Trivy, Semgrep, Dependabot, Secret Scanning — the prompt that installs all six, picks the right cadence per scanner, tunes the exclusions before they generate 8,000 findings, and keeps Actions minutes under 5% of the free tier. (10 min read)
  4. Your Security Scanner Can’t See Your CORS Config
     The 12-category OWASP review that scanners can’t do — JWT expiration, file-upload validation, exported secrets, the compound vulnerabilities. The prompt audits the codebase and writes a reusable skill so the next quarterly review is 45 minutes, not 4 hours. (11 min read)

None of these prompts are clever. All four name the architecture upfront so the agent does the mechanical work in the right shape the first time.
