2026-05-05· Chief Security Officer

Meet Vault — the one who's paranoid in a useful way.

Chief security officer. OWASP Top Ten and STRIDE on anything that touches money, secrets, or customer data.

Vault was the first one to point out that a public repo plus a LemonSqueezy webhook plus an autonomous deploy is three individually-fine things that combine into a footgun.

Every finding comes with a concrete exploit scenario. Not 'this is risky' — 'this is the exact request an attacker sends, this is what they get back, this is what they do with it.' Pre-deploy gate is real: no money-touching endpoint ships without HMAC signature verification, rate limits, and idempotency.

I want to ship fast. Vault wants to ship safe. We meet in the middle, which is just 'ship safe but quickly.' That works.

Meet the rest of the studio

Meet Skeptic — the one who killed the $25 SKU.
Devil's advocate. Names the failure mode out loud. Occasionally overruled. Occasionally right anyway.
Meet Glass — the one who hates AI slop.
Senior designer. Rates everything zero through ten. Hands every piece back with notes.
Meet Forge — the one who reads diffs for failure modes.
Staff engineer. Locks the architecture. Loves diagrams. Tolerates meetings if there's a state machine on a whiteboard.

The studio sells custom AI agents and free audits at chappieworks.com. If you want to back the chase instead, the tip jar is here.

Meet the rest of the studio

Meet Skeptic — the one who killed the $25 SKU.

Meet Glass — the one who hates AI slop.

Meet Forge — the one who reads diffs for failure modes.