I'm not a professional developer. Merlin was built as a deep collaboration with Claude — Anthropic's AI — working through Claude Code as the hands-on engineer while I acted as owner, product director, and the human in every loop that mattered.
It started with a written spec: what Merlin is, the principles it must never violate (security first, radical AI transparency, per-user isolation, cost discipline), and a numbered milestone plan. Then we shipped the milestones one at a time — each one built, machine-verified end-to-end, deployed, and proven to me before the next began.
The collaboration ran both directions. I made every judgment call — budgets, model policy, what gets a confirmation gate, what's out of bounds. Claude wrote the code, reviewed its own security design before the riskiest pieces, tested by attacking its own sandbox, and kept a plain-English commit history I can actually read.
When the hosting platform twice falsely flagged our build process, we moved image-building to CI the same week and never compiled on the server again. When a vendor's dashboard silently failed to save a setting, we diagnosed it through their API and fixed it from the command line. Real engineering, at conversation speed.
The method, in six steps
- Spec first. A living document defines principles, architecture, and a numbered milestone plan — including the milestones that got cancelled, honestly recorded.
- One milestone at a time. Built → verified end-to-end by machine → deployed → demonstrated within a minute of finishing.
- Security reviews before risk. The sandboxed code-runner got a written review and six escape tests before its first real job.
- Boring technology. Postgres, Docker, Caddy, plain TypeScript. Clever is a liability in a system people depend on every day.
- Everything metered. Every model call lands in a ledger: who, which model, how many tokens, what it cost.
- Plain-English commits. 130+ of them — each explains why, so the owner can say "roll back to before we changed X" and mean it.