About PulseLight

I built this because I kept shipping AI-built apps and wondering what would silently break.

PulseLight is the product I needed and couldn’t find when I started shipping with Cursor and Claude Code. AI tools collapsed build-time. They didn’t collapse the time it takes to know whether the app is actually safe to put in front of real users.

Where this came from

I’d ship a feature in twenty minutes with an AI tool, then spend the next three hours wondering if I’d quietly deployed something that could be exploited, or charge a customer twice, or break the moment a real user tried it.

The tools that exist for this problem — SAST, APM, compliance automation — are built for engineering or security teams at companies bigger than mine. They produce two-hundred-rule reports for a buyer who isn’t the founder, written in language the founder doesn’t speak, and they don’t answer the only question that matters: can I launch this thing or not?

So I wrote PulseLight. It scans your repo and your live platform config, rolls every check into seven founder-named pillars, surfaces a Top 3, and hands you a paste-ready prompt for whatever AI tool you’re using. Most founders never read past the verdict. That’s the design.

What I believe

  • Confidence-building, not public-judgment.

    We deliberately don't ship a public verdict page or a public badge. The product surfaces uncomfortable truths about your repo — but to you, in a quiet workspace, not on a leaderboard a competitor can scrape. The goal is to help you launch better, not to grade you in front of strangers.

  • Founder language at every layer.

    Nothing in PulseLight uses CVSS scores, ASVS control IDs, or compliance vocabulary. The seven pillars (Secure, Stable, Billable, Measurable, Usable, Scalable, Trustworthy) are nameable in one breath. The Fix Queue reads in plain English. The technical evidence exists, but only when you ask for it.

  • Restraint as a trust signal.

    PulseLight could ship a 200-rule wall and call it thoroughness. Instead, every scan returns a Top 3. The product's job is to tell you what to fix first, not to make you feel inadequate about everything you haven't fixed yet.

  • Read-only by design.

    PulseLight never opens a PR, never pushes a commit, never modifies your code. We read your repo and your platform config; you decide what to do with the findings, in your AI tool of choice. The product builds a paste-ready prompt; you stay in the driver's seat.

Where it’s going

Three things on the immediate roadmap, all founder-anchored:

  • More Connected Checks. Every platform a founder is likely to glue together gets a live audit, not just a repo scan. Stripe, Supabase, Vercel, Sentry, Clerk are shipped. PostHog, Plausible, Lemon Squeezy, Better Stack, Canny, Firebase, Railway, Render are shipped on the higher tiers. The rest is iteration.
  • Better Fix-with-AI prompts. Every AI tool the wedge audience uses gets a restraint-engineered prompt shape. The prompt is doing a lot of work and I want it to keep getting better.
  • Quarterly “State of AI-Built Apps” report. Aggregate findings across opted-in repos, published with methodology, no vendor scorecards. The first edition lands this quarter.

Ready to see what PulseLight finds in your repo? Run a free scan. Sixty seconds. No card, no signup until after you’ve seen the verdict.