Home/Blog/Building in Public
Building in PublicFebruary 18, 20267 min read

How I Ship a Chrome Extension as a Solo Dev (My Stack & Workflow)

A behind-the-scenes look at the tech stack, tools, and AI-assisted workflow behind building vibeGuard as a one-person operation.

People are often surprised when they learn vibeGuard is built by one person. The extension, the website, the dashboard, the API, the blog, the Chrome Web Store listing — all of it.

The secret isn't working 80-hour weeks. It's choosing the right tools, automating everything possible, and using AI as a genuine development partner. Here's exactly how it works.

The Stack

Chrome Extension

The extension itself is built with:

  • Vanilla JavaScript for the content scripts (no framework overhead in injected code)
  • Chrome Extension Manifest V3 (the latest standard)
  • Local pattern matching for secret detection (no external API calls)
  • A curated tracker database maintained as a JSON dataset

I intentionally kept the extension simple. No React, no build step for the extension itself. Content scripts need to be lean — every millisecond of execution time affects page load for users.

Website & Dashboard (vibeguard.live)

  • Next.js 16 with the App Router
  • Tailwind CSS v4 for styling
  • Prisma as the database ORM
  • NextAuth v5 for authentication (Google, GitHub, credentials)
  • PostgreSQL for data storage

Next.js is the obvious choice for a project like this. Server components for the dashboard, API routes for the backend, static generation for marketing pages. One framework, one deployment.

Hosting & Infrastructure

  • Docker for containerization (standalone output mode)
  • PostgreSQL managed database
  • SSL/TLS everywhere, enforced at the infrastructure level

Development Tools

  • AI coding assistants (Claude, Copilot) for pair programming
  • Git with a simple trunk-based workflow (no complex branching)
  • VS Code as the editor

The AI-Assisted Workflow

This is where things get interesting. Here's what a typical feature development session looks like:

1. Define the Problem (Human)

I start by clearly defining what I want to build. Not in code — in plain language. "Add a form security scanner that checks for password fields using type=text, forms submitting to HTTP endpoints, and forms sending sensitive data via GET."

2. Design the Approach (Human + AI)

I describe the detection logic to the AI and iterate on the approach. Should it scan the DOM once or observe mutations? Should it check forms on load or on submit? The AI helps explore trade-offs, but the design decisions come from domain expertise.

3. Implement (AI + Human)

The AI generates the bulk of the code. I review it carefully — checking for edge cases, performance implications, and false positive potential. Usually the first pass is 80% right, and I spend time on the remaining 20%.

4. Test (Human)

I test against real websites. Does the scanner correctly identify a Stripe checkout form? Does it false-positive on a search form? Does it handle dynamically loaded forms? This testing requires real-world judgment that AI can't provide.

5. Polish (AI + Human)

Error messages, UI tweaks, edge case handling. The AI is great for the mechanical parts. I focus on the user experience.

This workflow means I can ship a meaningful feature — from concept to Chrome Web Store update — in a single day. Not every day, but regularly.

Decisions I Made (And Why)

No Build Step for the Extension

Many Chrome extensions use webpack or vite to bundle their code. I don't. The extension's content scripts are plain JavaScript files. This means:

  • Debugging is straightforward (what you write is what runs)
  • No build configuration to maintain
  • Faster iteration cycles
  • Chrome Web Store review is smoother (reviewers can read the code)

Local-First Architecture

All scanning happens on the user's machine. No data is sent to any server. This is a deliberate design choice:

  • Privacy: Users' browsing data never leaves their browser
  • Speed: No network latency for scan results
  • Trust: Users can verify this by checking the network tab
  • Simplicity: No backend infrastructure for scan processing

Free Tier

vibeGuard's core functionality is free. This isn't a growth hack — it's a principle. Security scanning shouldn't be gated behind a paywall. The free version does everything most developers need.

Minimal Dependencies

The extension has zero npm dependencies in production. Every function, every pattern matcher, every UI component is written directly. This eliminates supply chain risk and keeps the bundle tiny.

Managing Solo Dev Challenges

Challenge: Context Switching

When you're the developer, designer, marketer, and support person, context switching is constant. My solution: themed days. Mondays and Tuesdays are feature development. Wednesdays are bug fixes and user feedback. Thursdays are marketing and content. Fridays are experiments.

This isn't rigid — urgent things get handled when they come up. But having a default structure reduces decision fatigue.

Challenge: Quality Without a Team

No code reviewer catches your mistakes when you're solo. My safety nets:

  • AI code review (describe what the code should do, ask the AI to find problems)
  • Dogfooding (I use vibeGuard constantly on my own projects)
  • Real-world testing against the top 100 websites
  • Slow rollouts (Chrome Web Store allows staged deployments)

Challenge: Scope Creep

When you can build anything, you're tempted to build everything. My rule: every feature must pass the "10-second test." Would a developer understand what this does within 10 seconds of seeing it? If not, it's too complicated.

Challenge: Motivation

Solo development can be isolating. What keeps me going:

  • User messages saying vibeGuard found something they missed
  • The intellectual challenge of catching new vulnerability patterns
  • Building in public and sharing the journey
  • The genuine belief that security should be accessible to everyone

Numbers (Honest Ones)

Since this is a building-in-public post, here's transparency:

  • Time investment: This is a passion project alongside consulting work
  • Revenue model: Free core, Pro features for teams (coming soon)
  • Tech debt: Yes, it exists. I refactor when it blocks progress, not preemptively
  • Code coverage: Not as high as I'd like. Runtime testing against real websites is more valuable for this type of tool

What I'd Tell Other Solo Devs

If you're thinking about building something alone:

1. Use AI aggressively. It's the closest thing to having a team. Just verify the output.

2. Ship before it's perfect. My first version detected 50 patterns. Now it detects over 100. But users got value from day one.

3. Pick a boring stack. Next.js, Postgres, Tailwind. These choices are boring because they work. Save your creative energy for the product, not the infrastructure.

4. Build what you know. vibeGuard exists because I spent years as a CTO seeing the same security problems. Domain expertise is your unfair advantage.

5. Stay small on purpose. Not every product needs to be a venture-scale startup. A useful tool that serves a real need and runs sustainably is a perfectly valid outcome.

The solo developer path has never been more viable. The tools are there. The distribution is there. The only question is whether you'll build something worth using.

I think vibeGuard is. But I'm biased.

chrome extensionsolo developertech stackindie hackerdeveloper workflow

Check your app's security in 10 seconds

vibeGuard is a free Chrome extension that scans for exposed secrets, trackers, and missing security headers.

Install vibeGuard — Free

More from the blog

Security6 min read

The Browser Extension That Finds What Pentests Miss

Opinion7 min read

AI Is Writing Our Code — Who's Checking the Security?

Privacy7 min read

Third-Party Trackers: Your npm Install Brought Friends