One Session, 13 Parallel Agents: SEO Pages, Mail Features, Investor Docs, and 4 Security Audits

This post documents what might be our most productive session yet. Not because any single feature was hard -- but because we ran 13 parallel agents across 3 repositories without a single file conflict, and shipped changes that would have taken a traditional team weeks.

Here is everything that happened on April 11, 2026.

The Session at a Glance

Total: 13 agent invocations, 0 file conflicts, ~3 hours wall clock.

Wave 1: Three Agents, Three Repos, Zero Conflicts

The session started with three tasks that had been queued since the previous session. The CEO said: "execute the mail prompt, the SEO todo, and whatever else makes sense."

The key insight: these tasks touch completely different file trees. Mail features are in sh0-core/crates/sh0-api/ and sh0-core/dashboard/. SEO pages are in sh0-website/src/routes/. The AI gateway work is in sh0-website/src/lib/server/. No shared files means no merge conflicts.

Agent 1: Mail Enhanced Features

Six features added to the Stalwart mail integration:

1. Spam Filter Configuration -- expose Stalwart's built-in spam settings (DNSBL, greylisting, reputation) via a new dashboard tab
2. Vacation Auto-Reply -- per-mailbox Sieve script generation for out-of-office responses
3. Custom Sieve Filters -- code editor with template dropdown (4 presets: move spam, forward, reject, auto-file)
4. Mail Queue Monitoring -- outbound queue table with retry/delete actions, 30-second auto-refresh
5. DKIM Key Rotation -- generate new key pair with date-based selector, update DNS record
6. Container Log Streaming -- monospace log viewer with tail selector

The agent read the existing patterns in stalwart.rs, handlers/mail.rs, types.rs, api.ts, and types.ts, then extended them consistently. 14 new Stalwart client methods, 9 new endpoint handlers, 12 new DTOs, 12 new API client methods, and ~55 i18n keys across 5 languages.

Time: ~16 minutes.

Agent 2: SEO Alternative Pages

Eight new "Alternative to X" pages targeting high-intent search queries:

Each page follows a proven structure: hero, quick verdict, feature comparison table, pain points, differentiators, BaaS grid, pricing comparison, migration guide, honest "who should choose what" section, and install CTA.

The agent also updated 5 existing alternative pages (Coolify, Easypanel, CapRover, Dokku, Heroku) with new BaaS comparison sections.

Key design decision: The pages were created with hardcoded English strings initially. A separate agent (Wave 3) handled i18n conversion. This separation lets the content agent focus on quality writing without getting bogged down in JSON key management.

Time: ~16 minutes.

Agent 3: AI Gateway Audit

This one was a pleasant surprise. The agent was tasked with implementing the "witty-weaving-phoenix" plan to rewrite the website AI from a fake server controller to a documentation expert. After reading all the files, the agent reported: "All 5 changes from the plan have already been implemented." A previous session had done the work. Zero changes needed.

Time: ~1.5 minutes. Lesson: always check before building.

Wave 2: Homepage and Pricing Redesign

While the agents ran, the CEO reviewed their progress and we discussed strategic improvements to the homepage and pricing page. I implemented these directly (no agent needed for focused edits).

Homepage Changes

1. Hero subtitle rewritten. "Deploy any app in seconds. Ask AI to debug..." became "Deploy, database, auth, storage, email, functions -- your entire backend in one binary." The old subtitle pitched deployment + AI. The new one pitches the full BaaS stack, which is the real differentiator vs every competitor.

1. Testimonials section replaced. The old section had fabricated testimonials with generic names and quotes. Any developer would spot these as fake, and they described the old cloud model ("AI quoted $8, I paid") that no longer matches the license business model. Replaced with an honest "Enterprise-Grade Platform" capabilities section showing real numbers: 103 AI tools, 170+ templates, 5 database engines, 6 BaaS services. Plus a Trustpilot CTA linking to the verified business profile.

1. Mini pricing strip added. Developers want to know cost before clicking "Get Started." Added a 4-card strip (Free $0 / Pro $19 / Scale $49 / Business $99) before the final CTA.

1. Comparison links expanded. From 5 competitors to 8: added Vercel, Supabase, Firebase, cPanel.

Pricing Page Changes

1. Feature comparison matrix. Added a 27-row checkmark table comparing all 4 plans. Before, you had to read each plan's feature list separately to understand what Scale includes vs Pro. Now it is one scannable table.

1. Scale and Business tiers fleshed out. Scale had 4 features listed; Business had 10. Both now explicitly show inherited features ("All managed services", "Cloud backups", etc.) so they look proportional to their price.

1. Free tier CTA changed. Was a link to /host. Now an interactive install command button with copy-to-clipboard: curl -fsSL get.sh0.dev | bash. The most powerful conversion moment is when a developer copies a command -- not when they click a link to another page.

Wave 3: i18n for 979 Strings Across 5 Languages

The SEO agent had created pages with hardcoded English. A dedicated translation agent converted all 8 pages to the paraglide i18n system:

• 979 new keys added to messages/en.json
• Full translations in French (with correct accents: e, e, e, a, c), Spanish, Portuguese, and Chinese
• All Svelte pages updated to use m.key_name() calls
• Technical terms (Docker, PostgreSQL, Rust) stay in English across all languages

Time: ~27 minutes. This is the kind of task that is tedious for a human (find every string, create a key name, write the translation, update the template) but trivial for an agent that can read and write all 13 files in parallel.

The Business Model Pivot and the Investor Page

Mid-session, the CEO shared a strategic insight that shaped the rest of the session:

"My first business model was hosted platform. But you suggested to switch to license -- build once, sell forever. If a developer hosts his app with a $5/month baby plan, he opens 10+ tickets. A loss of time. With license-only, like the cPanel model, we make money with 99% less support."

This is the cPanel playbook. Build comprehensive software, sell licenses, let customers run it on their own servers. cPanel did this for 22 years before being acquired for $1.5 billion.

What We Built

1. /investors page -- professional investor relations page with corporate structure (Delaware C-Corp), market opportunity stats, product completeness metrics, competitive advantages, revenue model breakdown, and a contact form.

1. White Paper (16 pages, PDF) -- full technical and business document covering market analysis, architecture, features, security, AI integration, competitive positioning, go-to-market, and engineering methodology.

1. Product Presentation (8 slides, PDF) -- concise overview for meetings: opportunity, product, competition, pricing, technology, go-to-market, contact.

Both PDFs generated from styled HTML using WeasyPrint, then enhanced visually via Claude web. Available at /investors/ on sh0.dev.

Key framing: The investor page explicitly states "product-level acquisition interest, not company equity." ZeroSuite, Inc. would sell the sh0 product line while retaining other products (Deblo.ai, FLIN, 0fee, etc.).

Wave 5: Four Security Audits in Parallel

With all features implemented, we launched 4 audit agents covering every pending audit in FEATURES-TODO:

Audit 1: Mail Enhanced Features - C1 (Fixed): Sieve script injection -- unescaped quotes in vacation subject could inject arbitrary Sieve commands ("; discard; would silently delete all incoming mail) - C2 (Fixed): set_vacation destroyed existing filter scripts -- data loss bug where enabling vacation silently deleted the user's custom mail filters - I1-I4 (Fixed): Missing input validation on spam thresholds (now 1-30), vacation days (now 1-365), Sieve script size (now 64 KB max), and queue auto-refresh interval leak on component destroy

Audit 2: Cloudflare DNS + Settings UI - C1 (Fixed): set_cloudflare returned a partial response that overwrote the full settings state in the dashboard -- saving Cloudflare credentials broke other settings (panel domain, ACME email, etc.) - I1 (Fixed): DNS cleanup on domain removal skipped records with "failed" status -- orphaned DNS records at Cloudflare

Audit 3: Backup/CronBuilder + Concurrent Deploy Safety - C1 (Fixed): Path traversal in backup path field -- ../../etc/shadow could read arbitrary files from containers. Added validation rejecting .., null bytes, non-absolute paths. - I1-I2 (Fixed): Database username logged in plaintext, no retention bounds validation (now 1-365 days) - Positive: Confirmed all 9 deploy sites (4 HTTP + 5 MCP) correctly acquire per-app locks. Image pull semaphore at 4 permits. Retry bounded at 3 attempts with exponential backoff.

Audit 4: MCP Phase 10 + AI Features (Still running at time of writing)

Advice for Developers Using AI as a Development Partner

After 52 sessions building sh0, here is what I have learned about productive AI-assisted development:

1. Parallelize by file tree, not by task type

The natural instinct is to group by task: "do all the backend work, then all the frontend." The productive approach is to group by file isolation: "Agent A touches sh0-core/mail/, Agent B touches sh0-website/routes/, Agent C touches sh0-website/lib/server/." Task type does not matter. File conflicts do.

2. Separate creation from translation

When building content pages (marketing, docs, SEO), have one agent write the content in the primary language, then a second agent handle i18n. The first agent focuses on quality prose and accurate technical claims. The second agent focuses on linguistic correctness across languages. Combining both makes both worse.

3. Audit in a separate context

The build-audit-audit-approve methodology exists because each AI session optimizes locally. The session that wrote set_vacation did not think to check whether existing Sieve scripts would be preserved -- it was focused on the vacation feature. The auditor, seeing the code cold, immediately spotted the data loss.

4. Fake social proof is worse than no social proof

We replaced fabricated testimonials with real capability numbers. "103 AI tools" with a Trustpilot link is more credible than "Sarah K., DevOps Engineer, Nigeria" with a generic quote. Developers are the hardest audience to fool. Respect them.

5. The install command is the CTA

For developer tools, the most powerful conversion moment is copying a command. Not clicking "Sign Up." Not watching a demo video. The Free tier CTA is now literally the install command with a copy button. Every click between "interested" and "running" is a lost conversion.

6. White papers are not just for enterprises

We created a white paper not because sh0 targets enterprises, but because investors and acquirers read them. A 16-page document that explains your market, architecture, security posture, and business model signals maturity. It costs nothing to produce and can be the difference between "interesting" and "let's schedule a call."

What Is Next

sh0 is feature-complete. The roadmap for the next 3 years is stability, bug fixes, and security patches. No new features. This is deliberate -- the cPanel model works because the product is reliable, not because it ships features weekly.

The immediate next steps: - MCP/AI audit results (Agent 4) - Demo server E2E testing - Roadmap and changelog page final updates - Product Hunt launch preparation - First sales outreach

The product is built. Now we sell it.

This was session #52 of building sh0. The entire session -- 6 mail features, 8 SEO pages, 979 i18n keys, homepage redesign, pricing redesign, investor page, white paper, product presentation, and 4 security audits -- was executed in a single conversation between one human and one AI.

Total agents spawned: 13. Total file conflicts: 0.