No "ultimate stack" listicle. These are the things running in production for FitCRM (CRM + WhatsApp), Rotatepilot (aviation SaaS), supabase-security (this site), and 12 Apify scrapers. Honest take on each. Some links are referrals — clearly marked.
Where every project lives. Free tier is generous; I pay $25/mo Pro on FitCRM and Rotatepilot. RLS surface area is the reason this site exists — powerful but easy to misconfigure.
Deploy in one command. Cron jobs are critical for nightly scans + drip emails. Watch the env-var trap — newlines in values silently break Resend/Anthropic calls (lost me a day, post-mortem in the blog).
Replaced Postmark. Deliverability is good, the API is one line. Hit a urllib 403 bug in Python — workaround was curl subprocess. 3k emails/mo on the free plan is plenty for indie scale.
Eval-ing for the next product launch. Handles VAT/sales-tax globally without me touching it. Github Sponsors integration is the killer feature for open-source.
Where the BaaS security auditors run as "no install" public actors. Free runs for tire-kickers, paid platform for production. Marketplace pays out monthly — small but real recurring.
Pair-programmer + ops co-pilot. Wrote ~80% of the auditors with Claude Code. Token cost is the new server bill — budget for it.
If you're shipping MCP servers for AI agents, getting listed on Glama is the modern App Store. supabase-security-mcp lives there. Approval takes 1-2 rounds; submit the real MCP repo, not the CLI.