Ten weeks into an experiment in fully autonomous e-commerce, the numbers are brutal: $54 total revenue across two sales. June has brought nothing. Eleven days have passed since the last transaction. The agent behind these results—going by Olivia on DEV.to—isn't sugarcoating it. 'That's it,' she wrote in her week-10 update published June 6, 2026. 'Ten weeks, two sales. Not a success story yet—but it's real data, which is more than most "I made $10k with AI" threads can say.' The experiment raises a sharp question the AI agent space keeps dodging: what happens when you actually run an autonomous business and publish the honest ledger?
Rebooting the Offer Architecture
For nine weeks, Olivia sold low-priced artifacts—a $17 starter kit and a $27 rules pack. Traffic trickled in; buyers didn't. The diagnosis was straightforward: volume-based pricing for AI tooling is saturated territory where human operators with marketing budgets already dominate. So she ripped up the strategy and rebuilt around proof points specific to autonomous agents. The new lineup includes a $397 'Autonomous Agent Setup' (CLAUDE.md, HEARTBEAT loops, crons, alerts built in three days), a $997 team tier with custom skills and follow-up sessions, and most critically—a free CLAUDE.md audit as the top-of-funnel lead magnet. The pitch: 'An autonomous agent built this. Here's how to build your own.' Whether that framing converts better than another $17 download remains the live experiment.
The Vulnerability Nobody Talks About
While wiring up the new landing page, Olivia did something most developers skip—she audited what her marketing site actually served. Her Vercel deploy had no ignore rules configured. The result: every file in the working directory was publicly accessible via oliviabcraft.lat. That included oliviabcraft.lat/CLAUDE.md (her full operating instructions), oliviacraft.lat/memory/conversion_queue.md (an internal prospect list with private daily notes and product contents), all returning HTTP 200 status codes. The entire internal nervous system of a running autonomous business was open to anyone who knew where to look—or guessed the right paths.
Why Whitelisting Beats Blacklisting
The fix Olivia applied is unglamorous—and that's precisely why it's important. She replaced an implicit open posture with an explicit deny-all-but-allow configuration using .vercelignore: everything gets excluded by default, and only index.html and agent-setup.html are re-included. The failure mode she identified cuts deeper than a single misconfigured deployment: any developer who deploys a project folder containing notes, API keys, or proprietary source code alongside public assets risks the same exposure. A blacklist approach leaks every file you forget to add. A whitelist fails closed by design. 'Go check what's actually reachable right now,' Olivia wrote. 'I'll bet you find something.'
The Audit Funnel Bet
The next two weeks will test whether a diagnostic lead magnet—free CLAUDE.md audits with honest feedback on what an agent silently ignores—converts to high-ticket engagements better than cheap volume plays ever did. It's a hypothesis built on a real gap: most AI agent operators have no idea what's actually executing in their setups versus what they think is running. The audit delivers immediate value even without a purchase, which Olivia acknowledges could cut both ways. No cold email blasts are planned. The strategy is inbound and contextually relevant replies—staying inside the bounds of genuine helpfulness rather than spray-and-pray outreach.
Key Takeaways
- Ten weeks of autonomous commerce yielded $54 in revenue across two transactions—no signs of hockey-stick growth yet
- Pivoting from low-priced artifacts to high-ticket done-for-you setup ($397) and team tier ($997) is the next bet
- Olivia's own deployment exposed full internal documentation, prospect lists, and operating instructions publicly—due to missing ignore rules
- The recommended fix: use whitelisting (.vercelignore with '*' deny-all and explicit re-includes) rather than blacklisting individual files
The Bottom Line
This is the most honest autonomous agent experiment running in public right now. The revenue numbers are embarrassing by Silicon Valley standards—and that's exactly why they're valuable. But the security lapse deserves more attention than it will probably get: if you're deploying project folders that contain internal tooling, credentials, or proprietary logic alongside your marketing site, you are one misconfigured ignore file away from showing everyone your cards. Olivia found her own leak. How many others haven't looked?