Ops · Risk · Build Dossier - Internal · 2026-07-09

Aisle - will it fly, what it costs, and how it breaks

Four teams ran the numbers on My Wedding Coordinator (working title): a feasibility researcher, a red team, a blue ops team, and a green build team. One page: every issue, the detail, and the fix or thing we build.

Scope SA-first two-sided AI wedding planner / Teams 4 (Sonnet) / Risks logged 36 / Founder solo (JP)
01 - Feasibility

Can we build it? Mostly yes. One trap.

Feature-by-feature verdict. Green = easy/cheap. Yellow = doable, budget real dev time. Red = hard or a trap for MVP.

FeatureVerdictWhy
Budget planner + cost-per-personGreenPure client-side math. Zero AI/infra cost. Trivial.
Vendor marketplace + listingsGreenStandard, well-trodden marketplace pattern.
Text / location / budget / style searchGreenPostgres full-text + filters. No exotic tech.
Specials / vouchers hubGreenCRUD + simple expiry scheduling.
AI chat wedding plannerGreen *with guardrailsCheap per couple (R1-5/mo) if capped + cached. Unmetered = biggest cost-blowout risk on the platform.
Guest manager + RSVP + drag-drop seatingYellowNo infra risk - it's a UI engineering effort (canvas/drag). Budget real dev time.
Wedding-day assistantYellowGreen as checklist/timeline; scope-creep risk if it means live day-of AI coordination.
Inspiration mood boardsYellowGreen as plain "save to board"; couples to the visual-search trap if it needs AI auto-tagging.
Visual search ("Google Lens for weddings")Red for MVP Yellow P2Tech is cheap (self-host CLIP + pgvector, <$0.0001/query). The trap: needs a 10k+ image catalogue before results feel useful - an early/growth milestone, not pilot.
Bottom line: everything is buildable. Two things decide survival and neither is technical - vendor willingness-to-pay and two-sided liquidity. Ship text search first; defer visual search until the vendor photo catalogue is big enough to search against.
02 - Costs & Sizing

How big must the hosting and DBs be?

The web server is the cheapest line item at every tier. The real cost drivers are AI API spend (scales with couples) and image bandwidth (scales with vendors). ZAR at ~R16.40/$.

TierLoadComputeDB (Postgres+pgvector)Image blobsAI budgetTotal / mo
Pilot<100 couples, ~50 vendors1× VPS 2-4 vCPU / 4-8GB (Hetzner ~R120, SA VPS R300-600)<1 GB0.5-2 GB (B2 ~R90)R300-1,000R1,500-3,000
Early1-2k couples, ~300 vendors4-8 vCPU / 16GB (Hetzner ~R1,000) + Redis2-5 GB10-15 GB + CDNR1,500-4,500R6,000-15,000
Growth10k couples, ~1k vendorsManaged PG + 2-3 app servers + LB + Redis10-20 GB100-150 GB (B2 ~R1,800-2,700)R15,000-40,000R35,000-70,000

DB storage is a non-issue - max ~20 GB Postgres even at 10k couples. Images live in S3-style object storage (Backblaze B2 at $0.006/GB), never as DB blobs.

EntityPilotEarlyGrowth
Vendors~50~300~1,000
Couples<100~2,000~10,000
Guests (avg ~130/wedding)~13k~260k~1.3M
AI chat messages~10k~300k~2M+
Images + CLIP embeddings~1.5k~25k~230k

AI cost per couple - the one variable to control tightly. Default couples to a cheap model; reserve premium (Sonnet-tier) for a paid upsell.

ModelLight couple (~15 msgs/mo)Heavy couple (~100 msgs/mo)
GPT-4o-mini~R0.12~R1.50
Claude Haiku 4.5~R0.86~R9.80
Claude Sonnet 4.6~R2.62~R29.50
Non-negotiable: hard token/message caps per couple + prompt caching (up to 90% off repeated input) + context summarization (never replay full chat history). Without caps, AI spend is unbounded - the single highest cost-blowout risk. Budget R5-15/active couple/mo as a safe ceiling.
03 - Red Team

36 ways this dies (and the fix for each)

Ranked most-lethal first. The critical cluster splits two ways: the business model (cold start, TAM, WTP, disintermediation) and SA law (POPIA special data, cross-border transfer, IDOR). Legal bites early and hard - R10m / 10-year fine cap under POPIA.

▚ 01Cold start, per cityEmpty directory → no couples → no vendor pays. JHB/CPT/PTA/DBN each need their own liquidity.
▚ 03Vendor WTP unprovenVendors get leads free on Instagram/WhatsApp. A fee before conversion is a hard sell.
▚ 04DisintermediationCouple books off-platform, commission uncollectable. Classic marketplace leak.
▚ 05POPIA special dataAllergy/dietary = special personal info. A free-text RSVP field is a violation the day it ships.
▚ 09IDOR across portalsSequential IDs let one couple read another's guest list, or a vendor read a rival's leads.
#Issue / AttackWhy it bitesMitigation
1Two-sided cold startCriticalCouple lands on a 5-vendor city, bounces; vendor sees zero traffic, won't pay R400-1200/mo. Each SA metro needs separate critical mass.Fix: seed one city hand-onboarded + a WhatsApp lead-gen wedge before opening the directory; don't go multi-city until one is liquid.
2Shrinking SA marriage TAMCriticalMarriages down YoY 10+ yrs. Every funnel layer sits on a shrinking base; the lead-gen pivot doesn't escape it.Fix: size realistic market before spending; widen TAM with adjacents (engagements, vow renewals, corporate/matric events).
3Vendor willingness-to-pay unprovenCriticalVendors get free leads via IG/referral/WhatsApp. Fixed monthly fee before a lead converts → expect <10% cold conversion, heavy month-2 churn.Fix: pilot pay-per-qualified-lead or first-month-free with 5-10 vendors before building recurring billing.
4Disintermediation kills commissionCriticalProfile shows phone/WhatsApp/email → couple books direct, platform can't detect or collect. Most common services-marketplace failure.Fix: masked number / in-app chat, reveal contact only after a trackable lead event - or drop commission for a flat lead-fee.
5POPIA special-category dataCriticalAllergy/dietary = special personal info (s26), health-data tier. Free-text RSVP field with no consent gate = day-one violation.Fix: explicit opt-in before capture; store separately under tighter access; document lawful processing condition.
6Cross-border PII to a US LLMCriticalGuest names/allergies/addresses into US-hosted GPT/Claude = cross-border transfer (s72) needing adequacy/consent/DPA. Exactly what a complaint triggers on.Fix: sign a DPA with the AI vendor, strip/redact PII before the prompt, cover transfer in consent/ToS.
7No Information Officer / lawful basisCriticalPOPIA requires a registered Information Officer + documented lawful condition per processing category. Solo founders skip it until a complaint forces it.Fix: register an IO (can be the founder) before production PII; document lawful basis per data category up front.
8Breach-notification duty + finesCriticals22: notify Regulator + subjects ASAP. Fines cap R10m / 10 yrs. No incident plan = can't even detect a breach in time.Fix: write + rehearse a breach runbook (detect, contain, notify, log) before go-live.
9IDOR: guessable IDs across portalsCriticalSequential IDs (/guests?wedding_id=1042) → increment to another couple's list or a rival vendor's leads. Most common MVP bug class.Fix: object-level auth on every endpoint, non-sequential UUIDs, IDOR sweep across all sibling endpoints before launch.
10Enumerable RSVP linksCriticalShort/sequential links (/rsvp/1042) → enumerate, harvest guest names/emails, submit fake RSVPs.Fix: cryptographically random single-use tokens (128-bit+); rate-limit; alert on sequential access.
11Uncapped LLM cost on free chatHighMulti-month chat replays history; by month 3 a turn carries 5-10k tokens. Zero cap → one scripted user = four-figure surprise bill, no revenue behind it.Fix: cap tokens/messages per user/day, summarize context, per-IP + per-account rate limiting from day one.
12Vision-search cost, no revenueHighEvery visual search fires an image call ($0.005-0.03). Free feature, cost scales linearly with usage - more popular = more bleed.Fix: daily free quota; cheap CLIP embeddings (~$0.0001) not full vision calls; reserve expensive calls for paid tier.
13Visual search needs a catalogue that doesn't existHighUseful image search needs thousands of tagged photos per category. A young SA directory won't have volume - sparse, repetitive, off-category results.Fix: don't ship until catalogue density is real (thousands/category); build it last.
14Wrong / embarrassing matchesHighElegant dress → knockoff; luxury venue → cheap hall. Screenshot-shareable credibility damage in a trust-driven category.Fix: human-curate the seed catalogue; confidence threshold below which no result shows.
15Fraud vendors take deposits, vanishHighNo CIPC check → scammer lists a fake venue, collects a deposit off-platform, disappears. Couple blames the platform.Fix: verify CIPC + ID before going live; "directory, not a party to your contract" disclosure; escrow/verified-badge tier.
16Vendor no-show liability (CPA)HighIf Aisle facilitates booking without airtight structure, the CPA's "supplier" framing can pull the platform into liability for a vendor's failure.Fix: SA counsel drafts T&Cs positioning Aisle as facilitator/marketplace only, explicit at every booking touchpoint.
17Backup / DR failure for wedding-day dataHighGuest list/seating/timeline are irreplaceable + time-critical. Loss the day before a wedding = catastrophe. Solo founder likely never ran a restore drill.Fix: point-in-time backups + quarterly restore drills; extra redundancy/alerts within 14 days of a wedding date.
18Bus factor 1, no on-callHigh2am outage/breach/corruption has nobody else to page. Recovery time balloons - during wedding season it touches live weddings.Fix: automated monitoring/alerting minimum; pre-arrange a contractor/on-call backup for peak season.
19Seasonal spike vs idle infraHighSeason ~Sept-April. Trough-sized infra gets hammered at peak; peak-sized burns cash idling 4-6 months on a pre-revenue product.Fix: autoscaling/serverless for AI + search tiers so cost tracks usage.
20Chat abuse / prompt injection / spamHighNo throttling → scripted cost-drain loops, prompt injection to extract system prompt or others' context, spam bots on free tier.Fix: rate-limit by account + IP, anomaly detection on volume/cost, isolate context between sessions.
21Pay-to-play featured, no quality gateHighIf "featured" is purely for-sale, couples learn it tracks budget not quality → trust erodes → vendors stop paying → revenue line collapses.Fix: minimum quality bar (verified reviews, completed bookings) for eligibility; label sponsored clearly.
22Fake / inflated specialsHighVendor marks up then posts "50% off," or never honors it - deceptive-discount pattern the CPA targets; cheap to game.Fix: require documented before/after pricing or redemption tracking; spot-audit high-traffic specials.
23Directory scrapingHighUnauthenticated paginated directory with contacts + pricing is trivially scraped - whole catalogue cloned in an afternoon.Fix: rate-limit + bot-detect public directory, gate full contacts behind login/lead-capture, watch for bulk patterns.
24PayFast / PCI scope creepHighHosted redirect keeps you in SAQ A. A card field in your own app jumps scope to SAQ D - a burden a solo founder can't carry.Fix: never touch raw card data - always redirect to PayFast hosted page/iframe.
25Vendor payout data exposureHighPayout bank details in the same model as RSVP data turns one IDOR into a privacy breach + fraud vector (redirected payouts).Fix: isolate financial data in a separate tightly-controlled service, encrypt at rest, log all access.
26Seating drag-drop concurrencyMediumBride + planner editing same chart with last-write-wins silently drops changes - found days before the wedding.Fix: optimistic locking or CRDT/OT for shared state; "someone else is editing" indicator.
27Relational schema won't scaleMediumNaive guests/tables/seats FKs choke on seating many-to-many + bulk ops past a few hundred guests with concurrency.Fix: proper indexing + pagination from the start; load-test 300+ guest multi-editor before launch.
28Search index cost / lock-inMediumAlgolia/Elastic scale with records + queries - fine at 200 vendors, a budget line at 5,000, painful to migrate off.Fix: start with Postgres full-text / pgvector until vendor count justifies managed search.
29AI provider rate limits at peakMediumOne shared key for chat + vision hits org rate limits during Dec/Jan engagement season - when first impressions matter most.Fix: negotiate higher tiers ahead of spikes; graceful degradation (queue/retry w/ backoff) not hard fails.
30Image storage growth + moderationMediumUploaded photos accumulate cost and, unmoderated, can be inappropriate/copyrighted. Solo founder has no moderation pipeline.Fix: storage lifecycle/compression; cheap auto content-moderation API before publish.
31Defamatory reviewsMediumA false damaging review → defamation claim against the platform. ECT Act safe-harbor only holds with proper takedown handling.Fix: publish moderation/takedown policy; respond within a defined SLA to preserve ECT safe-harbor.
32Refund / dispute ambiguityMediumNo written policy → every deposit dispute is ad-hoc, challengeable as an unfair term under the CPA; erodes trust fast.Fix: publish a clear CPA-compliant refund/dispute policy before accepting any payment.
33WhatsApp concierge cost + lead qualityMediumWhatsApp Business API bills per conversation (R0.50-2). Unreliable matching → mismatched leads → month-one churn, killing the lead product.Fix: pilot the concierge manually (founder answers) to validate match quality before paying per-conversation at scale.
34Feature sprawl vs solo capacityMedium8+ major surfaces for one person to build/secure/maintain. Security is what gets skipped when stretched thin.Fix: cut to the pilot lead-gen core (WhatsApp concierge + directory); defer everything until vendor WTP is proven.
35"Product-less" pilot still needs a legal wrapperMediumEven a no-product pilot processes PII + brokers introductions. Skipping POPIA consent + vendor T&Cs "because pilot" carries full exposure.Fix: treat pilot data + vendor agreements with full rigor: consent, basic T&Cs, lawful-basis note from day one.
36Commission has no measurement pathLowWithout payment-through-platform or attribution, commission is largely unenforceable - near-zero in practice.Fix: pick one enforceable mechanism (subscription or pay-per-lead) as primary; treat commission as a bonus, not a plan.
◆ Compliance - POPIA

POPIA: not a wall, a checklist you front-load

Aisle processes couples' and guests' personal information, including dietary/allergy data, which is health-tier special personal information. South Africa's POPIA applies from the first vendor and couple, pilot included. Most of it is cheap or free; the costly part is building the app right, which you are doing anyway. And one architectural move neutralises the scariest item.

The 5 things POPIA actually requires

ObligationWhat it means for Aisle
1 · Register an Information OfficerMandatory. The company (or JP) registers with the Information Regulator. Online, free, ~20 min. Do it before any real user data touches the system.
2 · Lawful basis + consentYou need a ground to process. Couples: contract / consent. Guest dietary/allergy (special personal info, s26) needs explicit opt-in consent - a real checkbox with purpose text, not a silent free-text field.
3 · Operator agreements (s21)Every third party touching the data (AI vendor, host, PayFast, email) is an "operator." You need a signed DPA with each. They all offer one off the shelf.
4 · Cross-border transfer (s72)Sending guest PII to a US LLM leaves SA. Legal only with the data subject's consent or a DPA giving adequate protection.
5 · Security + breach + rightsEncryption, access control, kill the IDOR/RSVP bugs, a breach-notification plan, honour "delete my data", and auto-purge guest data after the wedding.
The one move that kills the scariest item (#4): strip PII before it ever reaches the LLM. The AI planner does not need "Thabo Mokoena, peanut allergy, 12 Vine St." It needs "Guest #47, dietary flag: nut." Feed the model tokens/IDs, not names, and reattach real identities in your own DB after it responds. Do this and the cross-border health-data problem largely evaporates, because no special personal info leaves the country.

The prioritised action list

WhenAction
Phase 0Before any real PIIRegister the IO with the Information Regulator (free, online). Sign DPAs with every operator and flip the AI vendor to zero-retention / no-training (Anthropic and OpenAI both offer this). Publish a privacy policy + consent flows (toolkit template, then ~R5-15k SA lawyer review). Data minimisation by design; dietary/allergy behind an explicit opt-in.
ArchitecturalHighest leverageStrip PII before it hits the LLM (tokens/IDs not names). Single biggest lever - turns the scary cross-border item into a non-issue.
Phase 1Build-time, already in scopeUUIDs not sequential IDs + per-object auth (kills IDOR); random RSVP tokens; encryption at rest; TLS. Retention: auto-purge guest PII a set number of days after the wedding date. Data-subject requests: a simple export/delete path. Breach runbook + logging so you can detect and notify in time.

The cost reality

ItemCost
Information Officer registrationFree
DPAs / zero-retention toggleFree (admin only)
Privacy policy + consent, lawyer review~R5-15k one-off
Everything elseAlready in the build budget (it is just doing auth / encryption / retention correctly)
Flag: even the product-less pilot (a human forwarding leads over WhatsApp) processes PII and needs consent + basic terms. "It's just a pilot" is not a POPIA exemption. Phase 0 applies from the very first vendor and couple, not "later when we are a real product." Not legal advice - have an SA attorney sign off the consent wording and vendor T&Cs before launch.
04 - Blue Team · Optimization

Curbing queries & cost

Concrete tactics to keep the AI bill and DB load flat as usage grows. The two levers that matter most: precompute embeddings offline, and route cheap-model-first.

TacticHow
Cache AI responsesHash (prompt template + key inputs) → Redis, TTL 1-24h by volatility. "Recommendations for budget X" cacheable 6h; live chat not cached.
Precompute embeddings offlineNightly cron / on-upload webhook generates vendor-image embeddings once - never inside the search request path.
Cheap-model-first routingSmall model triages intent → routes only complex turns to the expensive model. Cuts AI spend 60-80%.
Token budgets per coupleHard cap (e.g. 50k tokens/day), soft warn at 80%, hard block + upgrade prompt at 100%. Stops runaway loops and abuse.
CDN + image resize/webpAll images via Cloudflare Image Resizing / resize-on-upload → webp, responsive srcset. Never serve full-res originals.
DB query cachingRedis for hot reads (vendor list, active specials), short TTL 60-300s, cache-bust on write.
Cursor pagination + lazy-loadGuest lists, search results, chat history - cursor-based (not OFFSET at scale), infinite scroll client-side.
Debounce search300-400ms debounce before firing; cancel in-flight request on new keystroke.
Edge rate-limitingPer-IP + per-account limits at Cloudflare, ahead of the app - stops scraping/abuse before it hits DB or AI spend.
Connection poolingPgBouncer in front of Postgres - critical once serverless/edge functions multiply connection count.

What to watch (cheap/free monitoring)

SignalWhyTool (free tier)
Uptime (web + API)Catch outages fastUptimeRobot
Error rate / exceptionsCatch regressionsSentry
AI spend / day#1 startup-killer risk hereCron sums tokens_used → Telegram if over threshold
DB size / growthPlan tier upgrades earlyProvider dashboard + weekly pg_database_size()
Latency p50/p95UX + early slowness warningCloudflare Analytics + Sentry Perf
Background jobs (embeddings, backup)Silent failures are worstHealthchecks.io dead-man's-switch
Daily health snapshot: one 5AM cron pings uptime, yesterday's AI spend, DB size, error count, disk - into a 10-line Telegram message. Reuse the whm:health shape already running on the nel404 stack rather than inventing a new one.
05 - Blue Team · Business Continuity

If JP is offline and it breaks - the colleague framework

Goal: a non-expert colleague opens Claude and either fixes it safely, or correctly recognizes "stop and wait for JP." Three parts: a runbook, a way to talk to Claude, and a hard line on what's off-limits.

Incident runbook (top 10)

#SymptomDiagnoseFix / Escalate
1Site down / 502-503curl -I the URL; systemctl status aisle-appFix: restart service; check df -h. Escalate if not up in 5 min or disk full.
2AI chat not respondingjournalctl -u aisle-ai-gateway -n 100Fix: check API key + provider status. Escalate if provider outage (just wait/banner).
3AI spend spike alertQuery tokens_used by couple, last 24h, descFix: if one abuser - rate-limit/temp-block that account. Escalate if broad-based.
4DB connection errorsSELECT count(*) FROM pg_stat_activity;Fix: restart PgBouncer. Escalate if DB itself down (provider-side).
5Image search empty/erroringCheck pgvector loaded \dx; embedding job last-runFix: rerun embedding batch. Escalate - never reindex a corrupt index without JP.
6Vendor images not loadingcurl image URL: bucket direct vs via CDNFix: purge Cloudflare cache. Escalate if bucket inaccessible.
7Backup job failed (missing ping)Check /var/log/aisle/backup.logFix: rerun backup.sh. Escalate if rerun fails too.
8SSL expiring/expiredopenssl s_client → check datesFix: trigger AutoSSL/LE renewal via panel. Escalate if renewal fails repeatedly.
9Guest/seating data looks wrongRead-only query on that couple_idNONE without JP - user data, never manually edit rows. Always escalate.
10Suspected security incidentCheck auth logs for account/IPOnly revoke sessions/keys for affected account. Escalate immediately, always.

How the colleague talks to Claude

Paste in
  • The exact error / screenshot, verbatim
  • The runbook entry # if identifiable
  • Raw output of the "diagnose" command (don't paraphrase)
  • What changed right before it broke
Ask
  • "Here's runbook #X + this output - does it match, and is the listed fix still safe?"
  • Never "just fix it" with no context - invites guessing + unbounded action
Guardrails
  • Colleague holds read-only creds by default
  • Any command not in the runbook "Fix" line → STOP, ask JP
  • Nothing but SELECT on the DB without JP's written go-ahead
  • No schema changes, bulk deletes, force-push, or credential rotation - ever, without JP

Escalation ladder + break-glass list

✅ Safe - self-serve OK⚠️ Caution - read-only investigate🛑 Dangerous - JP only, never delegate
Restart app / web serviceQuery prod DB (SELECT only)Any DDL (ALTER/DROP/CREATE TABLE)
Restart Redis / cacheRead app / error logsBulk UPDATE or DELETE
Purge CDN cacheCheck provider status pagesRotate / revoke API keys or DB creds
Rerun a batch job (embeddings, backup)SSH to read config filesForce-push / merge to main unreviewed
Restart PgBouncerCheck disk / memory / CPUModify DNS records
Trigger AutoSSL renewalPull a manual backup (read op)Restore a backup over production
Temp rate-limit an abusive AI userReview AI spend by accountSuspend / delete a customer account
Plain-language rule for the colleague: "If the fix is on the green list, do it. If it's not on the list, or you're not 100% sure it's the same situation, stop and message JP - waiting 20 minutes is always cheaper than guessing wrong on production data." This resolves ~70% of realistic incidents without touching anything destructive - and correctly flags the other ~30% as stop-and-wait, which is the actual goal.
06 - Green Team · Build Plan

What we build, and in what order

Ruthless MVP: ship the lead-gen wedge that earns vendor money, defer everything that's a demo-day nice-to-have. Each deferred feature has a reason.

ConcernWhat we build / do
MVP core (ships first)WhatsApp reverse-quote concierge + vendor directory + budget/cost-per-person calc + guest/RSVP + vendor portal + static vouchers hub. That's the whole pilot.
Deferred, with reasonAI chat (cost control first), visual search (no catalogue yet), seating planner (UI-heavy), wedding-day assistant (scope creep), premium AI extras (upsell later).
Budget + cost-per-personPure client-side math. No server compute, no AI. Instant "what if we add 20 guests" ticker.
Seating plannerClient-side drag-drop, JSON state saved to DB. No server compute. Add concurrency-safety when 2 editors is real.
Visual searchOffline-batched embeddings, single-image query-time inference, pgvector. Bolt-on once catalogue is dense.
AI plannerDecision-tree first, LLM only as overflow for the messy questions. Cheap-model default, capped.
Cold-start seedingMetro-by-metro manual vendor onboarding + human-curated concierge answering quotes. One city liquid before the next.
DisintermediationMasked-number relay + in-platform value (quote comparison, contracts, milestones) + subscription billing, not per-booking commission.
Vendor onboarding frictionWhatsApp-native listing - vendor sends photos + details over WhatsApp, we build the profile.
POPIA-compliant guest dataMinimal collection, explicit consent, encryption at rest, auto-purge after the wedding, responsible-party/operator framing.

Phased rollout

Phase 1 - Pilot / Web

Prove vendors pay

  • WhatsApp reverse-quote concierge (human-fulfilled)
  • Vendor directory + portal
  • Budget + cost-per-person calc
  • Guest list + RSVP
  • Static specials/vouchers
Phase 2 - AI + Visual

Add the magic

  • AI chat planner (capped + cached)
  • Visual search (once catalogue is dense)
  • AI recommendations + mood boards
  • Seating planner
Phase 3 - App + Day-of

Own the wedding day

  • Mobile app / PWA push
  • Wedding-day assistant + live timeline
  • Premium AI extras (vow/speech/invite writer)
  • Booking + payment flow

Quick wins that feel magical cheaply

Pre-seeded mood boards · templated AI answers (canned, not live-generated) · featured vendor carousel · auto-generated one-pager per couple · live cost-per-person ticker · personalized WhatsApp welcome. All near-zero cost, all make the product feel alive before the expensive AI is even wired in.