After this lesson, you will be able to: Pick one of three passion project briefs (research agent, security automation agent, code review agent) and ship a production-grade agent with deployed web UI, evals, and case study.
This is the formal passion project for the Code-First Agents sub-track per Curriculum-Upgrade.md. Pick a brief, ship it end-to-end with the production discipline you learned in aa-cf-08, and write the case study that proves the work.
Each brief maps to a real category of agent that companies actually pay for in 2026: research assistants, security automation, and code review. Picking one of these means your portfolio piece lands in a job-interview vocabulary the hiring manager already speaks.
Takes a topic, searches the web, reads sources, produces a structured report.
Inputs: a topic prompt and optionally a target audience
Tools: web search (Tavily, Brave, Serper free tier), URL fetcher, embeddings + summariser
Output: a 1-2 page report with sections, citations, and confidence-rated claims
UI: a simple Next.js page with a topic field and a streaming report area
Evals: 10 topics with expected sources and claim-coverage criteria
Bonus: deduplicate sources; flag low-confidence claims; export to PDF
Monitors a feed, classifies alerts by severity, drafts incident summaries. Ties AI Agents to Cybersecurity.
Inputs: a stream of mock alerts (or a real RSS feed like CISA KEV)
Tools: classifier prompt (severity + category), context retrieval (MITRE ATT&CK lookup), draft generator (incident summary), Slack / email notify
Output: a per-alert structured object: severity, category, ATT&CK techniques, draft summary, recommended next step
UI: a dashboard listing recent alerts with status and one-click 'mark as triaged'
Evals: 30 mock alerts with hand-labelled severity; measure agreement; measure draft quality via LLM-as-judge
Bonus: human-in-the-loop approval gate before any outbound action (PagerDuty integration, etc.)
Takes a GitHub repo URL, reads the code, produces a review report.
Inputs: a public GitHub URL and optionally a PR number
Tools: GitHub API (fetch tree / files / diff), Semgrep CLI, AST-based file walker, LLM reviewer prompt
Output: a structured report with categorised findings (security, performance, style), severity per finding, suggested fixes
UI: paste-a-URL form; streaming review output; downloadable markdown report
Evals: 5 known-vulnerable test repos with hand-labelled findings; measure recall (% of known bugs found) and precision (% of findings that are real)
Bonus: post the review as a PR comment via the GitHub API
The shape is identical regardless of brief; only the tools and the prompt differ.
// Next.js app (App Router) + Anthropic SDK// app/api/agent/route.tsimport Anthropic from "@anthropic-ai/sdk";import { runAgentLoop } from "@/lib/agent";export async function POST(req: Request) {const { input } = await req.json();const stream = await runAgentLoop({client: new Anthropic(),model: "claude-sonnet-4-6",systemPrompt: SYSTEM_PROMPT, // brief-specifictools: TOOLS, // brief-specificmaxTurns: 12,onToken: (t) => writer.write(t),});return new Response(stream.toReadableStream(), {headers: { "Content-Type": "text/event-stream" },});}// lib/agent.ts implements the canonical ReAct loop:// 1. Call Claude with system + history + tools// 2. If response includes tool calls, execute them, append results, repeat// 3. If response is text only, stream it and exit// 4. Always cap at maxTurns to prevent infinite loops
Treat as a real product launch with a fixed scope and date.
M1, Spec: 1-page spec covering brief, user, success metric, cost target. Peer sign-off.
M2, Single-agent baseline: build the simplest version without web UI; test on 5 inputs.
M3, Eval set: 15-30 cases with hand-labelled outputs.
M4, Tools + prompt iteration: tune until pass rate is acceptable.
M5, Web UI: Next.js page, streaming output, copy/download.
M6, Observability: log every tool call, every token; cost + latency dashboard.
M7, Deploy: Vercel for the UI + API; Railway/Fly for any heavier backend (web fetcher, etc.).
M8, Three real users: watch each use it; take notes; ship two fixes per user.
M9, Case study: README + blog post covering architecture, prompt design, failure modes, cost numbers, eval results.
Skipping the eval set. The whole portfolio piece collapses without it. Skipping the deploy. Local-only is invisible to hiring managers. Hardcoding the API key in client code. Always proxy through the Next.js server route. Building all three briefs at once. One shipped beats three half-finished. Glossing over the cost story. 'I built an AI feature' is everywhere; 'I built and economically engineered an AI feature' is rare and hireable.
Sign in and purchase access to unlock this lesson.