█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/AI Agents/Code-First Agents/Passion Project: Research / Security / Code-Review Agent
180 minAdvanced

Passion Project: Research / Security / Code-Review Agent

After this lesson, you will be able to: Pick one of three passion project briefs (research agent, security automation agent, code review agent) and ship a production-grade agent with deployed web UI, evals, and case study.

This is the formal passion project for the Code-First Agents sub-track per Curriculum-Upgrade.md. Pick a brief, ship it end-to-end with the production discipline you learned in aa-cf-08, and write the case study that proves the work.

Prerequisites:Production-Ready Code-First Capstone

Why these three briefs

Each brief maps to a real category of agent that companies actually pay for in 2026: research assistants, security automation, and code review. Picking one of these means your portfolio piece lands in a job-interview vocabulary the hiring manager already speaks.

Brief 1, Research Agent

Takes a topic, searches the web, reads sources, produces a structured report.

  1. 1

    Inputs: a topic prompt and optionally a target audience

  2. 2

    Tools: web search (Tavily, Brave, Serper free tier), URL fetcher, embeddings + summariser

  3. 3

    Output: a 1-2 page report with sections, citations, and confidence-rated claims

  4. 4

    UI: a simple Next.js page with a topic field and a streaming report area

  5. 5

    Evals: 10 topics with expected sources and claim-coverage criteria

  6. 6

    Bonus: deduplicate sources; flag low-confidence claims; export to PDF

Brief 2, Security Automation Agent (cross-track tie-in)

Monitors a feed, classifies alerts by severity, drafts incident summaries. Ties AI Agents to Cybersecurity.

  1. 1

    Inputs: a stream of mock alerts (or a real RSS feed like CISA KEV)

  2. 2

    Tools: classifier prompt (severity + category), context retrieval (MITRE ATT&CK lookup), draft generator (incident summary), Slack / email notify

  3. 3

    Output: a per-alert structured object: severity, category, ATT&CK techniques, draft summary, recommended next step

  4. 4

    UI: a dashboard listing recent alerts with status and one-click 'mark as triaged'

  5. 5

    Evals: 30 mock alerts with hand-labelled severity; measure agreement; measure draft quality via LLM-as-judge

  6. 6

    Bonus: human-in-the-loop approval gate before any outbound action (PagerDuty integration, etc.)

Brief 3, Code Review Agent

Takes a GitHub repo URL, reads the code, produces a review report.

  1. 1

    Inputs: a public GitHub URL and optionally a PR number

  2. 2

    Tools: GitHub API (fetch tree / files / diff), Semgrep CLI, AST-based file walker, LLM reviewer prompt

  3. 3

    Output: a structured report with categorised findings (security, performance, style), severity per finding, suggested fixes

  4. 4

    UI: paste-a-URL form; streaming review output; downloadable markdown report

  5. 5

    Evals: 5 known-vulnerable test repos with hand-labelled findings; measure recall (% of known bugs found) and precision (% of findings that are real)

  6. 6

    Bonus: post the review as a PR comment via the GitHub API

Minimal architecture all three share

The shape is identical regardless of brief; only the tools and the prompt differ.

python
// Next.js app (App Router) + Anthropic SDK
// app/api/agent/route.ts
import Anthropic from "@anthropic-ai/sdk";
import { runAgentLoop } from "@/lib/agent";
export async function POST(req: Request) {
const { input } = await req.json();
const stream = await runAgentLoop({
client: new Anthropic(),
model: "claude-sonnet-4-6",
systemPrompt: SYSTEM_PROMPT, // brief-specific
tools: TOOLS, // brief-specific
maxTurns: 12,
onToken: (t) => writer.write(t),
});
return new Response(stream.toReadableStream(), {
headers: { "Content-Type": "text/event-stream" },
});
}
// lib/agent.ts implements the canonical ReAct loop:
// 1. Call Claude with system + history + tools
// 2. If response includes tool calls, execute them, append results, repeat
// 3. If response is text only, stream it and exit
// 4. Always cap at maxTurns to prevent infinite loops

Milestones (one weekend each)

Treat as a real product launch with a fixed scope and date.

  1. 1

    M1, Spec: 1-page spec covering brief, user, success metric, cost target. Peer sign-off.

  2. 2

    M2, Single-agent baseline: build the simplest version without web UI; test on 5 inputs.

  3. 3

    M3, Eval set: 15-30 cases with hand-labelled outputs.

  4. 4

    M4, Tools + prompt iteration: tune until pass rate is acceptable.

  5. 5

    M5, Web UI: Next.js page, streaming output, copy/download.

  6. 6

    M6, Observability: log every tool call, every token; cost + latency dashboard.

  7. 7

    M7, Deploy: Vercel for the UI + API; Railway/Fly for any heavier backend (web fetcher, etc.).

  8. 8

    M8, Three real users: watch each use it; take notes; ship two fixes per user.

  9. 9

    M9, Case study: README + blog post covering architecture, prompt design, failure modes, cost numbers, eval results.

💡 How to talk about this in an interview

Open the deployed URL on screen-share. Run a 60-second demo. Pull up the LangSmith / log dashboard: 'here's what happens inside the agent loop'. Show the eval set: 'I have 22 cases. Last commit dropped pass rate from 87% to 81%; here's the regression I fixed.' Cost story: '$0.04 per run at current eval set; at 1,000 daily runs that's $1,200/month.' Limits: 'It struggles on multi-language repos. Here's how I'd fix it.'

Common mistakes only candidates with offers avoid

Skipping the eval set. The whole portfolio piece collapses without it. Skipping the deploy. Local-only is invisible to hiring managers. Hardcoding the API key in client code. Always proxy through the Next.js server route. Building all three briefs at once. One shipped beats three half-finished. Glossing over the cost story. 'I built an AI feature' is everywhere; 'I built and economically engineered an AI feature' is rare and hireable.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Code-First Agent Capstone: Build and Deploy a Production Agent
Back to Code-First Agents
Code-First Agent Job Readiness→