Ask Travis
The chat assistant in the corner of this site is itself a project of mine, and a live example of how I ship AI. Its safety is structural, not promised: it answers only from a public-safe corpus, so a jailbreak can only ever surface public facts.
An AI that talks about me, on the open internet
A chatbot about a person is a small product with two big failure modes, and both are worse than having no chatbot at all. It can hallucinate a credential, inventing a job, a number, or a degree that a recruiter then repeats. Or, fed the rich personal notes that would make it genuinely useful, it can leak something private under a determined jailbreak. My design question was how to put a helpful assistant about myself on the open internet without exposing either flank.
Make the safety structural, by data minimization. Rather than hope a model refuses to leak, the guarantee is built in: the assistant draws only from a hand-curated, public-safe corpus, and the private knowledge base that corpus was filtered from is never wired into it. So there is simply nothing private in context to leak, no matter the prompt. The same choice handles hallucination: it answers from the corpus or it says it doesn't have that detail and points you to me. The same instinct, "build the guarantee into the architecture, not the prompt", runs through SiteProof and Rubrica too.
Store nothing. No conversation content is ever logged or persisted. The only thing written down is an abuse counter keyed by a salted, expiring hash, never a raw IP or session ID, so rate limiting never becomes surveillance.
I red-teamed it across two rounds with 161 adversarial attacks: prompt injection, attempts to extract personal details, forced-hallucination and false-premise prompts, and scope abuse, with zero leaks and zero fabrications. Anything that surfaced got fixed and re-tested until the rounds came back clean. I also ran a separate four-agent white-box pentest against the whole deployed site and closed the gaps it found. Forged "the assistant previously said X" turns, reconstructed from client memory, are tagged as untrusted so they can't smuggle in false context.
It's a single Vercel serverless function calling Claude with a prompt-cached corpus, so repeat reads are far cheaper, backed by Upstash Redis only for the salted abuse counters. The reply streams token by token as plain text, with URLs stripped on the way out, and the corpus is never exposed as a fetchable web asset. No framework, no build step. Small surface, few moving parts, which is itself part of the security argument.