# Charles Jones — Senior Full-Stack Engineer

> Personal portfolio and technical blog by Charles Jones. Twenty years shipping scalable, secure web apps with AI integration across React, Vue, TypeScript, Node.js, and .NET. Blog covers Claude Code plugins, MCP tools, n8n multi-agent workflows, OWASP security, enterprise CMS (Sitecore, Umbraco), infrastructure, and modern framework tradeoffs.

Full markdown export of every post is available at https://charlesjones.dev/llms-full.txt.

## About

- [About Charles Jones](https://charlesjones.dev/about): background, certifications, technical focus, and 20+ years of enterprise experience.
- [Contact](https://charlesjones.dev/contact): direct contact form for consulting, collaboration, and speaking requests.
- [Portfolio](https://charlesjones.dev/portfolio): shipped projects and client work.
- [Privacy](https://charlesjones.dev/privacy): site privacy policy.

## Featured posts

- [Your Claude Prompts Are an Audit Gap. LiteLLM Closes It.](https://charlesjones.dev/blog/litellm-enterprise-claude-audit-gateway): A staff engineer's case for putting LiteLLM in front of Claude to close the audit gap: PII filtering, secret detection, virtual keys per user, and a real log of every prompt. Config examples and an honest take on the tradeoffs.
- [84 Malicious TanStack Versions Hit npm. My Portfolio Pulled Zero.](https://charlesjones.dev/blog/mini-shai-hulud-tanstack-locked-dependencies): On May 11, 2026, the Mini Shai-Hulud worm published 84 malicious versions across 42 TanStack packages in a six-minute window. My portfolio runs on TanStack Start. None of the bad versions ever touched it. Here is why, and what every project running npm should be doing right now.
- [WordPress Was Already a Security Nightmare. AI Agents Are About to Make It Unlivable.](https://charlesjones.dev/blog/wordpress-plugin-backdoor-supply-chain-ai-agents-security): Someone spent six figures on 31 trusted WordPress plugins, planted a PHP deserialization backdoor, and sat on it for eight months before lighting it up in April 2026. That's not a WordPress bug. That's what WordPress is. Here is why the next wave of agentic AI turns every outdated install into a ticking clock, and what to move to instead.
- [GEO is the New SEO: Optimizing for AI Answer Engines in 2026](https://charlesjones.dev/blog/geo-new-seo-ai-answer-engines-2026): Generative Engine Optimization (GEO) is the discipline of getting cited by ChatGPT, Perplexity, Claude, and Gemini. It overlaps with SEO about 40%. The other 60% is new territory, and it's worth learning now.
- [Why I Rebuilt My Portfolio with TanStack Start](https://charlesjones.dev/blog/why-i-rebuilt-my-portfolio-with-tanstack-start): I previously wrote about choosing Nuxt over Next.js. Then I rewrote my entire portfolio in React. This isn't a framework war - it's about what TanStack Start gets right that Next.js doesn't, and why the rebuild was worth it.
- [Stop Supply Chain Attacks: Why Your Build Pipeline Should Use Locked Dependencies](https://charlesjones.dev/blog/npm-supply-chain-attacks-ci-cd-locked-dependencies): A simple switch from npm install to npm ci in your CI/CD pipeline can prevent supply chain attacks by enforcing exact dependency versions. Learn why this matters and how to implement it in your build scripts.

## AI & Automation

- [Your Claude Prompts Are an Audit Gap. LiteLLM Closes It.](https://charlesjones.dev/blog/litellm-enterprise-claude-audit-gateway): A staff engineer's case for putting LiteLLM in front of Claude to close the audit gap: PII filtering, secret detection, virtual keys per user, and a real log of every prompt. Config examples and an honest take on the tradeoffs.
- [How Claude Code Auto Mode Replaced Permission-Skipping in My Workflow](https://charlesjones.dev/blog/claude-code-auto-mode-vs-dangerously-skip-permissions): --dangerously-skip-permissions removes every guardrail. Claude Code Auto Mode puts a permission gate in front of every tool call, scoped by default to the working directory and the current repo's remotes. After hours of work on a plan doc, that gate is what makes the execution phase safe to run unattended.
- [GEO is the New SEO: Optimizing for AI Answer Engines in 2026](https://charlesjones.dev/blog/geo-new-seo-ai-answer-engines-2026): Generative Engine Optimization (GEO) is the discipline of getting cited by ChatGPT, Perplexity, Claude, and Gemini. It overlaps with SEO about 40%. The other 60% is new territory, and it's worth learning now.
- [Your AI Forgets Everything. Mine Doesn't. Meet the Claude Code Knowledge Base.](https://charlesjones.dev/blog/claude-code-ai-knowledge-base-plugin-persistent-memory): AI conversations are ephemeral. You solve a real problem, close the tab, and the knowledge disappears. I built a Claude Code plugin that captures what you learn during development, organizes it into a persistent knowledge base, and loads the right context automatically in future sessions.
- [Anthropic Dropped Subscription Support for OpenClaw. OpenRouter Is the Fix.](https://charlesjones.dev/blog/openclaw-openrouter-migration-anthropic-billing-change): Anthropic's April 2026 billing change dropped subscription support for OpenClaw and other third-party harnesses. OpenRouter is the cleanest migration path: same models, automatic failover, and freedom to switch providers without reconfiguring anything.
- [Agent Teams Shipped in Claude Code 2.1.32. Here's When They Beat Subagents.](https://charlesjones.dev/blog/claude-code-agent-teams-vs-subagents-parallel-development): Claude Code 2.1.32 introduced Agent Teams, a new way to coordinate multiple Claude sessions that can communicate directly with each other. I've been using subagents for months through my ai-workflow plugin. Agent Teams solve a fundamentally different problem, and the distinction matters more than I expected.
- [Secure Vibe Coding is Possible](https://charlesjones.dev/blog/semgrep-ai-assisted-development-security-scanning): AI coding tools generate code faster than ever, but security scanning hasn't kept pace. Learn how to integrate Semgrep into your AI-assisted workflow with automatic preflight checks, the Semgrep MCP server for real-time vulnerability detection, and GitHub Actions for CI enforcement.
- [Why Token-Aware Planning Transforms Claude Code Results](https://charlesjones.dev/blog/claude-code-ai-workflow-plugin-token-aware-planning): Claude Code's creator plans before coding. My ai-workflow plugin systematizes this approach with properly-sized phases that prevent context exhaustion. Learn how token-aware planning turned a multi-day OAuth implementation into minutes of actual coding work.
- [From Git Commits to Azure DevOps Tasks in Seconds: The AI-Powered Workflow Every Developer Needs](https://charlesjones.dev/blog/claude-code-ai-ado-plugin-azure-devops-automation): Discover how AI-powered Azure DevOps integration transforms end-of-day work logging from a 10-minute manual process into a 30-second automated workflow. Learn about the new ai-ado plugin that detects git commits, generates professional work items, and ensures no development detail gets lost.
- [How I Cut Security Audits from 8 Hours to 3 Minutes Using AI](https://charlesjones.dev/blog/claude-code-ai-security-plugin-automated-audits): Discover how AI-powered security auditing transforms manual security reviews from an 8-hour task into a 3-minute automated process. Learn about the new Claude Code plugin ecosystem and my open-source security auditor that provides reproducible OWASP Top 10 compliance reports.
- [Cut LLM Context Usage by Up to 90%: Filter Azure DevOps MCP Tools with a Proxy Server](https://charlesjones.dev/blog/azure-devops-mcp-proxy-filter-context-optimization): The Azure DevOps MCP server exposes 70 tools consuming 55,125 tokens of Claude's context window. Learn how to build a filtering proxy server that reduces this to just the tools you need, reclaiming up to 90% of your context for actual work.
- [Building MCP Tools on Umbraco 13 and N8N AI Chat Workflows](https://charlesjones.dev/blog/mcp-tools-umbraco-13-n8n-ai-workflow): Learn how I built a production-ready AI assistant using Model Context Protocol (MCP) tools integrated with Umbraco 13 CMS and N8N single-agent workflow architecture. A developer-focused guide to connecting AI agents to complex, domain-specific data while maintaining performance, security, and reliability.
- [Master Multi-Agent AI Workflows with n8n's New AI Agent Tool](https://charlesjones.dev/blog/n8n-multi-agent-ai-workflows-guide): Build cost-effective multi-agent AI workflows with n8n's AI Agent tool. Route routine work to a fast-tier model and reserve premium-tier reasoning for synthesis to cut workflow cost by an order of magnitude.

## Security

- [84 Malicious TanStack Versions Hit npm. My Portfolio Pulled Zero.](https://charlesjones.dev/blog/mini-shai-hulud-tanstack-locked-dependencies): On May 11, 2026, the Mini Shai-Hulud worm published 84 malicious versions across 42 TanStack packages in a six-minute window. My portfolio runs on TanStack Start. None of the bad versions ever touched it. Here is why, and what every project running npm should be doing right now.
- [WordPress Was Already a Security Nightmare. AI Agents Are About to Make It Unlivable.](https://charlesjones.dev/blog/wordpress-plugin-backdoor-supply-chain-ai-agents-security): Someone spent six figures on 31 trusted WordPress plugins, planted a PHP deserialization backdoor, and sat on it for eight months before lighting it up in April 2026. That's not a WordPress bug. That's what WordPress is. Here is why the next wave of agentic AI turns every outdated install into a ticking clock, and what to move to instead.
- [Secure Vibe Coding is Possible](https://charlesjones.dev/blog/semgrep-ai-assisted-development-security-scanning): AI coding tools generate code faster than ever, but security scanning hasn't kept pace. Learn how to integrate Semgrep into your AI-assisted workflow with automatic preflight checks, the Semgrep MCP server for real-time vulnerability detection, and GitHub Actions for CI enforcement.
- [How I Cut Security Audits from 8 Hours to 3 Minutes Using AI](https://charlesjones.dev/blog/claude-code-ai-security-plugin-automated-audits): Discover how AI-powered security auditing transforms manual security reviews from an 8-hour task into a 3-minute automated process. Learn about the new Claude Code plugin ecosystem and my open-source security auditor that provides reproducible OWASP Top 10 compliance reports.
- [Stop Supply Chain Attacks: Why Your Build Pipeline Should Use Locked Dependencies](https://charlesjones.dev/blog/npm-supply-chain-attacks-ci-cd-locked-dependencies): A simple switch from npm install to npm ci in your CI/CD pipeline can prevent supply chain attacks by enforcing exact dependency versions. Learn why this matters and how to implement it in your build scripts.
- [OWASP Top 10 Security Priorities for Vue.js Developers](https://charlesjones.dev/blog/owasp-top-10-vuejs-security): Essential security guide for Vue.js developers covering the OWASP Top 10 vulnerabilities with practical examples, Vue 3 Composition API security patterns, and actionable mitigation strategies.
- [OWASP Top 10 Security Priorities for Umbraco 13 Developers](https://charlesjones.dev/blog/owasp-top-10-umbraco-13-security): Essential security guide for Umbraco 13 developers covering the OWASP Top 10 vulnerabilities with practical .NET examples, CMS-specific security patterns, and actionable mitigation strategies.

## Developer Tooling

- [Why I Chose Nuxt Over Next.js for AccessHawk](https://charlesjones.dev/blog/why-i-chose-nuxt-over-nextjs-for-accesshawk): I built AccessHawk with Nuxt instead of Next.js. Vue's reactivity model and auto-imports made me faster, and I didn't have to give up TypeScript or testing to get there.
- [Doppler Fixed My .env Syncing Problem Across Windows and Mac](https://charlesjones.dev/blog/doppler-secrets-management-cross-platform-development): I develop on a Windows desktop during the day and a MacBook in the evening. Keeping .env files in sync across three projects was tedious and error-prone. Doppler stores secrets in the cloud and injects them at runtime, so I stopped thinking about it.
- [Streamlining Email Integration with Resend API in Node.js](https://charlesjones.dev/blog/resend-email-integration-nodejs): Learn how to implement reliable email functionality in your applications using Resend API. Real examples from portfolio and enterprise projects.

## Infrastructure

- [Anthropic Dropped Subscription Support for OpenClaw. OpenRouter Is the Fix.](https://charlesjones.dev/blog/openclaw-openrouter-migration-anthropic-billing-change): Anthropic's April 2026 billing change dropped subscription support for OpenClaw and other third-party harnesses. OpenRouter is the cleanest migration path: same models, automatic failover, and freedom to switch providers without reconfiguring anything.
- [I Built an API So My AI Agent Could Read My RSS Feeds](https://charlesjones.dev/blog/openclaw-rss-ai-agent-infrastructure-monitoring): I follow around 35 RSS feeds for infrastructure security, DevOps, and full-stack engineering. Most of it is noise. I built a JSON API for SereneReader so my OpenClaw agent could check my feeds three times a day and tell me what actually matters.
- [I Built an RSS Reader Because Every Alternative Kept Getting in the Way](https://charlesjones.dev/blog/serenereader-rss-reader-focused-reading-productivity): Most RSS readers have become bloated dashboards full of popups, AI summaries nobody asked for, and upgrade banners that follow you around. I built SereneReader to do one thing well: let you read. Keyboard-first navigation, a focused reading mode that strips away every distraction, and an interface that respects your attention.
- [I Replaced Google Analytics with Umami. I'm Not Going Back.](https://charlesjones.dev/blog/umami-analytics-replace-google-analytics-enterprise): I migrated all my SaaS products and personal sites from Google Analytics to a self-hosted Umami instance on Railway. No cookies, no consent banners, GDPR/CCPA compliant by default, and an API good enough that I built my own real-time multi-site dashboard around it. Here's why enterprise teams should pay attention.
- [Railway Is My Go-To Infrastructure. Here's Why I Recommend It to Enterprise Clients](https://charlesjones.dev/blog/railway-infrastructure-choice-non-serverless-deployments): I run three production projects on Railway, from SaaS platforms with background workers to simple marketing sites. After years on AWS and Azure, Railway cut my go-to-live time from days to minutes. Config-as-code, built-in databases, non-serverless deployments by default, and a platform that ships meaningful features weekly.

## Enterprise CMS

- [Make Sitecore 10.3 → 10.4 Upgrades Easier with Central Package Management](https://charlesjones.dev/blog/sitecore-central-package-management-upgrade): Discover how implementing NuGet Central Package Management transforms Sitecore upgrade processes from painful multi-file update nightmares into simple single-file changes. Learn the complete implementation strategy that streamlines workflows and eliminates version conflicts.
- [Building MCP Tools on Umbraco 13 and N8N AI Chat Workflows](https://charlesjones.dev/blog/mcp-tools-umbraco-13-n8n-ai-workflow): Learn how I built a production-ready AI assistant using Model Context Protocol (MCP) tools integrated with Umbraco 13 CMS and N8N single-agent workflow architecture. A developer-focused guide to connecting AI agents to complex, domain-specific data while maintaining performance, security, and reliability.
- [Fix Safari Goal Tracking Issues in Sitecore with the Beacon API](https://charlesjones.dev/blog/sitecore-beacon-api-goal-tracking): Safari cancels analytics requests during page navigation, breaking Sitecore goal tracking. Learn how the Beacon API ensures reliable conversion tracking across all browsers.
- [OWASP Top 10 Security Priorities for Umbraco 13 Developers](https://charlesjones.dev/blog/owasp-top-10-umbraco-13-security): Essential security guide for Umbraco 13 developers covering the OWASP Top 10 vulnerabilities with practical .NET examples, CMS-specific security patterns, and actionable mitigation strategies.

## Other posts

- [That Accessibility Widget Isn't Protecting You. It's a Lawsuit Waiting to Happen.](https://charlesjones.dev/blog/accessibility-overlays-not-wcag-compliance-legal-risk): Accessibility overlays like AudioEye and accessiBe promise WCAG compliance with a single line of JavaScript. The FTC, the courts, and the disability community all disagree. I dig into why overlays fail, what legal exposure they actually create, and what it takes to build accessibility into your source code.
- [Your Pipeline Has Linting and Security Scans. Why Not Accessibility?](https://charlesjones.dev/blog/accesshawk-api-accessibility-testing-cicd-pipeline): AccessHawk was a paste-a-URL-and-scan tool. The public API now lets you run WCAG audits from your CI/CD pipeline and fail builds before accessibility issues hit production.

## Feeds

- [RSS feed](https://charlesjones.dev/feed.xml): all posts, RSS 2.0.
- [Atom feed](https://charlesjones.dev/atom.xml): all posts, Atom 1.0.
- [Sitemap](https://charlesjones.dev/sitemap.xml): XML sitemap for search engines.

## Optional

- [Full content export](https://charlesjones.dev/llms-full.txt): every post's raw markdown concatenated for bulk LLM retrieval.
