Field Notes
Plain answers to the questions clients actually ask — on the craft of building websites, working with AI, security, and how to choose well. Notes from the bench, not a brochure.
- 01 The practice 01–04
- 02 How a website is built 05–08
- 03 The AI era: what to fear, and what not to 09–14
- 04 Mistakes: vibe coders and AI agents 15–19
- 05 Security and accountability 20–24
- 06 AI, content and ownership 25–28
- 07 Plain-language explainers 29–32
- 08 Being found by AI and search 33–38
- 09 The agentic web: when AI acts, not just reads 39–44
- 10 Preparing your business for the AI era 45–52
- 11 Privacy, performance and access 53–56
- 12 After launch, and keeping fresh 57–60
- 13 Choosing a studio in the AI era 61–68
01 What is a “practice of one”?
A practice of one is a studio where the same person who plans your website also builds it — no account managers, no hand-off to junior staff. Goliathus takes on six engagements a year so each one receives undivided attention. It is the opposite of the agency model, where the people who sell the work are rarely the people who do it.
02 Why take on only six projects a year?
Six is the number of website engagements one craftsman can give full attention to in a year without diluting the work. Capacity is published openly and updated weekly. The scarcity is not a sales tactic — it is the direct consequence of building by hand.
03 Is fixed-price or hourly billing better for a website project?
Fixed price is better for most website projects because it aligns the studio with the outcome rather than the clock. Goliathus quotes a fixed price per Statement of Work, so the cost is known before work begins and you are never billed for thinking time. Hourly billing quietly rewards slowness; fixed price rewards judgment.
04 If AI can write code, why pay for a craftsman?
Because writing code was never the hard part — deciding what to build, and judging whether it is right, is. AI can produce code quickly, but it has no stake in your business and no accountability for the result. You are paying a craftsman for judgment, ownership, and a single name that answers for the work — the things software cannot supply.
05 What are the stages of building a bespoke website?
Goliathus builds in five named phases — Foundation, Connections, Floors, Cladding and Cabin — each with two rounds of revision. Foundation sets structure and the content model; Connections wires data and integrations; Floors and Cladding build and dress the pages; Cabin is the final fit-out before handoff. Naming the phases makes progress legible to the client.
06 Who owns the code when the website is finished?
The client owns all custom code written for their project once final payment is made and the Handoff Certificate is signed. The reusable tools, libraries and methods the studio uses across projects remain the studio’s. In plain terms: you own your site completely after handoff.
07 How long does a bespoke website take to build?
A typical Goliathus engagement runs eight to ten weeks, depending on scope and how quickly the client supplies content and approvals. The timeline is fixed in the Statement of Work and only shifts if the client’s inputs are late. Fewer, well-sequenced phases beat an open-ended schedule.
08 Should my website be custom-built or use a template like WordPress?
Use a template when your needs are common and budget is the priority; commission custom work when the website is central to how the business is found and judged. Templates are faster and cheaper up front but tie you to someone else’s decisions and plugins. Goliathus builds custom because a site that carries the brand should not be a lightly recoloured copy of ten thousand others.
| Aspect | Template / AI builder | Bespoke (Goliathus) |
|---|---|---|
| Time to launch | Hours to days | Weeks, considered |
| Cost up front | Low | Higher, fixed per SOW |
| Distinctiveness | Shared with thousands | One of a kind |
| Ownership | Limited to the platform | You own the code |
| Maintenance | Platform-dependent | Documented, portable |
| Best for | Simple, common needs | Sites central to the business |
09 Will AI replace web designers and agencies?
AI will replace the parts of the job that were always mechanical — boilerplate, first drafts, repetitive markup — not the judgment that makes a site worth building. The studios that vanish will be the ones that only ever did the mechanical parts. A practice built on taste, accountability and care becomes more valuable as generated mediocrity becomes free.
10 Should I build my business website with an AI website builder?
For a quick personal page or a test, yes; for the website your business depends on, be careful. AI builders are excellent at producing something that looks finished in an hour, and poor at the unglamorous parts — security, performance, accessibility, maintainability — that decide whether it survives contact with real customers. The danger is mistaking “looks done” for “is done.”
11 What is “vibe coding” and what are its risks?
Vibe coding is building software by prompting an AI and accepting what it produces without fully understanding it. It is wonderful for prototypes and genuinely risky for production, because no one on the project can explain how the system works or fix it confidently when it breaks. The code runs until it doesn’t — and then there is no one who actually understands it.
12 Is AI-generated code safe to put into production?
Only once a competent human has read, understood and tested it. AI routinely produces code that looks correct and is subtly wrong — leaking data, mishandling edge cases, or pulling in insecure dependencies. The code is a draft; safety comes from the person who reviews and owns it, not from the model that wrote it.
13 A competitor built a site in a weekend with AI — am I behind?
Almost certainly not. A weekend AI site is easy to produce and easy to tell apart from considered work — customers feel the difference even when they cannot name it. Speed is only an advantage if the thing built is right; a fast site that erodes trust is a liability, not a head start.
14 What should I actually worry about with AI — and what is overblown?
Worry about the boring, real things: security holes, sites no one can maintain, generic work that blends in, and data handled carelessly. Do not lose sleep over science-fiction fears like AI “stealing your idea” or replacing human judgment wholesale. The genuine risks are mundane and manageable; the dramatic ones are mostly noise.
15 What do vibe coders most often get wrong?
They ship what they cannot explain. The common failures are missing security basics, no plan for maintenance, copy-pasted dependencies no one vetted, and an inability to debug the system when it misbehaves. It works in the demo and falls over in the real world, where there are no retries.
16 What mistakes do AI coding agents commonly make?
AI agents confidently produce plausible-but-wrong code, invent functions and libraries that do not exist, ignore edge cases, and quietly introduce security and performance problems. They optimise for an answer that looks complete, not one that is correct. Used well they are a fast apprentice; left unsupervised they are a liability — the value is entirely in the human reviewing the output.
17 Why do so many AI-built sites look the same?
Because they are drawn from the same training data and the same default prompts, so they converge on the same layouts, fonts and phrases. The result is competent and forgettable — a look the eye now recognises as “made by a machine.” Distinctiveness comes from deliberate choices a model will not make for you.
18 Why did my cheap or AI-built website break after a few months?
Usually because no one was responsible for it after launch. Dependencies age, integrations change, security patches go unapplied, and a site no one understands has no one to maintain it. Cheap up front often means expensive later — the bill simply arrives as downtime instead of an invoice.
19 What is technical debt, and why should a non-technical founder care?
Technical debt is the future cost of shortcuts taken today — rushed or messy work that makes every later change slower and riskier. You care because it shows up as a site that becomes harder to improve, easier to break, and eventually cheaper to rebuild than to repair. Careful building is simply paying down that debt before it accrues.
20 Who is responsible when AI writes the code?
The person who directs it — never the tool. AI can hold the pen, but a named human must make the decisions and answer for the result. At Goliathus one craftsman directs every line and signs off on what ships; the software extends the hands, it does not carry the responsibility.
21 Is an AI-built website secure?
Not by default. Security is a discipline of judgment — deciding what to expose, what to lock down, how data flows — and that judgment belongs to a person, not a prompt. AI can help implement security once a human has decided what “secure” means here; on its own it will cheerfully build a fast door with no lock.
22 How do you keep a website secure?
Through deliberate, human-led practice: least-privilege access, encryption in transit and at rest, vetted dependencies, secrets kept out of the code, regular updates, and a plan for when something goes wrong. None of this is exotic, and none of it is automatic — it is the founder directing the hands. Security is a posture maintained, not a feature installed.
23 Can I trust software to handle my customers’ data?
You can trust the system only as far as the person who designed it understands it. Data should be collected sparingly, stored where you know its jurisdiction, shared only with named processors under contract, and deletable on request. The safeguard is not the software — it is a human who decided, on purpose, how your customers’ data is treated.
24 What is the most common security mistake on small-business websites?
Treating security as something that comes in the box. The frequent failures are reused passwords with no two-factor on the accounts that matter, plugins and dependencies left un-updated, and sensitive keys pasted into code. They are failures of attention, not technology — which is exactly why a responsible owner matters more than any tool.
25 Will Google penalise my website for using AI-generated content?
No — Google rewards helpful, reliable content regardless of how it was produced, and penalises unhelpful content whether a human or a machine wrote it. The rule has not changed: write for people and show real experience. What gets penalised is thin, generic content made to game search — which AI simply makes easier to mass-produce.
26 Who owns content or code that AI helped create?
You own what you commission and pay for, but the copyright status of purely AI-generated material is still unsettled in law. Human creative direction is what makes a work cleanly ownable. Goliathus treats every deliverable as human-authored and directed, so the rights that pass to you are clear.
27 Can I copyright a logo or text that an AI made?
It is legally uncertain, not a simple yes. Many jurisdictions deny copyright to works with no human author; the UK is unusual in having a provision for computer-generated works, but how it applies to modern generative AI is unsettled and under government review. The safe path is meaningful human authorship — which is what makes a work clearly ownable and defensible.
28 Do I need a blog to be visible to AI?
Not a blog for its own sake, but you do need substance worth citing. A few genuinely useful, well-structured pages on what you know earn more AI citations than a stream of thin posts. Depth beats volume — one authoritative page outperforms ten shallow ones.
29 What is a “cognitive system” website?
A cognitive system, in how Goliathus uses the term, is a website built to do a little thinking — to adapt, guide and respond rather than sit there as a static brochure. In practice that means considered structure, useful interactivity, and being legible to both people and machines. It is a way of saying the site should do work, not merely exist.
30 What is structured data, or schema, in plain terms?
Structured data (also called schema) is a hidden, machine-readable summary of a page that tells search engines and AI exactly what it is — who you are, what you sell, where you are. It does not change what visitors see; it changes how confidently machines understand and cite you. Think of it as a label on the box, written for robots.
31 What is a “headless” website?
A headless website separates the content from the design, so the same content can be published anywhere and the design can change without disturbing the words. It is more flexible and future-proof than a traditional all-in-one system, at the cost of more setup. Whether you need it depends on how widely your content has to travel.
32 What is the difference between a website and a web app?
A website mainly presents information; a web app lets people do things — log in, transact, manage something. Most businesses need an excellent website first, and an app only when there is a genuine task to perform. Building an app for something a website handles well is a common and expensive mistake.
33 Should a website allow or block AI crawlers?
Most sites should allow AI search-and-citation crawlers and decide separately about training crawlers, because the two are now different bots. Blocking a citation crawler such as OAI-SearchBot or PerplexityBot removes you from AI answers entirely; blocking a training crawler such as GPTBot only opts you out of model training. Goliathus configures robots.txt to keep clients visible in AI assistants by default.
34 What is llms.txt and does my website need one?
llms.txt is a short markdown file at the root of a site that gives AI models a curated, plain-text map of your most important pages and facts. It does not replace a sitemap or structured data — it complements them by reducing the effort a model spends understanding you. It is a low-cost addition that improves how clearly AI systems can read your site.
35 What is the difference between SEO and AEO or GEO?
SEO optimises for ranking in a list of links; AEO (Answer Engine Optimisation) and GEO (Generative Engine Optimisation) optimise for being quoted inside an AI-generated answer. The mechanics overlap — clean structure, fast pages, accurate facts — but AEO leans harder on structured data, answer-first writing and machine-readable summaries. A modern site needs both.
36 How do you get a website cited by ChatGPT or Perplexity?
To be cited, a site must be crawlable by the citation bots, carry accurate structured data (JSON-LD), and state its facts plainly in answer-first prose. AI models recall structured data as a source of truth, so who you are, what you offer and how to reach you should be explicit in the markup. Consistency between visible content and structured data is what earns confident citations.
37 Do I still need SEO if AI is taking over search?
Yes — more than ever, because AI answers are assembled from the same well-structured, trustworthy pages that classic SEO rewards. The work converges: clean structure, fast pages, accurate facts and clear authority serve Google and AI alike. SEO did not die; it grew a second audience made of machines.
38 How do I know if AI is sending me traffic or citing me?
Look in two places: referrals in your analytics from AI assistants, and the answers themselves — ask the assistants the questions your customers would and see whether you are cited. AI referral traffic is still small for most businesses but growing, and it tends to convert well because the visitor arrives already informed. Measure it on purpose, because it will not appear in an old SEO dashboard.
| Type | Examples | What it does | Block it to… |
|---|---|---|---|
| Training | GPTBot, ClaudeBot, Google-Extended | Collects data to train models | Opt out of AI training |
| Citation / search | OAI-SearchBot, PerplexityBot, Claude-SearchBot | Fetches pages to cite in answers | — don’t: it keeps you visible |
| User-triggered | ChatGPT-User, Perplexity-User | Fetches when a user asks | — don’t: it serves your visitors |
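The crawler policy from question 33 and the table above, turned into a check that can be run against a site's robots.txt. This is an added example, not Goliathus's own tooling; the sample robots.txt, the `example.com` probe URL and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.robotparser import RobotFileParser

# Crawler tokens exactly as listed in the table above, grouped by purpose.
CRAWLERS = {
    "training": ["GPTBot", "ClaudeBot", "Google-Extended"],
    "citation": ["OAI-SearchBot", "PerplexityBot", "Claude-SearchBot"],
    "user-triggered": ["ChatGPT-User", "Perplexity-User"],
}

# Categories where, per the table's last column, a block costs visibility.
KEEP_VISIBLE = {"citation", "user-triggered"}

# Constructed sample: opts out of training on purpose, but a leftover
# rule also blocks one citation crawler.
SAMPLE_ROBOTS = """\
User-agent: GPTBot
User-agent: ClaudeBot
User-agent: Google-Extended
Disallow: /

User-agent: PerplexityBot
Disallow: /

User-agent: *
Allow: /
"""


@dataclass
class Finding:
    bot: str
    category: str
    allowed: bool
    verdict: str


def audit(robots_txt, probe_url="https://example.com/"):
    """Evaluate every listed crawler against robots_txt for probe_url (an assumed page)."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    findings = []
    for category, bots in CRAWLERS.items():
        for bot in bots:
            allowed = parser.can_fetch(bot, probe_url)
            if allowed:
                verdict = "crawlable"
            elif category in KEEP_VISIBLE:
                verdict = "PROBLEM: blocked, costs visibility in AI answers"
            else:
                verdict = "opted out of model training"
            findings.append(Finding(bot, category, allowed, verdict))
    return findings


def visibility_problems(robots_txt):
    """Citation and user-triggered crawlers that the file blocks."""
    return [f.bot for f in audit(robots_txt)
            if not f.allowed and f.category in KEEP_VISIBLE]


def training_opt_outs(robots_txt):
    """Training crawlers that the file blocks (a deliberate choice, not an error)."""
    return [f.bot for f in audit(robots_txt)
            if not f.allowed and f.category == "training"]


if __name__ == "__main__":
    for f in audit(SAMPLE_ROBOTS):
        print(f"{f.bot:18} {f.category:15} {f.verdict}")
```

robots.txt is a request that well-behaved crawlers honour, not an access control: anything that must stay private needs authentication, not a `Disallow` line.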
39 What is the “agentic web”?
The agentic web is the emerging layer where AI agents do not just read websites but act on them — browsing, comparing, booking and buying on a person’s behalf. It runs in parallel with the human web rather than replacing it. The practical question for a business is no longer only “can people find my site?” but “can an agent use it?”
40 Will AI agents book or buy from my website on a customer’s behalf?
Increasingly, yes — AI assistants are beginning to complete tasks like research, booking and purchase for their users. Today it is early and uneven, but the direction is clear, and high-intent traffic is the first to move. The businesses that prepare now are the ones agents will choose later.
41 What does it mean for a website to be “agent-ready”?
A site is agent-ready when an AI agent can understand and use it without a person clicking through — its content, prices and actions are exposed in clean, machine-readable form rather than buried in heavy JavaScript. In practice that means server-rendered pages, semantic structure, accurate structured data, and a simple, legible flow. A site that looks great to a person can still be useless to an agent.
42 What is MCP (Model Context Protocol), and does my business need one yet?
MCP is an open standard, introduced by Anthropic, that lets AI agents discover and call tools a system exposes — for example to search a catalogue or check availability. Most small businesses do not need their own MCP server yet; the higher-leverage work today is making the ordinary website clean, fast and machine-readable. Build the foundations now and add agent endpoints when there is real agent traffic to serve.
43 Why do AI agents struggle with sites built entirely in JavaScript?
Because many agents do not fully render JavaScript the way a browser does — they read the page’s underlying HTML. A site that assembles itself in the browser can look empty or broken to an agent, and to some search crawlers too. Server-rendered, semantic HTML is the safer foundation for being read by machines and people alike.
44 How do I prepare my business for the agentic web without overspending?
Do the boring, durable things first — they serve people, search and agents at once. Clean structured data, fast server-rendered pages, accessible markup, a clear llms.txt and simple flows cover most of the value. The exotic protocols can wait until there is measurable agent demand; readiness is mostly good engineering done early.
45 Should I design for people first, or format my content for AI first?
Do both, in the right order: get clear, well-structured content right first, then design it beautifully for people. Machines read structure and facts, not visual polish, so a page that is legible to an AI is usually clearer to a human too. Format-first does not mean ugly — it means the meaning is solid before the styling, so both audiences are served by the same work.
46 Should I build my website for humans or for AI agents?
For both, because they now arrive at the same front door. The public, money-making surface — your storefront and key pages — must be beautiful for people and machine-legible for agents at once. Treating them as a conflict is a false choice; clean structure, fast pages and honest content satisfy a customer and an agent in the same stroke.
47 How should I split effort between my public storefront and my internal tools?
Optimise your public storefront for visibility, trust and machine-readability, and optimise your internal tools for the speed and clarity of the person using them. The storefront earns the revenue and must be found, understood and cited; a dashboard or admin panel exists to make an operator’s judgment faster. Different audiences, different goals — design each for the job it actually does, not to one universal standard.
48 Should I “format-first” for the agentic web?
Format-first for the surfaces machines consume, and design-first for the moments humans feel. Product data, prices, policies and facts should be exposed as clean structure an agent can lift; the hero, the story and the craft are where human design earns its keep. The skill is keeping the two coherent, so a person and an agent come away with the same truth.
49 Will AI agents replace my employees, and what should I do with my team?
Probably not wholesale, but roles are being restructured around judgment rather than volume. The emerging pattern is small teams where each person owns an outcome and directs AI for the repetitive parts — keep people for relationships, taste and accountability, and let software handle scale. Reorganise deliberately around who is responsible for what, rather than letting AI quietly absorb tasks no one is watching.
50 Is AI actually cheaper than hiring people?
Not automatically — and the bill can surprise you. Even the largest technology companies have found that usage-based AI costs climb as the tools become more useful, in at least one well-publicised case forcing a pull-back after budgets were exhausted. To replace a person, AI has to deliver equal or better work for genuinely less money, and for many jobs that sum does not yet add up. Treat AI as a cost to be measured, not a free win.
51 With AI in the picture, what is hype and what is the real path?
The hype is “fire everyone, the machine does it all”; the path is “keep judgment human, automate the volume, and measure the result.” The durable winners pair a responsible person with AI leverage, watch the real costs, and redesign workflows on purpose. Anything that promises to remove humans from accountability is noise; anything that makes good judgment go further is signal.
52 Should I rebuild my website for AI now, or wait?
Do not rebuild for hype, but do not let your site rot either. The work that pays off is durable whichever protocol wins — clean structure, fast server-rendered pages, accurate facts, accessibility and a clear llms.txt. Do that now, and treat the exotic, still-settling standards as things to watch rather than chase.
53 Does my website need a cookie banner?
A website needs a cookie banner only if it sets non-essential cookies, such as advertising or third-party tracking. A site that uses privacy-first, cookieless analytics has nothing to consent to under PECR and needs no banner. Goliathus builds cookieless by default, so the question usually disappears.
54 What is privacy-first analytics?
Privacy-first analytics measures traffic without cookies or personal data, recording aggregate, country-level visits rather than identifying individuals. Goliathus uses Plausible, hosted in the EU, which means no cookie banner and no personal data leaving the site. You still learn what is working; visitors keep their privacy.
55 Why do Core Web Vitals and performance matter?
Fast pages rank better, convert better, and are crawled more thoroughly by both search engines and AI agents. Core Web Vitals measure loading, interactivity and visual stability — the felt experience of a page. A beautiful site that loads slowly fails the only test that matters: whether a real person stays.
56 What makes a website accessible?
An accessible website can be used by everyone, including people who rely on a screen reader or keyboard. The working standard is WCAG 2.2 level AA: sufficient colour contrast, semantic structure, a visible focus indicator and content that reflows when zoomed. In the UK, accessibility is also a duty under the Equality Act 2010.
57 What happens after my website launches?
A good launch is a handover, not a goodbye — you receive the code, the accounts and documentation, and the site is yours to run or to have maintained. Websites need occasional care: updates, backups and the odd fix as the web changes around them. Plan for maintenance from the start, not as an afterthought.
58 What does handoff include?
Handoff is the moment the work becomes fully yours. A proper handover includes:
- The complete source code, transferred to you
- Every account and credential, in your name
- Documentation a new developer can follow
- A signed Handoff Certificate marking completion
- Ownership of the custom code passing to you on final payment
59 How do I keep my website fresh for search and AI?
Keep your facts current, add genuinely useful pages over time, and update a page when its content changes. Freshness is a trust signal for both search engines and AI retrieval. Small, real updates beat large, cosmetic rewrites.
60 Are AI chatbots on my website a good idea?
Sometimes — a chatbot earns its place only when it answers real questions faster than a clear page would. Bolted onto a confusing site, it becomes a tax on the visitor and a source of confident wrong answers. Fix the content first; add a bot only where it genuinely removes friction.
61 How do I choose someone to build my website now?
Look for judgment and accountability, not just a portfolio of pretty screens. Ask who actually does the work, who you will speak to, what happens after launch, and whether you will own and be able to move what you pay for. In an era when anyone can generate a passable mock-up, the differentiator is whether a real person stands behind the result.
62 What questions should I ask before hiring a web studio?
Ask the questions whose answers reveal accountability and ownership. The ones that matter most:
- Who actually writes the code, and will I own it outright?
- Who will I speak to — and is it the person doing the work?
- How do you handle security and my customers’ data?
- What happens if you become unavailable mid-project?
- Can another developer take this over later without a rebuild?
63 What are the warning signs of a bad web build?
The clearest warning sign is that no one can plainly explain how your site works. Others to watch for:
- You don’t own the code, or can’t get a copy
- Everything lives in accounts you can’t access
- No plan for maintenance after launch
- Lock-in — you can’t move the site without rebuilding it
- Vague “we’ll handle it” answers instead of specifics
64 What should I ask an AI website builder or freelancer before paying?
Ask who is accountable, what you will own, how it is kept secure, and what happens when it breaks. If the honest answer is “the AI did it,” there is no one to call when something goes wrong. The presence of a responsible human is the thing you are actually buying.
65 Do I need to understand code to own my website?
No — you need to own it, hold the accounts, and have it built on standard foundations any competent developer can read. Ownership is about control and portability, not personal technical knowledge. A good studio hands you something legible to the next person, not a black box.
66 What happens to my site if the studio disappears?
With good practice, nothing catastrophic — you own the code, hold the accounts, and any competent developer can pick it up. Goliathus writes a successor protocol into its terms and hands over a documented, standard codebase, precisely so the work outlives the studio. Dependence on one irreplaceable person is itself a risk to design out.
67 Will I be locked in to one provider?
You should refuse anyone who locks you in. At Goliathus you own your custom code on final payment, the site is built on standard, portable foundations, and the accounts are yours. A studio should earn the next project by being good, not by holding your website hostage.
68 How much should a bespoke website cost?
A bespoke site is priced per project, not per hour, against the value it carries — a shopfront that wins customers is a different brief from a single brochure page. Goliathus fixes the price in a Statement of Work before any work begins, so there are no surprises. Beware the cheapest quote: with websites, the lowest number up front is often the highest cost over the life of the site.
These notes are grounded in real engagements built by hand since 2014. Have a question that isn’t here? Write to [email protected] — if it’s a good one, it earns a place on this page.