Building Secarto - a mobile art marketplace, end to end, in three months

Overview
Secarto is a mobile-first art marketplace and collection management platform for private collectors, with gallery integration through a B2B2C model. Collectors catalogue and value their art; galleries provide professional valuations, certificates, and insurance integration; the platform handles the documents, the messaging, and the trust layer between them.
It is built as a Progressive Web App that feels native on phones, deployed on Vercel with Postgres on Neon and Vercel Blob for asset storage, with a full role-based admin console for gallery staff and a deliberate, audited security posture.
The whole thing — research, design system, frontend, API, database, gallery onboarding flows, admin console, security audit, and weekly release cadence — was built in roughly three months by one operator working with an AI co-developer.
What had to be built
A platform like Secarto is not a single product. It is several products that have to work together:
A collector experience — cataloguing, valuation, insurance, vault for documents
A gallery experience — branded onboarding, valuation workflow, certificate generation, customer messaging
An admin console — for gallery staff to manage pending work, review users, generate documents
A trust layer — authentication, role-based access, session revocation, email verification
A document and image pipeline — upload, compression, vault storage, PDF generation, certificates
A data model — robust enough that prices, valuations, and percentage changes are right to the penny under all conditions
In a traditional venture-backed build, this is a team of seven to ten engineers, plus design, plus product, for six to nine months before the first paying customer. The same scope was built here by one person in three.
How it was built
Brand and design system, first
The first artifact in the project was a comprehensive brand and design system — colour palette, typography, component library, layout grid, shadow tokens, animation defaults, PWA safe-areas, and accessibility standards. Done before the first feature.
This is the opposite of how most early-stage builds happen, where the design is whatever survives the first month of feature shipping. Doing it first turned out to be one of the highest-leverage decisions in the whole project: every screen built afterwards inherited a coherent visual language and never had to be retrofitted to a brand later.
This is also where AI assistance compresses traditional roles most aggressively. A complete design system built collaboratively by one operator and an AI tool, in days rather than weeks, with consistent quality and explicit accessibility constraints, is something that simply was not possible before.
Architecture as a deliberate decision, not an accident
The architecture was decided before code, and written down. The headline choices:
No Redux. State managed through React Context, deliberately. The cost of a heavyweight state library was not justified by the complexity of the app, and the AI assistance tooling reasons more cleanly about Context than about a custom Redux setup.
Postgres-first, no ORM theatrics. A simple parameterised SQL layer (every query takes bound parameters, so user input never becomes part of the SQL text) over a 7-table schema. The schema was designed end-to-end before the first migration. ORMs were considered and rejected as an unnecessary abstraction for a project at this scale.
Money in integer minor units, always. £2,500 is 250000 pence. No floating-point arithmetic anywhere on prices. Integer storage removes rounding error from sums and comparisons; percentages and rates, which still divide, need one explicitly chosen rounding rule. This is a one-line decision that prevents an entire class of bugs from ever existing.
TDD as non-negotiable. Every feature is written test-first. The project documents the discipline as: "Test behaviour, not implementation. No `any` types or type assertions. Immutable data only." The test pyramid is intentionally inverted — more E2E than unit — because the real risks in a B2B2C platform are at the integration level, not in any individual function.
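As an added illustration of the integer-pence rule above (this is example code written for this page, not code from the Secarto repository, and every name in it is an assumption), the following TypeScript keeps every amount as whole pence, parses and formats without ever calling parseFloat, and computes percentage change and rate application with exact integer division plus an explicit round-half-away-from-zero rule. Percentage changes are held in basis points (1 bp = 0.01%) so they are integers too.

```typescript
// Added example, not Secarto's code. Names (Pence, parsePounds, ...) are assumptions.
type Pence = number; // whole pence; £2,500.00 is 250000

function assertPence(v: number): Pence {
  if (!Number.isSafeInteger(v)) throw new RangeError(`not a whole number of pence: ${v}`);
  return v;
}

// Parse user input such as "£2,500", "2500.5" or "0.07" digit by digit.
// Never goes through parseFloat, so "0.07" cannot become 7.000000000000001 pence.
function parsePounds(input: string): Pence {
  const cleaned = input.replace(/[£,\s]/g, "");
  const m = /^(-)?(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (m === null) throw new Error(`unparseable amount: ${JSON.stringify(input)}`);
  const pounds = Number(m[2]);
  const pence = Number((m[3] ?? "").padEnd(2, "0")); // "5" -> 50, "07" -> 7
  const total = pounds * 100 + pence;
  return assertPence(m[1] === "-" ? -total : total);
}

// Format pence as "£1,234,567.89"; digit grouping done by regex, not by locale.
function formatPounds(p: Pence): string {
  assertPence(p);
  const abs = Math.abs(p);
  const pounds = String((abs - (abs % 100)) / 100).replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  const pence = String(abs % 100).padStart(2, "0");
  return `${p < 0 ? "-" : ""}£${pounds}.${pence}`;
}

// Exact integer division, rounding half away from zero.
// `%` is exact for safe integers, and (num - r) is an exact multiple of den,
// so no floating-point quotient is ever trusted.
function divRoundHalfAway(num: number, den: number): number {
  if (!Number.isSafeInteger(num) || !Number.isSafeInteger(den) || den === 0) {
    throw new RangeError(`cannot divide ${num} by ${den} exactly`);
  }
  const r = num % den; // sign follows num
  const q = (num - r) / den; // exact
  if (2 * Math.abs(r) >= Math.abs(den)) {
    return Math.sign(num) * Math.sign(den) < 0 ? q - 1 : q + 1;
  }
  return q;
}

// Percentage change from `from` to `to` in basis points (1 bp = 0.01%).
// Returns null when `from` is zero, where the change is undefined.
function changeBasisPoints(from: Pence, to: Pence): number | null {
  assertPence(from);
  assertPence(to);
  if (from === 0) return null;
  return divRoundHalfAway((to - from) * 10000, from);
}

// Apply a rate given in basis points, e.g. a 1.25% insurance premium is 125 bp.
function applyBasisPoints(amount: Pence, bp: number): Pence {
  assertPence(amount);
  if (!Number.isSafeInteger(bp)) throw new RangeError(`rate must be whole basis points: ${bp}`);
  return divRoundHalfAway(amount * bp, 10000);
}

// Format basis points as a signed percentage string, e.g. 500 -> "+5.00%".
function formatBasisPoints(bp: number): string {
  const abs = Math.abs(bp);
  const sign = bp > 0 ? "+" : bp < 0 ? "-" : "";
  return `${sign}${(abs - (abs % 100)) / 100}.${String(abs % 100).padStart(2, "0")}%`;
}

// Collection total: a plain integer sum, checked to stay a safe integer.
function totalValuation(items: Pence[]): Pence {
  return items.reduce((sum, v) => assertPence(sum + assertPence(v)), 0);
}

// Constructed sample: a piece bought for £2,500 and revalued at £2,625.
const bought = parsePounds("£2,500");
const revalued = parsePounds("2625");
console.log(formatPounds(bought), "->", formatPounds(revalued),
  formatBasisPoints(changeBasisPoints(bought, revalued) ?? 0),
  "premium at 125 bp:", formatPounds(applyBasisPoints(revalued, 125)));
```

The rounding helper is where the "right to the penny" guarantee actually lives: a reviewer can read one function and know what every percentage on the platform does at a half-penny, which is not something you can say about `Math.round(a * 1.0125)`.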
These are the kinds of decisions that, made well, make a small team feel like a large one. Made badly, they make a large team feel like nothing is moving.
The security audit happened early, not late
Six weeks in, before the platform had paying users, a structured security audit was run against the OWASP Top 10. Twenty-three findings were identified; twenty-two were fixed. The remaining one was logged with a mitigation and a deadline.
The audit produced specific, durable improvements: token-version-based session revocation (a per-user version number stored server-side and embedded in every issued token, so incrementing it invalidates all of that user's outstanding sessions at once), hard-enforced email verification, a secured E2E reset endpoint, dependency vulnerability reduction (17 → 9), and a documented credential rotation. None of this is glamorous, and little of it gets done at a venture-funded startup at the same stage, because the team is too busy shipping features.
The logic of doing it early is straightforward: the cost of fixing a security issue scales roughly with the time since it was introduced, and the reputational cost of a breach scales with the number of users at the time. Catching twenty-two issues at six weeks costs days. Catching them at six months with paying users costs weeks and trust.
Weekly releases, properly notified
By week six there were release notes. Real ones — not changelog dumps. A sample week shipped: redesigned About Piece page, supplementary images (5 per artwork), authentication certificates, vault download proxy, password reset, password hints, onboarding welcome sheets, offline resilience, iOS/Safari fixes, branded signup links, hard-enforced email verification, admin dashboard enhancements (pending valuations, user reviews), user suspension, PDF certificate generation.
That is the output of a small team for a quarter. It was a week.
The B2B2C onboarding flow
The most product-strategy-rich piece of work in the project was the gallery onboarding model. Collectors discover Secarto through gallery chains they already trust. Each gallery chain has branches; each branch has staff with admin permissions; each customer signs up via a branded URL or QR code that pre-associates them with the right gallery.
This is a proper B2B2C structure with all the operational complexity that entails — chain/branch hierarchy, role-based admin, branded signup links, gallery-specific onboarding flows. It was designed, built and shipped as a normal feature over a few weeks, alongside everything else.
What this case study is actually about
Secarto works. It has a coherent brand, a tested codebase, a security posture better than most venture-funded products at the same stage, and a clear path to revenue through gallery partnerships.
It was also built by one person in three months. Not because that person is extraordinary. Because the work that used to require a team of ten is now within reach of one operator with the right combination of skills, taste, and AI co-development discipline.
The traditional disciplines that were collapsed into a single role on this project:
Product strategy and design · Brand and design system creation · Frontend development (React/TypeScript) · API development (Node/TypeScript) · Database design and migration management · Infrastructure (Vercel, Neon, Blob storage) · Authentication and security · E2E test infrastructure · Admin tooling · Release management and changelog discipline · Documentation
Each of those is normally a person. Often more than one. AI assistance compresses each of them, and the compression compounds when one operator is responsible for the whole.
What this means commercially
The implications for company building are not subtle.
The cost of getting a B2B2C platform from zero to a real product — coherent brand, robust architecture, security audit complete, weekly release cadence, paying customers reachable — used to be roughly £500k to £1m of seed capital and six to nine months. The Secarto build collapses that to one operator's time and a much smaller burn.
This is not "AI helps developers ship faster." It is a structural change in the cost base of company creation in software. For investors, the implication is that the early-stage capital model assumes a team size that is no longer required for many product categories. For operators, the implication is that the strategic value of being the single expert with judgement on a build has gone up dramatically — the work that used to require a team can now be done by one person, but only if that person has the taste to know what good looks like and the discipline to apply it consistently.
That combination — single expert plus AI — is the new unit of company creation in software. Magilium increasingly advises clients on what this means for their capital allocation, hiring plans, and competitive position.
Secarto is an example of it. It will not be the last.