Code & Capital × RubberDuck AI Code Audit Challenge
What Did Your AI Agent Miss?
Participant Brief
A 60-minute challenge to test whether your AI agent actually understands your real codebase.
Required: UC-01 Understand Your Code + UC-02 Codebase Audit
Submit: transcript, findings writeup, codebase description, 60-second video
Prize: 4-hour working session with Marco Marinucci or Jordan Greene, General Partners at Essentia Ventures
Agents generate code. RubberDuck makes it shippable.
At a glance
- Time required: 45-60 minutes
- Required baseline: UC-01 Understand Your Code + UC-02 Codebase Audit / Security Audit
- Optional add-ons: Bug Localization, Code Review, Change Impact, Plan Features
- Submit: transcript, findings writeup, codebase description, 60-second video
- Prize: 4-hour working session with Marco Marinucci or Jordan Greene, General Partners at Essentia Ventures
- Support: RubberDuck Slack
The challenge
Your AI coding agent can generate code fast.
The harder question is whether it actually understands your codebase.
Most AI coding tools are good at producing plausible code. The failure mode is subtler: the agent misses hidden dependencies, invents APIs, ignores blast radius, stops at the first plausible bug cause, or suggests changes that look right locally but are risky in the real system.
That is what this audit is designed to test.
Code & Capital and RubberDuck are running a two-week AI Code Audit study to answer one question:
What does RubberDuck find in real founder and operator codebases that regular AI coding agents miss, cannot prove, or cannot ground as well?
This is not a survey. It is a live test on your own codebase.
If RubberDuck finds something meaningful, you get useful signal on your project. If it finds nothing, that is also useful: you now have a stronger reason to trust the current state of that part of your codebase.
Why this is worth doing
AI has made implementation cheaper. Verification has not gotten cheap at the same rate.
The bottleneck is no longer just "can I get an AI agent to write code?" The bottleneck is:
- Can I trust what it wrote?
- Can I understand what it touched?
- Can I see hidden downstream impact?
- Can I prove whether a risky path is reachable?
- Can I tell whether the suggested fix is minimal or overbroad?
- Can I ship faster without accumulating invisible review debt?
RubberDuck is built for that gap.
It gives your AI agent semantic intelligence over your actual codebase: call chains, data flows, dependencies, definitions, security paths, and change impact. Instead of asking your agent to guess from whatever context fits in the prompt window, you give it a tool layer that can inspect the codebase directly.
The practical test
You will install RubberDuck, connect it to a codebase you are authorized to use, and run the required baseline:
1. UC-01: Understand Your Code
2. UC-02: Codebase Audit / Security Audit
Optional add-ons if relevant:
- UC-03: Bug Localization
- UC-04: Code Review
- UC-05: Change Impact
- UC-06: Plan Features
A strong submission shows something specific:
"RubberDuck surfaced this issue, in this part of the codebase, using this evidence, and my normal AI agent either missed it, would likely have missed it, or could not prove it with the same confidence."
Good codebases to use
Use a codebase you know and are authorized to analyze.
Good options:
- Hackathon project
- Startup product codebase
- Side project
- Internal tool
- Open source repository
- Production codebase you are allowed to use
Python, TypeScript, and JavaScript are preferred.
You do not need to submit source code. Do not submit secrets, credentials, customer data, private source code, or anything you are not authorized to share.
What you get out of it
At minimum, you get a structured audit pass on your own codebase.
The best submissions may also be featured in a Code & Capital x RubberDuck recap or research note on what AI agents miss in real codebases.
Prize
One winner will receive a 4-hour working session with Marco Marinucci or Jordan Greene, General Partners at Essentia Ventures.
This is the continuation of the original Code & Capital / Essentia raffle concept: time with experienced deep tech investors to go deep on what you are building.
You can use the session for whatever is most valuable to you:
- Product and technical strategy
- Architecture and codebase review
- AI workflow and engineering roadmap
- Startup narrative and positioning
- Fundraising readiness
- Market, customer, and GTM feedback
- Hard questions about whether the thing you are building is venture-scale
Time required
Plan for 45-60 minutes total:
- 5-10 minutes: setup
- 20-30 minutes: run the audit
- 10-15 minutes: write the submission
- 5 minutes: record the video
RubberDuck is free to try during the challenge window. If you are serious about AI-assisted development, use this window to test it on a repo that actually matters.
Want to stand out?
Make one concrete, quotable finding easy to understand:
- What RubberDuck found
- Where it appeared in the codebase
- Why it mattered
- What your regular AI agent missed or could not prove
- What evidence RubberDuck used
Generic praise will not be competitive. Specific findings with evidence will be.
Step 1: Install RubberDuck
1. Go to https://rubberduck.com
2. Click Get install token or Install now.
3. Create an account.
4. Open the Setup Wizard.
5. Choose your IDE: Cursor, Claude Code, or Codex.
6. Choose Set up with a prompt.
7. Copy the setup prompt.
8. Paste it into your IDE's AI chat.
9. Restart your IDE.
10. Run the health check from the wizard.
11. Connect your codebase through GitHub or local code.
12. Wait for indexing to finish.
If setup fails, join the support Slack:
Step 2: Run UC-01, Understand Your Code
Open your AI coding environment with RubberDuck installed.
Run UC-01 from:
You are testing whether your agent can produce a real map of your codebase using RubberDuck's tools: major components, entry points, call chains, data flows, dependencies, and important structures.
Important: watch the tool calls. You should see rubberduck-* calls in your IDE. If you do not, tell your agent:
"Use RubberDuck's semantic intelligence and codebase intelligence tools. Do not answer from general knowledge or ordinary file reading."
Step 3: Run UC-02, Codebase Audit / Security Audit
Run UC-02 from:
Look for findings that would matter in the real world:
- Hidden downstream consumers
- Risky data flows
- Security concerns
- Dead or duplicated logic
- Fragile abstractions
- Missing validation
- Broken assumptions
- Surprising call paths
- Refactor or change-impact risk
- Anything your regular AI agent missed or could not prove
Step 4: Optional add-ons
Run one or more optional use cases if they fit your situation:
- UC-03 Bug Localization if you are chasing a known bug.
- UC-04 Code Review if you have a recent pull request or change.
- UC-05 Change Impact if you are planning a refactor, migration, or upgrade.
- UC-06 Plan Features if you are scoping a new feature.
Optional use cases are not required, but they often produce the strongest findings.
Step 5: Submit the audit
Submit here:
You will submit four main things:
1. A 1-2 sentence description of what your codebase does.
2. Relevant IDE chat transcript excerpts or a private share link to the full transcript.
3. A one-page findings writeup.
4. A 60-second video link.
Your findings writeup should answer:
- What did RubberDuck surface?
- Where did it appear in the codebase?
- What evidence did RubberDuck use?
- What did your regular AI agent miss, likely miss, or fail to prove?
- Why does the finding matter?
- What would you do next?
- Which rubberduck-* tools did you see invoked?
Step 6: Record the 60-second video
Paste a Loom, YouTube unlisted, Google Drive, or similar link into the form.
Make sure view access is enabled.
Your video should be about 60 seconds and cover, in order:
1. Name, role, company or project.
2. What you are building and which AI agent you use day to day.
3. What you ran: UC-01, UC-02, and any optional use cases.
4. What RubberDuck found that your regular AI agent missed, would likely have missed, or could not prove as well.
Make it specific. "RubberDuck found a bug" is weak. "RubberDuck traced user-controlled input from this route to this sink and showed the missing validation path" is strong.
What makes a winning submission
The strongest submissions usually have:
- A real codebase, not a toy example.
- A concrete finding, not generic praise.
- Evidence from the transcript.
- Clear contrast with the participant's normal AI agent.
- A concise video that makes the finding easy to understand.
- Permission to quote or feature the finding publicly.
The goal is not to say RubberDuck is perfect. The goal is to show what deeper codebase intelligence changes in practice.
Confidentiality
Do not submit secrets, credentials, customer data, private source code, or anything you are not authorized to share.
The form asks for your publication and attribution preference. RubberDuck and Code & Capital may use aggregate findings for a recap or research note. Named quotes, company/project names, findings, or video excerpts will follow the permission preference you select.