A story about Ahimsa in software, 190 lines vs 1,400, and why the rod matters more than the fish.
It was 3am. Commit number 42.
I'm building CrowdBooks — a collaborative book platform on IPFS. No cloud. No vendor lock-in. No surveillance. Just people writing books together.
We had a cookie problem. Not a legal one. A philosophical one.
The Cookie Was a Lie
Most web apps carry cookies like luggage. CSRF tokens, tracking pixels, session sprawl. Every cookie is a small compromise: "We need to remember you — trust us."
We replaced the whole thing with one sentence in our tagline:
"We don't sell the fish — we give you the rod."
That sentence forced a decision. If we're giving people the rod, we can't be secretly netting their data in the background.
So we ripped out the CSRF cookie. Replaced it with HMAC-signed tokens. Now there's exactly one cookie: session. That's it.
Smaller attack surface. Cleaner architecture. And honest.
Two hours after pushing that commit, I opened Umami analytics. One visitor from India. 25% of our traffic.
I don't know who it was. But I like to think the principle found its people.
What Is ForgeStudio?
Before the numbers make sense, you need to know what we're building.
ForgeStudio is an Android app with two souls.
The first soul: a CrowdBooks reader and editor. You load a book from the decentralized store, read it, edit your own chapters, push back to the repo. Markdown preview built in. The book is yours — locally, always.
The second soul: an app builder. On a tablet with a touchscreen, you drag controls, resize them, wire up logic — and you're building a real app. Not a prototype. The UI runs live in the same app, interpreted via SMS scripts. When you're ready, you compile — that goes through our SaaS build service — and you have a native Android app.
Same runner. Same SMS interpreter. Read a book or ship an app.
And because the runner loads SMS scripts via HTTP too, ForgeStudio can also act as a thin client for business applications — whatever a company needs to run on a tablet, without deploying a new app.
This isn't a promise. It's the direction the rod is pointing.
The Real Story: 190 Lines vs 1,400
That same night, we integrated Speech-to-Text into ForgeStudio.
8 hours of work. And when it was done, I realized: no other developer has to go through this again.
Here's why that matters.
ForgeStudio uses SMS — a scripting language I built for the Forge 4D framework. Inspired by Kotlin, running on a C++ VM. The app runs on Android — native, almost. In a few days: fully native.
For Android STT we use Google's speech recognition via a Kotlin plugin and a MessageBridge between the native layer and the SMS runtime. It looks roughly like this on the SMS side:
fun onVoiceInput(text: String) {
var clean = filterGlitches(text)
postToEditor(clean)
}
The STT integration in SMS: ~190 lines.
The equivalent — Kotlin plugin, MessageBridge wiring, permission handling, lifecycle, UI callbacks: ~1,400 lines.
And here's the honest part: Codex couldn't finish it. It kept getting tangled in the bridge layer. After hours of going in circles, I handed it to Claude CLI. Cleaned up in one pass.
That's not a flex. That's a data point. Some problems have enough architectural context that a fresh, capable read matters more than iteration.
86% less code. One AI handoff. Shipped.
Why This Is the Rod
Every hour I spend building ForgeStudio is an hour no one else has to spend on the same problem.
The STT battle is over. Done. It's in the framework now. The next developer who needs voice input in their app writes 190 lines of SMS — and ships.
That's the rod.
Not the fish. Not "here's a SaaS that handles your voice input for $29/month and owns your data." A tool you hold. A tool you understand. A tool that doesn't expire.
This is what I mean by Ahimsa in software development:
- Don't trap your users (no dark cookies)
- Don't trap other developers (no proprietary black boxes)
- Don't make people fight battles you've already won
The Numbers That Made Me Pause
- 42 commits — yes, the Hitchhiker's number
- 1 session cookie — down from a cookie jar
- 190 lines — to speak to your app
- 8 hours — so you don't have to spend them
- 4 visitors — India, USA, Germany, Bulgaria. Day one analytics. The right people find you.
What's Actually Next
Books were just the beginning. The reason we ripped out every unnecessary cookie is simple: this thing might run a thousand times, all over the world.
Every instance on a €1 VPS. Every instance independent. None of them switchable off.
CrowdBooks becomes a store. Not Amazon. The opposite of Amazon.
A farmer near Valencia sitting on an orange plantation can list her oranges. A craftsman in Wittenberg can offer his hours. A developer in India can publish his tool. All of it priced in something like Minuto — not a currency really, more like a voucher. Work-time as value. No banks. No corruption vector. No tax on doing something good.
Books first — because books carry truth that media can no longer twist. That's Wikipedia 3.0, except the incentive to lie has been engineered out. No ad revenue. No editorial pressure. Just people writing what they actually know.
Then apps. Then services. Then oranges.
And because it runs everywhere — on IPFS, on cheap VPS instances, on phones — there's no single throat to choke. You can't call up the CEO. There is no CEO. There's just the protocol, and the people who chose to run it.
That's why the session cookie is the only cookie.
Because something that might run everywhere shouldn't carry any weight it doesn't need.
If you're an indie dev who's tired of building on sand — come look at the rod.
Repo: codeberg.org/CrowdWare/ForgeCrowdBook
Aho. 🌱
Top comments (0)