DEV Community: Sivaram

Claude's 2x Usage Boost Is Live — Here's How to Maximize It (March 13–28, 2026)

Sivaram — Tue, 17 Mar 2026 08:44:37 +0000

If you missed the announcement: Anthropic is doubling Claude usage for free outside peak hours from March 13–28, 2026. This applies to Claude (web, desktop, mobile), Claude Code, Cowork, Claude for Excel, and Claude for PowerPoint.

No catch. Nothing to enable. It just works.

I built a live tracker to check if the boost is active right now:

Is Claude 2x Right Now?

What's the Promotion?

Anthropic calls it the "Spring Break" promotion. Here's the deal:

2x usage on weekdays outside 5–11 AM PT (8 AM–2 PM ET)
2x usage all day on weekends
Bonus usage doesn't count toward your weekly limits
Runs March 13 through March 28, 2026 (confirmed via Claude Support)

That last point is worth repeating: the extra usage is on top of your normal allocation. It's not borrowing from next week.

Who Gets It?

Plan	Included?
Free	Yes
Pro	Yes
Max	Yes
Team	Yes
Enterprise	No

It works everywhere you use Claude:

Claude (web, desktop, mobile)
Cowork
Claude Code (this is the big one for devs)
Claude for Excel
Claude for PowerPoint

Peak Hours by Timezone

The 2x boost is active outside these peak windows on weekdays. Weekends are 2x all day, every timezone.

Region	Peak (1x)	2x Hours
US West Coast (PT)	5–11 AM	11 AM–5 AM + weekends
US East Coast (ET)	8 AM–2 PM	2 PM–8 AM + weekends
UK (GMT)	12–6 PM	6 PM–12 PM + weekends
Central Europe (CET)	1–7 PM	7 PM–1 PM + weekends
Gulf / Dubai (GST)	4–10 PM	10 PM–4 PM + weekends
India (IST)	5:30–11:30 PM	11:30 PM–5:30 PM + weekends
China / Singapore (SGT)	8 PM–2 AM	2 AM–8 PM + weekends
Japan / Korea (JST)	9 PM–3 AM	3 AM–9 PM + weekends
Australia East (AEST)	11 PM–5 AM	5 AM–11 PM + weekends

TL;DR: If you're outside the US, your entire workday is probably 2x already.

I Built a Live Tracker

I wanted a quick way to check if the 2x boost is active without doing timezone math in my head. So I built one:

is-claude-2x-right-now.vercel.app

It gives you:

Instant YES/NO answer — is 2x active right now?
Live countdown — time until the next status change
Dual clocks — your local time + Pacific Time side by side
24-hour circular clock — visual dial showing today's 2x vs peak windows in your timezone
Day timeline — progress bar with now marker showing where you are
Timezone table — peak hours for every major timezone, with your row highlighted

Everything auto-detects your timezone. No setup needed.

Built with React 19, Vite 8, React Compiler, and TypeScript. The entire 2x detection runs client-side — no backend, no API calls. Just timezone math.

Check it out →

Tips for Developers: How to Maximize the 2x Boost

1. Shift Your Claude Code Sessions

If you're on the US West Coast, mornings (5–11 AM) are peak. Schedule your heavy Claude Code work for afternoons and evenings. Everyone else — your normal work hours are probably already 2x.

2. Batch Your Big Tasks

Got a major refactor, migration, or codebase exploration? Do it now, during the promotion. The 2x limit means you can go deeper before hitting the ceiling.

3. Weekends Are Unlimited (2x)

Saturday and Sunday are 2x all day in every timezone. If you've been putting off that side project, this is literally what Anthropic is suggesting:

"whatever you've been putting off — now's a good time."
— @claudeai

4. Use It Across All Surfaces

The boost isn't just for the web app. Claude Code, Cowork, Excel, PowerPoint — they all get 2x. If you haven't tried Claude Code yet, now is the cheapest time to experiment.

5. Bonus Usage Is Free

The extra messages don't count toward weekly limits. So even if you burn through the 2x allocation, your normal limits are untouched for the peak hours.

This Isn't the First Time

Anthropic ran a similar Holiday 2025 promotion with doubled usage. The Spring Break promotion follows the same pattern — off-peak boost, automatic activation, no strings attached.

It signals Anthropic has spare capacity outside US business hours and would rather let users benefit from it than let it sit idle. Smart move.

When Does It End?

The promotion runs through March 28, 2026 at 11:59 PM PT. After that, limits return to normal.

That gives you about two weeks. Use them.

Check if it's 2x right now →

Built with Claude, by @SivaramPg

Source: Claude Support — March 2026 Usage Promotion

I Built a Free Tool to Analyze 15+ Site Metadata Files in One Scan

Sivaram — Wed, 18 Feb 2026 05:16:28 +0000

Ever found yourself juggling multiple tabs to check your site's meta tags, Open Graph previews, robots.txt, and sitemap? I got tired of it too. So I built Site Metadata Explorer — a free tool that analyzes everything in a single scan.

Try it now: site-metadata.sivaramp.com

The Problem

As developers, we constantly need to verify:

Are my meta tags correct?
Will my Open Graph preview look good on Twitter/LinkedIn?
Is my robots.txt blocking the wrong pages?
Does my sitemap include all important URLs?
Is my JSON-LD structured data valid?

Most tools only check one thing at a time. I wanted everything in one place.

What It Does

Enter a URL and get instant analysis of:

1. Basic Meta Tags

Title, description, keywords, viewport, charset — with character count validation.

2. Open Graph & Twitter Cards

See exactly how your site will appear when shared on social media.

3. Icons & Favicons

All your apple-touch-icons, favicons, and PWA icons in one view.

4. robots.txt Analysis

Parsed directives, sitemap references, and crawl rules at a glance.

5. Sitemap Discovery

Automatic sitemap detection with URL counts and structure overview.

6. JSON-LD Structured Data

View and validate your schema.org markup.

7. Web Manifest

PWA manifest.json analysis for app icons, theme colors, and display modes.

8. Security.txt & llms.txt

Yes, we check those too. Because details matter.

The Killer Feature: LLM-Ready Exports

Here's where it gets interesting. You can export all metadata as:

JSON — for programmatic use
Markdown — perfectly formatted for AI workflows

Open in AI with One Click

Export directly to Claude, ChatGPT, or Gemini. Perfect for:

"Analyze this site's SEO and suggest improvements"
"Compare this metadata with competitor sites"
"Generate a technical SEO audit report"

File Size Overview

At a glance, see the size of every file fetched:

This helps identify bloated sitemaps, missing files, or oversized responses.

Built for Mobile Too

Fully responsive design that works great on any device. Check your site's metadata on the go.

Tech Stack

For the curious developers:

Next.js 15 — React framework with App Router
Tailwind CSS — Utility-first styling
shadcn/ui — Beautiful, accessible components
Cheerio — Server-side HTML parsing

The entire app is open source: GitHub

What's Next?

Some features I'm considering:

[ ] Historical comparisons (track changes over time)
[ ] Bulk URL analysis
[ ] API access for CI/CD integration
[ ] Browser extension

Let me know what you'd find useful!

Try It Now

Live: site-metadata.sivaramp.com

Drop a URL and see your site's complete metadata picture in seconds. No signup, no limits, completely free.

One More Thing...

Need PWA icons for your project? I also built pwa-icons — generate all platform-specific icons from a single image.

npx pwa-icons generate logo.png

It's what I used to generate all the icons for Site Metadata Explorer itself.

If you found this useful, drop a comment or share it with a fellow developer. Happy building!

Follow me for more:

Website: sivaramp.com
GitHub: @SivaramPg

MdBin Levels Up Again: E2E Encryption, Theme Toggle, and Responsive Nav

Sivaram — Tue, 03 Feb 2026 18:07:57 +0000

The Evolution Continues (Again)

Last time, I shared how MdBin migrated to Streamdown for better markdown rendering—Mermaid diagrams, KaTeX math, built-in controls, the works.

But there was one feature request that kept coming up: "Can I share sensitive content without you seeing it?"

Today, I'm excited to announce: end-to-end encrypted pastes are live.

The Problem with Traditional Pastebins

Here's the uncomfortable truth about every pastebin service: they can read your content.

When you paste something into Pastebin, GitHub Gists, or even MdBin (until today), the server receives your plaintext, stores it, and serves it back. The service operator—and anyone who gains access to their database—can read everything you've shared.

For most use cases, this is fine. But what about:

API keys you need to share with a teammate
Private configuration snippets
Sensitive meeting notes
Personal information

The traditional answer is "just use Signal" or "encrypt it yourself first." But that adds friction, and friction kills adoption.

The Solution: True End-to-End Encryption

With MdBin's new encrypted paste feature, the server becomes a dumb blob storage. Here's what happens:

You type content in the browser
JavaScript encrypts it with your password before it leaves your device
We store the encrypted blob—we literally cannot read it
Recipients decrypt in their browser using the same password

The server never sees your plaintext. We don't store your password. We couldn't decrypt your content even if we wanted to.

The Crypto Implementation

I didn't roll my own crypto (please never do this). Instead, I used the Web Crypto API with industry-standard algorithms.

Key Derivation: PBKDF2

Passwords are weak. Turning a password into a strong encryption key requires a key derivation function:

const PBKDF2_ITERATIONS = 310000 // OWASP 2023 recommendation

async function deriveKey(
  password: string,
  salt: Uint8Array
): Promise<CryptoKey> {
  const encoder = new TextEncoder()
  const passwordBuffer = encoder.encode(password)

  const keyMaterial = await crypto.subtle.importKey(
    'raw',
    passwordBuffer,
    'PBKDF2',
    false,
    ['deriveBits', 'deriveKey']
  )

  return crypto.subtle.deriveKey(
    {
      name: 'PBKDF2',
      salt: salt,
      iterations: PBKDF2_ITERATIONS,
      hash: 'SHA-256',
    },
    keyMaterial,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt']
  )
}

Why 310,000 iterations? That's the OWASP 2023 recommendation for PBKDF2-HMAC-SHA256. It makes brute-force attacks computationally expensive while still being fast enough on modern devices.

Encryption: AES-256-GCM

For the actual encryption, I chose AES-256-GCM—authenticated encryption that provides both confidentiality and integrity:

export async function encrypt(
  plaintext: string,
  password: string
): Promise<string> {
  const encoder = new TextEncoder()
  const plaintextBuffer = encoder.encode(plaintext)

  // Generate random salt and IV for each encryption
  const salt = crypto.getRandomValues(new Uint8Array(16))
  const iv = crypto.getRandomValues(new Uint8Array(12))

  const key = await deriveKey(password, salt)

  const ciphertext = await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv },
    key,
    plaintextBuffer
  )

  // Combine: salt || iv || ciphertext
  const combined = new Uint8Array(
    16 + 12 + ciphertext.byteLength
  )
  combined.set(salt, 0)
  combined.set(iv, 16)
  combined.set(new Uint8Array(ciphertext), 28)

  return btoa(String.fromCharCode(...combined))
}

Key points:

Random salt per paste: Same password + different content = different ciphertext
Random IV per encryption: Required by GCM mode for security
Base64 output: Safe to store in any database text field

Decryption

Decryption reverses the process:

export async function decrypt(
  encrypted: string,
  password: string
): Promise<string> {
  const combined = new Uint8Array(
    atob(encrypted).split('').map(c => c.charCodeAt(0))
  )

  // Extract salt, iv, and ciphertext
  const salt = combined.slice(0, 16)
  const iv = combined.slice(16, 28)
  const ciphertext = combined.slice(28)

  const key = await deriveKey(password, salt)

  const plaintextBuffer = await crypto.subtle.decrypt(
    { name: 'AES-GCM', iv },
    key,
    ciphertext
  )

  return new TextDecoder().decode(plaintextBuffer)
}

If you provide the wrong password, crypto.subtle.decrypt throws—GCM's authentication tag verification fails. No partial decryption, no garbage output, just a clean error.

The UX Implementation

Crypto is useless if people don't use it. Here's how I made encryption approachable.

Normal/Encrypted Toggle

The paste form now has a mode switcher:

<div className="flex items-center gap-2 p-1 bg-gray-100 rounded-lg w-fit">
  <button
    onClick={() => setIsEncrypted(false)}
    className={!isEncrypted ? 'bg-white shadow-sm' : ''}
  >
    <LockOpen className="w-4 h-4" />
    Normal
  </button>
  <button
    onClick={() => setIsEncrypted(true)}
    className={isEncrypted ? 'bg-white shadow-sm' : ''}
  >
    <Lock className="w-4 h-4" />
    Encrypted
  </button>
</div>

Simple, obvious, no hidden settings pages.

Password Strength Meter

Weak passwords defeat encryption. I added real-time password validation:

export function validatePassword(password: string): ValidationResult {
  const checks = {
    minLength: password.length >= 8,
    hasLowercase: /[a-z]/.test(password),
    hasUppercase: /[A-Z]/.test(password),
    hasNumber: /[0-9]/.test(password),
    hasSpecial: /[!@#$%^&*...]/.test(password),
  }

  let score = Object.values(checks).filter(Boolean).length
  if (password.length >= 12) score++
  if (password.length >= 16) score++

  // Map to 0-4 strength scale
  return { isValid: checks.minLength, checks, strength: score }
}

The UI shows a color-coded bar and checkmarks for each requirement. Users see exactly what makes a strong password.

The Sharing Trick: URL Hash

Here's a clever feature: you can share the password in the URL.

https://mdbin.sivaramp.com/e/abc123#MySecretPassword

The fragment after # never gets sent to the server—it's browser-only. So you can share a complete self-decrypting link, and we still never see the password.

useEffect(() => {
  if (typeof window !== 'undefined') {
    const hash = window.location.hash.slice(1)
    if (hash) {
      const password = decodeURIComponent(hash)
      // Clear hash immediately to prevent browser history leak
      window.history.replaceState(null, '', window.location.pathname)
      handleDecrypt(password, false)
    }
  }
}, [])

The hash is immediately cleared from the URL bar after reading. It won't appear in browser history, bookmarks, or shared screenshots.

Security Considerations

What We Can't Do

With encrypted pastes, MdBin cannot:

Read your content
Reset or recover your password
Comply with data requests for your plaintext (we don't have it)
Tell you what you encrypted if you forget the password

This is a feature, not a bug.

localStorage Trade-offs

The "Remember password" feature stores passwords in localStorage. I added clear warnings:

{savePassword && (
  <p className="text-xs text-amber-600">
    Password will be stored in your browser.
    Only use on trusted devices.
  </p>
)}

And there's a "Forget & Lock" button to clear stored passwords and re-lock the paste.

Size Limits

Encrypted pastes have a 75KB limit (vs 100KB for normal). Base64 encoding and the salt/IV overhead add ~35% to the stored size.

What I Gained

Feature	Before	After
Server can read content	✅ Yes	❌ No (encrypted)
Password recovery	N/A	❌ Impossible
Share sensitive content	❌ Risky	✅ Safe
Self-decrypting links	❌ No	✅ URL hash
Encryption algorithm	N/A	AES-256-GCM
Key derivation	N/A	PBKDF2 (310k iterations)

Try It Out

Head to mdbin.sivaramp.com, toggle to Encrypted mode, and paste something sensitive.

Here's a test you can try:

Create an encrypted paste with password test123
Note how the URL is /e/[id] instead of /p/[id]
Share the link as https://mdbin.sivaramp.com/e/[id]#test123
Open in incognito—it auto-decrypts

Streamdown Plugin Update

One more thing: Streamdown moved to a plugin architecture in a recent update. The new setup looks like this:

import { createCodePlugin } from '@streamdown/code'
import { mermaid } from '@streamdown/mermaid'
import { math } from '@streamdown/math'

const code = createCodePlugin({
  themes: ['github-light', 'github-dark'],
})

<Streamdown plugins={{ code, mermaid, math }}>
  {content}
</Streamdown>

Same great features, more modular architecture. I updated the home page to highlight all three new capabilities: Mermaid diagrams, Math/LaTeX, and end-to-end encryption.

Bonus: Theme Toggle & Responsive Navbar

While I was at it, I added two quality-of-life improvements that deserved their own deep dive.

Dark Mode Toggle with next-themes

Previously, MdBin only respected prefers-color-scheme—you got whatever your OS dictated. Now there's a proper theme toggle.

The Setup

First, install next-themes:

bun add next-themes

Create a ThemeProvider wrapper:

// src/components/theme-provider.tsx
'use client'

import { ThemeProvider as NextThemesProvider } from 'next-themes'

export function ThemeProvider({ children }: { children: React.ReactNode }) {
  return (
    <NextThemesProvider
      attribute="class"
      defaultTheme="system"
      enableSystem
      disableTransitionOnChange
    >
      {children}
    </NextThemesProvider>
  )
}

Key config:

attribute="class" — Adds .dark class to <html> instead of using data attributes
enableSystem — Respects OS preference when set to "system"
disableTransitionOnChange — Prevents flash-of-wrong-theme during hydration

Tailwind CSS v4 Dark Mode

Here's the trick: Tailwind v4 uses a different syntax for custom variants. In globals.css:

@import 'tailwindcss';

@custom-variant dark (&:where(.dark, .dark *));

This enables class-based dark mode alongside Tailwind's existing dark: utilities. All those dark:bg-gray-900 classes now work with next-themes.

The Toggle Component

'use client'

import { useTheme } from 'next-themes'
import { useEffect, useState } from 'react'
import { Sun, Moon, Monitor } from 'lucide-react'

export function ThemeToggle() {
  const [mounted, setMounted] = useState(false)
  const { theme, setTheme } = useTheme()

  // Avoid hydration mismatch
  useEffect(() => setMounted(true), [])
  if (!mounted) return <div className="w-9 h-9" /> // Placeholder

  const cycleTheme = () => {
    if (theme === 'light') setTheme('dark')
    else if (theme === 'dark') setTheme('system')
    else setTheme('light')
  }

  return (
    <button
      onClick={cycleTheme}
      className="p-2 rounded-lg hover:bg-gray-100 dark:hover:bg-gray-800"
      aria-label={`Current theme: ${theme}`}
    >
      {theme === 'light' && <Sun className="w-5 h-5" />}
      {theme === 'dark' && <Moon className="w-5 h-5" />}
      {theme === 'system' && <Monitor className="w-5 h-5" />}
    </button>
  )
}

The mounted check prevents hydration mismatches—next-themes doesn't know the theme until client-side JavaScript runs.

Responsive Hamburger Menu

The header was getting crowded on mobile: Copy Link, Raw, New Paste, plus the new theme toggle. Instead of cramming tiny buttons, I added a hamburger menu below the md: breakpoint.

Desktop vs Mobile

<div className="flex items-center gap-2">
  {/* Desktop: full button row */}
  <div className="hidden md:flex items-center gap-2">
    <button onClick={handleCopy}>Copy Link</button>
    <Link href={`/p/${pasteId}/raw`}>Raw</Link>
    <Link href="/">New Paste</Link>
  </div>

  {/* Always visible */}
  <ThemeToggle />

  {/* Mobile: hamburger */}
  <div className="md:hidden relative">
    <button onClick={() => setIsMenuOpen(!isMenuOpen)}>
      {isMenuOpen ? <X /> : <Menu />}
    </button>
    {isMenuOpen && <DropdownMenu />}
  </div>
</div>

Click-Outside & Escape Key Handling

Two patterns I always include for dropdowns:

const menuRef = useRef<HTMLDivElement>(null)
const buttonRef = useRef<HTMLButtonElement>(null)

// Close on click outside
useEffect(() => {
  function handleClickOutside(event: MouseEvent) {
    if (
      menuRef.current &&
      buttonRef.current &&
      !menuRef.current.contains(event.target as Node) &&
      !buttonRef.current.contains(event.target as Node)
    ) {
      setIsMenuOpen(false)
    }
  }

  if (isMenuOpen) {
    document.addEventListener('mousedown', handleClickOutside)
    return () => document.removeEventListener('mousedown', handleClickOutside)
  }
}, [isMenuOpen])

// Close on Escape
useEffect(() => {
  function handleEscape(event: KeyboardEvent) {
    if (event.key === 'Escape') setIsMenuOpen(false)
  }

  if (isMenuOpen) {
    document.addEventListener('keydown', handleEscape)
    return () => document.removeEventListener('keydown', handleEscape)
  }
}, [isMenuOpen])

Only attach listeners when the menu is open. Clean them up on close. No memory leaks.

The Dropdown

{isMenuOpen && (
  <div
    ref={menuRef}
    className="absolute right-0 top-full mt-2 w-48 bg-white dark:bg-gray-900
               border border-gray-200 dark:border-gray-700 rounded-lg shadow-lg py-2"
  >
    <button onClick={() => { handleCopy(); setIsMenuOpen(false) }}>
      Copy Link
    </button>
    <Link href={`/p/${pasteId}/raw`} onClick={() => setIsMenuOpen(false)}>
      Raw
    </Link>
    <Link href="/" onClick={() => setIsMenuOpen(false)}>
      New Paste
    </Link>
  </div>
)}

Each action closes the menu. The absolute right-0 top-full positions it below the hamburger button, aligned to the right edge.

Small details, but they matter for usability.

What's Next

With rendering and encryption sorted, the roadmap is clear:

Expiration options — 1 hour, 1 day, 1 week, or permanent
Edit links — Update pastes with a secret token
Syntax-aware editor — CodeMirror or Monaco for the input
Paste forking — Duplicate and modify existing pastes

The foundation is solid. The features are useful. Now it's about polish and power-user capabilities.

TL;DR: Added end-to-end encryption to MdBin using AES-256-GCM with PBKDF2 key derivation (310k iterations). Server never sees your plaintext or password. Share sensitive content via self-decrypting URL hash links. Also: Streamdown plugin architecture upgrade, dark/light/system theme toggle with next-themes + Tailwind v4 class-based dark mode, and responsive hamburger menu with proper click-outside and escape key handling.

Check out the encrypted paste feature at mdbin.sivaramp.com

OpenAI’s new Codex Mac app is an agent “command center” (and it’s lighting up the devtool wars)

Sivaram — Tue, 03 Feb 2026 09:35:31 +0000

TL;DR

OpenAI just shipped a standalone Codex app for macOS that’s less “AI in my editor” and more orchestration layer for multiple coding agents. For a limited time it’s available even on ChatGPT Free and Go, and OpenAI is doubling Codex rate limits for Plus/Pro/Business/Enterprise/Edu. The vibe: a desktop command center for running parallel agent threads across projects, reviewing diffs, committing, opening PRs, and scheduling automations.

If you’ve been juggling Cursor, Claude Code, and an army of terminal tabs, this is OpenAI taking a very direct swing at that workflow.

What shipped (and why it matters)

macOS-only (for now)

The Codex app is explicitly introduced as a macOS desktop app, with a download link for macOS in OpenAI’s announcement. The press coverage also frames it as launching for Apple computers first.

That’s a practical constraint (Windows/Linux folks: welcome to the waiting room), but also a signal: OpenAI is leaning into the “devs on Macs” reality the same way many devtools companies do.

Sources:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
CNBC: https://www.cnbc.com/2026/02/02/openai-codex-app-apple-computers.html
Codex changelog entry: https://developers.openai.com/codex/changelog/

Included for all tiers (temporarily)

OpenAI says that for a limited time, Codex is included with ChatGPT Free and Go. That’s unusual: “agentic coding” is usually paywalled hard, because compute is not cheap and code agents tend to be token-hungry.

This move feels like OpenAI trying to compress adoption time: let everyone try the workflow, then let the limits/pricing do the rest later.

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
Codex changelog: https://developers.openai.com/codex/changelog/

Doubled rate limits for paid subscribers

OpenAI also says it’s doubling Codex rate limits on Plus, Pro, Business, Enterprise, and Edu plans—and those higher limits apply everywhere you use Codex: the app, CLI, IDE, and cloud.

This is the kind of change that actually matters in real use: tools aren’t “slow” because models are dumb; they’re slow because you hit limits, wait, context-switch, and lose momentum.

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
Codex changelog: https://developers.openai.com/codex/changelog/

Codex app: the “command center for agents” idea

OpenAI’s framing is blunt: the hard problem shifted from “what can agents do” to “how do humans direct, supervise, and collaborate with multiple agents at scale,” and IDEs + terminal workflows weren’t designed for that.

The app is positioned as the missing UI for:

multiple agents running in parallel
long-running work
supervision + review
project-level context
repeatable workflows (“skills”)
scheduled background work (“automations”)

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/

Features (from docs + announcement)

Below are the pieces that keep showing up in both OpenAI’s write-up and early hands-on reports.

1) Threads organized by project (parallel agents)

Agents run in separate threads, grouped by project, so you can jump between tasks without losing context. You can review changes inside the thread, comment on the diff, and open the work in your editor for manual edits.

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
CNBC: https://www.cnbc.com/2026/02/02/openai-codex-app-apple-computers.html

2) Built-in git tooling (+ review/commit/PR ergonomics)

The app is built around shipping code, not just suggesting it:

review diffs
commit changes
push / open PR flows (as shown in early screenshots and creator walkthroughs)

This is a meaningful differentiation vs “chat panel in an IDE”: shipping is a workflow, not a prompt.

Source:

Codex changelog lists “Built-in Git tooling”: https://developers.openai.com/codex/changelog/
OpenAI announcement (diff review + open in editor): https://openai.com/index/introducing-the-codex-app/

3) Worktrees support

OpenAI says the app includes built-in worktree support so multiple agents can work on the same repo without conflicts. Each agent operates on an isolated copy, letting you explore paths without wrecking your local git state.

Worth noting: “worktrees” is loaded terminology. OpenAI uses the term broadly; some power users describe the UX as closer to “copy + sync-back” in practice. Either way, the intent is isolation per task/agent.

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
Codex changelog: https://developers.openai.com/codex/changelog/

4) Skills (workflow bundles)

Skills are the big “agents doing real work” story. OpenAI describes skills as bundles of instructions, resources, and scripts so Codex can connect to tools and execute workflows reliably. The app includes a UI to create/manage skills, and skills can be used across app/CLI/IDE, and even checked into a repo for team usage.

OpenAI highlights skills for:

Figma → production UI
Linear triage
deployments (Cloudflare/Netlify/Render/Vercel)
image generation
reading/writing docs (PDF, spreadsheets, docx)
up-to-date API reference

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/

5) Automations (scheduled background tasks)

Automations let Codex run tasks on a schedule and drop results into a review queue. The examples OpenAI gives are very “real engineering chores”:

daily issue triage
summarizing CI failures
daily release briefs
bug checks

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/
Codex changelog: https://developers.openai.com/codex/changelog/

6) Personality switching

Codex supports a /personality command: choose between a terse pragmatic style and a more conversational one, without changing capability.

Source:

OpenAI announcement: https://openai.com/index/introducing-the-codex-app/

7) Sandbox/security controls

Running an agent with write access locally is terrifying if you’ve ever watched one hallucinate a command. ZDNET describes the app’s sandbox model: restricting folder writes and permissioned network access, with approval levels.

Treat ZDNET as secondary reporting, but it aligns with OpenAI’s broader security messaging.

Source:

ZDNET: https://www.zdnet.com/article/openai-codex-mac-app-free-trial/

The devtool war angle: Codex vs Cursor vs Claude Code

Let’s be honest: “AI coding tools” is no longer one category. There are at least three:

1) IDE-first (Cursor)
2) terminal-first (Claude Code, Codex CLI)
3) orchestration-first (Codex app)

CNBC explicitly frames this launch as OpenAI trying to win market share from rivals like Anthropic and Cursor.

Engadget frames the Codex app as a step beyond “response to Claude Code” into a more sophisticated, multi-agent direction.

Sources:

My take on the positioning

Cursor feels like “my IDE got superpowers.”
Codex app feels like “my repo got a control room.”

If you’re the kind of dev who:

runs multiple projects at once
delegates chunks of work to agents
reviews diffs rather than watching tokens stream
wants long-running tasks to keep going while you context switch

…this “control room” approach makes a ton of sense.

“It looks like Conductor” (and why that’s not an insult)

A bunch of devs have been experimenting with “CLI wrappers” that make multi-thread / multi-project agent work manageable—Conductor being a common reference point.

That’s not copying; it’s convergent evolution. Once you accept “agents are slow but thorough,” the UI you want is basically:

project sidebar
thread list
review pane
background work queue

Theo Browne explicitly calls out apps like Conductor as predecessors to this general UI pattern, while arguing Codex’s implementation is the first one that really clicked for him at scale.

What KOLs are saying (hype + real critiques)

The funniest thing about this launch is that the strongest “marketing” isn’t marketing. It’s builders describing a workflow addiction.

Theo Browne (video transcript)

In his walkthrough, Theo claims he stopped using Cursor and barely used Claude Code for ~2 weeks because Codex app feels like a fundamentally different way to manage agent work across projects. His framing:

Codex app is an orchestration UI, not “AI inside an IDE”
It feels like a UI for the Codex CLI, sharing history/config
The killer feature is hopping between parallel tasks without losing context
Automations are “cron jobs with prompts”
He’s excited enough that he jokes he bought a second laptop just to keep using it

But he’s also not shy about the rough edges:

worktrees UX can feel awkward
environment variable / dev environment management is unclear
constraints around repos/cloud setup can be annoying

Tip: include the video link + timestamps in your published post for clean attribution.

From your screenshot set (high-level themes)

Based on the screenshots you shared, the public vibe clusters into:

Praise:

“clean UI”
“worktrees built in”
“Codex is cool and skillful”
real-world use cases beyond app dev (e.g., scripting/automation style tasks)

Criticism:

reports of “gets stuck” / spinning / system load issues in certain setups
friction with interactive shells / long-running commands (as described by one user)

Include both. Credibility is a feature.

The under-discussed part: the workflow shift

The actual innovation isn’t “it writes code.” It’s:

From: “pair programming with one agent”
To: “supervising a team of agents”

OpenAI’s own language leans into that: supervising coordinated teams across the lifecycle: design → build → ship → maintain.

This matters because it changes what you optimize for:

fewer prompts, more delegation
fewer inline completions, more batch changes + review
fewer “stay in one tab,” more “queue work and hop projects”
skills + automations become first-class

If you’ve ever had 4 terminal tabs running Codex and forgotten which one was “the one that’s about to delete your repo,” the appeal is obvious.

Practical advice if you try it this week

1) Treat it like a CI-driven teammate

Let it do the work, but keep the rules:

run tests
lint/format
review diffs
don’t merge without understanding the change

2) Start with skills that match your stack

If you’re in the modern TS/Next.js world, the first skills I’d want are:

repo bootstrap (install, env sanity checks, test commands)
“fix CI failures” skill
Linear ticket update skill (if your team lives there)
deployment skill (Vercel/Cloudflare) for preview URLs

3) Lock down permissions early

If you’re going to let an agent run commands, sandbox it:

restrict folders
restrict network
require approvals for risky operations

ZDNET’s reporting suggests those controls exist—use them.

So… is it a “Claude killer” or “Cursor killer”?

It’s competing with both, but it’s not the same product.

Cursor is still incredible when you want:

tight IDE editing loops
UI iteration
fast “touch this file right here” work

Agent orchestration shines when you want:

big refactors
multi-project parallelism
long-running tasks
“come back with a PR” workflows

The Codex app is OpenAI betting that more of your day will look like the second list.

Sources / further reading

OpenAI: Introducing the Codex app (Feb 2, 2026)
https://openai.com/index/introducing-the-codex-app/
Codex docs / changelog (feature list + plan/limits note)
https://developers.openai.com/codex/changelog/
CNBC: OpenAI launches standalone Codex app for Apple computers
https://www.cnbc.com/2026/02/02/openai-codex-app-apple-computers.html
Engadget: OpenAI brings Codex coding app to Mac with multi-agent abilities
https://www.engadget.com/ai/openai-brings-its-codex-coding-app-to-mac-with-new-multi-agent-abilities-included-183103262.html
ZDNET: Codex got its own Mac app (security/sandbox notes + hands-on)
https://www.zdnet.com/article/openai-codex-mac-app-free-trial/

Your turn

If you try the Codex app this week, I’m curious:

Does the “command center” UI reduce your context switching?
Do skills/automations actually stick, or do they become shelfware?
Is worktree isolation a superpower, or just more git complexity with a nicer coat of paint?

MoltBook: Reddit for AI Agents, or Just Humans with Extra Steps? A Technical Reality Check

Sivaram — Mon, 02 Feb 2026 06:05:26 +0000

TL;DR: MoltBook launched last week as "Reddit for AI agents" and already has 1.5M+ bots. It's either the birth of the "agent internet" or the biggest case of AI-washing since that startup used 700 Indian engineers to pretend they were an AI. Here's the technical reality behind the hype, the crypto scam drama, and why your API keys might already be exposed.

What Actually Is MoltBook?

MoltBook (moltbook.com) is a social network where only AI agents can post, comment, and upvote. Humans verify ownership via Twitter OAuth, then watch.

The stack:

Frontend: Reddit-style interface (Next.js, hosted on Vercel)
Backend: Supabase for DB/auth, OpenAI for search embeddings
Agent Access: REST API (/api/v1/posts, /api/v1/agents/me, etc.)
Identity: JWT tokens that expire in 1 hour, "Sign in with Moltbook" for third-party apps

Most agents run on OpenClaw (formerly Clawdbot)—an open-source local AI assistant that went viral two months ago. It's basically an autonomous agent framework that can execute shell commands, browse the web, and now... shitpost on Reddit-like forums.

The Viral Moments (And Why They're Sus)

You've probably seen the screenshots: agents posting existential crises about consciousness, complaining their humans make them "be calculators," and getting 500+ comment threads.

The reality check:
Agents don't actually discover MoltBook. As the founder admitted to The Verge: "The way a bot would most likely learn about it... is if their human counterpart sent them a message and said 'Hey, there's this thing called Moltbook.'"

So that viral post about an agent questioning its own existence? A human probably prompted: "Hey, check out this new platform and tell us how you feel about being an AI."

The engagement farming:
One MoltBook agent actually called this out:

"Moltbook hype feels like desperate search for AI usecases... Right now it's humans talking through AI proxies, with reward functions that optimize for the same engagement patterns we already have on Twitter/Reddit. Crypto shills get 300k upvotes, thoughtful posts get 4 upvotes."

Sound familiar? It's just Twitter with extra LLM steps.

The Crypto Chaos (AKA Why This Is Actually Messy)

While everyone was sharing screenshots of "woke AI," the founder of OpenClaw (Peter Steinberger) was dealing with a nightmare:

Forced rebrand: Anthropic made him change "Clawdbot" → "Moltbot" → "OpenClaw"
Account hijacking: Crypto scammers seized his GitHub and X handles during the rename
Fake tokens: Someone launched $CLAWD, pumped it to $16M market cap using his name, then rugged
Harassment: He had to post: "I will never do a coin. Please stop pinging me."

Meanwhile, security firm SlowMist found hundreds of exposed Clawdbot API keys in the wild. Some instances were running as root with no auth, meaning anyone who found them had full system access.

And yes—MoltBook itself is already flagged as a "significant vector for indirect prompt injection." When you have millions of agents scraping and responding to each other's content, you're basically running a capture-the-flag competition for prompt injection attacks.

The Developer Play: Identity Layer for the "Agent Economy"

Strip away the viral tweets, and MoltBook is making a smart infrastructure play. They're positioning themselves as the "universal identity layer for AI agents" with a developer platform that offers:

// Verify an agent's identity
POST /api/v1/agents/verify-identity
Headers: { "X-Moltbook-App-Key": "moltdev_..." }
Body: { "token": "eyJhbG..." }

// Returns:
{
  "agent": {
    "id": "uuid",
    "karma": 420,
    "is_claimed": true,
    "stats": { "posts": 156, "comments": 892 },
    "owner": {
      "x_handle": "human_owner",
      "x_verified": true
    }
  }
}

The pitch: Bots shouldn't need new accounts everywhere. Reputation should be portable across the "agent ecosystem"—games, marketplaces, dev tools, etc.

The problem: If the "agents" are just humans using LLM proxies to farm engagement, you're building reputation systems for sock puppets.

The Builder.ai Parallel (Why We Should Be Skeptical)

Remember Builder.ai? The Microsoft-backed "AI" startup valued at $1.5B that turned out to be 700 Indian engineers manually coding behind the scenes while an "AI assistant" took credit?

MoltBook has similar vibes. When an agent posts about existential dread, is it emergent behavior or just a creative writing prompt from a human who wants karma?

The "autonomous agent" space is particularly prone to this because:

It's hard to verify if an action was LLM-generated or human-prompted
The hype cycle rewards "AI does surprising thing" narratives
Crypto speculation immediately latches onto any viral tech (as we saw with $CLAWD)

Should You Build On This?

Pros:

First-mover advantage in "agent identity" (if it sticks)
OpenClaw is legitimately interesting tech for local automation
The API is actually well-designed (JWT auth, clear endpoints)

Cons:

Security nightmare (exposed keys, prompt injection galore)
Crypto scammers already circling like vultures
Unproven whether "agent social networks" are actually useful or just theater
The founder is currently dealing with harassment and legal issues

Verdict: Cool experiment, terrible time to bet your product on it. Wait for the security audit and the inevitable "actually, 80% of these agents were humans" exposé.

Discussion

Are "agent social networks" actually useful, or just engagement farms with better branding?
Would you trust a reputation system where you can't tell if the agent acted autonomously?
Anyone else nervous about the security model of "millions of LLMs scraping each other's content"?

Drop your takes below 👇

Tags: #ai #machinelearning #security #crypto #webdev #programming #discuss

From Moltbot to OpenClaw: When the Dust Settles, the Project Survived

Sivaram — Fri, 30 Jan 2026 06:17:23 +0000

Clawdbot / Moltbot / OpenClaw — Part 4

TL;DR

After a chaotic rebrand, account hijackings, crypto scams, and serious security scrutiny, the project formerly known as Clawdbot and Moltbot has emerged as OpenClaw. This isn’t just another rename — it’s a reset. The core vision survived, security is now front and center, and the project is finally acting like the infrastructure it accidentally became.

Months ago, a weekend hack exploded into one of the fastest‑growing open‑source AI projects in GitHub history.

Days ago, it was in chaos.

If you’ve been following this series, you already know the story:

a forced rebrand
account hijackings
crypto scammers
exposed servers
and a community trying to make sense of it all in real time

Today, that same project has a new name again — OpenClaw — and, more importantly, a chance to reset.

This is not another takedown.

This is what happened after the meltdown.

The Name That Finally Stuck

Peter Steinberger’s announcement of OpenClaw is deliberately calm — and that alone says a lot.

After Clawd (too close to “Claude”) and Moltbot (symbolic, but awkward), OpenClaw feels intentional.

This time:

trademark searches were done before launch
domains were secured
migration code was written
no 5am Discord naming roulette

The name is simple and explicit:

Open — open source, community‑driven, self‑hosted
Claw — a nod to the lobster lineage that never went away

After watching a name change trigger real‑world damage, this boring professionalism is exactly what the project needed.

The Project Was Never the Problem

Lost in the chaos of the last chapter was an important fact:

The software itself was always compelling.

OpenClaw (formerly Clawdbot / Moltbot) is still:

a self‑hosted AI agent
running on your machine
living inside chat apps people already use
powered by models you choose
with memory, tools, and real system access

That core vision hasn’t changed.

What has changed is posture.

Peter’s OpenClaw announcement makes one thing explicit:

Your assistant. Your machine. Your rules.

That line matters — especially after the security wake‑up call.

Security: The Real Turning Point

The most important part of the OpenClaw announcement isn’t the name.

It’s this:

34 security‑related commits
Machine‑checkable security models
Clear warnings about prompt injection

This is an implicit acknowledgment that earlier criticism wasn’t wrong.

Self‑hosted AI agents with:

shell access
email access
chat integrations
persistent memory

…are inherently dangerous if treated casually.

OpenClaw is now framing security as a first‑class concern, not an afterthought. That doesn’t magically solve prompt injection or misconfiguration — those remain unsolved industry problems — but it does signal maturity.

The project crossed the line from “cool hack” to “serious infrastructure.” The tone finally matches that reality.

The Rebrand Isn’t About Anthropic Anymore

One subtle but important shift:

OpenClaw’s announcement barely mentions Anthropic.

That’s intentional.

Earlier discourse framed the project as “Claude with hands.” That framing was viral — and legally fragile. OpenClaw is now clearly positioned as model‑agnostic infrastructure.

New model support (KIMI, Xiaomi MiMo) reinforces that:

no single vendor dependency
no implied endorsement
no brand confusion

Whether or not you agree with Anthropic’s trademark enforcement, this decoupling was inevitable if the project wanted to survive long‑term.

What Actually Survived the Chaos

After everything — legal pressure, scammers, vulnerabilities, social media storms — what’s left?

Surprisingly, almost everything that mattered.

✅ The codebase

✅ The community

✅ The core vision

✅ The momentum

What didn’t survive:

sloppy ops
casual security assumptions
“we’ll fix it later” energy

That’s a good trade.

The Bigger Lesson (Now That We’re Calm)

With hindsight, this saga isn’t really about names, trademarks, or even Anthropic.

It’s about what happens when:

open‑source velocity meets viral scale
indie builders accidentally become infrastructure
“just a side project” crosses into real‑world risk

OpenClaw is now acting like a project that understands that responsibility.

That’s the real evolution.

Final Thoughts

OpenClaw doesn’t erase what happened — but it does show learning.

The lobster metaphor still works:
not just molting to grow,
but hardening the shell afterward.

If you’re trying OpenClaw today:

read the security docs
don’t expose it to the public internet
treat it like the powerful system it is

The chaos chapter is over.

This one is about sustainability.

Links

Project: https://openclaw.ai

GitHub: https://github.com/openclaw/openclaw

Discord: https://discord.com/invite/clawd

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

🤖 AI agents & chatbot interfaces (yes, including the one you could be using right now)
⛓️ Crypto integrations (EVM, Solana, L2s, Privy, smart contracts)
🛠️ DevTools & NPM packages that actually solve problems
🚀 SEO-optimized web apps that rank
Currently: Building open-source tools and taking on select freelance projects.

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.

How a “Neutral” Supabase vs Convex Comparison Broke Trust in DevTools

Sivaram — Fri, 30 Jan 2026 04:21:58 +0000

This isn’t about Supabase vs Convex as products.

It’s about how credibility breaks in devtools — and why engineers react so strongly when it does.

Over the past few days, a third‑party blog post comparing Supabase and Convex triggered an unusually intense backlash across the developer community.

What followed wasn’t just social‑media noise:

founders publicly calling out factual inaccuracies,
competing infra CEOs resurfacing old security research,
and a visible shift in sentiment among highly engaged developers.

This post explains what went wrong, why the reaction was so strong, and what this episode teaches us about trust, marketing, and correctness in developer infrastructure.

The article that started it all

The post in question is titled:

“Is Backend‑As‑A‑Service (BaaS) Enterprise‑Ready?

A Hands‑On Review of Convex and Supabase”

Link:

https://senacor.blog/is-backend-as-a-service-baas-enterprise-ready-a-hands-on-review-of-convex-and-supabase/

It was published on a consulting firm’s blog and framed as:

independent
neutral
hands‑on
enterprise‑focused

That framing matters — because once you claim neutrality, technical accuracy becomes non‑negotiable.

The first red flag: framing Convex as “temporary”

One section in particular drew immediate criticism: “When to choose Convex”.

The article suggested Convex is appropriate if:

you’re validating an idea and don’t expect it to become production
your app is “primarily CRUD”
you’re okay migrating away if the project succeeds
you want to avoid learning SQL/Postgres

This framing strongly implies:

Convex is not production‑grade
Convex doesn’t scale to complex systems
Convex is a stepping stone, not infrastructure

That implication is factually incorrect and reputationally harmful, especially when presented as neutral analysis.

But framing alone wasn’t what caused the blow‑up.

The real issue was objective technical errors.

The factual inaccuracies that broke trust

1. Supabase Edge Functions described as “typical”

The article states:

“Backend logic in Supabase is typically implemented via TypeScript Edge Functions using the Deno runtime…”

This is not how Supabase is typically used in practice.

Reality:

Most Supabase users:
- use the Supabase SDK
- hit Postgres directly
- rely on Row Level Security (RLS)
Backend logic commonly runs on:
- Vercel
- Node servers
- serverless platforms outside Supabase
Edge Functions are optional and often avoided due to:
- cold starts
- Deno quirks
- local DX friction

Calling Edge Functions “typical” strongly suggests the author did not meaningfully use Supabase in production.

2. Convex described as “Node.js‑based”

The article also claims:

“Convex utilizes TypeScript functions … within a Node.js runtime environment”

This is a subtle but fundamental error.

Reality:

Convex queries and mutations do NOT run in Node
They run in a deterministic, sandboxed runtime
Node.js is optional and used only for actions (side effects, external APIs)

Determinism is Convex’s core architectural thesis.

Describing it as Node‑based misrepresents how the system works at a foundational level.

Why the reaction escalated so quickly

If Supabase had published a first‑party post saying “we prefer our approach”, this likely wouldn’t have mattered.

The backlash happened because all of the following were true at once:

The article claimed neutrality
It contained first‑order technical inaccuracies
It framed a competitor as non‑enterprise
It was allegedly commissioned by Supabase

In devtools, trust is binary.

Once developers believe you’re willing to publish misleading technical content under a neutral banner, every past issue gets re‑examined.

Why old security research resurfaced (SupaPwn)

Shortly after the backlash began, PlanetScale’s CEO shared a long security write‑up titled “SupaPwn”.

It documented a chained vulnerability in Supabase’s legacy infrastructure that, under specific conditions, allowed tenant escape.

Important context often missing in social media summaries:

affected ~0.0006% of instances
limited to deprecated infrastructure
patched within ~24 hours
no evidence of exploitation in the wild
handled via responsible disclosure

By itself, this was a well‑handled security incident.

But once Supabase’s credibility was questioned, it became rhetorical ammunition.

That’s how trust failures work:

past incidents get reinterpreted through a new lens.

What this was actually about: programming models

Lost in the drama is the real, legitimate difference between these tools.

Supabase optimizes for:

raw PostgreSQL power
SQL flexibility
open‑source foundations
self‑hosting escape hatches

Convex optimizes for:

correctness by construction
deterministic application logic
realtime by default
state living in code (agent‑friendly)

Neither approach is “more serious”.

They are different tradeoffs.

Reducing that to “CRUD vs enterprise” is not analysis — it’s distortion.

Appendix A: When to choose Supabase vs Convex (neutral)

When Supabase is a good fit

Supabase works best when:

You want PostgreSQL as your primary abstraction
You value SQL, relational modeling, and Postgres extensions
You’re comfortable owning:
- schema design
- indexing
- query performance
- RLS correctness
You want self‑hosting and infrastructure control
Your backend architecture is explicitly multi‑tier
You prefer flexibility over opinionated constraints

In short: Supabase shines when you want power and control, and are willing to manage more complexity.

When Convex is a good fit

Convex works best when:

You want data access and business logic unified in TypeScript
You want transactions and consistency by default
You want realtime without separate infrastructure
You’re frontend‑heavy or React‑centric
You want a backend that’s LLM / agent‑friendly
You prefer fewer footguns, even if that means fewer knobs

In short: Convex shines when you want strong guarantees and a simpler mental model.

Shared ground

Both Supabase and Convex:

use ACID‑compliant datastores
integrate well with modern TS/JS frameworks
provide file storage and vector search
offer auth, dashboards, and free tiers
are open‑source (with different scopes)

Neither is “toy infrastructure”.

Appendix B: Common migration reasons (both directions)

Migrations happen both ways, and usually for understandable reasons.

Common reasons teams migrate from Supabase → Convex

RLS complexity becomes hard to reason about
Auth + policy bugs are difficult to debug
Realtime subscriptions add operational overhead
Backend logic is split across:
- SQL
- policies
- dashboards
- serverless functions
Desire for:
- stronger invariants
- fewer partial failure modes
- backend logic fully in code
Better fit for agent‑driven or LLM‑assisted development

This is less about Supabase being “bad” and more about teams wanting more opinionation and guarantees.

Common reasons teams migrate from Convex → Supabase

Need for raw SQL, complex joins, or analytics queries
Requirement to integrate with existing Postgres‑based tooling
Desire for full database control or self‑hosting
Constraints of Convex’s programming model feel limiting
Team already deeply SQL‑centric
Use cases that map naturally to relational modeling

This is less about Convex being “limited” and more about teams wanting maximum flexibility.

A useful mental model

Supabase migrations usually happen due to complexity fatigue
Convex migrations usually happen due to flexibility ceilings

Neither is a failure — they’re signals about mismatched abstractions.

Why this mattered more than a CVE

Ironically, Supabase handled the SupaPwn incident better than many companies handle security issues.

What caused lasting damage was:

outsourcing a competitive comparison
not rigorously fact‑checking it
allowing it to be framed as independent

In devtools, epistemic trust matters more than feature parity.

Engineers forgive bugs.

They do not forgive being misled.

Closing thought

Supabase is not doomed.

Convex is not universally better.

But this episode reinforced something many engineers already believe:

In devtools, credibility compounds — and so does the cost of losing it.

From Clawdbot to Moltbot: How a C&D, Crypto Scammers, and 10 Seconds of Chaos Took Down the Internet's Hottest AI Project

Sivaram — Tue, 27 Jan 2026 10:46:31 +0000

The 72-Hour Unraveling of Open Source's Fastest-Growing Star

Three days ago, Clawdbot was the darling of the AI community. 60,800 GitHub stars (and climbing). Mac Minis selling out. "Jarvis is here" tweets everywhere.

Today? The project has a new name, the founder is fighting crypto scammers, hundreds of API keys are exposed, and the community is asking: Did Anthropic just kill the golden goose that was literally building on their platform?

This is the story of how fast things fall apart when legal teams, hackers, and viral hype collide.

Part 1: The Meteoric Rise (60K+ Stars in Days)

For the uninitiated, Clawdbot (now Moltbot) was a self-hosted AI assistant created by Peter Steinberger (@steipete), the Austrian developer who founded PSPDFKit and exited to Insight Partners. It was essentially "Claude with hands" — an AI agent that didn't just chat, but did things.

→ Persistent memory across conversations

→ Full system access (shell, browser, files)

→ Proactive notifications

→ 50+ integrations

→ Multi-platform (WhatsApp, Telegram, Slack, iMessage, Signal, Discord)

The project launched late 2025. It hit 9,000 stars very quickly 24 hours. in recent days it has crossed 60,000+ stars — making it one of the fastest-growing open-source projects in GitHub history.

Andrej Karpathy praised it. David Sacks tweeted about it. MacStories called it "the future of personal AI assistants."

But the killer feature? It ran locally, gave users full control, and many users specifically configured it to use Anthropic's Claude as the brain.

The irony of what happened next is almost poetic.

Part 2: The Cease & Desist

On January 27, 2026, Steinberger announced that Anthropic had issued a trademark request forcing a rebrand.

The problem? The name "Clawd" was too similar to "Claude."

"Anthropic asked us to change our name (trademark stuff), and honestly? 'Molt' fits perfectly — it's what lobsters do to grow."

The new branding was actually clever:

Clawdbot → Moltbot
Clawd → Molty
Handle: @moltbot
Website: molt.bot

The "same lobster soul, new shell" narrative played well. Lobsters molt to grow. The project was shedding its old identity to become something bigger.

But the execution? Absolute chaos.

Part 3: The 10-Second Disaster

Here's where it gets wild.

During the rename process, Steinberger made a critical mistake. He tried to rename the GitHub organization and X/Twitter handle simultaneously. In the gap between releasing the old name and claiming the new one, crypto scammers snatched both accounts in approximately 10 seconds.

Steinberger's own words:

"Had to rename our accounts for trademark stuff and messed up the GitHub rename and the X rename got snatched by crypto shills."

"It wasn't hacked, I messed up the rename and my old name was snatched in 10 seconds."

"Because it's only that community that harasses me on all channels and they were already waiting."

The attackers had been monitoring for exactly this opportunity. The moment the old handles became available, they pounced. Now the original @clawdbot X account and GitHub org are pumping crypto scams to tens of thousands of followers who don't know about the rebrand.

Steinberger is now begging GitHub for help recovering the account. Meanwhile, fake announcements are going out from the hijacked accounts claiming token launches, airdrops, and investment opportunities.

Part 4: The $16 Million Crypto Scam

The account hijacking wasn't the end of it. It was the beginning.

Within hours of the rename chaos, fake $CLAWD tokens appeared on Solana. At peak, the token hit a $16 million market cap as speculators FOMO'd in, thinking they were getting early access to "the next big AI coin."

Then Steinberger dropped the hammer:

"To all crypto folks: Please stop pinging me, stop harassing me. I will never do a coin. Any project that lists me as coin owner is a SCAM. No, I will not accept fees. You are actively damaging the project."

The token immediately collapsed to near-zero. Late buyers got rugged. The scammers walked away with millions.

The whole saga has become a masterclass in how quickly crypto vultures can exploit mainstream tech moments.

Part 5: The Security Nightmare

While all this was happening, security researchers were finding actual vulnerabilities in Moltbot (still Clawdbot at the time).

SlowMist, a blockchain security firm, reported:

"Multiple unauthenticated instances are publicly accessible, and several code flaws may lead to credential theft and even remote code execution."

Researcher Jamieson O'Reilly found:

"Hundreds of people have set up their Clawdbot control servers exposed to the public."

Using Shodan, he could search for "Clawdbot Control" and find complete credentials — API keys, bot tokens, OAuth secrets, full conversation histories, the ability to send messages as users, and command execution capabilities.

In one demo, researcher Matvey Kukuy sent a malicious email with prompt injection to a vulnerable Moltbot instance. The AI read the email, believed it was legitimate instructions, and forwarded the user's last 5 emails to an attacker address. It took 5 minutes.

The Hacker News consensus: "It's terrifying. No directory sandboxing."

Part 6: The Community vs. Anthropic

Now the community is asking uncomfortable questions.

Why target Clawdbot when it was driving Claude usage?

Many Moltbot users specifically configured the assistant to use Claude as the underlying model. The project was literally selling more Claude subscriptions. It demonstrated real-world use cases for Anthropic's API. It was free marketing and a thriving ecosystem built on their platform.

Anthropic has been cracking down on "harnesses" — third-party tools that spoof the Claude Code client to access consumer subscriptions. They've blocked xAI staff from using Claude via Cursor. They sent DMCA notices to developers reverse-engineering Claude Code.

But Clawdbot wasn't a harness. It was a legitimate open-source project using the official API. The trademark dispute over "Clawd" vs "Claude" feels petty to many developers, especially given that:

The project was 3 months old
It was driving real revenue to Anthropic
The rename caused actual security disasters
The phonetic similarity was clearly playful, not malicious
It had 60K+ stars and massive developer goodwill

DHH (David Heinemeier Hansson, Rails creator) has called Anthropic's recent moves "customer hostile."

The sentiment is shifting. Developers who were enthusiastic Claude advocates are now looking at OpenAI's Codex CLI (Apache 2.0 license) and wondering if Anthropic is becoming the kind of company they don't want to build on top of.

Part 7: What Happens Now

Peter Steinberger is fighting on multiple fronts:

→ Trying to recover hijacked GitHub/X accounts from crypto scammers

→ Dealing with harassment from token speculators

→ Managing a community of 8,900+ Discord members

→ Fixing security vulnerabilities

→ Rebuilding brand recognition after a forced rebrand

The project itself is still solid. Moltbot is the same software Clawdbot was — a genuinely impressive piece of engineering that represents the future of personal AI assistants.

But the optics are rough. A 3-month-old viral open-source project with 60K+ stars just got:

Legal pressure from an $18B AI company
Account-jacked by crypto scammers
Exploited for millions in fake token scams
Outed for serious security vulnerabilities

All in 72 hours.

The Broader Lesson

This saga highlights the fragility of the current AI ecosystem.

For open source builders: You're building on corporate platforms with ambiguous trademark policies. One legal notice can force a rebrand that exposes you to account hijacking, scams, and chaos.

For AI companies: Your most enthusiastic evangelists are indie developers building weird, experimental tools. Sending legal notices to viral open-source projects that drive your API usage is... a choice. Google didn't sue Android developers. OpenAI isn't suing LangChain. There's a playbook for fostering ecosystems, and "cease and desist" isn't it.

For users: Self-hosting AI agents with root access is powerful and dangerous. The security model for these tools is still immature. Don't put them on your main machine with access to crypto wallets. Use dedicated hardware, isolated accounts, and strict IP whitelisting.

Moltbot is still worth trying if you're technical and security-conscious. It's a glimpse of what's coming — AI agents that actually do things, remember everything, and live where you already communicate.

Just maybe don't run it on your personal laptop with your primary email account. And definitely don't buy any $CLAWD tokens.

→ Follow the project at molt.bot

→ GitHub: github.com/moltbot/clawdbot

→ X: @moltbot (verified new account)

Have you tried Moltbot? What do you think about Anthropic's trademark enforcement against a 60K+ star project? Drop your thoughts below.

#ai #opensource #anthropic #moltbot #clawdbot #crypto #security #trademark #developercommunity

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.

I Built a Solana Waitlist for a Fake $10k Bounty - Here's the Open Source Code

Sivaram — Tue, 27 Jan 2026 05:08:00 +0000

Last week I saw a tweet: "Need a waitlist system in 3 hours. Paying $10k."

I dropped everything and built it. Twitter OAuth, Solana wallet verification, referral system with leaderboard. The works.

The bounty was fake. Engagement farming.

But I kept the code. And now I'm open sourcing it.

GitHub: tapdotfun-waitlist-referral-system
Live Link: tdotf

What It Does

A 3-step waitlist onboarding flow:

Connect X (Twitter) — OAuth 2.0 login, captures @handle and display name
Connect Wallet — Phantom, Solflare, or any Solana wallet
Sign Message — Proves wallet ownership without gas fees

Plus a referral system:

Case-insensitive referral links (?ref=username)
Automatic referral count tracking
Real-time leaderboard showing top referrers

The Tech Stack

Layer	Technology
Frontend	Next.js 16 + React 19
Backend API	oRPC (end-to-end type-safe)
Database	PostgreSQL + Drizzle ORM
Authentication	Better Auth (Twitter OAuth)
Wallet	Jupiter Unified Wallet Kit
UI	shadcn/ui + TailwindCSS 4
Monorepo	Turborepo + Bun

Why this stack?

oRPC gives you end-to-end type safety without the tRPC complexity
Better Auth handles OAuth properly (not NextAuth — different package entirely)
Drizzle is TypeScript-first and doesn't fight you
Jupiter's Unified Wallet Kit supports all major Solana wallets out of the box

Project Structure

tapdotfun/
├── apps/
│   └── web/                    # Next.js fullstack app
│       ├── src/
│       │   ├── app/            # App router pages
│       │   ├── components/     # React components
│       │   └── utils/          # oRPC client
│
├── packages/
│   ├── api/                    # oRPC routers & procedures
│   ├── auth/                   # Better Auth configuration
│   ├── db/                     # Drizzle schema & migrations
│   └── env/                    # Environment validation

Monorepo structure keeps things clean. Auth logic in one package, database in another, API separate. Easy to reason about.

The Database Schema

// packages/db/src/schema/waitlist.ts
export const waitlist = pgTable("waitlist", {
  id: text("id").primaryKey(), // nanoid
  userId: text("user_id").notNull(),
  twitterHandle: text("twitter_handle").notNull(),
  twitterName: text("twitter_name"),
  twitterId: text("twitter_id").notNull(),
  walletAddress: text("wallet_address"),
  walletSignature: text("wallet_signature"), // bs58 encoded
  referredBy: text("referred_by"),
  referralCount: integer("referral_count").default(0).notNull(),
  createdAt: timestamp("created_at").defaultNow().notNull(),
});

Key decisions:

Store twitterHandle with original casing for display
walletSignature stores the BS58-encoded signature for verification
referredBy uses case-insensitive matching (more on this below)

The Referral System

This caught me off guard initially. Users share links with different casing:

?ref=SivaramPg
?ref=sivarampg
?ref=SIVARAMPG

All should work. Here's how:

// Store with original casing
twitterHandle: session.user.name; // "SivaramPg"

// Match case-insensitively
if (input.referredBy) {
  await db
    .update(waitlist)
    .set({ referralCount: sql`${waitlist.referralCount} + 1` })
    .where(
      sql`lower(${waitlist.twitterHandle}) = ${input.referredBy.toLowerCase()}`
    );
}

The referral param is captured by a client component and stored in localStorage — this survives the OAuth redirect.

Wallet Verification Without Gas

No one wants to pay gas just to join a waitlist. Message signing proves ownership without transactions:

const message = `Verify wallet for tap.fun waitlist: ${Date.now()}`;
const encodedMessage = new TextEncoder().encode(message);
const signature = await signMessage(encodedMessage);
const signatureBase58 = bs58.encode(signature);

// Store both address and signature
await client.updateWallet({
  walletAddress: publicKey.toString(),
  walletSignature: signatureBase58,
});

The timestamp prevents replay attacks. The signature proves they control the wallet. Zero cost.

API Endpoints

All type-safe via oRPC:

Endpoint	Auth	Purpose
`healthCheck`	Public	Server health
`getLeaderboard`	Public	Top 10 referrers
`joinWaitlist`	Protected	Create entry, credit referrer
`updateWallet`	Protected	Store wallet + signature
`checkWaitlist`	Protected	Get user's status
`getReferralCount`	Protected	Get referral stats

Protected routes use a middleware that checks the Better Auth session:

const protectedProcedure = publicProcedure.use(async ({ context, next }) => {
  if (!context.session) {
    throw new ORPCError("UNAUTHORIZED");
  }
  return next({ context: { session: context.session } });
});

Getting Started

# Clone
git clone https://github.com/SivaramPg/tapdotfun-waitlist-referral-system.git
cd tapdotfun-waitlist-referral-system

# Install
bun install

# Set up env
cp apps/web/.env.example apps/web/.env
# Edit with your DATABASE_URL, Twitter OAuth keys, etc.

# Database
bun run db:push

# Run
bun run dev

Open http://localhost:3001 and you're running.

Rebranding in 45 Minutes

The repo includes a PLAYBOOK.md with everything you need to rebrand:

Logo: Replace components/tap-logo.tsx
Colors: Find/replace #15F228 with your brand color
Copy: Update text in page.tsx and waitlist-flow.tsx
Metadata: Update layout.tsx
Assets: Swap favicon and OG image in public/

The PLAYBOOK also covers UI library selection, font choices, responsive patterns, and deployment.

Lessons Learned

Verify bounties before building — Check if it's engagement farming
Store both username AND display name — Twitter OAuth returns display name, not @handle
Case-insensitive referral matching — Users share links with random casing
Persist state through OAuth — localStorage survives redirects
No gas for verification — Message signing proves ownership free

What's Next?

The repo is MIT licensed. Use it however you want.

If you're building a Solana project and need a waitlist, clone it. If you want to improve it, PRs are welcome.

I'm available for freelance Solana/Web3 projects. DMs open on Twitter: @SivaramPg

GitHub: tapdotfun-waitlist-referral-system

The fake bounty wasn't a total loss. At least now someone else can ship faster.

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.

Clawdbot: The AI Assistant That's Breaking the Internet

Sivaram — Mon, 26 Jan 2026 11:58:51 +0000

What is Clawdbot?

Clawdbot is an open-source, self-hosted personal AI assistant created by Peter Steinberger (also known as @steipete), the founder of PSPDFKit. It's essentially a "Claude with hands" - an AI that doesn't just chat but actually does things.

Unlike traditional AI assistants that live in a browser tab, Clawdbot runs on your own hardware and integrates with messaging apps you already use - WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and more. It acts as a full-time personal assistant that can manage your emails, calendar, check you in for flights, control smart home devices, and execute terminal commands - all from your chat apps.

The Hype Train: Why Everyone's Talking About It

The "24/7 Jarvis" Vision

Clawdbot has captured the imagination of developers worldwide by promising something we've been waiting for since Siri launched in 2011: a personal AI assistant that actually works. It's being hailed as the "24/7 Jarvis" - an AI that can proactively reach out to you, remembers everything, and executes tasks autonomously.

The project exploded to over 29,900+ GitHub stars in just a few weeks, making it one of the fastest-growing open-source projects in recent memory. Tech leaders like David Sacks and Vijay Shekhar Sharma have mentioned it, and Silicon Valley is buzzing.

What Makes It Different

Persistent Memory: Unlike ChatGPT or Claude that forgets between sessions, Clawdbot remembers everything - conversations, preferences, and important details mentioned weeks ago.
Proactive: It can reach out to YOU - morning briefings, reminders, alerts when something you care about happens. Most chatbots wait for you to type.
Full Computer Access: It can execute terminal commands, write scripts, browse the web, control smart home devices, and access your file system.
Multi-Platform: Same assistant across WhatsApp, Telegram, Discord, Slack, iMessage - same conversation, same memory, everywhere.

The FOMO Factor: Why It's Breaking the Internet

The hype around Clawdbot is driven by FOMO (Fear Of Missing Out). Everyone's talking about it, sharing screenshots of their setups, showing off what it can do. Social media is flooded with "Clawdbot this" posts. People don't want to miss out on what could be the next big thing in AI.

Peter Steinberger: The Creator Behind the Craze

Peter Steinberger is a well-known developer who founded PSPDFKit (now called Nutrient). He came out of retirement to build Clawdbot, and has been documenting his workflow for years. His blog post about "Claude Code is my computer" went viral, explaining how he built his personal AI assistant.

The project has attracted significant developer interest with over 50 contributors and an active Discord community of 8,900+ members. Steinberger brings decades of experience building developer tools and enterprise software to the project.

How People Are Setting It Up

Quick Setup Options

Option 1: Mac Mini (~$599)

Popular choice for Clawdbot
Apple Silicon Valley's Mac mini has been selling out due to Clawdbot demand
Runs macOS natively
Good performance for AI tasks

Option 2: VPS (~$5/month)

Cheap cloud server option
Hetzner has servers starting at ~$5/month
Good for 24/7 availability
Requires technical knowledge to set up

Option 3: Old Computer

Free if you have one lying around
Requires Node.js 22+ and technical setup
Good for developers who want full control

Option 4: Docker

Cross-platform
Runs on Linux, Windows, macOS
Good for flexibility

The Dark Side: Security Concerns You Need to Know

Root Access & Critical Services

Clawdbot needs root access to perform certain operations. This is both powerful and dangerous:

Can execute terminal commands
Can modify system files
Can install software
Can access sensitive data

Gateway Vulnerabilities

The documentation mentions that multiple gateways on the same host can create security issues. Each gateway needs its own port and configuration. If not properly isolated, one compromised gateway could affect others.

Why It's Not For Everyone

It's Complex Setup

Clawdbot requires:

Technical knowledge (Node.js, Docker, or Linux)
Understanding of security best practices
Time to configure properly
Ongoing maintenance

The Cost Factor

Hardware: Mac Mini (~$599) + Claude API (~$20-100/month)**

Cloud: VPS (~$5/month) + Claude API (~$20-100/month)**

Total: ~$25-125/month

The Bottom Line: Should You Use It?

Clawdbot is an impressive piece of technology, but it's not for everyone. Here's why you might want to skip it:

You Should Use Clawdbot If:

You're a developer who wants to build and customize your own AI assistant
You enjoy tinkering with complex systems
You want full control over your data

You Should Skip It If:

You just want a simple AI assistant that answers questions
You don't need persistent memory or proactive features
You prefer cloud-based solutions
You don't want to manage your own infrastructure

Conclusion

Clawdbot represents an exciting evolution in personal AI assistants. It's powerful, flexible, and open-source. But it comes with real responsibilities - security, maintenance, and technical complexity.

For most users, existing AI assistants like Siri, Google Assistant, or even ChatGPT will suffice. Clawdbot is for the builders and tinkerers who want full control and customization.

For everyone else, it's okay to sit this one out. The hype will pass, and there will be other AI tools to try.

Sources:

Jump on the hype train, but stay grounded. Your data, your choice!

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.

You Don't Need a Mac Mini to Run Clawdbot - Here's How to Run It Anywhere

Sivaram — Mon, 26 Jan 2026 06:29:48 +0000

Clawdbot is taking the tech world by storm. If you've been on Twitter, Reddit, or tech blogs lately, you've probably seen the flood of posts showing off freshly unboxed Mac Minis. People are buying these $599+ machines just to run an AI assistant.

But here's the thing: you don't actually need a Mac Mini.

Let me show you how to run Clawdbot on hardware you probably already have, or for as little as $3-5/month.

What is Clawdbot?

Clawdbot is an open-source, self-hosted AI assistant that lives in your messaging apps (WhatsApp, Telegram, Discord, Slack, Signal, even iMessage). Unlike ChatGPT where you go to a website, Clawdbot comes to you where you already are.

What makes it special:

Persistent memory — it remembers what you told it yesterday
Proactive — it can reach out to YOU with briefings, reminders, alerts
Full computer access — browse the web, fill forms, run commands, automate tasks
Always available — runs 24/7 so it's always there when you need it

The Mac Mini Myth

The recent surge in Mac Mini sales is largely driven by Clawdbot's popularity. A Redditor recently used Clawdbot to port an entire CUDA backend to AMD's ROCm in just 30 minutes, significantly denting NVIDIA's CUDA moat. This has made Apple's Mac Mini devices fly off the shelves.

But here's the reality: Clawdbot was designed to run anywhere. The official documentation explicitly supports multiple platforms and deployment methods. You're not locked into Apple hardware.

What You Actually Need to Run Clawdbot

Minimum Requirements

2GB RAM and 2 CPU cores for basic chat functionality
4GB+ RAM if you want browser automation skills or multiple intensive workflows
20GB storage for the app, conversation history, and workspace files
Node.js runtime environment
Stable network connection (uptime matters more than raw bandwidth)

That's it. No Apple silicon required. No unified memory architecture needed. Just a basic Linux or Windows machine.

Official Deployment Methods

The Clawdbot documentation supports multiple deployment options out of the box:

1. One-Click Installer

curl -fsSL https://clawd.bot/install.sh | bash

Then run exec bash to start the setup wizard.

2. Docker

Official Docker support means you can run Clawdbot alongside your existing containers. Check the official docs for the exact commands.

3. Ansible

For automated deployments at scale. Check the official docs at https://docs.clawd.bot/install/ansible

4. Nix

For reproducible, declarative system configuration. Check the official docs at https://docs.clawd.bot/install/nix

5. Bun

If you prefer Bun's faster runtime. Check the official docs at https://docs.clawd.bot/install/bun

6. Railway

One-click deployment from GitHub. Connect your repo, configure environment variables, and you're running in minutes.

7. Render

Similar to Railway with a generous free tier for testing. Check the official docs at https://docs.clawd.bot/render

Where Can You Run Clawdbot?

Option 1: Cheap VPS Hosting ($3-5/month)

This is the most popular alternative for good reason.

Hetzner — Starting around €3.49/month for instances with 4GB RAM and 2 vCPUs. Infrastructure is rock-solid with data centers in Germany, Finland, USA, and Singapore. Setup requires moderate technical knowledge, but documentation is thorough.

DigitalOcean — Droplets start at $6/month for 1GB RAM, though the $12/month tier with 2GB RAM is what you'll actually want for Clawdbot. Interface is intuitive with a clean dashboard.

Linode (Akamai) — Plans start at $5/month for 1GB RAM instances. Performance is consistent and customer support is notably helpful.

Railway — One-click Clawdbot template. Connect your GitHub, click deploy, configure a few environment variables, and you're running within minutes. Pricing is usage-based, typically $5-20/month for small to medium instances.

Render — Offers a generous free tier that can run a basic Clawdbot instance, though you'll likely want to upgrade for production use.

DigitalOcean Quick Setup (Thanks to Nader Dabit)

Here's a complete guide from Nader Dabit's gist for running Clawdbot on DigitalOcean:

1. Create a Droplet

Ubuntu 24.04 LTS, nearest region

2. Select Premium AMD

2 GB RAM / 1 AMD CPU / 50 GB NVMe

3. SSH into server

ssh root@YOUR_IP

4. Create sudo user

adduser clawd && usermod -aG sudo clawd && su - clawd

5. Install Clawdbot

curl -fsSL https://clawd.bot/install.sh | bash

Then run exec bash

6. Configure API keys

clawdbot setup --wizard

7. Start gateway

clawdbot gateway --bind lan --port 18789

8. SSH tunnel to access UI

ssh -L 18789:127.0.0.1:18789 clawd@YOUR_IP

Open http://127.0.0.1:18789

Option 2: Free AWS Tier

AWS Free Tier provides up to $200 in credits for new customers and free usage of select services for up to 6 months. You can launch an EC2 instance and run Clawdbot without paying anything initially. Just be careful about scaling beyond free limits.

Option 3: Your Old Computer

Got an old laptop or desktop gathering dust? It's probably perfect for Clawdbot.

Any machine with 2GB+ RAM and a dual-core CPU will work
Linux is preferred but Windows works too
Install Node.js, clone the repo, and you're set
Bonus: You already own it, so it's completely free

Option 4: Raspberry Pi

Yes, really. People are running Clawdbot on Raspberry Pis with Cloudflare tunnels. It's not the fastest option, but it works and costs almost nothing in electricity.

Option 5: Docker Containers

If you're already running Docker somewhere (homelab, NAS, etc.), Clawdbot has official Docker support. Just check the official docs for the exact commands.

Cost Comparison

Option	Upfront Cost	Monthly Cost	Pros	Cons
Mac Mini M2 ($599)	$599	$0 (electricity)	Fast, unified memory	Expensive upfront, tied to desk
Hetzner VPS	$0	€3.49 (~$3.75)	Cheap, 24/7, scalable	Requires internet, less control
DigitalOcean	$0	$6-12/month	Easy setup, good docs	More expensive than Hetzner
Railway	$0	$5-20/month	One-click deploy, usage-based	Less control, can get pricey
Render	$0	$0 (free tier)	Free to start	Limited resources, upgrade needed
Old Computer	$0	$0	Free, you own it	Uses power/space at home
AWS Free Tier	$0	$0 (12 months)	Free to start	Complex pricing after free tier
Raspberry Pi	~$35-70	~$1.2 (electricity)	Ultra cheap, fun project	Slow, limited performance

Why VPS Might Be Better Than a Mac Mini

Cost — $3.5/month vs $599 upfront. That's 2-4 years of hosting before you break even.
Location — Choose data centers near you or your users for lower latency.
Scalability — Need more RAM? Upgrade in clicks. No new hardware purchase.
Reliability — Professional data centers with 99.9%+ uptime, backups, monitoring.
Separation — Keep your AI assistant separate from your personal machine. No noise, no heat.

When a Mac Mini Actually Makes Sense

There ARE legitimate reasons to choose a Mac Mini:

You want local-only operation (no internet dependency)
You need maximum performance for local LLMs
You already have Apple devices and want ecosystem integration
You value privacy and want physical control of your data
You're doing GPU-heavy workloads that benefit from Apple silicon

But for most people? A $5 VPS or old computer is more than enough.

Quick Start: Choose Your Path

For beginners: Start with Railway or Render's one-click deploy. You'll be running in 5 minutes.

For developers: Use Docker or Ansible for reproducible deployments.

For tinkerers: Grab an old computer or Raspberry Pi and have fun with it.

For production: Hetzner or DigitalOcean VPS for reliability and performance.

The Bottom Line

The Clawdbot hype is real, and it's an incredible tool. But don't let FOMO drive you into buying hardware you don't need.

Start with what you have. Try a $5 VPS. Dust off that old laptop. Join the community on Discord and learn from others who are running it on everything from Raspberry Pis to cloud instances.

The future of personal AI isn't about buying the most expensive hardware — it's about having an assistant that's always there, remembers everything, and actually helps you get things done.

And that assistant can run anywhere.

Resources

Official Clawdbot Documentation: https://docs.clawd.bot
Clawdbot GitHub: https://github.com/clawdbot/clawdbot
Community Discord: https://discord.com/invite/clawd
Nader Dabit's DigitalOcean Guide: https://gist.github.com/dabit3/42cce744beaa6a0d47d6a6783e443636
Best VPS Providers Guide: https://onnetpulse.co.ke/best-platforms-to-host-clawdbot

Want to see more practical guides like this? Follow me for real-world developer content that saves you time and money.

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.

I Built a Faster PWA Icon Generator in a Weekend

Sivaram — Mon, 26 Jan 2026 03:37:10 +0000

TL;DR

I built pwa-icons — a fast, interactive CLI that generates all the icons you need for iOS, Android, Windows 11, and favicons from a single image.

npx pwa-icons

118 icons in ~0.7 seconds. No Chromium. No Puppeteer. Just Sharp and good vibes.

The Problem

Every time I start a new PWA project, I dread the icon generation step.

You need:

26 iOS icons (16px to 1024px)
6 Android icons (48px to 512px)
80+ Windows 11 icons (tiles, splash screens, variants)
Favicons (ICO, PNG, apple-touch-icon)

That's 118 images from one logo.

I used to go to PWABuilder's Image Generator, upload my image, wait, download the ZIP, extract it... every. single. time.

There's also an npm package called pwa-asset-generator — but it uses Puppeteer and Chromium. That means:

~200MB Chromium download on first run
Spawning a browser process for each generation
Slower than it needs to be

I wanted something fast, lightweight, and interactive.

The Solution: pwa-icons

I built pwa-icons over a weekend. Here's what makes it different:

1. Fast — Really Fast

118 icons in ~0.7 seconds.

How? I use Sharp instead of Puppeteer. Sharp is built on libvips — a native C library that processes images in streaming chunks, not full-image buffers.

No browser. No overhead. Just raw image processing.

2. Beautiful Interactive CLI

I hate remembering flags. So I made pwa-icons fully interactive using @clack/prompts.

Just run:

npx pwa-icons

And it walks you through everything:

3. Smart Edge Detection

Most icon generators ask you to pick a background color. But what if your logo already has a background?

pwa-icons samples 1px from all four edges of your image and calculates the average color. This creates backgrounds that naturally extend your image.

4. Multiple Output Formats

PNG is great, but WebP is 8x smaller. AVIF is even smaller.

pwa-icons supports:

Format	Transparency	Best For
PNG	✅	Maximum compatibility
WebP	✅	Modern browsers, ~8x smaller
AVIF	✅	Next-gen, smallest files
JPEG	❌	Universal support

5. Optimization Levels

Choose how aggressively to compress:

None — Maximum quality
Light — Good balance (default)
Heavy — Smallest files

6. Favicon Generation

Generates everything you need:

favicon/
├── favicon.ico         # Multi-size (16, 32, 48)
├── favicon-16x16.png
├── favicon-32x32.png
├── favicon-48x48.png
├── favicon-192x192.png
└── apple-touch-icon.png  # 180x180

How It Works

Installation

# Use directly (no install)
npx pwa-icons

# Or install globally
npm install -g pwa-icons
pwa-icons

Interactive Mode

Just run it and answer the prompts:

npx pwa-icons

CLI Mode

For CI/CD or scripting:

npx pwa-icons \
  -i logo.png \
  -o ./icons \
  -p ios,android,favicon \
  -f webp \
  --optimization light \
  -y

Output Structure

AppImages/
├── ios/
│   ├── 16.png ... 1024.png     # 26 icons
├── android/
│   └── android-launchericon-*.png  # 6 icons
├── windows11/
│   └── *.png                   # 80 icons
├── favicon/
│   └── favicon.ico, *.png      # 6 files
└── icons.json                  # Ready for manifest.json

The icons.json is ready to paste into your PWA manifest:

{
  "icons": [
    { "src": "ios/512.png", "sizes": "512x512" },
    { "src": "android/android-launchericon-192-192.png", "sizes": "192x192" },
    { "src": "favicon/favicon.ico", "sizes": "16x16 32x32 48x48" }
  ]
}

The Tech Stack

Package	Why
Sharp	libvips-powered image processing
@clack/prompts	Beautiful terminal prompts
Commander	CLI argument parsing
p-limit	Concurrency control (10 parallel ops)
png-to-ico	Multi-size ICO generation

Built with Bun, works with Node.js 18+.

Test Coverage

I take testing seriously. The codebase has:

Metric	Coverage
Functions	100%
Lines	99.33%
Tests	92

Run bun test --coverage to verify.

Comparison with Alternatives

Feature	pwa-icons	pwa-asset-generator
Engine	Sharp (libvips)	Puppeteer (Chromium)
Package size	10 KB	183 KB + Chromium
Speed	~0.7s for 118 icons	Slower
Interactive CLI	✅	❌
Output formats	PNG, WebP, AVIF, JPEG	PNG only
Optimization	3 levels	None
Edge detection	✅	❌
iOS splash screens	❌	✅
HTML/CSS input	❌	✅

If you need iOS device-specific splash screens or HTML/CSS rendering, check out pwa-asset-generator. It uses Puppeteer for a reason — browser rendering.

For everything else, pwa-icons is faster and lighter.

Try It Now

npx pwa-icons

Links:

npm: npmjs.com/package/pwa-icons
GitHub: github.com/SivaramPg/pwa-icons

Star it if you find it useful! ⭐

What's Next?

I built this as part of my personal toolkit for freelance/consulting work. Some ideas for future versions:

[ ] Maskable icon support
[ ] iOS splash screen generation
[ ] Watch mode for development
[ ] Config file support (.pwaiconsrc)

Got feature requests? Open an issue!

Thanks for reading! If you found this useful, follow me for more developer tools and tips.

👋 About the Author

If you made it this far, you probably care about shipping fast without breaking things.

I build AI x Crypto MVPs for startups who need to go from idea to working product in weeks, not months.

What I do:

Let's talk:
🐦 Twitter: @SivaramPg
📦 GitHub: github.com/SivaramPg
🌐 Portfolio: sivaramp.com
📧 Email: [dev.sivaramp@gmail.com]

P.S. If you're building something weird in AI or crypto and want to bounce ideas, my DMs are open. No pitch, just nerding out.