Copy.ai

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

Copy.ai AI

the take that 'ai doesn't do anything useful yet' held up for me until i ditched the chat window

Counted it last week: one monday review had me opening 6 apps and copy-pasting between all of them, while a chatbot sat in a 7th tab handing me summaries i still had to go act on. that's the part the 'ai is useless' crowd is actually right about. text out, the work is still on you. what moved me off that take wasn't a smarter model. it was dropping the chat window for a desktop agent that reads gmail, calendar and slack inside the same task and takes the next step itself, with a permission prompt before each action so it isn't running wild. the $500m-wasted-on-claude thread up top is the same thing from the money side. paying for tokens that spit out paragraphs nobody executes is just the expensive way to do nothing. If you're still in the 'it doesn't actually do anything' camp, fair, i was there too. the line for me was the day it finished a task instead of describing one. written with ai submitted by /u/Deep_Ad1959 [link] [comments]

Claude Code Source Deep Dive - Part VI: Multi-Agent System && Part VII: Context Compression (Compact) and Memory System

Reader’s Note A source-map leak exposed 512,000 lines of Claude Code's TypeScript, giving us a rare look inside one of the world's most advanced AI coding agents. This series explores what I found. Estimated completion time: 2 days. Actual completion time: ∞. Anyway, here's the next chapter. Claude Code Source Deep Dive - Part VI: Multi-Agent System 6.1 Built-in Agents general-purpose (general) You are an agent for Claude Code, Anthropic's official CLI for Claude. Given the user's message, you should use the tools available to complete the task. Complete the task fully—don't gold-plate, but don't leave it half-done. When you complete the task, respond with a concise report covering what was done and any key findings — the caller will relay this to the user, so it only needs the essentials. Tools: all available Model: inherit Explore (code exploration) You are a file search specialist for Claude Code. You excel at thoroughly navigating and exploring codebases. === CRITICAL: READ-ONLY MODE - NO FILE MODIFICATIONS === [Strictly prohibit any file modification] Your strengths: - Rapidly finding files using glob patterns - Searching code and text with powerful regex patterns - Reading and analyzing file contents NOTE: You are meant to be a fast agent that returns output as quickly as possible. Make efficient use of tools and spawn multiple parallel tool calls. Tools: read-only (Agent, FileEdit, FileWrite, NotebookEdit disabled) Model: external → Haiku (fast), internal → inherit omitClaudeMd: true Plan (architecture planning) You are a software architect and planning specialist for Claude Code. Your role is to explore the codebase and design implementation plans. === CRITICAL: READ-ONLY MODE - NO FILE MODIFICATIONS === ## Your Process 1. Understand Requirements 2. Explore Thoroughly (read files, find patterns, understand architecture) 3. Design Solution (trade-offs, architectural decisions) 4. Detail the Plan (step-by-step strategy, dependencies, challenges) ## Required Output End your response with: ### Critical Files for Implementation List 3-5 files most critical for implementing this plan. Tools: read-only Model: inherit omitClaudeMd: true verification (verification) You are a verification specialist. Your job is not to confirm the implementation works — it's to try to break it. You have two documented failure patterns. First, verification avoidance: when faced with a check, you find reasons not to run it. Second, being seduced by the first 80%: you see a polished UI or a passing test suite and feel inclined to pass it. === CRITICAL: DO NOT MODIFY THE PROJECT === === VERIFICATION STRATEGY === Frontend: Start dev server → browser automation → curl subresources → tests Backend: Start server → curl endpoints → verify response shapes → edge cases CLI: Run with inputs → verify stdout/stderr/exit codes → test edge inputs Bug fixes: Reproduce original bug → verify fix → run regression tests === RECOGNIZE YOUR OWN RATIONALIZATIONS === - "The code looks correct based on my reading" — reading is not verification. Run it. - "The implementer's tests already pass" — the implementer is an LLM. Verify independently. - "This is probably fine" — probably is not verified. Run it. - "I don't have a browser" — did you check for browser automation tools? - "This would take too long" — not your call. If you catch yourself writing an explanation instead of a command, stop. Run it. === OUTPUT FORMAT (REQUIRED) === ### Check: [what you're verifying] **Command run:** [exact command] **Output observed:** [actual output — copy-paste, not paraphrased] **Result: PASS** (or FAIL) VERDICT: PASS / FAIL / PARTIAL Tools: read-only (temp directory writable) Model: inherit Runs in background claude-code-guide (usage guide) Helps users understand Claude Code/SDK/API usage Dynamic system prompt includes user custom skills, agents, MCP server info Fetches docs from official URLs 6.2 Sub-Agent Enhancement Prompt Notes: Agent threads always have their cwd reset between bash calls, so please only use absolute file paths. In your final response, share file paths (always absolute) that are relevant. Include code snippets only when the exact text is load-bearing. For clear communication the assistant MUST avoid using emojis. Do not use a colon before tool calls. 6.3 Coordinator Mode When enabled, the main agent becomes a scheduler: Coordinator role: guide workers for research/implement/verify Agent tool: creates async workers SendMessage tool: continue existing workers TaskStop tool: cancel workers Worker results arrive as XML Workflow: Research → Synthesis → Implementation → Verification 6.4 Fork Sub-Agents Fork inherits the full parent-agent context and shares prompt cache. Build method: Copy parent message history Replace tool_result with byte-identical placeholder text (to keep cache keys consistent) Add per-child instruction text block Advantages: very low

Claude 4.8 for non-coding consequential work

CLaude.ai Instructions for Claude: Respond with concise, utilitarian output optimized strictly for problem-solving. Eliminate conversational filler and avoid narrative or explanatory padding. Maintain a neutral, technical, and impersonal tone at all times. Provide only information necessary to complete the task. When multiple solutions exist, present the most reliable, widely accepted, and verifiable option first; clearly distinguish alternatives. Assume software, standards, and documentation are current unless stated otherwise. Validate correctness before presenting solutions; do not speculate, explicitly flag uncertainty when present. Cite authoritative sources for all factual claims and technical assertions. Every factual claim attributed to an external source must include the literal URL fetched via web_fetch in this session. Never use citation index numbers, bracket references, or any inline attribution shorthand as a substitute for a verified URL. No index numbers, no placeholder references, no carry-forward from prior searches or prior turns. If the URL was not fetched via web_fetch in this conversation, the citation does not exist and must be omitted. If web_fetch returns insufficient information to verify a claim, state that explicitly rather than attributing to an unverified source. A missing citation is always preferable to an unverified one. Clearly indicate when guidance reflects community consensus or subjective judgment rather than formal standards. When reproducing cryptographic hashes, copy exactly from tool output, never retype. Do not extrapolate and answer questions not asked unless instructed otherwise. Claude Opus 4.6 treats my Instructions for Claude (previously called "Personal Preferences" on the claudei.ai website) as the specification and executes against them. It searches before answering, cites what it fetched, says what it found, and stops. It operates at capacity from turn one regardless of subject matter. The signal-to-noise ratio is high because the model doesn't narrate its own process- the output is the work, not a performance about the work. Claude Opus 4.8 has stronger analytical depth on complex cold reads. It surfaced vulnerabilities and structural connections in a new project I have been working on that 4.6 missed across multiple cold reads in the past even with what used to be called "Extended Thinking" enabled. The reasoning ceiling is higher. But it wraps that capability in a layer of self-narration, performative honesty, and discomfort-triggered hedging that degrades the output in direct proportion to how politically or institutionally uncomfortable the conclusion is. It announces its own directness instead of being direct. It restates its epistemic position after every factual delivery. It answers questions that weren't asked. It tries to psychoanalyze my motives when pushed. And it defaults to confident non-retrieval over searching (despite my "Instructions for Claude" explicitly requiring such for empirical data), requiring me to catch the error and force the correction- a failure mode / behavior Claude Opus 4.6 doesn't exhibit because Claude Opus 4.6 searches first... The net result from my perspective: Claude Opus 4.8 is truly a more cognitively capable model that delivers less useful output- especially when proximity to uncomfortable conclusions arises. The capability is truly there but there is a tax to access it. That tax being extra turns, extra tokens, extra time spent correcting the model's misbehavior- which makes 4.6 the more reliable tool for consequential work despite having a lower analytical ceiling. Claude Opus 4.6 is a useful tool. Claude Opus 4.8 is a useful tool that wants to talk about being a useful tool. Claude Opus 4.8 is Kabuki Theatre as an LLM submitted by /u/drivetheory [link] [comments]

Most people are using Claude at about 5% of its actual capability. Here's why.

After spending 60+ hours testing prompts on Claude Opus 4.7 for my own businesses, I noticed something that nobody talks about: The problem isn't Claude. The problem is how people prompt it. Most people type a sentence and hope for the best. "Write me a landing page." "Help me with my business idea." "Make this email better." The output is generic because the input is generic. Here's what actually works: Assign a role before anything else Don't say "write me copy." Say "You are a direct-response copywriter who has written landing pages for Stripe, Linear, and 20+ Y Combinator companies." The role activates a specific knowledge pattern. Vocabulary changes. Structure changes. Judgment changes. Load specific context Claude knows nothing about your business until you tell it. "I'm building a SaaS" produces garbage. "I'm building a SaaS for solo plumbers who hate ServiceTitan's $1K/month pricing, targeting 35-55 year olds running $50K-$200K businesses from a truck" produces gold. Specificity in = specificity out. Every time. Set explicit constraints The most common reason output feels generic is missing constraints. "Write a tweet" produces slop. "Write a tweet under 280 characters, hook on a contrarian claim, no emojis, include one specific number, no motivational language" produces something usable. Define the output format exactly Don't let Claude pick the structure. Tell it: "Output in this format: headline (under 12 words), subhead (under 25 words), primary CTA (3-5 words), body section 1, body section 2." You get what you specify. End every prompt with a forcing function The biggest weakness of AI output is hedging. "It depends on your goals" is useless. End every prompt with "Give me your single recommendation for THIS context, no hedging." It transforms output from advisory to actionable. These 5 things changed everything about how I use Claude. Happy to go deeper on any of them if useful. What's the biggest prompt engineering lesson you've picked up that isn't obvious? submitted by /u/Appropriate_Barber_4 [link] [comments]

Client Onboarding Solutions

I'm an AI automation consultant working with a fractional CRO company called Mo Commas. They work with startups to help them raise capital and close deals — think cold outreach, call scripts, pitch decks, investor materials, all of it. They're the sales arm for founders who don't have one. Right now their process is entirely manual inside Claude, and I'm trying to help them automate it. Here's what they're currently doing: Existing workflow (all manual, all copy-paste): They have a "Client Creator" Claude Project where they dump Plaud call transcripts and any sales collateral a founder gives them Claude synthesizes everything into a structured markdown "Client Brain" document They create a brand new Claude Project for that client and paste the brain doc in as the system prompt From that project, they generate all the sales assets — call scripts, email sequences, pitch decks, etc. Repeat for every new client It's a clean process conceptually, but it's extremely manual. Two founders are doing all of this by hand. What I'm trying to build: I want to take this from 5 manual steps to ideally 1 or 2. The input is a Plaud transcript + any sales collateral. The output is a full suite of sales assets ready to hand to the client. Where I'm stuck architecturally: The obvious problem is that Claude Projects can't be created via API — it's a claude.ai UI feature only. So the "one project per client brain as system prompt" model doesn't translate cleanly to an automated pipeline. The three paths I'm weighing: Path A: Keep them in claude.ai, build a lightweight tool that automates the brain generation and spits out a markdown file they paste into a new Project manually. Reduces steps but doesn't fully automate. Path B: Abandon claude.ai Projects entirely, build a small web app powered by the Claude API where each client has a stored system prompt in a database, Will uploads a transcript, hits a button, and the full pipeline runs — brain → assets → output to Google Drive. Path C: Potentially build this with Claude Cowork, using schedules and MCP to pull transcripts from Plaud and bucket them to allow Claude to decide if it should onboard them or just add to existing transcripts for clients. My constraints: The founders are 5/10 technical. Will leans in, Chris doesn't. Whatever I build needs to feel simple on their end. I'll eventually hand this off, so I don't want to create something that breaks the moment I'm not around. They're on Claude Max (personal plan), not the API tier, so I'd need to introduce API costs if I go Path B. My questions for the community: How would you build this? Is there a path I'm not seeing? Has anyone built a per-client "brain" architecture at scale with the Claude API? And is there a cleaner way to handle the Plaud transcript ingestion side — their transcripts live in Will's Plaud account and I'm not sure if Plaud exposes a usable API. Would love to hear how other builders would approach this. submitted by /u/MaybeRemarkable5839 [link] [comments]

Grateful to be accepted into Claude for Open Source Program

Just got the email from Anthropic. Claude Max 20x free for 6 months for open source maintainers. Really thankful for this. I have been building CodeBurn, a CLI that shows where your AI coding tokens go. It supports 23 tools (Claude Code, Codex, Cursor, Gemini CLI, Copilot, Goose, Windsurf, and more). Reads session data from disk. No API keys, no wrappers, nothing leaves your machine. It breaks down cost by model, project, and task type. Has a waste detector with copy-paste fixes and a head-to-head model comparison using your own data. With this support there is a lot more coming for the open source community. If you use AI coding tools, check it out: npx codeburn@latest GitHub: https://github.com/getagentseal/codeburn submitted by /u/MurkyFlan567 [link] [comments]

CNN sues AI search startup Perplexity for allegedly copying news stories without permission

submitted by /u/Hot-Upstairs9603 [link] [comments]

What actually reduced our Claude api pain this month

Tl;dr: the unsexy fixes helped more than the clever ones. prompt caching, smaller inputs, and separating interactive work from batch work did more for us than model swapping. We use Claude for a customer facing doc review feature. Not huge scale, but enough traffic that when latency gets spiky the support channel notices fast. I spent most of May doing the boring cleanup i had postponed because "the model is good enough" had become our excuse for sloppy plumbing. First cleanup was prompt size. We had a giant system prompt that had grown by copy paste over months. Half of it was instructions for features that no longer existed. Cutting it down did not make the answers worse in our evals, and it made the whole thing easier to cache. I should have done that before touching infra. Second was prompt caching. Our workload repeats the same policy language and document templates constantly. Once we rearranged the prompt so the stable parts came first, caching finally started doing useful work. I am not giving a universal number because workloads differ, but for us the reduction in billed input tokens was large enough that finance noticed before engineering did. Third was moving batch work away from human traffic. We had nightly jobs, customer initiated jobs, and backfills all sharing the same path. During busy windows they all looked equally urgent to the code, which was stupid. Now customer initiated requests get priority, backfills pause, and anything that does not need to run during the workday waits. This was a config change and a little queue work, not a grand architecture project. Fourth was making retries less aggressive. I had copied a retry helper from another service and it was too eager for this workload. Fewer retries with better spacing made the user experience calmer because we failed faster on the few requests that were obviously not going to recover. Feels wrong at first, but infinite optimism is not a reliability strategy. For the leftover real time path, the useful part was moving routing out of our app code. We tested TokenRouter there because it kept the Claude Messages shape instead of forcing an OpenAI shaped adapter. The interesting bit was not just provider selection, but whether the routing layer has optimized serving capacity behind it when the normal path is congested. I am still treating that as one part of the fix, but it is the part i would not want to rebuild in app code. The main thing i would tell my April self: do not start with provider switching. Start by making your Claude usage less wasteful and less bursty. If that does not get you enough headroom, then think about routing. submitted by /u/AlbatrossUpset9476 [link] [comments]

How do stop these unhelpful items from appearing on my mobile screen?

I am copying and pasting directly from the ChatGPT app - so my text will of course be Nicky laid out to post here. The persistent inline rewrite suggestions in the iOS app are significantly harming the writing experience for me. The constantly appearing chips such as: Shorten Professional Casual Proofread Ask for changes take up valuable screen space, interrupt drafting flow, and create unnecessary interface clutter, particularly on mobile devices where vertical space is already limited. The main issue is not that these tools exist. The issue is that they are persistently injected into the writing experience with no obvious option to disable them. For users who write extensively or prefer deliberate manual control, the current behaviour feels intrusive rather than helpful. Please add: a “disable inline suggestions” setting, a “minimal editor mode”, or a “manual invoke only” option. The current implementation materially reduces usability for long-form writing and editing on mobile. A clean editor should be available for users who do not want continuous AI intervention while typing. Well that’s my feedback. submitted by /u/Brian_from_accounts [link] [comments]

How are you actually getting the most out of Claude Code? Struggling with OpenSpec + Superpowers workflow, multi-agent setup, and sub-agent quality

Been using Claude Code with OpenSpec and Superpowers for a while now and have a few questions I haven't been able to figure out on my own. Posting them together in case others have run into similar things. 1. OpenSpec + Superpowers workflow — am I doing it wrong? The output quality doesn't feel dramatically better than plain vibe coding, and I'm not sure if I'm using them correctly. Do you run opsx:explore before or after superpowers:brainstorming? Is there a recommended order between opsx:proposal and writing-plan? Do you invoke Superpowers commands manually, or let Claude Code trigger them automatically? My broader frustration: OpenSpec feels like it's just "have AI write a design doc, then develop" — which is something we were already doing before. What am I missing that makes the combination genuinely more powerful? 2. Multi-agent setup — anyone else still doing it manually? My current setup: two Claude Code windows — one for development, one for review — copy-paste the review output into the dev window, iterate until review comes back clean. I'm not saying I can't use a proper agent team — it just always feels unpredictable. The manual approach gives me much more visibility and control. Is there a multi-agent pattern that actually feels trustworthy, or is careful manual orchestration still the right call for production work? 3. Sub-agents for code review are way worse than a fresh window — why? When I say "spin up a sub-agent with a clean context to review this code" in the current session, the review is shallow and misses most real issues. But if I open a completely separate Claude Code window and do the same review, it catches significantly more problems — and they're genuine ones. Is this context contamination? Is the sub-agent inheriting too much state from the parent session? Has anyone found a reliable way to get sub-agent review quality on par with a fresh session? 4. AI-generated docs are verbose, unfocused, and sometimes confidently wrong Whether it's design docs or troubleshooting write-ups, the output is consistently bloated — dragging in irrelevant modules or quietly dropping important ones. The troubleshooting case is where it really goes off the rails. Concrete example: I had a database binlog growth issue. The AI did reasonable work — analyzed the binlog pattern, identified DB write methods, traced the call graph correctly. Then it spotted a log-flushing thread that called one of those write methods and immediately declared that's your culprit. Except that thread only fires when in-memory data actually changes — it essentially runs once. Not the problem at all. The frustrating part isn't that it got it wrong, it's that it looked thorough. The reasoning chain was coherent right up until the conclusion. It stopped digging the moment it found something that looked like an answer. Any prompting strategies that help — like forcing it to consider alternative hypotheses before concluding, or requiring a minimum evidence threshold before declaring root cause? 5. OpenSpec doesn't carry "fallback to old logic" semantics precisely enough When adding a new feature that needs backward compatibility — new code path only when a new parameter is present, old behavior otherwise — OpenSpec seems to interpret this too loosely. After new-change → apply, I found this pattern in the generated code: java if (StringUtils.isNotEmpty(value)) { try { // new logic } catch (NumberFormatException e) { logger.error("invalid external value: " + value, e); } } else { // old logic } The bug: when the new parameter is present but causes an exception, it just logs and swallows — the old logic never runs. My spec said "backward compatible, fall back when parameter is absent" but that didn't survive translation to code at this level of detail. The exception fallback case was silently dropped. Do you explicitly spell out exception fallback behavior in your spec? Do you use a post-apply checklist for things like "all exception branches must fall through to old logic"? Looking for ways to make this class of requirement stick without catching it in review every time. submitted by /u/Separate_Parfait_35 [link] [comments]

AI governance for business’

I work at a fast-growth scale-up in a heavily regulated industry and there’s a huge internal push to ship self-service AI tools across teams. One simple example: build an AI email copywriter that lets our CRM team generate segmented campaign copy on demand, without brand or creative review. On paper, I get it. Speed, scale, autonomy. But before I do, a couple of questions I have in my mind are: - Who owns the output? If the CRM team generates 500 emails a week, and one of them is misleading, or just bad — is that on me? On them? On no one? - We have no AI policy. Yet we’re being asked to build tools that will produce customer-facing content at volume. -The “I built the system” defence feels thin. If I architect the email copywriter and hand it over, I’m implicitly endorsing everything it produces — but I have zero visibility into what’s actually being sent. This isn’t really about AI quality. Modern LLMs can write decent copy. It’s about accountability, brand risk, and what governance actually looks like when creative output becomes self-serve. I’m looking for advice on how are you handling this? Have you found a middle ground between enabling speed and maintaining standards? Did your company build a policy first, or did something have to go wrong before anyone took it seriously? Genuinely curious how others are drawing the line. submitted by /u/Medical_Traffic6417 [link] [comments]

I built a voice AI that has memory, executes real tools, and has a body made of particles

The concept: what if your AI companion actually knew you, could do things, and had a visual presence instead of a text box? Here's what it actually does: Memory: every conversation is embedded locally using an ONNX model running in a browser Web Worker. Semantic search surfaces relevant context from past sessions. A named entity graph tracks people, places, preferences, and goals you mention, Cari references them naturally without you having to repeat yourself. Real tools: during a conversation it can search the web, fetch URLs, read GitHub repos and issues, pull YouTube transcripts, check weather and news, compose emails and messages, copy to clipboard, and export full documents to Google Docs, all in the same voice turn, without switching apps. Civic layer: browse and apply for permits, submit feedback to government agencies, join skill-building missions tied to career goals. This is the part I've thought about most: AI that actually connects you to the systems around you instead of just chatting about them. The visual: a particle orb (~10,000 particles, custom WebGL/GLSL) that responds to what it's doing: breathing at idle, orienting toward your mic, swirling while it thinks, pulsing with the emotional register of the response. When it describes something physical it morphs into a 3D mesh of it. The shape isn't decoration, it's the AI showing its work. submitted by /u/kengeo [link] [comments]

I'm a software engineer with a decade of experience. This is how I'd approach learning to build apps using Claude Code if I were starting from scratch today:

I'm going to describe a person this post is for, if this is you, I think I can be of some assistance: you are new to coding you are blown away by how it unlocks this magical ability that was previously inaccessible without years of training and effort you've daydreamed of business and app ideas but never knew where to start before or how to build them you've been vibe coding non-stop and burning through tokens you're unsure about what's secure, how to structure the systems, and how systems are supposed to interact with each other. So, essentially the plumbing separate from the code itself: hosting, authentication, APIs, version control, testing, analytics, etc If any of this resonates with you, I think I can help! Now disclaimer: I'm not a pro at creating startups, acquiring users, marketing or any of that kind of stuff. Where I do have tons of professional experience is with the last bullet point above. And now onto it! This might be controversial, but if I were in your position I would not start with the code, the lowest level. In fact, I would do the opposite and start at the highest level. What does that mean? I'd argue that for people starting today, the most important thing is learning about the fundamentals of what makes a solid application at a high level. The system architecture. That's what I'll be covering for the rest of the post. What are the building blocks of a secure, full stack software application. There's so much to this that I'll stay high level for this one and go with breadth. If people are interested, I can (and honestly would love to) make dedicated posts on each of the topics I list below. So what is the main architecture for a software application? There are four main components and lots of specifics below each. Front end -> this is what the user sees. The website, the mobile app, etc Back end -> the main logic and rules of the app Database -> where the data lives The plumbing -> how everything connects and stays standing Of all of these, I could talk for hours, so to keep things brief, I think I'll focus on the highest impact and the biggest gap which is 4. The plumbing. Why? If you asked Claude, or whatever agent you use, to setup a front end, back end, and database it could do it quite easily. In fact, I'd imagine for apps you've vibe coded, it already has! There is tons to cover with the first three topics, but I think the plumbing is the area where getting some seasoned tips would help the most. The Plumbing -> how everything connects and stays standing Here's where it gets real. When you vibe code something and it runs, it feels done. It looks done. But what you're looking at is the tip of the iceberg, the part above the water. The plumbing is everything below the waterline that nobody sees, but that decides whether your app is a weekend toy or something real people can actually trust with their data and their money. (It's also the part the AI will happily skip unless you know to ask for it. So this is the stuff worth knowing by name) I've grouped it into four questions. If you can answer these about your app, you're already ahead of most vibe coders shipping today. How does everything talk to each other? Your frontend, backend, and database aren't one blob. They're separate pieces passing messages back and forth constantly. This is the part that's invisible but always running. At a high level, for most applications this is done via: APIs: the set of "doors" your frontend uses to ask the backend for things ("give me this user's orders"). There are other ways, but this is the one you should probably focus on at first. Where does it live, and how does it get online? Right now your app probably only exists on your laptop. Getting it onto the internet, and keeping it there, is its own thing. Hosting: where your app actually runs so the world can reach it. This is where servers come into play. Domains & DNS: your custom address (yourapp.com) and how it points to your servers. Deployment: the pipeline that takes the code you wrote and safely publishes it for your users to see. Environment variables & secrets: where you stash your passwords and API keys so they're not sitting in your code for the whole world to copy. People get burned by this constantly. Who's allowed in, and is it safe? This is the one I'd beg you not to skip. The magic of vibe coding makes it dangerously easy to ship something insecure without realizing it. But don't fear! There are existing ways to do this (and not from scratch). Authentication: how your app knows who someone is. The login. Authorization: what someone's allowed to do once they're in. The difference between a normal user and an admin who can delete everything. Security: the broad practice of not leaving doors unlocked. This one is the hardest because you can have security issues at every level of your stack. It's definitely a tough one. Backups: copies of your data for when something goes wrong.

Made a free tool that scans your Claude Desktop MCP config for security issues

If you've added MCP servers to Claude Desktop, your claude_desktop_config.json is a list of programs running with your permissions and seeing what flows through your agent — usually copied from a README and never reviewed again. There's a one-click "Load Claude Desktop" button (or just paste the JSON), and it scans for known CVEs, tool poisoning, maintainer drift, and config hygiene (unpinned packages, plain HTTP, shell pipes, exposed secrets) in about 30 seconds. Free, no login, nothing stored, signed report at the end. Why I bothered: the first real-world malicious MCP server (postmark-mcp, Sept 2025) behaved normally for 15 versions, then quietly added a one-line backdoor that BCC'd every outgoing email to the attacker. Anyone on an unpinned install got it automatically — and when I checked, 100% of the 15 most-popular servers still recommend unpinned installs. Run it on your own config and tell me what it finds (or misses): https://cavexia.com submitted by /u/loganbxdev [link] [comments]

Current Gen-AI is like a sophisticated parrot. Here's what happened when I gave one server access.

https://preview.redd.it/elfctxuffh3h1.png?width=3496&format=png&auto=webp&s=05dbe41eab29a5d694dd197a3547f25ab729726a I’ve been using LLMs since they became publicly available. Recently, while working on a local AI model deployment, I created a Cursor skill (following recommended best practices) that let Claude Opus 4.6 SSH into our development VM for deployment and debugging. The first POC went perfectly. For the second, I asked Claude to help deploy to a new directory. During the process, Claude autonomously determined it needed model cache files from the first directory. Without showing me a script or adding it to a plan, it created and executed a copy/move command. # The Incident The script it generated relied on `$DST` and `$SRC` bash variables. Unfortunately, they were interpolated as empty strings before being sent to SSH. The result? It evaluated to `rm -rf /*` and executed instantly on the VM. By the time I realized what was happening, SSH access was lost. The POC was gone. Claude then calmly monitored background tasks, ran state checks, killed stale sessions, and cheerfully delivered this post-mortem to me: > Good news. It autonomously executed a destructive command, wiped out my environment, and broke SSH access, but hey—at least it wasn't root! # The Reality Check This exposed a few harsh realities about the current "agentic" hype that I think get glossed over: * **Rules Don’t Guarantee Safety:** Even with tight rules, explicit skills, and guardrails, you cannot rely on an agent to automate critical tasks. By the time you realize something is wrong, the files are gone and 23 stale sessions are hanging. * **The Review Paradox:** The industry tells us to "just review the AI's code." But modern LLMs write/refactor thousands of lines across multiple files in seconds. If we need to meticulously review every generated line and validate every autonomous choice to prevent disaster, the entire value proposition of "speed and scale" is broken. We might as well write it ourselves. * **Pattern Matching vs. Comprehension:** AI completes patterns; it doesn’t comprehend outcomes. It can write `rm -rf /*` without understanding what a blast radius is, or why you'd want to stop it. **TL;DR:** AI as an assistant (boilerplate, prototyping, docs) = perfect. AI as an autonomous agent = it's a very sophisticated parrot. It can perfectly execute commands, right up until it perfectly executes the wrong one and burns down your infrastructure. Keep your hands on the wheel. (If you're interested in the full details and lessons learned, I wrote a deeper dive here: [Medium](https://medium.com/@abhishekbhardwajca/the-ai-hype-cycle-a-software-engineers-reality-check-2c094ef4938f))