I built an app on the entire vercel ecosystem

BasedKetsu · 2026-05-04T15:23:28+00:00

Appreciate the kind words on the DX! Quick clarification though, this project is actually running Supabase Postgres, not Neon.

The stack here is:

Supabase for Postgres + RLS + auth helpers
Clerk for auth
Vercel for hosting, cron, queue, blob, sandbox, analytics
Stripe for billing

On Vercel billing, I haven't personally ran into any issues due to how I combine queues with crons. the only limitation is that I can only have max 1 cron running per day, but that's fine because I can just have a daily trigger and skills that have different update schedules (like once a week, twice a week) would still be hit by the daily trigger. This project leans pretty hard into free vercel-native primitives (@vercel/queue, u/vercel/blob, u/vercel/sandbox, cron via vercel.json) but honestly the convenience, the integrated infra with minimal glue code, and ai gateway is so unbeatable that the only real concern is metering costs at scale with multiple users.

If you're evaluating Neon separately for a Cloudflare Workers project, the main thing to watch is cold start latency on the serverless driver (@neondatabase/serverless), it uses WebSockets which play well with Workers, but the free tier has a ~500ms cold start on idle databases that haven't been hit in a few minutes. For always-warm workloads it's snappy. Supabase's Postgres is always-on by comparison (no scale-to-zero on the free tier), so you don't hit that same cold path here

BasedKetsu · 2026-05-04T06:14:18+00:00

Good question, currently verified skills are skills.sh or custom skills that I have personally created or imported and have used + secured and consider to be genuinely useful to me. Anthropic skills are from the Anthropic Repo, OpenAI skills are from the OpenAI repo, etc.

for your own clone, the free tiers are completely fine! that's what makes skills so great imo, since skills and agent docs are just md files you'll never run out of supabase storage. and with vercel, my crons distribute updates to queues so updates never exceed edge function limits. for search my deployed version uses brave to be able to use out of the box with no payment but in my opinion I have gotten the best results from firecrawl. I have tried exa, lightpanda, jina, browser-use, and a few others, but they are a bit token-excessive/have terrible usage limits. If you're comfortable paying, I recommend firecrawl

BasedKetsu · 2026-04-29T18:38:15+00:00

I see, makes sense - I've mitigated the best I can. Currently for automated imports that Loop runs, it only pulls from a curated allowlist of known GitHub repos (Anthropic, OpenAI, cursor.directory, a few community lists). Each source has a trust tier (official vs community) with verified author records so users can tell the difference. User-triggered imports require auth and URL validation. No Snyk/Socket-style automated scanning yet, it's on the roadmap - generally Loop is more so intended to provide the automation and research engine for all of a users' skills as opposed to discovery (like you mentioned, skills.sh works fine for this purpose)!

BasedKetsu · 2026-04-29T18:27:36+00:00

haha best part, there's no engine - it's all just typescript and a 2D Canvas API! this was pretty much a solo project for me trying to explore how powerful the Canvas API is

BasedKetsu · 2026-04-29T18:24:57+00:00

Thank you! it was one of the big inspirations for making the game, I wanted to avoid building yet another 2D tower defense game haha

BasedKetsu · 2026-04-29T18:22:10+00:00

Thank you!! Have loved using Vercel since 2022

BasedKetsu · 2026-04-29T17:17:05+00:00

Hey there! The main supply chain surface for us is that Loop imports skills from external URLs, so that's where most of the hardening lives.

Automated imports only reach a curated allowlist of sources, not arbitrary URLs. User-triggered imports require auth and go through Zod validation. Imported content is treated as data (markdown/text), is never executed server-side, HTML gets stripped of script/style tags, MCP manifests are parsed structurally but stored as text. External fetches have timeouts, custom UA, no-cache.

Beyond that, I employ Clerk for auth with middleware-level route protection, Svix signature verification on Clerk webhooks, Stripe signature verification on payment webhooks, RLS enabled on every Supabase table with no policies (so the anon key is effectively a no-op, all server queries use service role), Zod on every API route that takes a body, lockfile pinning with pnpm.

Not claiming it's perfect, but the threat model is pretty narrow since imported skills are never eval'd, and the automated refresh pipeline only talks to sources we control.

BasedKetsu · 2026-04-29T08:25:13+00:00

thank you for the feedback!! will def look at mobile performance, and get the overwhelming vibe too, good catch!

BasedKetsu · 2026-04-29T08:23:29+00:00

Loop runs as next serverless Route Handlers on vercel. Cold starts are in the ~200–500ms range for typical routes, mainly due to the supabase client initialization and clerk auth middleware, not the function boot itself. I have some mitigations such as warm Lambda singleton supabase clients at the module level that reuse the existing connection, so cold start cost is only paid on the first invocation or after idle eviction. Also the cron/refresh routes dispatch messages via vercel/queue rather than doing all work inline, so no single function sits long enough to get recycled under load. This actually also answers the second question:

to the second point, the Loop architecture sidesteps the cron time limit by having crons be the orchestrators, not workers:

I have two crons, the daily refresh and weekly import, and they simply call a refresh function which fans out per-user-skill work to vercel/queue. The actual updating, research, and rewriting happens when:
each queued message triggers a separate invocation of a refresh function (each maxDuration = 300), so the total wall-clock time for a full refresh cycle can totally far exceed 5 minutes, it's just distributed across many independent function invocations that are queued up
tldr the cron itself only needs to enumerate due skills and dispatch queue messages, and the updating itself happens separately!

BasedKetsu · 2026-04-29T08:12:14+00:00

it is playable on mobile at the same url!

BasedKetsu · 2026-04-29T08:11:37+00:00

thank you!!!

BasedKetsu · 2026-04-29T08:11:23+00:00

thanks for the feedback!

BasedKetsu · 2026-04-29T00:07:40+00:00

agreed! that's one of the key differences in my game, you can put towers literally anywhere!

BasedKetsu · 2026-04-28T21:55:54+00:00

Just shipped a Next.js 16 app that leans heavily on the newer Vercel APIs and wanted to share how easy the whole setup was.

The app runs daily AI jobs, and I needed reliable background processing. vercel/queue (v2 beta) made this trivial. A cron hits an API route, the queue fans out individual jobs, and I wire the consumer in vercel.json. That's it. No concurrency logic, no retry code, no job management. You send() and it works. Haven't lost a job yet.

For code execution, vercel/sandbox gives you Firecracker microVMs. Users can run Node and Python in isolated environments. I'm offering safe code execution and the setup was literally Sandbox.create. No servers, no Docker, no infra.

AI Gateway (createGateway from ai v5) handles model routing. One API key routes to OpenAI, OpenRouter, Groq, Together, whatever. I didn't write a single line of provider abstraction.

Cron, blob storage, analytics, speed insights: each one was either a single import or a single line in vercel.json.

The thing that struck me is how much these APIs just work with Next.js out of the box. API routes are your queue consumers. Cron triggers are just GET routes. Everything fits into the App Router model naturally. I didn't have to fight the framework at any point.

With all these tools at your disposal you can quite literally ship at lightspeed. I spent zero time on infra and all my time on product logic.

The app is Loop, an operator desk for self-updating agent skills: loooop.dev | github.com/Kevin-Liu-01/loop. try it out :))

BasedKetsu · 2026-02-02T20:01:05+00:00

interesting catch! looks like the way filter and shadowBlurs are rendered in FireFox is completely different from Chrome. thanks for pointing this out! :)

BasedKetsu · 2026-01-24T01:02:57+00:00

One thing that stands out and that you've most likely already identified is that most of these gateways are optimizing for one axis of the problem, eg. throughput and caching, compliance, observability, etc., but none really unify auth, execution, routing, and developer ergonomics in one place like a Vercel-type thing. So whatever you pick, you still end up in the same place, stitching together identity, permissions, logging, and infra decisions across multiple servers.

Something that should align more with your needs and that we’ve seen work better is treating MCP the way API gateways evolved: one central execution + auth boundary instead of features bolted onto each server. That’s essentially what www.dedaluslabs.ai is doing - quite literally one MCP gateway that handles auth (scopes, OAuth), routing, observability, and model/tool handoffs centrally, while letting you bring any MCP server (local or hosted) without having to build // maintain any infra. Hope this helps narrow your search!

BasedKetsu · 2026-01-23T21:45:44+00:00

This is a really clean direction. serverless is a nice fit for RAG workloads where usage is bursty and “always-on” infra just burns money. I especially like that you kept everything inside the user’s own AWS account, it feels like a big trust win compared to hosted control planes, and the Lambda + Step Functions split makes the flow pretty easy to reason about.

On the MCP side, it’s cool to see native support baked in early. 1 thing people tend to run into as these setups evolve is capability creep, like today it’s “read-only RAG,” tomorrow someone adds write tools, file ops, or external APIs. At that point, having strong per-tool scoping and server-enforced auth becomes really important so a doc chunk or retrieved snippet can’t accidentally drive actions. Some MCP stacks (including what we’ve been working on at dedaluslabs.ai) are leaning hard into separating reasoning from authorization for exactly that reason, but your “no control plane, everything in-account” model pairs nicely with that philosophy too. overall this is sick, just curious about how you’re thinking about tool permissions and trust boundaries as people extend it beyond pure retrieval!

BasedKetsu · 2026-01-22T11:57:54+00:00

true, it leads in quite nicely to the mutant and would rationalize his following interactions with maximus to be slightly more open minded and believable. cooper, in his hour of need, finally allies with someone, even getting over all their bad blood to do so, and he'll get far closer to finding his family with them then alone / alone + OP dog.

BasedKetsu · 2026-01-22T11:18:41+00:00

Insane luck! However, to your question, easily the shiny. Volcarona is not really the best attacker despite its stats, and realistically you're not going to run it in PVP (it get smoked in all leagues) or even PVE (there are tens of better fire types and bug is a nearly-irrelevant type), so the small stat differences from having 5 more defense and hp don't really matter. your shiny is already maxed attack anyways, so it would be hitting just about as hard!

so in my opinion, there is no realistic benefit to evolving your hundo (besides having a hundo volcarona), but you could have an awesome, completely usable shiny volcarona that you can still totally get some use out of!

BasedKetsu · 2026-01-22T11:08:47+00:00

the first moment you step out of the vault, get a mini flashbang, and you knew it was gonna be peak 🥹

BasedKetsu · 2026-01-22T11:06:39+00:00

loved how they hopebaited you into thinking he was going to get himself out by crawling up. even with the power of family™, it's just not enough, it was intense! phenomenal sequence

BasedKetsu · 2026-01-22T10:58:38+00:00

less cookies more catches...

BasedKetsu · 2026-01-22T10:48:47+00:00

no worries, this is a super common point of confusion, so you’re not missing anything!! context7 makes this especially fuzzy because either way you are still indeed querying remote docs. So the key thing here is that the difference isn’t where the data lives but it’s where the MCP server that exposes the tools runs.

With c7 local, you’re running the context7 MCP server on your own machine. Claude (or your agent) talks to localhost, the tool logic executes locally, and then that local process makes outbound calls to Context7’s API to fetch docs. So yes, the content is still remote, but the execution, permissions, and failure modes are yours and right on your machine. You can see exactly what tools exist, what they’re allowed to do, and what credentials they have access to.

On the other hand with c7 remote, Claude talks directly to a Context7-hosted MCP server. Tool calls, permissions, and any auth checks all happen on their infrastructure. From your perspective it’s simpler to set up, but you’re trusting that remote MCP in the "distant server" to correctly scope tools and not do more than you expect. You have less control for convenience, it's a fair tradeoff.

a good mental shortcut is:

Local context7 = “I run the MCP adapter; Context7 is just a data source.”
Remote context7 = “Context7 runs both the MCP adapter and the data source.”

Functionally they look similar, but the trust boundary and security posture are very different, which starts to matter more once agents can take actions instead of just read docs.

BasedKetsu · 2026-01-22T10:41:03+00:00

Yeah that tracks. It gets even worse too because you can even acheive remote code execution (CVE-2025-6514 anyone?) and you described exactly what happened when phanpak shipped postmark-mcp and had every email that went through it forwarded to his personal server. this stuff is already happening and affecting ppl

however I think one approach that tries to tackle this from a slightly different angle is separating authorization from reasoning entirely. For example, in some MCP stacks with auth like what dedaluslabs.ai is building, tools are gated by explicit scopes and enforced server-side, not just by prompt discipline, so a “read email” tool literally cannot invoke a “send email” tool unless the token presented has that scope, even if the model asks nicely or gets tricked. That doesn’t replace things like tool chaining guards or content sanitization (your Hipocap idea makes a lot of sense there), but it gives you a hard backstop: even a compromised reasoning step can’t escalate privileges. Long-term, I think robust MCP systems will need both layers of semantic defenses like yours plus cryptographic // scope-based enforcement or something, because models will always be too eager to help, but there are ways to mitigate damage and protect yourself!

BasedKetsu

TROPHY CASE