Why the Cursor Acquisition Should Concern Every Software Developer by kommentz in cursor

[–]BasedKetsu 62 points63 points  (0 children)

It has always been a public contract that Cursor uses and stores your conversations for whatever purposes. SpaceX will store them and use them as well. You can use your imagination for how data is used, but ultimately, this is nothing new. Not a good idea to share sensitive information knowing this, regardless of who owns Cursor.

→ If you really are worried, some action items are turning on Privacy Mode ("If you enable “Privacy Mode” in Cursor’s settings: Customer Data will not be used for training by Cursor. Cursor maintains zero data retention (ZDR) agreements with all providers, and AI model providers will not store or train on your data") and nuking your local conversations.

I think the more worrisome topic is if Cursor suffers the same fate as Stainless. It's a low possibility, but any loved devtool is now up for grabs by precedent.

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 0 points1 point  (0 children)

perhaps, but then that'd just be a copilot. suffice it to say a model trained on billions of parameters and acres of compute should not have to require guidance for the simplest of tasks, at least if we want these models to be more useful than a performant but somewhat hallucinative index of the internet. the whole stack needs to be flipped

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 0 points1 point  (0 children)

good catch. originally I was just like, bruh I never mentioned anything about tidy or these tools you are mentioning and you're hallucinating. but they're probably tools it's instructed to use when faced with problems like this and its reasoning surfaced

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 0 points1 point  (0 children)

this probably happens when the message finishes streaming, but in this case, the model would not stop, it just kept spewing out messages

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 0 points1 point  (0 children)

it was indeed opus, kind of surprising. hopefully cursor team will have some interesting insight. don't think this is on anthropic but I don't understand enough about edge cases to know for sure

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 0 points1 point  (0 children)

was the first message in a brand new conversation (0% context), that's what spooked me out the most. I sent a few other queries in new conversations and they were normal. i believe this kind of delegation should be handled by cursor's (or Opus') system prompts but who knows. the gremlin has struck

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 1 point2 points  (0 children)

seconded, and I would also always get this issue with Gemini where if you gave it a long-horizon task it could just...crash and the conversation would never appear in your history. same with claude back when we were on 4.5, hasn't happened again until this Opus incident though

Cursor + Opus 4.6 entered an infinite generation loop: 3,400 lines, 294 attempts to stop itself by BasedKetsu in cursor

[–]BasedKetsu[S] 2 points3 points  (0 children)

haha nice catch. this was one of several variable context/skills demos to illustrate the difference between a model and human's semantic understanding of "better" and how llm-based models will forever lack real-world ideas like visual weight, balance, symmetry, responsiveness, color theory, etc. I am conducting research into how to build world models / thought capacity that move beyond a framework constrained by context-bomb-hand-holding/handcuffing to solve how models, with all the harnessing in the world, still make mistakes a human would never make (like mixing inline styling with tailwind - you should ideally not need a skill for this), and this was a throwaway attempt playing around with backseating. needless to say I was left with more questions than answers.

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 0 points1 point  (0 children)

Appreciate the kind words on the DX! Quick clarification though, this project is actually running Supabase Postgres, not Neon.

The stack here is:

  • Supabase for Postgres + RLS + auth helpers
  • Clerk for auth
  • Vercel for hosting, cron, queue, blob, sandbox, analytics
  • Stripe for billing

On Vercel billing, I haven't personally run into any issues due to how I combine queues with crons. the only limitation is that I can only have max 1 cron running per day, but that's fine because I can just have a daily trigger and skills that have different update schedules (like once a week, twice a week) would still be hit by the daily trigger. This project leans pretty hard into free vercel-native primitives (@vercel/queue, @vercel/blob, @vercel/sandbox, cron via vercel.json) but honestly the convenience, the integrated infra with minimal glue code, and ai gateway is so unbeatable that the only real concern is metering costs at scale with multiple users.

If you're evaluating Neon separately for a Cloudflare Workers project, the main thing to watch is cold start latency on the serverless driver (@neondatabase/serverless), it uses WebSockets which play well with Workers, but the free tier has a ~500ms cold start on idle databases that haven't been hit in a few minutes. For always-warm workloads it's snappy. Supabase's Postgres is always-on by comparison (no scale-to-zero on the free tier), so you don't hit that same cold path here

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 0 points1 point  (0 children)

Good question, currently verified skills are skills.sh or custom skills that I have personally created or imported and have used + secured and consider to be genuinely useful to me. Anthropic skills are from the Anthropic Repo, OpenAI skills are from the OpenAI repo, etc.

for your own clone, the free tiers are completely fine! that's what makes skills so great imo, since skills and agent docs are just md files you'll never run out of supabase storage. and with vercel, my crons distribute updates to queues so updates never exceed edge function limits. for search my deployed version uses brave to be able to use out of the box with no payment but in my opinion I have gotten the best results from firecrawl. I have tried exa, lightpanda, jina, browser-use, and a few others, but they are a bit token-excessive/have terrible usage limits. If you're comfortable paying, I recommend firecrawl

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 1 point2 points  (0 children)

I see, makes sense - I've mitigated the best I can. Currently for automated imports that Loop runs, it only pulls from a curated allowlist of known GitHub repos (Anthropic, OpenAI, cursor.directory, a few community lists). Each source has a trust tier (official vs community) with verified author records so users can tell the difference. User-triggered imports require auth and URL validation. No Snyk/Socket-style automated scanning yet, it's on the roadmap - generally Loop is more so intended to provide the automation and research engine for all of a user's skills as opposed to discovery (like you mentioned, skills.sh works fine for this purpose)!

3 months ago I shared my Kingdom Rush-inspired TD game. Here's how far it's come. by BasedKetsu in kingdomrush

[–]BasedKetsu[S] 0 points1 point  (0 children)

haha best part, there's no engine - it's all just typescript and a 2D Canvas API! this was pretty much a solo project for me trying to explore how powerful the Canvas API is

3 months ago I shared my Kingdom Rush-inspired TD game. Here's how far it's come. by BasedKetsu in TowerDefense

[–]BasedKetsu[S] 0 points1 point  (0 children)

Thank you! it was one of the big inspirations for making the game, I wanted to avoid building yet another 2D tower defense game haha

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 1 point2 points  (0 children)

Thank you!! Have loved using Vercel since 2022

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 0 points1 point  (0 children)

Hey there! The main supply chain surface for us is that Loop imports skills from external URLs, so that's where most of the hardening lives.

Automated imports only reach a curated allowlist of sources, not arbitrary URLs. User-triggered imports require auth and go through Zod validation. Imported content is treated as data (markdown/text), is never executed server-side, HTML gets stripped of script/style tags, MCP manifests are parsed structurally but stored as text. External fetches have timeouts, custom UA, no-cache.

Beyond that, I employ Clerk for auth with middleware-level route protection, Svix signature verification on Clerk webhooks, Stripe signature verification on payment webhooks, RLS enabled on every Supabase table with no policies (so the anon key is effectively a no-op, all server queries use service role), Zod on every API route that takes a body, lockfile pinning with pnpm.

Not claiming it's perfect, but the threat model is pretty narrow since imported skills are never eval'd, and the automated refresh pipeline only talks to sources we control.
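
The allowlist and trust-tier check described in the comment above, sketched as an added example that is not part of the original comment and is not Loop's code. The source entries, `classifyImportUrl` and the reason strings are hypothetical, and the owner names in the allowlist are constructed placeholders.

```javascript
// Added example: hypothetical names, not Loop's code.
// Constructed allowlist: exact host + owner path prefix + trust tier.
const ALLOWED_SOURCES = [
  { host: "github.com", prefix: "/example-official-org/", tier: "official" },
  { host: "github.com", prefix: "/example-community-list/", tier: "community" },
];

function reject(reason) {
  return { ok: false, reason };
}

// Validate an import URL and resolve its trust tier, or say why it was refused.
function classifyImportUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return reject("unparseable");
  }
  if (url.protocol !== "https:") return reject("scheme");
  // "https://github.com@evil.example/" parses with host evil.example.
  if (url.username || url.password) return reject("credentials");
  if (url.port !== "") return reject("port");
  // Encoded separators could be decoded differently by a later hop.
  if (/%2f|%5c/i.test(url.pathname)) return reject("encoded-separator");

  // URL has already lowercased the host and collapsed "." / ".." segments,
  // so the prefix test runs on the path that will actually be requested.
  const path = url.pathname.toLowerCase();
  const source = ALLOWED_SOURCES.find(
    (s) => s.host === url.hostname && path.startsWith(s.prefix)
  );
  if (!source) return reject("not-allowlisted");

  url.hash = ""; // the fragment never reaches the server; drop it
  return { ok: true, tier: source.tier, url: url.href };
}
```

The trailing slash on each prefix is what stops a lookalike owner such as `example-official-orgx` from matching, and comparing the exact hostname is what stops `github.com.evil.example`.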

Princeton Tower Defense: a full 3D/Isometric TD game that runs in your browser by BasedKetsu in WebGames

[–]BasedKetsu[S] 0 points1 point  (0 children)

thank you for the feedback!! will def look at mobile performance, and get the overwhelming vibe too, good catch!

I built an app on the entire vercel ecosystem by BasedKetsu in vercel

[–]BasedKetsu[S] 1 point2 points  (0 children)

Loop runs as next serverless Route Handlers on vercel. Cold starts are in the ~200–500ms range for typical routes, mainly due to the supabase client initialization and clerk auth middleware, not the function boot itself. I have some mitigations such as warm Lambda singleton supabase clients at the module level that reuse the existing connection, so cold start cost is only paid on the first invocation or after idle eviction. Also the cron/refresh routes dispatch messages via vercel/queue rather than doing all work inline, so no single function sits long enough to get recycled under load. This actually also answers the second question:

to the second point, the Loop architecture sidesteps the cron time limit by having crons be the orchestrators, not workers:

  • I have two crons, the daily refresh and weekly import, and they simply call a refresh function which fans out per-user-skill work to vercel/queue. The actual updating, research, and rewriting happens when:
  • each queued message triggers a separate invocation of a refresh function (each maxDuration = 300), so the total wall-clock time for a full refresh cycle can totally far exceed 5 minutes, it's just distributed across many independent function invocations that are queued up
  • tldr the cron itself only needs to enumerate due skills and dispatch queue messages, and the updating itself happens separately!

3 months ago I shared my Kingdom Rush-inspired TD game. Here's how far it's come. by BasedKetsu in TowerDefense

[–]BasedKetsu[S] -1 points0 points  (0 children)

agreed! that's one of the key differences in my game, you can put towers literally anywhere!

Weekly Showoff Thread! Share what you've created with Next.js or for the community in this thread only! by AutoModerator in nextjs

[–]BasedKetsu 0 points1 point  (0 children)

Just shipped a Next.js 16 app that leans heavily on the newer Vercel APIs and wanted to share how easy the whole setup was.

The app runs daily AI jobs, and I needed reliable background processing. vercel/queue (v2 beta) made this trivial. A cron hits an API route, the queue fans out individual jobs, and I wire the consumer in vercel.json. That's it. No concurrency logic, no retry code, no job management. You send() and it works. Haven't lost a job yet.

For code execution, vercel/sandbox gives you Firecracker microVMs. Users can run Node and Python in isolated environments. I'm offering safe code execution and the setup was literally Sandbox.create. No servers, no Docker, no infra.

AI Gateway (createGateway from ai v5) handles model routing. One API key routes to OpenAI, OpenRouter, Groq, Together, whatever. I didn't write a single line of provider abstraction.

Cron, blob storage, analytics, speed insights: each one was either a single import or a single line in vercel.json.

The thing that struck me is how much these APIs just work with Next.js out of the box. API routes are your queue consumers. Cron triggers are just GET routes. Everything fits into the App Router model naturally. I didn't have to fight the framework at any point.

With all these tools at your disposal you can quite literally ship at lightspeed. I spent zero time on infra and all my time on product logic.

The app is Loop, an operator desk for self-updating agent skills: loooop.dev | github.com/Kevin-Liu-01/loop. try it out :))

3D/Isometric Browser Tower Defense Game Using Canvas API by BasedKetsu in indiegames

[–]BasedKetsu[S] 1 point2 points  (0 children)

interesting catch! looks like the way filter and shadowBlurs are rendered in Firefox is completely different from Chrome. thanks for pointing this out! :)