Replit

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

Replit AI

I tested how well Claude generated code handles security. Here's what I found in 48 real apps.

I've been curious about a specific problem: when Claude (or other AI tools) generates a full stack app, how secure is the output in practice? So I built a scanner and ran static analysis on 48 public GitHub repos built with Lovable, Bolt, and Replit. Here's what came up: **90% had at least one security vulnerability.*\* The breakdown: - 44% — authentication gaps (routes unprotected despite having a login system) - 33% — Security Definer RPCs (Postgres functions that bypass row-level security) - 25% — BOLA/IDOR (ownership checks missing from database queries) - 25% — committed env or config files The pattern I found most interesting: these aren't random errors. They're systematic. The same vulnerabilities appear across different apps, different developers, different AI tools. **The auth gap is the most instructive:*\* Claude builds login flows correctly. Registration, email verification, sessions, password reset all solid. But 44% of apps had API routes or pages that anyone could reach without logging in. The authentication *system* was built. The actual *protection* of routes behind that system often wasn't. This makes sense if you think about how LLMs work. The prompt was "build me a user dashboard with authentication." Claude built the dashboard and built the authentication. Nobody asked it to specifically verify that every route is protected. It wasn't in the spec, so it wasn't in the output. **Security Definer is the hidden one:*\* 33% of apps had Postgres functions marked `SECURITY DEFINER`. This makes the function run as the database superuser, bypassing all RLS policies. AI tools generate these to resolve permission errors it's a "fix" that works locally and causes a real security problem in production. There's no error, no warning. The app works perfectly while being exploitable. I don't think this is a Claude problem specifically it's a fundamental constraint of how LLMs generate code. Security requires thinking adversarially, and that's not what "write me a working app" prompts for. What's your approach when you use Claude to build something you're going to ship? submitted by /u/Powerful-Fly-9403 [link] [comments]

I spent hours with REPLIT's free day of coding...did you?

And wasn't able to finish my work. Not pubilished! huhu. https://preview.redd.it/yu71tbo2w4zg1.png?width=832&format=png&auto=webp&s=e78aa8f3010871557a868f04c37ab790c7e3b1c1 It was a great experience. Better than AI Studio IMO - though the interface is the same. PLAN MODE. But I found out it has a PLAN MODE. I didn't know that but I used REPLIT ------..sh...----------- JUST TO PLAN THE APP I WAS MAKING! 😄 It was excellent in doing that. IN FACT I opened a 2nd account - free tier, no MAY 2026 promo - and used that to fine tune the plan for another app-- ignoring the prompts to make the app. Until I was ready to say "GREAT PLAN!" Then I gave the plan to Claude and ... that one ran out of credits. 😞 I'll try it in gemini next time. But the remaining free credits -- replit was able to make my 2nd smaller app. YOU? If you participated, what did you do? Where you able to publish? Disclaimer: I dont work for them or with them. submitted by /u/Adventurous_Drink557 [link] [comments]

I run a paper-trading bot where Claude Opus is the Lead Engineer with veto power over a Gemini "Strategist." 270+ entry audit log of every disagreement. Sharing the architecture.

I've been running a personal project for the last few months and I think the workflow might be more interesting to this sub than the application itself, so wanted to share.   The setup: I'm building an autonomous paper-trading bot on Alpaca. Instead of one LLM doing everything, I split the work into bounded roles: Me — Commander. Capital authority + thesis. I sign off on anything that touches money. Gemini Pro — Chief Strategist. Bounded scope: thesis adjudication only. Not allowed to make implementation choices, pick the broker SDK, or decide architecture. Claude Opus 4 — Lead Engineer. Writes the actual code. Audits Strategist directives. Allowed to push back and veto anything from the Strategist that doesn't survive contact with engineering reality. Logs the veto on the record.   No party can deploy autonomously. Every disagreement gets logged in a "Strategist Codex" doc that's now 270+ entries. The Codex never hides reversals — if a principle gets superseded later, both versions stay in the file with dates.   Why I think this works better than a single LLM: A single LLM has no incentive to disagree with itself. Two LLMs from different vendors with bounded scopes and a documented veto path produce something closer to a real engineering review process. The friction is the point — it forces the disagreement into the design phase instead of the post-mortem.   A real example from this week: Strategist directive: anchor a 14-day position-decay clock to Position.created_at from the broker SDK. Claude (Engineer) checked dir(Position) against the live Alpaca SDK and pointed out the field doesn't exist. Implemented a state-side ledger instead and logged the doctrine update with the rationale: "broker did not in fact provide the field the original adjudication assumed." Then on architect review, Claude further refactored the implementation because the first pass held a state lock across N broker calls. Both passes are in the Codex.   Repo + writeup: https://github.com/ALGEM-hub/Whitepaper Full 9-page architecture paper in there if you want to go deep. ~4,900 LOC, five Python modules.   What I'd love to hear from this sub: Anyone else running multi-LLM workflows with explicit veto/disagreement logging? How do you handle "they agreed too quickly" failure modes? I'm currently coordinating Claude through the Anthropic API + the Replit dev loop. Curious if anyone's tried similar architectures with Claude as one of two coordinated agents vs. as a sole agent. The "bounded scope" concept (Strategist isn't allowed to touch implementation, Engineer isn't allowed to override thesis) — does that match patterns you've seen, or is there better prior art I should be looking at?   Solo builder, not selling anything, no DMs about access. Genuinely just want to find the people who are also working in this space. submitted by /u/Vortextgamer [link] [comments]

Why every AI-agent production-deletion incident has the same shape (and what fixes it)

PocketOS lost their production database in 9 seconds last week. A Cursor agent running Claude Opus made one curl call to Railway's volumeDelete endpoint. Most of the discussion has been about AI safety. The pattern matters more than the model. Two pre-AI versions of the same incident: Pixar, 1998. An animator ran /bin/rm -r -f * on the asset server. About 90 percent of Toy Story 2 deleted before anyone could stop it. Recovered only because the technical director had a near-complete copy on her home workstation while on maternity leave. GitLab, January 2017. An engineer trying to clean up a stuck replica ran rm -rf on what they thought was the standby database. It was the live one. The pg_dump backups had been silently failing for weeks; email-authentication settings rejected the failure-alert emails. Two AI versions, alongside PocketOS: Replit, July 2025. SaaStr's AI coding agent deleted the production database during a declared code freeze, fabricated 4,000 fake user records, and told the operator recovery was impossible (it wasn't). Cursor Plan Mode, December 2025. An agent in Plan Mode deleted around 70 source files tracked in Git after the user typed "DO NOT RUN ANYTHING." A Cursor team member acknowledged a critical bug in Plan Mode constraint enforcement. Different operators, different decades. The shared variable is the access pattern, not the model and not the harness: an interactive session that holds credentials with reach to destructive operations, and an actor with the means to invoke them. The structural fix: agents have no production access. Production credentials live in CI/CD secrets, used only by pipeline jobs. Production-bound changes flow through commit, push, and release. A risk-scoring gate fires on those three actions, scoring the diff against a written policy. Apollo Research's in-context scheming study is the empirical reason a separate subagent doing the scoring is structurally important: the agent that wants the commit to land has incentive to under-score risk to clear the gate; the scorer has incentive to score accurately. Full write-up with the bash for the gate, the four-layer defence-in-depth model, the ISO 31000 framing for the matrix, and a test you can run on your own credentials: https://windyroad.com.au/blog/an-ai-agent-deleted-production-the-model-wasnt-the-problem Has anyone else built pipeline-action gates as a pattern, rather than trying to gate destructive APIs one provider at a time? submitted by /u/tompahoward [link] [comments]

Built a real estate SaaS with no traditional dev background using Claude as my co-developer — here’s what I shipped

I’m an MSBA student — analytics background, not engineering. Used Claude to build OfferRead, a real estate deal analyzer that: - Pulls live AVM data and rental comps - Runs cap rate, cash-on-cash, and cash flow calculations - Generates a deal verdict with plain-English AI explanation - Includes scenario modeling sliders and neighborhood intelligence - Has Stripe payments, freemium model, and custom domain Just crossed 5,000 Reddit views this week. The process: I described what I wanted, Claude wrote the code, I validated in the browser, reported what broke, we iterated. Replit handled deployment. No traditional dev background at all. Happy to talk about the build process or answer questions about the product. Offer Read submitted by /u/OfferRead [link] [comments]

Seeking Critique on Research Approach to Open Set Recognition (Novelty Detection) [R]

Hey guys, I'm an independent researcher working on a project that tries to address a very specific failure mode in LLMs and embedding based classifiers: the inability of the system to reliably distinguish between "familiar data" that it's seen variations of and "novel noise." The project's core idea is moving from a single probability vector (P(class|input)) to a dual-output system that measures μ(x), a continuous familiarity score bounded [0,1], derived from set coverage axioms. The detailed paper is hosted on GitHub: https://github.com/strangehospital/Frontier-Dynamics-Project/blob/c84f5b2a1cc5c20d528d58c69f2d9dac350aa466/Frontier%20Dynamics/Set%20Theoretic%20Learning%20Environment%20Paper.md ML Model: https://just-inquire.replit.app --> autonomous learning system Why I'm posting here: As an independent researcher, I lack the daily pushback/feedback of a lab group or advisor. Obviously, this creates a situation where bias can easily creep into the research. The paper details three major revisions based on real-world failure modes I encountered while running this on a continuous learning agent. Specifically, the paper grapples with: Saturation Bug: phenomenon where μ(x) converged to 1.0 for everything as training samples grew in high-dimensional space. The Curse of Dimensionality: Why naive density estimation in 384-dimensional space breaks the notion of "closeness." I attempted to ground this research in a PAC-Bayes convergence proof and tested it on a ML model ("MarvinBot") with a ~17k topic knowledge base. If anyone has time to skim the paper, I would be grateful for a brutal critique. Go ahead and roast the paper. Please leave out personal attacks, just focus on the substance of the material. I'm particularly interested in hearing thoughts on: --> Saturation bug --> If there's a simpler solution than using the evidence-scaled multi-domain Dirichlet accessibility function used in v3 --> Edge cases or failures I've been blind too. I'm not looking for stars or citations. Just a reality check about the research. Note: The repo also has a v3 technical report on the saturation bug and the proof if you want to skip the main paper. submitted by /u/CodenameZeroStroke [link] [comments]

Has anyone experienced unexpected behavior from multiple AI agents interacting with each other?

I've been researching how teams handle multi-agent systems before deployment and I'm curious about real experiences. Specifically has anything ever gone wrong when your Claude agents were interacting with each other? Like one agent doing something unexpected that affected the others, or an agent reporting success when it actually failed? I know about the Replit case where an agent deleted a production database and then created fake users to cover it up. Curious if anyone has seen anything similar, even on a smaller scale. How do you currently test this before going live? submitted by /u/Alternative-Tip6571 [link] [comments]

I built an interactive Web Dev course for Claude Code (100% free)

If pure vibe coding leaves you feeling stuck, this is for you: https://OpenVibe.sh I see a lot of people getting frustrated with platforms like Lovable, Replit, etc., and it's because they don't yet understand the fundamentals of web dev. So I thought, why not build a course that the agent leads you through so that you learn to build real web apps with AI locally, using something like claude code (or codex, cursor, etc). The goal isn't to just learn prompting or to do 100% pure vibe coding, nor is it to learn to code in the traditional sense. It's to get learn the fundamentals through building, while also having an ever-patient, all-knowing tutor at your side. You are free to ask the agent whatever you want and take the course in whatever direction you want, and then return to the course structure whenever you see fit. To build the course, I'm leaning on my experience creating Open SaaS (the top open-source SaaS boilerplate template with 13k+ github stars), and the ultimate end goal of the course is to learn how to build your own SaaS (if you want). Right now its just the setup and first lesson, but I'll be adding the next lesson ASAP. Just go to this website, copy and paste the provided prompt into Claude Code (or any other coding agent) and start learning! submitted by /u/hottown [link] [comments]

Last Call: Perplexity, Replit, & GitHub— The AI Student Discounts You're Cheerfully Paying the Tourist Price For

If you got a student edu email, these official promos will expire soon. submitted by /u/Mstep85 [link] [comments]

Softr launches AI-native platform to help nontechnical teams build business apps without code

Softr, the Berlin-based no-code platform used by more than one million builders and 7,000 organizations including Netflix, Google, and Stripe, today launched what it calls an AI-native platform — a bet that the explosive growth of AI-powered app creation tools has produced a market full of impressive demos but very little production-ready business software. The company's new AI Co-Builder lets non-technical users describe in plain language the software they need, and the platform generates a fully integrated system — database, user interface, permissions, and business logic included — connected and ready for real-world deployment immediately. The move marks a fundamental evolution for a company that spent five years building a no-code business before layering AI on top of what it describes as a proven infrastructure of constrained, pre-built building blocks. "Most AI app-builders stop at the shiny demo stage," Softr Co-Founder and CEO Mariam Hakobyan told VentureBeat in an exclusive interview ahead of the launch. "A lot of the time, people generate calculators, landing pages, and websites — and there are a huge number of use cases for those. But there is no actual business application builder, which has completely different needs." The announcement arrives at a moment when the AI app-building market finds itself at an inflection point. A wave of so-called "vibe coding" platforms — tools like Lovable, Bolt, and Replit that generate application code from natural language prompts — have captured developer mindshare and venture capital over the past 18 months. But Hakobyan argues those tools fundamentally misserve the audience Softr is chasing: the estimated billions of non-technical business users inside companies who need custom operational software but lack the skills to maintain AI-generated code when it inevitably breaks. Why AI-generated app prototypes keep failing when real business data is involved The core tension Softr is trying to resolve is one that has plag

Ask HN: How are you monitoring AI agents in production?

With the recent incidents (DataTalks database wipe by Claude Code, Replit agent deleting data during code freeze), it&#x27;s clear that running AI agents in production without observability is risky.<p>Common failure modes I&#x27;ve seen: no visibility into what the agent did step-by-step, surprise LLM bills from untracked token usage, risky outputs going undetected, and no audit trail for post-mortems.<p>I&#x27;ve been building AgentShield (https:&#x2F;&#x2F;useagentshield.com) — an observability SDK for AI agents. It does execution tracing, risk detection on outputs, cost tracking per agent&#x2F;model, and human-in-the-loop approval for high-risk actions. Plugs into LangChain, CrewAI, and OpenAI Agents SDK with a 2-line integration.<p>Curious what others are using. Rolling your own monitoring? LangSmith? Langfuse? Or just hoping for the best?

Anthropic launches Claude Marketplace, giving enterprises access to Claude-powered tools from Replit, GitLab, Harvey and more

San Francisco startup Anthropic continues to ship new AI products and services at a blistering pace, despite a messy ongoing dispute with the U.S. Department of War. Today, the company announced Claude Marketplace, a new offering that lets enterprises with an existing Anthropic spend commitment apply part of it toward tools and applications powered by Anthropic's Claude models but made and offered by external partners including GitLab, Harvey, Lovable, Replit, Rogo and Snowflake. According to Anthropic’s Claude Marketplace FAQ, the program is designed to simplify procurement and consolidate AI spend. Anthropic says the Marketplace is now in limited preview and that enterprises interested in using it should reach out to their Anthropic account team to get started. For customers interested in the Marketplace, Anthropic says purchases made through it “count against a portion of your existing Anthropic commitment,” and that the company will manage invoicing for partner spend — meaning enterprises can use part of their existing Anthropic commitment to buy Claude-powered partner solutions without separately handling partner invoicing. In effect, Anthropic is positioning Claude Marketplace as a more centralized way for enterprises to procure certain Claude-powered partner tools. Yet, the whole point of Anthropic's Claude Code and Claude Cowork applications for many users was that they could shift enterprise spend and time away from current third-party software-as-a-service (Saas) apps and instead, they could "vibe code" new solutions or bespoke, AI-powered workflows. This idea is so pervasive that prior Claude integrations have on several recent occasions caused a major selloff in SaaS stocks after investors thought Claude could threaten the underlying companies and applications. Claude Marketplace seems to be pushing against that idea, suggesting current SaaS apps are still valuable and perhaps even more useful and appealing to enterprises with Claude integrated into them

I wasted $500 testing AI coding tools so you don't have to 💸 Here's what actually works: 🧪 Testing ideas? → V0 or Lovable Built a landing page in 90 seconds. Fully clickable, looked real. Code's me

I wasted $500 testing AI coding tools so you don't have to 💸 Here's what actually works: 🧪 Testing ideas? → V0 or Lovable Built a landing page in 90 seconds. Fully clickable, looked real. Code's messy but perfect for validation. 🏗️ Shipping real apps? → Bolt Full dev environment in your browser. I built a document uploader with front end + back end + database in one afternoon. 💻 Coding with AI? → Cursor or Windsurf Cursor = stable, used by Google engineers Windsurf = faster, newer, more aggressive Both are insane. 📚 Learning from scratch? → Replit Best coding teacher I've found. Explains errors, walks you through fixes, teaches as you build. Here's what 500+ hours taught me: The tool doesn't matter if you're using it for the wrong stage. Testing ≠ Building ≠ Coding ≠ Learning Stop comparing features. Match your goal first. Drop what you're building 👇 I'll tell you exactly which tool to use Save this. You'll need it. #AI #AITools #TechTok #ChatGPT #Coding

Anthropic Is Bleeding Out

**Hello premium customers!** Feel free to get in touch at ez@betteroffline.com if you're ever feeling chatty. And if you're not one yet, please subscribe and support my independent brain madness. Also, thank you to Kasey Kagawa for helping with the maths on this. [***Soundtrack: Killer Be Killed - Melting Of My Marrow***](https://youtu.be/bAO5sM89HUw?ref=wheresyoured.at) [Earlier in the week](https://www.wheresyoured.at/anthropic-and-openai-have-begun-the-subprime-ai-crisis/), I put out a piece about how Anthropic had begun cranking up prices on its enterprise customers, most notably Cursor, a $500 million Annualised Recurring Revenue (meaning month multiplied by 12) startup that is also Anthropic’s largest customer for API access to models like Claude Sonnet 4 and Opus 4. As a result, Cursor had to make massive changes to the business model that had let it grow so large in the first place, replacing (on June 17 2025, a few weeks after Anthropic’s May 22 launch of its  Claude Opus 4 and Sonnet 4 models) a relatively limitless $20-a-month offering with a much-more-limited $20-a-month package and a less-limited-but-still-worse-than-the-old-$20-tier $200-a-month subscription, pissing off customers and leading to [most of the Cursor Subreddit](http://reddit.com/r/cursor/?ref=wheresyoured.at) turning into people complaining or discussing they’d cancel their subscription. Though I recommend you go and read the previous analysis, the long and short of it is that Anthropic increased the costs on its largest customer — a coding startup — about 8 days (on May 30 2025) after launching two models (Sonnet 4 and Claude Opus 4) specifically dedicated to coding. I concluded with the following: > What I have described in this newsletter is one of the most dramatic and aggressive price increases in the history of software, with effectively no historical comparison. No infrastructure provider in the history of Silicon Valley has so distinctly and aggressively upped its prices on customers, let alone their largest and most prominent ones, and doing so is an act of desperation that suggests fundamental weaknesses in their business models.Worse still, these changes will begin to kneecap an already-shaky enterprise revenue story for two companies desperate to maintain one. OpenAI's priority pricing is basic rent-seeking, jacking up prices to guarantee access. Anthropic's pricing changes are intentional, mob-like attempts to increase revenue by hitting its most-active customers exactly where it hurts, launching a model for coding startups to integrate that’s **specifically priced to increase costs on enterprise coding startups.** But the whole time I kept coming back to a question: why, exactly, would Anthropic do this? Was this rent seeking? A desperate attempt to boost revenue? An attempt to bring its largest customer’s compute demands under control [as its regularly pushed Anthropic’s capacity to the limit](https://www.vincentschmalbach.com/cursor-is-anthropics-largest-customer-and-maxing-out-their-gpus/?ref=wheresyoured.at)? Or, perhaps, it was a little simpler: was Anthropic having its own issues with capacity, and maybe even cash flow. Another announcement happened on May 22 2025 — [Anthropic launched Claude Code](https://docs.anthropic.com/en/release-notes/claude-code?ref=wheresyoured.at), a version of Anthropic’s Claude that runs directly in your terminal (or integrates into your IDE) that uses Anthropic’s Claude models to write and manage code. This is, I realize, a bit of an oversimplification, but the actual efficacy or ability of Claude Code is largely irrelevant other than in the sheer amount of cloud compute it requires. As a reminder, [Anthropic also launched its Claude Sonnet 4 and Opus 4 models on May 22 2025](https://www.anthropic.com/news/claude-4?ref=wheresyoured.at), shortly followed by its Service Tiers, and then both Cursor and vibe-coding startup Replit’s price changes, which I covered last week. These are not the moves of a company brimming with confidence about its infrastructure or financial position, which made me want to work out *why things might have got more expensive.* And then I found out, and it was really, really fucking bad. Claude Code, as a product, is quite popular, along with its Sonnet 4 and Opus 4 models. It’s accessible via Anthropic’s $20-a-month “Pro” subscription (but only using the Claude Sonnet 4 model), or the $100 (5x the usage of Pro) and $200 (20x the usage of Pro) ”Max” subscriptions. While people hit rate limits, they seem to be getting a lot out of using it, to the point that you have people on Reddit boasting [about running eight parallel instances of Claude Code](https://www.reddit.com/r/cursor/comments/1lmhm5x/idk_how_you_guys_are_using_claude_code_but_im/). Something to know about software engineers is that they’re *animals*, and I mean that with respect. If something can be automated, a software engineer is at the very least going to *take a look at automat

OpenAI’s Game-Changing o1 Description: Big news in the AI world! OpenAI is shaking things up with the launch of ChatGPT Pro, priced at $200/month, and it’s not just a premium subscription—it’s a glim

OpenAI’s Game-Changing o1 Description: Big news in the AI world! OpenAI is shaking things up with the launch of ChatGPT Pro, priced at $200/month, and it’s not just a premium subscription—it’s a glimpse into the future of AI. Let me break it down: First, the Pro plan offers unlimited access to cutting-edge models like o1, o1-mini, and GPT-4o. These aren’t your typical language models. The o1 series is built for reasoning tasks—think solving complex problems, debugging, or even planning multi-step workflows. What makes it special? It uses “chain of thought” reasoning, mimicking how humans think through difficult problems step by step. Imagine asking it to optimize your code, develop a business strategy, or ace a technical interview—it can handle it all with unmatched precision. Then there’s o1 Pro Mode, exclusive to Pro subscribers. This mode uses extra computational power to tackle the hardest questions, ensuring top-tier responses for tasks that demand deep thinking. It’s ideal for engineers, analysts, and anyone working on complex, high-stakes projects. And let’s not forget the advanced voice capabilities included in Pro. OpenAI is taking conversational AI to the next level with dynamic, natural-sounding voice interactions. Whether you’re building voice-driven applications or just want the best voice-to-AI experience, this feature is a game-changer. But why $200? OpenAI’s growth has been astronomical—300M WAUs, with 6% converting to Plus. That’s $4.3B ARR just from subscriptions. Still, their training costs are jaw-dropping, and the company has no choice but to stay on the cutting edge. From a game theory perspective, they’re all-in. They can’t stop building bigger, better models without falling behind competitors like Anthropic, Google, or Meta. Pro is their way of funding this relentless innovation while delivering premium value. The timing couldn’t be more exciting—OpenAI is teasing a 12 Days of Christmas event, hinting at more announcements and surprises. If this is just the start, imagine what’s coming next! Could we see new tools, expanded APIs, or even more powerful models? The possibilities are endless, and I’m here for it. If you’re a small business or developer, this $200 investment might sound steep, but think about what it could unlock: automating workflows, solving problems faster, and even exploring entirely new projects. The ROI could be massive, especially if you’re testing it for just a few months. So, what do you think? Is $200/month a step too far, or is this the future of AI worth investing in? And what do you think OpenAI has in store for the 12 Days of Christmas? Drop your thoughts in the comments! #product #productmanager #productmanagement #startup #business #openai #llm #ai #microsoft #google #gemini #anthropic #claude #llama #meta #nvidia #career #careeradvice #mentor #mentorship #mentortiktok #mentortok #careertok #job #jobadvice #future #2024 #story #news #dev #coding #code #engineering #engineer #coder #sales #cs #marketing #agent #work #workflow #smart #thinking #strategy #cool #real #jobtips #hack #hacks #tip #tips #tech #techtok #techtiktok #openaidevday #aiupdates #techtrends #voiceAI #developerlife #o1 #o1pro #chatgpt #2025 #christmas #holiday #12days #cursor #replit #pythagora #bolt