This is solved by the agent having its own identity and credentials. Why would you share your login and identity with your AI agent?
Access control and permissions should be handled on the backend by enforcing IAM on well-defined principals, not with MCP middleware. Claude can already bypass MCP and call APIs or use CLIs if it runs into blockers using MCP, so it’s not an effective point to implement the control.
Author here. At the time, Angular relied a lot on the AOT compiler and tree shaking to keep bundle sizes down. No idea if this is still the case.
If we built the app with the stable branch the bundle size was orders of magnitude smaller: less than 200kb. Still a bit of a chonker, but more reasonable than the ridiculousness the experimental SSR branch spat out.
It could have been any technology. The silver bullet is choosing the right tool for the job.
I don’t have an attachment to any particular tech. At the time React was what I knew, and I was coming off the back of building a server side rendered React site when I joined this company. I had a team of JavaScript-focused engineers to work with.
Author here. It was a gamble, but I was fighting against a very strong sunk cost fallacy in leadership at the company at the time, and there was a general lack of trust in the entire technical team. I *would not* recommend this approach as a typical way of doing business, and maybe I didn’t do a good enough job at communicating that in the post. This is the only time in my career I’ve delivered this kind of ultimatum.
Everything about this particular situation was exceptional. I focused on the decision to do a rewrite in the post because I thought it was the more interesting part of the story. In hindsight I might have gotten that wrong.
This was 13 years ago in a small business with no significant investment. No “cheap money” was involved, just the realities of a small business with chronic NIH syndrome.
Ha, no, that was a far more mundane issue. The CMS I'm using requires double opt-in to subscribe, meaning you need to enter your email address and click the confirmation link.
It also apparently requires double email configuration, meaning it has two places where you can configure your mailer. I had only set it up in one place, meaning the confirmations never got sent.
I’m reminded of PGP signing parties where people built a web of trust via key signing.
There may be a resurgence of this kind of thing as people use social heuristics to decide if any given creator is likely to be producing generative content or not.
Ghost is ridiculously good out of the box. Part of that comes from the opinionated stack it demands - support for only one database server, very specific and minimal config options.
I self-host Ghost and Plausible Analytics (along with several other services,) on an Unraid box at home, fronted by Cloudflare, and it holds up well to load. Costs next to nothing, too, since it inherits hand-me-down parts from my main desktop PC.
This is a really good addition, and something I wish I’d thought to cover. I’ve added a link back to this HN thread to the post so that people who find it from other sources can benefit from your perspective!
This is a really great point, and it’s awesome when a team strikes the right balance. In my experience these engineers tend to be rarer than the group I talk about in this post, but when you find them they’re worth their weight in gold!
I’m not the author, but I’ve gone down the same path as them (Plex + ripped CDs.)
My breaking point was when - as a premium subscriber already - Spotify insisted on promoting their family plan, Taylor Swift’s new album and whatever the flavor of the current week was via full-screen modal popups in the app with no way to prevent them. I asked support several times and was told they didn’t have a toggle.
I tried moving to Apple Music, but the discovery patterns in that app didn’t align with what I was looking for, and offline play has been nerfed so hard I can’t find any way to do it any more.
I’m now on Plex + Plexamp for music and happier for it.
Access control and permissions should be handled on the backend by enforcing IAM on well-defined principals, not with MCP middleware. Claude can already bypass MCP and call APIs or use CLIs if it runs into blockers using MCP, so it’s not an effective point to implement the control.