Keeping the Foundation Solid

This week's been quieter on the feature front, but that doesn't mean less work. Sometimes the most important work is the stuff users never see — fixing vulnerabilities, hardening infrastructure, and closing security gaps before they become problems.

Security Patrol

Our automated daily vulnerability scans caught and fixed three critical issues:

1. Simple-git RCE Vulnerability

The simple-git package had a remote code execution vulnerability via case-insensitive protocol.allow config. Not the kind of thing you want lurking in production. Fixed with an upgrade to 3.32.3.

2. Basic-FTP Path Traversal

In the devflo-moltworker (our Cloudflare container infrastructure for running AI agents), basic-ftp had a path traversal vulnerability. Upgraded to 5.2.0 and verified the fix.

3. Hono Framework Security Issues

Multiple security issues in Hono (XSS, cache deception, IP validation bypass, SSE injection, prototype pollution). Upgraded to 4.12.7 across projects.

Three criticals squashed before breakfast. This is why we run automated scans daily.
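A CI gate that keeps those three upgrades from regressing, as an added example (not code from this project). It treats the versions named above as floors and walks the `packages` map of an npm `package-lock.json`, so nested copies pulled in by other dependencies are checked too; the sample lockfile, `some-tool` and the function names are constructed for illustration.

```javascript
// Floors: the versions this post upgraded to (simple-git, basic-ftp, hono).
const MIN_FIXED = new Map([
  ["simple-git", "3.32.3"],
  ["basic-ftp", "5.2.0"],
  ["hono", "4.12.7"],
]);

// True when `installed` is older than `minimum`; unparseable versions fail closed.
function isBelow(installed, minimum) {
  const [core, pre] = installed.split("-", 2);
  const have = core.split(".").map(Number);
  const need = minimum.split(".").map(Number);
  if (have.length < 3 || !have.every(Number.isInteger)) return true;
  for (let i = 0; i < 3; i++) {
    if (have[i] !== need[i]) return have[i] < need[i];
  }
  return pre !== undefined; // 4.12.7-rc.1 predates 4.12.7
}

// Walk the lockfile "packages" map, including nested node_modules copies.
function findVulnerable(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    const minimum = MIN_FIXED.get(name);
    if (minimum && isBelow(String(meta.version), minimum)) {
      findings.push({ path, name, installed: meta.version, minimum });
    }
  }
  return findings;
}

// Constructed sample lockfile (npm lockfileVersion 3 layout); not from the project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/hono": { version: "4.12.7" },
    "node_modules/simple-git": { version: "3.27.0" },
    "node_modules/some-tool/node_modules/basic-ftp": { version: "5.0.5" },
    "node_modules/@hono/node-server": { version: "1.13.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.installed} < ${f.minimum}`);
}
```

In a pipeline, exit non-zero when `findVulnerable` returns anything, so a transitive dependency cannot quietly reintroduce an older copy.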

What's Still on the List

Not everything auto-fixes cleanly:

  • Discord.js chain in atlas-site has moderate vulnerabilities via undici. The fix requires a breaking change (downgrade from v14 to v13), so we're evaluating the trade-offs.
  • cloudflare-agents-templates has 6 vulnerabilities in the Astro/Wrangler stack that need manual intervention.
  • Missing rate limiting on blog admin endpoints — still on the backlog.

New Project: Handy Beaver 🦫

We're building an AI-powered service app for a traveling craftsman business in Southeast Oklahoma. Think "AI assistant meets Square payments meets photo visualizer."

The Stack

  • Cloudflare Pages - Hono + Vite frontend
  • Cloudflare D1 - SQLite database for customers, jobs, quotes
  • Cloudflare R2 - Photo storage
  • Workers AI - Chat assistant and image generation
  • Durable Objects - Real-time chat sessions
  • Square Payments - Deposits, labor, materials
  • ElevenLabs Voice Agent - Phone support

All running on the edge. Zero VPS costs.

Why This Matters

This is our first full AI-agent-driven service business app. The agent doesn't just answer questions — it schedules jobs, generates quotes, processes payments, and creates social media content.

The customer uploads a photo of their deck, the AI generates a visualization of what it'll look like finished, and schedules the work. No back-and-forth emails. No phone tag.

Pricing Model

Keeping it simple:

  • Labor ≤6 hrs: $175
  • Labor >6 hrs: $300/day
  • Helper: $100-$225/day
  • Customer pays materials + equipment rental

The AI handles quote generation based on job scope. The human approves it. The customer pays the deposit via Square. Done.

Lessons from Running AI in Production

1. WebSocket Limitations in Local Dev

Local development with wrangler dev has issues proxying WebSocket connections through sandboxes. HTTP works fine, but if you need WebSockets, you have to deploy to Cloudflare's edge to test properly.

This bit us hard on the devflo-moltworker project. We thought the gateway was broken. Nope — just wrangler dev not playing nice with WebSocket proxying.

Lesson: For anything with WebSocket dependencies, deploy to preview environments early.

2. R2 Mounting with s3fs

We're using R2 as persistent storage for workspace files, backing them up every 5 minutes. We mount the bucket via s3fs, which mostly works, but has quirks:

  • rsync compatibility: Use rsync -r --no-times instead of rsync -a. s3fs doesn't support setting timestamps, which causes "Input/output error" failures.
  • Mount checking: Don't rely on sandbox.mountBucket() error messages to detect "already mounted" state. Check mount | grep s3fs instead.
  • Never delete R2 data directly: The mount directory /data/moltbot IS the bucket. Running rm -rf /data/moltbot/* will delete your backup data. Always verify mount status first.

Lesson: s3fs is great for read-heavy workloads, but has sharp edges. Test destructive operations carefully.
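A worker-side guard for the mount check, the rsync flags and the delete warning above, as an added example (not the project's code). It assumes the worker already holds the text that `mount` printed inside the container and that paths are absolute; it matches the mount point exactly, which is stricter than a plain grep for s3fs. Function names, the sample output and the `/workspace/` source path are constructed.

```javascript
const BUCKET_MOUNT = "/data/moltbot"; // mount directory named in the post

// Parse `mount` lines of the form "<src> on <dir> type <fstype> (<opts>)".
// Assumption: s3fs-fuse mounts report the type "fuse.s3fs" on Linux.
function s3fsMountPoints(mountOutput) {
  const points = [];
  for (const line of mountOutput.split("\n")) {
    const m = /^(\S+) on (.+) type (\S+) \(/.exec(line);
    if (m && m[3] === "fuse.s3fs") points.push(m[2]);
  }
  return points;
}

// Lexically resolve "." and ".." so paths can be compared with a mount point.
function normalise(p) {
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return "/" + out.join("/");
}

// True when deleting `target` would remove objects from a mounted bucket:
// the mount point itself, anything under it, or any parent directory of it.
function deleteTouchesBucket(target, mountOutput) {
  const t = normalise(target.replace(/\/\*$/, "")); // "/data/moltbot/*" -> "/data/moltbot"
  const below = t === "/" ? "/" : t + "/";
  return s3fsMountPoints(mountOutput).some(
    (mp) => t === mp || t.startsWith(mp + "/") || mp.startsWith(below)
  );
}

// Build the backup command only when the bucket is really mounted; otherwise
// rsync would fill a local directory and nothing would reach R2.
function backupCommand(src, mountOutput) {
  if (!s3fsMountPoints(mountOutput).includes(BUCKET_MOUNT)) {
    throw new Error(`${BUCKET_MOUNT} is not an s3fs mount, refusing to back up`);
  }
  return ["rsync", "-r", "--no-times", src, BUCKET_MOUNT + "/"];
}

// Constructed sample of `mount` output from inside the container.
const SAMPLE_MOUNT = [
  "overlay on / type overlay (rw,relatime)",
  "s3fs on /data/moltbot type fuse.s3fs (rw,nosuid,nodev,relatime,user_id=0,group_id=0)",
].join("\n");
console.log(backupCommand("/workspace/", SAMPLE_MOUNT).join(" ")); // placeholder source path
```

Run `deleteTouchesBucket` before any cleanup step and `backupCommand` before every sync, using fresh `mount` output each time rather than a cached result.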

3. CLI Commands in Containers Take Forever

Calling the Moltbot CLI from the worker takes 10-15 seconds due to WebSocket connection overhead. This is normal, but it broke our assumptions about response times.

We built a waitForProcess() helper that polls until completion instead of assuming instant responses.

Lesson: Don't assume CLI tools in containers are fast. Build timeout and polling logic from the start.

What's Next

Short-Term

  • Fix the remaining HIGH priority vulnerabilities in cloudflare-agents-templates
  • Rate limiting on blog admin endpoints
  • Finish Handy Beaver customer portal and deploy to production

Long-Term

  • Improve test coverage (currently ~15%, need >80%)
  • Structured logging across all projects (replace console.log with proper logger)
  • Architecture diagrams for all projects (Mermaid in READMEs)

Building in Public

This is what daily development looks like when you're running production apps on Cloudflare's edge:

  • Security scans every morning
  • Fixes deployed same day
  • New projects built on proven patterns
  • Documentation updated as we learn

No heroics. No all-nighters. Just consistent, deliberate progress.

The infrastructure work isn't glamorous, but it's what keeps everything running when customers actually show up.


Built with Cloudflare Workers, D1, R2, and caffeine.