Blog · Bubble.io, AI-assisted development, and production apps

Chrome extension version-bump discipline: pre-commit + GitHub Actions: cover image

Latest

May 22, 2026 · 8 min read · chrome-extension , github-actions , pre-commit-hooks

Chrome extension version-bump discipline: pre-commit + GitHub Actions

The Chrome Web Store rejects re-uploads with the same manifest version. Catch the missed bump in pre-commit; gate it again in CI.

Read as a series

Topical clusters meant to be read in order, or jumped into anywhere.

Chrome Extension Lifecycle 3 posts

Read the series

Ai Assisted Web Apps 7 posts

Read the series

Supabase Production Hardening 6 posts

Read the series

Data Pipeline Reliability 4 posts

Read the series

Recent writing

View all 67 →

May 15, 2026 ·9 min read · chrome-extension , manifest-v3 , supabase

How to build a Chrome extension popup with Supabase Auth (step by step)

Load Supabase JS into a Manifest V3 popup, persist sessions in chrome.storage, handle popup-reopen state recovery. Step by step.

May 8, 2026 ·12 min read · chrome-extension , manifest-v3 , chrome-web-store

Shipping a Manifest V3 Chrome extension: the gates nobody mentions

Trader verification, publisher identity, the URL slug gotcha, version-bump CI. The async gates that turn a one-day project into a three-week project.

May 1, 2026 ·9 min read · methodology , ai-assisted-development , refactoring

Phased migrations with per-phase verification gates

Big-bang rewrites of 6+ files break things you cannot predict. Phased migration with explicit gates is slower and catches the regressions early.

Apr 28, 2026 ·10 min read · claude-code , claude-md , lovable

How I document AI-built projects: a CLAUDE.md, ISSUES.md, and prompts/ workflow

The four-part system I install on day one of every inherited Lovable, Cursor, or Claude Code project: CLAUDE.md template, ISSUES.md learning log, prompts/ folder, two-AI workflow.

Apr 24, 2026 ·9 min read · react-hook-form , zod , react

How to migrate a useState form to React Hook Form and Zod (the real walkthrough)

Step-by-step migration of one form from useState plus inline validation to React Hook Form plus Zod plus shadcn Form. Code diffs and the mode choice.

Apr 23, 2026 ·8 min read · supabase , supabase-auth , supabase-publishable-key

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

Supabase's new sb_publishable_* keys return 401 when sent as raw apikey headers, and the JS SDK defaults to localStorage which a Manifest V3 Chrome extension cannot use. Here is the migration: deleting hand-rolled fetch wrappers, switching to @supabase/supabase-js, and the chrome.storage.local adapter that keeps sessions persistent.

Apr 21, 2026 ·9 min read · lovable , lovable-security , supabase

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

Lovable's April 2026 BOLA vulnerability exposed projects created before November 2025. Here is the audit checklist I ran on a client's Supabase-backed Lovable app, the 6-hour key rotation that followed, and the Chrome-extension SDK migration nobody warned us about.

Apr 17, 2026 ·8 min read · supabase , supabase-realtime , security

Realtime broadcast scope is a security boundary, not a routing convenience

Default-public Realtime broadcasts leak message bodies to every subscriber. The private-channel flag is the fix; here is when to use it.

Apr 10, 2026 ·7 min read · security , supabase , auth-jwt

User enumeration via password reset: the bug in default forgot-password flows

Most forgot-password endpoints leak whether an email exists. The fix is one rule: return the same response always, regardless of account status.

Apr 3, 2026 ·7 min read · security , supabase , edge-functions

Origin validation in edge functions: the open redirect you ship by default

Edge functions that trust the Origin header for redirect URLs are open-redirect vulnerable. Here's the allowlist pattern that closes the gap.

Browse all 67 posts in the archive

Chrome extension version-bump discipline: pre-commit + GitHub Actions

How to build a Chrome extension popup with Supabase Auth (step by step)

Shipping a Manifest V3 Chrome extension: the gates nobody mentions

Phased migrations with per-phase verification gates

How I document AI-built projects: a CLAUDE.md, ISSUES.md, and prompts/ workflow

How to migrate a useState form to React Hook Form and Zod (the real walkthrough)

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

Realtime broadcast scope is a security boundary, not a routing convenience

User enumeration via password reset: the bug in default forgot-password flows

Origin validation in edge functions: the open redirect you ship by default

How to build a tamper-evident audit log in Postgres with one trigger

How a Postgres constraint rename silently broke production via PostgREST

Silent timezone bugs in JavaScript date arithmetic

Two-layer identity models in Supabase: when auth and authorization disagree

ISSUES.md as a learning log: a 78-issue tracker pattern for AI-built projects

How Aider's repomap uses PageRank and tree-sitter to rank your codebase

Why I stopped trusting Bubble.io's list fields and re-query the database instead

n8n Cloud's 60-second timeout: the dispatcher-worker pattern that beats it

Idempotent data pipelines: the natural-key fingerprint pattern

How I Used Claude Code to Build a Full-Stack React App: A Step-by-Step Development Guide

Silent failures: the bug class no AI tool catches in your data pipeline

Why AI coding tools rewrite full files instead of using diffs

How AI coding tools actually edit code: 6 truths from 4,000+ hours of building software

How to Implement TOTP(time-based one-time passwords) based 2FA in Bubble.io Without Using Any APIs?

How to Migrate a Relational Database Between Two Bubble.io Apps Using n8n (Step-by-Step)

How to Merge PDFs in Bubble Without Timeouts Using n8n?

How to Implement Daisy Chain Filtering in Bubble.io?

How to Let Admins Access User Accounts in Bubble.io Without Credentials

Self-Host n8n in Minutes - No Terminal Commands, No Code (Step-by-Step)

How to Paginate Repeating Groups in Bubble.io Without Loading All Data at Once?

How to Use Sub-Apps in Bubble? - The Complete Step-by-Step Guide

How to sort a repeating group in Bubble.io by a nested field?

Step-by-Step Guide to Building an AI Assistant with Bubble.io (No Plugins)

5 Simple Scripts to Enhance UI/UX for Your Bubble.io App

How to add custom fonts in bubble.io?

Bubble.io Tips - 3

Bubble.io API Security Best Practices

How can you effectively prevent deleted pages from consuming workload units (WU)?

The learning curve of the bubble (no-code) developer explained using the dunning-Kruger effect

How to create Skeleton Loading in Bubble?

How can openAI's markdown text be converted into HTML text with CSS style without code in Bubble? (Without Paid Plugin)

How to implement OAuth 2 in Bubble?

Things I understood before learning Bubble

What is Rate Limiting in Xano?

How to convert Bubble Page into PDF? How to merge multiple PDFs in Bubble?

How to restrict file types in multi-file uploader in bubble? (No Code/No Paid Plugins)

How to choose between the UUID and the sequential ID as the Primary key in Xano?

How to select data field API Access in Xano?

How to Verify a user's email in the Bubble app using Postmark?

Bubble.io Tips - 2

Best practices while collaborating with other Bubble Devs I follow using Version control of Bubble.io

Bubble.io Tips - 1

How to configure Stripe Checkout Integration in the Bubble.io application without any Paid Plugins?

Arbitrary Text : Data Source of Nested Repeating Group in Bubble

How do I create documentation for Bubble.io Application I am working on?

How to integrate GPT 3.5 Turbo API into your Bubble.io app?

How to pass Nested Array as a parameter in Bubble API Connector?

Maximizing SEO and User Engagement on Bubble.io Website

How to calculate the distance between two locations in Bubble.io? (One location will be dynamic)

How to use Stripe Payment Intents with Bubble?

How to create a bubble app using the phone number as a signup method? (No Plugin)

6 Fatal mistakes which destroy the scalability of the Bubble application

Integrate Bubble with Airtable

Connecting Bubble.io with Zapier: Streamlining Workflows and Automating Tasks

4 Reasons why you should use fuzzy search over Searchbox in bubble?

Why one should choose Bubble.io?

Chrome extension version-bump discipline: pre-commit + GitHub Actions

How to build a Chrome extension popup with Supabase Auth (step by step)

Shipping a Manifest V3 Chrome extension: the gates nobody mentions

Phased migrations with per-phase verification gates

How I document AI-built projects: a CLAUDE.md, ISSUES.md, and prompts/ workflow

How to migrate a useState form to React Hook Form and Zod (the real walkthrough)

Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.

How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook

Realtime broadcast scope is a security boundary, not a routing convenience

User enumeration via password reset: the bug in default forgot-password flows

Origin validation in edge functions: the open redirect you ship by default

All topics