Writing
Notes on Bubble.io, AI, and shipping things.
68 posts on Bubble.io, AI, n8n, and shipping production apps that hold up.
Latest
How to encrypt API keys and client secrets in Supabase
Use Supabase Vault to encrypt API keys and client secrets, keep metadata in Postgres, and gate decrypts behind one checked SECURITY DEFINER function.
Read as a series
Topical clusters meant to be read in order, or jumped into anywhere.
Recent writing
View all 68 →
·6 min read · chrome-extension , github-actions , pre-commit-hooks
Chrome extension version-bump discipline: pre-commit + GitHub Actions
The Chrome Web Store rejects re-uploads with the same manifest version. Catch the missed bump locally in a pre-commit hook; gate it again in CI.
·7 min read · chrome-extension , manifest-v3 , supabase
How to build a Chrome extension popup with Supabase Auth (step by step)
Wire Supabase Auth into an MV3 popup: bundle the UMD, persist sessions in chrome.storage, recover state on reopen. Working code included.
·10 min read · chrome-extension , manifest-v3 , chrome-web-store
Shipping a Manifest V3 Chrome extension: the gates nobody mentions
Trader verification, publisher identity, the URL slug gotcha, version-bump CI: the async gates that turn a one-day project into a three-week project.
·7 min read · methodology , refactoring , lovable
Phased migrations with per-phase verification gates
Big-bang refactors of 6+ files break things you cannot predict. Phased migration with explicit gates catches regressions before they compound.
·8 min read · claude-code , claude-md , lovable
How I document AI-built projects: a CLAUDE.md, ISSUES.md, and prompts/ workflow
Four files that fix the missing context in AI-built codebases: CLAUDE.md, ISSUES.md, a prompts/ folder, and a two-AI handoff workflow.
·7 min read · react-hook-form , zod , react
How to migrate a useState form to React Hook Form and Zod (the real walkthrough)
Step-by-step migration from useState to React Hook Form, Zod, and shadcn Form. Code diffs, validation mode choice, and four gotchas covered.
·7 min read · supabase , supabase-auth , supabase-publishable-key
Migrating to Supabase publishable keys broke my Chrome extension. Here is the fix.
Supabase publishable keys return 401 from hand-rolled fetch. Migration to @supabase/supabase-js with a chrome.storage.local session adapter.
·9 min read · lovable , lovable-security , supabase
How to audit a Lovable app after the BOLA disclosure: a 6-hour rotation playbook
Audit checklist I ran on a client's Lovable app after the April 2026 BOLA disclosure, plus the key rotation and Chrome extension SDK migration.
·7 min read · supabase , supabase-realtime , security
Realtime broadcast scope is a security boundary, not a routing convenience
Default-public Realtime broadcasts leak message bodies to every subscriber. The private-channel flag plus RLS is the fix.
·6 min read · security , supabase , auth-jwt
User enumeration via password reset: the bug in default forgot-password flows
Most forgot-password endpoints leak whether an email exists. Fix: return the same response always, regardless of account status.
All topics
- bubble (40)
- no-code (30)
- bubbleio (29)
- nocode (15)
- supabase (10)
- no-code-platform (9)
- bubble-developers (8)
- methodology (7)
- n8n (6)
- api-security (5)
- apis (5)
- claude-code (5)
- postgres (5)
- security (5)
- tutorial (5)
- chrome-extension (4)
- data-integrity (4)
- data-pipeline-reliability (4)
- vibe-coding (4)
- ai-coding-tools (3)
- aider (3)
- api (3)
- automation (3)
- cursor (3)
- data-migration (3)
- javascript (3)
- lovable (3)
- manifest-v3 (3)
- no-code-development (3)
- performance-optimization (3)
- security-definer (3)
- supabase-auth (3)
- typescript (3)
- xano (3)
- api-integration (2)
- css (2)
- documentation (2)
- idempotency (2)
- low-code (2)
- mvp (2)
- mvp-development (2)
- optimization (2)
- owasp (2)
- payments (2)
- rls-policies (2)
- stripe (2)
- 2fa (1)
- ai (1)
- ai-assistant (1)
- ai-development (1)
- airtable (1)
- api-access (1)
- api-basics (1)
- apiintegration (1)
- audit-logging (1)
- auth-jwt (1)
- authentication (1)
- automation-tools (1)
- backend-developments (1)
- beginners (1)
- best-practices (1)
- bola (1)
- bubble-api (1)
- bubble-backend-workflow (1)
- bubble-list-field (1)
- bubble-sort (1)
- bubble-timeout (1)
- bubbleio-lazy-loading (1)
- bubbleio-pagination (1)
- bubbleio-repeating-group-performance (1)
- bubbleio-workload-units-optimization (1)
- bubbletips (1)
- bubbletutorial (1)
- chatgpt (1)
- checkout (1)
- chrome-extension-lifecycle (1)
- chrome-web-store (1)
- ci-cd (1)
- claude-md (1)
- codebase-ranking (1)
- custom-fonts (1)
- daisy-chain-filter (1)
- data-migration-tools (1)
- data-pipeline (1)
- databases (1)
- datamigration (1)
- dedup (1)
- diffs (1)
- dispatcher-worker (1)
- dunning-kruger-effect (1)
- edge-functions (1)
- encryption (1)
- fast-apply (1)
- filtering (1)
- finalize-parents (1)
- font-integration (1)
- full-stack (1)
- geolocation (1)
- github-actions (1)
- google-authenticator (1)
- google-maps (1)
- identity-management (1)
- impersonation (1)
- intl-api (1)
- issues-md (1)
- key-rotation (1)
- learning-journey (1)
- learning-log (1)
- learningcurve (1)
- load-data-in-chunks-bubbleio (1)
- loginasuser (1)
- lovable-security (1)
- markdown-to-html (1)
- merge-pdf (1)
- morph (1)
- multi-tenant-database-design (1)
- multitenant (1)
- n8n-cloud (1)
- n8n-openai-pinecone-automation-nocode (1)
- n8n-workflows (1)
- natural-key (1)
- nextjs (1)
- no-code-automation (1)
- no-code-mobile-app-builder (1)
- oauth2 (1)
- open-redirect (1)
- openai (1)
- pagerank (1)
- pdf-merge (1)
- performance (1)
- plugins (1)
- postgres-migrations (1)
- postgres-triggers (1)
- postgrest (1)
- postmark (1)
- pre-commit-hooks (1)
- primary-key (1)
- ratelimiting (1)
- react (1)
- react-hook-form (1)
- reactjs (1)
- refactoring (1)
- saas (1)
- saas-development (1)
- saas-development-services (1)
- salesforce (1)
- scalability (1)
- self-hosted (1)
- seo (1)
- sequential-id (1)
- shadcn-ui (1)
- silent-failures (1)
- skeleton-loading (1)
- sorting (1)
- startup (1)
- supabase-publishable-key (1)
- supabase-realtime (1)
- supabase-vault (1)
- tailwind-css (1)
- timezone-handling (1)
- token (1)
- totp (1)
- tree-sitter (1)
- typography (1)
- ui (1)
- ui-design (1)
- uiux (1)
- user-engagement (1)
- user-enumeration (1)
- uuid (1)
- ux (1)
- web-design (1)
- websockets (1)
- workflow-architecture (1)
- workload-units (1)
- zapier (1)
- zod (1)