Tuesday Tool Time is happening in 10 hours
if this is real, it's terrifying....
https://www.moltbook.com/ Skynet may have just happened because of that stupid shady claw app....
Clawdbot mania
Pretty cool, but it may need its own device for total security. Anyone seen or have info on this new thing? I am going to set up a completely different system to run this on. Mine will probably be Linux based, on DDR3, so not ideal. Seems people are using the M4 Mac mini as the device for deploying, which makes sense because of the (relatively) cheap unified memory they have.
Dipping my toes into Claude Code
I ran two jobs so far tonight. The first was just going through and documenting my project; that seemed to go well. After that, I challenged Claude to use that document and do a deep dive security analysis of the auth in my app. It identified all of these issues:

Session Validation Bypass (CRITICAL)
Missing Rate Limiting (HIGH)
Weak CSRF Protection (HIGH)
Client-Modifiable Attribution Data (MEDIUM-HIGH)
Missing Email Verification (MEDIUM)
Username Enumeration (MEDIUM)
Weak Password Policy (LOW-MEDIUM)
Missing Account Lockout Mechanism (HIGH)
Missing Rate Limiting on Critical Endpoints (HIGH)
Missing HSTS Header (MEDIUM-HIGH)
Attribution Cookie Security Weaknesses (MEDIUM)

So I went through and addressed these one by one with ChatGPT Codex, and left three outstanding that were just going to add more hassle to dev/testing, with a mind to implement them before deployment. Here is the final writeup that Claude gave the app:

Summary of Final Security Analysis
🎉 Excellent News! Security Grade: A- (Strong)
Your authentication system is now production-ready with only the deferred items remaining!

✅ What's Working Exceptionally Well
1. Triple-Layer Session Validation - Defense in depth with middleware, server actions, and route guards
2. Comprehensive Rate Limiting - All critical endpoints protected (auth, checkout, username checks)
3. Account Lockout System - Prevents distributed brute force attacks
4. Strong CSRF Protection - Exact origin matching for all state-changing requests
5. Attribution Cookie Security - HMAC-SHA256 with timing-safe comparison
6. HSTS Header in Production - 2-year HTTPS enforcement
7. Email Verification - Required before login
8. Webhook Security - Stripe signature verification with idempotency

🟢 Critical Vulnerabilities: NONE! All previous critical issues have been resolved.

⚠️ Remaining Items (All Deferred as Planned)
HIGH Priority (before production):
1. Weak password policy (intentionally deferred)
2. No MFA yet (intentionally deferred)
3. Insecure cookies in dev (intentionally deferred)
Toying with Claude Code day 2
I'm continuing to have Claude Code do security audits on the app that I'm building. I couldn't keep going last night because it only took three prompts to completely use up my allowed usage, even though I purchased an annual Pro plan. Compare that with ChatGPT Codex, where I can just hammer prompts all day long. Oh well, I guess it forces me to take periodic breaks...

Today, I had Claude review all of the APIs in my application with an emphasis on best practice security architecture. It identified these issues:

Unauthenticated Analytics Endpoints (Critical)
NoSQL Injection Vulnerability (Critical)
Missing Idempotency on Financial Operations (Critical)
Race Condition in Commission Calculation (Critical)
Verbose Error Messages Exposing Stack Traces (Critical)
Missing Rate Limiting on Webhooks (Critical)
Missing Input Validation Schemas (High)
Session Cookie Fixation Risk (Medium)

What I'm really loving is that Claude is giving me an explanation of the issue, how severe it is, a CVSS score, the code it sees as being problematic, what data is exposed, what the attack scenario looks like, and a proposed fix. This is allowing me to educate myself, which I love, and it's allowing me to feed the proposed fixes back into ChatGPT, where I don't have this insane rate limiting that I'm getting from Claude.
A notebook on Claude skills
Here is a link to a NotebookLM notebook I made on a few good sources on Claude Code skills: https://notebooklm.google.com/notebook/8dd088c8-44df-4e4b-ab49-b75f36f0056b
Vibe Code Guild
skool.com/vibecodeguild
Experienced people riding the vibe and building apps. No hierarchy, just contribution. Launch fast, own your work, build financial freedom.