workers-oauth-provider VS colibri

AFAIK, this https://github.com/cloudflare/workers-oauth-provider repository is made with Claude code.

> So it kinda worked, but I would not use that for anything "mission critical" (whatever this means).

It means projects like Cloudflare's new OAuth provider library. https://github.com/cloudflare/workers-oauth-provider

> This library (including the schema documentation) was largely written with the help of Claude, the AI model by Anthropic. Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security and compliance with standards. Many improvements were made on the initial output, mostly again by prompting Claude (and reviewing the results). Check out the commit history to see how Claude was prompted and what code it produced.

I get that a lot of folks wouldn't want to keep a log, but it makes me so sad that the wonderful aider 'ai peer' recommends adding aider logs of all sorts to the gitignore on startup. This feels bad for humans, and bad for AI sense-making too. If you are having this dialog, of course you'd want to be able to reflect on that, I'd think.

It'd be neat to go further. Keeping the agent instructions alongside engineering docs feels like it makes sense. It'd be neat to see what one could do with Backstage like integration, to build out this existing wonderful corporate knowledge-base.

Are there MCP servers yet that can reflect on chat history? Now I want to see a Backstage MCP server even more, one that's extensible by the many Backstage plugins!

Shout out to Kenton Varda & cloudflare doing a nice job making a good commit history of AI use on this project where Kenton was testing the waters. I'm not sure what other good write ups we have for enshrining & promoting the agent instructions as good reference material. https://github.com/cloudflare/workers-oauth-provider/ https://news.ycombinator.com/item?id=44159166

To be fair, there was a pretty dumb CVE (which had already been found and fixed by the time the project made the rounds on HN):

https://github.com/cloudflare/workers-oauth-provider/securit...

You can certainly make the argument that this demonstrates risks of AI.

But I kind of feel like the same bug could very easily have been made by a human coder too, and this is why we have code reviews and security reviews. This exact bug was actually on my list of things to check for in review, I even feel like I remember checking for it, and yet, evidently, I did not, which is pretty embarrassing for me.

We'll have to see how it pans out for Cloudflare. They published an oauth thing and all the prompts used to create it.

https://github.com/cloudflare/workers-oauth-provider/

There's many examples of exactly what you're asking for, such as Kenton Varda's Cloudlfare oauth provider [1] and Simon Willison's tools [2]. I see a new blog post like this with detailed explanations of what they did pretty frequently, like Steve Klabnik's recent post [3], which while it isn't as detailed has a lot of very concrete facts. There's even more blog posts from prominent devs like antirez who talk about other things they're doing with AI like rubber ducking [4], if you're curious about how some people who say "I used Sonnet last week and it was great" are working, because not everyone uses it to write code - I personally don't because I care a lot about code style.

[1]: https://github.com/cloudflare/workers-oauth-provider/

[2]: https://tools.simonwillison.net/

[3]: https://steveklabnik.com/writing/a-tale-of-two-claudes/

[4]: https://antirez.com/news/153

> A very good piece that clearly illustrates one of the dangers with LLS's: responsibility for code quality is blindly offloaded on the automatic system

It does not illustrate that at all.

> Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security and compliance with standards.

> To emphasize, *this is not "vibe coded"*. Every line was thoroughly reviewed and cross-referenced with relevant RFCs, by security experts with previous experience with those RFCs.

— https://github.com/cloudflare/workers-oauth-provider

The humans who worked on it very, very clearly took responsibility for code quality. That they didn’t get it 100% right does not mean that they “blindly offloaded responsibility”.

Perhaps you can level that accusation at other people doing different things, but Cloudflare explicitly placed the responsibility for this on the humans.

The author goes into great detail about how he looked at my commit log[0] where I used AI, and he found it "nauseating" and concluded he'd never want to work that way.

I'm certainly not going to tell anyone that they're wrong if they try AI and don't like it! But this guy... did not try it? He looked at a commit log, tried to imagine what my experience was like, and then decided he didn't like that? And then he wrote about it?

Folks, it's really not that hard to actually try it. There is no learning curve. You just run the terminal app in your repo and you ask it to do things. Please, I beg you, before you go write walls of text about how much you hate the thing, actually try it, so that you actually have some idea what you're talking about.

Six months ago, I myself imagined that I would hate AI-assisted coding! Then I tried it. I found out a lot of things that surprised me, and it turns out I don't hate it as much as I thought.

[0] https://github.com/cloudflare/workers-oauth-provider/commits... (link to oldest commits so you can browse in order; newer commits are not as interesting)

What exactly do you want to see put up?

I ask this because it reads like you have a specific challenge in mind when it comes to generative AI and it sounds like anything short of "proof of the unlimited powers" will fall short.

It's almost as if you've set the criteria find LLMs being useful to be proof of unlimited powers.

Here's the deal: Reasonable people aren't claiming this stuff is a panacea. It's useful when used by people who understand its limitations.

If you want to see how it's been used by someone who was happy with the results, and is willing to share their results, you can scroll down a few stories on the front-page and check the commit history of this project:

https://github.com/cloudflare/workers-oauth-provider/commits...

Now here's the deal: These people aren't trying to prove anything to you. They're just sharing the results of an experiment where a very talented developer used these tools to build something useful.

So let me ask you this: Did they put up? Or is it not magical enough for you to deem it useful?

> did he save any time though

Yes:

> It took me a few days to build the library with AI.

> I estimate it would have taken a few weeks, maybe months to write by hand.

– https://news.ycombinator.com/item?id=44160208

> or just tried to prove a point that if you actually already know all details of impl you can guide llm to do it?

No:

> I was an AI skeptic. I thoughts LLMs were glorified Markov chain generators that didn't actually understand code and couldn't produce anything novel. I started this project on a lark, fully expecting the AI to produce terrible code for me to laugh at. And then, uh... the code actually looked pretty good. Not perfect, but I just told the AI to fix things, and it did. I was shocked.

— https://github.com/cloudflare/workers-oauth-provider/?tab=re...

Im working on a similar project, Colibri (https://github.com/colibri-hq/colibri), an app to manage your ebook collection. Librari is looking really slick! Also, It’s always interesting to see how others approach schema selection and customization.

If I may, I would suggest adding support for ingesting data from open sources, for example OpenLibrary, WikiData, the LoC API, and a bunch of others. Since you’re building a for-profit project, you can probably also tap the billed services to get high-quality metadata. But even with OpenLibrary alone, you have access to a treasure trove of information that spares users from having to type off things from their books. That allows for bulk import, high-res covers, and so on.

I’m currently working on the metadata reconciliation engine in Colibri, so feel free to check out the source every once in a while.

Funny thing. I have built something similar recently, that is a 2.1-compliant authorisation server in TypeScript[0]. I did it by hand, with some LLM help on the documentation. I think it took me about two weeks full time, give or take, and there’s still work to do, especially on the testing side of things, so I would agree with you.

I’m going to take a very close look at your code base :)

[0] https://github.com/colibri-hq/colibri/blob/next/packages/oau...

Semantic search is planned as part of book content search, look here: https://github.com/colibri-hq/colibri/issues/45

LLMs might make sense to interact with your collection, so that could find its way into the app at some point. Plus, I've been experimenting with generating llms.txt for all routes to point your own LLM to.

On the other hand, I'm concerned with LLMs quite intensely at work, so it's nice to spend some time with plain, honest-to-god SQL for now!

But currently it's from openlibrary.org right? https://github.com/colibri-hq/colibri/blob/next/apps/app/src...

Oh my! This looks very neat, and I’ve been working on something similar to Storyteller (i think): https://github.com/project-kiosk/kiosk

I don’t get around working on it right now, but maybe there’s something useful there for you.

I'm actually working on something like this:

https://github.com/project-kiosk/kiosk/tree/v3

I'm still deep in the trenches, though. That project is like my personal zen garden of deadline-free software development, so don't expect a release soon. Happy if someone would be interested in contributing, though :)

Interesting! For a while now, I’ve started working on a similar project with the same general idea, although I settled for SvelteKit and browsers instead of native apps:

https://github.com/project-kiosk/kiosk

I just can’t keep motivation up long enough to finish it…