I don't know enough about this specific implementation to say whether "implemented Matrix" is accurate or marketing stretch. But the pattern of "we did X" blog posts that turn out to be "we did a demo of part of X" is getting tiresome across the industry.
The fix is boring: just be precise about what you built. "We prototyped a Matrix homeserver on Workers with these limitations" is less exciting but doesn't erode trust.
I raised this point on a previous Cloudflare blog post - they've turned quite vapid these days. If you pay attention, they're stuffed to the brim with generated text which is sloppy and under-opinionated on the audience for the writing in the first place.
That said I think the concept of a full matrix server running all on CF infrastructure/services is an awesome blog post from CF.
Honestly I wish CF would simply unpublish/retract this blog post, put another engineer on it to help the PM, and spend another couple of weeks polishing the post/code to republish the same blog post.
I am quite shocked by such lack of care, and it does tarnish the reputation of Cloudflare in my eyes :/
You can tell since the code is in a public repository and not Cloudflare’s, which IMO is the big giveaway that this is a lesson for Cloudflare in having appropriate review processes for public comms and for the individual to avoid making claims they cannot substantiate or verify independently.
How much longer are shareholders** going to accept that these are mistakes?
To be fair I've benefited from that in the past; this is an observation of my own that doesn't represent the views of any of my current or former employers.
Furthermore, I don't see why we are extending the principle of charity to cloudflare, a billion dollar enterprise controlling a significant part of internet traffic self identifying as a "utility." If cloudflare deserves more of something from us, it is scrutiny and accountability, not charity and deference.
[1] https://simonwillison.net/2025/Dec/18/code-proven-to-work/
I think it's fair to assume, given the historical quality of the CF blog, that this was a (big) mistake by an individual, and not "Cloudflare", as an entity, making this claim.
Cloudflare apparently considers blog posts to be a key deliverable for many roles. Not just marketing or devrel but engineering too. That sets up a lot of incentives for slop. And then all you need for a disaster is a high trust environment with insufficient controls, which they probably have since the process had worked for a decade without an insufficiently reviewed article blowing up in their face.
Going forward there will be just a little bit less trust, more controls, and more friction that will make it harder to get a post out in a timely manner. It's just the way all organizations evolve. You can see from the scar tissue where problems existed in the past.
What I can't believe is that they haven't retracted the whole post by now, but are allowing the author to make an even bigger mess trying to fix the initial problems.
Should have just nuked the whole thing to be honest, the blog post and the repo.
Previously someone might sketch out a purposeful one in Monodraw or something (https://monodraw.helftone.com). But only when it adds value.
Now Claude shits out this vacuous nonsense by the bucketload———but it's some interconnected boxes in a code block in a readme, so it must be good.
Covering tracks stinks badly enough, trying to hide that insecure code is insecure without even leaving notices of it is just so bad.
The end result: Me and one agent (codex) managed to build something more or less the same as Cursor's "hundreds of agents" running for weeks and producing millions of lines of code, in just 20K LOC (this includes X11, macOS and Windows support). Has --headless, --screenshot, handles scaling, link clicking and scrolling, and can render basic websites mostly fine (like HN) and most others not so fine. Also included CI builds and automatic releases because why not.
The repository itself is here and should run out of the box on most modern OSes, downloads can be found at the Releases page: https://github.com/embedding-shapes/one-agent-one-browser
Here's a screenshot I took with it: https://bsky.app/profile/simonwillison.net/post/3mdg2oo6bms2...
one-agent-one-browser-Linux-X64 1.14 MB
one-agent-one-browser-macOS-ARM64 1.02 MB
one-agent-one-browser-Windows-X64.exe 847 KB
I wonder if I did a Wayland version it'd be bigger or smaller, right now only x11 (so via xWayland on Wayland).
A poc that would usually take a team of engineers weeks to make because of lack of cross disciplinary skills can now be done by one at the cost of long term tech debt because of lack of cross disciplinary knowledge.
This is where I wish we spent more energy, figuring out better ways to work with the AI, rather than trying to replace some parts wholesale with AI. Wrote a bunch more specifically about that, while I was watching the agent work on the browser itself, here: https://emsh.cat/good-taste/ (it's like a companion-piece I guess)
I’m no expert but it seems like a strange choice to me - using a mutex around an MPSC receiver, so whoever locks first gets to block until they get a message.
Is that not introducing unnecessary contention? It wouldn’t be that hard to just retain a sender for each worker and just round robin them
Although the tell is obvious if you spent one second looking at https://github.com/nkuntz1934/matrix-workers. That misaligned ASCII diagram, damn.
Why is Cloudflare paying this guy again, just to vibe a bunch of garbage without even checking above the fold content in the README?
Perhaps usage of AI is a performance target he's being judged against, like at many tech companies today.
It's getting outright frustrating to deal with this.
Fine, random hype-men get hyped about stuff and tweet about it, doesn't mind me too much.
Huge companies who used to have a lot of good will putting out stuff like this, seemingly with absolutely zero reviews before hitting publish? What are they doing? Has everyone decided to just give up and give in to the slop? We need "engineering" to make a comeback.
I'm mostly concerned that something we used to see as a part of basic "software engineering" (verify that what you build is actually doing what you think it is) has suddenly made a very quick exit from the scene, in chase of outputting more LOC which is completely backwards.
This is also what I ask our engineers to do, but it's getting hard to enforce.
Vibing is incompatible with engineering and this practice is disgusting and NOT acceptable.
I'm starting to believe they are all right, actually. Maybe frontier models surpassed most humans, but the bar we should have for humans is really really low. I genuinely believe most people cannot distinguish LLMs' capabilities from their own capabilities, and they are not wrong from the perspective they have.
How could you perceive, out in the wild, an essence that escapes you?
Normal people don't jerk themselves off about being edgy in public. Hope this helps!
Glad you don't think the part about you jerking off is delusional, at least!
I have yet to see a counter-example
Even if Blockchain has tremendous impact, even if transformers are incredible (really) technology, even if NFTs could solve real world problems...you could basically say the same thing and be right, rounding up, 100% of the time, about anything technology related (and everything else as well). This truly is a clown world, but it is illegal to challenge it (or considered bad faith around here)
The project itself did compile most of the time it was being developed - the coding agents had been compiling it the whole time they were running on it.
Shortly after the blog post they updated the GitHub repo with compilation instructions and it worked. I took this screenshot with it: https://static.simonwillison.net/static/2026/cursor-simonwil...
The "it didn't even compile" criticism is valid in pointing out that they messed up the initial release, but if you think "it never compiled" you have an incorrect mental model.
If I install an Arch Linux, I don't say I 'installed Linux from scratch'.
I'd estimate that's a lot less than 60% of the "actual work" though.
> This post was updated at 11:15 a.m. Pacific time to clarify that the use case described here is a proof of concept. Some sections have been updated for clarity.
But then the bottom still says:
> Our team is using Matrix on Workers, handling real encrypted communications. It is fast, it is cheap, and it is arguably one of the most secure ways to deploy a homeserver today.
Which one is it?
> I have been experimenting with the implementation and am excited for any contributions from others interested in this kind of service.
A few of the versions of the blog are available at: https://archive.ph/https://blog.cloudflare.com/serverless-ma...
... Oh, dear.
5 - A production-grade Matrix homeserver [...]
5 + This is a proof of concept Matrix homeserver [...]
This whole thing in a nutshell. Bold and sad to see this. Cloudflare has/had such outstanding posts that I really like/ed to read.
https://github.com/nkuntz1934/matrix-workers/commit/fd412f41...
So many failures coming out of Cloudflare these days, feels like they peaked a while ago and are slowly declining into incompetence.
I wonder if there's a particular new fad that could be causing this
I have limited experience with Matrix, but you don't actually need Synapse (reference homeserver) which is quite a resource hog and not even remotely easy to setup/administer.
You can just use the lightweight Continuwuity homeserver for the Matrix part, and Caddy for the reverse proxy/TLS/ACME part, installed on a VPS. Both require minimal configuration, and provide packages for many Linux distributions, as well as Docker images.
(Continuwuity is a fork of conduwuit which was a fork of Conduit. Conduit was abandoned, but is now active again, and there are also other active forks as well. However, it seems to me that Continuwuity is currently the most active fork.)
https://xcancel.com/eastdakota/status/2016357035064144309#m
> It’s a proof of concept. Get off your high horse.
Welcome to Wildebeest: the Fediverse on Cloudflare https://blog.cloudflare.com/welcome-to-wildebeest-the-fedive...
Wildebeest ceased maintenance one month after the article's publication, adding a similar comment several months later[1]:
> :warning: This project has been archived and is no longer actively maintained or supported. Feel free to fork this repository, explore the codebase, and adapt it to your needs. Wildebeest was an opportunity to showcase our technology stack's power and versatility and prove how anyone can use Cloudflare to build larger applications that involve multiple systems and complex requirements.
[1]: https://github.com/cloudflare/wildebeest/commit/b1be6a5c49be...
Because their CDN/DNS is excellent software but it's not a massive moat. Workers, on the other hand, is.
It's like the difference between running something on Kubernetes vs Lambdas. One you can somewhat pivot with between vendors vs the other one requires massive rewrites to software that means most executives won't transition away from it due to high potential for failure.
Yeah, this is just shameful. Obviously written by an LLM with zero oversight. If this engineer doesn't get fired I'll lose all trust in Cloudflare.
The best CF can do is to post a post-mortem and improve procedures so that can't happen anymore.
I love LLMs as much as the next guy, but it says something about Cloudflare if they allow engineers this reckless in their organization.
That's one way to destroy the CF blog credibility!
Professionalism at its finest!
It's kinda mindblowing. What even is the purpose of this? It's not like this is some post on the vibecoding subreddit, this is fricken Cloudflare. Like... What the hell is going on in there?
To the author: see my comment at https://news.ycombinator.com/item?id=46782174, please also clean up that misaligned ASCII diagram at the top of the README, it's a dead tell.
https://github.com/nkuntz1934/matrix-workers/commits/main/
There exist only two commits. I've never seen a "real" project that looks like this.
You don't need to see every single commit and the exact chronology of my work, snapshots is enough :)
So I wouldn't use the single-commit as a signal indicating AI-generated code. In this case, there are plenty of other signals that this was AI-generated code :)
https://www.linkedin.com/posts/nick-kuntz-61551869_building-...
DevSecOps Engineer United States Army Special Operations Command · Full-time
Jun 2022 - Jul 2025 · 3 yrs 2 mos
Honestly, it is a little scary to see someone with a serious DevSecOps background ship an AI project that looks this sloppy and unreviewed. It makes you question how much rigor and code quality made it into their earlier "mission critical" engineering work.
This person was in communications of the 160th Special Operations Aviation Regiment, the group that just flew helicopters into Venezuela. ... And it looks like a very unusual connection to Delta Force.
Covering it up changes it from being dumb to being deceptive
>Claude's output was thoroughly reviewed by Cloudflare engineers with careful attention paid to security
>To emphasize, this is not "vibe coded".
>Every line was thoroughly reviewed and cross-referenced with relevant RFCs, by security experts with previous experience with those RFCs.
...Some time later...
Things built with security in mind are not invulnerable, human written or otherwise.
This applies whether the code is written by a human or AI, and also whether the code is reviewed by a human or AI.
Is a Github Copilot auto-reviewer going to click two levels deep into the Slack links that are provided as a motivating reference in the user story that led to the PR that's being reviewed? Or read relevant RFCs? (And does it even have permission to do all this?)
And would you even do this, as the code reviewer? Or will you just make sure the code makes sense, is maintainable, and doesn't break the architecture?
This all leads to a conclusion that software engineering isn't getting replaced by AI any time soon. Someone needs to be there to figure out what context is relevant when things go wrong, because they inevitably will.
If a marketer claims something, it is safe to assume the claim is at best 'technically true'. Only if an actual engineer backs the claim it can start to mean something.
so the "reviewing" process will be looking for the needles in the haystack
when you have no understanding, or mental model of how it works, because there isn't one
it's a recipe for disaster for anything other than trivial projects
>"NOOOOOOOO!!!! You can't just use an LLM to write an auth library!"
>"haha gpus go brrr"
(Those lines remain in the readme, even now: https://github.com/cloudflare/workers-oauth-provider?tab=rea...)
> Every line was thoroughly reviewed and cross-referenced with relevant RFCs
The issue in the CVE comes from direct contradiction of the RFC. The RFC says you MUST check redirect uris (and, as anyone who's ever worked with oauth knows, all the functionality around redirect uris is a staple of how oauth works in the first place -- this isn't some obscure edge case). They didn't make a mistake, they simply did not implement this part of the spec.
When they said every line was "thoroughly reviewed" and "cross referenced", yes, they lied.
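The redirect URI check discussed in the comment above, as an added example that is not part of the thread and is not code from workers-oauth-provider: a minimal authorization-code flow that compares `redirect_uri` by exact string match against the client's registered URIs, refuses to redirect on a mismatch, and binds each code to the URI it was issued for. The client registry, function names and URIs are constructed for illustration, and the sketch requires `redirect_uri` on every request, which is stricter than RFC 6749 demands.

```javascript
// Constructed client registry: the client id and URIs are illustrative.
const CLIENTS = new Map([
  ["client-a", { redirectUris: ["https://app.example/callback"] }],
]);

// Outstanding authorization codes: code -> { clientId, redirectUri }.
const issuedCodes = new Map();
let codeCounter = 0; // placeholder; a real server issues unguessable random codes

// A redirect_uri is accepted only if it is identical, character for character,
// to one the client registered. No prefix, substring or host-only matching.
function validateRedirectUri(clientId, redirectUri) {
  const client = CLIENTS.get(clientId);
  if (!client) return { ok: false, error: "unknown_client" };
  if (typeof redirectUri !== "string" || !client.redirectUris.includes(redirectUri)) {
    return { ok: false, error: "invalid_redirect_uri" };
  }
  return { ok: true };
}

// Authorization endpoint. On a bad redirect_uri the error is returned to the
// user directly; the server must not redirect to the unverified URI.
function authorize(req) {
  const check = validateRedirectUri(req.client_id, req.redirect_uri);
  if (!check.ok) return { status: 400, body: check.error };
  const code = `code-${++codeCounter}`;
  issuedCodes.set(code, { clientId: req.client_id, redirectUri: req.redirect_uri });
  const location = new URL(req.redirect_uri);
  location.searchParams.set("code", code);
  if (req.state !== undefined) location.searchParams.set("state", req.state);
  return { status: 302, location: location.toString() };
}

// Token endpoint. The code is single use and is bound to the client and to
// the redirect_uri that was presented when it was issued.
function exchangeCode(req) {
  const grant = issuedCodes.get(req.code);
  issuedCodes.delete(req.code); // consumed on first presentation, valid or not
  if (!grant || grant.clientId !== req.client_id || grant.redirectUri !== req.redirect_uri) {
    return { status: 400, body: "invalid_grant" };
  }
  return { status: 200, body: "token_issued" };
}
```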
They do entirely different things: MLS is a key agreement protocol, equivalent to the Double Ratchet that Matrix uses for E2EE today. Matrix can use both.
MLS is an IETF standard. The server is easy to write, and easy to make scalable (no complicated merge algorithm required, unlike Matrix). Finally, individual chatrooms scale to an order of magnitude larger size vs. Matrix.
MLS is superior in every way to Matrix as it exists today if you need to implement encrypted chat rooms for your app.
Source: Guy who has implemented both, including extending Matrix to scale the server to Twitter scale (by, in essence, making it working like MLS, only worse due to the merge algorithm).
Source: Guy who started Matrix, was in the room at IETF 101 when MLS was proposed and ratified it for Matrix, and has been working away on the various approaches to use MLS on Matrix.
Like okay, I am an indie-dev if I create a vibe coded project, I create it for fun (I burn VC money of other people doing so tho but I would consider it actually positive)
But what's up with large companies who can actually freaking sponsor a human to do work make use of AI agents vibe code.
First it was cursor who spent almost 3-5 million$ (Just came here after watching a good yt video about it) and now Cloudflare.
Like, large corpos, if you are so much interested in burning money, at least burn it on something new (perhaps it's a good critique of the browser thing by Cursor but yeah)
I am recently in touch with a person from UK (who sadly got disabled due to an accident when he was young) guy who is a VPS provider who got really impacted by WHMCS increase in bill and He migrated to 1200 euros hostbill. Show him some HN love (https://xhosts.uk/)
I had vibe coded a golang alternative. Currently running it in background to create it better for his use cases and probably gonna open source it.
The thing with WHMCS alternatives is that I made one using gvisor+tmate but most should/have to build on top of KVM/QEMU directly. I do feel that WHMCS is definitely one of the most rent seeking projects and actually writing a golang alternative of it makes sense (at least to me)
Can there not be an AI agent which can freaking detect what people are being charged for (unfairly) online & these large companies who want to build things can create open source alternatives of it.
I mean I am not saying that it stops being slop but it just feels a good way of making use of this tech aside from creating complete spaghetti slop nobody wants, I mean maybe it was an experiment but now it got failed (Cursor and this)
A bit ironic because I contacted the xhosts.uk provider because I wanted to create a cloudflare tunnels alternative after seeing 12% of internet casually going through cf & I saw myself being very heavily reliant on it for my projects & I wasn't really happy about my reliance on cf tunnels ig
Of course, this is done by a manager. Classic corporate mindset, I can do what these smelly nerds do every day, hold my beer.
He doesn't even know how git works, huh?
What a clown.
> A production-grade Matrix homeserver
this is engineering malpractice. It is also unethical to present the work of an LLM as your own.
Unequivocally yes.
Fraud is fraud, and if your first instinct is to defend it in this manner, check yourself in the mirror.
I would absolutely say exactly the same things to the author’s face as I’m saying right now. I would never work for a company that condones this in a million years, as a matter of principle.
I just see a lot of comments from people who just seem happy to see that they can contribute to ruining someone else's day (or more).
You wrote,
> May I kindly ask you to calm the fuck down?
So yes, a reasonable person would conclude that you were talking to them.
> I just see a lot of comments from people who just seem happy to see that they can contribute to ruining someone else's day (or more).
Which comments do you see doing that? Exactly?
And you don't seem to understand how the conversation went. I was obviously talking about my first comment, to which they answered.
> Which comments do you see doing that? Exactly?
Interestingly, those that made me write my first message were removed. Not that it was because of my message obviously, which mostly got me downvotes :-).
But the next best one would be:
"public shaming is the next best thing. I sincerely hope links to this incident will haunt him every time someone googles his name forevermore"
(after implying that ideally they should lose their job for this)
He's emblematic of the era we now live in. Vibe coded projects that the "developer" didn't learn anything from, posted using LLMs. People have zero shame, zero curiosity, zero desire in learning and understanding what they're working on.
Also it doesn't make sense to escalate an interaction by swearing at a person and simultaneously asking them to calm down.
I found it fun :-).
I kindly ask to try to empathise with a random human being who is most certainly not used to being shamed publicly, and they tell me to check myself in the mirror.
That doesn't exist in our trade, so yeah, public shaming is the next best thing. I sincerely hope links to this incident will haunt him every time someone googles his name forevermore.
Controlled by a machine and only there to put their names and reputations on the line when the machine messes up.
Maybe this applies more to a writer having to generate 20 articles per hour in some journalism sweatshop, pressured to push out anything that will catch the winds of SEO augmented news, but I would not discount the level of pressure that the author of the blog post was put under to produce something, anything...
Based on the published profile, I strongly suspect that this person is not paid that well at all. You are not looking at a FAANG kind of deal here most certainly.
So maybe spare one second of thought for that future where many many folks are just there to be burnt up in some cancellation machine whilst profit gets accumulated elsewhere...
Still I don't think that some random employee deserves to be harassed and publicly shamed for a bad blog post.
In this industry, public criticism for public fraudulence is "harassment", I guess? C'mon, man.
Yes, but this is not another industry. Also in other industries, some say that "full self-driving is coming tomorrow" or "we can send millions of people to live on mars".
> public criticism for public fraudulence is "harassment", I guess? C'mon, man.
I never said "don't criticise". I have seen comments that I found very disrespectful early when this post started growing, and I tried to call for some empathy for the human being who made that mistake.
That's a generous read. From the actual article:
> We wanted to see if we could eliminate that tax entirely. Spoiler: We could.