• What favicon sizes do I need?

• What image size does Twitter use?

• Where should icons go in Next.js App Router?

• Do I need a maskable icon?

So I wrote this short checklist for my future self.

If I follow this post step-by-step, my app will have all required icons and social images.

This guide assumes:

• Next.js App Router

• icons placed in /app

• metadata handled by Next.js metadata system

Next.js automatically detects files like favicon.ico, opengraph-image.png, and twitter-image.png when placed in the app folder and adds them to the page metadata automatically. (Next.js)

🖼️ 1. Start With One High-Resolution Logo

Always begin with a square PNG.

Recommended:

logo.png
1024 × 1024
transparent background

Everything else will be generated from this.

🌐 2. Favicons (Browser Tabs)

Favicons are still required for browser tabs and bookmarks.

The .ico format can contain multiple sizes inside a single file, allowing browsers to select the best resolution automatically. (Favicon.io)

Typical sizes inside favicon:

16×16
32×32
48×48
64×64

🔧 Tool I use

https://realfavicongenerator.net

https://www.png2ico.com/

Upload your logo and generate favicon.ico.

📁 Folder placement

/app
  favicon.ico

Next.js automatically detects the file and adds it to <head>. (wisp.blog)

🔍 Test your favicon

1. Open your site in Chrome

2. Check the browser tab icon

Or verify using:

https://realfavicongenerator.net/favicon_checker

https://cards-dev.x.com/validator - For x.com

📱 3. PWA App Icons (Installable Apps)

These icons appear when a user installs your web app.

Minimum required sizes:

icon-192.png
icon-512.png

PWAs typically require 192×192 and 512×512 icons for installation and splash screens. (Stack Overflow)

Folder structure

/public
  icon-192.png
  icon-512.png
  icon-maskable-512.png

Example manifest.js

export default function manifest() {
  return {
    name: "Your App",
    short_name: "App",
    start_url: "/",
    display: "standalone",
    icons: [
      {
        src: "/icon-192.png",
        sizes: "192x192",
        type: "image/png"
      },
      {
        src: "/icon-512.png",
        sizes: "512x512",
        type: "image/png"
      },
      {
        src: "/icon-maskable-512.png",
        sizes: "512x512",
        type: "image/png",
        purpose: "maskable"
      }
    ]
  }
}

The manifest file defines how your web app behaves when installed and includes the icons used by devices. (MDN Web Docs)

🎨 4. Maskable Icons (Android Adaptive Icons)

Modern PWAs should also include maskable icons.

Android launchers crop icons into shapes (circle, squircle, etc.).
Maskable icons allow your icon to fill the entire shape correctly. (web.dev)

Add this icon:

/public
    icon-maskable-512.png

Updated manifest entry

{
  src: "/icon-maskable-512.png",
  sizes: "512x512",
  type: "image/png",
  purpose: "maskable"
}

Recommended icon set:

icon-192.png
icon-512.png
icon-maskable-512.png

🔗 5. Social Sharing Images

These images appear when someone shares your site on:

• Twitter / X

• LinkedIn

• Facebook

• Slack

• Discord

Next.js supports special file names for them.

opengraph-image.png
twitter-image.png

Next.js automatically detects these files when placed in the app folder. (Next.js)

Recommended size

This works across most social platforms.

1. opengraph-image.png -- 1200x630 pixels

2. twitter-image.png -- 1200x675 pixels

Folder structure

/app
  opengraph-image.png
  twitter-image.png

⚡ 6. Dynamic Social Images (My Favorite)

Instead of static images, I generate them dynamically.

Example:

/app/api/og/route.js
/app/api/twitter-card/route.js

Using:

ImageResponse from next/og

Next.js supports both static and dynamically generated OG images. (Next.js)

Benefits:

• centralized branding

• dynamic titles

• dynamic backgrounds

• easy updates

📂 Final Folder Structure

When everything is done, /app should look like this:

/app
  favicon.ico
  opengraph-image.png
  twitter-image.png
  manifest.js

✅ My Personal Icon Checklist

Whenever I launch a new project:

✔ favicon.ico
✔ icon-192.png
✔ icon-512.png
✔ icon-maskable-512.png
✔ opengraph-image.png (1200×630)
✔ twitter-image.png (1200×630)

That’s it.

No guessing.
No Googling again.

You can build beautiful APIs.
You can have authentication.
You can even have JWTs, OAuth, and encrypted traffic.

And still ship a critical vulnerability.

That vulnerability is IDOR — Insecure Direct Object Reference.

It’s simple.
It’s common.
And it’s responsible for some of the most serious real-world data leaks.

Let’s break it down properly — what it is, how it happens, how attackers exploit it, and how modern teams prevent it in 2026.

🧠 What Is IDOR?

IDOR (Insecure Direct Object Reference) occurs when an application exposes a direct reference to an internal object (like a database ID) without properly checking whether the user is authorized to access it.

In simple terms:

The system verifies who you are — but not what you’re allowed to access.

That’s an authorization failure.

And in modern security standards, this falls under:

Broken Access Control (OWASP Top 10)

💥 The Classic Example

Let’s say your API has this route:

GET /api/users/123

Backend code:

app.get('/api/users/:id', async (req, res) => {
  const user = await User.findById(req.params.id)
  res.json(user)
})

Now imagine:

• You are logged in as user ID 101

• You change the request to:

GET /api/users/102

If the server does not verify ownership, you now have access to another user's data.

No hacking tools required.
No brute force.
Just changing a number.

That’s IDOR.

🔥 Why It’s So Dangerous

With IDOR, attackers can:

• View other users’ personal data

• Download invoices

• Access private files

• Modify someone else’s account

• Delete resources they don’t own

It’s not a theoretical issue.
It’s one of the most exploited vulnerabilities in production systems.

🧩 Where IDOR Commonly Appears

IDOR doesn’t just happen in user profiles.

It often shows up in:

📦 Orders

GET /orders/98765

📄 Documents

GET /documents/abc123

🧾 Invoices

GET /invoice/4455

📁 File Downloads

GET /files/report.pdf

If access control isn’t enforced properly, all of these can be exposed.

⚠️ Authentication ≠ Authorization

This is the mistake many developers make.

• Authentication → Who are you?

• Authorization → What are you allowed to access?

IDOR happens when authentication exists but authorization checks are missing or incomplete.

🛠️ The Correct Way to Fix It

❌ Wrong Approach

const order = await Order.findById(req.params.id)

✅ Correct Approach

const order = await Order.findOne({
  _id: req.params.id,
  userId: req.user.id
})

Now the query ensures:

• The order exists

• It belongs to the logged-in user

This simple pattern eliminates most IDOR cases.

🔐 Best Practices to Prevent IDOR (2026 Standard)

Modern engineering teams follow these rules:

1️⃣ Always Scope Database Queries by Ownership

Every resource should be tied to:

• userId

• organizationId

• role

• permission policy

Never fetch by ID alone.

2️⃣ Centralize Authorization Logic

Instead of scattering checks everywhere:

Use:

• Middleware

• Policy layers

• Access control services

For example:

if (!canAccess(req.user, resource)) {
  return res.status(403).json({ error: "Forbidden" })
}

Centralizing reduces human error.

3️⃣ Use Role-Based or Attribute-Based Access Control

Modern systems use:

• RBAC (Role-Based Access Control)

• ABAC (Attribute-Based Access Control)

This makes permission decisions consistent and scalable.

4️⃣ Avoid Predictable IDs (Optional but Helpful)

Sequential IDs:

/user/1
/user/2
/user/3

Very easy to enumerate.

Better:

/user/550e8400-e29b-41d4-a716-446655440000

UUIDs reduce guessing — but they do NOT replace proper authorization checks.

5️⃣ Log Suspicious Access Patterns

If a user tries:

/user/100
/user/101
/user/102
/user/103

That’s enumeration behavior.

Modern systems log and alert on this.

🧪 How to Test Your App for IDOR

Here’s a simple developer checklist:

1. Log in as User A

2. Capture a request like:

   GET /api/orders/123
   

3. Change the ID to another value

4. Replay the request

If you get valid data → you have an IDOR vulnerability.

Security engineers test this constantly.

🏗️ How Modern Teams Design Against IDOR

In mature systems, you’ll see:

• Object queries always scoped to ownership

• Middleware handling authorization

• Centralized permission services

• Automated security tests in CI

• API contracts enforcing access rules

• Security reviews during PR

Security is built into the architecture — not patched afterward.

📌 Real-World Example (Multi-Tenant SaaS)

Imagine a SaaS dashboard:

GET /api/projects/abc123

Correct query:

const project = await Project.findOne({
  id: req.params.id,
  organizationId: req.user.organizationId
})

This prevents users from accessing projects outside their organization.

This is how serious SaaS platforms avoid cross-tenant data leaks.

🧠 Why IDOR Is Still So Common

Because it’s easy to overlook.

Developers think:

• “The user is logged in.”

• “The UI hides the button.”

• “Nobody will try changing the ID.”

Attackers absolutely will.

🎯 Key Takeaways

• IDOR is an authorization failure.

• It allows users to access resources they don’t own.

• It’s part of OWASP’s Broken Access Control category.

• Fixing it requires proper ownership checks in every query.

• Modern systems centralize and automate authorization.

🚀 Final Thoughts

IDOR is dangerous because it’s simple.

No SQL injection.
No complex exploit chains.
Just changing a number in a request.

In 2026, secure development isn’t optional.
Authorization logic is core infrastructure.

If you build APIs, SaaS products, dashboards, or file systems —
you must treat access control as seriously as authentication.

Today, modern software teams use:

• structured documentation formats like AGENTS.md and SKILL.md

• automated tests at all levels (unit → integration → end-to-end)

• continuous integration / deployment (CI/CD)

• secure coding workflows

• AI and agent-assisted development tools

This isn’t future-talk — it’s already how top engineering teams worldwide work in 2026.

📘 1. Must-Have Docs for Any Project

Good documentation is no longer optional — even AI tools depend on it.

📝 AGENTS.md — Machine-Readable Project Guide

AGENTS.md tells coding agents how to behave in your project:

• how to install

• how to build

• commands for tests

• style rules

• guardrails

These aren’t just nice to have — they reduce ambiguity and help both humans and AI collaborate without confusion.

Modern coding ecosystems treat docs as part of the codebase — versioned and always up-to-date.
This approach is known as docs-as-code.

📗 SKILL.md — Domain Knowledge Module

Some tasks are complex and repeatable. SKILL.md encapsulates how to do them consistently:

• writing API docs

• refactoring guidelines

• test generation patterns

• architectural standards

If you think of AGENTS.md as “how the project runs”, SKILL.md is “how we do specific things well”.

These files are critical when teams want agents to perform high-value tasks reliably.

🧼 2. Coding Standards That Still Matter

Before any tests or release pipelines, clean code matters.

🧠 Consistent Style & Naming

Use:

• solid naming conventions

• agreed linting rules (Prettier, ESLint, RuboCop, etc.)

• clear formatting guidelines

Consistency helps teams onboard faster and reduces bugs caused by misunderstandings.

🏷️ Commit Message Standards

Using structured commit conventions (like Conventional Commits) supports:

• automated changelogs

• semantic versioning

• better traceability

Example:

feat(auth): add password reset
fix(api): handle edge case in token validation
docs: update AGENTS.md

Structured commits are now expected by modern release pipelines.

🔐 3. Secure Coding Practices — Safety First

Security is every developer’s responsibility.

Secure coding isn’t a separate phase — it’s a constant habit.

Best practices include:

• input validation

• output encoding

• using prepared queries

• avoiding hard-coded secrets

• dependency scanning

• threat modeling

This ensures your code is safe from common attacks and tools catch mistakes early.

🧪 4. Testing — Your Code’s Safety Net

Testing makes your code reliable and predictable.

🔍 Types of Tests to Know

• Unit Tests — test small units in isolation

• Integration Tests — test modules working together

• End-to-End Tests — simulate real user workflows

• Performance & Regression Tests

Top teams write tests early — sometimes before writing production code (TDD).

🧪 Quick Test Example (JavaScript + Jest)

sum.js

export function sum(a, b) {
  return a + b;
}

sum.test.js

import { sum } from './sum';

test('adds two numbers', () => {
  expect(sum(2, 3)).toBe(5);
});

Run:

pnpm test

Your tests become part of continuous integration workflows — automatically verifying code quality on every push.

🚀 5. CI/CD — Automated Builds & Deployment

Modern teams automate releases using CI/CD pipelines:

• Run tests on every push

• Lint & static analysis

• Deployment to staging/production

• Canary releases / feature flags

CI/CD is expected, not optional — it ensures reliable, repeatable delivery.

🤖 6. Best AI & Agent-Assisted Coding Tools (Free & Paid)

In 2026, AI coding tools have matured into core developer tools — not just nice extras.

Here’s an overview of the most impactful vibe coding tools you should know:

💡 Cursor — AI-First Code Editor

• Works like VS Code but infused with an AI agent

• Understands multi-file contexts and suggestions

• Great for rapid iteration and editing

• Smooth IDE-style workflow with AI support

Cursor is widely loved by developers for its deep editor integration and strong productivity boost.

🤖 GitHub Copilot + Built-In Agents

• AI suggestions directly in GitHub & VS Code

• Now supports multiple AI agents (Copilot, Claude, Codex) inside GitHub workflows

• Generates code, tests, docs, and pull requests

GitHub is integrating rival AI code agents like Anthropic’s Claude and OpenAI’s Codex right into its platform, making them available inside repositories where developers already work.

⚡ Claude Code — CLI & Web Coding Agent

• Strong at reasoning and complex changes

• Works well in terminal or automation workflows

• Great for building CLI tools, scripts, and deeper architectural edits

Claude Code continues to be a top choice when deep understanding and logical reasoning are needed.

🌌 Google Antigravity — Agent-First Coding

• Google’s ambitious AI coding platform

• Acts as autonomous agents capable of planning tasks, refactors, and logic flows

• Best when you want the tool to execute workflows, not just suggest lines

Tools like Antigravity are shifting towards agentic development models, where AI coordinates large tasks on its own.

🆓 OpenCode — Open-Source Coding Agent

• Community-driven alternative

• Works in terminal or IDE

• Gives flexibility to connect different models

• No vendor lock-in, customizable

OpenCode is becoming popular among developers who want agent capabilities without locking into specific commercial ecosystems.

💻 GitHub Copilot (Standard)

• Familiar tool for many

• Works inside IDEs (VS Code, JetBrains, etc.)

• Generates code on demand

• Suggests tests and docs

Copilot is still a staple in many workflows, especially integrated with GitHub repos.

🆓 Free & Low-Cost Vibe Coding Tools

Not all tools require pricey subscriptions. Here are budget-friendly options:

• OpenCode — open source coding agent you can self-host or extend.

• Cursor (Free tier) — many features available without full subscription.

• Gemini Code Assist (Free tier) — powerful coding assistant with generous free usage limits.

• Free agent libraries & open agents — community tools that connect open models to editors.

These tools let you begin vibe coding with little or no upfront cost.

🧠 How to Pick the Right Tool

Here’s a quick guide based on your workflow:

There isn’t a single best tool — the right choice depends on your workflow and team.

📊 7. Real-World Team Practices

Top engineering teams integrate:

• detailed AGENTS.md / SKILL.md

• automated CI/CD

• thorough testing practices

• security checks (SAST, dependency scans)

• agent guidelines and guardrails

• structured doc review processes

This reduces ambiguity, ensures quality, and keeps development vibing at scale.

🎯 Final Thoughts

By adopting modern documentation standards, strong coding practices, testing & CI automation, and the right AI tools, you’ll be positioned to write better code faster and more reliably.

Vibe coding in 2026 = process + tools + discipline.

What if your AI wasn’t just a chat partner but a digital colleague — one that lives in the messaging apps you already use and can take real actions on your behalf? That’s the pitch behind Clawd.bot, the open-source AI assistant that went viral in 2026. It’s fast shaping up to be one of the most exciting AI tools for developers and power users alike. (Vercel)

🧠 What Is Clawd.bot?

At its core, Clawd.bot is an open-source personal AI assistant you run locally or on a server you control. Unlike traditional web-based chatbots, it bridges powerful AI agents with the messaging apps you already use — like WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, and more. (Vercel)

Here’s a simple architectural view:

Messaging App (WhatsApp/Telegram/Slack/etc.)  
        ↕  
   Clawd.bot Gateway  
        ↕  
   AI Agent + Skills (Claude, GPT, local models)  
        ↕  
    Real Actions (scripts, reminders, browser control)

The gateway handles connections and context, the AI agent processes your input and manages persistent memory, and the skills layer performs real tasks on your behalf — from running shell commands to automating workflows. (Vercel)

🛠️ Getting Started with Clawd.bot (High Level)

Here’s the conceptual setup that turns Clawd.bot into your personal assistant:

1. Install Clawd.bot locally, on a VPS, or with Docker

   • One-liner installers and Docker options are supported. (DEV Community)

2. Connect your messaging platforms through the gateway

   • Telegram, WhatsApp, Slack, Discord, Signal, iMessage, Teams, WebChat, etc. (Clawdbot)

3. Choose your model(s)

   • Options include Claude, GPT-like APIs, or local models of your choice. (Vercel)

4. Add Skills

   • Prebuilt or custom extensions unlock real actions.

5. Authorize devices and set appropriate permissions

   • Permissions control what your assistant can access and act upon.

6. Start chatting and automation begins

   • It listens, remembers, and acts.

⚠️ Some skills require higher privileges (like system access or script execution) — configure them with care. (Clawdbot)

🔧 Core Features That Make Clawd.bot Stand Out

✅ 1. Multi-Platform Messaging Support

Clawd.bot connects to apps you already use:

• WhatsApp

• Telegram

• Discord

• Slack

• Signal

• iMessage

• Microsoft Teams

• WebChat
  …and more. (Clawdbot)

You chat with it like a colleague — no new app to learn.

🧠 2. Persistent Memory & Context

Most AI tools forget everything after a session ends. Clawd.bot remembers you — your context, preferences, routines, and long-running conversations — giving it continuity and personalization you won’t get from ephemeral web chatbots. (Vercel)

⚙️ 3. Real Actions, Not Just Replies

Clawd.bot can do way more than reply to text. It’s effectively a programmable agent that can:

• Execute shell commands on your host machine

• Automate file and directory tasks

• Perform browser automation (navigate and interact with web pages)

• Fetch and summarize emails

• Create GitHub issues or tickets

• Manage calendars and reminders

• Schedule tasks and proactive notifications

That’s what turns it from a chatbot into a true digital worker. (banani.co)

💡 Real-World Use Case Examples

Below are hands-on ways developers and power users are already using Clawd.bot to go beyond simple chat.

🛠 1. Developer Automation & Workflow Integration

Clawd.bot is becoming a favorite for developers because it can act like a hands-free dev assistant:

• Run CI/CD scripts from chat prompts

• Generate code snippets or refactor functions on request

• Summarize logs and test results

• Integrate with GitHub — create issues, track PRs, generate release notes

• Retrieve and analyze analytics or metric data

Example:

@clawd: “Run tests on the staging branch”
Clawd.bot: “Starting tests... 42 passed, 3 failed. See log below.”

This turns your messaging interface into a command center for your development workflows. (Clawdbot)

🏡 2. Home Automation and Smart Device Control

Clawd.bot isn’t limited to your keyboard — it can also integrate with smart home platforms via scripts and API calls:

• Turn lights on/off or adjust brightness

• Change thermostat settings

• Trigger scenes or routines (e.g., “Good night” → all lights off)

• Control smart speakers and media devices

• Schedule recurring actions

Example:

@clawd: “Dim living room lights to 30% at 10 PM”
Clawd.bot: “Scheduled.”

This transforms simple text messages into real physical automation across your devices. (MacStories)

✉️ 3. Inbox Zero and Email Workflows

TIred of sifting through hundreds of emails? Clawd.bot can help:

• Summarize unread messages

• Flag important threads

• Draft responses or follow-ups

• Automatically archive low-priority emails

All delivered right into your chat app. (banani.co)

📆 4. Proactive Personal Assistant Tasks

Clawd.bot can initiate messages, not just respond:

• Daily agendas and briefing summaries

• Alerts before meetings or deadlines

• Weather forecasts or travel updates

• Scheduled reminders based on context

This moves Clawd.bot from reactive to proactive, making it feel more like a personal AI companion than a chatbot. (Vercel)

⚠️ Pitfalls to Watch Out For

Clawd.bot is powerful, but not plug-and-play for everyone:

❗ Setup can be technical and requires comfort with infrastructure and messaging platform APIs. (Medium)
⚠️ You’re responsible for security — running automation with powerful permissions can be risky if misconfigured. (GitHub)
🧠 Persistent memory means data stays longer — you need thoughtful management and good hygiene. (Medium)

This tool is best suited for builders, tinkerers, and automation geeks who want fine-grained control over their AI assistant.

🧠 Why This Matters for Developers

Clawd.bot isn’t just “another chatbot” — it’s a self-hosted programmable assistant that:

• Runs where you control it

• Integrates with daily tools and workflows

• Allows you to extend functionality with custom scripts and plugins

• Turns AI from passive Q&A into active automation

In many ways, it feels like the bridge between traditional automation (cron jobs and scripts) and the next generation of conversational AI as actual digital teammates. (banani.co)

🧠 Final Thoughts

Clawd.bot is one of the most exciting advancements in personal AI assistants in 2026.
It transforms AI from a reactive chat interface into a context-aware automation engine you control — not a cloud megacorp. (Medium)

For developers seeking autonomy, customization, and true productivity gains, Clawd.bot isn’t just another tool — it’s a platform for unleashing AI as your everyday team member. 🚀

🔗 Official & Community Resources for Clawd.bot

🔹 Official Website – Home page & quick intro to the tool
👉 https://clawd.bot

📘 Official Documentation – Setup guides, concepts, config, and more
👉 https://docs.clawd.bot

📦 GitHub Repository (Source Code + CLI) – Issue tracker, code, releases
👉 https://github.com/clawdbot/clawdbot

📥 Releases Page – Download stable builds & view changelogs
👉 https://github.com/clawdbot/clawdbot/releases

💬 GitHub Discussions (Forum) – Community Q&A, tips, collaboration
👉 https://github.com/clawdbot/clawdbot/discussions

🛠 Getting Started (Official Guide) – Step-by-step first chat setup
👉 https://docs.clawd.bot/start/getting-started

📘 Clawdbot Configuration Docs – Customize and configure your assistant
👉 https://github.com/clawdbot/clawdbot/blob/main/docs/configuration.md

This guide walks through a clean, repeatable, and production-safe way to restore a Supabase database using psql, with a few extra tips I wish someone had told me earlier.

Step 1: Create a New Supabase Project

Head over to the Supabase Dashboard and create a brand-new project.

Important tips here:

• ✅ Use the same region as the original project (helps with latency + future migrations)

• ⏱️ Wait until the database status shows healthy

Get the Direct Database Connection String

1. Go to Settings → Database

2. Copy the Direct connection string (port 5432)

3. If the password was recently changed:

   • Reset it once more

   • Wait ~1 minute so it propagates everywhere

📌 You’ll use this connection string later as [NEW_DB_URL].

Step 2: Install Required Tools Locally

You’ll need two things:

• PostgreSQL client (psql)

• Supabase CLI (optional, but useful)

Install PostgreSQL Client

Windows

winget install postgresql

Or download directly from postgresql.org.

macOS

brew install postgresql supabase/tap/supabase

Linux (Debian/Ubuntu)

sudo apt install postgresql-client supabase

Verify Installation

psql --version

If this works, you’re good to go 🚀

Step 3: Download Backup Files from GitHub

From your repository, download these files into one local folder:

roles.sql
schema.sql
data.sql

⚠️ Do not rename them
⚠️ Order matters — this exact sequence is critical for a successful restore.

Step 4: Restore the Database (The Safe Way)

Now comes the main event.

Run this single command from the folder containing your SQL files:

psql \
  --single-transaction \
  --variable ON_ERROR_STOP=1 \
  --file roles.sql \
  --file schema.sql \
  --set session_replication_role=replica \
  --file data.sql \
  --dbname "[NEW_DB_URL]"

Why this works so well

• --single-transaction
  → Either everything restores, or nothing does (no half-broken DBs)

• ON_ERROR_STOP=1
  → Stops immediately if something goes wrong

• session_replication_role=replica
  → Temporarily disables triggers & foreign-key checks
  (super important for bulk COPY inserts)

Step 5: Understand the Restore Order (Don’t Skip This)

Here’s why the order matters:

1. roles.sql

   • Database users

   • Permissions & grants
     Without this → schema permissions can fail

2. schema.sql

   • Tables, views, functions, indexes

   • Constraints & relationships

3. data.sql

   • Actual records

   • Usually uses COPY for speed

Mess this order up and you’ll meet cryptic Postgres errors 😅

Step 6: Verify the Restoration

Quick sanity check via terminal

psql "[NEW_DB_URL]" -c "SELECT COUNT(*) FROM your_table;"

Visual check in Supabase

• Open Table Editor

• Browse a few tables

• Confirm row counts look right

If both checks pass — congrats 🎉 your database is officially back.

Step 7: Things That Are Not Restored Automatically

SQL backups do not include:

• 🔐 Auth providers (Google, GitHub, email, etc.)

• 🗄️ Storage buckets & policies

• 🔑 API keys & secrets

• ⚙️ Edge Functions config

You’ll need to reconfigure these manually in the Supabase dashboard.

👉 Pro tip: keep a post-restore checklist in your repo for this stuff.

Optional Improvements (Highly Recommended)

• ✅ Test restore on a staging project first

• 🧪 Run a few app queries against the new DB

• 📄 Log restore output to a file for debugging:

    psql ... > restore.log 2>&1
  

• 🔁 Automate restore later via GitHub Actions (carefully!)

If you’re using Supabase, the good news is:
you can fully automate PostgreSQL backups using GitHub Actions + Supabase CLI in just a few minutes.

This setup:

• Runs automatically

• Stores backups securely

• Requires zero manual effort after setup

Why Automate Supabase Backups?

Supabase handles infrastructure well — but your data is still your responsibility.

Automation gives you:

• ✅ Regular backups (daily / PR / manual)

• ✅ Versioned SQL dumps

• ✅ Easy recovery

• ✅ Peace of mind

⚠️ Important: Always use a private GitHub repository for backups.

What We’re Building

A GitHub Actions workflow that:

• Uses Supabase CLI

• Backs up:

  • roles

  • schema

  • data

• Runs:

  • On push to main

  • On pull requests

  • Daily (cron)

  • Manually

• Commits backups automatically

Step 1: Get Your Supabase Database URL

Go to your Supabase Dashboard → select your project → click Connect (top-right).

You’ll see multiple connection options.

⚠️ Direct Connection vs Pooler (Important Read)

Initially, I tried using the Direct Connection (port 5432) like this:

postgresql://postgres:[PASSWORD]@db.[project-ref].supabase.co:5432/postgres

But in GitHub Actions, this caused the following error:

pg_dumpall: error: connection to server at "db.xxx.supabase.co" (2406:da18:...)
port 5432 failed: Network is unreachable

Why This Happens

• Supabase Free projects do not have dedicated IPv4

• DNS resolves the database host to IPv6

• GitHub Actions runners (ubuntu-latest) cannot reach Supabase IPv6 on port 5432

• Result: ❌ backup job fails

You can fix this on paid Supabase plans by forcing IPv4 —
but on the Free tier, the reliable solution is the Connection Pooler.

✅ Use the Connection Pooler (Recommended)

From the Connect dialog:

• Choose Connection Pooler

• Use Transaction mode

• Port: 6543

Example:

postgresql://postgres.[project-ref]:[PASSWORD]@db.[project-ref].supabase.co:6543/postgres

This works reliably in GitHub Actions and is perfect for backups.

Step 2: Add the Database URL as a GitHub Secret

In your GitHub repository:

1. Go to Settings → Secrets and variables → Actions

2. Click New repository secret

3. Add:

Name: SUPABASE_DB_URL  
Value: <pooler connection string>

Your credentials stay encrypted and never appear in logs.

Step 3: Create the GitHub Actions Workflow

Create the file:

.github/workflows/backup.yml

Paste this:

name: Supabase Backup

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *' # Daily

jobs:
  run_db_backup:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    env:
      DATABASE_URL: ${{ secrets.SUPABASE_DB_URL }}

    steps:
      - uses: actions/checkout@v3

      - uses: supabase/setup-cli@v1
        with:
          version: latest

      - name: Create backup folder
        run: mkdir -p supabase_backup

      - name: Backup roles
        run: supabase db dump --db-url "$DATABASE_URL" -f supabase_backup/roles.sql --role-only

      - name: Backup schema
        run: supabase db dump --db-url "$DATABASE_URL" -f supabase_backup/schema.sql

      - name: Backup data
        run: supabase db dump --db-url "$DATABASE_URL" -f supabase_backup/data.sql --data-only --use-copy

      - uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: "Automated Supabase backup"

📁 Note About the supabase_backup Folder

GitHub Actions can create folders during a run, but Git only tracks folders once a file exists.

To avoid confusion on the first run, it’s best to create the folder once.

Quick Options

Option 1: Locally

mkdir supabase_backup
git add supabase_backup
git commit -m "Add supabase backup folder"
git push

Option 2: On GitHub

• Create a file named:

    supabase_backup/.gitkeep
  

• Commit it

After this, the workflow will automatically dump backups into the folder.

Where Are the Backups Stored?

After each run, your repo will contain:

supabase_backup/
├── roles.sql
├── schema.sql
└── data.sql

You can pull the repository anytime to access them.

Restoring from Backup (Quick Note)

To restore:

1. Create a new Supabase project

2. Connect using psql

3. Restore in order:

   • roles.sql

   • schema.sql

   • data.sql

This article focuses on creating reliable, automated backups.

The step-by-step restore process deserves its own dedicated post, because it involves:

• Creating a fresh Supabase project

• Restoring roles, schema, and data in the correct order

• Handling extensions, ownership, and permissions safely

👉 In the next blog, we’ll walk through the complete restore process

Key Takeaways

• Supabase backups can be fully automated

• Free tier users should use the Connection Pooler

• Back up roles, schema, and data

• Store backups in a dedicated folder

• Always use private repositories

Reference

Supabase Docs:
https://supabase.com/docs/guides/deployment/ci/backups

Ever wondered what actually happens when you type a prompt into ChatGPT?
Or better — what if you could run the same experience locally, without APIs, rate limits, or data leaving your machine? 🤯

That curiosity is exactly what led me to Ollama.

Running LLMs locally is no longer a “research lab only” thing. With modern tools and optimized models, developers can now spin up a personal AI assistant that feels shockingly close to ChatGPT — all on a laptop.

In this article, we’ll build our own ChatGPT-like setup locally using Ollama, understand what’s happening under the hood, and explore how far you can push it.

What Problem Are We Solving?

Cloud-based LLMs are amazing, but they come with trade-offs:

❌ Data privacy concerns
❌ API costs & usage limits
❌ Internet dependency
❌ Limited control over models

Local LLMs solve this by giving you:

✅ Full control
✅ Offline usage
✅ Zero per-request cost
✅ Customization freedom

That’s where Ollama shines.

What Is Ollama?

Ollama is a developer-friendly tool that lets you download, manage, and run large language models both locally and via Ollama Cloud using a simple CLI and API.

Think of it as:

Docker for LLMs 🐳🤖

Instead of building inference pipelines from scratch, Ollama abstracts away:

• Model downloads

• Quantization

• GPU/CPU optimizations

• Runtime management

You just run a command — and boom, your local ChatGPT is alive.

Step 1: Install Ollama

macOS / Linux

curl -fsSL https://ollama.com/install.sh | sh

Windows

Download directly from:
👉 https://ollama.com

Once installed, verify:

ollama --version

If that works, you’re good to go ✅

Step 2: Log In to Ollama (Local vs Cloud Models)

Before running models, it’s important to understand that Ollama supports both local and cloud-based models.

To access cloud features, you’ll need to log in:

ollama login

This connects your CLI to your Ollama account.

Why this matters

• Local models

  • Run entirely on your machine

  • Fully offline

  • No usage limits

  • Maximum privacy

• Cloud models

  • Run on Ollama’s infrastructure

  • Faster startup for large models

  • Subject to hourly and weekly usage limits

  • Useful when your hardware is limited

The key thing I love:
you choose per model whether it runs locally or in the cloud.

Step 3: Run Your First Local LLM

Let’s start with a popular ChatGPT-like local model:

ollama run llama3

That’s it. This will download and run llama3 on your local

No API keys.
No environment variables.
No cloud setup.

You’re now chatting with a local LLM running on your own machine.

Step 4: Understanding What’s Happening Under the Hood

Behind the scenes, Ollama:

• Downloads the model weights

• Optimizes them for your hardware

• Starts a local inference server

• Streams responses token-by-token

If you’ve used ChatGPT before, the experience feels… familiar 👀

Step 5: Running Ollama as a Local ChatGPT API

Ollama also exposes a local HTTP API, which means you can connect it to:

• Web apps

• Desktop apps

• VS Code extensions

• Custom UIs

Start the Ollama server:

ollama serve

Example API request:

curl http://localhost:11434/api/generate -d '{
  "model": "llama3",
  "prompt": "Explain transformers like I am a developer"
}'

Congrats — you now have a self-hosted ChatGPT backend 🔥

Step 6: Building a Simple Chat UI (Concept)

At this point, the architecture looks like this:

Frontend (React / Next.js / CLI)
        ↓
Local Ollama API
        ↓
LLM Model (LLaMA, Mistral, etc.)

You can:

• Build a React chat UI

• Store conversation history

• Add system prompts

• Create AI agents

• Run everything offline

This is where things get really fun.

Useful Models to Try

List installed models:

ollama list

Popular options:

• llama3 – Best ChatGPT-like experience

• mistral – Fast & lightweight

• codellama – Code-focused

• phi – Small & efficient

Switch instantly:

ollama run mistral

Common Pitfalls (Learned the Hard Way)

🧠 RAM matters — 8GB works, 16GB is smoother
🔥 CPU-only works, GPU is a big win
📦 Larger models ≠ always better
📝 Prompt quality matters more than model size

Local LLMs reward clear intent, not brute force.

When Should You Use Local LLMs?

Perfect for:

• Learning how LLMs work

• Prototyping AI products

• Internal tools

• Privacy-sensitive data

• AI experimentation & agents

Not ideal for:

• Massive production scale

• Multi-user public apps (yet)

What I Personally Love About This Setup

Running ChatGPT locally feels empowering.

You stop being a consumer of AI
and start becoming a builder with AI 🛠️🤖

It completely changes how you think about:

• App architecture

• Privacy

• AI UX

• Tooling

And honestly?
Once you try this, cloud-only AI feels limiting.

Conclusion: Your AI, Your Rules

With Ollama, building your own ChatGPT is no longer magic — it’s just good tooling.

If you’re a developer exploring AI, this is one of those setups that:

• Teaches you fast

• Unlocks experimentation

• Makes AI feel tangible

Next steps

• Build a chat UI

• Add memory

• Connect tools

• Create AI agents

Local AI is here — and it’s 🔥

Key Takeaways

• Ollama supports both local and cloud models

• Cloud usage comes with hourly & weekly limits

• Local models give full privacy and control

• You can build a ChatGPT-like experience in minutes

• Perfect playground for hands-on AI experimentation