Syntax

988: Cloudflare’s Next.js Slop Fork

47 min episode · 2 min read

AI-Generated Summary

Key Takeaways

  • AI-Assisted Planning with Voice Input: Faulkner used Super Whisper voice-to-text to brain-dump architecture plans directly into Claude Opus 4.5/4.6, spending a few hours generating markdown planning files before writing a single line of code. The key unlock was understanding the target system's shape first — knowing Vite's plugin architecture and Next.js internals made AI direction-setting possible and precise.
  • Test Porting Over Test Running: Rather than attempting to run Next.js's 8,000-test suite directly, Faulkner instructed the AI to port individual tests into a Vitest and Playwright setup. This reframing — porting tests rather than executing them — gave the agent a contained, trackable task with clear success criteria and a tracking document to log progress test by test.
  • Barbell Session Structure for Agent Work: OpenCode's session data revealed Faulkner's usage was bimodal — either two-to-four minute correction bursts or one-to-two hour deep sessions, with peak token usage at 3AM from overnight task queues. This pattern suggests structuring AI work as either quick targeted fixes or long autonomous runs with pre-written task documents, not medium-length interactive sessions.
  • Discoveries.md as Persistent Agent Memory: Faulkner maintained a file called discoveries.md logging ecosystem-specific bugs — incompatible React/Webpack CJS module combinations, Vite-specific loading issues — so the agent stopped re-encountering solved problems. Pairing this with a review loop (review code, fix issues, review again, repeat two to three iterations) reduced context pollution and repetitive failure cycles significantly.
  • AI-Driven Security Triage Pipeline: After receiving vulnerability reports — including submissions from Vercel — Cloudflare built a custom AI agent to find, triage, fix, validate, and respond to security issues in VNext. That same agent, when pointed at other projects, surfaced additional vulnerabilities, suggesting AI security scanning pipelines built for one codebase can generalize across similar projects with minimal reconfiguration.

What It Covers

Steve Faulkner, Cloudflare's Director of Engineering for Workers, explains how he built VNext — a Vite-powered fork of Next.js — over a single weekend using Claude Opus and OpenCode, demonstrating how AI amplifies engineering managers who understand system architecture and can set clear technical direction.

Notable Moment

Faulkner revealed that Cloudflare's AI security agent — originally built to handle VNext vulnerability reports — was then pointed at unrelated projects and began finding new vulnerabilities there too, prompting a forthcoming blog post about using AI offensively for security research across codebases.
