Receipts. Not vibes. Restricted access.
Sent to you because you asked what's behind UpfrontOps.
Every framework, deploy target, security control, and pipeline currently running across UpfrontOps. Pulled from /opt, Gitea, GitHub, Caddy, UFW, fail2ban, pm2, Docker, and systemd on the server delivering this page.
Every host block in /etc/caddy/Caddyfile. Click any tile to open.
Tailscale-only tiles return a styled 403 unless you are on the tailnet. From a tailnet device they pass straight through to the backend.
Lovable and Base44 ship managed React plus Supabase CRUD apps inside their hosted environments, useful for fast MVPs. This server covers a wider surface: voice, mail, IoT, multi-agent ops, background work, multi-tenant data isolation, and full security ownership. Same starting prompt, different ceiling.
| Capability | Lovable / Base44 | This Server |
|---|---|---|
| What it can build | React plus Supabase web apps from natural-language prompts | Web apps plus voice telephony, physical mail automation, IoT control, multi-agent orchestration, background ETL, e-commerce, document review |
| Where the database lives | Vendor-managed Supabase project, one per app | Self-hosted multi-tenant Supabase fleet on vault.upfrontops.cloud with auto-pause, wake-on-demand, per-project isolation at db-<name>.upfrontops.cloud |
| Where the code runs | Inside the vendor's hosted walled garden, or Supabase Edge Functions for logic | Cloudflare Workers at the edge, 31 Docker containers, 5 PM2 long-running Node apps, 29 systemd services, all root-controlled on owned hardware |
| Security layer | Vendor defaults, no header or proxy control, no network gating | 33 Caddy sites with HSTS preload, X-Frame-Options DENY, block_sensitive_paths, Tailscale CIDR gates 21+ services, UFW denies SMTP egress, fail2ban on SSH, monit + earlyoom guard runaway processes, edge backups with SHA256 re-download verification |
| CI/CD discipline | "Click to deploy", no pipeline customization, no test gates | GitHub Actions with Gitleaks full-history scans, Semgrep SAST, npm audit, pa11y WCAG2AA, Cloudflare Workers Builds, Gitea HMAC-SHA256 webhook deploys, 3,619 test files, cross-platform CI matrix on Linux × Win × macOS |
| Real-time voice and PSTN | Not in scope | Twilio voice bridging, Deepgram real-time STT over WebSocket, ElevenLabs voice cloning, Vapi for AI phone calls, NFC tap-to-call with Durable Object countdown over SSE |
| Physical mail | Not in scope | 12,000+ Lob sends routed through lob-webhooks.upfrontops.cloud with project-prefix dispatch to the right per-project Supabase |
| Autonomous editing | In-app prompt iteration only | Open a labeled GitHub issue, an Action runs Claude Opus against the issue body, the edit is applied to the source document, downstream PDFs and TTS audio are re-rendered, commit lands on main, all without human intervention |
| Code ownership | Lives in vendor account, exportable but not directly portable | Self-hosted Gitea with 50 repos plus 19 on GitHub, Husky pre-commit gates, every layer of the stack is replaceable with no rebuild |
| Cost model | Credits per AI build plus monthly seat fees, marginal cost rises with usage | Fixed VPS plus B2 plus Cloudflare baseline, marginal cost of a new project is near zero |
| Vendor lock-in | High, replatforming means rebuild | None, Cloudflare can be Fly, Docker can be Podman, Supabase is upstream OSS, Gitea can be GitHub, Caddy can be nginx |

Sources for the Lovable and Base44 columns: Lovable docs, Base44 site, June 2026.
Paste a JD URL or the full job-description text. The inventory below sorts by strongest match, with top results highlighted.
| Tech / Skill | Category | Level | What I Built With It | Evidence | Recency |
|---|---|---|---|---|---|