A cybersecurity consultant built a $10/month persistent workspace for Claude Code and Claude AI by repurposing Pi's open-source execution layer. The setup, posted on Hacker News, lets any MCP-compatible tool share one filesystem, database, and knowledge base, eliminating session context loss.
Key facts
- $10/month total cost to run the persistent workspace
- One afternoon to build the bridge
- Five imports from Pi's npm package
- Cloudflare Tunnel and Worker on free tier
- SHA256 hashing for every tool call
Key Takeaways
- A $10/month persistent workspace for Claude Code and Claude AI using Pi's execution layer, MCP, and Cloudflare Tunnel.
- Bypasses session context loss by sharing one filesystem and database across all MCP-compatible tools.
The $10/month fix for AI context evaporation
A Hacker News post by a cybersecurity consultant describes a $10/month persistent workspace for Claude Code, Claude AI, and any MCP-compatible tool. The author, who builds AI agent infrastructure, wanted to avoid paying Mem0 or congee $100/month for saving text files. [According to the source] "Every AI I use hits the same wall. The conversation ends and everything disappears."
The solution: a Linux VPS with a shared filesystem, database, and knowledge base. Claude writes an architecture doc; Claude Code can grep for it. The author imported five functions from Pi's npm package @earendil-works/pi-coding-agent — createReadToolDefinition, createWriteToolDefinition, createGrepToolDefinition, createFindToolDefinition, createLsToolDefinition — registered them as MCP tools, and added a bash shell. The bridge is a single TypeScript file with five dependencies: Pi's package, MCP SDK, Express, an OTP library, and Zod. [Per the source] "The whole thing cost an afternoon to build and $10/month to run."
Architecture: Cloudflare Tunnel, Clerk OAuth, TOTP
A Cloudflare Worker hosts the MCP endpoint, connected via Cloudflare Tunnel to a cheap VPS. No inbound ports, no public IP. Free tier for both. The AI connects with three strings: URL, OAuth client ID, OAuth secret. Auth uses Clerk OAuth at the MCP connection, a shared-secret origin proxy, and a TOTP gateway that locks every tool until the user enters an authenticator code. [The source says] "To pass the TOTP I just tell Claude the code on my authenticator app and he calls the TOTP tool in the MCP."
Every tool call is logged with SHA256 hashes. Every file write creates a backup. Claude installed PostgreSQL in userspace on the box, running SQL queries alongside the markdown layer. [The source notes] "Next conversation, any device, any tool, it greps for prior context and picks up where we left off. Ideas compound instead of evaporating."
The unique take: repurposing agent internals, not building MCP servers from scratch
The author's insight is that any coding agent that publishes its execution layer as importable modules works for this pattern. Pi happens to be modular enough that the surgery is trivial. [According to the source] "Stop building MCP servers from scratch. A coding agent already built the hard part." This contrasts with the current trend of developers writing bespoke MCP servers for every tool integration. The approach also bypasses Claude Code's SSH throttling — the author notes there's no reason you can't use this pattern to give Claude Code SSH access to dozens of machines.
Security and limitations
The author acknowledges from a security perspective this is "a terrible idea" but works great. The setup runs on a disposable VPS. All tool calls are logged with SHA256 hashes. Every file write creates a backup. The author is a cybersecurity consultant and identity architect who builds AI agent infrastructure because "the tools I want don't exist yet." The source did not disclose the exact VPS provider or the Cloudflare Worker configuration details.
What to watch
Watch for more developers repurposing agent execution layers as shared MCP backends, potentially spawning a new pattern for persistent AI tooling. Also watch for Anthropic's response — whether they add native persistent workspace features to Claude Code or Claude Agent that render this hack unnecessary.
