Anthropic announced Tuesday that every paid Claude plan gets a dedicated monthly credit for programmatic use starting June 15: Pro $20, Max 5x $100, Max 20x $200. Sounds like a giveaway. It isn’t. It’s the ceiling.
Heavy users on Max 20x had been quietly burning through up to $5K/mo in API-equivalent compute against a $200 sub — a ~25x subsidy Anthropic is now folding back. The same announcement reverses April’s outright ban on OpenClaw, Conductor, Hermes, and friends. Third-party tools are allowed again, on a budget your crontab can blow through in a long afternoon.
In today’s indie hacker news:
- 🪙 The $100 ceiling on every Max 5x subscriber’s
claude -ploops - 🪦 The Claude Design projects Anthropic deleted the second a Max subscriber cancelled
- 🐘 A solo dev’s Forgejo migration the Dutch government copied within days
- 🚫 The block button Meta surgically removed from one Threads account
- 🔓 A grudge-driven BitLocker bypass dropped the day after Patch Tuesday
TOP STORIES
THE $100 CEILING ON YOUR CLAUDE -P LOOPS
Anthropic capped programmatic Claude at $100/mo for Max 5x — a ~25x cut from the old subsidy.
The story: Anthropic announced Tuesday that starting June 15, every paid Claude plan gets a separate monthly credit for programmatic use — the Claude Agent SDK, claude -p, Claude Code GitHub Actions, and third-party tools built on the SDK. Pro: $20. Max 5x: $100. Max 20x: $200. Team Standard: $20/seat. Team Premium: $100/seat. Once the credit’s gone, programmatic usage stops cold unless you opt into “extra usage” at full API rates. This is a reversal of Boris Cherny’s April 25 post that locked OpenClaw, Conductor, Hermes, and every other third-party harness out of Claude subscription pools entirely. That ban followed a viral HERMES.md incident where a single repo filename triggered Anthropic’s detection and stuck a developer with a $200.98 surprise charge despite his subscription quota sitting 86% untouched. He got refunded only after the case went public.
The details:
- Theo from t3.gg framed the move bluntly: “If you use any of the following with your Claude sub, your usage [just] got cut by 25x” — listing T3 Code, Conductor, Zed, and Jean. The 25x isn’t rhetorical. Heavy Max 20x users had been consuming up to $5K/mo in API-equivalent compute against a $200 sub; one tracked dev’s peak month would have cost $5,623 at API rates on a $100 Max 5x plan, ~56x the price he paid. ~90% of those tokens were cache reads, which the new credit pool meters at full price
- Credits don’t roll over. Use it or lose it, refresh monthly
- Interactive Claude Code in the terminal / IDE, Claude in the browser, mobile and desktop apps, and Cowork are all unchanged — they keep drawing from the regular subscription pool
- OpenClaw, Conductor, Hermes, Latitude, Containarium, claude-pee — every Show HN wrapper in this week’s edition (see Stack and Trending below) — now has a clean integration story: bring your Claude login, draw from the credit pool. The “API key or get blocked” middle ground from April is gone
- Standard Enterprise seat holders get no credit at all; only the “Premium” seat tier qualifies. API-key users see no change either way
- Claim flow opens with an email June 8. The change goes live June 15
Why builders care: If your business has even one always-on Claude headless loop — a daily newsletter generator, a code-review bot, a research pipeline, a CI-attached agent — you’re now metered at API rates with a hard ceiling that maps to roughly 6-8M Opus tokens a month. Three plays: (1) bin-pack to Sonnet 4.6 where $100 buys ~5x more headroom and the quality gap on routine work is small, (2) flip on extra usage and treat overflow as a P&L line item with daily caps so a runaway loop can’t drain your card, (3) split the work across multiple Claude logins on separate seats (gray area, indie hackers will find the edge). The era where “buy Max 5x and run claude -p in a cron” was arbitrage on Anthropic’s marketing budget ends June 15. Everyone running a claude --print pipeline against the sub should benchmark their current monthly burn before then so they know which option they’re picking.
Work from any WiFi like it's your home network. NordVPN's Meshnet runs a free private mesh between your laptop, dev box, and home server. SSH from a café without exposing a port, the way you'd use Tailscale. The paid VPN on top lets you test geo-fenced Stripe checkouts or feature flags from any country.
We get a cut if you sign up. Only added for tools we use ourselves.
CANCEL THE PLAN, LOSE THE PROJECTS
The story: pycassa’s Tell HN describes a $200/mo Claude Code Max run that ended when he paused billing for one month to try OpenAI Codex. Returning to the dashboard, every project he’d built inside Claude Design was gone. Anthropic Labs launched the product on April 17 as a “research preview” for Pro, Max, Team, and Enterprise tiers, and the cancellation help doc says nothing about Design files or chats. A second HN post three days earlier, user o10449366, reported the same thing on the Max 20x tier with billing still paid through May 13. That subscriber filed a chargeback.
The details:
- Front-paged at 224 HN points and 66 comments by Wednesday afternoon. Anthropic posted nothing, despite pycassa tagging the company “multiple times on X” first
- HN user Topfi surfaced the escape hatch:
claude.ai/settings/data-privacy-controlsexports adesign_chats/directory with every session JSON and generated code. Works even after access is revoked - Bonus credits granted as a thank-you also expired with the subscription and never came back when he resubscribed. They’re plan-scoped vouchers, not portable balances
- Same pattern hit Claude Code Pro in April: the CLI was stripped from $20 subscribers, reversed under pressure, then entire companies got quietly cut off via Google Form
- Three other surfaces sit under the same Labs umbrella with no retention promise: Skills, Cowork, and Claude in Chrome
Why builders care: “Research preview” is now a legal exit door, not a UX label. If client deliverables, prompts, or design states live behind one, your retention policy is whatever the next billing cycle decides. Treat anything inside Labs the way you’d treat a shared whiteboard: photograph it before you leave the room.
THE $700 NUC THAT EMBARRASSED MICROSOFT
Solo dev’s “Leaving GitHub for Forgejo” hits 547 HN points and a Dutch ministry copies the stack.
The story: Dutch DevOps consultant Jorijn Schrijvershof published Leaving GitHub for Forgejo and it held the HN front page all day. His trigger date is April 24, when GitHub silently flipped Copilot Free / Pro / Pro+ interaction data to default-on for AI training, no repo-level opt-out. Breaking points stacked: the platform got folded into Microsoft’s CoreAI org last August after CEO Thomas Dohmke left, the merge queue silently reverted commits across 658 repos and 2,092 PRs on April 23, and an Elasticsearch outage took Issues and Packages down for six hours on April 27. His new home is code.jorijn.com on a single Intel NUC with 64GB of RAM, running Forgejo v15.0 LTS. The Dutch Ministry of the Interior soft-launched code.overheid.nl on the same stack three days later.
The details:
- Runner stack has five isolation layers: Incus-managed KVM VM, gVisor syscall interception, weekly destructive rebuild at 02:00 UTC Mondays, nftables egress filter blocking LAN ranges, and scope-bound runner tokens
- Forgejo has no Dependabot equivalent, so he runs Renovate on a 3-hour cron. The whole swap took about a day
- Actions compatibility was the biggest pain:
actions/checkout@v6is broken under Forgejo, requires pinning tov5and using Forgejo-specific forks.permissions:blocks are ignored - Forgejo went GPLv3+ in v9.0 to resist commercial capture, the exact thing that hit Gitea when its trademarks got transferred to a commercial entity in late 2022. Codeberg e.V., the Berlin non-profit that hosts it, runs 300,000+ repos
- GitHub has had 257 incidents in the past 12 months, 48 flagged major, totaling roughly 112 hours of downtime
Why builders care: Self-hosting Git is no longer a hobby project, it’s a procurement-deck asset. A G7 ministry running the same stack is the air cover you quote to skeptical EU buyers, and a one-week migration plus a hobbyist box buys you out of being a default-on training input. Keep the public mirror as discovery surface; move the codebase out of Microsoft’s org chart.
THE BLOCK BUTTON IS THE FEATURE
Meta shipped an AI account on Threads with no way to block it.
The story: The Verge reported Tuesday that Meta’s official @meta.ai Threads account has no block option in its three-dots menu, unlike every other account on the platform. Users can mute it, hide replies, or tap “Not interested,” but they cannot stop it from posting in threads where someone else tags it. Engadget’s Karissa Bell tried the spam-report flow that normally surfaces a block button at the end. The button never appeared. Meta confirmed the choice was intentional. “Users cannot block Meta AI” then became Threads’ top trend, with over a million posts in 24 hours.
The details:
- Test rollout covers five countries: Argentina, Malaysia, Mexico, Saudi Arabia, Singapore. Powered by Meta’s Muse Spark model launched in April
- Threads has 400M monthly active users and 141M daily as of early 2026, putting it within striking distance of X’s 450-500M
- Bluesky’s own AI assistant account became the #2 most-blocked account platform-wide on its launch, behind only JD Vance, before it had posted a single thing
- Same playbook as Meta’s January 2025 AI-generated Instagram profiles, which users also couldn’t block. The company called it a “bug” and killed the project after the same backlash
- EU Digital Services Act Article 25 on dark patterns explicitly targets consent-removal designs. A complaint is the obvious next move
Why builders care: Meta just ran the A/B test for every founder shipping AI into a social product. The result: users will absolutely block your bot if you give them the option, which is exactly why the option got pulled. If you’re shipping a social app, “we let you mute our bots” is the cheapest day-one differentiator on the menu, and the EU complaint that follows is somebody else’s compliance problem.
USB STICK, ENCRYPTED LAPTOP, ROOT
The story: A researcher operating as “Nightmare-Eclipse” on GitHub and “Chaotic Eclipse” on Blogspot published YellowKey and GreenPlasma on May 13, the day after Microsoft’s monthly patch cycle. YellowKey is a BitLocker bypass against Windows 11, Server 2022, and Server 2025. Copy an FsTx folder to a USB stick or EFI partition, reboot into Windows Recovery, hold CTRL. Windows replays the NTFS transaction logs, wipes winpeshl.ini, and drops you to a CMD.EXE shell with the BitLocker volume already unlocked. It works against TPM-only BitLocker, which is the default on every consumer Windows 11 install since 24H2. The researcher says the same technique works against TPM+PIN, but declined to release that PoC: “what’s out there is already bad enough.”
The details:
- Trigger for the leaks was MSRC closing the original BlueHammer report when the researcher refused to record a video demo. The researcher accuses Microsoft personnel of telling them “they will ruin my life and they did”
- Five total drops in 2026: BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma. Only BlueHammer got a CVE (2026-33825). RedSun was silently patched without one
- Huntress confirmed BlueHammer in-the-wild exploitation by April 10, seven days after the PoC dropped. One intrusion involved FortiGate SSL VPN access from a Russia-geolocated IP
- Kevin Beaumont independently verified the bypass and described BitLocker as having “a backdoor.” Will Dormann reproduced the USB variant but not the EFI version
- YellowKey GitHub repo is already at 1.1k stars / 249 forks. The researcher has publicly promised more drops every Patch Tuesday
Why builders care: Two assumptions broke this week. SOC 2 / HIPAA / GDPR breach carve-outs that lean on “the laptop was encrypted, so no data was exposed” stop working until a fix ships, so enable a PIN and BIOS password on every field laptop today. And the responsible-disclosure assumption that MSRC handles reports in good faith is now a public coin-flip: if you find a Microsoft bug, archive the ticket, get every commitment in writing, and assume you may need to go public to land a patch.
TRENDING TODAY
💸 Levels turned finance week into a public lecture. @levelsio dropped three viral threads on builder finance in 24 hours. The big one (123K views): a warning about SPV-of-SPV deals offering pre-IPO AI-lab shares, where the math from @Nick_Davidov showed $100K turns into $68.85K after stacked 15/10/10% fees on a $380B Anthropic valuation. Companion thread: tax software builds perverse incentives to keep tax code complex (49K views, 448 likes). And one Stripe-suspension story about an in-game drone purchase in his vibe-coded sim flagging the merchant account (141K views). Finance survival rules are this cycle’s bookmark fuel.
🧰 The Claude Code tool layer is filling up. Five Show HN drops in 12 hours, all wrappers: claude-pee (today’s Show HN #1, see Stack below), Promptcellar (commits every prompt as JSONL to your repo), Containarium (self-hosted MCP-native sandbox for agents, 182 stars), HookGuard (scans malicious Claude.md and agent configs), and Latitude for Claude Code (token-burn telemetry). Every pain point is becoming its own indie SaaS.
🤖 $999 AI Assessments are the new SEO audits. @coreyganim’s masterclass on the entry tier and upselling $3K-$10K services pulled 65K views and 866 bookmarks, a 2.6:1 bookmark-to-like ratio that signals execute-intent. Companion post: he closed $1,200/mo with an insurance agency for “two 45-minute calls plus Voxer.” Pitch is anti-expert: you just need to be one step ahead of the client and teach them Claude Skills + Projects + Design. The arbitrage window is wide and builders are pouncing.
FIRST DOLLAR
THIRD TIME, FROM SCRATCH
📱 Indie mobile dev maps $1K MRR → $30K MRR → $1M ARR.
@seraleev is closing in on his third seven-figure ARR from scratch, and the post lists each milestone as a single line his audience can screenshot. No specific app named in the thread; his bio just says “Indie mobile dev.” The open question to the audience: chase a monthly run-rate equal to the current annual, or sit on the win. 1.4K views, 31 likes, 16 replies (most arguing for option two).
370 VIEWS, 3 CUSTOMERS, $345 MRR
🎥 A solo dev in India built a $12K/month plugin business with tiny YouTube videos.
@starter_story’s case study pulled 86 bookmarks. The conversion math: his best clip ran for four months before three viewers became paying customers, and that single video now anchors a five-figure monthly recurring line. The playbook is harvest customer pain from forums and 1,500+ recorded support calls, make a boring tutorial answering one specific question, then optimize for search instead of feed. Tiny videos for tiny problems beat going viral for nobody.
STACK OF THE DAY
🛠️ Claude-pee (free, MIT, Rust)
Claude-pee is a drop-in Rust front-end for the claude CLI from @sbhattap. It spawns claude in a PTY with a fresh --session-id UUIDv4, tails the matching JSONL transcript, and prints just the assistant reply to stdout. Why it matters: it routes around Claude Code’s headless-mode credit pool, the #1 complaint from Max-tier subscribers running automation. Install with cargo build --release && cp target/release/claude-pee ~/.local/bin/. Edition 2024 Rust, requires 1.85+. Top of Show HN today.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
🇪🇺 One Dutch builder moved his entire stack to Europe. 903 HN points, 542 comments. Wimer Hazenberg’s swap table: Google Analytics to Matomo, DigitalOcean to Scaleway, Sentry to Bugsink, OpenAI to Mistral, 1Password to Proton Pass. Cloudflare, Stripe, and GitHub stayed. The throughline: digital sovereignty is about being conscious about who holds your data when politics shift.
📓 Promptcellar logs every Claude Code prompt to your repo. Go plugin that dumps every prompt to .prompts/YYYY/MM/DD/ JSONL with git metadata, token counts, and file diffs. Built-in gitleaks-style secret redaction and team allow/deny lists. Tagline: “Capture every prompt. Own the signal.”
🏛️ Claim a free *.city.state.us locality subdomain. 522 HN points. NTIA Modification 2.0.0 keeps undelegated locality domains for local government agencies, but the broader .us namespace is open. Practical tip: stand up Amazon Lightsail nameservers before registering, so you have something to point the registrar at on day one.
Curated by AI, built by a human.