Web applications, front to back
React, Vite, Express or Fastify, Postgres or MySQL, queued workers, sensible auth. Most public products in the list below are this shape.
We build programs that engineers and the people who use them love in equal measure.
30
Shipped projects
11
Public · running now
5
Years of work
2
Developers, no middle
What we work on
We are generalists by necessity and specialists by project. Across the workshop, the work tends to fall into six shapes.
Native & cross-platform clients
Flutter for web and iOS, Electron when desktop is the right answer, Swift / SwiftUI when iOS is the only answer.
Developer tools & compilers
Parsers, type checkers, code generators, LSP servers, VS Code extensions. TypeLua and the Lua / JS obfuscator both live here.
Systems & infrastructure
HA Postgres and Redis clusters, monitoring stacks, ingestion services, WireGuard fleets. Things that have to stay up.
Integrations & AI tooling
Discord bots, MCP servers exposing real backends to AI clients, OAuth flows, webhook pipelines, sandboxed code execution.
Native & reverse engineering
C and C++ on Windows when the work is hooking, mapping, or talking to the kernel. Niche, but we have done it for years.
Selected works
A selection of what we have shipped: public products you can try right now, alongside internal tools we built for our own use.
-
01 / 30 2026 · 05 Public
Finance API
HUF foreign exchange rates API with HA deployment
A Go service that pulls live and historical foreign exchange rates against the Hungarian Forint from Yahoo Finance, stores them in Postgres, and exposes them through a small authenticated HTTP API. Supports a configurable target currency set, periodic fetching with staleness tracking, and a high-availability mode where multiple instances coordinate via database-backed distributed locks so only one fetches at a time. API key auth, request logging with proxy-aware client IPs, and Docker Compose files for both single and HA deployments.
-
02 / 30 2026 · 05 Public
AI Bot
Discord AI self-bot with a web companion
A Discord self-bot wired to OpenAI-compatible models, with web search, OCR, image recognition, file generation, and sandboxed code execution in per-language Docker containers. A separate Express + React web app signs in with Discord OAuth to browse conversations, send messages, and manage MCP servers, with public servers gated by admin approval. Deployed via Docker.
-
03 / 30 2026 · 05 Internal MVP
271.hu
Local news portal & CMS · MVP
A locally-runnable news portal and CMS built to exercise the full editorial workflow: public site, admin panel, article writing, publishing, image uploads, comments, RSS. Two-tier auth separates readers from staff, with role-based permissions on every backend route.
Not publicly available -
04 / 30 2026 · 05 Public
clipbin.cc
Streamable-style video & audio hosting
Multipart upload, HLS streaming for video, sprite-based hover previews, and Discord-compatible embeds, including derived MP4 assets for MP3 uploads. Tiered access with voucher-based premium upgrades, optional 2FA, temporary share links, a ShareX-compatible API, and an admin panel for moderation. Deployed via Docker.
-
05 / 30 2026 · 04 Public
Media Converter
Media & document conversion service
A queued conversion service with a Flutter web and iOS client. Files upload chunked straight to R2; a BullMQ worker pipes them through FFmpeg, Sharp, Pandoc, LibreOffice, TeX Live, and pdf2docx, then the result comes back via a short-lived signed URL. PgBouncer in front of Postgres, Cloudflare in front of the API, and a separate MCP server exposing the same conversion matrix to AI clients. Deployed via Docker.
-
06 / 30 2026 · 04 Public
DownloadAll
Self-hosted media downloader · web & iOS
A Flutter web and iOS client over a FastAPI backend that wraps yt-dlp behind a real UI and API. Optional invite-only accounts, admin cookie manager backed by Cloudflare R2 for HA cookie sync, API keys for automation, and an MCP server for AI clients. Deployed via Docker.
-
07 / 30 2026 · 04 Public
JavaScript & Lua Obfuscator
Polymorphic VM-based Lua & JS obfuscator
Compiles source to a custom IR, serializes it to bytecode, and generates a per-build polymorphic VM that executes it at runtime. Targets Lua 5.1 through 5.4, LuaJIT, Luau/Roblox, FiveM, and Garry's Mod, with a three-tier optimizer, 2FA-protected accounts, invite-only registration, and API keys. Deployed via Docker.
-
08 / 30 2026 · 04 Public
End-to-end Encrypted File Share
Browser-to-browser file transfer over WebRTC
Peers connect directly through WebRTC data channels, with a Fastify signalling server to introduce them and a TURN fallback (coturn) for strict NATs. Invite-only accounts, one-to-many lobbies with per-recipient progress, and an admin panel for user and invite management. Deployed via Docker.
-
09 / 30 2026 · 04 Internal
TypeLua
Typed superset of Lua with a full compiler toolchain
A typed superset of Lua that compiles to clean Lua 5.1, 5.2, or LuaJIT. Full parser, type checker, and IR with classes, generics, metamethods, enums, switch, ternaries, destructuring, compound assignment, template strings, and a C++-style preprocessor. Multi-target backends, declaration files (`.d.tlua`), real bundling with a Lua loader, a JavaScript plugin macro system, incremental watch mode, and a VS Code extension backed by a dedicated LSP server.
Internal tooling -
10 / 30 2026 · 04 Internal
OCR Service
OCR platform with Discord bot companion
A small OCR platform with a React frontend and an Express + Postgres backend. JWT auth, invite-only registration, per-user API keys for automation, and a companion Discord bot that lets users run OCR jobs straight from chat. Hardened with Helmet, rate limiting, and Zod-validated routes; deployed via Docker behind nginx.
Internal tooling -
11 / 30 2026 · 04 Public
Biospheres
Modern Fabric port of Risugami's Biospheres mod for Minecraft
A recreation of the original Biospheres mod for Minecraft 1.21 on Fabric, with substantial world generation improvements. Variable sphere sizes, glass containment shells, ramped bridges between spheres, seed-driven biome distribution, and proper containment of vanilla structures (villages, ancient cities, trial chambers, monuments, and the rest). The v2 branch extends the original with the larger spheres and structure-aware generation.
-
12 / 30 2026 · 04 Internal
nginx-minecraft
An nginx-style HTTP engine running inside Minecraft servers (a joke)
A joke project taken further than it had any right to be: a real nginx-style HTTP engine in pure Java, with `nginx.conf` parsing, upstreams, load balancing, TLS and HTTP/2, rewrite engine, `if` / `return` / `map` / `geo` / `split_clients`, access control with `allow` / `deny` / `satisfy`, basic auth and auth_request, rate and connection limits, and FastCGI / uWSGI / SCGI / memcached upstream handlers, packaged as Fabric and Paper plugins so a Minecraft server can host it.
Internal tooling -
13 / 30 2026 · 03 Public
SideStore Resource Manager
Self-hosted SideStore / AltStore source manager
A self-hosted admin dashboard for running a SideStore / AltStore-compatible source. React admin UI for apps, versions, news, and source metadata, with IPA uploads streamed straight to Cloudflare R2 and a standards-compliant `source.json` served at the root. JWT auth with refresh token rotation, multi-user accounts, and optional TOTP 2FA with backup codes.
-
14 / 30 2026 · 03 Internal
Note Manager
Self-hosted notes & code workspace
A self-hosted notes and code workspace built around the Monaco editor with tabs, split panes, syntax highlighting, and a real filesystem-backed file tree with drag-and-drop. Multi-user with isolated home directories, automatic save history with a diff viewer and rollback, language server support for autocomplete and diagnostics, and a built-in AI assistant with multi-provider support. Code can be executed through built-in and custom runtimes (Docker or HTTP). JWT auth with refresh rotation, optional TOTP 2FA (AES-256-GCM at rest), rate limiting, and an admin panel.
Internal tooling -
15 / 30 2026 · 03 Internal
VantaGuard
Self-hosted uptime & infrastructure monitoring stack
A HetrixTools-style self-hosted monitoring platform with a central control plane, distributed probe nodes, an optional Docker host probe, and Linux/macOS/Windows server agents. Supports website, TCP service, ping, heartbeat, docker container, and DNSBL blacklist monitors with consensus-based state across nodes, retries, and timeouts. Collects server metrics from agents, sends alerts to Telegram and Discord, publishes public status pages, and ships with an optional updater pair for the agents.
Internal tooling -
16 / 30 2026 · 02 Internal
luadec-web
Lua bytecode analyzer
Web UI and API for analyzing, decrypting, and decompiling `.luac` files. Routes uploads through multiple backends (unluac 2017/2020, luadec51, a bundled JS decompiler), handles optional obfuscation and encryption layers. Deployed via Docker.
Internal tooling -
17 / 30 2026 · 01 Public
DögSMP Map Exporter
Hourly snapshot archiver for Squaremap servers
A Node.js service that archives snapshots of the DögSMP Minecraft server's dynamic Squaremap every few hours and serves a web UI to browse and compare the map across time. Smart tile fetching constrained to the world border at every zoom level, proxy fallback for anything not yet archived, an optional read-only mode, and Docker deployment with a persistent volume. Works for any Squaremap instance.
-
18 / 30 2025 · 12 Internal
autoDiscordQuest
Automated Discord quest helper
A small Windows C++ utility that drops an embedded helper executable (old Windows XP calculator) into a target directory, launches it via the Win32 process API to satisfy Discord's "play a game" quest checks, then cleans up cleanly on exit. Handles missing path creation, parent-directory tracking, and graceful process termination.
Internal tooling -
19 / 30 2025 · 09 Public
ifconfig.tech
Self-hosted IP and geolocation lookup service
A small Express service that returns the caller's IP, hostname, ASN, organization, country, city, region, timezone, and coordinates either as plain text per field or rendered into a single overview page. Backed by local MaxMind GeoLite2 City and ASN databases with reverse DNS, IPv4 and IPv6 bogon detection, and proxy-aware client IP resolution. Deployed via Docker.
-
20 / 30 2025 · 08 Internal
vpnshare-sense
WireGuard tunnel provisioning over OPNsense
A web app that provisions per-device WireGuard tunnels by driving an OPNsense router's API and SSH config. React frontend over an Express + MySQL backend that allocates client subnets, writes peers into the OPNsense XML config, and hands clients ready-to-import `.conf` files. Enforces a per-device tunnel limit and tracks provisioned peers in its own database. Deployed via Docker.
Internal tooling -
21 / 30 2025 · 02 Internal
Colada Loader
Internal loader platform · UEFI to user-mode
A multi-stage Windows loader stack. A UEFI DXE component runs early in the boot pipeline, before user-land protections are up, with its own disassembler, hooking primitives, and direct kernel surface access. A C++ backend service speaks a custom TCP and HTTP protocol, performs remote manual mapping (the server maps the payload into the client), manages configs and component metadata, and is paired with a React / Express / MySQL admin panel. The user-mode loader frontend is hardware-bound, license-keyed, and CodeVirtualizer-protected throughout, with string obfuscation in the native code.
Not publicly available -
22 / 30 2024 · 09 Hidden
███-████████
███████████ ████ ███████ · ████████ ███ ████
A targeted Lua exploit chain written against a specific MTA:SA server's client-side scripting surface. Names withheld and details kept deliberately vague: the target is still online, and saying more would basically hand a roadmap to anyone who wanted to abuse the same vector. C++ payload, custom resource handling, a small loader interface, shipped as a single DLL. Built and used privately, never distributed. Earlier versions of similar exploits against the same target go back to 2022 and 2023, and all of them worked, but I'm only listing this one since it was the last one I wrote for that target before being asked to stop. cooper23 (the same outside collaborator credited on the 2023 MTA work) also wrote exploits against the same target back in 2022 and 2023, but has not done so since.
Hidden · target and name withheld -
23 / 30 2023 · 12 Internal
excalibur-loader
Internal loader · direct predecessor of Colada Loader
A Windows loader stack built around a kernel driver pair: a HWID checker driver that fingerprinted the machine from ring 0, and a separate injector driver that handed the payload to the target process. Both drivers were manually mapped into the kernel through a private vulnerable driver I reverse engineered myself (no public BYOVD), then hidden from the kernel's loaded-module lists so they would not show up under normal inspection. Like the later Colada Loader, the backend performed the manual mapping server-side for the user-mode payload, so it was materialised into the client rather than shipped over the wire. No UEFI stage, no DXE component: this one stopped at the kernel boundary. Never released, never even handed out to friends; used purely as the internal groundwork that the current, considerably stronger Colada Loader was built on top of.
Internal · never released -
24 / 30 2023 · 11 Internal
InjectorDxe
First UEFI DXE injector · template for the Colada Loader EFI stage
The first complete UEFI DXE injector I wrote, and the direct architectural template for the EFI stage that now lives in Colada Loader. Built on EDK II in C, the driver hooks a late firmware boot service from the UEFI side, persists across the transition into the Windows kernel's virtual address space, then inline hooks an early kernel initialisation routine so payload code runs at the right point in the boot pipeline, long before any user-mode protections exist. Ships with an in-tree HDE-based length disassembler, a small `ntos`/`ntdef` surface for the kernel structures it touches, and a user-mode companion with PDB symbol resolution. The foundations were already in place by May 2023, and the rest came together by November 2023. Colada Loader's EFI side grew out of this, but the core logic and structure of the InjectorDxe driver hasn't really changed since. Colada also added an automatic loader for the EFI component, so it can be dropped on a FAT32 USB drive and booted from directly, without ever touching the EFI shell.
Internal · never released -
25 / 30 2023 · 06 Internal
KernelInjector
First kernel-mode project · DLL and driver mapper
My first real foray into Windows kernel-mode development, and the toolchain we used early on to manually map DLLs and drivers into target processes. The v1 stack pairs an x64 user-mode injector with a self-signed kernel driver and exposes three injection methods against the target: manual map with `RtlCreateUserThread`, manual map with thread hijacking, and manual map with `QueueUserApc`. The v2 rewrite drops the custom driver in favour of a reverse engineered ASUS IO driver (`AsusIO2`), talking to it over IOCTLs to perform user physical memory mapping through four allocation strategies (ExPool, MDL, contiguous, independent-page), with PDB symbol parsing on top so kernel structures can be located by name. Pure tooling, never released; later projects (excalibur-loader, then Colada Loader) grew out of what was learned here.
Internal · never released -
26 / 30 2023 · 05 Sold
██████████
MTA:SA Cops & Robbers gamemode · sold to a third party
A full Cops & Robbers MTA:SA gamemode built on top of a custom resource framework with roughly 90 resources: accounts, achievements, banking, ATM robberies, fishing, drug dealing, jobs (trucker, pilot, lumberjack, mining, forklift), vehicle and clothes shops, garages, tuning, paintjobs, paynspray, petrol stations, food shops, interiors, safezones, party system, duels, wanted system, police job and LSPD map, lucky wheel, level and skill systems, quests, custom HUD with dashboard and scoreboard, in-game language switching, and a minigame pack (lockpicking, balance, bar, tap, pincode finding) for the heist-style activities. Originally meant to ship inside the RobMTA launcher; sold to a third party who asked that the project not be named publicly. Partly inspired by SAS Network, a defunct but beloved MTA:SA Cops & Robbers server that shut down in 2021. Built together with cooper23, an outside collaborator on the 2023 MTA work and not part of Colada (Colada was founded in 2025).
Sold · name withheld -
27 / 30 2023 · 02 Internal
RobMTA
Abandoned MTA:SA fork · launcher · backend · site
An abandoned four-part private fork of Multi Theft Auto: San Andreas. A modified mtasa-blue client and server (C++) with custom branding and patched internals, a full EasyAntiCheat integration wired from launcher handshake through to in-game scripting (with custom exports like `getServerEACState`), and a custom serial system replacing the stock MTA serial. A C++ launcher built on ImGui and Direct3D 9 handles login, registry setup, version checks, and patching the client. A Node.js + MySQL backend signs auth responses with RSA and ships AES-encrypted patch manifests for per-release client and launcher versions. A PHP marketing site at robga.me hosts the login flow and account pages. Shelved before reaching a public release. Built together with cooper23, an outside collaborator on the 2023 MTA work and not part of Colada (Colada was founded in 2025).
Not publicly available -
28 / 30 2022 · 10 Internal
excalibur-mtasa
Internal MTA:SA cheat
A C++ DLL targeting the Multi Theft Auto: San Andreas client. Hooks the game's native call surface, instruments the client through `CHook` and `CMemory` helpers, exposes extended classes back to Lua, and ships with a Lua bootstrap layer. Internal tooling for one of the older MTA:SA projects in the workshop.
Not publicly available -
29 / 30 2021 · 12 Internal
internal-loader
Internal cheat loader with manual-map and ImGui menu
An early C++ Windows cheat loader, really more of a test than a product. A connection manager talked to the backend, a basic manual-mapping injector delivered the payload without touching disk, a JSON-driven menu variable system fed an ImGui in-game UI. Trivially bypassable in hindsight, and in no way related to the current Colada Loader, which is built on entirely different foundations.
Not publicly available -
30 / 30 2021 · 09 Internal
hourboost
Steam idle / hour boosting service
A Node.js service that signs Steam accounts in through steam-user, parks them in games to accrue playtime, and exposes a small web UI and WebSocket feed for live account state. Persists accounts and sessions in MySQL, relays status changes to Telegram, and runs under Docker. The oldest project in this list, predating most of the workshop.
Internal tooling
How we work
A working pattern, not a methodology. Four habits we keep, and a short list of things we politely do not do.
Scope honestly, in writing
Before code we describe what we will build, what we will not, and what will likely change. If something is unknown, the document says so instead of pretending.
Ship in small, visible steps
We push to a branch you can pull from week one. You see the project grow rather than appear at the end, and we course-correct early when something is off.
Test what matters
We write tests around the parts that would hurt in production — auth, payments, anything that touches user data. Not for coverage trophies.
Deploy and operate it for you
Docker by default, behind nginx or Cloudflare. We can hand over the repo and walk away, or keep running the thing for you. Your choice.
Things we don't do
- Design-only or wireframe-only engagements.
- Fixed-bid pricing without a paid discovery week.
Developers
Two people, one workshop. We worked independently for years and joined forces in 2026. Each of us leads our their own projects from start to finish and steps in on the other's work when it helps the result.
unrivaled formerly known as tarcseh
Owner · Developer
Founder. Leads systems, infrastructure, and reverse-engineering-heavy work, and ships full products across the stack. Comfortable across the whole devops and networking stack: Proxmox, Docker, OPNsense and OpenWRT, nginx, WireGuard, Postgres, MySQL, Grafana, high-availability services, monitoring, and a lot of other infrastructure stuff.
eldob6os
Co-owner · Developer
Co-owner. Leads several of the workshop's projects himself, owning the design, the code, and the parts users touch, and contributes across the stack on the rest. Also handles his own infra: comfortable with Linux, Docker, and WireGuard for day-to-day deployment and networking.
Common questions
Things people reasonably ask before sending us a paragraph about their project. Answered the way we would answer in email.
01
Are you a registered company?
Not yet. Colada is the working name of two independent developers in Hungary. For now, contracts are signed in our personal names and invoiced individually. If a client needs a registered entity to sign with, we are happy to incorporate as part of the project.
02
Where are you based, and how do you work?
We are based in Hungary, working remotely. There is no office. Communication runs over email and whichever chat tool your team uses; we are comfortable with most of them. We work in English and Hungarian.
03
How does pricing and payment work?
Most engagements start with a short paid discovery week so we can give a real estimate instead of guessing. After that, projects run either at a weekly rate or in fixed phases with milestone payments. Bank transfer in EUR or HUF; crypto only if you ask for it.
04
Will we see the code as you build it?
Yes. From the first week the repository is yours and you can pull at any time. We push small, reviewable commits, so there is no "big reveal" at the end. If you want to bring in your own engineers to review, even better.
05
Who owns the code, and can you list us as a
client?
You own everything we write for you, including all repositories, assets, and deployment configuration, transferred on final payment. We ask for permission to mention the project on this page — name and description only — and accept a no cheerfully if that is what the work needs.
06
What happens after launch?
We can hand the project over with deployment docs and walk away, or keep operating it for a monthly retainer that covers updates, monitoring, and on-call. We do not take pure maintenance contracts on code we did not write.
§ 06
Have a program in mind, and actually want it built?
Write a paragraph about what you want, and we will reply within 48 hours during weekdays. No template, no form, just a plain email.