How I built ThreadCrunch — solo, on Cloudflare's stack
ThreadCrunch is a solo build. Here's the stack and the interesting decisions along the way.
The stack:
- Cloudflare Email Workers — receive inbound email at custom addresses
- Cloudflare Workers — API and all business logic (TypeScript)
- Cloudflare D1 — SQLite database
- Cloudflare Pages — Vue 3 + Tailwind CSS frontend
- Stripe — subscriptions + metered billing for AI analysis
- Resend — transactional emails (thread ready, payment links, errors)
- Claude Sonnet (Anthropic) — AI thread analysis
Why Cloudflare for everything?
Email receiving, compute, database, and hosting on one platform. No glue between services. Email Workers are the key piece — they let me receive email directly in a Worker without a separate email provider or webhook relay.
The hard part: parsing email threads
Every email client formats forwarded threads differently. Outlook uses separator lines and inline header blocks. Gmail uses "On {date}, {person} wrote:" with > quoted lines. Webmail clients use RFC 3676 format=flowed, which joins soft-wrapped lines and destroys thread structure if your MIME parser decodes it naively.
I built a custom thread splitter that handles all of these, including mixed-client threads (someone replies from Outlook to a Gmail chain). The edge cases were endless — header fields wrapping across lines, nested quoted replies inside Outlook blocks, space-stuffed lines from webmail.
AI analysis design
The prompt does sequential per-message analysis (tone, emotion, response timing, intent, power dynamics) before synthesising into a structured output. This produces significantly better results than asking for a flat "analyse this thread."
The trickiest part was orientation — without explicit rules, the model writes advice for whoever "needs it most" rather than the person who actually forwarded the thread. The system prompt now has strict rules about perspective: next steps and suggested reply are always from the forwarder's point of view.
Security: AI
Since users forward real email threads, prompt injection is a real concern. Input sanitisation covers Unicode lookalike characters, zero-width chars, delimiter breakout tags, and common sandbox escape patterns. The analysis output is also sanitised (URLs stripped, HTML removed) before storage. Input is capped at 50K characters and output at4K tokens. The best defence is honestly the paywall — you need a $5/month subscription to even get an email processed.
Data and privacy
This came up on a Facebook thread — someone's first reaction was to block the domain in their email gateway. Fair enough. Corporate email being forwarded to an external service and made accessible via URL is a legitimate concern.
Here's how I think about it: ThreadCrunch doesn't enable anything that isn't already possible. Anyone can forward an email to anyone else, paste it into Slack, print it as a PDF, or leave a printout on a café table. What ThreadCrunch does is make the result cleaner and more readable.
That said, the concerns are valid, so here's what I built in:
- Thread URLs are unguessable — 12-character random tokens, not sequential IDs
- Auto-delete after 7 days — threads and all associated data are purged on a daily cron
- No indexing — thread pages have noindex meta tags, so search engines won't crawl them
- No accounts or dashboards — there's no central place where all your threads are browsable
- Stored securely on Cloudflare's infrastructure (D1 database, Workers runtime)
- Raw email is not exposed — only the parsed, cleaned conversation is shown
If your organisation's security policy says don't forward email externally, then yes — block the domain. That's the right call for that environment. ThreadCrunch is for the people who are already forwarding threads and want a better way to do it.
What I'd do differently
I'd spend less time on the landing page and more time getting real threads through the system earlier. The parser edge cases only surfaced when real people forwarded real threads from real email clients — test fixtures only get you so far.
Replies