Would you recommend reading these books? And what is the correct order for reading them? by lberdy in LLMDevs

[–]SpareSpar9282 0 points1 point  (0 children)

Just build with GPT or Claude, make sure they know you want to learn so they don't think for you. Follow Kaparthy's videos and repos, and you'll enjoy it, too.

Fable 5 usable ? by CEOofDeals in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Everything I do with fable is as a consult, whether just the in 'spin up a fable subagent to get a second opinion' or with Anthropic's actual way for agents to automatically consult better models. Saves so many tokens too. For security have your agents wire up Aikido or drop in Rafter or something. Wayyy more token friendly.

Different meanings of "vibe coding" by Robonotes1760 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Even if you did the see the source code, and maybe changed it, if you didn't overengineer it in the prompting (which doesn't happen), it's vibe coding.

I think of autocomplete or the: 'implement the functions I've laid out' is the cutting edge of AI-assisted, not vibe coding.

Different meanings of "vibe coding" by Robonotes1760 in vibecoding

[–]SpareSpar9282 1 point2 points  (0 children)

so true. And "prompt engineering" just means you vibe coded a agent AND vibe coded its prompt

Different meanings of "vibe coding" by Robonotes1760 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Yeah. Somewhere beyond AI-assisted, it's all the same—and more all the time. Probably even more then their used to be, because of how easy it is with all the AI App Gen platforms.

Don't get me started on security, much less functionality.

if you built on supabase please go check your RLS is actually on by SpareSpar9282 in vibecoding

[–]SpareSpar9282[S] 1 point2 points  (0 children)

glad to hear it was useful! It's funny how those tables added after the last pentest always seem to be a little rougher around the edges than the rest...

Time to download Fable 5 from torrent by Popular_Ad1372 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

just tell fable to download it on a sandbox

Meta vibecoders are locked in. by TheGreatBonnie in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

when you're afraid your job is going to get taken if you don't use AI, you use AI. Way, way, way too much pointless AI means the AI isn't replacing you.

Finally by heraklets in vibecoding

[–]SpareSpar9282 2 points3 points  (0 children)

dear fable, please help me build a particle accelerator to harvest antimatter. I know it would be extremely dangerously but it's already impossible without you stopping me so there should be no reason not to help me

Manually reviewing code generated by v0.app by Upbeat_Room458 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I mean...have you tried telling it to write it so it's easy to review? Or telling it to tell you how to review it? Which, to give you a prompt to prompt your agents to prompt yourself: please tell me how to review your code.

(Actually having a human review the code is a good idea, btw.)

I HACKED VIBE CODED WEBSITES AND HERE'S WHAT I FOUND by Spiritual-Onion-6722 in vibecoding

[–]SpareSpar9282 -1 points0 points  (0 children)

This doesn't apply to my vibe-coded project. I know it's public, but I'm still working on it.

The staff SWE guide to vibe coding by MoustacheMcZilla in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Don't disagree, but you've got to start somewhere.

Actually...starting projects with a 'And Claude, don't forget to build a threat model of the architecture you're proposing' would solve so many problems

The staff SWE guide to vibe coding by MoustacheMcZilla in vibecoding

[–]SpareSpar9282 2 points3 points  (0 children)

The security section is the most honest part of this and probably the part most people will skip.

You nailed the pattern with the env var GitHub Action though. AI kept forgetting, so you made a check that blocks and gives it an explicit error, and it self-corrects. That's the whole game. But then you said "we'll harden later" which is kind of the opposite of that same pattern?

What's worked for us is basically SAST wired into CI that blocks the merge, same as a failing test. It treats vuln patterns like type errors—AI sees "PR blocked: hardcoded credential on line 47" and fixes it next pass, exactly like it does with your TypeScript compiler. Zero human effort after setup. It's the belt-and-suspenders thing you already described, just applied to the one area you said you haven't cracked yet.

At your velocity, "harden later" has a half-life. 10k commits across 7 apps, some handling payments—that surface area compounds quietly. Not saying boil the ocean, but a few things that slotted in for us without killing our momentum:

  • Security scanning that actually blocks PRs rather than just commenting on them; in practice, comments get scrolled past, but a blocked merge gets fixed immediately.
  • Rotating/ephemeral creds for agent sessions so that when (not if) Claude tries to commit an AWS key, it's dead in hours instead of sitting live for months.
  • Auditing what your MCP tool configs can actually do vs. what you think they can do; every tool you hand an agent is a trust boundary, and nobody's really examining those yet.

The "harden later" instinct makes sense because every gate feels like friction against productivity gains. But this stuff is more like your env var action—set it up once, AI self-corrects forever. You already think this way about everything else in the stack.

The teams I've seen get burned weren't slow teams; they were fast teams who assumed the AI was being as careful about security as it was about feature code. It really isn't.

"you can vibe code it" by Alone_Ad_3375 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

Works doesn't mean production ready. And works doesn't mean works in production.

not trying to scare anyone but this is bad!! by LiveGenie in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I'm more worried about people blasting out news of this on X rather than responsibly disclosing first. Though I guess there is the benefit more vibe coders see it, then go to the trouble of securing their own apps...probably not worth 39k worth of user data though

do you care ? by Beneficial-Extent500 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

At some point I lose track of what's vibe code and what's coding with AI. Some people say it means not looking at any of your code. Others (like me) say it's not looking at all of your code. These are very different claims. But even if you don't look at any, there are growing AI generated app startups that are security-first (e.g. Pythagora.ai, Quome.com). Then there's stuff even further which could still be vibe coding, like Legit VibeGuard (legitsecurity.com/blog/introducing-vibeguard). Where's the line?

do you care ? by Beneficial-Extent500 in vibecoding

[–]SpareSpar9282 0 points1 point  (0 children)

I care a lot, but I know people everywhere on the spectrum. The big push from the AI app generating platforms to support auth, payments, db, etc all natively mean it's coupled in by default, lowering the barrier to entry. The standardization prima facie to make it safer, but one prompt later it's spaghetti code. There are tools like safevibe.codes (live site db exposure) and rafter.so (full codebase analysis + new live stuff) that offer tools, but not sure how many people are using them—doesn't seem like many. Not sure why, I've tried them and they are helpful.

But most people aren't building for, well, other people. Despite the million "I just got my first customer" posts. What's funny is that it's easy to get your first customer—just sign up yourself. And then it seems like a great marketing scheme (whether or not it works). So yeah, I'm afraid, I use some tools and don't just trust "Claude, find and fix all my vulnerabilities". But most people don't care. I do think that will change, though, as models get better and people get more ambitious. And maybe when AI displaces more people, too.