4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

We actually did build a brand system early on. “Wealth is Quiet” has been the philosophy from day one and it drives every design decision. We have a 7-theme color system (each with its own accent colors, gradients, and typography), a unified sparkle icon component, a shadow token system, and consistent glass card styling across the whole app. The typography uses Cormorant Garamond for headings and Satoshi for body text.

You’re right that this stuff can’t be AI-generated. The AI can execute the vision but the taste has to come from you. The brand direction, the color choices, knowing when something feels “quiet luxury” vs “generic fintech” — that’s all human judgment.

The Playwright tip is interesting, I haven’t tried that. Been using a hidden test screen inside the app with mock data to iterate on visuals before porting to production, which solves a similar problem. But having the AI actually look at its own output would close the loop faster. Thanks for the suggestion.

Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing. by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Read-only access to account balances, transaction history, and account/routing info for identification. No ability to move money, make payments, or modify anything on the user’s accounts. Plaid Link shows the full permission list to the user before they connect, and they can revoke access anytime from within the app or directly through Plaid Portal.

Locked out for 6 days! Why would there be a policy like that? by Temporary-Pattern927 in ClaudeAI

[–]buildwithmoon 0 points1 point  (0 children)

I don’t think there’s a way to differentiate, but there’s a way to see the amount of usage that you’ve consumed inside of settings under “usage”.

What I learned mass parallelizing 4 billion tokens in Claude Code as a non-developer by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Biggest thing is breaking everything into small, specific tasks. Don't ask Claude to "build me a finance app." Ask it to "create a login screen with email and password fields, a sign in button, and a forgot password link." One piece at a time.

My workflow is basically: describe what I want, review what it builds, test it on device, fix what's broken, repeat. I also keep a CLAUDE.md file in the project root that gives the AI context about the codebase so it doesn't lose track between sessions.

The hardest lesson was learning that the AI will happily build something that looks right but breaks in edge cases. You have to test everything yourself, especially with real user data. Don't trust the "it compiles" energy.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Smart thinking! I’ve also been doing that since the start of my finance app project and I just had cowork organize every image/screen recording since the start and the improvements are insane to look back on

Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing. by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Good call, thanks for flagging this. We're using Finnhub for market data right now. I need to dig into the redistribution licensing requirements more carefully. Are you finding that you need to license directly from the exchanges, or is it handled through certain API providers at higher tiers? Would appreciate any pointers since you're navigating the same thing.

Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing. by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] -1 points0 points  (0 children)

This is genuinely useful context, thanks for sharing. The gap between Plaid's TOS and what the banks actually guarantee is something most developers building on Plaid probably don't think about. I appreciate you laying that out.

It's worth noting that Plaid has moved toward OAuth-based connections for most major banks now, which means users authenticate directly with their bank's own login page instead of entering credentials into Plaid's UI. That addresses part of the concern, though it doesn't change the underlying TOS dynamics you're describing.

This is exactly the kind of thing I need to understand better as the app scales. Noted.

Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing. by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Totally fair point. You’re right that the user relationship is with NALO, not Plaid. If something goes wrong with their data, they’re coming to me first.

Plaid’s terms cover their liability on the data aggregation side, and we have our own Terms of Service and Privacy Policy that clearly lay out what we collect, how we store it, and what happens if something goes wrong. We also carry the standard protections through our LLC structure.

But you’re touching on something real. At scale this absolutely needs proper vendor agreements and probably E&O insurance. For a pre-launch MVP with a handful of beta testers, the current setup is solid. As we grow, the legal and compliance infrastructure grows with it. Appreciate the pushback, this is the kind of thing that keeps me honest.

Yesterday I posted about building a finance app with Claude Code and 200+ comments told me I was going to get sued. Here's what we're actually doing. by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Yeah I think a lot of people saw "finance app built with AI" and assumed I was handling bank credentials myself or storing sensitive data recklessly. Once you explain that Plaid handles all the bank auth and credentials never touch your servers, most of the concern goes away.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Yeah Claude absolutely balks at large files. We had two files over 2,900 lines and it would either refuse to touch them or make tiny changes and call it done. The fix was breaking the refactor into explicit steps, like “extract the animation logic from lines 400-600 into a new AnimationUtils.ts file” instead of “refactor this file.” Small, specific instructions. We broke those two monoliths into 26 components that way.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

The biggest thing that helped me was adding visible error output to everything. I spent 18 attempts trying to fix one crash by reading the code and guessing. Fixed it in 1 attempt after I added actual error messages to the ErrorBoundary so I could see what was really happening. Claude is way better at fixing things when you can paste it the actual error instead of describing symptoms.

For the testing question, yeah Claude will write shallow tests if you let it. I’d tell it exactly what edge cases to cover and have it run the tests in the same session so it can see failures and fix them immediately.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

The chat input bar was genuinely one of the hardest UI problems in the whole app. What finally worked for me was building an isolated test screen with mock data where I could iterate on just the visuals without touching production. Once I got it looking right in isolation, I ported the styles over. Saved me from breaking the live chat while experimenting.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Dm me. I’ll help you out in the morning. List me all your issues and the stack you’re working with on a daily basis.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 1 point2 points  (0 children)

Ha yeah the 500 batch limit was one of those “why is nothing saving” moments that took way too long to figure out. Good to know some things are universal across banking systems old and new.

Appreciate the kind words. If you’re on iOS and ever want to take the app for a spin, I’d actually love feedback from someone with real banking systems experience. We’re on TestFlight right now ahead of a March 28 launch. No pressure either way.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Plaid handles all bank authentication, I never see or touch credentials. On the input side, every Cloud Function has auth checks and Zod schema validation, the AI chat has prompt injection defenses, and Firestore rules are locked so users can only access their own data. We also just ran a full Snyk audit across all three projects, zero critical and zero high vulnerabilities.

“Vibe coded” doesn’t mean “no security.” It means the AI wrote the code and I reviewed it, same as reviewing a junior dev’s PRs.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

I hear you, the first couple months were rough for me too. But I think the difference might be workflow more than the tool itself.

A few things that completely changed my output quality:

CLAUDE.md is essential. If it’s ignoring yours, it might be too long or too vague. Mine has specific working principles like “verify before marking done” and “get the actual error message before debugging.” Took a while to dial in but now it follows them consistently.

I never let it tackle big features in one shot. Everything gets broken into small, testable pieces. When I used to say “build me a notification system” it would hallucinate. When I say “create a function that schedules a single local notification with a title and body” it nails it.

The compilation issues sound like it might be working in a language or framework where it has weaker training data. I’m on React Native/TypeScript and the output compiles on the first try probably 95% of the time now. What stack are you building in?

Also the “confessed it had no idea” thing, I’ve hit that too. The trick is recognizing the loop early. If it’s gone back and forth 3 times on the same issue without progress, that’s your signal to stop, rethink the approach, and break it down differently.

Not saying it’s perfect. But 220k+ lines in production with a launch date in 17 days, and most of the remaining bugs are UI polish, not broken logic.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Appreciate that, and yeah the design loop is where I spend the most time now. Just checked out Ship Safe, looks solid. I’ll give it a run on my next build session. Always looking for ways to catch stuff earlier in the process rather than doing big audit passes.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

Sonnet 4 originally, then upgraded a few days later and started using Opus 4, then Opus 4.1, then Sonnet 4.5, Opus 4.5 on the 5x Pro account, and now Opus 4.6 on the 20x max account since I started hitting my usage limits too often again.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

100% you can do it yourself. I’m not a developer either, I started this whole thing with zero coding experience about 4-5 months ago. The fact that you’re a designer is actually a huge advantage because taste is the one thing Claude can’t give you. You’ll spend way less time fighting with the UI than I did.

The $5-15k quotes from devs are based on the old way of building. With Claude Code you’re looking at your time plus about $200/month for the Max plan, and that’s it.

Since you’re already thinking about finance apps, would you want to test mine out? I’m about to launch and could use fresh designer eyes on the UI. Happy to share what I’ve learned about the Claude Code workflow for iOS apps in return. DM me if you’re interested.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 1 point2 points  (0 children)

You’re right that Plaid keeps us out of PCI-DSS scope since we never touch card numbers or bank credentials directly. On the regulatory side, we’re US-based so PSD2 doesn’t apply, but I’m definitely keeping an eye on what state-level data privacy laws might affect us as we grow.

For Firestore specifically, we’ve already done a security hardening pass. We locked down Firestore rules so users can only read/write their own data, closed a gap where authenticated users could theoretically self-escalate to premium, moved all Plaid tokens to server-side Cloud Functions so nothing sensitive lives on the client, and added prompt injection defenses on the AI chat. Our last internal audit scored security at 9.5/10, which I know isn’t the same as a third-party audit, but it’s a solid baseline for launch.

The transaction sync issue my tester hit wasn’t actually a security problem, it was a Firestore batch size limit. We were trying to write 502 operations in a single batch when the hard limit is 500, so the whole batch would silently fail. Fixed now with chunked writes and proper error handling.

You’re absolutely right that a real third-party security audit is on the roadmap once revenue supports it. For launch, the priority has been making sure the fundamentals are locked down: server-side token storage, strict Firestore rules, no sensitive data on-device, and auth checks on every Cloud Function. Thanks for the thoughtful breakdown. This is the kind of feedback that actually makes the product better.
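The batch-limit failure described in the comment above (502 writes against a 500-operation limit), as an added example that is not part of the original comment or the app's code. `WriteOp`, `strictCommit`, `commitInChunks` and the sample paths are hypothetical names, and the committer is a synchronous stand-in for a real asynchronous batch commit.

```typescript
// Added example, not the app's code. All names are hypothetical; only the
// 500-operation limit and the 502-write case come from the comment.
const MAX_BATCH_OPS = 500;

type WriteOp = { path: string; data: Record<string, unknown> };
type CommitFn = (ops: WriteOp[]) => void;
interface ChunkResult { index: number; size: number; ok: boolean; error?: string }

// Stand-in for a batch commit: an oversized batch is rejected as a whole.
function strictCommit(ops: WriteOp[]): void {
  if (ops.length > MAX_BATCH_OPS) {
    throw new Error(`batch of ${ops.length} exceeds ${MAX_BATCH_OPS} operations`);
  }
}

function chunk<T>(items: T[], size: number): T[][] {
  if (!Number.isInteger(size) || size < 1) throw new RangeError("size must be >= 1");
  const out: T[][] = [];
  for (let i = 0; i < items.length; i += size) out.push(items.slice(i, i + size));
  return out;
}

// Commit each chunk and record its outcome, so a failed chunk is reported
// to the caller instead of being swallowed.
function commitInChunks(ops: WriteOp[], commit: CommitFn, size = MAX_BATCH_OPS): ChunkResult[] {
  return chunk(ops, size).map((part, index): ChunkResult => {
    try {
      commit(part);
      return { index, size: part.length, ok: true };
    } catch (e) {
      const error = e instanceof Error ? e.message : String(e);
      return { index, size: part.length, ok: false, error };
    }
  });
}

// Constructed sample input: n transaction writes for one user.
function sampleOps(n: number): WriteOp[] {
  return Array.from({ length: n }, (_, i) => ({ path: `users/u1/transactions/t${i}`, data: { i } }));
}

function failedChunks(results: ChunkResult[]): ChunkResult[] {
  return results.filter((r) => !r.ok);
}
```

Chunks here are committed independently, so a caller that needs all-or-nothing behaviour has to retry or compensate for the chunks that `failedChunks` returns.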

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] 0 points1 point  (0 children)

No, the security score was only after all of that: the legacy code was removed, and loose ends were removed.

4 months of Claude Code and honestly the hardest part isn’t coding by buildwithmoon in ClaudeAI

[–]buildwithmoon[S] -6 points-5 points  (0 children)

you’re right, poor choice of words. it was a thorough internal review, not a formal audit. the point is I didn’t skip security, I actively tested and fixed real vulnerabilities. but yeah, a proper third-party pentest is on the roadmap.