Addy, I fully agree with everything you shared. Your article is not only insightful but also brings a much-needed sense of maturity to the conversation around AI-assisted development.
What I’d like to add from my own experience is this: now more than ever, it's crucial that we build a solid mental foundation—clear principles, patterns, and paradigms—for how we approach and collaborate with AI. It’s not just about speed; it’s about developing a mindset that knows how to extract value from these tools while staying grounded in good engineering practices.
Even platforms with great version control and structure can break down if there's no conscious framework guiding how we use them. Personally, I’ve been exploring the use of custom instructions—refining a set of rules that define base premises, forbidden actions, and conversational boundaries. It’s been helping me turn the AI into a real partner instead of a chaotic code generator.
I’d honestly love to see a future piece from you exploring this idea—
“Rules before Vibes: A framework to avoid depressed coding™” 😅
Thanks for pushing the conversation forward with such clarity and depth.
Such a lovely well written and comprehensive article for something we're still wrapping our heads around.
I personally feel this is a pretty significant paradigm shift in the way we do things. Despite being on the conservative side, where I do look down upon vibe-coded, AI-bug-riddled projects, I do acknowledge the fact that the change is inevitable.
And a root of a lot of my derision does stem from an existential threat from the "new way of doing things", which just puts greater stress on needing to find the middle ground between velocity and discipline.
As much as I don't want to bring out an "old man yells at cloud" energy, I do believe there are going to be some messy times ahead till we reach the balance. There's going to be a lot more talk on protocols to understand the mix of scrutiny vs. vibing. But in the end, vibing by definition, wherein it is absolved from any form of control, might not exist in its so-called truest sense for anything that even touches production code.
100% agree. Vibe coding is NOT a replacement for production-level coding, but it’s a great option to build personal projects and prototypes. It lowers the barrier to start building. It feels amazing to just talk through your ideas and see them turn into working code.
But we should be diligent about reviewing the AI-written code, ensuring that it is secure, performant and architecturally stable.
I am glad that people like you, Simon et al. are clarifying the difference between vibe coding and LLM-assisted coding.
This hits close to home. I just worked with a client who vibe-coded an entire app and didn't think about security until I mentioned Snyk for static content analysis. I wasn't as keen on Snyk.io as the fact it is easy to use and would show them that the code had serious issues.
Their "solution"? Screenshot Snyk vulnerabilities and have Claude fix them until they got zero errors.
The problem isn't just that they were reactive about security - it's that they had no way to evaluate whether Claude's fixes were actually solving the problems or just making Snyk happy.
When you don't understand web app security fundamentals, how can you possibly audit an AI's security recommendations? The code had SQL injections, no MIME checking on file uploads, no suffix protection of file uploads -- meaning someone could just upload a PHP shell kit.
They bypassed GitHub integration, code review, everything. Just Claude fixing whatever Snyk flagged in isolation, with no context about how those changes affected the overall security posture.
Your "Russian roulette" metaphor is perfect. They thought they were being responsible by running security scans, but they were still gambling that an AI could architect secure solutions without human security expertise in the loop.
The scary part? This client was convinced they'd "solved" security because Snyk showed green. They had no idea they might have introduced new attack vectors that Snyk doesn't catch, or that their authentication logic might be fundamentally flawed.
Vibe coding works until it doesn't. When it comes to security, "doesn't work" often means you don't find out until you've been breached.
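The upload weaknesses described in the comment above (no MIME checking, no suffix protection) are the kind of thing a scanner may or may not flag, and the kind of thing a reviewer should be able to verify by hand. The following is an added example, not code from the article or from the commenter's client project, showing what a hardened upload check looks like: an extension allowlist judged on the last suffix, a declared Content-Type that must agree with that suffix, a magic-byte check on the actual body, and a server-chosen storage name. The allowlist, magic prefixes and sample files are constructed for the example.

```python
"""Hardened file-upload validation (added example; allowlist and samples are constructed)."""
import hashlib
from dataclasses import dataclass

# Extension -> (MIME type the client must declare, magic-byte prefixes the body must start with).
# Only formats the application actually needs are listed; anything else is rejected outright,
# which is what keeps server-side executable suffixes from ever reaching the web root.
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "pdf": ("application/pdf", (b"%PDF-",)),
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Verdict:
    """Return a Verdict for one upload; every check must pass before the file is accepted."""
    # Strip any path component the client sent; only the bare name is considered.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return Verdict(False, "no extension")

    # 1. Suffix check: decide on the LAST suffix, lower-cased, against the allowlist.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} not allowlisted")
    expected_mime, magics = ALLOWED[ext]

    # 2. Declared Content-Type is client-controlled, so it is never trusted alone,
    #    but it must at least agree with what the suffix promises.
    if declared_mime.lower() != expected_mime:
        return Verdict(False, f"declared type {declared_mime} does not match .{ext}")

    # 3. Magic bytes: the body itself has to look like the claimed format.
    if not any(data.startswith(m) for m in magics):
        return Verdict(False, "content does not match claimed format")

    # 4. Store under a name the server chooses; the user-supplied name never hits the filesystem.
    stored = hashlib.sha256(data).hexdigest()[:32] + "." + ext
    return Verdict(True, "ok", stored)


# Constructed sample uploads: (declared Content-Type, body bytes).
SAMPLES = {
    "photo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),        # valid
    "report.pdf": ("application/pdf", b"%PDF-1.4\n%constructed"),           # valid
    "tool.php": ("image/jpeg", b"\xff\xd8\xff\xe0"),                         # suffix not allowlisted
    "avatar.jpg": ("image/jpeg", b"<?php echo 'constructed'; ?>"),          # body is not a JPEG
    "pic.jpg": ("text/plain", b"\xff\xd8\xff\xe0"),                          # declared type disagrees
    "photo.PNG.php": ("image/png", b"\x89PNG\r\n\x1a\n"),                   # last suffix decides
}


def run_samples() -> dict:
    """Map each constructed sample name to whether validate_upload accepts it."""
    return {
        name: validate_upload(name, mime, data).accepted
        for name, (mime, data) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (mime, data) in SAMPLES.items():
        v = validate_upload(name, mime, data)
        print(f"{name:14} accepted={v.accepted!s:5} {v.reason} {v.stored_name}")
```

The order of the checks matters less than the fact that all of them run and that a reviewer can read each rejection reason; a scanner going green says nothing about whether a check like the magic-byte comparison exists at all, which is the gap the comment is pointing at.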
https://substack.com/@consanareal/note/p-175261797?r=6emfa2&utm_medium=ios&utm_source=notes-share-action
Coding with flow, when creativity and logic meet.