CodeZera
@codezera11

3.4K posts

CRUD Developer | Tech Blogger https://t.co/6nL00hw1VN

Kota, Rajasthan · Joined October 2021
168 Following · 113 Followers
CodeZera reposted
Noah @NoahKingJr
Vibe coders debugging an app they built with Claude Code:
CodeZera reposted
Nyk 🌱 @nyk_builderz
If Claude keeps repeating the same mistakes, you don’t need a longer prompt - you need a skill. I wrote a practical guide to building Claude Code skills that auto-invoke when relevant:
• SKILL.md structure
• trigger design
• allowed-tools safety
• templates/examples
What’s one task Claude keeps getting wrong for you?
Nyk 🌱@nyk_builderz

x.com/i/article/2037…

CodeZera reposted
Ojas Sharma @OjasSharma276
The main problem which I believe every developer is starting to realize is this: You create a new feature in your product using AI from scratch. Then you hit a problem during dev testing. Earlier, you knew your code like a master. Now the code is written mostly by AI, and debugging suddenly becomes much harder. In the near future, debugging will become one of the most important developer skills. AI helps you build small personal projects faster, but for scalable and large projects, debugging AI-generated code often takes almost as much time as it took to create the code itself.
CodeZera reposted
Winston Ighodaro @Officialwhyte22
THE FILE LOOKED NORMAL UNTIL I CHECKED WHAT IT WAS REALLY DOING I was sent a file not long ago and the person who forwarded it said it was just a document they had downloaded in a hurry. On the surface, nothing looked dramatic. The file name was ordinary, the icon looked fine, and if you ask most people, they would open it without thinking twice. But one thing about it did not sit well with me. The file had been dropped in a place where that kind of document does not normally come from, and the timing around it was also strange. So instead of opening it casually, I moved straight into checking what the system knew about it first. The moment I started looking properly, the story changed. The hash was unique, the execution history showed it had already run, and shortly after that, a new outbound connection appeared from the same machine. That is usually where the problem starts. A lot of suspicious files do not make noise immediately. They run quietly, create one child process, reach out to something outside, and then sit there hoping nobody notices. Below is exactly what I saw on my terminal.
Winston Ighodaro@Officialwhyte22

Can an exe file pretend to be a document?

CodeZera reposted
Lenny Rachitsky @lennysan
"Using coding agents well is taking every inch of my 25 years of experience as a software engineer, and it is mentally exhausting. I can fire up four agents in parallel and have them work on four different problems, and by 11am I am wiped out for the day. There is a limit on human cognition. Even if you're not reviewing everything they're doing, how much you can hold in your head at one time. There's a sort of personal skill that we have to learn, which is finding our new limits. What is a responsible way for us to not burn out, and for us to use the time that we have?" @simonw
Lenny Rachitsky@lennysan

"Using coding agents well is taking every inch of my 25 years of experience as a software engineer." Simon Willison (@simonw) is one of the most prolific independent software engineers and most trusted voices on how AI is changing the craft of building software. He co-created Django, coined the term "prompt injection," and popularized the terms "agentic engineering" and "AI slop." In our in-depth conversation, we discuss:
🔸 Why November 2025 was an inflection point
🔸 The "dark factory" pattern
🔸 Why mid-career engineers (not juniors) are the most at risk right now
🔸 Three agentic engineering patterns he uses daily: red/green TDD, thin templates, hoarding
🔸 Why he writes 95% of his code from his phone while walking the dog
🔸 Why he thinks we're headed for an AI Challenger disaster
🔸 How a pelican riding a bicycle became the unofficial benchmark for AI model quality
Listen now 👇 youtu.be/wc8FBhQtdsA

CodeZera reposted
Alvin Sng @alvinsng
It's Friday afternoon and I've merged 13 PRs this week so far. I used to ship 2-3 a week. This is on top of my tech lead duties: reviewing code, responding to Slack, design discussions, meetings, and conducting interviews. Is there more context-switching? Yes. Is my cognitive load higher? No. Most of my cognitive load used to come from coding itself, and I'd max out after about 6 hours a day. Now I've delegated most of that to agents and trust them to handle the bulk of the work. I spend more time finding patterns that should be automated, then automating them, so the cognitive load keeps shrinking over time. The best-kept "secret" in productivity? Don't work on parallel coding tasks. Throughout my career, I've mostly worked on a single code branch at a time. I only work on multiple code changes when I'm truly blocked. There's always background work to fill the gaps: reviewing code, responding to Slack, writing a design doc. This keeps mental load low and ensures each change gets merged before it drifts from main. Where do I think we're headed? The era of hundreds of 5-minute tasks a day. Most will only take 5 minutes or less of your time. Some in the foreground, others you kick off and get notified when they're done. It's going to seem scary, but with the right orchestration tooling it's fairly manageable. Not that different from working through a support inbox.
Lenny Rachitsky@lennysan

"Using coding agents well is taking every inch of my 25 years of experience as a software engineer, and it is mentally exhausting. I can fire up four agents in parallel and have them work on four different problems, and by 11am I am wiped out for the day. There is a limit on human cognition. Even if you're not reviewing everything they're doing, how much you can hold in your head at one time. There's a sort of personal skill that we have to learn, which is finding our new limits. What is a responsible way for us to not burn out, and for us to use the time that we have?" @simonw

CodeZera reposted
Brad Spengler @spendergrsec
Here's one of your three super advanced exploits for today's 6.6 LTS kernel: fgetxattr(31337, NULL, NULL, 0); That's it, that's the exploit.
CodeZera reposted
Georgios Konstantopoulos
Has anyone built an AI-powered regression monitor for rollbacks? Like a sentinel? Instead of running a real healthcheck of your services, you have an agent monitor post-deployment, and if regression/bug, it rolls back & tries to fix? So sorta like the old "known good" version monitors for its newer iteration and says "LGTM"?
CodeZera reposted
Eugene Ostroukhov @eeuoss
Got a crash report - assert hit. The usual "should never-ever happen". Spent time debugging - no idea how the user got there. "Claude - make a test case that reproduces this user crash". It did that.
CodeZera reposted
ludwig @ludwigABAP
the only good news about claude code's source code leaking is that i have finally backported the few good things about it and can now never use it again
CodeZera reposted
Ferron ⚡🦀 @ferron_web
"But Rust has strong memory safety guarantees!" When your async runtime (with io_uring) crashes: 1. ⌛️ Debugging segmentation faults... Found! io_uring use after free. 2. ⌛️ Debugging aborted programs... Found! Dangling pointers to the stack-allocated buffer. Oh no... 🥲
CodeZera reposted
Balogun Hammed @bhalloinfraguy
I once spent 6 hours troubleshooting why a Linux VM couldn't reach the internet after migrating it from VMware to Proxmox. Checked the firewall. Clean. Checked the gateway. Correct. Checked DNS. Resolving fine internally. Ran traceroute, packets dying at the first hop. I was convinced it was a routing issue, so I rebuilt the routes. , rebuiltthing. Then I checked the network interface name. VMware called it ens33. Proxmox renamed it to ens18. The netplan config was still pointing to ens33, an interface that no longer existed. The VM was basically shouting into a disconnected phone line. Changed one line in netplan. Applied. The Internet came back instantly. 6 hours. One line. Lesson: After any VM migration, always check if the NIC name changed. It's the simplest thing, and it will waste your entire day if you miss it.
CodeZera reposted
BloomOne @BloomOne
I did a double blind test before confirming this. Claude Code audited a plan twice, which I also had analyzed by Qwen3.5 free right now in @OpenRouter Both times CC missed a critical bug, both times Qwen3.5 flagged it. Def worth pulling into your workflow.
CodeZera @codezera11
@Gregorein I’ve seen this kind of AI-generated bloat too looks fine in code but falls apart at runtime, recently we found a tool called @hud_hq and it made it way easier to see what was actually slowing things down in prod
CodeZera @codezera11
lol yeah the “pay twice for the same bug” loop is too real, we hit that exact wall before, ended up wiring Hud.io into our flow and it’s been way closer to that “see it actually run and break” vibe, way less guessing compared to just staring at static output from claude/codegen tools
Abhijit @abhijitwt
> Claude wrote your buggy code, charged you $200
> now it’ll charge you again to fix the same code but but but…
> here comes depthfirst
> just raised $80M to build this
> actually sees how your app runs, not just your files
> finds the kind of bugs that show up only after things go live
> points out what can actually hurt you
> doesn’t spam you with nonsense alerts
> gives fixes you can just apply and move on
> literally tries to break your app before hackers do
> and fixes it like an engineer, not a chatbot
Andrea Michi@andreamichi

depthfirst has raised an $80M Series B at a $580M valuation. Attackers are using AI to break into systems faster than ever before. depthfirst is on a mission to stop this. RT + Comment “depthfirst” and I’ll send you a FREE vibe coding security agent.

CodeZera @codezera11
@ivanburazin i would like to add one more: Hud.io, it’s a tool that lets you actually see what’s happening at runtime, so even if your startup stack is tiny and cheap, you can make sure everything is running as expected before it hits users.
Ivan Burazin @ivanburazin
You could literally build and run a startup with 21 bucks per month.
- Claude = coding ($20/mo)
- Supabase = backend (Free)
- Vercel = deploying (Free)
- Namecheap = domain ($12/yr)
- Stripe = payments (2.9%/transaction)
- GitHub = version control (Free)
- Resend = emails (Free)
- Clerk = auth (Free)
- Cloudflare = DNS (Free)
- PostHog = analytics (Free)
- Sentry = error tracking (Free)
- Upstash = Redis (Free)
- Pinecone = vector DB (Free)

And make a total sales of $29. No one is building a serious startup on something because it's free. You choose something that makes you scale faster and ship better. Ofc, you could get free credits if your usage/demand exceeds normal volumes. But this listicle above is the newest form of slop on our feeds after "X/Y/Z is dead" and "I just replaced my $300k team with Claude/n8n"
CodeZera @codezera11
@NoahKingJr lol yeah it’s kinda crazy how good these tools got, still feels illegal to trust it fully tho, we’ve been leaning on @hud_hq to see what actually happens at runtime vs what claude thinks it did
Noah @NoahKingJr
Me reviewing Claude Code output before pushing directly to prod:
CodeZera @codezera11
i usually start by assuming they’re right and something is broken… just not where they think had almost the exact same situation, Hud.io made it super obvious the issue was upstream and not our code, saved us from chasing ghosts while they were (rightfully) pissed
Yogini Bende @hey_yogini
Got a refund request this week. "Your emails aren't working." Turned out their staging script had fired in production. Bounce rate spiked. AutoSend paused their campaigns automatically. Their domain reputation tanked so badly, even their support email landed in our spam. Still thinking about how few things look like product bugs when the real issue is somewhere else entirely. How do you respond to angry support emails?
CodeZera reposted
flux @0xfluxsec
I've spent all day working on an LLM <---> MCP tool to perform automated vulnerability analysis on a directory of binaries, working as a state machine. Screenshot of some output attached. The idea is that it will analyse its own results and make recommendations to a vulnerability analyst who can go off and triage further, which may speed up the process (and/or inspire other post-processing tools / workflows). I tested it with Claude + IDA Home and it found the same vulnerabilities through the tool as it did from yesterday. I then realised IDA Home doesn't include headless, so I spent this afternoon porting it over to Ghidra using an MCP integration there which was annoying as it was over a different protocol. Interestingly, switching to Ghidra as the backend from IDA gives slightly weaker results (using the same model) which I am trying to debug. A clarification from yesterday: a DKOM-based privilege escalation path from high integrity to System is the more accurate description of what the LLM produced an exploit for. I've made that clearer on GitHub too. The point I'm conveying is that AI and LLMs are driving this. What stood out to me was that the LLM was able to reason far beyond my initial, limited attempt and identify that path to SYSTEM via using an arbitrary physical memory read & virtual write vuln (whilst constrained by 32-bit addressing), which I thought was absolutely wild! That's some crazy capability imo. I used a known vulnerable driver because it is a good sample set for testing this functionality. After testing a data set of known vulnerable drivers to validate output, you can then move onto testing binaries of which the status of their exploitability is unknown, that will be the next step of this. Anyway I need a break from this for this afternoon as my brain is tired, but I'm looking forward to seeing where this project goes!
CodeZera reposted
Evis Drenova @evisdrenova
Claude is not allowed to write outside the workspace. But it wanted to. So Claude wrote a python script and executed it via bash to modify the file essentially hacking my permissions.