Avenassh 🛠️

@petergyang @Replit Relying purely on cloud platforms to catch flaws post-generation still misses the root issue. If the AI agent doesn't understand the underlying dependency graph, it will keep introducing leaks. I'm building PreFlight—a local gate that catches broken RLS policies and leaked keys.

Next time just use @Replit which has built in database and security checks. I frankly don't understand why Supabase doesn't have Row Level Security (RLS) enabled by default in all cases. For Replit, after you vibe code something, use their built in security and privacy scanner: tinyurl.com/4zmwxumr

@PrajwalTomar_ Zero RLS on Supabase and exposed frontend keys is the ultimate vibe coding starter pack. AI agents have crazy velocity but are terrifyingly blind to structural security. This is exactly why I'm building PreFlight—a local gate that catches these exact flaws right in the terminal.

This should not be this good. I just had Cursor audit a vibe coded app a founder sent us for a rebuild quote. 11 issues flagged in 60 seconds. → Exposed Stripe key in the frontend → Zero RLS policies on Supabase → No rate limits on a paid OpenAI endpoint → Stack traces leaking in production The 3-day security audit cycle just collapsed into a single prompt. We have been running this on every inbound audit for 2 weeks. It is legitimately unfair. Full breakdown in the article.

@kiwicopple @supabase Love this. Auth UX is improving fast, but the silent failure mode in AI-built apps is still broken auth boundaries after generation: wrong session handling, leaked tokens, or RLS assumptions that don’t hold in prod. Passkeys + stronger verification loops is a strong combo.

We just released Passkeys for @Supabase Auth i checked in GitHub discussions and this was the 3rd-most upvoted feature request it's available on all projects now (in Beta)

@supabase A lot of AI-generated Supabase apps don’t fail because RLS is missing, they fail because the policy looks plausible but still leaks tenant data. Built around that exact problem: github.com/av29nassh-sket… preflight-vibe.vercel.app

@swyx @METR_Evals The real question isn’t “did the AI produce code”, it’s “can a developer safely understand, review, and modify it later without starting from scratch”. That maintainability gap is exactly why I built PreFlight. Repo: github.com/av29nassh-sket… Site: preflight-vibe.vercel.app

It's finally out!!! @METR_Evals found that more than half of SWEBench results is unmergeable slop. FrontierCode represents over 1000+ hours of maintainer validated software engineering work most frontier models cannot yet solve, much less solve with high quality. Cog had IOI Gold medalists and top code maintainers Look At The Data — FrontierCode includes 3000+ rubrics covering code quality and anticheat reward hacking plaguing other benchmarks. FC Diamond is so hard that Opus 4.8 scores 13.8%. Three eras of AI coding : Three eras of benchmarks 2021 • Autocomplete : HumanEval 2023 • Passing Tests: SWEBench, TerminalBench 2026 • Maintainable Code: FrontierCode to me the most beautiful chart when I requested a special historical run into all extant old models, the data was finding that the easiest third of FC tasks (in FC Extended) were rapidlly and suddenly solved over late 2025 - Opus almost doubled from a 41% pass rate to 74% in 4 months. This describes the "WTF happened in Dec 2025" vibe shift that a lot of folks from @dhh to @karpathy have called out: it is the difference between getting 95% success in 2 rerolls vs 6, making it finally feasible to go up the next layer of abstraction in agentic coding, eg @GeoffreyHuntley's ralph loops or @bcherny's /goals or @steipete's "loops that prompt your agents" without fearing too much that things go off the rails. My guess: as AI accelerates from here, each FrontierCode tier will saturate in sequence, hopefully ~annually. I've already asked the team to prepare FrontierCode 2027.... The old mountains will be destroyed. Their rubble becomes regolith. And from that regolith, the next model forest grows. Circle of life.

@addyosmani 100%. The biggest failure mode in AI coding is still “generate -> trust -> ship”. The missing layer is a local verification/remediation loop that catches auth, RLS, env, and SQL drift before deploy. Built this exact idea: github.com/av29nassh-sket… preflight-vibe.vercel.app

Check out the repository, view the guardrail rules, or contribute here: 👉 github.com/av29nassh-sket…

Most security tools check AI-generated code after it runs. That's too late. Introducing PreFlight 🛡️ It parses code into an Abstract Syntax Tree (AST) to intercept and block security vulnerabilities locally before execution. 2-min demo below:

If you build apps with AI: what’s the hardest part after the app “works”? Debugging? Understanding AI changes? Auth/db/API/deploy issues? Verifying before shipping? Try this 3-min survey: docs.google.com/forms/d/e/1FAI…

@JaceFromHI @martinfowler yeah that’s the nightmare case. for a beginner building with Lovable/Supabase/Cursor, what would you make them check before calling an app safe: RLS policies, public/private tables, API keys, or something else first?

@ArcAven29 @martinfowler Exactly. the scary version isn't "my app is broken." it's "my app works perfectly and has been leaking every user's data since launch." no error, no warning, nothing that tells a beginner to even ask the question

NEW POST Four of my colleagues share their experiences in applying good security practices to vibe coding. martinfowler.com/articles/vibes…

@mohbii @WSJ @nicnguyen exactly. when you say observability, what do you usually wish you had first: clearer logs, knowing which layer broke, or understanding what the AI changed?

@ArcAven29 @WSJ @nicnguyen the layer problem is real. fast to build, slow to diagnose. observability from day one would save so much pain

People are vibe-coding their own apps. @nicnguyen explains the highs and lows of building the dashboard of her dreams. on.wsj.com/3P0PvyT

@mohbii @WSJ @nicnguyen this matches my experience. the exciting part is getting something built fast. the hard part is when it breaks and you don’t know what layer caused it.

people vibe coding their own apps and only losing their minds a little is the most honest description of what using AI to build software actually feels like. the promise of vibe coding is that anyone can build the app of their dreams without learning to code but the reality is you spend half your time arguing with the AI about why it broke something that was working five minutes ago. building a dashboard of your dreams sounds amazing until you realize the AI built it on a foundation you dont understand so when something breaks you have no idea how to fix it without asking the AI which sometimes makes it worse. vibe coding is genuinely revolutionary for simple projects but the ceiling comes fast because AI can build version one of anything but maintaining evolving and debugging what it built requires exactly the skills that vibe coding was supposed to replace

@resolvervicky this is exactly the thing i’m feeling. AI makes building easier, but understanding what you shipped still matters when things break.

Unpopular opinion from a solo founder: AI coding tools are creating the most dangerous generation of developers in history. Not because the code is bad. Because the developers don't understand the code they're shipping.

@JaceFromHI @martinfowler this is the scary part for nontechnical builders. the app can “work” while the fix is actually unsafe, and beginners don’t always know what to question.

The core tension they identify is exactly what I keep finding in Lovable + Supabase apps. The AI generates code that works. But CVE-2025-48757 hit 170 production Lovable apps by exploiting RLS disabled by default — a configuration issue the AI never flagged. Prompts don't produce secure defaults. You have to enforce them separately.

@techhdive @AlfinCodes “ownership” is the word. i can make AI build things, but i’m trying to get better at knowing where to look when it breaks.

the risk with vibe coding is that nobody owns the code. ownership is what helps you debug things later. you know where to look, what parts to trust and what probably needs to be rewritten. if you are just prompting, accepting and moving on, then there is no mental model behind the system. and debugging becomes painful because you cannot properly reason about code you never understood in the first place.

every vibe coder is just blindly accepting code written by an AI that’s also blindly guessing

@KushagraAg0717 yeah this is what i’m trying to avoid. using AI is great, but if every bug just becomes “ask AI again”, you never build the mental model.

What did vibe coding actually teach us? Earlier,bugs forced developers to think,research,debug, and actually learn Now it just:prompt→copy→prompt again That’s not coding anymore, it's mental labor with zero depth Useful for quick tasks and beginners maybe, but............

@thisiscodingguy harsh but kinda true. i’m realizing the missing skill isn’t “prompt better”, it’s learning enough to understand and verify what the AI changed.

Vibe coding is a prototyping tool dressed up as an engineering discipline. If you can't read the output, debug the failure, or explain the tradeoff, you're not an engineer. You're a prompt wrapper. #MachineLearning #BuildInPublic #AI

Vibe coding demos great. Then production arrives.

@saen_dev this is the exact gap i’m feeling too. AI can get you to a working app, but when it breaks, the real skill is understanding what it shipped and how to debug it.

Vibe coding creating a new class of founders is just "low-code" rebranded with better marketing and worse error messages. The founders who win won't be the ones who ship fastest, they'll be the ones who debug what the AI shipped.

vibe coding is weird. i can get AI to build features, but when it breaks, i’m staring at files,terminal errors,env vars APIs,db stuff, deployment logs then i just ask AI to fix it again. but did i understand the fix or just accept it? anyone else? #vibecoding #buildinpublic

@geekyranjit It's samsung s20 FE

About to purchase the first smartphone this year that I will be purchasing for me myself and my personal use! Can you guys guess what it might be? Will post about it on my Instagram page once I get it instagram.com/geekyranjitoff…