Vibe Coding Cheat Sheet

Updated 2026-05-28

Vibe coding is an AI-assisted development paradigm — coined by Andrej Karpathy in February 2025 — where developers describe intent in natural language and iteratively refine AI-generated code through conversation. By 2026, 92% of US developers use AI coding tools daily, with 46% of all code now AI-generated. Success depends on context engineering, prompting discipline, and human oversight — the emerging "vibe and verify" philosophy treats AI as a collaborative partner while maintaining engineering judgment over architecture, security, and quality.

Table 1: Core Concepts and Definitions

Foundational vocabulary for the 2025–2026 AI-coding landscape. These terms are often used interchangeably in marketing, but practitioners draw sharp lines between them — knowing the difference (vibe vs. AI-assisted, prompt vs. context, agentic vs. vibe) is what keeps prototypes from shipping as production code.

| Concept | Example | Description |
| --- | --- | --- |
| Vibe Coding | "Create a React dashboard with auth" | Karpathy's term: accept AI-generated code without reading it, guiding only by prompts and results; "fully give in to the vibes, and forget that the code even exists" |
| AI-Assisted Engineering | Developer reviews code line-by-line, writes tests | Structured approach where AI augments development but every change is rigorously reviewed, tested, and understood by the engineer |
| Context Engineering | Providing PRD, API docs, style guide to AI | Curating the optimal set of tokens in the context window (system prompt, tools, MCP, history, retrieved docs); the production-quality lever that supersedes prompt wording in 2026 |
| Agentic Coding | AI autonomously plans, codes, tests, debugs | AI agents that plan, execute, test, and iterate with minimal human intervention; outcome-oriented and goal-driven, distinct from vibe coding's free-flowing style |
| Prompt Engineering | Three-layer prompt: context + task + constraints | Crafting effective natural-language instructions — wording, examples, constraints, and iterative refinement — to steer a single LLM call |
| Vibe and Verify | AI generates code, developer reviews and validates | Discipline counterbalancing pure vibe coding: AI handles routine generation, humans own review, testing, and validation; "trust but verify" applied to AI output |
| Spec-Driven Development | Write specs first, AI implements to spec | Treating specifications as the source of truth that AI executes against; specs are the binding artifact, code is regenerable |
| Model Context Protocol (MCP) | Connecting IDE to Jira, Slack, docs via MCP | Open standard (Anthropic, Nov 2024) for connecting AI assistants to external tools, APIs, and data sources; vendor-neutral, adopted across the ecosystem |
| Iterative Refinement | "Add validation" → test → "Fix edge case" | Cycle of prompting, observing output, giving feedback where each turn nudges the code closer to the desired behavior |
| Flow State Development | Staying in creative flow without syntax interruptions | Developers focus on problem-solving while AI absorbs boilerplate and syntax lookups, keeping cognitive attention on the design |

Table 2: AI Models and Platforms

The vibe-coding stack in 2026 splits into three layers: the underlying models (Claude, GPT, Gemini), the developer surfaces that drive them (IDEs like Cursor and Windsurf, CLIs like Claude Code and Codex CLI, in-IDE plugins like Copilot), and the autonomous "AppGen" platforms (Lovable, v0, Bolt.new, Devin) that go straight from prompt to deployed app. Knowing which layer a tool lives at — and how autonomous it actually is — is the first step to choosing the right one for the job.

| Tool | Example | Description |
| --- | --- | --- |
| Cursor | AI-powered code editor with autocomplete | VS Code fork with native AI features; tab-completion, inline chat, multi-agent background tasks, and codebase-wide context |
| GitHub Copilot | Inline suggestions, coding agent for issues | Most widely adopted AI coding assistant; coding agent autonomously fixes issues, creates PRs, and runs terminal commands |
| Claude Code | Terminal-based agentic coding | Anthropic's CLI tool for agentic development; reads codebase, edits files, runs commands with 1M token context window |
| Claude Sonnet 4.6 | Balanced speed and quality for most tasks | Best value coding model in 2026; 79.6% SWE-bench Verified; preferred over Opus by 59% of Claude Code users |
| Claude Opus 4.6 | Complex architecture, long-running agent tasks | Top-tier coding model for sustained reasoning; 80.8% SWE-bench; excels at multi-file refactoring and agentic workflows |
| GPT-5 | Mathematical reasoning, architecture design | OpenAI's general-purpose reasoning model; 400K context window with integrated reasoning across coding, math, and writing |
| GPT-5.3-Codex | Autonomous agentic coding tasks | OpenAI's specialized coding model; Codex-native agent pairing frontier coding performance with general reasoning for long-horizon work |
| Windsurf | AI pair programming in IDE | Agentic IDE (VS Code fork) with Cascade flow engine; automatic codebase indexing, Memories system for learning preferences |
| Cline | Open-source VS Code extension with Plan/Act modes | 8M+ developers; Plan mode reasons before acting, Act mode executes autonomously; full MCP integration, runs with any model backend including local LLMs |
| Gemini 3.1 Pro | Multi-modal input, deep Google Cloud integration | Google's latest model with advanced reasoning and agentic coding; three thinking levels for different task complexity |
| Amp | Frontier coding agent for long agentic runs | Spun out of Sourcegraph; tuned for long, complex agent threads that overwhelm other tools; multi-model support; Rush variant runs on GPT-5.5 for fast, small tasks |
| Lovable | Browser-based full-stack app builder | Design-first AppGen platform for complete applications from prompts; ideal for rapid prototyping and MVPs with auth + database wired in |
| v0 by Vercel | Design-to-code for React components | Generates production-ready UI components with shadcn/ui + Tailwind; sandbox runtime, Git integration, and database connections in 2026 |
| Codex CLI | Terminal-based agentic coding via OpenAI | Lightweight coding agent that runs locally; reason-and-act loop for planning, executing, and verifying tasks |
| Gemini CLI | Terminal-based coding via Google | Open-source AI agent in terminal; free for individuals (60 req/min, 1000 req/day) with Gemini model access |
| Continue | Open-source IDE extension for local + cloud LLMs | Connects VS Code (and Cursor/Zed) to any model, including local Ollama/LM Studio endpoints; Agent, Plan, and Chat modes; the standard bridge for offline or privacy-first vibe coding |
| Replit Agent | Cloud IDE with integrated deployment | Browser-based environment with Agent 4; handles coding, hosting, and deployment; multiplayer editing support |
| Bolt.new | Instant web app deployment | Code-first AppGen that generates and deploys apps fast; prioritizes developer control and rapid iteration |
| Amazon Q Developer | AWS-integrated coding agent | Deep integration with the AWS ecosystem (Lambda, CDK, CloudWatch); inline suggestions, chat, and autonomous task agents in VS Code, JetBrains, and the CLI |
| Aider | Terminal pair programming with Git integration | Auto-commits every change with a descriptive message so the full session is reversible; works with any OpenAI-compatible endpoint; strong for large-codebase refactors from the CLI |
| Devin | Autonomous AI software engineer | Fully autonomous agent with own shell, browser, and environment; handles multi-step engineering tasks with minimal intervention |

Table 3: Rules Files and Project Configuration

Each AI coding tool reads project-specific guidance from a known filename or directory. Knowing where each file lives, when it is loaded, and which format (single file vs. scoped directory) the vendor currently recommends is what makes the difference between rules that actually steer the agent and rules that sit on disk unused.

| Type | Example | Description |
| --- | --- | --- |
| CLAUDE.md | Stack, conventions, current focus in root file | Claude Code reads it automatically every session from the working directory up to the repo root; Anthropic recommends keeping it under ~200 lines and offloading reference material to skills |
| Cursor Rules Directory | .cursor/rules/react-patterns.mdc, api-guidelines.md | Current Cursor format: multiple .md/.mdc files under .cursor/rules/; .mdc files support YAML frontmatter (description, globs, alwaysApply) for path-scoped activation |
| copilot-instructions.md | .github/copilot-instructions.md | VS Code and GitHub Copilot auto-detect this file at .github/copilot-instructions.md and apply it to every chat request in the workspace |
| .windsurfrules (legacy) | Single file in project root | Original Windsurf rules file; superseded by the .windsurf/rules/ directory which supports activation modes (always-on, manual, glob, model-decision) |
| Architecture Documentation | ARCHITECTURE.md referenced from CLAUDE.md | Separate markdown file describing system design and data flow; kept out of the always-on context file and pulled in via progressive disclosure when relevant |
| Nested Context Files | Subdirectory CLAUDE.md / AGENTS.md | Discovered on demand as the agent accesses files in that subtree, not all loaded at session start; the closest file to the edited file wins when instructions conflict |
| AGENTS.md | Repo-root markdown read by Codex, Cursor, Copilot, Aider, Jules, etc. | Open, tool-agnostic format (stewarded by the Agentic AI Foundation) used by 60k+ repos; one file works across many agents instead of maintaining a separate rules file per tool |

Table 4: Prompting Techniques

Prompting techniques are the levers you pull to shape what an AI coding assistant produces. The right structure, examples, and constraints turn vague intent into reliable, idiomatic code; the wrong ones produce confident-sounding slop.

| Technique | Example | Description |
| --- | --- | --- |
| Three-Layer Prompt Structure | Context → Task → Constraints | Organizing prompts into background, objective, and limitations to give AI necessary context |
| Few-Shot Prompting | Provide 2-5 examples of desired output | AI learns patterns from examples, producing more consistent and idiomatic results |
| Chain-of-Thought Prompting | "Think step-by-step: 1) validate, 2) query, 3) return" | Guides AI to break down complex logic with intermediate reasoning steps |
| Iterative Prompting | Start broad, refine incrementally | Breaking work into small, sequential requests that build on previous results |
| Constraint-First Prompting | "No external libraries. Under 100 lines." | Defining boundaries before the task prevents AI from expanding scope or adding unwanted dependencies |
| Role-Based Prompting | "Act as a senior TypeScript engineer" | Shapes AI response tone and expertise level to match desired code quality |
| Task Decomposition | "First schema, then controllers, then tests" | Breaking complex features into focused subtasks that each get their own prompt |
| Output Format Specification | "Return JSON: {status, data, error}" | Ensures AI output is structured and machine-parsable for automated validation |
| Reference Examples | "Follow this API pattern: [example]" | Providing concrete code samples grounds AI output in specific patterns |
| Self-Correction Prompts | "Review and fix any issues in your code" | Instructing AI to audit its own output catches obvious errors before human review |
| Pattern Recognition Guidance | "Maintain consistency with existing code" | Directing AI to follow established codebase conventions and structure |

Table 5: Prompt Templates for Common Tasks

Reusable prompt skeletons for the recurring jobs of AI-assisted coding: building UI, wiring an API, modeling data, fixing bugs, and structuring the prompt itself. Each template forces the missing piece that vibe-coded output most often skips — non-happy-path states, auth, version pinning, or a deliberate failure-mode pass.

| Template | Example | Description |
| --- | --- | --- |
| UI Component Template | Framework + styling + props + states + accessibility | Structured template covering visual states, interactions, and responsiveness in one prompt |
| API Endpoint Template | Method + route + auth + validation + errors | Covers request/response format, error handling, and rate limiting for complete endpoints |
| Data Modeling Template | Entity + fields + relationships + constraints | Specifies schema, indexes, validation rules, and migration requirements together |
| Bug Fix Template | Error message + file context + expected behavior | Provides AI with symptoms, stack trace, and reproduction steps for targeted fixes |
| XML-Tagged Prompt | <context>...</context> <task>...</task> | Using XML tags to separate sections — Claude is specifically trained on this format and parses it more reliably than free-form prose |
| JSON Prompt Structure | {"summary": "...", "requirements": [...]} | Machine-readable structured prompts for reproducible, version-controlled interactions |
| Version-Pinned Prompt | "Using Next.js 15 with App Router" | Specifying exact framework versions steers the model away from deprecated patterns in its training data |
| "What Could Go Wrong?" Prompt | "What edge cases should I handle?" | Asking AI to predict failure scenarios after generating code; reveals blind spots the build prompt missed |

Table 6: Context Engineering

Context engineering is the discipline of curating what an AI coding agent actually sees on each turn — files, tool results, prior decisions — so its finite attention stays on the task. Done well, it beats prompt wording and bigger context windows for production reliability.

| Technique | Example | Description |
| --- | --- | --- |
| Context Files | CLAUDE.md, .cursorrules, AGENTS.md | Project rules the agent reads each session; curate for signal — every line costs attention budget |
| Context Window Management | Prioritise high-signal files, drop dead-end reads | LLM accuracy degrades with input length (context rot) long before the window is full; signal-to-noise beats raw capacity |
| Codebase Indexing | Cursor's local embeddings, Copilot's repo code search | Building a searchable map of the project so the agent can pull relevant code on demand; local vs. cloud indexing differs on privacy |
| MCP Server Integration | Connect Jira, Slack, GitHub, Postgres via MCP | Open JSON-RPC 2.0 protocol for exposing Tools, Resources, and Prompts to any MCP-capable client |
| Incremental Context Building | Just-in-time loading, sub-agent results, structured notes | Layering context as the task needs it instead of front-loading everything — keeps attention focused |
| Session Persistence | Save handoff notes to .claude/docs/ before /clear | Durable project memory lives in files, not the chat buffer — the agent re-reads them next session |
| Strategic Chat Reset | /clear after each commit | Drops accumulated context so unrelated past work doesn't bleed into the next task |
| Maintain Prompt Logs | Commit prompts, skills, and slash commands to Git | Proven prompts become reviewable, diffable artefacts that survive sessions and team turnover |
| Symbol-Level Context | @file, @symbol, @folder in Cursor | Attach specific functions, classes, or files to a prompt so the agent edits real code instead of inventing it |
| Documentation as Context | Comments explain intent and constraints, not syntax | Capturing the "why" the model can't infer from code itself — invariants, trade-offs, business rules |

Table 7: Conversation Management Techniques

Long AI-coding sessions degrade as the context window fills and old turns crowd out current state. These techniques — compaction, structured handoffs, focused threads, and disciplined reset rules — keep the model accurate without losing what you've already established.

| Technique | Example | Description |
| --- | --- | --- |
| Context Compaction | /compact focus on the API changes | Replaces conversation history with a model-generated summary before the window fills; older tool outputs are cleared first, then the remaining turns are summarized |
| Error-Paste-Fix Cycle | Paste the entire stack trace, not just the headline message | The "Karpathy move" — give the AI the full error including stack trace so it can diagnose root cause instead of guessing from a one-line summary |
| Session Summary Handoff | "Write a handoff: decisions made, open questions, next steps" | A structured end-of-session document (decisions + open questions + next steps) so a fresh session resumes without re-discovering state |
| Topic Separation | One feature per chat session | Keeping each conversation focused on a single concern improves response quality, at the cost of discarding context already built up elsewhere |
| Three-Attempt Rule | After 3 failed fixes, reset strategy or start a fresh chat | A heuristic to break doom loops — when the model repeats itself, change the plan or start clean rather than hitting "regenerate" again |
| Conversation Forking | Open a new chat to try an alternative approach | Exploring a parallel branch in a separate thread lets you test alternatives without polluting the main conversation's history |
| Self-Improvement Loop | "Audit our rules file and propose edits to a review file" | The AI reviews the session and proposes rule-file edits for human review — never auto-applied, because silent rewrites of the rules that govern future sessions are dangerous |

Table 8: Development Workflow

Vibe coding doesn't replace engineering discipline — it requires more of it. These patterns turn fuzzy AI sessions into a repeatable loop: write the spec, plan before editing, change one small thing, test, commit, and know when to stop talking to the model and start typing yourself.

| Pattern | Example | Description |
| --- | --- | --- |
| Write Detailed Specifications | Create spec.md with architecture and constraints | Provides AI with clear requirements and boundaries, reducing hallucination and rework |
| Planning Before Prompting | Define data models, user flows first | Creating clear specifications before engaging AI improves first-pass code quality |
| Use Plan Mode | Press Shift+Tab to enter read-only planning | Claude proposes a step-by-step plan and lists files it will touch without modifying anything until you approve |
| Foundation First | Initializer sets up scaffold, feature list, init.sh | Establishing project scaffolding upfront provides stable base for iterative development |
| Small Increments | One feature at a time; test, commit, next | Building in verifiable, reversible steps prevents the agent from one-shotting and reduces debugging complexity |
| Continuous Testing | Run tests after every AI-generated change | Catches hallucinated APIs and edge case failures early when context is fresh |
| Refine, Don't Regenerate | "Add error handling to line 42" | Targeted edits preserve working code and context; full regeneration introduces regressions |
| Git Discipline | Commit frequently, descriptive messages, tag good states | Maintaining version control hygiene; enables safe experimentation and quick rollback when AI goes wrong |
| Context File Maintenance | Keep CLAUDE.md or AGENTS.md updated | Documenting project standards in files the agent auto-loads every session ensures consistent output |
| Red-Green-Refactor Cycle | Write failing test → AI generates fix → refactor | Applying TDD principles with AI: failing test first, minimum code to pass, then improve structure without changing behavior |
| Refactor-As-You-Go | Clean up code after feature works | Improving structure once functionality is validated prevents technical debt accumulation |
| Tech Stack Selection | Choose popular frameworks AI knows well | Selecting widely-trained technologies (React, Next.js, Django) improves AI output quality versus niche stacks |
| When to Stop Prompting | After 3-4 failed cycles, manually edit | Diminishing returns set in quickly; human intervention is often faster than endless prompt tweaking |

Table 9: Scaffolding and Code Generation Techniques

These techniques turn an AI coding assistant from a one-shot code dispenser into a structured collaborator. Each pattern narrows what the model has to guess — a skeleton, a type, a schema, a screenshot — so the generated code lands closer to what you actually wanted.

| Technique | Example | Description |
| --- | --- | --- |
| Scaffold-and-Fill | AI generates skeleton with TODOs, fill each | Have the AI sketch a function or module skeleton with TODOs, then implement each TODO in its own focused prompt instead of one giant request |
| CRUD Generation | "Add CRUD endpoints for Product model" | AI generates standard create/read/update/delete operations; high ROI on boilerplate, but auth/validation wiring still needs a spec |
| Type-First Generation | Define TypeScript interfaces before code | Writing the data shapes first constrains the AI to consistent inputs and outputs — it pins down structure, not behavior |
| Schema-Driven Generation | Prisma/DB schema drives API routes and types | Treat the schema as single source of truth so models, DTOs, and validators stay in sync across layers |
| Design-to-Code | Upload screenshot or wireframe as prompt | Visual input removes ambiguity from UI requirements; output is a starting point, not production-ready code |
| Component Library First | Build reusable buttons, forms, cards early | Create shared primitives up front and reference them in prompts — the AI reuses what you point to, it rarely infers reuse on its own |
| Boilerplate Elimination | "Generate DTOs, API clients, config files" | Delegating repetitive mechanical setup (DTOs, clients, configs) to AI frees attention for real business logic |
| Format Conversion | "Convert this JSON to TypeScript types" | AI is strong at mechanical transforms between formats (JSON → TS, SQL → ORM) but slips when source and target have subtly different semantics |

Table 10: Testing Techniques with AI

When an AI writes the production code, your tests stop being a safety net and become the specification. The techniques in this table are the practical patterns teams use to keep AI-generated code honest — from tests-first prompting to coverage analysis to natural-language scenarios — along with the traps that make each one backfire.

| Technique | Example | Description |
| --- | --- | --- |
| Test-First with AI | Write the failing test, then "implement to pass this test" | Classic red-green-refactor where the human writes the test and the agent writes the minimum code to pass — tests become the spec the AI implements against |
| AI Test Generation | "Write unit tests for this function" | AI drafts test cases for happy path, edge cases, and error conditions — outputs still need human review since the tests themselves can be wrong or assert the wrong thing |
| Edge Case Prompting | "What could go wrong with this code?" | A one-line prompt that pushes the AI off the happy path to surface race conditions, failure modes, and inputs you forgot to handle |
| Vibe Testing | "Test that users can sign up and see the dashboard" | Describing intent in natural language and letting AI generate the executable test — you still owe it precise assertions, or it tests the action without checking the outcome |
| Coverage Gap Analysis | "What paths aren't tested in this module?" | Using AI to find untested branches and missing scenarios; useful for spotting gaps, but high coverage alone never proves the code is correct |
| Integration Test Generation | "Test the API endpoint against the database" | AI generates tests that exercise real component boundaries — watch for over-mocking, which makes the test green while the real integration is still broken |
| Behavior-Driven Testing | Given / When / Then user stories | Writing scenarios in Gherkin-style business language so AI can translate them into step definitions — the feature wording has to be precise or the generated steps drift |

Table 11: Code Review Techniques

Reviewing AI-generated code is not the same as reviewing human-written code: the failure modes are different, the trust calibration is different, and the rate of output is much higher. The techniques below combine an automated first pass with disciplined human verification — especially around dependencies, security, and personal understanding of what's being committed.

| Technique | Example | Description |
| --- | --- | --- |
| AI First-Pass Review | "Review this PR for bugs and security" | Use AI as an automated first reviewer to catch obvious issues, then have a human review the same diff — AI catches surface bugs but misses architectural and authorization flaws |
| Security-Focused Review | Check for injection, secrets, auth bypass | Specifically reviewing against the OWASP Top 10 — AI-generated code is roughly 2.7× more likely to contain XSS and frequently ships hardcoded secrets |
| Checklist-Driven Review | Functionality → tests → deps → security | Following a structured checklist ensures no review dimension is skipped, beating ad-hoc scanning for consistency across reviewers |
| Pattern Compliance Check | "Does this follow our service pattern?" | Verifying AI code matches established conventions and architecture — works only when the patterns are actually in the model's context, otherwise the AI guesses |
| Dependency Audit | Verify all imports and packages exist | LLMs hallucinate package names at scale (~19.7% of suggestions); attackers register the names — known as slopsquatting — so every import must be verified on the registry before install |
| Diff-Based Review | Review only changed lines with context | Focusing on actual changes is efficient but risks missing broader impact — callers, data flow, and side effects outside the diff |
| Explain-Before-Commit | "Explain what this does" before accepting | If you can't explain the code to a teammate, don't commit it; Simon Willison's distinction: reviewed-and-understood AI output isn't vibe coding, it's using an LLM as a typing assistant |

Table 12: Debugging Techniques with AI

When AI writes the code, AI also helps debug it — but only if you give it what it needs. These techniques pair classic debugging moves (rubber-ducking, bisection, reproduce-then-fix) with AI-specific failure modes like hallucinated APIs and missing context.

| Technique | Example | Description |
| --- | --- | --- |
| Ask AI to Debug | "This throws error X, fix it" | Paste the error plus the surrounding code — context drives accuracy; AI proposes a root cause, you verify by running the code |
| Stack Trace Interpretation | "Explain this stack trace and suggest fix" | AI translates a traceback into plain English; read it bottom-up to find the originating error before trusting the suggested fix |
| Rubber Duck with AI | Explain the problem to the AI conversationally | Articulating the issue in natural language often reveals the bug before any reply; AI works as an interactive duck that can ask back |
| Bisect with AI | "What changed between working and broken?" | Pair git bisect (binary search over commits) with AI to compare the working and broken states and isolate the regression |
| Reproduce-Then-Fix | Write a failing test first, then fix | A failing test before the fix locks in the bug so you can prove it actually went away — the Red-Green-Refactor discipline |
| Logging Injection | "Add debug logging to trace data flow" | AI adds targeted log statements at key boundaries to show where values diverge — strategic placement beats sprinkling prints everywhere |
| Hallucinated API Detection | Verify every import and function call actually exists | AI confidently invents plausible-looking packages and methods; running the code or checking the docs is the only reliable detector |

Table 13: Refactoring Techniques with AI

Refactoring is where AI assistants pay back the most leverage, but each technique has a sharp edge: cross-file edits need an indexing agent, "extract" tempts premature abstraction, and "remove dead code" can sever dynamic references the model never saw. Use these techniques with tests in place and read the diff.

| Technique | Example | Description |
| --- | --- | --- |
| Cross-File Refactoring | "Refactor auth across these 5 files" | Agentic tools that index the project make coordinated edits across many files at once |
| Pattern Migration | "Convert class components to functional" | Mechanical translation from an old idiom to a new one (e.g. class → hooks, callbacks → async/await) |
| Extract and Abstract | "Extract shared logic into a utility" | Pull duplicated code into a named function or module so changes happen in one place |
| Rename and Restructure | "Rename for clarity, restructure dirs" | Scope-aware symbol renames and directory moves with every reference updated consistently |
| Type Addition | "Add TypeScript types to this JavaScript" | Infer and add type annotations to untyped code to surface bugs and document intent |
| Dead Code Removal | "Find and remove unused functions" | Identify code paths that can never execute and delete them to shrink the surface area |
| Performance Refactoring | "Optimize the slow queries in this file" | Rewrite inefficient code patterns after profiling identifies the real bottleneck |
| AI Cleanup Sprint | Dedicated session to improve AI-generated code | A scheduled debt-paydown session targeting accumulated AI-generated code, only safe with tests in place |

Table 14: Best Practices

These are the disciplines that separate professional vibe coding from hope-driven coding. Most are not new — they are existing software-engineering habits (review, version control, single responsibility) that matter more, not less, when an LLM is writing your diffs.

| Practice | Example | Description |
| --- | --- | --- |
| Treat AI Code as Untrusted | Review with the same scrutiny as a third-party dependency | Veracode's 2025 GenAI Code Security Report found about 45% of AI-generated code introduced an OWASP Top 10 vulnerability such as SQL injection, XSS, or weak crypto |
| Understand AI Capabilities | Know which tasks the model is reliable for, and which it bluffs through | LLMs are strong on boilerplate and well-known patterns and weak on novel logic, concurrency, and security-critical code — picking the right tasks avoids confident-looking wrong answers |
| Start with Data Structures | Define models, schemas, and interfaces before generating endpoints or UI | Linus Torvalds' "bad programmers worry about the code, good programmers worry about data structures" applies double to AI — fixing the shape of the data first constrains every later generation |
| Human Code Review Checklist | Verify functionality, tests, dependencies, and security on every AI diff | Research (Veracode 2025, CodeRabbit's GitHub PR study) shows AI-generated code carries roughly 1.7x more defects than human-written code, so a structured checklist is what catches the slip-ups |
| Test Real User Scenarios | Drive tests from end-to-end use cases, not just unit happy paths | LLMs cheerfully pass the tests they themselves wrote — exercising real-world scenarios is what reveals missing edge cases, race conditions, and incorrect assumptions |
| Maintain Single Responsibility | One component, one job — a module should have one reason to change | Robert C. Martin's SRP keeps AI-edited code modifiable: when one file does one thing, the next prompt has a small, focused target instead of a sprawling bundle of concerns |
| Document Patterns | Comments and a CLAUDE.md / AGENTS.md explain "why", not "what" | Inline "why" notes and a top-level instructions file feed the model the same context a new teammate would need, so subsequent generations stay consistent with the project's conventions |
| Version Control Everything | Commit before each AI session; branch for risky changes; tag known-good states | Frequent commits make rollback cheap — when the agent takes the code in the wrong direction, git reset or branch abandonment costs minutes, not hours |
| Capture Effective Prompts | Save working prompts and CLAUDE.md snippets in a team prompt library | Treating prompts as reusable artifacts (versioned, shared, refined) builds institutional knowledge and stops every developer from rediscovering the same phrasings |
| Disclose AI Usage | Tag PRs with the model used and the prompts that drove the change | Disclosure gives reviewers the context they need to calibrate scrutiny and protects the team from confusion when AI-introduced bugs surface later |

Table 15: Use Cases and Applications

Where vibe coding actually shines — and where its speed-over-rigor trade-off becomes a liability. The fit is best on low-stakes, single-user, throwaway work; the further you push into production-critical or novel territory, the more human review and traditional engineering skills the work demands.

Scenario | Example | Description
Rapid Prototyping
MVP in days instead of months
• Building proof-of-concept quickly to validate ideas
• speed prioritized over production architecture
Internal Tools
Admin dashboards, one-off scripts
Creating low-stakes utilities for internal teams where the impact radius is small and mistakes are easy to fix
Boilerplate Reduction
CRUD operations, config files
Eliminating repetitive setup work so developers focus on unique business logic
UI Component Generation
Form builders, data tables, dashboards
Building visual interface elements, especially effective with tools like v0 and Lovable that generate React components from prompts
Automation Workflows
Data pipelines, scheduled tasks
Generating repetitive automation code for standard integration patterns where the tech stack is well-represented in training data
Documentation Creation
API docs, inline comments, READMEs
• Generating explanatory content from existing code
• strong at the "what" of an API, weaker at the architectural "why"
Side Projects
Personal apps, weekend hacks
Individual developers experimenting in Karpathy's original "throwaway weekend project" framing — low-risk, disposable, accountability-free
Learning and Exploration
Trying new frameworks, "software for one"
Using AI as a teaching scaffold so non-developers and hobbyists can build working apps without first learning a programming language

Table 16: Code Quality and Security

When an AI writes the code, the burden of verifying it shifts entirely to you. This table covers the layered defenses — automated scans, incremental checks, edge-case probing, error-handling audits, and old-fashioned reading — that catch the failures AI assistants reliably introduce.

Strategy | Example | Description
Security Scanning
SAST tools, secret scanning in CI/CD
• Automated checks for vulnerabilities in AI code
• Veracode's 2025 study found ~45% of AI-generated code contains security flaws
Incremental Validation
Test each component in isolation
Validating individual pieces before integration isolates where bugs originate
Review for Hallucinated APIs
Verify all imports and functions exist
AI frequently invents non-existent APIs or packages ("slopsquatting" risk) or mixes syntax from different library versions
Edge Case Testing
Empty input, null values, extremes
• Testing boundary conditions AI often misses
• reveals unhandled scenarios in generated code
Check Error Handling
Ensure try-catch, validation, fallbacks
AI omits error handling frequently, producing happy-path-only code that fails in production
AI Code Review
"Review this code for security issues"
Having AI audit code quality helps catch issues but has known self-correction blind spots when reviewing its own output
Manual Code Reading
Line-by-line comprehension
• Human verification of logic and structure
• essential for production code regardless of AI quality

Table 17: Security Hardening Techniques

AI-generated code defaults to happy-path logic and skips defensive controls unless you ask. These techniques are the explicit prompt patterns, automated checks, and runtime boundaries that catch the security holes vibe-coded output ships with by default — from missing input validation to leaked secrets to hallucinated malicious packages.

Technique | Example | Description
Security-Focused Prompting
"Follow OWASP Top 10 for this endpoint"
• Explicitly requesting security best practices in the prompt
• AI defaults to happy-path otherwise
Input Validation Generation
"Add Zod validation to all API inputs"
AI generates schema-based runtime input validation to reject malformed or malicious data at the boundary
Secret Scanning
Gitleaks/TruffleHog pre-commit hook
Automated detection of hardcoded credentials before they enter git history
Parameterized Query Enforcement
Replace string interpolation with $1 params
Forcing AI-generated SQL to use bound parameters so user input never becomes executable code
Agent Permission Boundaries
Read-only DB user, sandboxed file system, scoped tokens
Applying least privilege to the AI agent itself so a hallucination cannot wipe production
Pre-Commit Security Hooks
Semgrep SAST scan before commit
Automated static analysis that blocks vulnerable code from entering version control
Rate Limiting Generation
"Add rate limiting to auth endpoints"
• AI often omits abuse protection
• explicitly request throttling on login, password reset, payment
Dependency Vulnerability Scan
CI scan packages for known CVEs and slopsquats
• AI may suggest packages with known CVEs or hallucinated names
• SCA scanning catches both in CI
Indirect Prompt Injection Defense
Sanitize web content, file data, and tool output before feeding to agent
When an agent reads external data (web pages, files, API responses), malicious instructions embedded in that data can hijack its actions — validate and strip untrusted content before it enters the context window
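An added example, not part of the original cheat sheet: a pre-commit style check for the "Parameterized Query Enforcement" row that parses Python source and reports `execute()` calls whose SQL is built with f-strings, concatenation, `%` or `.format()`. The function names and the sample are constructed; the sample's safe call uses the `%s` placeholder style where the table's example uses `$1`, because placeholder syntax depends on the database driver.

```python
import ast

EXECUTE_METHODS = {"execute", "executemany", "executescript"}


def _is_literal(node):
    """True for SQL text fixed at write time: plain strings and their concatenation."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.JoinedStr):
        return not any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_literal(node.left) and _is_literal(node.right)
    return False


def _dynamic_reason(node):
    """Name the construct that mixes runtime values into the string, or None."""
    if _is_literal(node):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_interpolated_sql(source):
    """Return sorted (line, reason) pairs for execute() calls fed dynamic SQL."""
    tree = ast.parse(source)
    built = {}  # variable name -> how its string was built (flow-insensitive)
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            reason = _dynamic_reason(node.value)
            if reason:
                built[node.targets[0].id] = reason
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in EXECUTE_METHODS and node.args):
            continue
        sql = node.args[0]
        reason = _dynamic_reason(sql)
        if reason is None and isinstance(sql, ast.Name) and sql.id in built:
            reason = "variable built by " + built[sql.id]
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample of generated data-access code (parsed, never executed).
SAMPLE = """\
def find_user(cur, email):
    cur.execute(f"SELECT id FROM users WHERE email = '{email}'")

def find_orders(cur, user_id, status):
    query = "SELECT * FROM orders WHERE user_id = " + str(user_id)
    cur.execute(query)
    cur.execute("SELECT * FROM orders WHERE status = '%s'" % status)

def find_user_safe(cur, email):
    cur.execute("SELECT id FROM users WHERE email = %s", (email,))
"""

if __name__ == "__main__":
    for line, reason in find_interpolated_sql(SAMPLE):
        print(f"line {line}: SQL built with {reason}; use bound parameters")
```

The check is a heuristic: it follows only direct single-name assignments, so SQL assembled in helper functions or ORMs still needs SAST and review.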

Table 18: Common Pitfalls and Anti-Patterns

These are the recurring ways AI-assisted coding goes wrong in practice — from prompts too vague to steer the model, to chat sessions that quietly outgrow the context window, to first-draft output that ships unrefactored and compounds into debt. Learn to recognize the symptom; the recovery is usually the inverse of the anti-pattern.

Pitfall | Example | Description
Vague Prompts
"Make it better"
• Providing insufficient direction
• AI produces generic or incorrect code without specific guidance
Overloading Single Prompt
"Build entire e-commerce site"
• Requesting too much at once
• AI produces superficial implementations when scope is massive — decompose into smaller, finishable slices
Blindly Trusting AI
Accepting code without reading it
• Abdicating responsibility for code quality
• AI can hallucinate APIs, introduce subtle bugs, or make poor architectural choices
Skipping Iteration
Expecting perfect code on first try
• Treating AI like a magic button
• quality emerges through refinement — feed errors and tests back in
Ignoring Underlying Logic
Not understanding generated code
Accepting code without comprehension creates comprehension debt — invisible until you need to extend or debug it
Forgetting to Test
Assuming AI code works perfectly
• Skipping validation of generated code
• AI makes subtle logical errors that look correct but fail on real inputs
Context Window Overflow
Continuing in same chat indefinitely
• AI loses earlier decisions as history crowds out signal (context rot)
• reset the chat or summarize history strategically
Prompt Thrashing
Rapidly tweaking prompts without testing
Fix one issue, test, then iterate — avoid shotgun debugging with scattered prompt changes that produce no learning signal
Dead-End Conversations
Persisting after 3–4 failed attempts
• AI gets stuck in a local minimum
• start a fresh chat or switch to manual coding — nudging from inside the poisoned context rarely works
Poor File Organization
No structure, overlapping components
Lacking project discipline creates an unmaintainable codebase that gets harder to vibe code
Accumulating Technical Debt
Never refactoring AI output
• Shipping first-draft code to production
• debt compounds rapidly without deliberate cleanup
Assuming Understanding
Not providing file references to AI
• AI doesn't know your codebase — it only sees the context window
• provide explicit references
Over-RAGging
Feeding AI entire documentation sets
Be selective with context — quality over quantity prevents attention dilution and context rot

Table 19: Recovery and Troubleshooting Techniques

When AI-generated changes go sideways — wrong direction, broken build, or an agent stuck repeating itself — recovery is its own skill. These techniques cover how to bail out cleanly, reset state, and steer the AI back onto a working path.

Technique | Example | Description
Git Checkpoint Rollback
git stash saves uncommitted work; git reset --hard discards
Creating save points (commits or stashes) before AI edits so you can quickly recover from a bad generation
Fresh Context Restart
Start a new chat session when the AI is locked into bad assumptions
A new conversation drops poisoned context and lets the model reason without the prior failed framing
Model Switching
Switch from Sonnet to Opus when stuck on hard reasoning
Different models have different strengths — switching can break past a stuck point, though it may also break a working pattern
Simplify the Problem
Break a stuck task into smaller sub-tasks the AI can solve individually
Task decomposition is the most reliable recovery — LLMs handle narrow, well-scoped subproblems far better than tangled ones
Ralph Wiggum Loop
while :; do cat PROMPT.md | claude-code; done — feed the same prompt back until done
A deliberate iterative self-referential loop (Geoffrey Huntley's technique) where the agent retries the same task across fresh contexts until completion criteria are met
Different Approach Prompt
"Try a completely different approach"
Explicitly asking the AI to abandon the current strategy breaks the pattern and forces an alternative solution path
Manual Intervention
Stop prompting and write the fix yourself
Sometimes human coding is faster — recognizing when to stop iterating with the AI is a core vibe-coding skill
Revert and Re-Prompt
Roll back the failed change, then re-prompt with sharper instructions
Reset to the last working state and provide clearer, more specific guidance so the AI doesn't repeat the same mistake

Table 20: Drawbacks and Limitations

Vibe coding ships features quickly, but the speed comes with a measurable tax in security, maintainability, and developer skill. Knowing each failure mode by name lets you put guardrails around the parts of the workflow where AI is weakest.

Limitation | Example | Description
Security Vulnerabilities
Hardcoded credentials, SQL injection
• Veracode 2025 found 45% of AI-generated code contains OWASP Top 10 vulnerabilities
• LLMs lack threat-model awareness
Technical Debt Acceleration
Rapid generation without cleanup
• GitClear measured a spike in duplicate code and short-term churn since AI assistants went mainstream
• code is produced faster than it is refactored
Hallucinations
AI invents nonexistent APIs and packages
• LLMs fabricate plausible-looking calls to functions or packages that don't exist (≈20% of package recommendations in some studies)
• enables "slopsquatting" supply-chain attacks
Shallow Understanding
Developer can't debug or extend
• Produces developers who generate but don't comprehend the code they ship
• dangerous the moment AI output fails
Performance Issues
Inefficient algorithms, no optimization
• AI prioritizes "works" over "optimal"
• common artifacts: N+1 queries, missing indexes, unbounded loops
Limited Custom Logic
Complex business rules poorly handled
• Excels at well-trodden patterns, falters on novel domain rules
• permission/governance logic often missing unless prompted
Maintainability Challenges
Inconsistent patterns across features
• Piecemeal prompts yield inconsistent architectural choices
• duplicate blocks grow, "moved lines" (real reuse) decline
Dependency on AI Availability
Productivity drops when service is down
• Workflow becomes reliant on an external service
• outages, rate limits, or pricing changes interrupt work
Junior Developer Impact
Reduced learning of fundamentals
• Risk of skill atrophy: skipping the syntax / data-structure reps that build expertise
• juniors hit a ceiling when AI output needs debugging

Table 21: Vibe Coding vs Traditional Development

Vibe coding swaps hand-written code for natural-language prompts to an LLM, trading deep code understanding for speed. This table compares the two approaches on the dimensions where the trade-off actually shows up — speed, quality, debugging, skills, scaling, and cost — so you can pick the right mode for the job.

Aspect | Example | Description
Speed Advantage
Days vs months for prototypes
• Vibe coding delivers faster initial results for prototypes
• METR's 2025 RCT found experienced devs 19% slower on real tasks, but its 2026 update shows a likely speedup now; selection effects make controlled measurement difficult because developers refuse to work without AI
Learning Curve
Non-programmers can build apps
• Lowered barrier to entry for the first 70%
• non-programmers hit walls fast on debugging and maintenance
Code Quality
First draft vs hand-crafted
• AI-co-authored code shows ~1.7x more major issues and 2.74x more security flaws (CodeRabbit, 2025)
• hand-written code typically more maintainable
Debugging Complexity
Harder to troubleshoot AI code
Debugging is harder than in traditional development because the developer never built a mental model of code they didn't write
Skill Requirements
Prompt engineering vs programming
Shifts from syntax mastery to communication, judgment, and review — skills are redistributed, not eliminated
Collaboration Model
Conversational vs command-driven
• Vibe coding is an iterative dialogue with the AI
• traditional development is direct command of an editor and toolchain
Scaling Challenges
Struggles at enterprise scale
LLMs handle simple tasks well but struggle with multi-file projects, poorly documented libraries, and safety-critical code
Cost Structure
AI costs vs developer time
• Trades AI service fees for some developer hours
• hidden cost is the final 30% — polish, edge cases, security — that still needs senior engineers

Table 22: Vibe Coding vs Low-Code/No-Code

Vibe coding and low-code/no-code platforms both aim to lower the bar for building software, but they take opposite paths: vibe coding emits real source code you own, while low-code/no-code platforms hide code behind visual builders and a hosted runtime. The trade-offs cluster around ownership, flexibility, governance, target user, and how costs scale.

Distinction | Example | Description
Code Generation
Vibe: actual source code produced
• Vibe coding asks an LLM to generate real source code the developer owns and runs
• no-code platforms generate platform-internal configuration behind visual tools
Flexibility
Custom features vs templates
• Vibe coding is an open system — anything the chosen stack supports is fair game
• no-code is closed and extends only through templated feature sets
Vendor Lock-in
Portable code vs platform trapped
• No-code apps run on the vendor's proprietary runtime and rarely export
• vibe-coded apps run anywhere their stack runs
Developer Target
Developers vs business users
• No-code targets business users and citizen developers with domain knowledge
• vibe coding still rewards developers who can read and steer the output
Complexity Ceiling
Complex logic handled better
• No-code has limited extensibility and a narrow set of use cases
• vibe coding inherits the full architectural range of the underlying stack
Governance
Low-code has structured governance
• Enterprise low-code platforms keep work under the IT fold with controls
• no-code carries the highest shadow-IT risk; vibe coding sits in between
Learning Path
Vibe teaches real programming concepts
• Vibe-coded output is real source code learners can read and modify
• no-code skills are platform-specific and don't transfer to traditional coding
Cost Predictability
No-code has fixed licensing
• No-code uses per-seat / per-app licensing that is predictable month to month
• vibe coding costs scale with LLM token usage and can spike unexpectedly

Table 23: Production Deployment Considerations

Shipping AI-assisted code to production demands the same discipline as any other change — plus an extra dose of skepticism because the author (the model) didn't think about your incident history. These nine gates cover what a human owner must verify before, during, and right after a vibe-coded feature goes live.

Consideration | Example | Description
Code Review Requirements
Manual audit before deployment
• Implementing thorough human review of every AI-generated change
• A 2025 CodeRabbit analysis of ~150k PRs found 2.74x more vulnerabilities in AI-generated code than in human-written code
Security Audit
SAST + SCA + secret scanning pre-deploy
Running static analysis, dependency, and secret scans on AI output to catch exposed credentials, injection sinks, and known-vulnerable packages CI lint alone misses
Performance Optimization
Profile and improve slow operations
• Profile-then-tune, never premature optimization
• AI defaults to "working", not "fast" — measure before changing anything
Error Handling
Add try/catch, validation, fallbacks
• Strengthening failure resilience
• AI exhibits "happy-path bias" — training data is full of demos, so generated code skips edge cases and error branches
Test Coverage
Unit, integration, end-to-end tests
• Building an automated test pyramid (many unit, fewer integration, few E2E)
• Critical when the developer didn't write the code by hand
Documentation
API docs, architecture diagrams
• Creating handoff-grade documentation
• Especially important when the next maintainer didn't watch the prompt session that produced the code
Monitoring and Observability
Logs, metrics, traces, alerts
Implementing the three pillars of observability so production issues surface and can be diagnosed without redeploying to add a print statement
Staged Rollout
Dev → staging → canary → production
Using progressive deployment (canary, blue/green, feature flags) to limit blast radius and enable fast rollback when a release misbehaves
Refactoring Pass
Clean up structure, naming, duplication
Conducting a deliberate cleanup before debt compounds — AI tends to repeat patterns rather than abstract them, inflating maintenance interest fast

Table 24: Team Collaboration and Handoffs

Vibe coding lets people produce code faster than they can sustain it, so teams need explicit norms for who owns the output, how it's reviewed, and how knowledge survives past the chat window. This table covers the collaboration practices that turn one-person AI velocity into something a team can actually maintain.

Practice | Example | Description
Code Ownership Clarity
Designate human owner for AI code
• Assigning accountability for each vibe-coded component
• someone must understand and maintain it
Vibe Coding Standards
Team guidelines on AI tool usage
Establishing shared norms for when AI is appropriate (low-stakes work) versus when reviewed AI-assisted coding is required
Review Process
Peer review of AI-generated code
Implementing human verification that runs tests, checks context and intent, scrutinizes dependencies, and catches AI-specific pitfalls like hallucinated APIs
Knowledge Sharing
Document prompts and patterns
Preserving prompts and instructions in repository files so proven approaches become team resources instead of chat history
Handoff Documentation
Explain AI-generated architecture
Providing context for the next developer — the rule is don't commit code you couldn't explain to someone else
Junior Developer Guidance
Pair juniors with seniors on AI work
Mentoring during AI usage so juniors build fundamentals rather than accepting diffs they cannot explain
AI Audit Trail
Track which AI generated what code
Maintaining generation history (model, prompt, dependencies) useful for debugging hallucinated packages and tracing decisions
Cross-Functional Collaboration
Designers, PMs use AI to prototype
Enabling non-developers to build prototypes to reduce handoff friction, while keeping production deployment gated on engineering review

Table 25: Advanced Workflows and Patterns

These are the higher-leverage patterns experienced developers reach for once basic prompt-and-paste stops scaling. They share a theme: front-load structure (planning, specs, tests, version control) so the AI works inside guardrails instead of improvising your architecture.

Pattern | Example | Description
Multi-Model Strategy
Opus for architecture, Sonnet for features
Picking the cheapest model that still meets the task's reasoning bar keeps cost and latency down without sacrificing quality
Test-Driven Development with AI
Write test, AI generates passing code
Tests drive what "done" means so the agent has a concrete loop (write → run → fix) to converge against
Visual Prompting
Upload wireframes or screenshots as prompts
• Eliminates layout ambiguity that text descriptions can't pin down
• faster than re-prompting for spacing/alignment
Agentic Workflows
AI autonomously plans, codes, tests, deploys
Delegating multi-step execution to an agent — useful only when paired with permission boundaries and review gates
Research-Plan-Implement Framework
AI researches → creates plan → you approve → implement
Front-loading discovery and planning in a read-only phase catches misunderstandings before any file is touched
Template-Driven Generation
Start with Shadcn, Next.js scaffold
Starting from proven scaffolding constrains the AI to patterns the framework already supports
Compositional Prompting
"Compose these 3 hooks into a new one"
Building features by referencing existing utilities the AI must reuse instead of reinventing
Documentation-First Workflow
Write README and API docs before code
• Forces clarity of design intent
• gives the AI a spec to align generated code against
Atom-of-Thought Decomposition
Break reasoning into independent atomic subquestions
A Markovian reasoning framework (NeurIPS 2025) that decomposes a problem into a DAG of self-contained subquestions, eliminating historical context
Prompt Versioning
Track prompt changes in Git alongside code
• Treats prompts as code artifacts with diffs and rollback
• enables A/B testing and regression checks across model upgrades
Breadcrumb Documentation
Frequent commits + notes for future sessions
Save points that let you (and future agent sessions) resume work and roll back failed AI changes without losing context
Git Worktrees for Parallel Agents
claude --worktree feature-auth in one terminal, claude --worktree feature-payments in another
Each worktree gets its own branch, directory, and isolated file state while sharing the same .git object database — prevents agents from overwriting each other mid-edit
tmux Multi-Agent Management
tmux new-session with one pane per agent; send-keys and capture-pane for automation
Splits terminal into panes, one per agent, giving real-time visibility across all parallel sessions without switching windows — the native runtime for Claude Code Agent Teams in 2026

Table 26: Multi-Agent Orchestration Patterns

When a single agent hits its context limit or takes too long on complex tasks, multi-agent orchestration is the answer. These five patterns — documented by Anthropic in their Building Effective Agents guide — define how to decompose, route, parallelize, and verify work across multiple coordinated agents, turning the AI from a single pair programmer into an engineered team.

Pattern | Example | Description
Prompt Chaining
Generate outline → expand sections → review → format
• Decomposes tasks into sequential LLM calls where each step processes the previous output
• adds latency but increases accuracy since each step can be validated independently
Routing
User request → classifier → Bug agent / Feature agent / Refactor agent
Classifies inputs and directs each request to the most appropriate specialized handler — prevents a generalist from degrading when different task types need different approaches
Parallelization (Sectioning)
Three agents analyze different modules simultaneously, results merged
• Splits independent subtasks across simultaneous agents
• throughput scales with agent count as long as tasks don't share mutable state
Parallelization (Voting)
Same prompt run three times; majority answer accepted
Same task run multiple times and results aggregated — increases confidence on ambiguous or high-stakes outputs at the cost of compute
Orchestrator-Workers
Orchestrator plans and delegates; workers implement code, tests, and docs independently
• A central orchestrator dynamically decomposes tasks and delegates to specialist workers
• the standard pattern in most agentic coding tools (Claude Code multi-agent, Cursor Composer)
Evaluator-Optimizer
Generator writes function, evaluator reviews for security and edge cases, generator revises
One agent generates, another evaluates and provides feedback in an iterative refinement loop — ideal for code review, content editing, and optimization tasks
Coordinator / Specialist / Verifier
Coordinator decomposes spec → specialists implement → verifier validates against acceptance criteria
Three-tier architecture: coordinator plans, specialists execute bounded tasks, verifier checks output — separates planning, execution, and validation into roles that can run with appropriate model tiers

Table 27: Agent Lifecycle Hooks

Claude Code hooks (released early 2026) execute automatically at specific lifecycle events — before a tool runs, after a file is edited, when the agent finishes — turning "best-practice guidelines" into enforced, repeatable automation. They close the gap between what CLAUDE.md suggests and what actually always happens.

Hook | Example | Description
PostToolUse — Auto-Format
Run npx prettier --write $FILEPATH after every file edit
• Fires after a tool completes
• cannot block but can auto-correct — the lowest-risk, highest-impact hook
• eliminates formatting noise before you ever see the diff
PreToolUse — File Protection
Block edits to src/middleware.ts, .env, and payment routes
• Fires before a tool executes and is the only hook that can deny the action
• prevents Claude from touching production-critical files without explicit override
PreToolUse — Dependency Guard
Block npm install --save (production deps) without approval
Intercepts Bash tool calls matching npm install/yarn add/pip install and requires human approval before adding production dependencies — directly blocks slopsquatting
PostToolUse — Type Check
Run npx tsc --noEmit after every TypeScript file edit
• Catches type errors immediately after each AI edit rather than accumulating them
• keeping the project in a valid type state preserves model accuracy in subsequent turns
PreToolUse — Prompt Hook (Security Review)
Prompt evaluates the pending edit for auth, DB, payment, and secrets changes
• Sends a single-turn LLM evaluation of the pending action — can approve or deny based on semantic meaning, not just regex patterns
• understands context that shell scripts cannot
Agent Hook — Deep Verification
Spawn subagent with Grep/Glob to verify new endpoint follows auth pattern across files
Spawns a subagent with tool access (Read, Grep, Glob) to verify cross-file conditions before approving — the most powerful handler type for architecture compliance checks
Stop Hook — Quality Gate
Run full lint + type check + test suite when Claude finishes a turn
• Fires at end of each agent turn
• runs the full quality suite and posts results — the enforcement mechanism for "Claude is done only when tests pass"
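An added sketch (not Claude Code's or the cheat sheet's own code) of a PreToolUse guard combining the File Protection and Dependency Guard rows above. It assumes the hook receives a JSON event with `tool_name`, `tool_input` and `cwd` on stdin and that exit status 2 denies the call; the allowlist, the protected paths and all package names are placeholders.

```python
import json
import posixpath
import re
import shlex
import sys
from fnmatch import fnmatchcase

# Assumed project policy; both lists are placeholders a team would maintain.
APPROVED_PACKAGES = {"react", "zod", "@types/node", "requests"}
PROTECTED_PATHS = [".env", ".env.*", "src/middleware.ts", "src/payments/*"]

INSTALLERS = {  # executable -> subcommands that add packages
    "npm": {"install", "i", "add"},
    "pnpm": {"install", "i", "add"},
    "yarn": {"add"},
    "pip": {"install"},
    "pip3": {"install"},
}
# pip flags whose value is a reviewed file, not a package. The value of any
# other flag is treated as a package name and fails the allowlist (fail closed).
FILE_FLAGS = {"-r", "--requirement", "-c", "--constraint"}


def _simple_commands(command):
    """Split a shell line into simple commands at ; & | ( ) < > operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    words = []
    for token in lexer:  # raises ValueError on unbalanced quotes
        if token and all(ch in "();<>|&" for ch in token):
            if words:
                yield words
            words = []
        else:
            words.append(token)
    if words:
        yield words


def _package_name(spec):
    """Strip pins and extras: left-pad@1.3.0, @scope/pkg@2, requests[socks]==2.31."""
    scoped = spec.startswith("@")
    name = re.split(r"[@=<>!~\[;]", spec[1:] if scoped else spec)[0]
    return ("@" + name if scoped else name).lower()


def requested_packages(command):
    """Names of packages the command would add (empty for lockfile-only installs)."""
    found = []
    for words in _simple_commands(command):
        while words and (re.fullmatch(r"\w+=.*", words[0]) or words[0] == "sudo"):
            words = words[1:]  # skip VAR=value prefixes and sudo
        if len(words) > 2 and words[0].startswith("python") and words[1:3] == ["-m", "pip"]:
            words = words[2:]  # python -m pip install ...
        if len(words) < 2 or words[1] not in INSTALLERS.get(posixpath.basename(words[0]), ()):
            continue
        args = iter(words[2:])
        for arg in args:
            if arg in FILE_FLAGS:
                next(args, None)
            elif not arg.startswith("-"):
                found.append(_package_name(arg))
    return found


def decide(event):
    """Return (allowed, reason) for one PreToolUse event."""
    tool, params = event.get("tool_name"), event.get("tool_input") or {}
    if tool in {"Edit", "Write", "MultiEdit"}:
        path = posixpath.normpath(params.get("file_path", ""))
        cwd = event.get("cwd", "")
        if cwd and posixpath.isabs(path):
            path = posixpath.relpath(path, cwd)
        for pattern in PROTECTED_PATHS:
            if fnmatchcase(path, pattern) or fnmatchcase(posixpath.basename(path), pattern):
                return False, f"{path} matches protected pattern {pattern}"
    elif tool == "Bash":
        try:
            wanted = set(requested_packages(params.get("command", "")))
        except ValueError:
            return False, "command could not be parsed"
        unknown = sorted(wanted - APPROVED_PACKAGES)
        if unknown:
            return False, "unapproved packages: " + ", ".join(unknown)
    return True, ""


if __name__ == "__main__":
    allowed, reason = decide(json.load(sys.stdin))
    if not allowed:
        print(reason, file=sys.stderr)  # assumed: stderr is relayed to the agent
        sys.exit(2)                     # assumed: exit status 2 denies the call
```

The file guard only sees the edit tools, and token matching misses unusual invocations, so writes and installs made through other shell commands still need the sandbox and scoped-permission boundaries from Table 17.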

References

Official Documentation

  1. Agent Permission Boundaries - https://owasp.org/www-project-top-10-for-large-language-model-applications/
  2. Check Error Handling - https://owasp.org/www-community/Improper_Error_Handling
  3. Checklist-Driven Review - https://owasp.org/www-project-code-review-guide/
  4. Dependency Vulnerability Scan - https://owasp.org/www-community/Component_Analysis
  5. Input Validation Generation - https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
  6. Parameterized Query Enforcement - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
  7. Rate Limiting Generation - https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
  8. Secret Scanning - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
  9. Security Scanning - https://owasp.org/www-community/Source_Code_Analysis_Tools
  10. Security-Focused Prompting - https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html
  11. Security-Focused Review - https://owasp.org/Top10/
  12. Treat AI Code as Untrusted - https://genai.owasp.org/llm-top-10/
  13. MCP Specification - https://modelcontextprotocol.io/docs/getting-started/intro
  14. MCP Server Integration - https://modelcontextprotocol.io/docs/learn/architecture
  15. CLAUDE.md Memory - https://code.claude.com/docs/en/memory
  16. Claude Code Overview - https://code.claude.com/docs/en/overview
  17. Claude Code Best Practices - https://code.claude.com/docs/en/best-practices
  18. Claude Code Permission Modes - https://code.claude.com/docs/en/permission-modes
  19. Claude Code Context Window - https://code.claude.com/docs/en/context-window
  20. Effective Context Engineering - https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents
  21. Effective Harnesses for Long-Running Agents - https://www.anthropic.com/engineering/effective-harnesses-for-long-running-agents
  22. Anthropic Claude Code Best Practices - https://www.anthropic.com/engineering/claude-code-best-practices
  23. Building Effective Agents - https://www.anthropic.com/research/building-effective-agents