# Your vibe coding app works. That's exactly the problem.

Bezael Pérez, April 8, 2026
    Vibe coding gives you speed. It also gives you plaintext passwords, non-expiring tokens, and CORS open to the entire internet. This article is about the second part.

Your app works. You opened it in the browser. Clicked the buttons. Everything responds. You deployed it. Nobody complained.

And that's exactly the problem.

Because "works" doesn't mean the same thing as "is correct". And when you delegate code to an AI without reviewing it, the gap between those two can be an endpoint with no authentication, a JWT that never expires, or a password stored in plaintext in your database.

Not because the AI is bad. But because the AI optimizes for "make the prompt work". Not for "make it safe in production".

---

## What the AI doesn't tell you when it generates your code

The AI generated your endpoint. You tested it with Postman. It returned 200. But it didn't tell you that any authenticated user can access any other user's data just by changing the ID in the URL.

The AI set up your JWT authentication. Tokens are generated. Users log in. But it didn't tell you those tokens have no expiration date. That if one leaks, it's valid forever.

The AI configured CORS so the frontend could call the backend. But it didn't tell you it set `origin: '*'`. That means JavaScript on any website can read responses from your API. A wildcard cannot be combined with cookies (browsers refuse a credentialed request when the server answers `*`), so the truly dangerous variant is the follow-up "fix" the AI reaches for when cookie auth breaks: reflecting whatever origin the request carries while keeping credentials on, which lets a malicious page act as a logged-in user. Either way, "it works from my frontend" was the only check that ran.

This isn't theory. It's what shows up when you audit a vibe-coded app. Every single time.

---

## `/vibe-audit` — 30 seconds to know what mess you're in

I built **AI Workflow Kit** because I got tired of manually reviewing AI-generated code and finding the same 20 problems every time.

Installation:

```bash
npx ai-workflow-kit
```

Then, in any project:

```plaintext
/vibe-audit
```

That's it.
The skill scans the entire project, reads the most critical files, and generates a report with severity, concrete evidence, and the suggested fix.

It doesn't tell you "there's a security problem". It tells you exactly where it is, which line, what can happen if you don't fix it, and how to fix it.

---

## The problems it finds. Every time.

After auditing dozens of AI-generated apps, there are 20 patterns that show up again and again. These are the most common:

**The critical ones — the ones that can kill your project:**

**Hardcoded secrets.** The AI puts API keys, passwords, and database URLs directly in the code because "it works faster in the prompt". Shows up in almost 100% of projects generated without review. Once committed, the key lives on in git history even after you delete the line; treat it as leaked and rotate it.

```js
// What you find
const OPENAI_API_KEY = "sk-..."                      // pasted straight from the provider dashboard
const db = { user: "admin", password: "admin123" }   // database credentials in source
const SECRET = "abc123"                              // the JWT signing secret, guessable in seconds
```

**No input validation.** Endpoints blindly trust `req.body`. Any user can send you whatever they want. Including `role: "admin"`.

```js
// Mass assignment: whatever the client sends is written to the database as-is.
const { email, role } = req.body
await db.users.update({ role }) // user gives themselves admin role
```

**IDOR — access to other users' resources.** The `GET /api/orders/:id` endpoint doesn't verify that the order belongs to you. Change the number in the URL. You access any other user's data. The check is one comparison, owner of the row against the authenticated user, and it has to run on every object lookup, not just the list endpoint.

**Unhashed passwords.** Not always. But it happens, especially when the prompt was vague or rushed. The fix is a slow, salted password hash such as bcrypt or Argon2; a bare SHA-256 is not a fix.

**JWT without expiration.** `jwt.sign(payload, secret)` without `expiresIn`. Token valid forever. If it leaks — in logs, in localStorage, anywhere — the attacker has permanent access. And without an expiry there is no way to invalidate a stolen token short of rotating the signing secret for everyone.

**Stack traces exposed to the client.** `res.json({ error: err.stack })` in the error handler. In production this gives an attacker internal paths, library versions, and application logic.

---

**The important ones — the ones that blow up in production:**

**Queries without pagination.** `db.findMany()` without a limit. In development with 10 records, perfect. In production with 50,000, every request drags the whole table into memory and the database goes down.
**Third-party APIs without rate limiting.** The AI connects your app to OpenAI, Stripe, or any external API and calls it directly with no control. Your endpoint becomes a free proxy to a metered service: a bot can fire thousands of requests and wreck your bill or get your account banned by the provider. Anything that spends money on your behalf needs a per-user or per-IP limit in front of it.

**No loading or error states in the frontend.** The AI generates the perfect happy path. If the API is slow or fails, the app goes blank or crashes silently.

**Development console.logs in production.** The AI logs everything for debugging. Those logs leak request payloads, tokens, and user data into wherever your platform ships stdout, and bury the signals you actually need.

---

The report `/vibe-audit` generates looks like this:

```markdown
# Vibe Audit — project-name
Audited: date

## Summary
- 🔴 Critical: N (block production or are security risks)
- 🟡 Important: N (affect stability or maintainability)
- 🔵 Improvements: N (technical debt, quality)

## 🔴 Critical

### Unhashed passwords
**Where:** `src/auth/register.ts` line 23
**Evidence:** [problematic code]
**Risk:** If the database is compromised, all passwords are exposed in plaintext
**Suggested fix:** [corrected code]
```

No vague warnings. Concrete code. Exact line. Actionable fix.

---

## The rest of the kit

`/vibe-audit` is the reason the kit exists. But it doesn't stand alone. Once your app is audited and the critical issues resolved, the rest of the tools keep the workflow clean:

**Skills:**

- `/commit` — reads the real diff and generates a semantic commit. No copy-paste, no "fix stuff"
- `/pr` — PR with description, test plan, and reviewer checklist
- `/review @file` — reviews bugs, security, and performance with real engineering criteria
- `/plan [task]` — forces planning before execution. For complex tasks, an approved plan is worth more than fast code
- `/debug [problem]` — diagnosis with hypotheses before proposing fixes

**Specialized agents:**

- `/frontend` — components following the project's design system
- `/api` — endpoints with validation, auth, and error handling
- `/test` — behavior-driven tests, not implementation tests
- `/refactor` — improves code without changing behavior
- `/docs` — JSDoc, README, or ADR depending on context

**Automatic hooks** — no activation needed, they just run:

- Blocks destructive commands before they execute
- Scans staged files for API keys before every commit
- Formats with Prettier or Biome after every edit
- Runs ESLint and feeds errors back to Claude to fix
- Desktop notification when Claude finishes (Mac/Linux/Windows)

Works with **Claude Code**, **Cursor**, and **GitHub Copilot**.

---

## The difference between vibe coding and vibe coding done right

Vibe coding isn't going away. And it shouldn't. The speed is real. The productivity is real. Being able to build in hours what used to take days is real.

The problem isn't the speed. The problem is mistaking "fast" for "done".

Your app needs both. Speed to reach the market. And a `/vibe-audit` to know what's inside before someone else finds out for you.

---

One line:

```bash
npx ai-workflow-kit
```

GitHub: [https://github.com/bezael/ai-workflow-kit](https://github.com/bezael/ai-workflow-kit)
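What the "hardcoded secrets" finding and the pre-commit "scans staged files for API keys" hook boil down to is a scanner run over file contents before they leave the machine. The following is an added example written for this edit, not the kit's own hook: the detection rules are for well-known key formats (AWS access key IDs start with `AKIA`, Stripe live secrets with `sk_live_`, PEM private-key headers), the false-positive filter and the "staged files" are constructed for the demo, and the finding never echoes the matched secret back, since hook output ends up in terminals and CI logs.

```javascript
// Added example (not code from ai-workflow-kit): a pre-commit style secret
// scanner. Rules cover well-known key formats; the staged contents below are
// constructed for the demo.
const SECRET_RULES = [
  // Prefix-based formats are reliable; the password and URL rules are heuristics.
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9a-zA-Z]{10,}\b/ },
  { name: 'OpenAI-style API key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Hardcoded password', re: /\bpassword\s*[:=]\s*["'][^"']{4,}["']/i },
  { name: 'Database URL with credentials', re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:/]+:[^\s@/]+@/i },
];

// Lines that read from the environment, or carry an obvious placeholder, are not findings.
function isFalsePositive(line) {
  return /process\.env\./.test(line) || /(?:REPLACE_ME|changeme|your[-_]?key[-_]?here|<[^>]+>|x{6,})/i.test(line);
}

// Scan one file's text; returns findings with 1-based line numbers and a redacted excerpt.
function scanFile(path, text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    if (isFalsePositive(line)) return;
    for (const rule of SECRET_RULES) {
      const m = rule.re.exec(line);
      if (m) {
        // Never write the secret itself into hook output or CI logs.
        const match = m[0].length > 8 ? m[0].slice(0, 4) + '...' + m[0].slice(-2) : '***';
        findings.push({ path, line: i + 1, rule: rule.name, match });
      }
    }
  });
  return findings;
}

// Scan a set of staged files (path -> contents). A non-empty result means block the commit.
function scanStaged(files) {
  return Object.entries(files).flatMap(([path, text]) => scanFile(path, text));
}

function formatReport(findings) {
  if (findings.length === 0) return 'no secrets found in staged files';
  return findings.map((f) => `${f.path}:${f.line}  ${f.rule}  (${f.match})`).join('\n');
}

// Constructed sample "staged files": two real-looking secrets, a PEM key, and
// two lines that must NOT be flagged (env lookup, documented placeholder).
const STAGED = {
  'src/config.js': [
    'const OPENAI_API_KEY = "sk-abcdefghijklmnopqrstuvwxyz123456"',
    'const db = { user: "admin", password: "admin123" }',
    'const STRIPE = process.env.STRIPE_SECRET_KEY',
  ].join('\n'),
  '.env.example': 'DATABASE_URL=postgres://user:<your-password>@localhost/app\nAWS_ACCESS_KEY_ID=REPLACE_ME',
  'deploy/key.pem': '-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----',
};

console.log(formatReport(scanStaged(STAGED)));
```

In a real hook the `STAGED` map comes from `git diff --cached --name-only` and `git show :path`, and the hook exits non-zero when `scanStaged` returns anything. Keep the placeholder filter conservative: a false negative ships a credential, a false positive costs one `git commit` retry.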

Tags: claudecode, vibecoding, ai, webdev
