Training · MakerGuardrailemergingpartial

Anti-pattern: Vibe-Ship Without Review

also known as vibe coding anti-pattern, ship-only coding, no-review build-along

Shipping AI-generated code without any human review or testing cycle. The speed of vibe-coding tools tempts makers to deploy code they cannot read or verify, creating security, correctness, and maintenance blind spots.

How the learner advances

flowchart TD A[AI coding tool generates a new feature] --> B{Learner reads generated code?} B -- No: anti-pattern --> C[Deploy directly to public URL] C --> D[Silent failure: security hole, broken logic, or leaked secret] B -- Yes: counter-move --> E[Learner explains 2 key functions] E --> F[Check for hardcoded credentials + unvalidated input] F --> G[Smoke test locally] G --> H[Deploy with confidence and annotated prompt notes]

Intent. Name and prevent the pattern of deploying AI-generated code without a comprehension gate, before it causes a security or correctness failure in a production application.

When to apply. Recognise and intervene when a learner or practitioner in any maker-step program is shipping multiple AI-generated features per session without reading the generated code, cannot explain what a deployed function does, or treats the AI tool's output as inherently correct. This anti-pattern is most dangerous at the maker step because the tooling is fast enough to ship real harm before the learner realises anything is wrong.

Threshold — earns the next step. The learner consistently reads generated code before deploying, can explain what the key functions do, and can identify at least one category of risk (hardcoded secrets, unvalidated input, error handling) to check for in any generated feature.

Masterpiece — the artifact that proves it. A build-along or maker program that has formally incorporated the discernment checkpoint as a deploy gate, with observable evidence that learners read and annotate generated code before shipping — measured by the presence of prompt notes that describe generated functions, not just describe what was asked for.

Example scenario

A founder joins an 8-week Build-Along cohort with ambitions to ship fast. By week 3 she is deploying two to three features per session directly from Lovable's publish button without opening the code view. In week 4 she adds user authentication. The AI tool generates a Supabase auth integration — working, but with the service role key hardcoded in a client-side file. She ships it without reading the code. A cohort peer running a security check on their own app notices the pattern in a shared code snippet in the Discord channel and flags it. The instructor calls a ten-minute session halt: the learner reads the auth code for the first time, finds the hardcoded key, and rotates it immediately. The incident is used as a teaching moment for the full cohort. From that session forward, the program adds an explicit discernment checkpoint: before every deploy step, learners write one sentence in their prompt notes explaining what the auth or data-handling function does. Three weeks later the same learner catches an unvalidated user-input issue in her own generated code before deploying, entirely independently.

Facets

Container — async
Mode — hands-on-build
Reach — individual
Persona — non-technicalfounder
Craft (AI Fluency) — discernmentdiligence
Learner — human
Trainer — human
Guardrail — securityresponsible-userisk

Inputs

Generated code from an AI coding tool — Output from Lovable, Cursor, Claude Code, or equivalent — potentially containing security vulnerabilities, unchecked user inputs, hardcoded secrets, or logic errors that are invisible to someone who has not read the code.
Time pressure or speed incentive — A course structure, competitive context, or personal excitement that rewards shipping speed over comprehension — the environmental condition that makes this anti-pattern attractive.

Outputs

Identified risk before deployment — A moment where the learner or a peer review stops a deployment that contains a reviewable problem — a leaked API key, an unsanitised input, or a function that does not do what the learner assumed.
Discernment habit — A learner who, after encountering or hearing about this anti-pattern, consistently reads generated code before deploying, can explain the key functions, and runs at least a smoke test before any public deployment.

Steps (3)

Recognise the symptom
The anti-pattern presents as: shipping multiple features per session without opening the code view, deploying to a public URL directly from an AI tool's 'one-click deploy' without reviewing the output, or using test credentials in production because the learner did not read the environment variable handling the tool generated.
Apply the counter-move: discernment checkpoint
Before any deployment, the learner reads the diff or generated code for the feature being shipped. They must be able to explain what at least two key functions do and what user input they handle. In a Build-Along track, this is a formal gate: the learner writes a one-sentence explanation of each key function in their prompt notes before the instructor approves their deploy step.
Structural prevention: minimum viable review step
Program designers add a mandatory review step to the build-along template: run the app locally first, read the generated code for the feature, check for hardcoded credentials, and confirm error states are handled. The step takes 5–10 minutes per feature and is non-optional. Skipping it triggers a conversation, not a penalty — the goal is habit formation.

Principles

Speed without comprehension is not a skill; it is a liability that compounds with every unreviewed deployment.
The AI tool writes the code; the learner owns the deployed result — including its security surface and its behaviour under edge inputs.
A five-minute read before deploy prevents failure modes that take days to diagnose in production.

Unlocks methodologies (2)

A learner who completes this pattern is equipped to execute these methodology families:

LLM-App Engineering Spec-Driven

Known failure modes (1)

[discernment-checkpoint-as-checkbox]
The anti-pattern of adding a discernment step to a program's checklist without ensuring learners actually read the code. If the checkpoint is 'did you review the code? yes/no' with no verification, it becomes a rubber stamp that provides false security without changing behaviour.

Related trainings (1)

Build-Along★
move
Enable a non-engineer to ship and deploy a real web application by building it live alongside an instructor, one capability at a time, using AI-first coding tools.

Sources (1)

https://cloud.google.com/discover/what-is-vibe-coding
doc
“vibe coding offers intoxicating generative speed at the cost of nearly all technical control”

Provenance

Ecosystem: neutral
Added to catalog: 2026-05-27
Last updated: 2026-05-27
Verification status: partial