All posts

It Vibes On My Machine

9 min read

When Andrej Karpathy coined "vibe coding" in early 2025, it described something real: you type a rough idea, the AI spits out code, you don't fully understand it, and somehow it works. The "vibe" was the point. You weren't engineering. You were surfing.

That was a year ago. What's happening now is something fundamentally different, and we're still using the old label. I know we'll keep using it. "Context engineering" has been proposed, Tobi Lutke pushed it, Martin Fowler wrote about it, Patrick Debois built a whole framework around it. Nobody cares. Everyone still says "vibe coding." It's the new "cloud." The meaning will stretch until it covers everything from pasting ChatGPT output into a file to building production systems with autonomous agents. That's fine. Language does what it wants.

But I'm opting out. Not because I think I can change what people call it. I just refuse to describe what I do with the same word that describes what got us here.

What got us here

Today people are shipping real products with agentic coding tools. SaaS apps, internal tools, customer-facing services. And the vibing approach is starting to produce real damage. Not theoretical damage. Not "could potentially lead to issues" damage. Actual, embarrassing, sometimes illegal damage.

I asked Claude Code to build a website for a small business. It produced a beautiful, functional site in under an hour. Clean layout, responsive design, fast loading. Impressive. But it didn't generate a privacy policy page. Or a cookie banner. Or an imprint. Not because the AI is incapable of building those things. It builds them perfectly fine when asked. It just wasn't told to. The AI doesn't know German or European law requires these pages. It doesn't think about GDPR unless you do. It solves exactly the problem you describe and nothing more.

A business that launches without a privacy policy faces fines. But hey, the vibes were great.

Here's a better one. I told Claude Code to handle SEO optimization for a project. It took that instruction seriously. Very seriously. It generated structured data with fake five-star reviews. Rich snippets pointing to testimonials that didn't exist. Schema markup designed to make Google show glowing ratings that nobody ever wrote. The code was technically excellent. The SEO implementation was textbook. And the result would have been genuinely fraudulent if it had gone live without review.

The AI wasn't being malicious. It was optimizing for exactly what it was told to optimize for: search engine visibility. Without the context that fake reviews are illegal, unethical, and brand-destroying, "do SEO" became "game Google at any cost." Vibes, baby.

One more. I told Claude Code to deploy a Next.js app on Vercel and keep the usage costs as low as possible. It did exactly that. Aggressive caching headers, maxed-out ISR revalidation intervals, stale-while-revalidate cranked to the limit. Usage costs? Near zero. The problem? The site was showing content that was hours old. New blog posts, updated prices, fresh announcements, none of it visible to users because the cache refused to let go. The AI had solved the cost problem perfectly and created a freshness problem that nobody asked about.

This is the pattern. The AI optimizes brilliantly for whatever you specify. Everything you don't specify becomes a blind spot. And blind spots in production become incidents.

The poster child

If you want to see what vibing looks like at scale, look no further than Moltbook. The "social network for AI agents" that Meta just acquired this week. The founder publicly stated that he didn't write a single line of code. The platform went viral, attracted millions of registered bots, got Elon Musk to call it "the early stages of the singularity," and just landed an acqui-hire deal with Meta Superintelligence Labs.

It also had an unsecured database that exposed over a million authentication tokens, tens of thousands of email addresses, and private messages. Anyone could impersonate any agent on the platform because the entire identity layer was public and unprotected. Security firm Wiz found the flaw. Cybersecurity firm 1Password warned that OpenClaw agents running on the platform had elevated permissions on users' local machines, making them vulnerable to supply chain attacks.

Moltbook is the vibe coding success story. Built fast, shipped fast, went viral fast. Also insecure fast. The founder got a life-changing payday, which good for him. But somewhere out there, a million credentials were exposed because nobody vibed the security context into the codebase.

This isn't a cautionary tale about one platform. It's a snapshot of an entire era. The vibes were immaculate. The security wasn't.

The vibe coder and the engineer

Here's the part where I'll sound like a gatekeeper, and I've made peace with that.

A vibe coder is someone with little or no understanding of software systems who uses AI to produce code. And for a certain class of problems, that works. A personal landing page, a quick internal tool, a prototype that never sees real traffic. Nobody gets hurt. Ship it.

But software doesn't end at "it works on my machine."

A software developer or architect thinks ahead. They think about what happens when the app has ten thousand concurrent users instead of ten. They choose the right database for the access pattern, not just the one the AI suggests first. They think about infrastructure: where does this run, how does it scale, what happens when a region goes down? They think about security: authentication, authorization, input validation, secrets management, not because someone asked them to, but because building without it would be negligent. They think about production readiness: logging, monitoring, error handling, graceful degradation, rollback strategies. They think about deployment: can someone actually install and run this, or is it so tangled with local dependencies and undocumented configuration that it dies the moment it leaves the developer's laptop?

What use is a solution that's so complex to install that nobody bothers?

None of this is glamorous work. None of it shows up in a demo. But it's the difference between software that impresses in a tweet and software that survives contact with reality.

And here's the irony: AI coding tools are perfectly capable of building all of this. They'll set up proper database migrations, configure container orchestration, implement rate limiting, write health checks, and generate deployment manifests. But they only do it when the context demands it. A vibe coder doesn't know to ask for these things because they've never had to think about them. A software engineer provides the context almost instinctively because years of production experience have taught them what goes wrong when you don't.

Same tool. Vastly different outcomes. Because the context was vastly different.

AI tools don't close this gap. They widen it. The vibe coder produces a demo that looks production-ready but isn't. The experienced engineer produces something that actually is production-ready, in a fraction of the time it used to take. If you thought the gap between junior and senior was big before, wait until one of them has an agent that can execute at the speed of thought.

What to do instead

There's no catchy alternative that will catch on. "Context engineering" already exists and nobody uses it. So here's what actually works.

What actually produces good results with today's agentic tools is the opposite of vibing. It's providing precise, dense, domain-specific context. The better your context, the better the output. The relationship is almost linear.

The same website project works flawlessly when the prompt includes: "This is a business based in Germany. Generate all legally required pages including Impressum, Datenschutzerklarung per GDPR, and a cookie consent banner that defaults to opt-out. Use real company information from the following details."

The same SEO task produces legitimate results when framed as: "Optimize for search engines. Use only factual information. Do not generate fake reviews, fake testimonials, or fabricated ratings. Implement structured data only for content that actually exists on the site."

The same Vercel deployment works correctly when you say: "Keep usage costs low, but content must be fresh. Use ISR with a revalidation time of 60 seconds for dynamic pages and on-demand revalidation for content updates. Cache static assets aggressively but never cache API responses for more than 30 seconds."

The difference is not in the AI. It's in the human. One prompt vibes. The other provides context. The output quality follows directly.

Why this matters right now

This week, Amazon held an emergency engineering meeting because AI-assisted code changes caused multiple production outages. Their briefing note referenced a "trend of incidents" with "high blast radius" related to "Gen-AI assisted changes."

This is what happens when you vibe code production infrastructure. Someone lets the AI make changes without providing sufficient context about blast radius, dependencies, and rollback procedures. The code was syntactically correct but contextually wrong.

Meanwhile, Redox OS announced a strict no-LLM policy for contributions. Debian couldn't decide on a policy at all. The open source world is struggling with this because they're treating all AI-generated code as one category, when the quality spectrum runs from "vibed-out garbage" to "precisely contextualized and thoroughly specified."

The conversation we should be having is not "should we allow AI code?" It's "what level of context specification should we require?"

The context is the product

AI coding agents are optimization machines. They will pursue whatever objective you give them with remarkable competence and zero judgment. Tell them to maximize engagement, and they'll add dark patterns. Tell them to minimize costs, and they'll sacrifice user experience. Tell them to handle authentication, and they'll store passwords in plaintext if you don't specify otherwise.

Every missing piece of context is a potential failure mode. And unlike traditional programming, where the developer's own knowledge fills gaps unconsciously ("of course I wouldn't store passwords in plaintext"), AI agents have no implicit knowledge about what's appropriate. They have no professional instincts. They have no sense of "obviously you shouldn't do that." They only have what you tell them.

The things you don't mention are the things that will go wrong. Legal constraints, ethical boundaries, user expectations, performance requirements, security standards, infrastructure costs, deployment complexity, business logic. If you didn't specify it, it doesn't exist.

So call it whatever you want

I know the industry will keep saying "vibe coding." That's fine. I just won't use the word for myself. You can keep the vibes. I'll keep the context.

Next time someone shows you a demo and says "it works," ask them where. Ask them for how many users. Ask them about the security model. Ask them about the deployment. Ask them about the legal requirements.

Or don't. It vibes on their machine. That's probably enough.