Infonestira
AI & ML

The Complete Developer's Guide to Vibe Coding: From Skeptic to 10x Engineer

· 5 min read
SitePoint Premium
Stay Relevant and Grow Your Career in Tech
  • Premium Results
  • Publish articles on SitePoint
  • Daily curated jobs
  • Learning Paths
  • Discounts to dev tools
Start Free Trial

7 Day Free Trial. Cancel Anytime.

Vibe coding has moved well past its origins as a catchy phrase on social media. In 2025, it represents a concrete shift in how software gets built: developers describe what they want in natural language, AI generates the code, and the human steers, validates, and refines the output. For intermediate developers looking to integrate AI-assisted development into real projects, the four-week checklist below closes the gap between "I've heard of this" and "I ship with this daily." But it requires the right tools, the right workflow, and a clear understanding of where things break down.

This guide provides that bridge, covering tool selection, environment setup, a hands-on REST API tutorial, workflow patterns, and the pitfalls that catch even experienced engineers off guard.

Table of Contents

Prerequisites

Before starting, ensure you have the following installed and configured:

  • Node.js 20+ (node --version should return v20.x.x or higher)
  • npm 9+ (npm --version)
  • OS: Commands in this guide assume a Unix-like shell (bash). Windows users should use WSL or adapt commands accordingly.
  • Cursor IDE installed from the official site
  • An Anthropic API key (for Claude Code) — requires a billing account at console.anthropic.com
  • A GitHub account with an active Copilot subscription (for Copilot CLI steps)
  • GitHub CLI (gh) version 2.0+ — install from cli.github.com

What Is Vibe Coding? (And What It Isn't)

The AI-First Development Workflow Defined

Andrej Karpathy, the former VP of AI at Tesla and co-founder of OpenAI, coined the term "vibe coding" to describe a development approach where the programmer expresses intent in natural language and lets an AI model generate the implementation. The developer's role shifts from writing every line to steering direction, reviewing output, and making architectural decisions.

This is fundamentally different from traditional AI-assisted development. Tools like early GitHub Copilot offered line-level autocomplete, predicting the next few tokens based on the current file. Vibe coding operates at a higher level of abstraction. Instead of accepting a suggested line inside a function, the developer describes an entire feature, endpoint, or module. The AI produces a complete first draft spanning multiple files, and the developer iterates on it through further natural language prompts. The interface is intent-driven, not line-driven.

Common Misconceptions That Hold Developers Back

Three misconceptions consistently slow adoption among experienced engineers.

"It's just for beginners." Senior engineers at companies across the industry use vibe coding workflows to scaffold services, generate boilerplate, and prototype architectures. The skill ceiling is high: the better a developer understands system design, the more precisely they can prompt and the more effectively they can review output.

Imagine a staff engineer designing a new microservice. She spends ten minutes writing a detailed prompt that specifies the database schema, the error-handling contract, and the authentication middleware. The AI produces 800 lines of scaffold code in under a minute. She spends the next hour reviewing, tightening, and adjusting. That is not a beginner workflow. That is an expert compressing a day of boilerplate into a focused review session.

"It produces garbage code." More accurately, AI produces first-draft code that requires skilled review. Output quality depends heavily on prompt specificity, the model's context window, and the project conventions fed into the tool. Treat AI-generated code as a rough draft, not a finished product.

"It replaces developers." Vibe coding repositions the developer as architect and reviewer rather than typist. The human decides what to build, how components interact, what trade-offs to accept, and whether the generated code meets security, performance, and maintainability standards. Without that expertise, the AI output is directionless.

Vibe coding repositions the developer as architect and reviewer rather than typist.

Vibe Coding Tools Compared

AI-Native IDEs: Cursor vs. Windsurf

Cursor and Windsurf represent the current generation of AI-native IDEs. Cursor is a fork of VS Code; Windsurf, developed by Codeium, is a separate IDE that shares VS Code compatibility but has a distinct codebase. Both are designed from the ground up around AI interaction.

Cursor's Composer mode generates multi-file output from a single prompt, its Agent mode executes autonomous multi-step tasks, and its deep codebase indexing gives the AI awareness of the entire project. It supports connecting to multiple model providers, including Claude and GPT-series models, and offers a .cursorrules file for persistent project conventions.

Windsurf provides similar agentic capabilities with its Cascade feature for multi-step workflows. In the author's testing, Windsurf's UI responds faster during prompt interactions, though generation quality is comparable to Cursor's for small-to-medium projects. For smaller projects or developers who prefer a lighter-weight experience, Windsurf is a reasonable alternative.

The deciding factors are project size and team workflow. Cursor's codebase indexing handles repositories exceeding 100k lines of code without noticeable degradation in the author's experience, and its ecosystem of configuration files (.cursorrules) makes it more suitable for teams that need consistent AI behavior across contributors.

Terminal-First AI: Claude Code and GitHub Copilot CLI

Claude Code is Anthropic's agentic coding tool that runs directly in the terminal. It can read and edit files, execute multi-step tasks, run shell commands, and maintain context across a session. For developers who prefer terminal workflows or need to integrate AI into CI/CD pipelines, Claude Code operates without requiring an IDE.

Note: Claude Code usage is billed per token against your Anthropic API key. Monitor usage at console.anthropic.com to avoid unexpected charges.

GitHub Copilot CLI integrates with the gh command-line tool, providing command generation, git workflow assistance, and shell integration. It is less agentic than Claude Code but fits naturally into existing GitHub-centric workflows. It requires gh CLI version 2.0+ and an active GitHub Copilot subscription.

Choosing Your Stack Based on Project Type

For solo side projects, Claude Code paired with the Cursor IDE offers a fast feedback loop: generate scaffolding in the terminal, refine in the IDE. Team production applications benefit more from GitHub Copilot integrated with Cursor and a CI/CD pipeline, which provides better collaboration tooling, code review integration, and audit trails.

Tool Comparison

FeatureCursorWindsurfClaude CodeGitHub CopilotCopilot CLI
Context WindowFull codebase indexFull codebase indexSession-based, project filesOpen file + neighborsCommand context
Agent ModeYes (Composer, Agent)Yes (Cascade)Yes (terminal-native)Yes (Copilot Chat agent)No
Pricing TierFree / Pro ($20/mo)Free / Pro (see codeium.com/pricing)Usage-based via APIFree / Pro ($10/mo or $100/yr) / Business — verify current pricing at github.com/features/copilot/plansIncluded with Copilot
Best ForIDE-centric full-stack devLightweight AI IDETerminal-first workflows, CI/CDTeam collaboration, GitHub integrationShell commands, git workflows
Language SupportBroad (all VS Code languages)Broad (all VS Code languages)Broad (model-dependent)BroadShell/CLI focused

Setting Up Your Vibe Coding Environment

Installing and Configuring Cursor with AI Features

Install Cursor from the official site. On first launch, enable Composer mode and Agent mode in settings. Connect it to a model provider: Cursor supports Claude (via Anthropic API key) and OpenAI GPT models. If you have a Cursor Pro subscription, some model access may be included; otherwise, you will need to provide your own API key from Anthropic (console.anthropic.com) or OpenAI (platform.openai.com). Configure codebase indexing so the AI can reference your entire project, not just the open file.

The critical configuration step is creating a .cursorrules file in the project root. This is a plain-text file — not JSON — that Cursor's AI reads as freeform instructions about project conventions, preferred patterns, and constraints. It persists across sessions and ensures consistent output.

# Project Conventions

Language: TypeScript
Runtime: Node.js 20+
Strict mode: enabled — no `any` types

Error handling: Use custom AppError class with HTTP status codes
Validation: Zod schemas for all request input
Testing: Vitest for unit and integration tests
Imports: Use path aliases via tsconfig paths

Naming: camelCase for variables, PascalCase for types and classes
File structure: src/routes, src/controllers, src/middleware, src/types
Async handlers: Always wrap in try/catch or use asyncHandler middleware

This file acts as persistent context. Every time Cursor's AI generates or refines code, it references these rules, reducing the need to repeat conventions in every prompt.

Getting Started with Claude Code in the Terminal

Claude Code installs via npm and runs as a CLI tool. Verify the current package name at Anthropic's official Claude Code documentation before installing. The following commands set up a new project with persistent context:

# Install Claude Code globally
# Note: global installs may require sudo on Linux/macOS if npm prefix is not configured
npm install -g @anthropic-ai/claude-code

# Navigate to your project directory
cd my-api-project

# Initialize Claude Code (authenticates on first run)
claude

# Create a CLAUDE.md file for persistent project context
# Note: This heredoc syntax is bash-specific.
# PowerShell users should create the file manually or use New-Item.
cat > CLAUDE.md << 'EOF'
# Project: Task Manager API

## Tech Stack
- Runtime: Node.js 20+ with TypeScript 5.x
- Framework: Express.js
- Validation: Zod
- Testing: Vitest
- Database: PostgreSQL with Drizzle ORM

## Conventions
- All route handlers must be async and use centralized error middleware
- Use strict TypeScript (no `any` types)
- Every endpoint must validate input with Zod before processing
- Tests go in `__tests__/` directories adjacent to source files
EOF

The CLAUDE.md file is read by Claude Code at the start of each session. It provides the model with project-specific context that persists beyond a single conversation, reducing hallucination of incorrect patterns and keeping output aligned with the project's actual stack.

Integrating GitHub Copilot and GitHub CLI

Enable GitHub Copilot in your editor through the extensions marketplace. Install the GitHub CLI (gh) from cli.github.com (requires version 2.0+) and enable Copilot extensions with gh extension install github/gh-copilot. This requires an active GitHub Copilot subscription. It provides gh copilot suggest and gh copilot explain commands for terminal-level AI assistance alongside the editor integration.

Your First Vibe Coding Session: Building a REST API

Step 1: Describing Intent in Natural Language

Effective natural language coding starts with a well-structured prompt. Vague instructions produce vague output. The prompt should specify the tech stack, expected behavior, error handling approach, and output structure.

Here is a prompt designed for a Claude Code tutorial session, building a task management REST API:

Prompt to Claude Code:

Build a REST API for a "tasks" resource using Node.js 20, TypeScript 5, and Express.js.

Requirements:

  • CRUD endpoints: GET /tasks, GET /tasks/:id, POST /tasks, PUT /tasks/:id, DELETE /tasks/:id
  • Use an in-memory array as the data store for now (we'll add PostgreSQL later)
  • Each task has: id (UUID), title (string, required), description (string, optional), status (enum: "todo" | "in-progress" | "done"), createdAt (ISO timestamp)
  • All request input must be validated with Zod
  • Use centralized error handling middleware that returns JSON error responses with appropriate HTTP status codes
  • TypeScript strict mode, no any types
  • Include a package.json with all dependencies and a tsconfig.json

Output the full project structure under src/.

Notice the structure: context (what is being built), constraints (specific libraries, strict mode, no any), and output format (full project structure). This level of specificity improves first-pass output quality by an order of magnitude compared to a vague "build me an API" prompt.

Step 2: Generating the Scaffold with Claude Code

Feeding this prompt to Claude Code in the terminal produces a multi-file scaffold. The generated project structure includes src/routes/, src/controllers/, src/middleware/, src/types/, configuration files (package.json, tsconfig.json), and an entry point (src/index.ts).

Below are the supporting type and error-handling files the AI generates. These are required for the route file that follows:

// src/types/task.ts — AI-generated type definitions
export enum TaskStatus {
  TODO = "todo",
  IN_PROGRESS = "in-progress",
  DONE = "done",
}

export interface Task {
  id: string;
  title: string;
  description?: string;
  status: TaskStatus;
  createdAt: string;
}
// src/middleware/errorHandler.ts — AI-generated error class and middleware
import { Request, Response, NextFunction } from "express";

export class AppError extends Error {
  public statusCode: number;

  constructor(statusCode: number, message: string) {
    super(message);
    this.statusCode = statusCode;
    this.name = "AppError";
    Object.setPrototypeOf(this, new.target.prototype);
  }
}

export function errorHandler(
  err: Error,
  _req: Request,
  res: Response,
  _next: NextFunction
): void {
  if (err instanceof AppError) {
    res.status(err.statusCode).json({ error: err.message });
    return;
  }
  console.error(err);
  res.status(500).json({ error: "Internal Server Error" });
}

The AppError class sets this.name and calls Object.setPrototypeOf(this, new.target.prototype) in the constructor. This ensures instanceof checks work correctly even when TypeScript is compiled to ES5/CommonJS targets, where extending built-in classes like Error can otherwise break the prototype chain. The error handler also logs unexpected errors to the console so that 500-level failures are visible during development and in production logs.

The entry point file wires everything together. This file is essential — without express.json() middleware, req.body will be undefined for all POST and PUT requests:

// src/index.ts — application entry point
import express from "express";
import taskRouter from "./routes/tasks";
import { errorHandler } from "./middleware/errorHandler";

const app = express();

app.use(express.json()); // required — must precede routes
app.use("/tasks", taskRouter);
app.use(errorHandler); // must be last middleware

const PORT = process.env.PORT ?? 3000;
app.listen(PORT, () => {
  console.log(`Server listening on port ${PORT}`);
});

export { app }; // export for supertest integration tests

Next, create a small async handler utility. Route handlers in Express that perform asynchronous work need their rejections forwarded to the error middleware. Without this wrapper, an unhandled promise rejection will crash the process silently instead of returning a proper error response:

// src/middleware/asyncHandler.ts
import { Request, Response, NextFunction, RequestHandler } from "express";

type AsyncRequestHandler = (
  req: Request,
  res: Response,
  next: NextFunction
) => Promise<void>;

export function asyncHandler(fn: AsyncRequestHandler): RequestHandler {
  return (req, res, next) => {
    Promise.resolve(fn(req, res, next)).catch(next);
  };
}

Below is the route file the AI produces, with annotations indicating what was generated versus what required developer refinement. Note that uuid and @types/uuid must be installed as dependencies (npm install uuid @types/uuid):

// src/routes/tasks.ts — AI-generated, developer-refined
import { Router, Request, Response, NextFunction } from "express";
import { z } from "zod";
import { v4 as uuidv4 } from "uuid";
import { Task, TaskStatus } from "../types/task";
import { AppError } from "../middleware/errorHandler";
import { asyncHandler } from "../middleware/asyncHandler";

const router = Router();

// In-memory store — resets on every server restart.
// Intentional for this tutorial; replace with a database in production.
// WARNING: This store is local to a single process. It will not be shared
// across Node.js cluster workers or worker threads.
const tasks: Task[] = [];

// Zod schemas — AI generated, developer tightened the status enum
// .max() caps prevent unbounded strings from exhausting memory
const createTaskSchema = z.object({
  title: z.string().min(1, "Title is required").max(255, "Title too long"),
  description: z.string().max(2048, "Description too long").optional(),
  status: z.nativeEnum(TaskStatus).default(TaskStatus.TODO),
});

const updateTaskSchema = createTaskSchema
  .partial()
  .refine((data) => Object.keys(data).length > 0, {
    message: "At least one field must be provided for update",
  });

// GET /tasks — AI generated as-is
router.get(
  "/",
  asyncHandler(async (_req: Request, res: Response) => {
    res.json({ data: tasks });
  })
);

// GET /tasks/:id — developer added the explicit 404 with AppError
router.get(
  "/:id",
  asyncHandler(async (req: Request, res: Response, next: NextFunction) => {
    const task = tasks.find((t) => t.id === req.params.id);
    if (!task) {
      const safeId = req.params.id.replace(/[^\w-]/g, "").slice(0, 36);
      console.warn(`Task lookup failed for id: ${safeId}`);
      return next(new AppError(404, "Task not found"));
    }
    res.json({ data: task });
  })
);

// POST /tasks — AI generated, developer verified Zod integration
router.post(
  "/",
  asyncHandler(async (req: Request, res: Response, next: NextFunction) => {
    const result = createTaskSchema.safeParse(req.body);
    if (!result.success) {
      const message = result.error.issues
        .map((issue) => issue.message)
        .join(", ");
      return next(new AppError(400, message));
    }
    const newTask: Task = {
      id: uuidv4(),
      ...result.data,
      createdAt: new Date().toISOString(),
    };
    tasks.push(newTask);
    res.status(201).json({ data: newTask });
  })
);

// PUT /tasks/:id — AI generated, follows the same pattern as POST
router.put(
  "/:id",
  asyncHandler(async (req: Request, res: Response, next: NextFunction) => {
    const index = tasks.findIndex((t) => t.id === req.params.id);
    if (index === -1) {
      const safeId = req.params.id.replace(/[^\w-]/g, "").slice(0, 36);
      console.warn(`Task lookup failed for id: ${safeId}`);
      return next(new AppError(404, "Task not found"));
    }
    const result = updateTaskSchema.safeParse(req.body);
    if (!result.success) {
      const message = result.error.issues
        .map((issue) => issue.message)
        .join(", ");
      return next(new AppError(400, message));
    }
    tasks[index] = { ...tasks[index], ...result.data };
    res.json({ data: tasks[index] });
  })
);

// DELETE /tasks/:id — AI generated, returns 204 No Content per REST conventions
router.delete(
  "/:id",
  asyncHandler(async (req: Request, res: Response, next: NextFunction) => {
    const index = tasks.findIndex((t) => t.id === req.params.id);
    if (index === -1) {
      const safeId = req.params.id.replace(/[^\w-]/g, "").slice(0, 36);
      console.warn(`Task lookup failed for id: ${safeId}`);
      return next(new AppError(404, "Task not found"));
    }
    tasks.splice(index, 1);
    res.status(204).send();
  })
);

export default router;

In the author's experience building this tutorial, the AI produced about 90% of this file in a usable state. The developer's refinements were targeted: tightening the Zod enum to use nativeEnum instead of a raw z.enum with string literals, ensuring the AppError class was used consistently, adding input length caps to prevent memory exhaustion, sanitizing user-controlled path parameters out of error responses, wrapping handlers with asyncHandler for safe error propagation, and verifying that the safeParse pattern returned user-friendly error messages.

Step 3: Iterating and Refining in Cursor

With the generated code open in the Cursor IDE, Composer mode enables further refinement through natural language. For example, adding input validation middleware as a reusable layer:

Prompt in Cursor Composer:

Create a reusable validation middleware function that accepts a Zod schema and returns Express middleware. It should validate req.body using safeParse, return a 400 JSON error if validation fails, and pass validated data forward via res.locals.validated if valid. Then refactor the POST and PUT routes in tasks.ts to use this middleware instead of inline validation.

Cursor generates the middleware and refactors the routes. To maintain type safety in strict TypeScript, validated data is passed via res.locals rather than mutating req.body directly, which would bypass TypeScript's type checking and silently defeat strict mode:

// src/middleware/validate.ts — generated by Cursor Composer
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { AppError } from "./errorHandler";

export function validate(schema: z.ZodTypeAny) {
  return (req: Request, res: Response, next: NextFunction): void => {
    const result = schema.safeParse(req.body);
    if (!result.success) {
      const message = result.error.issues
        .map((issue) => issue.message)
        .join(", ");
      next(new AppError(400, message));
      return;
    }
    res.locals.validated = result.data;
    next();
  };
}

With this middleware extracted, the route handlers become cleaner. Note how validated data is read from res.locals.validated with an explicit type assertion, keeping the type contract intact:

// Updated route usage in tasks.ts:
router.post(
  "/",
  validate(createTaskSchema),
  asyncHandler(async (req: Request, res: Response) => {
    const data = res.locals.validated as z.infer<typeof createTaskSchema>;
    const newTask: Task = {
      id: uuidv4(),
      ...data,
      createdAt: new Date().toISOString(),
    };
    tasks.push(newTask);
    res.status(201).json({ data: newTask });
  })
);

router.put(
  "/:id",
  validate(updateTaskSchema),
  asyncHandler(async (req: Request, res: Response, next: NextFunction) => {
    const index = tasks.findIndex((t) => t.id === req.params.id);
    if (index === -1) {
      const safeId = req.params.id.replace(/[^\w-]/g, "").slice(0, 36);
      console.warn(`Task lookup failed for id: ${safeId}`);
      return next(new AppError(404, "Task not found"));
    }
    const data = res.locals.validated as z.infer<typeof updateTaskSchema>;
    tasks[index] = { ...tasks[index], ...data };
    res.json({ data: tasks[index] });
  })
);

This demonstrates the iterative loop: generate, review, prompt for refinement, review again.

Step 4: Adding Tests via Natural Language

Prompting Claude Code or Cursor Agent with "Generate integration tests for all task endpoints using Vitest and supertest" produces test files covering each CRUD operation. Ensure vitest, supertest, and @types/supertest are installed as dev dependencies (npm install -D vitest supertest @types/supertest). The critical step is reviewing the generated test coverage, identifying gaps (such as edge cases for invalid UUIDs or empty request bodies), and prompting the AI to fill those specific gaps.

Here is a representative test file covering the key behaviors, including edge cases that AI-generated tests often miss:

// __tests__/tasks.integration.test.ts
import { describe, it, expect } from "vitest";
import request from "supertest";
import { app } from "../src/index";

describe("Tasks API", () => {
  // POST rejects missing title
  it("POST /tasks returns 400 when title is missing", async () => {
    const res = await request(app)
      .post("/tasks")
      .send({ description: "no title" });
    expect(res.status).toBe(400);
    expect(res.body).toHaveProperty("error");
  });

  // POST rejects invalid status enum
  it("POST /tasks returns 400 for invalid status value", async () => {
    const res = await request(app)
      .post("/tasks")
      .send({ title: "T", status: "invalid-status" });
    expect(res.status).toBe(400);
  });

  // GET returns 404 for unknown UUID and does not reflect the param
  it("GET /tasks/:id returns 404 for nonexistent task", async () => {
    const res = await request(app).get(
      "/tasks/00000000-0000-0000-0000-000000000000"
    );
    expect(res.status).toBe(404);
    // Verify param is NOT reflected in response body
    expect(res.body.error).not.toContain(
      "00000000-0000-0000-0000-000000000000"
    );
  });

  // PUT rejects empty body
  it("PUT /tasks/:id returns 400 for empty update body", async () => {
    // Create a task first
    const create = await request(app)
      .post("/tasks")
      .send({ title: "Original" });
    const id = create.body.data.id;
    const res = await request(app).put(`/tasks/${id}`).send({});
    expect(res.status).toBe(400);
  });

  // AppError instanceof check works after transpilation
  it("AppError instanceof check is correct", async () => {
    const { AppError } = await import("../src/middleware/errorHandler");
    const err = new AppError(404, "not found");
    expect(err instanceof AppError).toBe(true);
    expect(err instanceof Error).toBe(true);
    expect(err.statusCode).toBe(404);
  });

  // Full CRUD lifecycle
  it("full CRUD lifecycle completes without error", async () => {
    const create = await request(app)
      .post("/tasks")
      .send({ title: "Integration Task", status: "todo" });
    expect(create.status).toBe(201);
    const id = create.body.data.id;

    const read = await request(app).get(`/tasks/${id}`);
    expect(read.status).toBe(200);
    expect(read.body.data.title).toBe("Integration Task");

    const update = await request(app)
      .put(`/tasks/${id}`)
      .send({ status: "done" });
    expect(update.status).toBe(200);
    expect(update.body.data.status).toBe("done");

    const del = await request(app).delete(`/tasks/${id}`);
    expect(del.status).toBe(204);

    const missing = await request(app).get(`/tasks/${id}`);
    expect(missing.status).toBe(404);
  });
});

Run the tests with:

npx vitest run --reporter=verbose

As a quick sanity check that the server is working end-to-end:

curl -s -X POST http://localhost:3000/tasks \
  -H "Content-Type: application/json" \
  -d '{"title":"smoke test"}' | jq .

Expected output:

{
  "data": {
    "id": "<uuid-v4>",
    "title": "smoke test",
    "status": "todo",
    "createdAt": "<iso-timestamp>"
  }
}

The Vibe Coding Workflow: Patterns That Actually Work

The Prompt, Generate, Review, Refine Loop

The core workflow is a four-step cycle: prompt the AI with specific intent, generate the output, review every line of the diff, and refine through follow-up prompts or manual edits. The word "vibe" in the name should not suggest lack of rigor. Effective vibe coding is disciplined iteration.

A useful heuristic from the author's experience building this tutorial: AI gets about 80% of the implementation to a functional state. The developer's expertise handles the remaining 20%, which includes error edge cases, security boundaries, performance characteristics, and architectural consistency. That ratio is not a measured industry figure; it reflects the pattern observed across the CRUD endpoints, validation logic, and test generation in this guide.

Context Management: The Make-or-Break Skill

Context management is the single most important skill in AI programming workflows. When the AI loses track of project conventions or file relationships, output quality degrades rapidly.

Context management is the single most important skill in AI programming workflows.

The tools provide mechanisms for this: CLAUDE.md files for Claude Code, .cursorrules for the Cursor IDE, pinned files in Composer sessions, and structured conversation patterns that reference specific files by path. The decision of when to start a fresh context versus continuing an existing thread matters. If a conversation has drifted across multiple unrelated features, starting fresh with a focused prompt and pinned files produces better output than continuing a muddled thread.

When to Type Code Yourself

Not everything benefits from AI generation. Complex algorithms where the logic requires deep domain reasoning, security-critical paths like authentication and authorization flows, and performance-sensitive inner loops are all cases where manual coding is faster and safer. Recognizing when AI slows a developer down rather than speeding them up is itself a skill that improves with practice.

Avoiding the Pitfalls: What Goes Wrong with Vibe Coding

The "It Works, I Think" Problem

The most dangerous failure mode is accepting generated code without understanding it. The code compiles, the basic test passes, and it ships, but the developer never traced the logic. Fix this by reading diffs line by line, running the full test suite, and periodically prompting the AI to explain its choices. If the explanation does not make sense, the code probably has a problem.

Context Drift and Hallucinated Dependencies

AI models sometimes reference npm packages that do not exist, API methods that have been deprecated, or library versions with breaking changes. This is especially common in longer sessions where context drifts. Pin dependency versions in package.json, verify every import against the actual installed packages, and maintain lockfiles. Running npm ls <packagename> confirms a package is installed. Cross-reference package.json to catch packages referenced in code but never declared as dependencies.

Security and Code Review Blind Spots

The model may generate queries vulnerable to SQL injection, expose environment secrets in error responses, skip authentication checks on new endpoints, or use insecure defaults. These are not hypothetical risks. Integrate static analysis tools such as ESLint security plugins like eslint-plugin-security, which catches common JavaScript security antipatterns; complement with dedicated database query review for SQL injection risks. Enforce mandatory human review for all authentication, authorization, and data access paths. Treat AI-generated code with the same scrutiny you would apply to code from a junior team member.

From Skeptic to Productive: The Implementation Checklist

Week 1: Setup and Exploration

  • Install Cursor IDE and configure model provider (Claude or GPT)
  • Create a .cursorrules file (plain text, not JSON) for your primary project
  • Install Claude Code via npm (npm install -g @anthropic-ai/claude-code) — verify the current package name at Anthropic's official documentation
  • Create a CLAUDE.md file in one active project
  • Install GitHub Copilot and gh CLI extensions (requires gh 2.0+ and an active Copilot subscription)
  • Run 3 exploratory prompts on non-critical code (refactoring, documentation, test generation)

Week 2: First Real Feature with AI

Pick something low-stakes. A utility module, a new set of CRUD endpoints, or a batch of missing tests. The goal is not to ship something impressive; it is to internalize the prompt-generate-review-refine loop on real code.

  • Identify a low-risk feature or module for AI-first development
  • Write a structured prompt with context, constraints, and output format
  • Generate the feature scaffold using Claude Code or Cursor Composer
  • Review every generated file line by line
  • Refine through 2 or 3 follow-up prompts
  • Write or generate tests and verify coverage

Week 3: Full Workflow Integration

  • Use the prompt, generate, review, refine loop for all new feature work
  • Track time-to-ship for AI-assisted features versus previous baseline
  • Integrate ESLint security plugins into the CI pipeline
  • Document prompt patterns that produce consistently good output

Start fresh contexts when conversations drift beyond two or three topics. A focused prompt with pinned files beats a long, wandering thread every time.

  • Start fresh contexts when conversations drift beyond 2 or 3 topics

Week 4: Measure and Optimize

  • Compare defect rate for AI-assisted code versus manually written code
  • Measure lines reviewed versus lines manually written
  • Identify which task types benefit most from AI (boilerplate, tests, CRUD) and which do not (algorithms, security)
  • Share findings with team and establish conventions for AI-assisted code review

Key Takeaways and Next Steps

The core mental model shift behind vibe coding: the developer becomes the architect and the AI becomes the builder. The developer defines what to build, sets the constraints, reviews every output, and makes the judgment calls that require understanding of the system as a whole. The AI handles the translation from intent to syntax.

This workflow amplifies existing skill. A developer who understands TypeScript type safety, REST API design, and error handling patterns will get better output from AI tools than someone who does not. Vibe coding does not replace expertise; it gives expertise higher leverage.

For further learning, the Claude Code documentation on Anthropic's developer site, the Cursor IDE documentation, and SitePoint's AI development tutorials provide deeper coverage of specific tools and techniques. The REST API tutorial above is designed to be a practical starting point. Try building it this week, measure how the process compares to a manual approach, and iterate from there. The gap between skepticism and daily use is exactly one real project.

Further Reading