Topic
Building with AI tools, no-code, and the new vibe-coding workflow.
Mar 18, 2026 · 10 min read
Supabase Edge Functions run on Deno, not Node, and that changes everything. Here is when they beat Vercel API routes, when they cost you a week, and how the hybrid pattern actually works.
Read more
Mar 14, 2026 · 10 min read
The default Supabase auth emails look like phishing. Here is how to edit the templates, wire up custom SMTP, and align SPF, DKIM, and DMARC so confirmation mail actually lands in Primary.
Mar 11, 2026 · 9 min read
The eight Supabase settings that break Lovable-built apps in production: rate limits, SMTP, service role exposure, pooler mode, PITR, log retention, unused extensions, and network rules. Defaults and...
Mar 8, 2026 · 12 min read
Row-level security is where AI-built apps fail quietly. The mental model, six copy-paste policy patterns, and the pgTAP harness that runs in CI before you ship.
Mar 4, 2026 · 10 min read
What a fixed-scope AI code audit actually looks like: the five categories we check, what gets patched in the PR, what we flag for later, and what you pay for.
Mar 1, 2026 · 12 min read
Audit trail, access controls, encryption, backup policy, vendor review, SLAs. What SOC-2 actually costs, how fast it moves, and the six gaps AI-built MVPs always have.
Feb 26, 2026 · 9 min read
The four ways AI builders leak API keys, Stripe tokens, and database credentials, each with the fix we ship when WitsCode audits a vibe-coded app.
Feb 22, 2026 · 11 min read
The research behind the 40-62% vulnerability rate in AI-generated code, the Q1 2026 study showing 91.5% of vibe-coded apps ship with at least one flaw, and the four-practice testing loop that moves...
Feb 20, 2026 · 10 min read
When your AI-built app accepts user input into a prompt, you have a new attack surface. The five injection patterns we test for, and the defensive prompting rules we apply.
Feb 16, 2026 · 11 min read
Three real Supabase RLS failures we found on Lovable projects, with the corrected SQL and why each one shipped broken in the first place.
Feb 12, 2026 · 11 min read
The thirteen checks we run on every AI-generated codebase before it ships, and why the defaults Lovable, Bolt and v0 produce fail most of them.
Feb 9, 2026 · 11 min read
The 2026 Lovable incident was not a single bug. It was a structural failure that every vibe-coded app inherits. Here is the timeline, the cause, and the lessons to apply this week.
Feb 6, 2026 · 10 min read
Long Cursor sessions degrade because the context window fills with stale, contradictory, and hallucinated information. Here is the fresh-shell rule, the project-guide file discipline, and the...
Feb 2, 2026 · 11 min read
Cursor is editor-centric and interactive. Claude Code is terminal-first and agentic. Here is the task split that decides which to use, plus the hybrid workflow we run on large projects.
Jan 29, 2026 · 9 min read
The four Cursor anti-patterns that quietly wreck vibe-coded projects: over-editing, context rot, auto-applying suggestions, and prompt sprawl. How to spot each and the workflow change that fixes it.
Jan 27, 2026 · 11 min read
The full text of the .cursor/rules directory we install on every founder project. Safety, git, Supabase, and env guardrails that stop the disasters before they happen.
Jan 23, 2026 · 10 min read
Cursor can let a non-dev delete their production database in a single prompt. The rules file, terminal permissions, repo setup, and git discipline we require of every non-engineer founder we onboard.
Jan 19, 2026 · 9 min read
shadcn/ui components are fine in isolation, but v0 generates them without theming, accessibility review, or form integration. Walk through the four hardening steps we apply before shipping.
Jan 16, 2026 · 10 min read
v0 draws the frontend. You still need auth, database, API routes, deployment, and payments. A reality check for founders who think one v0 prompt ships a product.
Jan 13, 2026 · 10 min read
v0 ships with shadcn defaults. Sometimes you fight them and lose. Sometimes accepting them is the right call. The decision guide we use with design-forward clients.
Jan 9, 2026 · 10 min read
v0's opinionated Tailwind, shadcn, and CSS variable stack fights your existing codebase unless you harmonise. The three-step merge we run on client projects.
Jan 7, 2026 · 11 min read
v0 generates beautiful components but does not build apps. Walk through the bridge: scaffolding a Next.js repo, importing v0 components, wiring up routing, state, and data fetching. Templates...
Jan 3, 2026 · 10 min read
Five signals your Bolt project has outgrown the IDE, and exactly what to do before you hand it to a developer.
Dec 30, 2025 · 10 min read
Which platform generates code a developer can actually work with? Bolt leans idiomatic React and handoff friendly, Lovable leans non dev friendly but harder to hand off.
