Listen to this Post

Introduction:
The AI coding assistant hype cycle has run for 18 months, flooded with “10× productivity” claims that usually boil down to prototyping a todo app in four minutes. Real engineering work—auth migrations, distributed system bugs, production refactors—still takes hours, and the gap between theater and reality is where incidents happen. This article strips away the affiliate links and “vibe coding” nonsense to deliver a verified, security-aware cheatsheet for using Code as a chainsaw, not a screwdriver.
Learning Objectives:
- Implement project‑level memory with `CLAUDE.md` to replace fragile 12‑paragraph prompts.
- Configure Plan mode, permission hooks, and read‑only MCP servers to prevent catastrophic AI‑driven commands.
- Automate Code in CI/CD pipelines while avoiding common failure modes for crypto, migrations, and race conditions.
You Should Know
- CLAUDE.md Is the Law – Project Memory Always Wins
Most users paste long prompts every session. Senior engineers put 200 lines of stack conventions, gotchas, and architecture into `CLAUDE.md` at the repo root. reads this file first on every invocation, giving you persistent, version‑controlled context.
What this does:
Forces to obey project‑specific rules (e.g., “use `pgx` pool, never database/sql”, “all API errors must return RFC 7807”, “never suggest rm -rf”).
Step‑by‑step setup (Linux/macOS/WSL):
Navigate to your repo root cd /path/to/your-project Create CLAUDE.md with baseline rules cat > CLAUDE.md << 'EOF' Project: payment-gateway Stack: Go 1.23 + Postgres 16 + Temporal Security rules: - NEVER generate crypto primitives; use `crypto/ed25519` or `age` only. - All SQL migrations must be reviewed line‑by‑line. - Production commands require `ask` permission – see `./settings.json` Conventions: - Use `pkg/errors` with stack traces. - Logs must be JSON, level `info` minimum. EOF Verify loads it --version /init Forces re‑read of CLAUDE.md
Windows (PowerShell):
Set-Content -Path CLAUDE.md -Value @" Project: legacy-aspnet Stack: .NET 8 + SQL Server Security: - No inline SQL; always use Dapper or EF Core. - Secrets via Azure Key Vault only. "@
Pro tip: Place `./settings.json` in the same repo to enforce permission policies. Example:
{
"permissions": {
"bash": "ask",
"read": "allow",
"edit": "ask",
"rm": "deny"
}
}
2. Plan Mode Beats Auto Mode 9/10 Times
Auto mode (letting edit immediately) is fast and wrong. Plan mode (Shift+Tab in the terminal UI) forces read‑only thinking: outlines changes, explains trade‑offs, and asks for confirmation before touching a single file.
What this does:
Prevents “vibe bugs” – plausible but incorrect code that passes tests but breaks production invariants.
How to use it:
Start in default (interactive) mode Inside the chat, switch to Plan mode by pressing Shift+Tab You'll see [PLAN MODE] in the prompt. Now ask: "Refactor the retry logic in payment_processor.go – use exponential backoff with jitter." will output a plan without writing files: Analysis: current retry uses fixed delay, may cause thundering herd Proposed changes: 1. Add `backoff.go` with `func Exponential(maxSecs int)` 2. Modify `processor.go` lines 45-52 3. Unit test `backoff_test.go` Risks: existing integration tests assume fixed delay – will update them. Confirm? (yes/no/describe) Type "yes" – only then does apply edits.
Linux command to verify no invisible changes:
Watch filesystem for unexpected writes inotifywait -m -r --format '%w%f' ./src | while read file; do echo "[bash] $file changed at $(date)" done
Windows alternative:
Using FileSystemWatcher
$watcher = New-Object System.IO.FileSystemWatcher -Property @{
Path = '.\src'
IncludeSubdirectories = $true
}
Register-ObjectEvent $watcher "Changed" -Action { Write-Host "Changed: $($Event.SourceEventArgs.FullPath)" }
- MCP Servers: RPC with a Wrapper – Pick Three, Master Them
Model Context Protocol (MCP) servers let talk to external tools (GitHub, Postgres, Playwright). Half of `awesome-mcp` is demoware. Real senior engineers pick exactly three production‑ready servers and enforce read‑only DSNs.
What this does:
Gives structured access to your codebase, logs, and APIs without granting unbounded shell.
Step‑by‑step: configuring safe MCP
Install MCP for GitHub + Postgres (read‑only)
npm install -g @modelcontextprotocol/server-github @modelcontextprotocol/server-postgres
Set up Postgres read‑only user
psql -U admin -d yourdb -c "CREATE USER _ro WITH PASSWORD 'safe_pass';"
psql -U admin -d yourdb -c "GRANT CONNECT ON DATABASE yourdb TO _ro;"
psql -U admin -d yourdb -c "GRANT USAGE ON SCHEMA public TO _ro;"
psql -U admin -d yourdb -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO _ro;"
Configure ’s MCP settings (~/./mcp.json on Linux/macOS)
cat > ~/./mcp.json << 'EOF'
{
"mcpServers": {
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_xxxx" }
},
"postgres_ro": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-postgres"],
"env": { "PG_CONNECTION_STRING": "postgresql://_ro:safe_pass@localhost:5432/yourdb?sslmode=require" }
}
}
}
EOF
Verify MCP servers attach
--mcp-list
Security note: Never attach a writeable production database. Use a replica or read‑only user. For GitHub, use a token with `repo:read` and no `write:repo` scope.
- Hooks & Permissions – Safe by Default (Or Learn at 2am)
Letting run `rm -rf` unprompted is malpractice. Code supports pre‑tool hooks that audit, log, or block every bash, edit, or `rm` invocation.
What this does:
Creates an immutable audit trail and enforces “allow/ask/deny” per command pattern.
Step‑by‑step: enable hooks and deny dangerous commands
Create project‑level hooks directory
mkdir -p ./hooks
Hook that logs every bash command
cat > ./hooks/pre-bash.sh << 'EOF'
!/bin/bash
COMMAND="$1"
echo "$(date -Iseconds) | USER: $USER | CMD: $COMMAND" >> ./audit.log
Block rm -rf on any path
if [[ "$COMMAND" =~ "rm -rf" ]] || [[ "$COMMAND" =~ "rm -fr" ]]; then
echo "BLOCKED: recursive rm is not allowed" >&2
exit 1
fi
EOF
chmod +x ./hooks/pre-bash.sh
Configure to use the hook (in ./settings.json)
cat > ./settings.json << 'EOF'
{
"hooks": {
"pre-bash": "./hooks/pre-bash.sh"
},
"permissions": {
"bash": "ask",
"edit": "ask",
"write": "ask",
"rm": "deny"
}
}
EOF
Testing the hook:
Inside , try to run: rm -rf /tmp/foo You'll see: BLOCKED: recursive rm is not allowed And the audit.log will record the attempt.
Windows (PowerShell hook equivalent):
Create `./hooks/pre-bash.ps1` with `if ($args
-match "del /s") { exit 1 }` and set <code>"pre-bash": "powershell -File ./hooks/pre-bash.ps1"</code>.
<h2 style="color: yellow;">5. Headless Mode – in CI/CD Pipelines</h2>
` -p` (piped mode) runs non‑interactively, letting you insert AI‑generated scaffolding, code reviews, or log triage into your CI cron jobs – without a human babysitting.
<h2 style="color: yellow;">What this does:</h2>
Automates repeatable tasks: generate migration files, audit secrets in recent commits, or produce release notes from PR descriptions.
<h2 style="color: yellow;">Practical pipeline examples</h2>
<h2 style="color: yellow;">Linux / GitHub Actions:</h2>
[bash]
.github/workflows/-review.yml
name: Code Review
on: [bash]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install
run: npm install -g @anthropic-ai/-code
- name: Run security audit on new code
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_KEY }}
run: |
git diff origin/main...HEAD > pr.diff
-p "Review this diff for hardcoded secrets, SQL injection, and race conditions. Output only findings as markdown." < pr.diff >> review.md
- name: Post comment
run: gh pr comment ${{ github.event.pull_request.number }} -F review.md
Cron job for log triage (Linux):
!/bin/bash /etc/cron.hourly/-log-scan export ANTHROPIC_API_KEY="key" journalctl --since "1 hour ago" -u myapp | \ -p "Extract anomalies, error rates >5%, and potential security events. Output JSON." \ <blockquote> /var/log/-analysis.json
Windows Task Scheduler + PowerShell:
run--headless.ps1 $env:ANTHROPIC_API_KEY = "your-key" Get-EventLog -LogName Application -After (Get-Date).AddHours(-1) | Out-String | ` -p "Summarize critical errors and warnings. Format as table." ` | Out-File C:\logs-summary.txt
- When NOT to Use Code – The Slide Everyone Skips
Knowing when to close the laptop and write code yourself separates seniors from hype‑chasers. Code is catastrophic for these domains:
| Domain | Why fails | Safe alternative |
||-|-|
| Crypto / auth primitives | Model hallucinates constant‑time comparisons, nonce reuse, or side‑channel leaks | Use vetted libraries: libsodium, age, `crypto/tls` |
| Production migrations | Line‑by‑line correctness matters; AI reorders operations or drops constraints | Write by hand, test on replica, use `migrate` with checksums |
| Distributed systems (race conditions, consensus) | Pattern matching cannot infer state spaces; will suggest broken “fixes” | Formal verification (TLA+), deterministic simulation, or manual review |
| “Just refactor it” with no spec | Without bounds, creates 500‑line abominations that “work” for one test | Write a spec, add property tests, then use AI for small steps |
| When you’re tired | AI amplifies the driver’s fatigue – tired driver = tired bugs | Stop. Commit. Sleep. Review in morning. |
Step‑by‑step: safe migration workflow (without AI)
-- 1. Write migration manually (postgres) BEGIN; ALTER TABLE users ADD COLUMN api_version SMALLINT DEFAULT 2; UPDATE users SET api_version = 2 WHERE updated_at > '2025-01-01'; -- 2. Check every line -- 3. Test on staging with `ROLLBACK;` first -- 4. After staging OK, run in transaction on prod with backup ROLLBACK; -- dry run -- then COMMIT;
Command to validate migration idempotency:
Linux/macOS – run twice, should return same schema diff migrate -database "postgres://..." -path ./migrations up > first.txt migrate -database "postgres://..." -path ./migrations up > second.txt diff first.txt second.txt || echo "Migration is NOT idempotent – do not use AI for this"
What Undercode Say
- CLAUDE.md is non‑negotiable – without persistent project memory, every session starts from zero, guaranteeing inconsistent outputs. Version‑control it like you would a Dockerfile.
- Plan mode prevents “vibe bugs” – the 9/10 ratio comes from real production incidents where auto mode introduced subtle logic errors that tests missed. Make `Shift+Tab` muscle memory.
- MCP servers need the principle of least privilege – read‑only DSNs, scoped GitHub tokens, and demo‑ware filtering reduce the attack surface from 50+ servers to three you truly master.
- Hooks turn into a supervised junior dev – logging every `bash` command and blocking `rm -rf` creates an audit trail that catches both AI mistakes and insider threats.
- Headless mode is underused – CI integrations for log triage and PR review save hours weekly. But never pipe production `DELETE` statements to ` -p` without a human confirmation step.
- The “when NOT to use” list saves prod – crypto, migrations, and race conditions are where even senior engineers have to write the code themselves. AI amplifies risk when you’re tired or the problem is underspecified.
Analysis: The industry is drowning in “10× developer” claims that erode trust. This cheatsheet’s value is its anti‑hype stance: treating Code as a powerful but dangerous tool. The rise of AI‑generated code will inevitably increase the frequency of “vibe bugs” – plausible code that passes unit tests but fails under production load. Organisations that adopt permission hooks, mandatory Plan mode, and explicit “no‑AI zones” for crypto and migrations will have 10× fewer incidents than those chasing the productivity theater.
Prediction
Within 12 months, every major CI/CD platform will offer native “AI agent sandboxes” with immutable audit logs, read‑only MCP connectors, and pre‑baked policies that prevent `rm -rf` and production writes. Regulatory frameworks (PCI DSS v5, FedRAMP High) will explicitly require attestation that AI‑generated code was reviewed line‑by‑line for cryptographic and migration logic. The “10× developer” posts will give way to “0.9× incident reduction” metrics – and the engineers who mastered CLAUDE.md, Plan mode, and the “when NOT to use” slide will become the new security architects. The hype cycle is ending; the engineering cycle is beginning.
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Yildizokan Claude – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


