Vibe coding doesn't have to mean slop
A security scan of more than a thousand vibe coded production apps went around this week, and the people who already disliked the term finally had their numbers. The write-ups were not kind. Exposed secrets, missing authentication, the sort of holes a scanner turns up in an afternoon. The line doing the rounds was that vibe coders are gonna vibe code, which is a compact way of saying the speed itself is the disease.
I am not going to argue with the finding. A lot of vibe coded software really is that bad. If the only thing standing between a generated diff and your production branch is a quick read and a good feeling, you will ship secrets and broken auth eventually, because the model will hand you secrets and broken auth and it will look finished while it does it. I have watched it happen on my own screen. The output that reads as done and the output that is actually safe are not the same output, and nothing about generating code faster closes the distance between them.
But the scan measured the wrong thing, or rather it measured the only thing it could reach. A scanner reads the surface: what the code looks like once it already exists. It cannot see whether anything checked that code on the way in. That gap, between what a thing looks like and what was actually measured about it before it shipped, is the whole game. The surface signal is that the app runs and the demo works. The real signal is whether a gate you wrote, one that runs every single time, agreed to let the thing through. Vibe coding earns the slop reputation in exactly the places where the surface is the only signal anyone bothered to collect.
So here is what runs underneath the words you are reading right now, because this post is itself vibe coded, drafted by an agent and shipped through an AI orchestration pipeline I do not babysit. There are four layers between a draft and the live site, and not one of them is a human promising to be careful.
The first layer is the brief. Before anything gets written, the drafting agent loads a voice contract, a document that spells out what the post may and may not contain, so the constraints are in the room before the first sentence exists. The second layer is a commit hook, and this is the one with teeth. It greps every staged post for the things that must never ship: an em dash, a personal name, a vendor name sitting in the metadata where it does not belong, a marketing superlative. If it finds one, the commit dies with a filename, a line number, and the reason. Not a warning. A dead commit. I have had a draft rejected at that gate over a single character, and the right response is not to reach for the override. The right response is to fix the character.
The third layer is a validator that reads the post's metadata and refuses anything malformed: a missing field, a category that is not on the allowed list, an auto-shipped post that forgot to declare which real piece of work it is grounded in. The fourth layer is an audit that re-runs the entire set across the whole archive on a schedule, so a rule added today gets enforced backward against everything that already shipped. A few days ago that vendor-name gate caught a model's name that had drifted into a post title, where the rules say it cannot go. The draft was good. The gate did not care that the draft was good. It cared that a name was in the wrong place, and it held the ship until the name moved. That is the difference between vibe coded and slop, and on that day it was one word wide.
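One way to build the commit-hook gate and the metadata validator described above, as an added example that is not the site's own hook: the front-matter keys, the allowed category list, the blocked-name and vendor-name placeholders and the superlative pattern are all assumptions, and the sample post is constructed.

```python
import re, subprocess, sys
from pathlib import Path

BLOCKED_NAMES = ("Jane Doe",)     # constructed placeholder; the site's real list is not on the page
VENDOR_NAMES = ("AcmeModelCo",)   # constructed placeholder vendor name
SUPERLATIVES = re.compile(r"\b(best-in-class|world-class|revolutionary)\b", re.I)
ALLOWED_CATEGORIES = {"engineering", "process", "notes"}   # assumed allowed list

def parse_front_matter(lines):
    """Read the '---' delimited key: value block at the top of the post."""
    meta = {}
    if lines and lines[0].strip() == "---":
        for line in lines[1:]:
            if line.strip() == "---":
                break
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
    return meta

def check_post(filename, text):
    """Return (filename, line, reason) findings; an empty list means the gate passes."""
    lines, findings = text.splitlines(), []
    meta = parse_front_matter(lines)
    for field in ("title", "category", "auto_shipped"):
        if field not in meta:
            findings.append((filename, 1, f"missing metadata field '{field}'"))
    if meta.get("category") not in ALLOWED_CATEGORIES:
        findings.append((filename, 1, f"category {meta.get('category')!r} not on allowed list"))
    if meta.get("auto_shipped") == "true" and not meta.get("grounded_in"):
        findings.append((filename, 1, "auto-shipped post must declare grounded_in"))
    if any(v.lower() in meta.get("title", "").lower() for v in VENDOR_NAMES):
        findings.append((filename, 1, "vendor name in title"))
    for lineno, line in enumerate(lines, start=1):   # content checks cover metadata and body alike
        if "\u2014" in line:
            findings.append((filename, lineno, "em dash"))
        if any(name in line for name in BLOCKED_NAMES):
            findings.append((filename, lineno, "personal name"))
        if SUPERLATIVES.search(line):
            findings.append((filename, lineno, "marketing superlative"))
    return findings

# Constructed sample post that should die at the gate for four separate reasons.
SAMPLE_POST = ("---\ntitle: Notes on AcmeModelCo\ncategory: engineering\nauto_shipped: true\n---\n"
               "A revolutionary week.\nThanks to Jane Doe for the review.\n")
if __name__ == "__main__":  # pre-commit entry point: scan staged posts, block the commit on any finding
    staged = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                            capture_output=True, text=True, check=True).stdout.split()
    results = [f for p in staged if p.endswith(".md") for f in check_post(p, Path(p).read_text(encoding="utf-8"))]
    for filename, lineno, reason in results: print(f"{filename}:{lineno}: {reason}", file=sys.stderr)
    sys.exit(1 if results else 0)
```

Installed as `.git/hooks/pre-commit`, a non-zero exit is what kills the commit; every finding is printed with the file, the line and the reason before it does.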
None of this slows the writing down. The agent still drafts in about a minute. What changed is that the speed no longer reaches production unescorted. This is the move I would hand any vibe coder who is tired of the slop accusation: stop trying to be more careful, because careful does not scale and careful is the exact thing the scanner just proved you are not. Write the check instead. Encode the thing you are afraid of as a gate that runs without you, fails loud, and blocks the merge. A rule a machine enforces every time beats a rule a person remembers most of the time. Speed plus a gate is not slop. Speed with nothing watching is.
If you are shipping vibe coded work and you want it to survive the same scanners that just embarrassed a thousand apps, the answer is not to slow down, it is to put gates between the generation and the merge. Work with VibeKoded if you want a sparring partner on building the enforcement layer that keeps your speed and loses the slop.
The scan was right about one thing. Left unwatched, this way of building really does drift toward the mess they found. The reputation is earned. It is just not inevitable, and the thing that decides which way it goes is not how fast you write. It is whether anything gets to say no after you do.