Tendril — AI Lessons for Real Life

Tendril

The 10-Minute Security Check

Before a vibe-coded app leaves your laptop, check auth, database policies, secrets, file uploads, admin routes, rate limits, and public pages.

Name the job before naming the tool.

Write the smallest useful scope the agent can finish.

Run the result as a user, not as a fan of the tool.

Inspect the diff, data access, and failure path before sharing.

Audit this app for: exposed .env values, public Supabase tables, missing auth guards, public storage buckets, unsafe admin routes, unvalidated forms, no rate limits, and destructive actions without confirmation.Use this as the working prompt or checklist for the lesson.

What should the user be able to do when this is finished?

What data should the app or agent never expose?

What test proves the change works?

What rollback path exists if the output is wrong?

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-vibecoder-security-checklist-lite

A developer asks an AI to 'make this app secure.' What does the lesson recommend doing first?

Run multiple AI tools simultaneously to compare results
Ask the AI to generate a comprehensive security report
Skip the planning phase since AI handles security automatically
Define the specific security job before selecting a tool or prompt

When reviewing AI-generated code, what does 'smallest useful scope' refer to?

Completing the smallest security task that provides meaningful protection
Using the minimum number of security tools available
Writing the shortest possible code regardless of functionality
Limiting the app to only one user at a time

Why should security testing be done 'as a user, not as a fan of the tool'?

AI tools only work when complimented during the development process
Developers should never test their own code for security issues
Users have more technical knowledge than developers about security
Testing as a user reveals how the app behaves when someone tries to abuse it, not just when it works correctly

Which three areas does the lesson specifically list as part of a pre-deployment security check?

User interface, database speed, and API documentation
File uploads, admin routes, and network latency
Authentication, database policies, and color scheme
Authentication, secrets management, and file uploads

What is the 'diff' that should be inspected during security review?

The difference between the app's current and previous versions
The network traffic difference between local and production
The difference between the AI's training data and actual code
The visual difference between light and dark mode

What does it mean for a deployed feature to be 'observable'?

The feature has a visible user interface
The feature responds quickly to user requests
The feature generates logs that show who accessed what and when
The feature can be seen by all users on the internet

What does the lesson mean by saying a security change should be 'reversible'?

The change automatically reverts after 24 hours
The change requires no user action to implement
The change only affects temporary data
The change can be undone if it breaks functionality or introduces vulnerabilities

Why are admin routes particularly risky in web applications?

They provide privileged access that regular users should never reach
They consume more server resources than regular routes
They are visually ugly and hurt user experience
They cannot be cached by browsers

What problem does rate limiting primarily prevent?

Slow page loading times
Database storage limits being reached
Automated attacks that overwhelm services with requests
Users from accidentally submitting forms twice

When reviewing database policies, what should be the primary concern?

Whether users can access only the data they're authorized to see
The color of the database management interface
Database speed and query optimization
How many tables the database contains

In the context of AI-generated apps, why are 'secrets' a security concern?

AI always generates ugly secret URLs
AI cannot keep secrets from users
Secrets slow down application performance
Secrets like API keys and database passwords can be accidentally included in code that gets shared

What security risk is unique to file upload features in web applications?

File uploads always crash the database
Uploaded files are automatically visible to everyone
Users might upload executable code that runs on the server
Uploaded files cannot be downloaded

What is the 'failure path' in security testing?

The route users take when the website is down
The process of deleting user accounts
What happens when a user tries to access something they shouldn't
The code path that runs when the application crashes

Why should public pages be checked for security issues even though anyone can see them?

Public pages cannot have security issues
They might contain hidden admin links or exposed debugging information
Public pages are not important for security
Security testing on public pages wastes time

What does it mean that 'AI optimizes for it works unless you ask for it cannot be abused'?

AI automatically blocks all potential attacks
AI can only work with paid security tools
AI deliberately creates insecure code
AI defaults to making functional code, not secure code — security must be explicitly requested

The 10-Minute Security Check

Before a vibe-coded app leaves your laptop, check auth, database policies, secrets, file uploads, admin routes, rate limits, and public pages.

Name the job before naming the tool.

Write the smallest useful scope the agent can finish.

Run the result as a user, not as a fan of the tool.

Inspect the diff, data access, and failure path before sharing.

What should the user be able to do when this is finished?

What data should the app or agent never expose?

What test proves the change works?

What rollback path exists if the output is wrong?

End-of-lesson check

15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-vibecoder-security-checklist-lite

A developer asks an AI to 'make this app secure.' What does the lesson recommend doing first?

Run multiple AI tools simultaneously to compare results
Ask the AI to generate a comprehensive security report
Skip the planning phase since AI handles security automatically
Define the specific security job before selecting a tool or prompt

When reviewing AI-generated code, what does 'smallest useful scope' refer to?

Completing the smallest security task that provides meaningful protection
Using the minimum number of security tools available
Writing the shortest possible code regardless of functionality
Limiting the app to only one user at a time

Why should security testing be done 'as a user, not as a fan of the tool'?

AI tools only work when complimented during the development process
Developers should never test their own code for security issues
Users have more technical knowledge than developers about security
Testing as a user reveals how the app behaves when someone tries to abuse it, not just when it works correctly

Which three areas does the lesson specifically list as part of a pre-deployment security check?

User interface, database speed, and API documentation
File uploads, admin routes, and network latency
Authentication, database policies, and color scheme
Authentication, secrets management, and file uploads

What is the 'diff' that should be inspected during security review?

The difference between the app's current and previous versions
The network traffic difference between local and production
The difference between the AI's training data and actual code
The visual difference between light and dark mode

What does it mean for a deployed feature to be 'observable'?

The feature has a visible user interface
The feature responds quickly to user requests
The feature generates logs that show who accessed what and when
The feature can be seen by all users on the internet

What does the lesson mean by saying a security change should be 'reversible'?

The change automatically reverts after 24 hours
The change requires no user action to implement
The change only affects temporary data
The change can be undone if it breaks functionality or introduces vulnerabilities

Why are admin routes particularly risky in web applications?

They provide privileged access that regular users should never reach
They consume more server resources than regular routes
They are visually ugly and hurt user experience
They cannot be cached by browsers

What problem does rate limiting primarily prevent?

Slow page loading times
Database storage limits being reached
Automated attacks that overwhelm services with requests
Users from accidentally submitting forms twice

When reviewing database policies, what should be the primary concern?

Whether users can access only the data they're authorized to see
The color of the database management interface
Database speed and query optimization
How many tables the database contains

In the context of AI-generated apps, why are 'secrets' a security concern?

AI always generates ugly secret URLs
AI cannot keep secrets from users
Secrets slow down application performance
Secrets like API keys and database passwords can be accidentally included in code that gets shared

What security risk is unique to file upload features in web applications?

File uploads always crash the database
Uploaded files are automatically visible to everyone
Users might upload executable code that runs on the server
Uploaded files cannot be downloaded

What is the 'failure path' in security testing?

The route users take when the website is down
The process of deleting user accounts
What happens when a user tries to access something they shouldn't
The code path that runs when the application crashes

Why should public pages be checked for security issues even though anyone can see them?

Public pages cannot have security issues
They might contain hidden admin links or exposed debugging information
Public pages are not important for security
Security testing on public pages wastes time

What does it mean that 'AI optimizes for it works unless you ask for it cannot be abused'?

AI automatically blocks all potential attacks
AI can only work with paid security tools
AI deliberately creates insecure code
AI defaults to making functional code, not secure code — security must be explicitly requested