I’ve heard the stories: vibe coding with Claude, build an app over a weekend, etc. It finally dawned on me that I owed it to myself to try, so I picked a project I’ve been carrying around in my head for years and settled on a day when my wife was out of town.
That project is Artists Exchange, a open platform for artists anywhere in the world to find collaborators – kind of like Tinder for artists, but with a higher calling. A musician from the US travelling to Morocco wants to meet up with a musician there and collaborate on a new piece. A writer in Seoul is looking for a graphic artist anywhere in the world to do the illustrations for her children’s book. The collaborations can be within a discipline or across them; what matters is that the artists can find each other in the first place. The idea is not complicated, the execution is what kept it on the shelf all these years.
For background, I started my career as a developer, moved up through software engineering, and settled into cloud solutions architecture across the first fifteen years of my career. The last ten have been in cybersecurity and risk management. During the last three-plus, I have been learning AI – an MSc in AI/ML from Colorado State – then hands-on with models, agents, security, and now governance. I have been using AI as a daily tool since ChatGPT launched in November 2022, and I have not looked back since. It’s integrated into most of the corners of my professional and personal lives that involve producing anything.
About six months ago I tried Claude for the first time, and it’s now my primary creative AI, with ChatGPT, Gemini, NotebookLM, and a rotation of specialized tools alongside it. I know how systems are built and I know how to work with these models. I also know, honestly, that I do not have the skills to ship a modern, production-grade web app on my own – not at the depth that this stack demands simultaneously, and not in a day. The architect in me can draw the boxes, the developer in me moved on before half of those boxes existed.
So I sat down with Claude Code on a Saturday morning and started typing. The first two hours were just deciding then standing up the architecture, creating accounts, getting access keys, and answering prompt after prompt until there was a blank app deployed online. Two hours! The next hour was the behind-the-scenes work to get the domain pointed through Cloudflare on a free account, and by the end of that hour the app was live on the correct domain (which I am not sharing with the world yet). Then, over the next six hours, in between two workouts – with my laptop propped open on the treadmill on one of them while I ran a few miles – plus shopping, dinner, and watching TV, Claude and I added every feature needed to pass through Phases 1 and 2 of the eight phases laid out in our development plan.
In total, twelve hours after starting, Artists Exchange was live at its own domain! Real authentication integrated with Google IDs. Real profiles. Real avatars with the metadata stripped out before upload. A hundred seeded artists for testing purposes from fourteen regions across all twelve disciplines, with hand-curated names and heritages so the default cohort is not quietly Western. A homepage that matches collaboration calls to artists by discipline overlap. Favorites. Filters. A locked-down security posture underneath all of it that I would not be embarrassed to walk an auditor through.
The stack, for the curious:
- GitHub for source control and the project’s home
- Next.js 15 for the application framework
- Supabase for the database, authentication, and file storage
- Tailwind CSS + shadcn/ui for the design system and component library
- Cloudflare for DNS and edge protection
- Vercel for hosting and deployment
- Google OAuth for sign-in
- sharp for server-side image processing and metadata stripping
- next-intl for internationalization scaffolding
- next-pwa for progressive web app support
- gitleaks + lefthook for pre-commit secret scanning and hooks
After one of the most condensed productive twelve hours of my life, here are my observations:
The architect did not become unnecessary; the architect got a counterpart. Every database schema conversation I had ever had with ChatGPT (more than several fruitless chats over the last few years) produced suggestions I had to interrogate from scratch. Claude Code was different, it (he?) asked me my preferences, then made suggestions I almost always accepted, because the suggestions were good. It was not deferring to me and it was not steamrolling me. It was working with me at the level the work actually needed. The years I had spent stuck on schema decisions with ChatGPT collapsed into an afternoon, not because the decisions got easier, but because the conversation finally had two partner in it who could keep up with each other.
The skill I brought did not stop mattering; it shifted from typing to judging. Claude Code was extraordinary at execution and at the surfaces I have not touched in years – modern React patterns, current backend idioms, the security middleware dance, the image pipeline. It was not extraordinary at deciding what the product should be, what the threat model should cover, or what “ready for real users” actually means in this domain. Those decisions were mine, and they had to be mine. Twenty-five years of building and breaking systems did not become decoration. The work just stopped being keystrokes.
Vibe coding does not skip the hard parts; it compresses everything around them. Real bugs surfaced. A photo from an iPhone blew past a body limit and broke uploads. A disabled form input quietly stripped data on resubmission. A database permission rule that should have worked one way worked another, and we routed around it for now and wrote down why, because some day a feature is going to force the real fix. Those bugs got found because someone uploaded real photos and clicked real buttons. The compression makes QA the obvious bottleneck, which is roughly where it should have been all along.
Security is not a phase; it is the gate between phases. Before a single line of code was written, before Claude Code opened a file, I sat down with Claude – Claude Code’s digital sibling, the one built for thinking out loud – and worked up a full threat model. Attack vectors and threat actors named. A defense-in-depth plan that mapped controls to each layer of the stack, written down as a document that Claude Code would then reference, with reminders of the security elements that had to be in place before any phase could close. That document is the reason the strict CSP landed in Phase 1 and not “after launch.” It is the reason the audit log exists. It is the reason the avatar pipeline strips metadata before storage rather than after a complaint.
I cannot stress enough how important this step is, or how easy it is to put in place from the very beginning. The horror stories about vibe-coded apps with leaked databases and exposed buckets are not stories about AI failing. They are stories about the human skipping the part of the work that has always been the hard part, and AI cheerfully helping them skip it. Security is not what you bolt on at the end, it’s what you decide before you start, and then enforce at every gate.
The Democratization of App Development Has Begun
For twenty-five years the floor for shipping a decent web application was a team. Not a solo entrepreneur in a basement – a team, with a security person and a frontend person and a backend person and somebody who knew how to lock down user data and somebody who knew how to keep a browser from running code it should not. That floor is what kept most ideas from ever becoming products. Not laziness or lack of ambition, the floor.
Well, the floor just dropped. Not for me specifically – I had advantages, twenty-five years of context and a working threat model in my head before I opened the laptop. But the floor dropped for the painter who has an idea for a tool that helps painters, and for the teacher who has an idea for a tool that helps teachers, and for the thousands of people who have been carrying around an idea for a decade because the gap between “I see how this should work” and “I can ship this” was a team they did not have.
I think the world is about to get hit with millions of great ideas that would never have shipped before now. Some of them will be bad, most of them will be small, and quite a few of them will be the thing the founder would have spent ten years trying and failing to build the old way. With Claude Code and the tools that will follow it, the only thing holding someone back is themselves. The idea is the only thing that matters now. Building the website, building the app, shipping the product – that part has been democratized to anyone willing to give it a go.
I gave it a go on a Saturday – Artists Exchange is live and moving on to the next phase.
