🩹Vibe Code Fix

The Pre-Deploy Review: Ten Minutes, Every Push

The most valuable habit in a vibe-coding workflow isn't writing better prompts — it's putting a tiny review ritual between "code looks done" and "git push." Ten minutes, same steps every time. The cost is trivial. The payoff is that almost no regression ever reaches a user without you seeing it first. This page walks through the exact ten-minute routine that earns its keep every single push.

Minute 1-2: diff review, but backwards

Open your diff viewer of choice. Instead of reading what was added, read what was removed. Any red line the AI deleted gets a one-line sanity check: "did I want that gone?" Most of the time the answer is yes and you move on in seconds. The minority where the answer is "wait, why?" is where silent-deletion bugs hide. Reclaim what shouldn't have been touched before anything else.

Minute 3-4: grep for new imports

Every import added in the diff gets verified. Does the package actually exist on npm? Is it the version you meant? Is it the right name — not a typo-squatted neighbor? Run your package manager once to confirm the install graph is clean. Hallucinated imports are one of the cheapest bugs to prevent and one of the worst to ship.

Minute 5: secrets sweep

Grep the diff for strings that look like keys: "sk_", "pk_", "AIza", long random hex. If anything matches, decide whether it's a real secret or a placeholder. Real secrets in the diff get yanked immediately and the key gets rotated, not "I'll do it later" rotated — actually rotated. This is cheaper than finding it in a GitHub secret scanner email tomorrow.
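The sweep described above, as an added Node.js example that is not part of the original page: it scans only the added lines of a unified diff and reports the file and new-file line number of each match. The length thresholds in the patterns, the file names and the sample diff are assumptions constructed for illustration.

```javascript
// Key-like patterns named in the text; length thresholds are assumptions.
const PATTERNS = [
  { kind: "sk_/pk_ key", re: /\b[sp]k_[A-Za-z0-9_]{16,}/ },
  { kind: "AIza key", re: /\bAIza[0-9A-Za-z_-]{20,}/ },
  { kind: "long hex", re: /\b[0-9a-fA-F]{32,}\b/ },
];

// Scan only added lines of a unified diff; report file, new-file line number
// and a short preview, so the report itself never repeats the full value.
function sweepDiff(diffText) {
  const findings = [];
  let file = null, lineNo = 0;
  for (const line of diffText.split("\n")) {
    if (line.startsWith("+++ ")) {
      file = line.slice(4).replace(/^b\//, "");
    } else if (line.startsWith("@@")) {
      const m = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(line);
      if (m) lineNo = Number(m[1]) - 1;
    } else if (line.startsWith("+")) {
      lineNo += 1;
      for (const { kind, re } of PATTERNS) {
        const hit = re.exec(line.slice(1));
        if (hit) findings.push({ file, line: lineNo, kind, preview: hit[0].slice(0, 8) + "..." });
      }
    } else if (line.startsWith(" ")) {
      lineNo += 1; // unchanged context still advances the new-file counter
    } // "-" lines were removed by this diff, so they are not scanned
  }
  return findings;
}

// Constructed sample input: fake values, hypothetical file names.
const FAKE_KEY = "sk_live_" + "x".repeat(24);
const FAKE_HEX = "ab12".repeat(10);
const SAMPLE_DIFF = [
  "--- a/src/pay.js",
  "+++ b/src/pay.js",
  "@@ -10,3 +10,3 @@",
  " const stripe = require('stripe');",
  `-const key = "${FAKE_HEX}";`,
  `+const key = "${FAKE_KEY}";`,
  " module.exports = { key };",
  "--- a/config.js",
  "+++ b/config.js",
  "@@ -1,2 +1,3 @@",
  " const a = 1;",
  `+const salt = "${FAKE_HEX}";`,
  " module.exports.a = a;",
].join("\n");
console.log(sweepDiff(SAMPLE_DIFF));
```

Each finding still needs the human decision the routine calls for: real secret or placeholder.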

Minute 6-7: new endpoints and new SQL

Every new API route gets two questions: "can a random person call this without being logged in?" and "what happens if they pass someone else's ID?" Every new database query gets one question: "is any string from the request concatenated into the SQL?" These three checks, asked honestly every time, would have prevented most of the production incidents in the last year of shipping AI-assisted code.

Minute 8: null and empty

Scan the new code for property accesses and array methods on anything that came from a fetch, a database, or user input. Ask: "what does this do when the thing is null, undefined, or an empty array?" If the answer is "crash," add a guard. Takes seconds and removes the top class of runtime errors you'll see after launch.

Minute 9: run it

Actually run the happy path in a browser. Then pass one weird input — empty string, very long text, leading whitespace, emoji. Not a full test suite, just the five-second "does it still work when the user is slightly off-nominal?" check. This catches more real bugs than most people expect because AI-generated code is optimized for the example, not the edge.

Minute 10: the checklist pass

Open our Vibe Code Fix checklist and skim the items that match what this diff actually changed. New endpoints? Check the security category. New DB code? SQL injection and N+1. New UI? Loading state, error state, empty state. The checklist isn't meant to be run cover-to-cover every push — it's a menu you pick from based on what you touched. Ten minutes of this discipline is the cheapest insurance in vibe coding.
