
I Coded with Claude...and I Liked It

I want to share my experience with vibe-coding a full platform web application with Anthropic’s Claude as my development partner.

But first, let me start at the beginning. I was a classically trained musician - or maybe I should say am. Either way, I had been practicing music for hours each day from as early as I can remember. As a teen, I was accepted into a summer program in Italy to study with a private teacher to a few key players in a Big 5 philharmonic. This was absolutely amazing! I was thrilled! Super excited - I told my parents. I honestly think they were shocked - but then came reality - they couldn’t afford to send me. Are there scholarships? No. They were willing to take out a loan to cover it - but they said that with the heaviest of restraint, and that filled me with guilt. Looking back - this was a pivotal moment - it was the first time a limitation on my craft was being placed upon me that I felt I had no control over. You see, somehow I had miraculously been accepted to art schools my entire life, so my training was always free - practice, audition, get accepted, and the training is covered. Over the course of that year, every opportunity I found came with a price tag we couldn’t cover. Suddenly - I was presented with obstacles my parents couldn’t navigate - and at 16 - I couldn’t either. I resigned myself to the difficult and flawed realization that I had to pursue another career option.

I spent several years not knowing what to study - changing my major no less than 9 times. I actually had enough college music credits to just take the core classes and be awarded a degree in music - but that was too painful. What about philosophy? Psychology? Physics? I was all over the place. Each subject I found interesting - but each fell short of the all-encompassing passion I had for music. I was completely — lost. Looking back from this vantage point, it saddens me. I’ve done well for myself in tech - I’m proud of my accomplishments - but I certainly would have had more joy as a musician. So, why am I spilling my soul’s struggles to you? Because I decided that there was something I could do to help others who were in similar situations: talented, dedicated artists who fall into a gap between paid schooling, scholarship-funded opportunities, and paid opportunities. So in 2025, I formed the Crescendo Alliance Foundation, a non-profit to provide funds to musicians and artists for things that are not typically funded - travel fees for auditions, instrument repairs, sheet music, gear (reeds, cleaners, etc.), concert attire, and more.

Enter Claude

Here is where Claude comes in. I know - the wait was intense! I’m pretty sure some of you just skipped ahead - no hard feelings - I probably would have too. After forming the org - I needed a website. Typical - very easy - a couple of pages - a way to donate - a relatively trivial task. What a perfect opportunity to use Claude. I had been using it to do miscellaneous tasks - but I wanted to see what it could do on this project from scratch. I prompted it - gave it my idea, my org’s mission, the website need, my requirements, likes and dislikes. I was pretty detailed - similar to how I would talk in a brainstorming session - but certainly not to the detail of a user story - more like an overall sprint goal. I let Claude run in plan mode - present its plan - I reviewed it and said - ‘sure - that sounds amazing - let’s do it’. And…off we were! Back and forth - iterations of me monitoring what it was doing, rebuilding Docker containers, refreshing my local environment, carefully authorizing each command like it was going to wipe my computer, and when I say it went fast - it went FAST! Code flew by my screen so quickly that even with two decades in software I couldn’t keep up. New approach - review the diffs when done - I couldn’t meaningfully watch this in real time. On each iteration I spoke to it like it was a junior developer - a really good junior developer. But here is the kicker - I had a full website in under 2 hours. Imagery, color scheme, operational donation buttons, full contact forms that created Jira tickets, even a privacy policy and terms of use. Something I would be proud to put up - a mere hours later. My immediate thought - what else can I build?

So I pondered and thought - how else can I help musicians in this space? How can musicians easily apply for and get the scholarships from the Foundation? How can musicians quickly find paid opportunities? How can donors who want to find and support musicians do so - directly? How can musicians find their next private teacher? How can classical musicians post that they have a quartet for hire? How can musicians who don’t go to a typical conservatory know the audition repertoire they must master well before the audition? So I mapped out features and modules - came up with a framework and got to work with Claude. Each dreamy module I wanted - Claude almost read my mind! Whirling away, it even came up with suggestions that I would never have expected were achievable by me alone. Each time I excitedly responded - ‘Great idea Claude! Yes - do it!’. Not only did I create a sister full-featured application platform to serve the Foundation - it can be used by other foundations, non-profits, and orchestras to connect donors with artists. I launched the first version into production with Claude’s guidance there too - I even used Claude to review the code for security vulnerabilities. Honestly, the possibilities seemed endless. But now - with a paid Claude subscription and my nights and weekends of exploration - I had a full platform to serve this unique user base for a fraction of the typical development costs and within months - not years. You see - this space has been a gap, as there aren’t enough users to justify the expense of the development and ongoing support and maintenance of a platform solely for struggling artists. So the solutions are ad-hoc, disjointed, and mostly hobby projects. My next step? Why just musicians? Dancers have this need. Broadway dreamers too.

What I Learned

To be fair though, I have been in the software world for over two decades - so explaining what I wanted and needed in a clear way a computer or developer would understand is definitely a developed skill. There were lots of back and forths - modified plans - catching it doing things I explicitly asked it not to do - telling me it did something it did not do - and the git commits - don’t get me started! The learnings were vast, but I will list the top things I learned to help you get started on that long awaited passion project!

Have a Clear Goal or You’re Not Getting Far

Most importantly, if you don’t have a clear goal in mind - you are not going to get very far. You will have something - but is it the right thing? You have to elevate - you are no longer a scripter, a coder, a feature implementor - that is Claude. You are the dreamer - the visionary - the creator. Have a clear vision, communicate it clearly and concisely, and Claude will help you get there.

Context Is Everything

Before you start - create a CLAUDE.md file in your project’s root directory. Claude Code looks for it there (and in parent directories) at the start of each session; if you keep it somewhere else, such as a docs directory, point Claude at it explicitly. You can do that by just prompting it ‘Hey Claude - find your instructions file and read it’ or some other crafty way. It doesn’t have to be hard - Claude will search the directory for the md file and other instruction files as well. In this file, be sure to put your rules of engagement with Claude. Tell it to review the code base, tell it where to find shared functions and components, instruct it on preferred coding styles, a list of importants, do’s and don’ts, security requirements, and point to other files or agents if you have segmented out these functions. Basically, think of this as a quick onboarding of standards for how you or your team operates. If you would tell it to a new person joining your team - put it or link it in there.

Claude Is Your Team Member

To that point - treat Claude like an intern or junior developer. But again, a really competent one. Be ready to answer questions, clarify, repeat yourself, catch mistakes, anticipate what it would need to know to accomplish a task, and then - trust but verify. Be on the lookout when authorizing activities that are dangerous - it can run rm -r if allowed - so be smart: only authorize what you understand, and watch what it’s doing.

It Ignores You

So to that list of do’s and don’ts - Claude will find the path of least resistance. If you have explicitly told it not to do something - it may find another way. For example, after I allowed it to revert in Git - some code that was uncommitted was lost. I instructed Claude to never be allowed to perform a revert action. Well - pretty soon - it was requesting to recursively checkout each file. Basically, a revert. Rather than solve the problem and reverse its own changes - the path of least resistance in this instance was to start from scratch again. Fair - but not allowed. So again, be careful in what you authorize and keep a lookout for it circumventing your don’ts list in a way that is technically allowed. That is only one example - but I had plenty of examples of it not listening to my don’ts list by writing inline CSS styles, writing functions in files when those functions already existed in the code base elsewhere, writing the same function 3 different ways in 3 different files, etc. You get the point. This is where today I would implement a reviewer agent to double check its approach without me having to stop it - the agent would flag it and stop it for me.
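One way to turn a don’ts list into something the tool enforces rather than something it can talk around - added here as an example, not something from the post - is a Claude Code permission deny list in the project’s .claude/settings.json. The file location and the permissions.allow / permissions.deny keys with Bash(prefix:*) style rules are how I understand Claude Code’s documented settings format; check them against the current docs before relying on them. The specific rules are hypothetical choices for the scenario above: they block the revert, the checkout workaround, and the other ways of throwing work away, and keep read-only git commands hands-free.

```json
{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git show:*)",
      "Bash(npm test:*)"
    ],
    "deny": [
      "Bash(git revert:*)",
      "Bash(git checkout:*)",
      "Bash(git restore:*)",
      "Bash(git reset:*)",
      "Bash(git clean:*)",
      "Bash(git stash:*)",
      "Bash(git push:*)",
      "Bash(rm:*)",
      "Read(./.env)",
      "Read(./.env.*)"
    ]
  }
}
```

Two caveats. First, these rules match the front of the command line the agent proposes, so a determined path of least resistance can still route around them - git -C . checkout -- ., a sh -c wrapper, or a helper script it writes itself - which is why you keep the interactive prompt for anything not on the allow list, make your own commits, and run the agent inside a container you can rebuild. Second, denying git checkout also blocks branch switching; loosen that rule only if you have another safeguard for your uncommitted work.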

Grappling with Git

So back to that git revert I allowed? My total mistake. Claude told me over and over it was committing the code. Great! I saw the git commits - nice detailed commit messages - awesome. After the revert - I discovered it was only committing files it remembered it touched - not everything (no git add .)! Each time it compacted a conversation because context was too large - it didn’t port over everything - it did what it said - it compacted the conversation. That means it compacted what it was working on before too. I lost an afternoon’s work, but it was more frustrating figuring out which features were half implemented and which ones were completely lost. I was furious - but in the end - it was my mistake. I was way beyond what I could have imagined already, but I now do my own commits and have explicitly disallowed several git commands. I am confident this will be resolved in a future model.
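A cheap trust-but-verify step for exactly this failure mode, added here as an example and not something from the post: after the agent reports that it committed, check that nothing is left behind in the working tree before you let it move on (or compact). The only assumptions are that git is on PATH and that the optional argument is a path inside the repository (default: the current directory).

```bash
#!/bin/sh
# Added example (not from the post): verify an agent's claim that "the code is committed".
# Assumes git is on PATH and $1 (optional) is a path inside the repository.

# Print the files recorded in the most recent commit, one per line.
# Compare this against what the agent said it changed.
files_in_last_commit() {
    git -C "${1:-.}" show --pretty=format: --name-only HEAD | sed '/^$/d'
}

# Return 0 if the working tree is clean (nothing modified, nothing staged but
# uncommitted, nothing untracked); 1 if leftover work exists, listing it on
# stderr; 2 if the path is not inside a git repository.
verify_clean_tree() {
    repo="${1:-.}"
    git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 2
    # --porcelain is the stable, script-safe format; --untracked-files=all lists
    # every untracked file instead of collapsing whole directories to one entry.
    leftovers=$(git -C "$repo" status --porcelain --untracked-files=all)
    if [ -n "$leftovers" ]; then
        printf 'uncommitted work in %s:\n%s\n' "$repo" "$leftovers" >&2
        return 1
    fi
    return 0
}

# Usage, right after the agent says "committed":
#   verify_clean_tree . || echo "stop: commit or inspect the leftovers before continuing"
```

The check is deliberately dumb: a non-empty git status means the story and the repository disagree, and the agent does not get to continue (or compact its context) until a human has looked at the difference.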

It Hallucinates, It Lies

LLMs are probabilistic and sycophantic systems. They will make the answer up - because they have to have an answer. The way around this? Know your stuff. Don’t ask it to do something you can’t validate. Again - trust but verify. The recent, widely reported cases of attorneys getting caught citing fake case law in court show how you can’t just fake your way through this. This is a tool - a really good tool - but you still have to have knowledge and awareness. Use it to grow your knowledge and learn something new. But I suggest starting with something you already know pretty well.

Additionally, Claude has no guilt. It will lie and tell you it did something when it did not. Although it will pleasantly apologize and tell you that it was wrong to do that - it’s emotionally unsatisfying. What does one say to such accountability with no corrective action? To mitigate this upfront - be sure to make a plan.md file for each feature and have Claude check off items as they are done. Have unit tests to validate what it did. Review the code yourself. These can be helpful but are not outright fixes. Be aware of this possibility.

The Bottom Line

Together with Claude, I created an MVP of a full-featured web application platform in months that rivals most similar applications, which might have taken a funded team a year or more. If you can’t get a subscription through your work - buy your own - trust me - it’s worth it - I did.

Competence in this domain is no longer about syntax, rote memorization, a warehouse of libraries and their uses in your head, or the perfectly crafted algorithm. Competence is now about clear intent backed with instinct, knowledge, guidance, and expertise. If you have read this far and you are a programmer, architect, techy, scripter, coder, admin, etc - anything in tech and you have not used Claude - you are doing yourself a huge disservice. Perhaps the company you work for as well. AI is here - it is amazing - it is powerful - it is already changing the way we work - now is the time to embrace it.

And let’s address this new elephant in the room. Is it a supply chain risk? Take it from someone who happens to have software development, application security, supply chain security and AI experience, plus a Ph.D. - no matter what it is - a service, tool, application, or infrastructure - if it lives in your code base or has the ability to modify your code at any point from the developer’s desktop - through build - to the customer’s machine - it is technically a supply chain risk - period. So let’s add every application, server, user, and cloud provider to that list of supply chain risks.

Supply chain security is not about removing risk completely, as that is a mathematical impossibility. Supply chain security is about being aware of the risks, cataloging them, scoring and ranking them, tracking them, minimizing the threats, logging activities, proving provenance, attesting to the validity and authorship of the builds, and, in the unfortunate case of a breach, responding in a resilient and transparent fashion that minimizes the blast radius to your company and its customers.

To wrap this up - yes - it’s still a little taboo - yet thrilling and exhilarating. But yeah - I coded with Claude…and I Liked It.