Why AI-assisted coding is 10% of shipping software
I built the core of a media authenticity app in a weekend.
Firebase Auth. Cryptographic signing. Camera integration. Claude helped me write Go handlers. Cursor generated React components. The demo was chef's kiss.
I felt like a god.
Then I tried to deploy it. That's when I discovered what 963 commits of pain looks like.
The 90% Nobody Talks About
Here's what tutorials show you:
Idea → Code → "It works!"
Here's what production actually requires:
Idea → Code → Tests → Security → CI/CD → Infrastructure → Deploy → Monitor → Iterate
That arrow between "Code" and "Tests"? It took me 963 commits and nearly a year to cross.
I'm not exaggerating. Here's my actual git history.
The Real Journey (From My Git Log)
Commit #1: The Euphoria
fb5f2ea Initial project structure
8750a5c Implement core backend with cryptographic proof system
Two commits. Core functionality done. I felt invincible.
Commits #3-12: The Reality Check
f7d4886 Add Docker build and Cloud Build configuration
a965146 Add Docker build and Cloud Build configuration
Wait, why are there two commits for the same thing? Because the first one didn't work.
Then came the GitHub Actions saga:
8d21a90 Fix GitHub Actions: Add CLOUDSDK_CORE_PROJECT env var
383e76a Fix GitHub Actions: Use google-github-actions/auth@v2
8159c3f Fix GitHub Actions: Add export_default_credentials
Three separate commits just to get authentication working in CI. Each one felt like victory. Each one revealed another problem.
The Milestone That Mattered
23be044 ✅ Complete CI/CD pipeline working!
See that emoji? That's not decoration. That's relief. That commit represented weeks of wrestling with:
- Service account permissions
- Docker layer caching
- Environment variable injection
- Secrets management
The code itself? Maybe 200 lines. The debugging? Countless hours.
The Gaps AI Won't Vibe Through
Gap #1: CI/CD Is a Special Hell
AI can write your GitHub Actions workflow. It cannot debug why your workflow passes locally but fails in CI with a cryptic PERMISSION_DENIED error at 11pm when you just want to ship.
My repo has 30+ commits with "fix" and "CI" in the message. Each one taught me something documentation didn't.
Gap #2: Infrastructure Is Not Code
"Just use Terraform" they say. "Pulumi is easy" they say.
Sure. But first you need to:
- Set up GCP/AWS accounts and billing
- Configure service accounts with correct IAM roles (not too few, not too many)
- Create Artifact Registry for Docker images
- Maintain separate dev/prod environments that don't accidentally cross
- Wire up secrets management without committing
.envfiles - Configure custom domains and SSL certificates
Each bullet is a rabbit hole. None of them ship features.
Gap #3: Security Is Invisible Until It Isn't
c8b4a6d feat: Complete integration test infrastructure with production-ready authentication
That single commit message hides:
- JWT validation that actually validates
- Firebase Auth token verification
- Rate limiting (because someone will try to hammer your API)
- Security headers: CORS, CSP, HSTS
- Dependency vulnerability scanning
None of this was "vibed." All of it was required before I could sleep at night.
Gap #4: Cross-Platform Is Cross-Painful
5841cdb fix iPad create proof crash issue
e2b3ec8 android and universal link fixes
c7ff253 android fix like and bookmark
The app worked on my iPhone. And my Android test device.
iPads? Different aspect ratios broke the UI. Different memory constraints caused crashes. Different logs to hunt through.
"Works on my device" is the new "works on my machine."
What I Actually Extracted
After 963 commits, I did something I should have done earlier: I separated my business logic from everything else.
The "everything else" turned out to be around 15,000 lines of infrastructure code. A year of debugging distilled into config files and workflows.
Here's what's in there:
- GitHub Actions pipelines with security scanning (gosec, Trivy, govulncheck) — because I got tired of finding vulnerabilities in prod
- Pulumi infrastructure for Cloud Run, Firebase, and networking — because clicking through GCP console doesn't scale
- Environment separation that actually separates dev from prod — learned this one the expensive way
- Firebase Auth integration that handles edge cases — the "happy path" documentation doesn't mention
-
Structured logging with Zap — because
fmt.Printlnstops being funny in production - Health checks and graceful shutdown — for when Cloud Run decides to kill your container mid-request
- Docker builds with layer caching — because 15-minute builds break your flow
- Pre-commit hooks — to catch the problems I kept committing
The GitHub Actions workflows have comments explaining why certain approaches don't work. Those comments are my debugging sessions, preserved in code.
The Math
| Phase | What I Expected | What It Actually Took |
|---|---|---|
| Core features | 1 weekend | 1 weekend |
| CI/CD pipeline | 2 hours | 3 weeks |
| Infrastructure | A few days | 2 weeks |
| Security hardening | Add it later | 2 weeks |
| Testing | Manual is fine | 1 week |
| Monitoring | Console.log | 1 week |
Weekend project → 2+ months to ship properly.
Unless you start with production infrastructure.
The Repo
I open-sourced the whole thing: vibe-to-prod
It's the production infrastructure from my actual app with the business logic stripped out. Go backend, Next.js frontend, Pulumi IaC, GitHub Actions CI/CD, Firebase auth.
Will it save you 963 commits? No. You'll have your own debugging sessions, your own 2am "why doesn't this work" moments. That's how you actually learn this stuff.
But maybe it saves you the first 200.
The commit that started this: fb5f2ea Initial project structure. The commit count when I wrote this article: 963. The number of times I Googled "GitHub Actions PERMISSION_DENIED": countless.
Top comments (1)
👏