What 963 Commits Taught Me About the 'Vibe to Prod' Gap

Arsene Muyen Lee — Sun, 04 Jan 2026 05:53:28 +0000

Why AI-assisted coding is 10% of shipping software

I built the core of a media authenticity app in a weekend.

Firebase Auth. Cryptographic signing. Camera integration. Claude helped me write Go handlers. Cursor generated React components. The demo was chef's kiss.

I felt like a god.

Then I tried to deploy it. That's when I discovered what 963 commits of pain looks like.

The 90% Nobody Talks About

Here's what tutorials show you:

Idea → Code → "It works!"

Here's what production actually requires:

Idea → Code → Tests → Security → CI/CD → Infrastructure → Deploy → Monitor → Iterate

That arrow between "Code" and "Tests"? It took me 963 commits and nearly a year to cross.

I'm not exaggerating. Here's my actual git history.

The Real Journey (From My Git Log)

Commit #1: The Euphoria

fb5f2ea Initial project structure
8750a5c Implement core backend with cryptographic proof system

Two commits. Core functionality done. I felt invincible.

Commits #3-12: The Reality Check

f7d4886 Add Docker build and Cloud Build configuration
a965146 Add Docker build and Cloud Build configuration

Wait, why are there two commits for the same thing? Because the first one didn't work.

Then came the GitHub Actions saga:

8d21a90 Fix GitHub Actions: Add CLOUDSDK_CORE_PROJECT env var
383e76a Fix GitHub Actions: Use google-github-actions/auth@v2
8159c3f Fix GitHub Actions: Add export_default_credentials

Three separate commits just to get authentication working in CI. Each one felt like victory. Each one revealed another problem.

The Milestone That Mattered

23be044 ✅ Complete CI/CD pipeline working!

See that emoji? That's not decoration. That's relief. That commit represented weeks of wrestling with:

Service account permissions
Docker layer caching
Environment variable injection
Secrets management

The code itself? Maybe 200 lines. The debugging? Countless hours.

The Gaps AI Won't Vibe Through

Gap #1: CI/CD Is a Special Hell

AI can write your GitHub Actions workflow. It cannot debug why your workflow passes locally but fails in CI with a cryptic PERMISSION_DENIED error at 11pm when you just want to ship.

My repo has 30+ commits with "fix" and "CI" in the message. Each one taught me something documentation didn't.

Gap #2: Infrastructure Is Not Code

"Just use Terraform" they say. "Pulumi is easy" they say.

Sure. But first you need to:

Set up GCP/AWS accounts and billing
Configure service accounts with correct IAM roles (not too few, not too many)
Create Artifact Registry for Docker images
Maintain separate dev/prod environments that don't accidentally cross
Wire up secrets management without committing .env files
Configure custom domains and SSL certificates

Each bullet is a rabbit hole. None of them ship features.

Gap #3: Security Is Invisible Until It Isn't

c8b4a6d feat: Complete integration test infrastructure with production-ready authentication

That single commit message hides:

JWT validation that actually validates
Firebase Auth token verification
Rate limiting (because someone will try to hammer your API)
Security headers: CORS, CSP, HSTS
Dependency vulnerability scanning

None of this was "vibed." All of it was required before I could sleep at night.

Gap #4: Cross-Platform Is Cross-Painful

5841cdb fix iPad create proof crash issue
e2b3ec8 android and universal link fixes
c7ff253 android fix like and bookmark

The app worked on my iPhone. And my Android test device.

iPads? Different aspect ratios broke the UI. Different memory constraints caused crashes. Different logs to hunt through.

"Works on my device" is the new "works on my machine."

What I Actually Extracted

After 963 commits, I did something I should have done earlier: I separated my business logic from everything else.

The "everything else" turned out to be around 15,000 lines of infrastructure code. A year of debugging distilled into config files and workflows.

Here's what's in there:

GitHub Actions pipelines with security scanning (gosec, Trivy, govulncheck) — because I got tired of finding vulnerabilities in prod
Pulumi infrastructure for Cloud Run, Firebase, and networking — because clicking through GCP console doesn't scale
Environment separation that actually separates dev from prod — learned this one the expensive way
Firebase Auth integration that handles edge cases — the "happy path" documentation doesn't mention
Structured logging with Zap — because fmt.Println stops being funny in production
Health checks and graceful shutdown — for when Cloud Run decides to kill your container mid-request
Docker builds with layer caching — because 15-minute builds break your flow
Pre-commit hooks — to catch the problems I kept committing

The GitHub Actions workflows have comments explaining why certain approaches don't work. Those comments are my debugging sessions, preserved in code.

The Math

Phase	What I Expected	What It Actually Took
Core features	1 weekend	1 weekend
CI/CD pipeline	2 hours	3 weeks
Infrastructure	A few days	2 weeks
Security hardening	Add it later	2 weeks
Testing	Manual is fine	1 week
Monitoring	Console.log	1 week

Weekend project → 2+ months to ship properly.

Unless you start with production infrastructure.

The Repo

I open-sourced the whole thing: vibe-to-prod

It's the production infrastructure from my actual app with the business logic stripped out. Go backend, Next.js frontend, Pulumi IaC, GitHub Actions CI/CD, Firebase auth.

Will it save you 963 commits? No. You'll have your own debugging sessions, your own 2am "why doesn't this work" moments. That's how you actually learn this stuff.

But maybe it saves you the first 200.

The commit that started this: fb5f2ea Initial project structure. The commit count when I wrote this article: 963. The number of times I Googled "GitHub Actions PERMISSION_DENIED": countless.

DEV Community: Arsene Muyen Lee