Back to Blog
April 26, 20264 min read

Transcribing Isn't Building

A writer keeps finding vibe-coded apps that leak user data — without even looking for them. The builders aren't careless. They don't know the question exists.

An XDA Developers writer published something this week that should bother anyone shipping software: he keeps finding vibe-coded apps that leak user data, and he isn't even looking for them. They surface on their own, one after another, each built by someone who never bypassed a security measure — because they never knew the security question existed in the first place.

That distinction is the whole story. This is not negligence in the traditional sense. When you generate working software without understanding what it does, you aren't building; you're transcribing. And transcribed code carries every assumption and failure mode of whatever the model learned from, with none of the contextual judgment an engineer would apply. The gap is comprehension, not generation, which is why better models alone won't close it.

The mature counterexample this week came from Cloudflare. Their CI-native AI code reviewer does the tedious first pass — catching bugs, surfacing context, keeping merge queues moving — while engineers keep the judgment calls and the accountability. That design choice is the point. It captures the real productivity gain without hollowing out the layer that makes a codebase maintainable: people who understand what shipped and why.

My practical suggestion, if your team is adopting these tools: treat AI-generated code the way you treat a third-party dependency. You wouldn't vendor a random library into production without reading what it touches; the same standard applies to code you prompted into existence. Review gates and clear ownership aren't friction to be optimized away — they're the loan terms. Shipping fast without them is borrowing, and the vibe-coded data leaks we're reading about now are early repayments by people who didn't read the terms.

Elsewhere in a busy week: SpaceX secured an option to buy Cursor for sixty billion dollars, with a ten-billion-dollar fee if it walks away — the editor many of us live in is now a strategic asset, which is worth being clear-eyed about even if nothing changes tomorrow. Microsoft's C# Dev Kit team published a genuinely enjoyable deep-dive on replacing C++ Node.js addons with pure C# via Native AOT, and Ubuntu 26.04 now ships .NET 10 in its default archive — .NET keeps quietly becoming a first-class Linux runtime. And an experimental Rust-based compiler called Perry wants to compile TypeScript straight to native executables. Early days, but somebody is betting on TypeScript as a systems language, and I'll be watching.

The week's real lesson sits in the contrast, though. The tools are getting faster at producing code than we are getting at understanding it. Whatever your setup, make sure understanding is still somebody's job.

Sources