Five ways AI-written GitHub Actions workflows leak API keys, and the local-vault pattern that closes the gap on any runner.
bkit v2.1.13 adds Sprint Management on top of PDCA. One sprint wraps many feature loops, with eight phases, fourteen quality gates, and four auto-pause triggers that stop runaway AI sessions.
Karpathy retired "vibe coding." Anthropic's own study says its product made devs 17% worse at understanding. The hype isn't broken — the classroom is. A field essay on context engineering as the new literacy.
If a weekend with the right AI tools can ship a working product, what is the craft? An essay on juniors, CTOs, solo founders, and pyramids that are losing tenants — grounded in 29 days of Claude Code data.
Get Claude, ChatGPT, Gemini, and Perplexity to cite your app. Real retrieval pathways, JSON-LD that works, GEO numbers, and the MCP registry.
A Q1 2026 audit found 60%+ of vibe-coded apps ship API keys to public repos. Discipline isn't the fix — workflow is. The 60-second swap that ends it.
One founder plus Claude Code shipped 11 microservices to production in 9 days. The playbook is now bkit, a CC plugin. A case study and method.
3,514 messages, 28 days, 9 sprints shipped in a single session — the 4-layer context stack a solo founder uses so AI does the execution and the human still owns the call.
The 5% capturing AI value at scale redesigned roles, workflows, governance, data, and KPIs before picking a model. The 95% in pilot purgatory did not.
Every MCP server you install is a local process with access to your filesystem, network, and env. The threat model — and how to scope it before it costs you.
Vibe-coding peaks when the spec is written first. The minimum viable spec, why Claude Code rewards it more than other agents, and where it stops paying off.
Manage dev, staging, and prod secrets in a single encrypted vault — no cloud SaaS, no .env.staging files committed to git. A solo-dev workflow.
How a 12-word BIP-39 mnemonic lets a local-first secret vault survive a forgotten master password — without a cloud account or email reset.
Chatbots got good. Agents did not — not because the models aren't smart, but because the system around them isn't. Roles, responsibility, and why PDCA + L0–L4 control beats another model upgrade.
AI wrote your code. Now how do you ship it to the internet? A plain-language tour of client/server, frontend/backend, database, deployment, and the security gap most AI tutorials skip.
Plaintext .env files are a liability in the AI coding era. Here is why the AI-agent threat model changes the math, and what to replace .env with.
Why the workflow around Claude Code matters more than picking a bigger model. Harness engineering, bkit's PDCA, and L0–L4 trust-graduated automation.
bkit encodes PDCA methodology into Claude Code: Skills, Agents, Hooks, MCP, and a state machine with quality gates from plan to report.
A practical pattern for using Claude Code with real API keys without leaking them into the context window. Covers CLAUDE.md auto-generation, 'tene run --' subshell, and concrete Stripe / OpenAI examples.
The dotenv-vault Pro tier was discontinued in February 2026. Here is an honest side-by-side of the migration options — Doppler, Infisical, HashiCorp Vault, and tene — and a one-command path off the old product.
A hands-on tutorial: take an existing .env file, import it into an encrypted vault, and get your app running through runtime injection. No code changes needed.
A practical explanation of XChaCha20-Poly1305 and why tene picked it over AES-GCM for a local-first secret vault. No PhD required.
How to set up Cursor so API keys stay out of the AI context, using the .cursor/rules/tene.mdc file to teach the agent the safe pattern.
Doppler is a good product. This is not a hit piece. It is an honest walk through why a solo developer moved off it to a local-first vault — and why you might too, or might not.