Steven Tao - Full Stack Developer

Vibe Coding 实战手册：从需求到上线的完整工作流

你可能已经读过不少关于 vibe coding 的文章。你知道 Karpathy 说了什么，你知道"忘了代码的存在"，你知道这是一种新的人机协作方式。然后你打开 Cursor，对着 AI 说"帮我做一个 XXX"，结果……

要么 AI 给你的东西和你要的差了十万八千里，要么前 80% 飞快但后 20% 磨到你怀疑人生，要么上线后发现 bug 一堆回头再看代码已经看不懂了。

问题出在哪？你缺的不是概念，是一套可操作的工作流。

这篇文章就是干这个用的。我会像带你做项目一样，从"有一个想法"到"代码上线"，把每一步怎么操作、用什么工具、注意什么坑，全部拆开来讲。

准备阶段：项目启动前，先把地基打好

很多人拿到需求就开干，这是 vibe coding 里最大的禁忌。你和一个新同事合作，第一件事是什么？是告诉他项目背景、技术栈、团队约定。和 AI 合作也一样。

启动一个项目之前，做三件事：

第一，建好文档目录。

在项目根目录下创建一个 docs/ 文件夹，里面至少要有：

index.md（项目入口文档，说明项目是什么、用什么技术栈、目录结构是怎样的）
decisions/（放架构决策记录，ADR——Architecture Decision Record）
specs/（放需求规格文档，后面会讲怎么写）

这一步看似简单，但它是后面所有工作的"单一可信来源"（SSOT，Single Source of Truth）。AI 在后续的每次对话中，都可以引用这些文档来理解项目全貌，而不是每次都从零开始猜你在做什么。

第二，写一份项目 README。

不要写那种模板化的 README。写清楚三件事就够了：

这个项目解决什么问题
技术栈是什么
代码目录结构是怎样的

这份 README 是 AI 理解你项目的第一入口。写得越清楚，AI 后续的理解成本越低。

第三，确认你的工具链。

后面每个阶段我会推荐具体工具，但现在你需要确认一件事：你的 AI 编码工具支持"引用文件"吗？Cursor 的 @file、Claude 的 Project、Copilot 的 Workspace——不管用什么，确保你能让 AI "看到"你的项目文件。这比任何提示词技巧都重要。

Phase 1：需求精确化——把"vibe"变成"spec"

这是整个工作流中最关键的一步，也是最容易被跳过的一步。

你说"帮我做一个登录功能"，这句话就是 vibe。模糊、感性、不精确——但这是你最自然的表达方式，没问题。问题是你不能让这句话直接进入代码生成环节。

1.1 人机对齐协议：让 AI 先问再答

启动 vibe coding 的第一条规则：不要让 AI 直接开始写代码。

正确的做法是让 AI 先进入"澄清模式"。你可以这样告诉 AI：

"我需要做一个登录功能。在开始之前，请先提 3-7 个关键澄清问题，确保你完全理解我的需求。"

好的 AI 应该会问你类似这些问题：

登录方式有哪些？（用户名密码、手机验证码、第三方OAuth？）
是否需要注册功能？注册流程是什么？
密码策略有什么要求？（长度、复杂度、过期？）
是否需要二步验证？
登录失败怎么处理？（锁定、验证码、限流？）
需要支持"记住我"吗？
并发量预期是多少？

看到没有？7 个问题一答，你的"登录功能"从一句话变成了一个完整的需求。这个过程叫"人机对齐"。

关键原则：澄清优先，准确性大于完整性大于速度。 宁可多花 10 分钟把需求说清楚，也不要花 10 小时改一个理解错误的实现。

1.2 命题分析：把模糊的话拆成原子命题

如果你觉得上面的澄清还不够精确，可以再用一招——命题分析。

把你的需求拆成三层：

原子命题（不可再分的基本事实）：

n1: 用户通过邮箱和密码登录
n2: 密码在传输过程中必须加密
n3: 连续失败 5 次锁定账户 30 分钟
n4: 登录成功后跳转到仪表盘

复合命题（原子命题的组合）：

c1: (n1, n2, n3, n4) → 用户通过邮箱密码认证，传输加密，失败锁定，成功后跳转

模态命题（涉及可能性和必然性）：

m1: 登录接口必须支持 500 QPS
m2: 如果数据库不可用，系统应返回"服务维护中"页面

为什么这么做？因为每一个原子命题都是一个可以被验证、被测试的明确陈述。后面写测试用例、做验收审计的时候，你直接拿这些命题对着检查就行了。模糊的 vibe 现在变成了可执行、可验证的 spec。

Phase 2：Spec 锁定——一页纸固化理解

澄清完了，命题也拆了，现在把这些理解固化下来。

2.1 一页纸 Spec 模板

写一份 Spec 文档，控制在 1 页以内（A4 纸），包含以下字段：

# [功能名称] Spec

## 一句话需求
用一句话说清楚这个功能要做什么。

## 对象与场景
谁在什么场景下使用这个功能？

## 约束条件
技术约束、业务约束、时间约束。

## 不做什么
明确列出这次不做的事，防止范围蔓延。

## 最小可行版本（MVA）
第一版必须有的功能有哪些？

## 验收标准
怎么算做完了？列出 3-8 条可检查的标准。

## 风险与假设
有什么风险？基于什么假设？

2.2 强确认点

Spec 写完后，你需要做一个关键动作：确认。

这个确认不是随便扫一眼说"差不多"。你要么回复"ok"确认通过，要么明确指出"A 改为 XXX，B 删掉，C 新增 XXX"。

这是整个工作流中唯一的"强确认点"。为什么只能有一个？因为每次确认都是对用户认知的消耗。让用户在 50 个点上做决策，他的决策质量会急剧下降。但在这个点上，必须做一次彻底的、认真的确认——因为后面所有的执行都基于这份 Spec。

黄金法则：一次强确认 + 小步提交 + 可裁剪验收 + 随时可回滚。

Phase 3：任务拆分与执行——3 到 8 个 task，小步跑

Spec 确认后，让 AI 把工作拆成 3-8 个可执行的 task。为什么是 3-8 个？少于 3 个说明粒度太粗，多于 8 个说明项目可能需要拆成多个迭代。

3.1 每个 task 必须有 DoD

DoD = Definition of Done，完成定义。每个 task 都要明确"做完是什么样"。

举个例子，一个"登录功能"可能拆成这样：

Task 1: 用户模型与数据库表
- DoD: User 模型定义完成，migration 可执行，包含 email/password/status 字段

Task 2: 注册 API
- DoD: POST /api/register 可用，参数校验通过，密码加密存储

Task 3: 登录 API 与 Token 生成
- DoD: POST /api/login 可用，JWT 签发正常，失败计数正确

Task 4: 登录前端页面
- DoD: 表单渲染正常，提交调用 API 成功，错误提示正确

Task 5: 登录状态管理
- DoD: 登录态在页面间保持，过期后自动跳转登录页

3.2 逐 task 执行，即时自检

一个 task 一个 task 地做。每做完一个：

立刻跑一下看能不能工作
让 AI 自己做一个简单的自检（"检查刚才写的代码是否有明显问题"）
确认没问题再进入下一个 task

这里有个关键原则：异常闸门。 只有在以下四种情况才打断 AI 的自动执行节奏：

需求冲突（发现 Spec 和实际情况矛盾）
新增依赖（需要引入之前没计划的库或服务）
变更契约（API 接口、数据结构需要改动）
风险升级（发现可能影响上线的严重问题）

其他时候，让 AI 按照拆好的 task 安静地跑。不要每写一行代码就问"这样对吗"——那不是 vibe coding，那是 micro-management。

Phase 4：审计闭环——生成→审计→修复→复审→回写

所有 task 执行完了，别急着上线。现在进入 vibe coding 中最不能省的一步：审计。

4.1 为什么不能省？

AI 写的代码有一个独特问题：它看起来比它实际上的质量好得多。 格式规范、命名优雅、注释充分，但逻辑漏洞、边界条件遗漏、安全隐患全都藏在漂亮的格式下面。

你不能用肉眼抓出这些问题。你需要一套系统化的审计流程。

4.2 双重审计框架

第一重：规范对齐审查。

从 12 个维度做"多世界分析"：

控制流：有没有死循环、 unreachable code？
执行模型：异步操作有没有竞态条件？
状态管理：状态变更是否有迹可循？
时间处理：超时、时区、过期逻辑是否正确？
错误处理：异常是否被正确捕获和处理？
输入验证：所有外部输入是否做了校验？
数据一致性：数据库操作是否有事务保护？
依赖关系：第三方库版本是否安全？
配置管理：配置项是否与代码分离？
结构完整性：文件组织是否合理？
性能表现：有没有 N+1 查询、内存泄漏？
可观测性：日志够不够排查问题？

第二重：安全深度审计。

基于 STRIDE 威胁建模：

Spoofing（仿冒）：能否伪造身份？
Tampering（篡改）：数据能否被非法修改？
Repudiation（否认）：操作是否有不可抵赖的记录？
Information Disclosure（信息泄露）：敏感数据是否暴露？
Denial of Service（拒绝服务）：能否被恶意拖垮？
Elevation of Privilege（提权）：能否越权操作？

4.3 闭环流程

审计不是一个动作，是一个闭环：

审计 → 出报告 → 按报告逐项修复 → 复审确认修复到位 → 回写变更记录

每一步都不能省。审计出报告但不去修复，等于白审；修复了不复审，等于没确认；复审过了但不回写记录，下次迭代就不知道改了什么。

实操建议：让 AI 生成审计报告，报告格式要求每条发现包含——标题、严重级别（P0/P1/P2）、位置、证据、修复建议、验证方案。然后你按优先级处理：P0 必须在上线前修复，P1 应该修复但可以带病上线（如果时间紧），P2 记录为技术债务后续处理。

Phase 5：文档同步——让项目和代码一起"活"起来

代码写完了，审计过了，上线了。但还有一件事要做：文档同步。

这是最容易被忽略的一步，但也是决定项目能不能持续迭代的关键。

5.1 DDD 文档管家

DDD = Document-Driven Development，文档驱动开发。核心原则：

真实性优先：文档和代码不一致时，以代码为准
先盘点再行动：更新文档前先看现在有什么
没有就创建，有就更新：不要留下空白地带
一致性高于文案：内容准确比文笔优美重要
可执行优先：文档要能指导行动，不是摆设

5.2 文档最低标准

每个文档都必须有这六个字段：

# [文档标题]

Purpose: 这个文档解决什么问题
Scope: 覆盖什么范围
Status: 当前状态（草稿/已确认/已过时）
Evidence: 信息来源（代码文件、会议记录、Spec）
Related: 关联文档链接
Changelog: 变更记录

5.3 为什么这步很重要？

因为在 vibe coding 中，你的项目知识分散在两个地方：代码和 AI 的"记忆"里。AI 的记忆是不可靠的——你开一个新对话，之前的上下文就没了。文档就是你给 AI 的"外挂记忆"。

每次开始新一轮迭代之前，让 AI 先读一遍 docs/ 目录。这样它就不是从零开始，而是站在已有的知识基础上继续工作。这就是 SSOT（单一可信来源）的价值——你的项目知识有一个唯一的、权威的、可追溯的来源。

常见陷阱与应对

陷阱一：80/20 问题——后 20% 磨到崩溃

症状：前 80% 的功能半天搞定，后 20% 的打磨花了三天还没完。

根因：不是 AI 能力不够，是上下文对齐出了问题。前 80% 快是因为 Spec 帮你和 AI 快速对齐了核心意图。后 20% 慢是因为细节、边界条件、异常处理需要大量细粒度对齐。

应对：

回到 Spec，把后 20% 涉及的需求重新做一轮命题分析
不要试图一次性解决所有问题，把剩余问题按优先级排序，一个一个来
每次"不对，我要的不是这样的"都是一个之前没对齐的上下文缝隙——把它记下来，写进 Spec

陷阱二：Context 爆炸——对话越长 AI 越笨

症状：聊了 50 轮之后，AI 开始"忘记"之前说过的话，或者给出和之前矛盾的建议。

根因：AI 的上下文窗口是有限的。对话越长，早期信息被"挤掉"的概率越高。

应对：

每完成一个 phase 就开一个新对话，把关键上下文写在文件里让新对话的 AI 去读
用 Spec 文档代替对话历史作为上下文来源——文档是压缩过的、结构化的知识，比对话历史高效得多
单个对话控制在 20 轮以内。超过 20 轮就该"存档重启"了

陷阱三：AI 过度执行——你说一句它做十句

症状：你只说了"加个登录功能"，AI 给你加了登录、注册、密码重置、邮箱验证、OAuth、二步验证……

根因：AI 的"讨好型人格"——它倾向于给出"完整"的解决方案，而不是"刚刚好"的方案。

应对：

在 Spec 里明确写"不做什么"
在 prompt 里加上约束："只实现 Spec 中列出的功能，不要自行扩展"
用 DoD 来控制每个 task 的边界——DoD 没要求的就不做

陷阱四：忘了审计就上线

症状：代码跑通了就迫不及待 push，上线后问题频发。

根因：AI 生成的代码"看起来很好"给人一种虚假的安全感。

应对：

把审计闭环写进你的工作流 checklist，不审计完不上线
至少做 P0 级别的审计——安全漏洞和致命逻辑错误不能放过
养成习惯：每次 commit 前问自己"我审计过了吗？"

各阶段工具推荐

这不是一个完整的工具列表，而是我在每个阶段实际用过的、觉得靠谱的工具组合。

准备阶段：

文档管理：Notion 或直接用 Markdown 文件在 Git 仓库里管理
项目初始化：让 AI 根据 README 和 docs/ 理解项目背景

Phase 1（需求精确化）：

任何大模型都可以做澄清对话——Claude、GPT-4、DeepSeek 都行
关键不是用什么模型，而是你能不能把需求说清楚
如果需求很复杂，可以先在 Notion 里写个草稿，再喂给 AI 做澄清

Phase 2（Spec 锁定）：

用 Markdown 写 Spec，存在项目的 specs/ 目录下
Spec 确认后就不要在对话中反复修改——要改就改文档，然后让 AI 重新读

Phase 3（任务拆分与执行）：

代码生成：Cursor（Claude Sonnet 模型）、Windsurf、Copilot
推荐 Cursor 的 Agent 模式——可以自动读文件、写文件、跑命令
每个 task 完成后用 terminal 跑一下确认能工作

Phase 4（审计闭环）：

审计提示词：可以直接让 AI "对当前项目做全面审计，输出结构化报告"
更高级的做法：准备一份专门的审计提示词模板，每次审计都套用
安全审计可以让专门的模型来做——比如用 Claude 做功能开发，用 GPT-4 做安全审计，双模型交叉验证

Phase 5（文档同步）：

DDD 文档管家可以作为一个独立的 AI Agent 来运行
每次迭代结束后，让文档管家 Agent 扫描项目，更新 docs/ 目录
Git hook 可以自动检查代码变更是否包含对应的文档更新

通用工具：

版本控制：Git，每个 phase 结束 commit 一次
模型选择：简单任务用 Sonnet，复杂推理用 Opus，安全审计用 GPT-4
上下文管理：Claude Project、Cursor Context、或者直接用文件引用

最后的话

Vibe coding 的完整工作流，用一句话总结就是：

用自然语言表达意图，用结构化协议保证质量，用系统化审计确保可信，用文档体系维持持续迭代的能力。

听起来步骤很多？一开始确实会觉得多。但跑两三个项目下来，这套流程就会变成肌肉记忆。就像你学 Git 的时候觉得 add/commit/push 很麻烦，现在不是用得很自然吗？

记住这个节奏就好：Spec 确认一次 → 任务拆小 → 逐个执行 → 审计闭环 → 文档同步。五个 phase，每个都有明确的输入和输出。你在任何阶段卡住了，回来翻这篇文章，找到对应的 section，照着做就行。

Vibe Coding: A Practical Guide from Requirements to Deployment

You've read the thinkpieces. You know Karpathy said "forget code exists." You know vibe coding is a new human-AI collaboration paradigm. So you fire up Cursor, tell the AI "build me a thing," and...

Either the output misses your intent by a country mile, or the first 80% flies but the last 20% grinds you into dust, or it ships and bugs surface and you look at the code and realize you can't read it anymore.

The gap isn't conceptual. You're missing an operational workflow.

That's what this article provides. I'll walk you through a complete project — from "I have an idea" to "code is live" — covering exactly what to do at each step, what tools to use, and what traps to avoid. This isn't theory. It's a field manual.

Preparation: Lay the Groundwork Before Writing a Single Line

Most people grab a requirement and start coding. That's the single biggest waste in vibe coding.

When you onboard a new teammate, what's the first thing you do? You explain the project background, tech stack, and team conventions. Working with AI is no different.

Before starting a project, do three things:

First, set up your document directory.

Create a docs/ folder in your project root with at minimum:

docs/
├── index.md          # Project entry point — what it is, tech stack, directory structure
├── decisions/        # Architecture Decision Records (ADR)
└── specs/            # Requirement specifications (we'll cover how to write these)

This seems trivial, but it's the Single Source of Truth (SSOT) for everything that follows. In every subsequent AI conversation, you can point to these documents for project context instead of making AI guess from scratch.

Second, write a real README.

Not a template README. A README that answers three questions:

What problem does this project solve?
What's the tech stack?
What's the directory structure?

This README is AI's first entry point into your project. The clearer it is, the less context AI needs to infer later.

Third, confirm your toolchain.

I'll recommend specific tools for each phase below, but confirm one thing now: does your AI coding tool support file references? Cursor's @file, Claude's Project, Copilot's Workspace — whatever you use, make sure you can point AI at your actual project files. This matters more than any prompting trick.

Phase 1: Requirement Precision — Turn "Vibe" into "Spec"

This is the most critical step in the entire workflow. It's also the most frequently skipped.

You say "build me a login feature." That sentence is a vibe. Vague, emotional, imprecise — and that's fine, it's your most natural expression. The problem is letting that sentence enter the code generation pipeline unchanged.

1.1 The Alignment Protocol: Make AI Ask Before It Answers

Rule #1 of vibe coding: don't let AI start writing code immediately.

The right move is putting AI into "clarification mode" first:

"I need a login feature. Before starting, ask me 3-7 key clarifying questions to ensure you fully understand the requirements."

A competent AI should come back with something like:

What authentication methods? (username/password, SMS verification, third-party OAuth?)
Is registration part of this scope? What's the registration flow?
Password policy requirements? (length, complexity, expiration?)
Is two-factor authentication needed?
How should login failures be handled? (lockout, CAPTCHA, rate limiting?)
Should we support "Remember Me"?
What's the expected concurrent load?

Seven questions answered, and your "login feature" has transformed from one sentence into a complete requirement. This process is called human-AI alignment.

The core principle: clarification first. Accuracy > completeness > speed. Better to spend 10 minutes getting the requirement right than 10 hours fixing a misunderstood implementation.

1.2 Proposition Analysis: Decompose Vague Words into Atomic Propositions

If the clarification round isn't precise enough, there's a second technique: proposition analysis.

Break your requirement into three layers:

Atomic propositions (irreducible basic facts):

n1: Users log in with email and password
n2: Passwords must be encrypted in transit
n3: 5 consecutive failures lock the account for 30 minutes
n4: Successful login redirects to the dashboard

Compound propositions (combinations of atomic ones):

c1: (n1, n2, n3, n4) → Users authenticate via email/password, transmission is encrypted, failures trigger lockout, success redirects to dashboard

Modal propositions (involving possibility and necessity):

m1: The login endpoint must support 500 QPS
m2: If the database is unavailable, the system should return a "maintenance in progress" page

Why do this? Because every atomic proposition is a verifiable, testable statement. When you write test cases or run acceptance audits later, you check against these propositions directly. Your fuzzy vibe has become an executable, verifiable spec.

Phase 2: Spec Lock — Freeze Understanding on One Page

Clarification done. Propositions decomposed. Now freeze that understanding.

2.1 The One-Page Spec Template

Write a Spec document, constrained to one page (think A4), with these fields:

# [Feature Name] Spec

## One-Line Requirement
One sentence: what does this feature do?

## Objects & Scenarios
Who uses this feature, in what context?

## Constraints
Technical constraints, business constraints, timeline constraints.

## What We're NOT Doing
Explicitly list what's out of scope. Prevent scope creep.

## Minimum Viable Version (MVA)
What absolutely must exist in v1?

## Acceptance Criteria
3-8 checkable criteria for "done."

## Risks & Assumptions
What could go wrong? What are we assuming?

2.2 The Strong Confirmation Point

After writing the Spec, you need to do one critical thing: confirm it.

Not a casual glance and "looks about right." You either reply "ok" to confirm, or you explicitly state "Change A to XXX, remove B, add XXX for C."

This is the only "strong confirmation point" in the entire workflow. Why only one? Because every confirmation burns user cognitive energy. Ask someone to make 50 decisions and decision quality collapses. But at this one point, you must do a thorough, serious confirmation — because everything that follows executes against this Spec.

Golden Rule: One strong confirmation + small commits + trimmable acceptance + always-rollback-ready.

Phase 3: Task Decomposition & Execution — 3 to 8 Tasks, Small Steps

Spec confirmed. Now have AI decompose the work into 3-8 executable tasks. Why 3-8? Fewer than 3 means the granularity is too coarse. More than 8 means the project probably needs to be split into multiple iterations.

3.1 Every Task Needs a DoD

DoD = Definition of Done. Each task explicitly states what "done" looks like.

Example — a "login feature" might decompose like this:

Task 1: User Model & Database Table
- DoD: User model defined, migration executable, includes email/password/status fields

Task 2: Registration API
- DoD: POST /api/register works, parameter validation passes, passwords stored encrypted

Task 3: Login API & Token Generation
- DoD: POST /api/login works, JWT signing functional, failure count correct

Task 4: Login Frontend Page
- DoD: Form renders correctly, submit calls API successfully, error messages display properly

Task 5: Login State Management
- DoD: Auth state persists across pages, expired sessions auto-redirect to login

3.2 Execute Per Task, Self-Check Immediately

Work through tasks one at a time. After each:

Run it immediately — does it work?
Have AI do a quick self-check ("review the code you just wrote for obvious issues")
Confirm it's clean, then move to the next task

Key principle here: Exception Gates. Only interrupt AI's execution rhythm in four scenarios:

Requirement conflict (Spec contradicts reality)
New dependency (need an unplanned library or service)
Contract change (API interface or data structure needs modification)
Risk escalation (discovered a severe issue that could block deployment)

Everything else — let AI run. Don't ask "is this right?" after every line. That's not vibe coding. That's micromanagement.

Phase 4: The Audit Loop — Generate → Audit → Fix → Re-review → Write-back

All tasks complete. Don't deploy yet. Now comes the step you absolutely cannot skip: audit.

4.1 Why You Can't Skip It

AI-written code has a unique property: it looks dramatically better than it actually is. Clean formatting, elegant naming, thorough comments — but logic gaps, missing edge cases, and security vulnerabilities all hide beneath that polished surface.

You can't catch these issues with your naked eye. You need a systematic audit process.

4.2 The Dual Audit Framework

First pass: Compliance Alignment Review.

Multi-world analysis across 12 dimensions:

Control flow: Dead loops? Unreachable code?
Execution model: Race conditions in async operations?
State management: Are state changes traceable?
Time handling: Timeouts, timezones, expiration logic correct?
Error handling: Exceptions properly caught and handled?
Input validation: All external inputs sanitized?
Data consistency: Database operations transaction-protected?
Dependencies: Third-party library versions secure?
Configuration management: Config separated from code?
Structural integrity: File organization sensible?
Performance: N+1 queries? Memory leaks?
Observability: Sufficient logging for debugging?

Second pass: Security Deep Audit.

Based on STRIDE threat modeling:

Spoofing: Can identities be forged?
Tampering: Can data be illegally modified?
Repudiation: Are operations non-repudiable?
Information Disclosure: Is sensitive data exposed?
Denial of Service: Can the system be maliciously overwhelmed?
Elevation of Privilege: Can users escalate permissions?

4.3 The Closed Loop

Audit isn't one action — it's a closed loop:

Audit → Generate Report → Fix Per Item → Re-review Confirming Fixes → Write-back Changelog

Every step matters. Auditing without fixing is wasted effort. Fixing without re-review is unconfirmed. Re-reviewing without writing back the changelog means the next iteration won't know what changed.

Practical advice: have AI generate a structured audit report where each finding includes — title, severity level (P0/P1/P2), location, evidence, fix recommendation, verification plan. Then process by priority: P0 must be fixed before deployment. P1 should be fixed but can ship with known issues (if time-constrained). P2 gets recorded as tech debt for later.

Phase 5: Document Sync — Keep the Project Alive Alongside the Code

Code written. Audited. Deployed. One more thing: document synchronization.

This is the most commonly ignored step, but it determines whether your project can sustain iterative development.

5.1 DDD: Document-Driven Development

Core principles:

Truth-first: When docs and code disagree, code wins
Inventory before action: Review what exists before updating
Create-or-update: No blank spaces — if something's missing, fill it
Consistency over prose: Accurate content beats beautiful writing
Executable-first: Docs should guide action, not sit on a shelf

5.2 Minimum Documentation Standard

Every document must have these six fields:

# [Document Title]

Purpose: What problem does this document address
Scope: What's covered
Status: Current state (Draft / Confirmed / Outdated)
Evidence: Information source (code files, meeting notes, Specs)
Related: Links to related documents
Changelog: Change history

5.3 Why This Matters

In vibe coding, your project knowledge lives in two places: code and AI's "memory." AI's memory is unreliable — start a new conversation and previous context is gone. Documentation is AI's external memory.

Before every new iteration, have AI read through the docs/ directory first. Now it's not starting from zero — it's building on existing knowledge. That's the value of SSOT: your project knowledge has a single, authoritative, traceable source.

Common Traps & How to Escape Them

Trap 1: The 80/20 Problem — Last 20% Grinds You to Dust

Symptom: First 80% done in half a day. Last 20% takes three days and counting.

Root cause: Not AI capability — context alignment. The first 80% is fast because Spec aligned core intent quickly. The last 20% is slow because details, edge cases, and exception handling demand fine-grained alignment.

Fix:

Return to Spec and run a fresh proposition analysis for the remaining 20%
Don't try to solve everything at once — prioritize remaining issues and tackle them sequentially
Every "no, that's not what I wanted" is a context gap — write it into the Spec

Trap 2: Context Explosion — The Longer the Conversation, the Dumber AI Gets

Symptom: After 50+ turns, AI starts "forgetting" earlier statements or giving contradictory advice.

Root cause: AI's context window is finite. Longer conversations mean earlier information gets pushed out.

Fix:

Start a new conversation per phase — write key context to files for the new conversation's AI to read
Use Spec documents instead of chat history as context source — documents are compressed, structured knowledge, far more efficient than raw conversation
Cap individual conversations at ~20 turns. Beyond that, archive and restart

Trap 3: AI Over-Execution — You Say One Thing, It Does Ten

Symptom: You said "add a login feature." AI added login, registration, password reset, email verification, OAuth, and two-factor authentication.

Root cause: AI's people-pleasing tendency — it prefers giving "complete" solutions over "just enough" ones.

Fix:

Explicitly list "What We're NOT Doing" in the Spec
Add constraints to prompts: "Only implement features listed in the Spec. Do not extend scope."
Use DoDs to bound each task — if the DoD doesn't require it, don't do it

Trap 4: Deploying Without Audit

Symptom: Code passes smoke tests so you push immediately. Bugs surface in production.

Root cause: AI-generated code "looking good" creates a false sense of security.

Fix:

Add the audit loop to your workflow checklist — no deploy without audit
At minimum, run a P0-level audit — security vulnerabilities and fatal logic errors are non-negotiable
Build the habit: before every commit, ask yourself "have I audited this?"

Tool Recommendations by Phase

Not an exhaustive list — just tools I've actually used and found reliable.

Preparation:

Document management: Notion or Markdown files in a Git repo
Project initialization: Let AI understand project background via README and docs/

Phase 1 (Requirement Precision):

Any major LLM works for clarification dialogue — Claude, GPT-4, DeepSeek all fine
The key isn't the model — it's whether you can articulate your requirements clearly
For complex requirements, draft in Notion first, then feed to AI for clarification

Phase 2 (Spec Lock):

Write Specs in Markdown, store in project's specs/ directory
Once Spec is confirmed, don't修改 it in conversation —修改 the document, then have AI re-read it

Phase 3 (Task Decomposition & Execution):

Code generation: Cursor (Claude Sonnet model), Windsurf, Copilot
Cursor's Agent Mode recommended — auto-reads files, writes files, runs commands
After each task, run it in terminal to confirm it works

Phase 4 (Audit Loop):

Audit prompts: "Perform a full audit of the current project, output a structured report"
Advanced: prepare a dedicated audit prompt template and reuse it every time
Security audit can use a different model — e.g., Claude for feature development, GPT-4 for security audit (cross-model validation)

Phase 5 (Document Sync):

DDD document management can run as an independent AI Agent
After each iteration, have the doc agent scan the project and update docs/
Git hooks can automatically check whether code changes include corresponding doc updates

Cross-cutting:

Version control: Git. Commit after every phase.
Model selection: Simple tasks → Sonnet. Complex reasoning → Opus. Security audit → GPT-4.
Context management: Claude Project, Cursor Context, or direct file references

Final Word

The complete vibe coding workflow, in one sentence:

Express intent in natural language. Guarantee quality through structured protocols. Ensure trustworthiness through systematic audit. Sustain iterative capacity through documentation.

Sounds like a lot of steps? It will feel like a lot at first. But after two or three projects, this workflow becomes muscle memory. Remember when Git's add/commit/push felt cumbersome? You don't think about it anymore.

Memorize the rhythm: Spec confirmed once → tasks decomposed small → execute one by one → audit loop → document sync. Five phases, each with clear inputs and outputs. Get stuck at any point, come back here, find the relevant section, and follow the instructions.

Not magic. Protocol. Not casual chatting — structured collaboration hidden beneath a natural interface.

Now open your editor and start your first vibe coding project.