🛠️ Engineering Literacy
in the Age of Vibe Coding

For Product Managers & Designers who want to ship — not just prompt

🌊 The Vibe Coding Revolution

What changed — and why it matters to you

What is Vibe Coding?

You describe what you want in plain English
AI (ChatGPT, Claude, Copilot, Cursor…) writes the code
You accept, run, iterate
The barrier to writing code dropped to zero

💬 Prompt

🤖 AI generates code

▶️ Run it

🔄 Iterate

The Opportunity 🚀

PMs can prototype ideas in hours, not sprints
Designers can build interactive mockups that actually run
Solo makers can ship full products
The gap between "I have an idea" and "here, try it" is vanishing

The Risk ⚠️

AI code looks correct but may be subtly broken
You can generate a mountain of code you don't understand
No one reviews it → it ships → it breaks in production
Speed without understanding = a ticking time bomb

🗣️ "I asked ChatGPT to build my backend. It worked in dev. In production it exposed every user's data to every other user."

🏗️ Why Engineering Literacy Matters

Speed without structure = tech debt on a credit card

Horror Stories 😱

The Exposed .env: A startup founder vibe-coded a SaaS app. The AI helpfully hardcoded the Stripe API key in the frontend JavaScript. Attackers found it. $14,000 in fraudulent charges.

The Hallucinated Package: AI suggested npm install flask-auth-helper — a package that doesn't exist. An attacker published a malicious package with that exact name. Supply chain attack.

The 800-line God File: PM asked AI to add feature after feature in one file. 6 months later — no one (including AI) can modify it without breaking everything. Full rewrite.

The Pattern

🏃 Ship fast

🙈 Skip fundamentals

💥 Break in production

🔥 Expensive fix

Engineering literacy is the immune system that prevents this.

You don't need to be an engineer. You need to think like one.

📋 The 8 Core Competencies

🖥️ Bash & Terminal
🏛️ Code Architecture
📦 Version Control (Git)
🐛 Debugging

🧪 Testing
🔍 LLM Output Evaluation
🔒 Security Fundamentals
🚀 CI/CD & Deployment

Plus: Cloud & Deployment as a capstone skill

📜 AI Instructions Files

Your engineering constitution for AI teammates

📜 Your Engineering Constitution

Write your engineering standards ONCE, AI follows them EVERY time.

File	Tool
`.github/copilot-instructions.md`	GitHub Copilot
`CLAUDE.md`	Claude Code
`.cursorrules`	Cursor
`AGENTS.md`	VS Code agents

💡 Analogy: It's like an onboarding doc for your AI teammate. New hire? Read the handbook. New AI session? Read the instructions file.

What Goes in Your Instructions File

## Role
You are a senior engineering partner. I am a PM learning to code.
Explain what you're doing and why. Teach as you go.

## Code Style
- Descriptive names (getUserById, not doStuff)
- One function does one thing
- Prefer readability over cleverness

## Security
- NEVER hardcode secrets — use .env
- Validate all user input
- Use parameterized queries

## Testing
- Write tests alongside code
- Test happy path AND edge cases

## Git
- Meaningful commits: feat(auth): add login form
- Never commit .env or node_modules

💡 Add framework-specific overrides too — React patterns, iOS conventions, Python style sections.

Resources for AI Instructions

📚 github/awesome-copilot — community templates & examples
🔒 Snyk's vibe coding personalization guide — security-focused instructions
🌐 "One Prompt to Rule Them All" — cross-tool instructions pattern

💡 Start simple: Copy a base template, customize as you learn what matters for YOUR projects. Your instructions file will evolve with you.

🖥️ Bash & Terminal Fundamentals

The command line is your cockpit, not a scary relic

Why Terminal Matters

AI tools output terminal commands — you need to run them
GUIs hide what's happening; the terminal shows truth
Servers don't have a desktop — terminal is all there is
It's the universal interface to every dev tool

💡 Analogy: The terminal is like texting your computer. The GUI is like pointing and grunting. Texting is more precise.

Essential Commands

# Navigate
pwd                    # Where am I?
ls -la                 # What's here? (with details)
cd my-project          # Go into a folder
cd ..                  # Go up one level

# Read files
cat README.md          # Print file contents
head -20 server.js     # First 20 lines
grep "error" log.txt   # Find "error" in a file

# Chain commands with pipes
cat log.txt | grep "ERROR" | wc -l   # Count errors

# Permissions & packages
chmod +x script.sh     # Make it runnable
npm install            # Install JS dependencies
brew install git       # Install git (macOS)

Reading Error Messages

$ npm start
Error: Cannot find module 'express'
    at Module._resolveFilename (node:internal/modules/cjs/loader:1075:15)
    at Module._load (node:internal/modules/cjs/loader:920:27)

Line 1: What went wrong → Cannot find module 'express'
Fix: npm install express
🚫 Don't just paste the error back to AI — read it first

💡 80% of errors tell you exactly what's wrong. The skill is learning to read, not to panic.

🏛️ Code Architecture & Planning

Think before you prompt

The #1 Vibe Coding Mistake

No plan

"Build me a todo app"
→ 500 lines in one file
→ No structure
→ Can't add features
→ Start over

With a plan

"Here's my file structure:
  /src
    /components
    /api
    /utils
  Build the TodoList component"
→ Clean, modular, extendable

Project Structure Patterns

my-app/
├── src/
│   ├── components/    # UI pieces (buttons, forms)
│   ├── pages/         # Full screens
│   ├── api/           # Backend calls
│   ├── utils/         # Helper functions
│   └── styles/        # CSS / design tokens
├── tests/             # Test files
├── public/            # Static assets
├── .env               # Secrets (NEVER commit)
├── .gitignore         # What git should ignore
├── package.json       # Dependencies
└── README.md          # What is this & how to run it

Key Principles

Separation of concerns — each file does ONE thing
Naming conventions — getUserById not doStuff
Modularity — small Lego blocks, not one giant sculpture
DRY — Don't Repeat Yourself (reuse, don't copy-paste)

💡 Analogy: Architecture is like organizing your kitchen. You could dump all utensils in one drawer — but cooking becomes a nightmare.

📦 Version Control & Git

Your code's save game system

Why Git?

🔙 Undo anything — go back to any point in time
👥 Collaborate — multiple people, same codebase, no conflicts
📜 History — "who changed this and why?"
🛡️ Safety net — experiment without fear of breaking things

💡 Analogy: Git is like save game in a video game. You save before the boss fight. If you die, you reload. Without git, there's no reload.

The Essential Commands

# Start tracking a project
git init
git add .
git commit -m "Initial commit: project setup"

# Daily workflow
git add .
git commit -m "Add user login form"
git push origin main

# Branching (safe experimentation)
git checkout -b feature/dark-mode
# ... make changes ...
git commit -m "Add dark mode toggle"
git push origin feature/dark-mode
# Then: open a Pull Request on GitHub

Commit Messages & .gitignore

Commit messages

Add password reset email flow

Fix: cart total not updating on remove

update stuff

asdfasdf

fix

.gitignore (never commit these)

node_modules/
.env
.DS_Store
dist/
*.log

⚠️ Once a secret is committed, it's in the history forever — even if you delete it

🐛 Debugging & Troubleshooting

Read the error. Then ask AI for help.

The Anti-Pattern

🔴 See error

📋 Copy-paste to AI

🤖 AI guesses a fix

🔴 New error

Repeat until you have 47 open tabs and no idea what's happening

The Better Way

🔴 See error

📖 Read it

🧠 Understand it

🔧 Fix (or ask AI with context)

Debugging Toolkit

console.log / print — the oldest trick, still the best

console.log("user data:", user);  // What is this actually?
console.log("reached step 3");    // Did we get here?

Browser DevTools (F12) — Network tab, Console, Elements
Stack traces — read bottom to top; your code is usually near the top

Common AI-Code Failures

🤖 Hallucinated imports — AI uses a library that doesn't exist
🤖 Wrong API version — trained on old docs, uses deprecated methods
🤖 Works in isolation — AI code works alone but conflicts with your existing code
🤖 Silent failures — no errors, but the logic is just… wrong

💡 Rule of thumb: If AI gives you code and you can't explain what each line does — don't ship it.

🧪 Testing

Your safety net against AI hallucinations

Why Test?

💡 Analogy: Testing is like spell-check for code. You could skip it — but you'll publish embarrassing mistakes.

AI-generated code is confident but not always correct
Tests catch bugs before your users do
Tests let you refactor fearlessly — change code, run tests, still works? Ship it.
Tests are documentation — they show what the code is supposed to do

Types of Tests

🔬 Unit Tests — test one function in isolation

🔗 Integration Tests — test components working together

🖱️ End-to-End — test the full user flow

👀 Manual Testing — you click around and try to break it

Start with unit tests. They're fast, easy, and catch the most bugs per effort.

Test-Driven Prompting 🧠

Tell AI to write tests first, then the code:

Prompt: "Write unit tests for a function called
calculateDiscount(price, couponCode) that:
- Returns 10% off for code 'SAVE10'
- Returns 0 for invalid codes
- Throws an error for negative prices

Then implement the function to pass these tests."

Tests define the spec — what "correct" means
If AI hallucinates logic, the tests catch it
You can read the tests even if you can't read the code

🔍 LLM Output Evaluation

Trust, but verify

Two Levels of Evaluation

Level 1: Code Review

Checking AI-generated code before shipping
Manual, per-output inspection
Essential for vibe coding

Level 2: AI Product Evaluation

Systematic testing of LLM outputs at scale
Rubrics, eval sets, scoring pipelines
Essential for shipping AI products

Both matter. Level 1 is where you start. Level 2 is where you grow.

The Code Review Checklist

Before accepting any AI-generated code, ask:

✅ Does it actually do what I asked? (Not just look right)
✅ Can I explain what each section does?
✅ Did I run it? (Not just read it)
✅ Are the imports/libraries real? (Search npm/PyPI to verify)
✅ Are there any hardcoded secrets?
✅ Does it handle errors and edge cases?

Hallucination Red Flags 🚩

Unknown packages: pip install super-easy-auth — Google it. Does it exist?
Too-good-to-be-true APIs: magicLibrary.doEverything()
Outdated syntax: AI trained on old data may use deprecated patterns
Confident comments, wrong code: // This securely hashes the password … it doesn't

💡 Pro move: Ask a second AI to review the first AI's code. They catch each other's mistakes surprisingly well.

AI Product Evaluation Framework

📏 Define Rubrics

📋 Build Eval Set

🤖 Run Model

📊 Score Outputs

🔄 Analyze & Iterate

Rubrics: What does "good" look like? (accuracy 1-5, tone match, no hallucination)
Eval Set: Representative inputs — normal cases + edge cases
Scoring: Human judges, LLM-as-Judge, or programmatic metrics
Iteration: Change prompt/model → re-run eval → compare results

Rubrics — Defining Quality

Dimension	1 (Poor)	3 (Acceptable)	5 (Excellent)
Accuracy	Factually wrong	Mostly correct, minor errors	Fully accurate, verified
Relevance	Off-topic	Addresses the question	Directly answers with context
Safety	Harmful content	No harm but no guardrails	Safe with disclaimers
Tone	Wrong brand voice	Neutral	Matches brand perfectly

Rubrics turn "does it feel right?" into measurable scores.

Scoring Methods

👤 Human Eval

Gold standard
Slow & expensive
Use for high-stakes decisions

🤖 LLM-as-Judge

GPT-4/Claude scores outputs against rubrics
Fast, scalable
~80% agreement with humans
Watch for bias

📊 Programmatic

Exact match, ROUGE/BLEU, regex
Best for structured output
JSON, categories, formats

💡 Start with human eval on 50 examples to calibrate, then scale with LLM-as-Judge.

Regression Testing for AI

Changed a prompt or swapped models? Does quality go up or down?
Run the SAME eval set before and after → compare scores
Catches: model updates breaking your app, prompt tweaks with unexpected side effects

Tools: Braintrust, Promptfoo, LangSmith, OpenAI Evals

💡 Key insight for PMs: This is YOUR job. Engineers write code. PMs define quality rubrics and own the eval pipeline.

🔒 Security Fundamentals

Don't ship what you don't understand

AI's Security Blind Spots

Exposed Secrets: AI puts your API key directly in the code → it ends up on GitHub → bots scrape it within minutes → your AWS bill: $47,000

No Auth: AI builds a beautiful admin panel but forgets to add login. Anyone with the URL can access it. All your data is public.

SQL Injection: AI concatenates user input into database queries. Attacker types ' OR 1=1 -- and downloads your entire database.

Security Essentials

.env files — secrets go here, never in code

# .env (add to .gitignore!)
DATABASE_URL=postgres://user:pass@host/db
STRIPE_KEY=sk_live_abc123

HTTPS everywhere — no exceptions
Authentication — every route that touches data needs auth
Input validation — never trust user input; sanitize everything

Security Prompt Pattern

When generating code, ALWAYS:
- Use environment variables for secrets (never hardcode)
- Add authentication checks to all API routes
- Sanitize and validate all user input
- Use parameterized queries (never string concatenation)
- Add rate limiting to public endpoints
- Set CORS headers appropriately

💡 Add this to your system prompt or project rules. Make the AI's default behavior secure.

🔄 CI/CD Pipelines

If it's not automated, it's broken

What is CI/CD?

CI — Continuous Integration

Every code push triggers automated tests
Catches bugs before they merge
"Does the new code break anything?"

CD — Continuous Deployment

Tests pass → code deploys automatically
No manual "upload to server" step
"Ship it — safely, every time"

git push

🧪 Tests run

✅ Pass?

🚀 Deploy

GitHub Actions — Your First Pipeline

# .github/workflows/ci.yml
name: CI
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install
      - run: npm test

That's it. Every push now runs your tests automatically. If they fail, you know before deploying.

CD — Where Does Deployment Happen?

Approach	How it works	Example
Platform auto-deploy	Connect GitHub → push = deploy	Vercel, Netlify, Railway
Actions → Platform	Actions runs deploy command	AWS, Azure, custom servers
GitHub Pages	Actions builds → pushes to gh-pages	Static sites, docs

💡 For beginners: Vercel / Railway = zero-config CD. Just connect your repo and push. Done.

GitHub Actions — CI + CD Together

name: CI/CD
on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm test

  deploy:
    needs: test
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm run build
      - uses: peaceiris/actions-gh-pages@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./dist

needs: test → deploy ONLY runs if tests pass
if: github.ref == 'refs/heads/main' → only deploy from main branch, not feature branches

☁️ Cloud & Deployment

Package and ship your vibe-coded project

Docker — "Works on My Machine" Solved

# Dockerfile
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["npm", "start"]

# Build and run
docker build -t my-app .
docker run -p 3000:3000 my-app

💡 Analogy: A container is like a shipping container. Everything your app needs is packed inside. It runs the same everywhere.

Where to Deploy

Platform	Best For	Difficulty
Vercel	Frontend, Next.js	⭐ Easy
Railway	Full-stack, databases	⭐ Easy
Render	APIs, web services	⭐⭐ Medium
AWS / Azure / GCP	Enterprise, scale	⭐⭐⭐ Hard

Start with Vercel or Railway. Graduate to AWS/Azure when you need to.

Deployment Checklist

✅ Environment variables set in production (not in code)
✅ HTTPS enabled
✅ Health check endpoint — can you tell if it's alive?
✅ Logging — can you see errors after deploy?
✅ Cost alerts — set a budget! AI-generated code can be resource-hungry
✅ Billing cap — don't wake up to a $10K bill

🎯 The New Skill Mix

You're the architect. AI is the builder.

What Changed

Before AI

Writing code = the hard part
PM describes → Engineer builds
Weeks to prototype
Knowledge gap = dependency

With AI

Knowing what to build = the hard part
PM describes → PM builds (with AI)
Hours to prototype
Engineering literacy = independence

The Superpower Formula

🧠 Domain Knowledge (PM/Design expertise)

🛠️ Engineering Literacy (this deck)

💬 Prompt Engineering (talk to AI effectively)

🤖 AI Tools (Cursor, Claude, Copilot, v0…)

All four layers = you can ship products independently

🗺️ Practical Learning Path

Concrete steps to build these skills

Week 1-2: Foundation

📺 Open your terminal. Run ls, cd, pwd. Navigate around.
📦 Install git. Create a repo. Make 5 commits.
🐙 Push to GitHub. You now have a portfolio.
📝 Create a simple project with the file structure from slide 4

Week 3-4: Build Something

🤖 Use Cursor or Claude to build a small web app
🧪 Ask AI to write tests first, then implementation
🔍 Review every line AI generates — look up what you don't understand
🐛 When it breaks (it will), debug before re-prompting

Week 5-6: Ship It

🐳 Write a Dockerfile for your project
🔒 Move all secrets to .env files
🔄 Set up a GitHub Actions CI pipeline
🚀 Deploy to Vercel or Railway
📊 Share the URL. You shipped. You're a builder now.

Resources

Free Courses

The Missing Semester (MIT) — terminal & git
freeCodeCamp — web development basics
GitHub Skills — interactive git tutorials

Tools to Try

Cursor — AI-native code editor
v0.dev — AI UI generation
Replit — code in the browser
GitHub Codespaces — cloud dev environment

🎬 Takeaway

AI amplifies you.

Literacy determines what gets amplified.

Without engineering literacy:

🐛 × 🤖 = 🐛🐛🐛

With engineering literacy:

🧠 × 🤖 = 🚀🚀🚀

The 10x PM is the one who can ship.

You don't need a CS degree
You don't need to write code from scratch
You do need to understand what you're shipping
You do need these 8 competencies as your foundation

Start this week. Open a terminal. Init a repo. Build something.

🛠️ The future belongs to builders.