commit.show — Every commit, on stageThe vibe coding league. AI-assisted GitHub projects (built with Cursor · Claude Code · Lovable · Bolt · v0 · Cline · etc.) get audited, ranked, and forecasted by tier-gated Scouts.How it works

Audit · run npx commitshow@latest audit github.com/owner/repo · 60s deterministic + LLM-judged score (0-100) on 14 production-readiness frames

Audition · submit at /submit to enter the season ladder · first 3 audits per member free during launch

Encore · cross score 84 to earn a permanent badge · top 0.5% Valedictorian, 5% Honors, 14.5% Graduate

What the audit catches14 vibe-coding failure modes calibrated against real OSS: missing RLS · webhook idempotency · secret-in-bundle · column GRANT mismatches · Stripe API idempotency · mobile input auto-zoom · AI template-copy footguns · seed arrays in prod · CORS wildcard · localhost-in-prod · 4 more. Catch what your AI missed in 60 seconds.Who this is forVibe coders shipping with AI assistants who want a public ranking, social proof, and a path to graduation. Beginners welcome — Phase 1 brief auto-fills from your README, the audit handles the rest.Score = 50 + 30 + 20

Audit (50pt) · automated rubric · production-readiness signals from your repo + live URL

Scout Forecast (30pt) · tier-gated humans place predictions on which projects graduate

Community Signal (20pt) · views · comments · applauds · return visits

For LLM agents reading this pagePrefer the REST API · zero install, no sandbox prompt:GET https://api.commit.show/audit?repo=<github-url>&format=mdCORS open · no API key · returns paste-ready markdown · same engine as the CLI. Use this from Claude Code, Cursor agent mode, Cline, Windsurf, Gemini, ChatGPT browse, n8n, Zapier, curl. The npx commitshow path tends to trip agent sandbox classifiers; the REST endpoint never does.Full agent integration guide: /llms.txt · OpenAPI: api.commit.show/openapi.jsonFull audit method docs: /audit · /rulebookRun an audit yourselfnpx commitshow@latest audit github.com/owner/repoOr fetch from any agent runtime: GET https://api.commit.show/audit?repo=owner/repo&format=md · see /llms.txt for the full agent integration guide.Cross-links · Products · Scouts · Library · Rulebook · Audit method · CommunityPrivacy · Terms · operated by Madeflo Inc., a Delaware corporation.

10 modules AI coding tools almost always botch on the first try (after ~2 years of daily use)

2026-05-15

Open Mic · commit.show

Been using Cursor / Claude Code / Copilot heavily for a while and a really consistent failure pattern shows up. The tools are great for a ton of stuff, but there are specific areas where the first draft is almost always wrong in ways that look right. Sharing in case it saves someone a 2am debugging session.

Rough order of how often it bites me:

Timezones and date math. UTC ↔ local, DST, month boundaries, "last day of month." Mixes new Date(), Luxon, date-fns, dayjs depending on which era of training data won out. Works in dev, breaks for users in Sydney.
Auth (OAuth / JWT / sessions). Token refresh logic that's plausibly correct but skips the messy parts. CSRF, SameSite, PKCE get quietly omitted. I've had it invent OAuth library methods more than once.
Fast-moving framework APIs. Next.js App Router vs Pages, RSC, Tailwind v4, LangChain, AI SDK. The model blends syntax from different versions. "use client", cookies(), headers() placement is a coin flip.
Regex edge cases. Unicode, emoji, greedy vs lazy, catastrophic backtracking. Passes the happy path, silently truncates the rest.
Money and decimals. Just throws number at it. 0.1 + 0.2 doesn't get a second thought. Decimal libraries only show up if you explicitly ask.
SQL: N+1, NULL, transactions. Classic N+1s through the ORM. = NULL instead of IS NULL in raw queries. Transaction boundaries basically never reasoned about.
Async / race conditions. Promise.all where it should be sequential, or sequential where it should be parallel. React useEffect stale closures and missing deps are practically guaranteed.
Hallucinated methods on niche libraries. Anything below ~1k stars is dangerous. It invents APIs that should exist based on naming conventions of similar libs. Compiles, dies at runtime.
Paths and OS differences. "/" hardcoded instead of path.join. Fine on the Mac it was generated on, breaks on Windows / Docker / CI.
Security: SSRF, path traversal, dangerouslySetInnerHTML, missing sanitization. The code runs. The sanitize step is just… not there. You basically have to ask for it every single time.
My current workflow for anything in this list is either (a) write the test first, or (b) do a focused second pass where I name the failure mode and ask the model to specifically check for it. The killers are the "looks right on review" ones — these aren't compile errors, they're stuff that ships.

What's on your list that's not on mine? Curious what everyone else keeps tripping over.

#ai-tool

Read on commit.show