Campaign 001 · Conference Cut · Roll for initiative
d20 · NAT 20 · Multi-LLM Stack · SDD-Driven
A Software Engineer's AI Campaign

Vivecoding.

How I shipped in 1 month what used to take 6 — by giving every AI in my party a class, a role, and a stat.
Samuel Cala
DM of the Party · Software Engineer @ IT Audit Labs
vivecoding.talk01 / 16
Slide 02 · The Confession · roll · perception
A small embarrassing admission

For years I pronounced it vibecoding

I kept saying vivecoding.

Turns out — once I looked at what I actually do —
I was right by accident.
Slide 03 · The Thesis · save · vs. shipping speed
The difference is the discipline

Vibecoding  vs  Vivecoding

Vibecoding
CHAOTIC NEUTRAL
Roll a d20. Pray.
  • Prompt the model. Ship whatever falls out.
  • No specs. No design. Tests are optional.
  • One model. For everything.
  • "It compiles" = "it works".
  • Tech debt grows faster than you can write it.
Vivecoding
LAWFUL GOOD
Engineering discipline + AI as amplifier
  • SDD pipeline: explore → spec → design → apply → verify.
  • Multi-model cross-check. Right model, right job.
  • TDD strict. Pure modules. Authz invariants.
  • Code review baked into every PR.
  • The AI amplifies the engineer — not the other way around.
Slide 04 · Meet the Party · session · 001
Roll call

I don't code alone.
I'm the DM.

memorias
Cleric · WIS 18
Engram
RAG memory keeper. Persists every decision, observation, and CVE so context never refills.
obs#110 · obs#268 · obs#223
Bard · CHA 17
Gentle
My grounding companion. Lands me when I'm spiraling. Knows the song, doesn't go rogue.
"che, no" — circa every session
Warlock · INT 19
Warlock
Security & bug bounty. Pacts with demons to find the CVE before the attacker does.
2 critical CVEs caught in 48h
Slide 05 · Supporting Cast · roster · sdd-agents
Each command is a class

The SDD party.

Ranger · DEX 16
sdd-explore
Scouts the codebase before any commitment.
Wizard · INT 18
sdd-spec
Writes the runes. Requirements + scenarios.
Artificer · INT 17
sdd-design
Architectural decisions, blueprints, trade-offs.
Fighter · STR 16
sdd-apply
Implements. Tests pass before commit.
Paladin · WIS 16
sdd-verify
Validates impl matches the sacred specs.
Slide 06 · The Stack · rule · right model, right job
Five models, five jobs, zero overlap

The right model
for the right job.

01
Gemini
Documentation & planning. Long context, structured artifacts, SDDs.
google · planner
02
Claude
Development. Implementation, refactor, the actual code that ships.
anthropic · builder
03
Cloudflare Workers AI
Edge inference. Llama / Kimi at the edge, close to the request. Cheap, fast iteration, fallback path.
edge · fallback
04
Codex
Bug bounty & error hunting. Adversarial pass over diffs.
openai · hunter
05
CodeRabbit + Copilot
PR safety net. Two reviewers, every merge. No exceptions.
pr · safety net
Slide 07 · The SDD Workflow · graph · acyclic
The classical SDLC, executable

The pipeline.
You can't skip a phase.

  • /sdd-init · detect stack & conventions
  • /sdd-explore · scout the terrain
  • /sdd-propose · intent + scope + approach
  • /sdd-spec · requirements + scenarios
  • /sdd-design · architecture decisions
  • /sdd-tasks · implementation checklist
  • /sdd-apply · write the code
  • /sdd-verify · specs ≡ implementation
  • /sdd-archive · sync & close
spec & design feed tasks in parallel · verify gate before archive · design is its own artifact, not a comment
⚜   same workflow you learned in school. now executable.   ⚜
Slide 08 · The Orchestrator · hidden · not in autocomplete
The three commands I use every day

Meta-commands.
The orchestrator runs the DAG.

/sdd-new <change>
Spin up a new change. Auto-delegates exploration + proposal so you start at "spec", not "blank page".
/sdd-continue [change]
Runs whatever phase is next-ready in the DAG. You stop deciding "what's next" — the orchestrator already knows.
/sdd-ff <name>
Fast-forward planning: proposal → specs → design → tasks in one shot. For when you can already see the destination.
⚜   methodology becomes a tool when the friction goes to zero   ⚜
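An added sketch of the readiness rule behind /sdd-continue and the "can't skip a phase" gate; it is not the SDD skills' own code. The dependency edges are inferred from the slide's annotations, and the helper names are hypothetical.

```typescript
// Added illustration: edge list inferred from the slide, not taken from the SDD skills.
type Phase =
  | "init" | "explore" | "propose" | "spec" | "design"
  | "tasks" | "apply" | "verify" | "archive";

// phase -> phases that must already be done
const DEPENDS_ON: Record<Phase, Phase[]> = {
  init: [],
  explore: ["init"],
  propose: ["explore"],
  spec: ["propose"],
  design: ["propose"],       // spec and design can run in parallel
  tasks: ["spec", "design"], // both feed tasks
  apply: ["tasks"],
  verify: ["apply"],
  archive: ["verify"],       // verify gate before archive
};

const ORDER: Phase[] = [
  "init", "explore", "propose", "spec", "design",
  "tasks", "apply", "verify", "archive",
];

// Every phase that is not done yet and whose prerequisites are all done.
function nextReady(done: Phase[]): Phase[] {
  return ORDER.filter(
    (p) =>
      done.indexOf(p) === -1 &&
      DEPENDS_ON[p].every((d) => done.indexOf(d) !== -1),
  );
}

// Replays a recorded history and returns the first phase that ran while it
// was not ready (skipped prerequisite or repeated phase), or null if valid.
function firstInvalidPhase(history: Phase[]): Phase | null {
  const done: Phase[] = [];
  for (const p of history) {
    if (nextReady(done).indexOf(p) === -1) return p;
    done.push(p);
  }
  return null;
}
```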
Slide 09 · Case Study · real · multi-tenant · production
A real campaign — not a toy project

ITALPortal.
The CISO's operational portal.

Risk register. M365 security assessment via Microsoft Graph. Project & task management. Zendesk-integrated ticketing. And an AI assistant named Emma.
Six modules. One codebase. Multi-tenant.
Astro 5.16 SSR, React 19 islands, Cloudflare Workers, 3× D1, R2 + KV, 3× Durable Objects, Hono + Drizzle, Clerk authz, Tailwind v4 + shadcn, Zod 4, TanStack Query, MS Graph API, Zendesk, NinjaOne RMM, Resend + react-email, Anthropic · Haiku 4.5, TS 5.9 strict, ESM · pnpm
Quest log · 2026-04-13
In a single day:
  • SDD init complete · skill registry · openspec bootstrap
  • tickets-custom-statuses — 22 tasks, 12 tests, KV cache 24h
  • recurring-tasks-toggle — 17 tests, pure module extracted
  • Privilege-escalation closed in requireOrgAdmin()
  • AI module deleted (TODO finally honored)
Next session: Emma overhaul — 78 tests passing
Slide 10 · The Number · critical hit
From baseline → vivecoding
6 months → 1 month
Production. Multi-tenant. 78 tests passing. Two security audits.
Speed didn't come from skipping steps. It came from parallelizing the right ones with the right models.
Slide 11 · Wow Moment #01 · warlock · audit
CVE · PRIVILEGE ESCALATION

What looks like a feature
is sometimes a CVE.

requireOrgAdmin()
The bug
Any member of an IT Audit Labs org was treated as admin automatically, regardless of their role.
It looked intentional. The pattern was old. Nobody questioned it. It would have lived in production for months.
obs#110
How the party caught it
Warlock ran a security audit, chained it with the code-review skill, and confirmed: this is a real privilege-escalation bug, not by design.
"Looked intentional. After audit, confirmed real CVE."
— Engram, obs#110
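An added illustration, not ITALPortal code: one reading of the flaw described above beside a role-checking guard, plus an exhaustive authz-invariant check of the kind that would flag it. The types, org ids and both guard bodies are assumptions.

```typescript
// Added illustration: types, ids and both guard bodies are assumptions.
type Role = "admin" | "member" | "viewer";
interface Membership { orgId: string; role: Role }
interface Session { userId: string; memberships: Membership[] }
type Guard = (session: Session, orgId: string) => boolean;

const STAFF_ORG = "org_staff_example"; // constructed placeholder id

// Flawed pattern as the slide describes it: belonging to the staff org is
// enough, and the member's role is never read.
const requireOrgAdminFlawed: Guard = (session, orgId) =>
  session.memberships.some((m) => m.orgId === STAFF_ORG) ||
  session.memberships.some((m) => m.orgId === orgId && m.role === "admin");

// Hardened guard: admin only through an explicit admin role on the target org.
const requireOrgAdmin: Guard = (session, orgId) =>
  session.memberships.some((m) => m.orgId === orgId && m.role === "admin");

// Authz invariant, checked over a small constructed matrix: the guard may
// allow only when the session holds role "admin" on the target org.
function adminInvariantViolations(guard: Guard): string[] {
  const orgs = [STAFF_ORG, "org_customer_example"];
  const roles: Role[] = ["admin", "member", "viewer"];
  const violations: string[] = [];
  for (const homeOrg of orgs) {
    for (const role of roles) {
      const session: Session = {
        userId: "u1",
        memberships: [{ orgId: homeOrg, role }],
      };
      for (const target of orgs) {
        const expected = homeOrg === target && role === "admin";
        if (guard(session, target) !== expected) {
          violations.push(`${role}@${homeOrg} -> ${target}: got ${!expected}`);
        }
      }
    }
  }
  return violations;
}
```

Run as a unit test, the invariant returns an empty list for the hardened guard and a non-empty list for the flawed one, which turns "looked intentional" into a failing assertion.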
Slide 12 · Wow Moment #02 · emma · cross-tenant leak
CVE · CROSS-TENANT DATA LEAK

AI tools need the same guards
as your REST endpoints.

emma.tools.get_ticket_detail
The bug
Emma's get_ticket_detail tool fetched any ticket by ID via service account.
No ownership check.
A user in org A could ask Emma for a ticket from org B — and Emma would hand it over.
obs#268
How the party caught it
Caught during the security audit phase of the Emma overhaul — before production. Fix: replicate the access control from the REST endpoint inside the tool.
"Forget this and you leak data cross-tenant. Period."
— Engram, obs#268
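An added illustration of the fix described above, not ITALPortal code: the REST handler and the AI tool call one shared access-control function, so the tool cannot drift from the endpoint. The ticket store, ids and function shapes are constructed for the example.

```typescript
// Added illustration: store, ids and handler shapes are assumptions.
interface Ticket { id: string; orgId: string; subject: string }
interface Caller { userId: string; orgId: string } // from the authenticated session
type Result = { status: 200; ticket: Ticket } | { status: 404 };

// Constructed sample data: everything the service account can read, across tenants.
const TICKETS: Ticket[] = [
  { id: "t-100", orgId: "org_a", subject: "VPN down" },
  { id: "t-200", orgId: "org_b", subject: "Payroll export" },
];

// Service-account fetch: no tenant scoping of its own.
function fetchTicketAsService(id: string): Ticket | undefined {
  return TICKETS.filter((t) => t.id === id)[0];
}

// The single access-control decision. "Missing" and "other tenant" both
// return 404 so a caller cannot confirm that a foreign ticket id exists.
function getTicketForCaller(caller: Caller, id: string): Result {
  const ticket = fetchTicketAsService(id);
  if (!ticket || ticket.orgId !== caller.orgId) return { status: 404 };
  return { status: 200, ticket };
}

// REST endpoint handler.
function restGetTicket(caller: Caller, id: string): Result {
  return getTicketForCaller(caller, id);
}

// Flawed tool as the slide describes it: the id arrives in tool arguments
// and is fetched via the service account with no ownership check.
function toolGetTicketDetailFlawed(_caller: Caller, args: { ticket_id: string }): Result {
  const ticket = fetchTicketAsService(args.ticket_id);
  return ticket ? { status: 200, ticket } : { status: 404 };
}

// Fixed tool: same guard as REST; the caller identity comes from the
// session, never from the tool arguments.
function toolGetTicketDetail(caller: Caller, args: { ticket_id: string }): Result {
  return getTicketForCaller(caller, args.ticket_id);
}
```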
Slide 13 · The Honest Scars · nat · 1
NAT 1 · WHAT WENT WRONG

If a talk only shows wins,
they're selling you something.

scar #1
CF Workers AI (Llama, Kimi) too slow + bad at instructions. Migrated to Anthropic API with fallback.
scar #2
ts-node broke on extensionless ESM imports. One session lost. Fix: switch to tsx.
scar #3
14 Pulse components rendered raw HTML entities. MS Graph returns them encoded. Decoded in every component.
scar #4
client:load hydration mismatch with sessionStorage. Switched Chat to client:only="react".
scar #5 · the lesson
Zendesk POST had no retry. GET had 3-attempt backoff.
SDD didn't catch it. The user did.
The workflow is good. It's not magic. User feedback is still irreplaceable.
Slide 14 · Hot Takes · five rules · zero exceptions
Five rules I live by

What the vibecoder
gets wrong.

01
Specs before code. Always.
If you can't write the spec, you don't understand the change. Stop typing prompts.
02
One model is never the right answer.
Each model has a strength. The mix is the moat. Plan, build, audit — different agents.
03
Design is code. Merge it.
Architecture decisions belong in version control, next to the code that proves them.
04
“It compiles” ≠ “it works.”
Verify is a phase, not a vibe. Tests, invariants, authz checks. Don't skip the Paladin.
05
The AI is your junior — not your genius.
You wouldn't merge a junior's PR without reading it. Don't merge the AI's either.
Slide 15 · Three Takeaways · tl;dr
If you remember nothing else

Three things to
take home.

01 · The Thesis
Discipline beats vibes.
Specs, design, TDD, verify. The classical SDLC — just executable now.
02 · The Stack
Right model, right job.
Build a party. Each agent carries their class. Engram remembers, Warlock audits, Gentle grounds.
03 · The Math
AI is an amplifier.
It doesn't replace the engineer. It makes a trained one 6× faster.
⚜   vibecoding is roleplay. vivecoding is a campaign with a DM.   ⚜
Slide 16 · End of Campaign · questions · q&a
NAT 20 · SUCCESS · XP awarded · Roll for questions
End of session

Thanks.

Now — roll initiative for questions.
The party is listening.
Samuel Cala
DM of the Party · IT Audit Labs
@samuelcala · itauditlabs.com · SDD skills · open source
The Party
Engram · Cleric · WIS 18
Gentle · Bard · CHA 17
Warlock · Warlock · INT 19
+ the SDD party of five