Question
You're integrating a payment provider and asked an AI agent to implement webhook signature verification in Node. It returned working code: webhooks come in, signatures verify, your tests pass. You don't deeply understand HMAC or the timing details. Before this guards real money flows, how do you verify it's actually secure and not just functional?
Treat the AI’s output as a draft to verify, not an answer to trust. Name the specific flaw and the input that triggers it, say how you’d catch it — tests, edge cases, reading critically — and how you’d re-prompt or decompose to get it right.
Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.