Skip to content

Compose the vike-* extensions instead of hand-rolling auth/data/UI #186

Description

@suleimansh

The framework currently makes the agent hand-roll everything from scratch (its own Prisma data layer, session auth, validation, rate-limiting, CSRF, admin CRUD UI). The vike-page-builder persona says "prefer composing existing vike-* extensions" but the framework gives the agent zero concrete knowledge of those extensions, and data-modeler points at raw Prisma — so the agent ignores the advice and reinvents the wheel.

Evidence (first full-scope live run, "a blog with posts, comments, admin")

It scaffolded ~30 files, then the production-grade loop spent 5 passes finding: missing cookie flags, no CSRF, no rate limiting, timing-attack-vulnerable password compare, no session cleanup, missing logout. The generated login was also broken. Every one of those is something vike-auth already solves correctly.

Why compose instead of generate

  • Faster: install + wire a few extensions vs. generate and debug 30 files.
  • Better/safer: auth/sessions/CSRF are hardened library code, not fresh AI output. The broken login and the security blockers would not exist.
  • Kills the over-polish churn: the loop churns because it reviews freshly-generated hand-rolled code and always finds a flaw. If the hard parts are library code, there is far less surface to pick at. So this also addresses the "loop runs too many passes" complaint, at the root.

This is the "Stem Vision": extensions are composable, already-hardened building blocks the AI assembles (vike-auth owns users/sessions, vike-data owns schema->data layer, vike-view generates admin UI from schema).

Mechanism (tractable)

Same lever that switched the agent to Prisma (#181): persona / skills framing. Teach the agent the extensions as concrete knowledge:

  • What each vike-* extension is, its install command, and its wiring conventions.
  • Point data-modeler at vike-data (over/instead of raw Prisma) and add a vike-auth-aware auth persona.
  • Package this as skills (@gemstack/ai-skills) so the knowledge is versioned per extension.

The agent still runs as a black box; we only change the system-prompt framing it gets.

Phasing (only teach whats shipped)

  • Now: vike-auth + vike-data core (built/merged). Biggest immediate win: auth + data layer stop being hand-rolled.
  • Later: vike-view (schema->admin/CRUD UI) once it ships (epic is in progress) - that removes the most hand-written UI. vike-notifications / vike-storage as needed.

Acceptance

  • For a blog-style app, the agent composes vike-auth (working login + sessions) and a vike-data data layer instead of writing its own, and the production-grade loop no longer surfaces the auth/session/CSRF blockers above.

Part of #110. Surfaced by the first live full-scope run; connects the framework to the vike-* substrate. Related: #185 (existing-project support), the over-polish loop finding (this supersedes the pure loop-tuning fix).

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions