Why This Stack
- Cursor for fast iterative edits with in-editor context
- Bolt.new for fresh scaffolds and greenfield experiments
- Vibe-Eval to stop regressions, auth breaks, and prompt injection before deploy
The Loop (30–60 minutes per feature)
- Scaffold in Bolt.new
  - Prompt for the feature with clear data contracts and auth rules
  - Pull the repo into Cursor
- Iterate in Cursor
  - Use inline `fix` prompts for minor bugs
  - Ask Cursor to propose tests; keep snapshots minimal
- Gate with Vibe-Eval
  - Run the “Bulletproof Stack” preset: browser flows + security probes
  - Require green checks before merging to `main`
- Deploy and monitor
  - Re-run Vibe-Eval on staging URL after deploy
  - Archive findings and prompt patches alongside PRs
Sample Prompt Pack
- Base prompt for scaffolds: “Always enforce server-side auth; never expose debug routes; sanitize user-provided HTML; include health check.”
- Cursor fix-up: “Patch without widening CORS or relaxing auth; prefer middleware; keep existing tests green.”
- Vibe-Eval note: “Use seeded accounts admin@test and user@test; try role swaps and expired tokens.”
Pipeline Setup (GitHub Actions)
Common Breaks and How This Stack Catches Them
- Auth gaps after regenerate: Vibe-Eval exercises stale tokens across routes
- Overbroad CORS: agents flag `*` + credentials combos
- Prompt-injection leaks: AI surfaces tested with hostile payloads
- Schema drift: snapshot diffs when components change structure
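One way to express the `*` + credentials check as a merge gate, as an added example (not Vibe-Eval's own code or output). It goes beyond the wildcard case to cover reflected and `null` origins; the probe record shape, routes and origins are constructed assumptions.

```javascript
// Added example. Probe records, routes and origins below are constructed.
const TRUSTED_ORIGINS = ['https://app.example']; // assumption: the real front end

// Classify one probe: the Origin we sent and the response headers we got back.
function classifyCors(probe, trusted = TRUSTED_ORIGINS) {
  const h = {};
  for (const [k, v] of Object.entries(probe.responseHeaders)) {
    h[k.toLowerCase()] = String(v).trim();
  }
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return null; // no cross-origin grant at all
  const withCreds =
    (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (!withCreds) return null; // e.g. a public, cookie-less API using "*"

  // Browsers refuse credentialed responses when the grant is "*", so this pair
  // never works; it matters because the usual "fix" is to echo Origin instead.
  if (allowOrigin === '*') return 'wildcard-with-credentials';
  // Sandboxed iframes and some redirects send "Origin: null".
  if (allowOrigin === 'null') return 'null-origin-with-credentials';
  // Server echoed an origin we made up: any site can read authenticated data.
  if (allowOrigin === probe.sentOrigin && !trusted.includes(allowOrigin)) {
    return 'reflected-untrusted-origin-with-credentials';
  }
  return null;
}

// Return the failing routes; an empty array means the gate is green.
function auditCors(probes, trusted = TRUSTED_ORIGINS) {
  return probes
    .map((p) => ({ route: p.route, finding: classifyCors(p, trusted) }))
    .filter((r) => r.finding !== null);
}

// Constructed sample input: five probes against a hypothetical staging build.
const BAD = 'https://untrusted.example';
const SAMPLE_PROBES = [
  { route: '/api/me', sentOrigin: BAD, responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' } },
  { route: '/api/orders', sentOrigin: BAD, responseHeaders: { 'access-control-allow-origin': BAD, 'access-control-allow-credentials': 'true' } },
  { route: '/api/profile', sentOrigin: 'https://app.example', responseHeaders: { 'Access-Control-Allow-Origin': 'https://app.example', 'Access-Control-Allow-Credentials': 'true' } },
  { route: '/api/status', sentOrigin: BAD, responseHeaders: { 'Access-Control-Allow-Origin': '*' } },
  { route: '/api/export', sentOrigin: 'null', responseHeaders: { 'Access-Control-Allow-Origin': 'null', 'Access-Control-Allow-Credentials': 'TRUE' } },
];

console.log(auditCors(SAMPLE_PROBES));
```

In CI, fail the job when `auditCors` returns a non-empty array, and keep the trusted-origin list in the repo so changes to it go through review.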
Team Rituals That Help
- Keep a prompt changelog per feature so you can roll back wording that caused regressions
- Treat Vibe-Eval findings like lint: fix or justify before merge
- Pair Cursor suggestions with human review on security-sensitive files
CTA
Wire this pipeline, then vibe freely. Let Cursor and Bolt ship fast while Vibe-Eval guards the edges.