
mohammed-bfaisal/bedrock


bedrock

The agentic engineering methodology. Fractal, tool-agnostic, production-grade.


Most vibe-coded projects fail the same way. They work in the demo, break in production, and nobody can explain why. Not because the AI wrote bad code, but because it had nothing solid to build on.

bedrock is what you put in place before the AI touches anything. It's a complete context engineering system: a methodology, a set of templates, security protocols, and a setup CLI that generates everything your AI tool needs, pre-filled and ready to go.

The same rules apply at every scale. Weekend project or production SaaS, the loop is identical. You just go deeper.


Why this exists

Right now in 2026:

  • 46% of all new code on GitHub is AI-generated
  • 62% of that code has design flaws or security vulnerabilities
  • 20% of AI-generated code references packages that don't exist, and attackers are already registering those phantom names with malicious payloads (slopsquatting)
  • The Axios npm supply chain attack on March 31, 2026, attributed to Lazarus Group / DPRK, hit vibe-coded projects hardest because AI workflows skip manual dependency review
  • Code churn is up 41%. Code duplication has increased fourfold. Careful refactoring dropped from 25% of changed lines in 2021 to under 10% by 2024
  • The number one pain point in the vibecoding community is not bugs or AI limits. It's maintenance. Projects that worked in the demo become unmaintainable within months

The tools are not the problem. The missing foundation is.

No existing methodology repo covers all of: vision, design, context engineering, session management, supply chain security, observability, and long-term sustainability, and none of them have an automated setup system that works across every AI tool on the market.

bedrock covers all of it.


The fractal loop

Every project at every scale follows the same loop:

Clarify -> Specify -> Context -> Build -> Verify -> Close

On a weekend hack you run it once, shallowly, in two hours. On a production SaaS you run it recursively: the whole project runs the loop, each feature runs the loop, each component runs the loop.

Same pattern. Different depth. Like zooming into a Mandelbrot set.

This is what Andrej Karpathy called agentic engineering: structured AI-human collaboration where AI agents handle implementation while humans own architecture, review, and quality assurance. bedrock is the operating system for that workflow.


What you get

bedrock/
│
├── init/                        <- interactive setup CLI
│   ├── setup.py                 <- questions -> generates all files pre-filled
│   ├── questions.yml            <- MCQ definitions
│   ├── templates/               <- Jinja2 templates for every file and tool
│   └── context-package/         <- compressed upload bundle for Claude/ChatGPT web
│
├── 0-vision/                    <- human work only. before AI touches anything.
│   ├── SPARK.md                 <- problem, audience, why now, non-goals
│   ├── NORTH_STAR.md            <- the one sentence this project exists to serve
│   ├── SCOPE.md                 <- hard lines: what this will NEVER be
│   └── DECISIONS.md             <- architecture decision records, the WHY
│
├── 1-design/                    <- visual layer. injected for all frontend work.
│   ├── DESIGN.md                <- tokens: color, type, spacing, breakpoints, motion
│   ├── AESTHETIC.md             <- mood, feel, references: communicate vibe to AI
│   ├── COMPONENTS.md            <- UI patterns AI must follow consistently
│   └── A11Y.md                  <- accessibility rules AI must never skip
│
├── 2-context/                   <- what AI knows. fed into every session.
│   ├── AGENT.md                 <- global AI rules: think, simplify, surgical, goal-driven
│   ├── CONSTITUTION.md          <- project-wide laws AI must never break
│   ├── ARCHITECTURE.md          <- system design, data flows, service boundaries
│   ├── STACK.md                 <- tech choices and WHY: AI cannot swap these
│   ├── INTENT.md                <- the WHY behind non-obvious decisions
│   ├── MODELS.md                <- which AI model for which task
│   ├── .aiignore                <- files AI must never read or touch
│   └── examples/                <- code patterns for AI to emulate
│
├── 3-workflow/                  <- how to work, session by session
│   ├── BLUEPRINT.md             <- feature spec template (one per feature, pre-AI)
│   ├── PLAN.md                  <- living project plan, updated each session
│   ├── HANDOFF.md               <- end-of-session recap. kills context cold-start.
│   ├── PROMPTS.md               <- prompt library: what worked and what didn't
│   ├── PIVOT.md                 <- how to change direction without context chaos
│   ├── GIT.md                   <- commit discipline: when, how, what message format
│   └── AUDIT.md                 <- AI decision log: what changed and why
│
├── 4-security/                  <- non-negotiable. verify effectiveness, not existence.
│   ├── SECURITY.md              <- OWASP Top 10 + database-specific + LLM injection
│   ├── DEPENDENCIES.md          <- supply chain rules: pin, audit, never auto-update
│   ├── PRIVACY.md               <- GDPR/CCPA, data minimization, consent flows
│   ├── GUARD.md                 <- dedicated security reviewer agent system prompt
│   ├── GOVERNANCE.md            <- for teams: who approves what into production
│   ├── LEGAL.md                 <- licensing, AI-generated code IP, OSS compliance
│   └── .github/workflows/
│       └── security.yml         <- Semgrep + Gitleaks + dep audit CI gate, ready to use
│
├── 5-quality/                   <- production-grade from day one
│   ├── TESTING.md               <- test-first prompting, reality-check patterns
│   ├── DATABASE.md              <- schema, migrations, RLS verification, PROD IS SACRED
│   ├── DEPLOY.md                <- env parity, pre-ship checklist, env isolation
│   ├── PERFORMANCE.md           <- query optimization, bundle size, caching strategy
│   ├── API.md                   <- response envelope, versioning, rate limiting
│   ├── COSTS.md                 <- every external service: cost model + free tier limits
│   └── ERRORS.md                <- accumulated: error -> fix that worked -> why
│
├── 6-observe/                   <- know when things break before your users do
│   ├── OBSERVE.md               <- logging strategy, metrics, tracing, alert thresholds
│   └── INCIDENT.md              <- what to do when production breaks
│
├── 7-sustain/                   <- the layer nobody else built. long-term health.
│   ├── MAINTAIN.md              <- protocols for keeping AI-built projects alive
│   ├── REFACTOR.md              <- when and how to safely refactor AI-generated code
│   ├── HANDOFF_HUMAN.md         <- how to onboard another human to this codebase
│   ├── ROLLBACK.md              <- recovery procedures + git discipline
│   └── CHANGELOG.md             <- template + prompt to auto-generate from diffs
│
├── 8-ship/                      <- distribution. building is the easy part.
│   ├── LAUNCH.md                <- validate before you build, ICP, distribution channel
│   ├── PRICING.md               <- don't underprice. boring B2B beats consumer apps.
│   └── CONTRIBUTING.md          <- open source health, maintainer norms
│
└── scales/                      <- the fractal depth guide. pick your zoom level.
    ├── MICRO.md                 <- weekend project: 8 files, ship in 48hrs
    ├── PRODUCT.md               <- real app with users: 22 files, full security
    └── SCALE.md                 <- team + CI/CD: every file, every gate required

Setup

git clone https://github.com/mohammed-bfaisal/bedrock.git
cd bedrock
python3 init/setup.py

The CLI asks about 15 questions: what you're building, your stack, your aesthetic, and which AI tools you use. It generates every context file pre-filled for your project and outputs tool-specific config files for every AI tool you selected.

Tool output mapping:

Tool                       Generated file
Claude Code                CLAUDE.md
Cursor                     .cursorrules
Windsurf                   .windsurfrules
Cline                      .clinerules
GitHub Copilot             .github/copilot-instructions.md
Gemini CLI                 GEMINI.md
OpenAI Codex CLI           AGENTS.md
Aider                      .aider.conf.yml
Ollama / local models      SYSTEM.md (paste as system prompt)
Claude.ai Projects (web)   context-package/
ChatGPT Projects (web)     context-package/

All tool files are generated from the same source. No duplication, one source of truth.

Web interface package

For Claude.ai Projects and ChatGPT, upload the entire context-package/ folder. The AI gets your full project constitution and can build the project from it.

context-package/
├── 00-INDEX.md         <- master guide: what each file does, load order
├── 01-AGENT.md         <- AI behavior rules
├── 02-CONSTITUTION.md  <- project laws
├── 03-ARCHITECTURE.md  <- system design
├── 04-STACK.md         <- tech choices
├── 05-DESIGN.md        <- visual system
├── 06-SECURITY.md      <- security context
├── 07-PLAN.md          <- current project plan
└── 08-BLUEPRINT.md     <- active feature blueprint

Scale guide

Micro: weekend project, just you, ship in 48hrs

Use: AGENT.md CONSTITUTION.md PLAN.md BLUEPRINT.md SECURITY.md DEPENDENCIES.md HANDOFF.md

Skip everything else. Run the loop once. Ship.

Product: real app with real users

Add: all of 0-vision/ + 1-design/ + 2-context/ + 3-workflow/ + 4-security/ + DATABASE.md + DEPLOY.md + TESTING.md

Run the loop per feature. Security gate before launch.

Scale: team, CI/CD, production

Everything. Every file. Every gate. GOVERNANCE.md for approvals. OBSERVE.md active before any user traffic. CI pipeline required. HANDOFF_HUMAN.md written before any new contributor touches the codebase.


Security

bedrock treats security as context, not afterthought.

The core principle, drawn from CVE-2025-48757 (Lovable/Supabase RLS failure, 170 production apps exposed) and the March 2026 Axios supply chain attack (Lazarus Group RAT, 100M weekly download package):

Verify effectiveness, not existence. A check that confirms a protection exists is not enough. You have to prove it works.

Supply chain (DEPENDENCIES.md)

  • Every dependency the AI adds must be reviewed before npm install runs
  • Pin all versions in lockfile. Never auto-update without audit.
  • Run npm audit or pip-audit before every install session
  • AI hallucinates roughly 20% of package names. Attackers register those names. This is slopsquatting.
  • Any package the AI adds is untrusted until you verify it on the official registry
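
One way to enforce the review-before-install rule above, as an added example (not code from the bedrock repository): diff the proposed package-lock.json against the last human-reviewed copy and list every change that needs sign-off. The lockfile contents, the package name fast-json-utilz and the integrity strings are constructed placeholders, and `lockfile_review` is a hypothetical helper name.

```python
import json

# Constructed lockfile fragments (npm lockfileVersion 3 layout); all values are placeholders.
REVIEWED_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/express": {"version": "4.19.2", "integrity": "sha512-REVIEWED-A"},
  "node_modules/zod": {"version": "3.23.8", "integrity": "sha512-REVIEWED-B"}
}}""")
PROPOSED_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/express": {"version": "4.19.2", "integrity": "sha512-CHANGED"},
  "node_modules/zod": {"version": "3.24.0", "integrity": "sha512-NEW-B"},
  "node_modules/fast-json-utilz": {"version": "1.0.0", "integrity": "sha512-NEW-C"}
}}""")


def locked(lock):
    """Map package path -> (version, integrity), skipping the root project entry."""
    return {path: (meta.get("version"), meta.get("integrity"))
            for path, meta in lock.get("packages", {}).items() if path}


def lockfile_review(reviewed, proposed):
    """List every lockfile change a human must approve before install runs."""
    old, new = locked(reviewed), locked(proposed)
    findings = []
    for path in sorted(new):
        name = path.split("node_modules/")[-1]  # also handles nested node_modules paths
        if path not in old:
            # A name never reviewed before: may be hallucinated or squatted.
            findings.append((name, "new package: confirm it on the official registry"))
        elif new[path][0] != old[path][0]:
            findings.append((name, f"version {old[path][0]} -> {new[path][0]}: audit before accepting"))
        elif new[path][1] != old[path][1]:
            # Same version, different hash: the pinned artifact is not what was reviewed.
            findings.append((name, "integrity changed at the same version: investigate"))
    return findings


if __name__ == "__main__":
    for name, reason in lockfile_review(REVIEWED_LOCK, PROPOSED_LOCK):
        print(f"REVIEW {name}: {reason}")
```

Because the comparison runs on the lockfile rather than package.json, it also surfaces transitive packages that the AI never mentioned adding.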

Database security

Every table must have RLS enabled AND verified working.
Test it: run SELECT * as an anonymous user using the anon key.
If it returns rows, RLS is broken, not just missing.

Never expose the service_role key in client code.
After every schema change, re-run the anonymous user test.
Prod database credentials must never appear in any file AI can read.
Add them to .aiignore immediately.
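
The anonymous-user test described above, as an added example (not code from the bedrock repository). It assumes a Supabase-style REST endpoint at /rest/v1/ and that every listed table is meant to be unreadable without login; `verify_rls`, `anon_select` and the table names are hypothetical. It also covers the case the test alone misses: an empty table returns no rows whether or not RLS works.

```python
import json
import urllib.error
import urllib.request


def anon_select(base_url, anon_key, table):
    """Run SELECT * (limit 1) as the anonymous role via the REST endpoint."""
    req = urllib.request.Request(
        f"{base_url}/rest/v1/{table}?select=*&limit=1",
        headers={"apikey": anon_key, "Authorization": f"Bearer {anon_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return []  # refused outright: no rows reached the anonymous caller
        raise          # any other failure is not evidence either way


def verify_rls(tables, seeded, select):
    """Classify each table that anonymous users must not be able to read.

    seeded: tables known (from a privileged, server-side check) to hold >= 1 row.
    select: callable(table) -> list of rows visible to the anonymous role.
    """
    report = {}
    for table in tables:
        if select(table):
            report[table] = "BROKEN"    # the anonymous caller read data
        elif table not in seeded:
            report[table] = "UNPROVEN"  # empty table: zero rows proves nothing
        else:
            report[table] = "OK"        # data exists and anon saw none of it
    return report


# Constructed stand-in for what the anonymous role can see, so this runs offline.
FAKE_DB = {"profiles": [{"id": 1, "email": "a@example.test"}], "invoices": [], "notes": []}

if __name__ == "__main__":
    result = verify_rls(["profiles", "invoices", "notes"], {"profiles", "invoices"}, FAKE_DB.get)
    for table, verdict in result.items():
        print(f"{table}: {verdict}")
```

Against a live project, pass `lambda t: anon_select(url, key, t)` as `select`, and rerun the check after every schema change.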

CI gate

4-security/.github/workflows/security.yml runs Semgrep, Gitleaks, and dependency audit on every pull request. Merge is blocked on high-severity findings. Copy it into your project's .github/workflows/ folder.


7-sustain: the layer nobody else built

The most upvoted thread on r/vibecoding is "The problem with vibe coding is nobody wants to talk about maintenance" with 562 upvotes and 252 comments. 7-sustain/ is the answer to that thread.

  • MAINTAIN.md: how to re-onboard the AI to an existing codebase, how to run health checks, how to catch context drift before it becomes a rewrite
  • REFACTOR.md: when and how to safely refactor AI-generated code without things cascading
  • HANDOFF_HUMAN.md: how to explain a vibe-coded codebase to another developer who wasn't there for any of it
  • ROLLBACK.md: recovery procedures and git discipline for when the AI makes a catastrophic change
  • CHANGELOG.md: template plus a prompt that generates a changelog from your git diff

8-ship: the problem nobody else acknowledged

Vibe coding solved the building problem. It created a selling problem.

The number one pain point across 4,753 community posts is distribution, not bugs, not AI limits. One developer spent 7 months building and made $4. 90% of failed indie projects build consumer apps instead of boring B2B tools.

8-ship/ forces the question before you write a single line: who is the actual customer, what is the distribution channel, and why boring B2B consistently beats consumer at the indie scale.


Positioning

bedrock sits at the intersection of three terms describing the same evolution:

  • Vibe coding: the practice. What everyone is doing. Where the stars come from.
  • Context engineering: the discipline. The bottleneck is never the AI, it's what the AI knows.
  • Agentic engineering: the maturation. Karpathy's term (February 2026) for structured AI-human collaboration where humans own architecture and review, AI owns implementation.

bedrock is the operating system for agentic engineering.


How this compares

Feature                                          bedrock   Other methodology repos
All 8 layers covered                             yes       1-2 layers max
Automated setup CLI                              yes       none
All AI tools supported                           yes       Claude Code / Cursor only
Web interface package (Claude/ChatGPT upload)    yes       none
Supply chain security (DEPENDENCIES.md)          yes       none
Design + aesthetic layer                         yes       none
Long-term sustain layer                          yes       none
Distribution / ship layer                        yes       none
Fractal scale model                              yes       fixed tiers
INTENT.md (the why behind decisions)             yes       none
Security verification patterns                   yes       checklists only

Contributing

If you have a pattern that belongs here (a file template, a security protocol, a workflow improvement), open a PR. See 8-ship/CONTRIBUTING.md.


bedrock. lay it before you build.
