Foundations for AI Developers

You cannot direct an AI agent past your own ceiling of understanding. Whatever the agent produces, you have to read it, judge it, accept it, or reject it. If your model of how the system works is wrong, the agent's output will reflect that wrongness back at you, and it will do so at production scale. The myth that AI removes the need for fundamentals is exactly backward. Foundations matter more now, not less, because the speed at which a confused author can ship broken software is no longer bounded by typing speed.

This page argues a single position. The fastest path to shipping real software with AI tools is the same path that produced competent engineers before AI existed, with some sections compressed and some sections moved earlier in the curriculum. There is no skip. There is a shorter route, and that shorter route still has a floor. This page describes the floor.

The Myth That AI Removes the Need for Fundamentals

In 2023, the marketing pitch around AI coding tools was simple. Anyone can build software now. Describe what you want in English, get working code, ship a product. The pitch sold a beautiful idea. It sold the elimination of a barrier that had kept millions of would-be product builders out of the field for forty years. The pitch worked because it was almost true.

By 2026, the picture is sharper. Yes, you can build. The barrier to producing something that runs on a laptop has collapsed. A motivated non-engineer with Claude Code, a clear idea, and three weekends can put together an application that boots, displays a screen, accepts input, and stores data. That is real. It was not real in 2019.

What did not collapse is the floor of understanding required to direct AI well. The floor moved. It used to include syntax memorization, language-specific quirks, and a long apprenticeship in writing every line by hand. That floor is gone or shrinking fast. The new floor is structural understanding. You need a working mental model of how the system you are building actually works. Without that model, you cannot tell when the AI's output is wrong. You cannot review a diff. You cannot debug a 500 error. You cannot make a sane call about whether to ship the migration the agent just generated.

Here is the failure pattern. A non-engineer with a real product idea opens an AI agent and types something like "build me a SaaS app for managing client invoices, with login, Stripe payments, and a dashboard." The agent produces a working scaffold in a few minutes. The user runs it locally. It boots. The login screen renders. The user celebrates. They show it to a friend. The friend signs up. Things look fine.

Then the user does the second test. They sign up with the same email twice. The app crashes. They look at the database and find two rows with the same email and different user IDs, neither linked to anything, both holding stale session tokens. They ask the AI to fix it. The AI adds a unique constraint. The migration partially fails because the AI did not know there was already duplicate data in the table. The constraint is now half-applied. Nobody can sign up. Existing users cannot log in. The user has no idea what happened, which file to look at, or how to roll the migration back.

This is not a failure of the AI. The agent did exactly what it was asked. It is a failure of the floor. The user did not have a working model of what a database migration is, what a unique constraint does, or what happens when you apply one to a table that already violates it. With a slightly larger floor, the user would have caught the duplicate-data problem before running the migration. With a real floor, they would have written a one-line query to check the data first, asked the AI to write a deduplication script, run that, then applied the constraint.

The AI was capable of doing all of that. The user did not know to ask. That gap, between what the agent can do and what the user knows to direct, is the gap this page is about.

The same dynamic plays out across every category of bug a real product hits. Authentication that works in dev but leaks session state in production. Background jobs that quietly drop tasks because nobody set up retries. APIs that succeed under one user but melt under five hundred concurrent ones. Schema changes that lock the table for ten minutes and take the site down during the deploy. None of these are rare. All of them are within the AI's ability to handle correctly when prompted. None of them are within the AI's ability to anticipate when the prompter does not know they exist.

This is the asymmetry. The AI is a strong responder. It is a weak forecaster. Strong response means: when you describe a problem accurately, the agent often has a good answer. Weak forecasting means: the agent will not raise its hand and say "by the way, your auth flow has no rate limiting and a script can brute-force it in fifteen minutes." Not because the agent could not figure that out. Because nobody asked. The forecaster role belongs to whoever is sitting at the keyboard, and the forecaster needs the floor.

The Minimum Viable Programming Literacy

Programming literacy is not about writing code from scratch. The AI writes the code. Literacy is about reading code well enough to know when the AI's output is right, wrong, or weird. There are a small number of concepts that, once you have them, change everything.

Reading code

You need to look at a function and understand what it does. Not at the level of a senior engineer, but at the level of a careful reader. A function takes inputs, does work, returns outputs. A loop runs the same logic over a list of things. An if/else picks one branch based on a condition. Async/await means "this thing takes time, the program will keep going while it waits, then resume here when the result is ready." That is the core literacy.

If you can read a 30-line function and tell me, in plain English, what it does, you have the floor for this category. If you cannot, every diff the AI produces is a black box, and you are accepting changes on faith.

Recognizing the shape of a bug

Bugs come in patterns. Once you have seen the patterns, you recognize them in seconds. A few of the most common.

Type confusion. The code expected a number, got a string. The code expected an object, got null. The code expected an array, got a single value. These show up as "cannot read property X of undefined" or "X is not a function" in JavaScript, and as TypeError messages in Python. When you see one of these, the question is always: where did the wrong type come in, and what was supposed to convert it?

Null reference. The code did not check whether a value existed before using it. Database query returned no rows. API call returned an empty response. Optional field on a form was left blank. Now somewhere downstream, the code assumes the value is there and crashes.

Race condition. Two operations were supposed to happen in order, but happened in parallel, and the second one ran before the first one finished. This is the bug that "works on my machine" and breaks under load. Almost always involves async code, database writes, or external API calls.

Off-by-one. The loop ran one too many times or one too few. The array index was wrong by one. Classic, ancient, still everywhere.

State mismatch. The frontend thinks the data is one thing, the backend thinks it is another. Usually because a cache did not invalidate, or a refresh did not happen, or two tabs are open and one is stale.

You do not have to fix these. You have to recognize them when the AI describes the bug, and you have to know which questions to ask next. "Where does the null come from? What was supposed to set it? Why is the cache stale? When was it last invalidated?" Those questions are the floor.

Reading a stack trace

A stack trace is the most-read, most-misunderstood document in software. Top of the stack is where the error happened. Bottom of the stack is where the program started. Between them is the chain of function calls that led to the error. Read top to bottom for "what failed and where," bottom to top for "how did we get here."

Most stack traces include line numbers, file paths, and the actual error message. Eighty percent of bugs are solved by reading the stack trace carefully, finding the line, and asking "what value did this expect, and what did it actually get." The AI can do the second part. You have to be willing to read the trace.

Compile-time vs runtime errors

Compile-time errors happen before the program runs. The compiler or type-checker looks at the code, sees that it does not make sense, and refuses to build. These are the easy errors. They show up in the editor as red squiggles. They show up in the build step as a list of failures with file paths and line numbers. You fix them by reading the message and changing the code.

Runtime errors happen while the program is running. The code looked fine, the build succeeded, but at runtime, something the type system could not predict went wrong. A network call failed. A user entered something unexpected. A database row was missing. These are harder. They require logs, monitoring, reproduction steps.

The distinction matters because the fix is different. Compile-time, you look at the code. Runtime, you look at the logs and the data.

The numbers above are rough. They are also defensible. To direct an AI agent through a small project, you need maybe thirty percent of what a senior engineer carries around. To catch the bugs the agent introduces, especially the silent ones, you need closer to seventy. To design a system from scratch that holds up under real traffic, you still need almost everything a senior knows, because the architectural decisions compound and the agent will not push back on a bad one.

How Code Is Structured

Code does not live in one big file. It lives in a tree. Files, folders, modules, packages. Most beginners look at a project directory and see noise. Engineers look at the same directory and see a map. The difference is knowing what each piece is for.

Files, folders, modules, packages

A file is a single text file, usually one piece of related code. A folder is a directory holding multiple files, typically grouped by purpose. A module is a unit of code that exports things to other parts of the project. In most languages, one file equals one module, but the concepts are not identical. A package is a collection of modules distributed as a unit, often pulled from a registry like npm or pypi.

You do not have to draw the distinctions perfectly. You have to be able to look at a project and answer: where does the entry point live, where do the routes live, where does the database code live, where do the styles live. If you cannot answer those four questions about a project, you cannot review changes the AI makes to it.

Entry points, modules, libraries

An entry point is the file the program starts running from. In a Node project, often `index.js` or a path declared in `package.json`. In a Next.js project, the entry is implicit, defined by the framework convention. In a Python project, often `main.py` or whatever you point the interpreter at.

A module is a piece of code that exports functions, classes, or values for other modules to use. Modules import each other. The import graph is the skeleton of the project.

A library is a module or collection of modules written by someone else, installed via a package manager, and used as a dependency. Libraries are imported the same way as your own modules, but they live in a separate folder, usually `node_modules` for JavaScript or a virtual environment for Python.

Imports and dependency graphs

Every time a file uses code from another file, it imports it. The collection of all import relationships is the dependency graph. Bigger projects have hundreds or thousands of files in this graph. The graph is rarely visualized, but engineers carry a rough mental version of it.

The flow above is a typical backend service. The entry point starts the server. Routes match incoming requests to handlers. Controllers parse the request and call business logic. Services hold the business logic. The database layer reads and writes data. Each arrow is an import. Each node is a folder or a small group of files.

This matters because the AI agent makes changes across files. If you ask for a feature, the agent might touch the route file, the controller, the service, and the database layer in one diff. If you cannot read the structure, you cannot review the diff. You will accept changes you do not understand, and one of them will eventually be the change that broke production.

The shortcut. When you open a project, spend ten minutes reading the directory structure. Open the entry point. Follow the imports. Pick one feature, trace it from request to database. You do not have to memorize the whole codebase. You have to know how to find your way around it. The AI can help you with this. Ask it to explain the structure. Ask it to draw the import graph. The model has read more code than any human alive. It will tell you what it sees.

How the Web Works

Most AI-built apps are web apps. If you do not have a model of how the web works, every error is a mystery and every deployment is a prayer. The good news. The model is not complicated. It fits on one page.

The request/response model

A browser sends a request. A server receives it, does work, sends a response. The response is usually HTML, JSON, or a file. The browser displays the response. That is the entire web, at the level of abstraction you need.

Every page load is a request. Every form submission is a request. Every API call is a request. Some pages, after they load, send more requests in the background to update parts of the screen without a full reload. These are still just requests. The model does not change.

Client vs server

The client is the browser. It runs JavaScript, displays HTML, manages user input. The server is a process running on a machine somewhere, listening for incoming requests, doing work, sending responses. Modern web frameworks blur the line, with code that runs partly on the server and partly on the client, but the underlying split is the same.

Things you can do on the client: render UI, validate input, store small amounts of local state. Things you should never do on the client: trust user input, store secrets, enforce business rules. Anything sensitive happens on the server, because the client is fully under the user's control and a sufficiently motivated user can change it.

HTTP basics

HTTP is the protocol the browser uses to talk to the server. It has a small vocabulary worth knowing.

Methods. GET reads. POST creates. PUT and PATCH update. DELETE removes. There is more nuance, but those four cover the territory.

Status codes. 200 means success. 201 means created. 301 and 302 are redirects. 400 means the client sent bad data. 401 means not authenticated. 403 means authenticated but not allowed. 404 means not found. 500 means the server crashed. 502 and 504 mean a proxy in front of the server could not reach it. Memorize these. Every web error you ever see will start with one of these numbers.

Headers. Metadata about the request or response. Things like content type, authentication tokens, caching directives, and cookies all travel in headers. You do not have to know every header. You have to know they exist and be willing to look at them when something is broken.

Cookies. Small pieces of data the server sends to the browser, which the browser sends back on every subsequent request. Cookies are how the server knows you are still logged in across page loads. They are the foundation of session management, and they are also a major source of security and privacy issues.

DNS, domains, SSL/TLS

A domain is a human-readable name like `example.com`. A DNS lookup translates that name into an IP address, which is what the browser actually connects to. SSL/TLS is the layer that encrypts the connection between the browser and the server, turning `http://` into `https://`. A working web app needs all three. A broken DNS record, an expired certificate, or a missing redirect from HTTP to HTTPS will all surface as user-visible failures, and they will all look different.

The flow above is what happens every time you type a URL and hit enter. Each step can fail in its own way. DNS can return the wrong address. The server can be unreachable. The TLS handshake can fail because of a bad certificate. The HTTP request can be malformed. The server can return a 500. The browser can fail to render the response. When something is broken, the question is always: which step failed?

Without this model, a 500 error is a mystery. With this model, a 500 error is a starting point. You go to the server logs, you find the request, you read the stack trace, you fix the bug.

How Databases Work

Almost every real application stores data. The shape of that storage is load-bearing. Get it wrong and the whole app is fragile. Get it right and the app is easy to evolve. AI agents have strong defaults for database design, but the defaults are not always correct for your use case, and if you cannot read SQL, you cannot review the migration.

Tables, rows, columns, primary keys

A relational database stores data in tables. A table has columns, which define the shape of the data. A table has rows, which are instances of that shape. Each row has a primary key, which is a unique identifier. Every relational database in widespread use, including Postgres, MySQL, and SQLite, works on this model.

A users table might have columns for id, email, password_hash, created_at. Each row is one user. The primary key is usually id. Every other table that needs to refer to a user does so by storing that user's id, which is called a foreign key.

Relations and joins

Tables relate to each other through keys. A users table and an invoices table. Each invoice has a user_id column pointing back at a row in users. To find all invoices for a particular user, you query the invoices table where user_id matches. To get the user data and the invoices in one result, you join the two tables.

Joins are the operation that combines rows from two or more tables based on a related column. There are several flavors. Inner join returns only matching rows. Left join returns all rows from the left table and matching rows from the right. Outer joins are rarer. The AI knows when to use which. You should know enough to read the result and tell whether it makes sense.

Transactions and integrity

A transaction is a group of operations that succeed or fail together. If you charge a credit card and create an invoice, you want both to succeed or neither. A transaction wraps the two operations. If anything goes wrong in the middle, the database rolls back, and it is as if nothing happened.

Integrity constraints are rules the database enforces. A unique constraint ensures no two rows have the same value in a column. A foreign key constraint ensures every reference points at a real row. A not-null constraint ensures a column is always populated. These constraints are how the database protects you from your own bugs. AI agents sometimes forget to add them. You have to know to ask.

Indexes

An index is a data structure the database keeps to make lookups faster. Without an index, finding a row means scanning the whole table. With an index, the database goes straight to the row. Indexes are the difference between a query that runs in 2 milliseconds and one that runs in 2 seconds.

You do not have to design indexes from scratch. The AI will suggest them. You have to know to ask "is there an index on this column" when a query is slow. The AI will check, find that there is not, and add one. Without the question, the slow query just stays slow.

SQL vs NoSQL at a high level

SQL databases are the relational ones. Postgres, MySQL, SQLite. They enforce a schema. They support joins. They support transactions. They are the default choice for most applications, and the choice you should reach for unless you have a specific reason not to.

NoSQL is a family of databases that work differently. MongoDB stores documents, which are JSON-like structures. Redis stores key-value pairs in memory. DynamoDB and Firestore store key-value or document data with their own quirks. NoSQL databases are good for specific use cases, mostly around scale and flexibility. They are not a free lunch. They give up joins, transactions, and schema enforcement, and they make you build those guarantees in application code if you need them.

Why the floor matters here. Schema design is a one-way door. Once you have data in a shape, changing the shape is painful. The AI will produce a working schema in seconds, and the schema will work for the demo. Whether it scales, whether it supports the queries you actually need, whether it captures the relationships you implicitly know about your domain, is on you. If you cannot read the schema and the queries, you cannot review them. You are accepting them on faith.

How Deployment Works

Every app eventually leaves the laptop. The path from "it works on my machine" to "it works for users on the public internet" is the part many AI-assisted projects skip until launch day. Launch day is the wrong time to learn what a reverse proxy is.

Local dev to staging to production

Three environments. Local is your laptop, where you build. Staging is a copy of production, used to test changes before they go live. Production is the live system real users hit. The progression is the same in every serious project. Code goes from local to staging to production. Each step adds confidence. Skipping staging works until it does not, which is usually the time you most regret it.

What "the server" actually is

A server is a process running on a machine somewhere, listening on a port. That is the physical reality. The machine might be a virtual server in a data center, a serverless function on a cloud provider, or a container running on an orchestrated cluster. The shape varies. The essence does not. Some piece of software is running, waiting for connections, responding to requests.

When you "deploy a server," what you are doing is taking your code, putting it on a machine somewhere, starting the process, and making sure traffic from the internet can reach it. Each part of that sentence is its own little world.

Domains, DNS, reverse proxies, SSL termination

To put your server on the internet, you need a domain pointing at the server's IP address. You need a way for HTTPS traffic to reach the server, which usually involves a reverse proxy that handles the SSL termination and forwards the request to your application process. The reverse proxy might be Nginx, Caddy, a managed service like Cloudflare, or a layer baked into the platform you deploy on. The pattern is the same. Public traffic hits the proxy, the proxy hands the decrypted request to your app, your app responds, the proxy encrypts the response and sends it back.

This is the part most people get wrong on launch day. The DNS is misconfigured. The certificate is missing. The reverse proxy is forwarding to the wrong port. The application is running but unreachable. Each of these has a different fix, and each fix requires knowing what the moving parts are.

The build step

Most modern web apps have a build step. The code you write is not the code that runs in production. The build step takes your source files, compiles them if the language requires it, bundles them into smaller numbers of files for faster loading, generates static assets where possible, and produces a deployable artifact.

For a Next.js app, the build step generates HTML, JavaScript bundles, and static assets, and figures out which routes can be served as static files and which need a running server. For a Node API, the build step might just be a TypeScript compile. For a Go service, the build step produces a single binary. The shape varies. The principle is the same. There is a transformation between source code and what actually runs.

When the build step fails, deployment fails. Reading the build log is the first move, every time. The AI can read it for you. You have to be willing to ask.

Real tools

Vercel is a deployment platform built around Next.js and similar frameworks. Push to a Git branch, get a preview deployment with its own URL. Merge to main, get a production deployment. The platform handles the build, the reverse proxy, the SSL, the CDN. Cost starts free, scales based on usage.

Render and Railway are similar in spirit, more flexible about what they run. They handle web services, background workers, databases, cron jobs. They are good defaults for apps that are not pure Next.js.

Classic VPS providers like Hetzner, DigitalOcean, and Linode give you a Linux machine and root access. You set up the reverse proxy, the process manager, the SSL, the firewall, the deployment pipeline. More work. Cheaper at scale. More control. The AI can help you set the whole thing up, but you have to understand the pieces enough to debug them when they break.

Versioning and Dependencies

Modern software is built on libraries, and libraries change. Every project carries a list of dependencies and the specific versions of those dependencies. Managing the list is its own discipline.

Why semver matters

Semver, short for semantic versioning, is the convention most libraries use to number their releases. A version looks like `2.5.1`. The first number is major. The second is minor. The third is patch.

Patch releases fix bugs without changing behavior. Going from 2.5.1 to 2.5.2 should be safe. Minor releases add features without breaking existing usage. Going from 2.5.1 to 2.6.0 should also be safe, in theory. Major releases change behavior in ways that might break your code. Going from 2.5.1 to 3.0.0 means you have to read the release notes and probably update your code.

The convention is not always honored. Libraries sometimes break things in minor releases. The convention still matters because most of the time, it works, and when it does not, you have a starting point for the conversation.

Lockfiles

A lockfile records the exact versions of every dependency, including the transitive ones. When you install a Node project, npm reads `package.json` for the requested versions and writes `package-lock.json` with the exact versions actually installed, all the way down. Yarn uses `yarn.lock`. Pnpm uses `pnpm-lock.yaml`. Python has `Pipfile.lock` or the lock data inside `poetry.lock`.

The lockfile is what makes builds reproducible. Without it, two people running the same install command on different days can end up with different versions of the same library, and one of them will hit bugs the other one does not. Always commit the lockfile. Always.

Why version conflicts happen

Libraries depend on other libraries. Library A says it needs library X version 1.x. Library B says it needs library X version 2.x. The package manager has to pick a version that works for both, or fail. Sometimes it can pick a version. Sometimes the conflict is real, the two libraries are incompatible, and you have to choose between them.

This is what dependency hell looks like in practice. The error messages are often inscrutable. The AI agent helps a lot here, because it has seen most of the common conflicts and knows the workarounds. The AI will tell you "library A needs version 1, library B needs version 2, and library C is the bridge that makes both work." Without the AI, this is hours. With the AI, this is minutes. With the AI and no understanding of what is happening, this is hours of confused back-and-forth where you keep asking the agent to fix it and the agent keeps trying things.

The "delete node_modules" reflex

When something is wrong with dependencies, the universal first move is "delete node_modules and reinstall." Sometimes this works. The lockfile gets re-applied, and whatever was corrupted gets repaired. Other times it does nothing, because the corruption is in the lockfile itself or the package.json.

The reflex is not wrong. It is a cheap experiment. If it works, great. If it does not, you learn that the problem is deeper, and you stop trying that and start reading the actual error messages. The AI can help you read them. Ask "why is this dependency installation failing" and paste the log.

The AI version-pick failure

Here is a specific failure mode worth naming. You have an existing project with a lockfile. You ask the AI to add a new dependency. The AI suggests a version. The version it suggests is the latest, but your project depends on something else that requires an older version of a shared transitive dependency. The install succeeds, sort of. It throws a warning. You miss the warning. The build runs. The app starts. Three days later, in production, a specific code path triggers the version mismatch and crashes.

The fix is to ask the AI "is this version compatible with my existing lockfile, and if not, what version would be compatible." The model can read your lockfile, check the constraints, and pick a version that fits. It will not do this unless you ask. Lockfile-aware dependency management is something you have to direct.

Just Enough Debugging Mindset

Debugging is the highest-return skill in software, and the one AI cannot fully replace. The AI is a powerful tool inside the loop. It cannot run the loop for you. The loop is the debugging mindset.

The debugging loop

Observation. Hypothesis. Test. Conclusion. The scientific method applied to bugs.

You observe what is happening. The login button does not work. You form a hypothesis. The button is firing the wrong handler. You test the hypothesis. You add a console log to the handler, click the button, see if the log fires. You draw a conclusion. The log did not fire, so the handler is not running. New hypothesis. The button click is not registering at all. New test. And so on, until you find the actual cause.

This loop is fast or slow depending on how good your observations are, how plausible your hypotheses are, and how cheap your tests are. The AI accelerates every step. It can suggest hypotheses. It can write the test code. It can read the logs and pull out what matters. What it cannot do is decide what to look at next when the test fails. That decision is the mindset, and it lives in you.

Reading errors as the first source of truth

Most bugs come with an error message. The error message is almost always more informative than the user-visible symptom. "Cannot read property X of undefined at line 42" tells you, in one sentence, what failed and where. Reading that sentence carefully, before doing anything else, solves a lot of bugs.

Most beginners do not read errors. They see red text, panic, and start changing things. The AI loop amplifies this. The user copies the error to the agent without reading it. The agent suggests a fix. The user applies it. The fix does not work because the agent guessed. They go around the loop again. Three rounds in, nobody knows what is happening.

The fix is simple. Read the error first. Then ask the AI. The AI's response is dramatically better when you say "I have this error, here is what I think is happening, please tell me if I am right" than when you say "fix this." The first prompt invites a real diagnosis. The second invites a guess.

The rubber duck pattern

Engineers have a tradition called rubber ducking. You explain the bug to a rubber duck on your desk. Halfway through the explanation, you realize what is wrong. The rubber duck does not have to say anything. The act of articulating the problem clearly is the work.

The AI is a better rubber duck. You can explain the bug, and the agent can ask clarifying questions, suggest things to check, or simply listen. Half the time, by the third paragraph, you have figured it out. The other half, the agent points at something you missed. Either way, the act of articulating the bug clearly is what unlocks the fix.

When to step back

Sometimes you go around the debugging loop five times and you are no closer. The hypotheses keep failing. The tests keep showing nothing. This is the signal to step back, not to keep grinding.

Step-back means widening the frame. Maybe the bug is not where you are looking. Maybe the assumption you have been making for the last hour is wrong. Maybe you misread the spec. Maybe you have been chasing the wrong symptom. Going for a walk, sleeping on it, or explaining it to someone else are all valid moves. The AI cannot do this for you, because it does not know that you have been stuck for an hour. You have to notice and call the audible.

The Floor That Lets You Use AI Well

Synthesis. The argument of this page lands here.

A developer with these foundations, paired with Claude Code, can ship production software solo. Not just demos. Real software, with users, with paying customers, with the kind of reliability that matters. The foundations carry the architecture decisions, the bug-catching, the security instincts, the deployment confidence. The AI carries the typing, the boilerplate, the syntax, the API research, the pattern matching, the parallel exploration of approaches. Together they are faster than either alone, and the output is good.

A developer without the foundations, paired with the same Claude Code, ships demos that break. Sometimes the demo is enough. A pitch deck. A prototype. An internal tool nobody depends on. For those, no foundation is fine. The trouble is that the line between "this is a demo" and "this is production" is not always obvious, and demos have a way of becoming production by accident. Once they cross that line, the absence of the floor shows up everywhere. Auth is leaky. Data integrity is shaky. Errors are unhandled. The deployment is fragile. Each individual issue is fixable, but together they form a system the user cannot reason about.

The threshold

The threshold is roughly this. You can read a 30-line function and explain what it does. You know the difference between a 401 and a 403. You can look at a database schema and tell whether it makes sense for the app. You know what a build step is and what fails when it fails. You can read a stack trace. You know what a transaction is and when one matters. You have a working mental model of the request/response cycle. You understand that lockfiles exist and what they are for.

That is not "senior engineer." That is "competent operator of an AI agent on a real project." It is a smaller list than a CS degree. It is not a small list. There is no five-minute version. The shortest honest path to this floor is somewhere between two and six months of focused study, and that assumes you are working on real projects the whole time, not just reading.

Some readers will disagree. The disagreement usually takes the form of "but I shipped a SaaS in two weeks with no programming background and it works fine." This is sometimes true. The category of project where it is true is small, and it is shrinking, because the projects that succeed without the floor are the ones that never grow past the size where the floor would have mattered. If your project succeeds, you eventually need the floor. The choice is whether you build the floor on the way up or learn it during your first incident.

Where to start

If you are below this floor and you want to be on it, the order matters. Start with reading code. Pick an open source project, open it in your editor, and read it. Do not write anything. Just read. Ask the AI to explain what each file does. After a week or two, you will have a feel for the structure of small applications. Move from there to small modifications. Add a log. Change a string. Run the tests. Then bigger modifications. A new endpoint. A new field on a database table. A new page in a web app.

Web fundamentals come next. The request/response model, HTTP methods, status codes, cookies. There are good free resources. Read them. Build a tiny API, by hand or with the AI, that exposes a few endpoints. Talk to it from a browser console.

Databases come around the same time. Install Postgres locally. Create a database. Make a few tables. Insert some rows. Query them. Join them. The AI can write the SQL. You should run it, look at the results, and form an intuition about how the database thinks.

Deployment is last and worth the time. Take a small project, however small, and put it on the public internet. Buy a domain. Point it at a server. Set up SSL. Watch it serve real traffic, even if the only traffic is you on your phone. The first time you do this is the day you understand how the web actually works, and what you understood up to that point was a sketch.

Debugging is woven through all of it. Every project will break. The breaking is the lesson. Every fix is one more pattern you recognize next time.

The fundamentals are still the fundamentals. AI changes how you apply them, not whether you need them. The fastest path to vibe coding competence runs through the same territory engineers have always covered, just with a different finishing distance. The new finishing distance is shorter. The starting line is in the same place it has always been, and that starting line is the floor this page describes.