A BEAUTY BLOGGER JUST TAUGHT ROW-LEVEL SECURITY. VIBE CODING ISN'T EMERGING — IT'S BASELINE.
A non-coder shipped a beauty app with Claude Code. Her blog has a whole section teaching RLS via apartment analogy. When beauty bloggers are explaining Row-Level Security, vibe coding isn’t emerging. It’s baseline. RLS is just the concept everyone still gets wrong first.
What happened
A Japanese beauty blogger — openly “I can’t write code” — published a full write-up of how she built a working skincare app with Claude Code. Tone is warm, the screenshots are real, the app ships.
One section stands out: “Explaining RLS (Row Level Security) as an apartment building.” She walks through Supabase’s tenant-isolation model with a “mansion” analogy (in Japanese, a mansion is an apartment block) — who has keys, which floors they can access, what happens when a resident tries to open someone else’s door. It reads like a children’s book about security — exactly the level a non-coder needs to stop writing policies that leak every user’s data to every other user.
Why this is the signal, not the story
“Someone who can’t code shipped an app” is not new. What’s new is what they had to teach themselves to ship it. Two years ago that was “what is a database.” One year ago it was “what is an API.” Right now it is row-level security.
That matters because RLS is the single most common place where vibe-coded apps in 2025–2026 got popped. The February 2026 Lovable report found 170+ breached databases out of 1,645 scanned. Nearly every pattern traced back to either missing RLS or RLS policies that looked right and weren’t. This is the class of bug that “just ship it” does not survive.
The good news
A beauty blogger writing an apartment analogy for RLS is a bullish signal:
- The ecosystem is pushing security knowledge downstream instead of hoarding it.
- Supabase’s docs and community have made RLS teachable enough for a non-coder to re-explain to her audience.
- Vibe coders are noticing the gotcha early, not after their data leaks on Twitter.
The less-good news
Understanding RLS conceptually is not the same as writing correct policies. An apartment analogy gets you to “I need policies.” It does not get you to “my policy actually works under INSERT when the row doesn’t exist yet and the user is inserting on behalf of another user via a service-role function.” The Snyk ToxicSkills + MCP prompt injection data shows the direction: as agents do more of the plumbing, subtle misconfigurations become more common, not less.
If you are vibe-coding your way to launch
- Read the apartment analogy, internalize it, then stop using the analogy. Real policies need real predicates.
- Turn on RLS for every table. With RLS enabled and no policies, nothing is readable; start from that deny-by-default state and add only the narrow allow policies each role actually needs.
- Test with two users. Log in as A. Try to read B’s data through the UI and through the raw API. Not just “does the dashboard show mine” — actually probe the cross-tenant path.
- Scan the deployed thing. Analogy-level understanding is not a substitute for a probe that tries to read someone else’s rows.
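The policy shape this checklist asks for, including the INSERT gotcha from the previous section, as a worked example added here (not from the blogger's post or from Supabase's own docs). It assumes a Supabase project, i.e. the `auth.uid()` helper and the `authenticated` and `service_role` roles; the `skin_logs` table and the UUIDs are constructed for the example.

```sql
-- Hypothetical "skin_logs" table for the example; auth.uid() is Supabase's
-- helper that returns the caller's JWT "sub" claim as a uuid.
create table public.skin_logs (
  id      bigint generated always as identity primary key,
  user_id uuid not null default auth.uid(),
  note    text not null
);
grant select, insert, update, delete on public.skin_logs to authenticated;

-- 1. Enable RLS. With no policies this is deny-by-default for "authenticated"
--    (service_role bypasses RLS entirely, so any function that inserts on a
--    user's behalf with that key must check ownership itself).
alter table public.skin_logs enable row level security;

-- 2. The policy that looks right and isn't: USING (true) is a valid policy
--    that hands every user's rows to every other user. Left commented out.
-- create policy "logs readable" on public.skin_logs
--   for select to authenticated using (true);

-- 3. Correct per-user policies. SELECT/UPDATE/DELETE filter existing rows
--    with USING. INSERT has no existing row yet, so only WITH CHECK runs,
--    and it must pin user_id to the caller or rows can be inserted "as" anyone.
create policy "own rows: select" on public.skin_logs
  for select to authenticated using (user_id = auth.uid());
create policy "own rows: insert" on public.skin_logs
  for insert to authenticated with check (user_id = auth.uid());
create policy "own rows: update" on public.skin_logs
  for update to authenticated
  using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy "own rows: delete" on public.skin_logs
  for delete to authenticated using (user_id = auth.uid());

-- 4. Two-user probe from the SQL editor, with constructed UUIDs. auth.uid()
--    reads request.jwt.claims, which SET LOCAL lets us set per transaction.
begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"11111111-1111-1111-1111-111111111111"}';
insert into public.skin_logs (note) values ('user A: morning routine');
commit;

begin;
set local role authenticated;
set local request.jwt.claims to '{"sub":"22222222-2222-2222-2222-222222222222"}';
select count(*) from public.skin_logs;   -- B's own rows only, so A's row is invisible
insert into public.skin_logs (user_id, note)
  values ('11111111-1111-1111-1111-111111111111', 'forged as A');
-- the forged insert is rejected by the INSERT policy's WITH CHECK
rollback;
```

Run the same two-user probe through the REST API with each user's real JWT as well, since the SQL editor exercises the policies but not the API path your app actually uses.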
Vibe coding is baseline now. Treat your auth and your RLS as production concerns from your first commit, not after your first user.