What Software Engineers Actually Review in the Vibe Coding Era

By Zain • January 27, 2026

Line-by-line code review doesn't scale to AI speed. Here's what does:

[Figure: The new review workflow: AI writes features, architecture change detected, visual diff, 30 second review, approve or reject]

AI writes features. Architecture changes trigger a visual diff. You review in 30 seconds instead of 30 minutes. The implementation details? Let AI review tools handle those.

Your job is to review the contract.

What Actually Warrants Human Attention

Three things:

1. Architecture — What capabilities does the system have? What functions exist, and what can they do?

2. Access Control — Who can perform each action? Which roles have access to which capabilities?

3. Data Surface — What entities does the system operate on? What's the blast radius when something goes wrong?

Everything else—implementation details, variable names, code style—can be handled by AI review tools and linters.

The Tooling: ont-run

This shift requires new tooling. You can't review architecture by scrolling through thousands of lines of TypeScript.

ont-run provides a visual review surface. One command shows you the entire system:

[Figure: ont-run table view showing 26 functions, 8 entities, and 4 access groups]

26 functions. 8 entities. 4 access groups. At a glance, you understand the shape of your system.

Reviewing Capabilities

Click any function to see what it can do:

[Figure: ont-run function detail view showing access groups, entities, and schemas]

Which access groups can call this function? What entities does it touch? What are the input and output schemas?

Reviewing Access Control

Click any access group to see its full permission set:

[Figure: ont-run access group view showing all functions available to a role]

Can a public user call admin-only functions? Does the support role have access to billing operations? These questions are answered in seconds.

Reviewing the Data Surface

Click any entity to see every function that touches it:

[Figure: ont-run entity view showing all functions that operate on an entity]

If someone compromises this entity, what's the blast radius? What functions can read it? Write to it? Delete it?

The Enforcement Layer

Visual review is half the solution. The other half is enforcement.

ont-run generates an ont.lock file that captures your architecture with a cryptographic hash. If the architecture changes—new functions, modified access controls, different entity relationships—the hash changes.

The framework refuses to start if the hash doesn't match. This isn't a prompt that agents can ignore or forget. It's framework-level enforcement. The system physically cannot run if the architecture changed without review.
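To make the lock-and-refuse mechanism concrete, here is an added sketch that is not ont-run's own code: it hashes a canonical form of the ontology, compares it to a stored lock, and reports what changed at the contract level. The `Ontology` and `Lock` shapes, the function names, and the sample data are assumptions, since the page does not show the real schema or the `ont.lock` format.

```typescript
import { createHash } from "node:crypto";

// Hypothetical shapes: the page does not show ont-run's schema or the ont.lock format.
type Fn = { access: string[]; entities: string[] };
type Ontology = { functions: Record<string, Fn> };
type Lock = { hash: string; ontology: Ontology };

// Canonical form: names and lists are sorted, so reordering source code
// or array literals does not change the hash; only the contract does.
function canonical(o: Ontology): string {
  const names = Object.keys(o.functions).sort();
  return JSON.stringify(names.map((n) =>
    [n, [...o.functions[n].access].sort(), [...o.functions[n].entities].sort()]));
}

function hashOntology(o: Ontology): string {
  return createHash("sha256").update(canonical(o)).digest("hex");
}

// Contract-level changes between the reviewed snapshot and the current code.
function diffOntology(locked: Ontology, current: Ontology): string[] {
  const out: string[] = [];
  const names = Object.keys({ ...locked.functions, ...current.functions }).sort();
  for (const name of names) {
    const was = locked.functions[name], now = current.functions[name];
    if (!was) { out.push(`+ function ${name} (access: ${now.access.join(",")})`); continue; }
    if (!now) { out.push(`- function ${name}`); continue; }
    for (const key of ["access", "entities"] as const) {
      for (const v of now[key]) if (was[key].indexOf(v) < 0) out.push(`+ ${name} ${key}: ${v}`);
      for (const v of was[key]) if (now[key].indexOf(v) < 0) out.push(`- ${name} ${key}: ${v}`);
    }
  }
  return out;
}

// Startup gate: refuse to run when the ontology differs from the reviewed lock.
function assertReviewed(lock: Lock, current: Ontology): void {
  if (hashOntology(current) === lock.hash) return;
  throw new Error("ontology changed without review:\n" + diffOntology(lock.ontology, current).join("\n"));
}

// Constructed sample: a reviewed ontology, then a change that widens access.
const reviewed: Ontology = { functions: {
  getInvoice: { access: ["admin", "support"], entities: ["Invoice"] },
  refundInvoice: { access: ["admin"], entities: ["Invoice", "Payment"] },
} };
const lock: Lock = { hash: hashOntology(reviewed), ontology: reviewed };
const widened: Ontology = { functions: { ...reviewed.functions,
  refundInvoice: { access: ["support", "admin"], entities: ["Payment", "Invoice"] } } };
```

Calling `assertReviewed(lock, widened)` throws and names the new `support` grant on `refundInvoice`, while a pure reordering of the same ontology passes. The gate is only as strong as the review of the lock itself, so changes to the lock file belong in the same approval step.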


The code is the implementation. The ontology is the contract.