One of the ways to turn vibe coding into agentic engineering is to make sure you apply the right structure to how the output is evaluated. You’re still letting AI write the code, but you’re building a system around it that catches the things it misses.
Red/green test-driven development is the obvious one. Write the test first, let the AI write the implementation, and the test tells you whether it worked.
With OpenAI’s privacy-filter you can add a different kind of check: a small model that detects PII in text. Names, emails, phone numbers, addresses, API secrets. It runs locally on your machine, 50 million active parameters, fast enough to use as a pre-push check.
I wired this into Claude Code as a hook. Every time Claude tries to git push, the hook scans every changed file through the model and blocks the push if it finds PII:
PII detected — push blocked.
src/config.ts:2 private_email (1.00) "john.doe@company.com"
src/config.ts:3 private_person (1.00) "John Doe"
src/config.ts:4 secret (1.00) "sk-proj-abc123xyz789secretkey"
About 150 lines of TypeScript. The model runs through Transformers.js on CPU, downloads once (~900MB quantised), then loads from local cache. The Claude Code hook configuration is a few lines of JSON that say “before any git push, run this script, and if it exits with code 2, block the action.”
You’ll have to tune the process a little, though, and ignore all warnings for private_url, since it’s pretty aggressive and will likely tag all URLs in your code as PII and block the push.
What is really cool is that you can actually wire this into a GitHub Action, alongside all your other test scripts (that I’m sure you already have and run on each deploy), so that even if you’re pushing from your phone while coding with Claude Code in the app, the push will get this check as a step. You’ll need to set up a separate repo for it and point your CI/CD process to it, but it’s relatively straightforward.
Want to set this up? Paste this into Claude Code:
Create a Claude Code PreToolUse hook that scans all changed files for PII before git push using the openai/privacy-filter model from Hugging Face. Use Transformers.js with q4 quantisation so it runs locally on CPU. The hook should get the list of changed files from git diff, scan each one through the model’s token-classification pipeline, and block the push (exit code 2) if any PII is found with confidence above 0.8. Print the findings with file path, line number, PII type, and matched text. Configure it in .claude/settings.local.json.
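The gating step the prompt describes, as an added sketch that is not the author's hook code: it decides whether a `git push` is blocked, applying the 0.8 threshold and the private_url exception mentioned above. The `Finding` shape and the function names are assumptions, `tool_name` and `tool_input.command` are read from the hook's JSON input, and the model run itself is replaced by constructed findings.

```typescript
// Added example: decision logic for a pre-push PII gate (not the author's hook code).
// Finding is an assumed shape: model output already mapped back to file and line.
interface Finding { file: string; line: number; label: string; score: number; text: string }

const IGNORED_LABELS = new Set(["private_url"]); // tuning from the page: too noisy on code
const MIN_SCORE = 0.8;                            // confidence threshold from the prompt
const BLOCK = 2;                                  // exit code that blocks the tool call

// True when the hook payload describes a Bash call that contains `git push`.
// Only the plain `git push` form is matched; the CI check covers other routes.
function isGitPush(payloadJson: string): boolean {
  try {
    const p = JSON.parse(payloadJson) as { tool_name?: string; tool_input?: { command?: string } } | null;
    return p?.tool_name === "Bash" && /\bgit\s+push\b/.test(p?.tool_input?.command ?? "");
  } catch {
    return false; // unparseable payload: not a call this gate recognises
  }
}

// Drop ignored labels and low-confidence hits, then order by file and line.
function blockingFindings(findings: Finding[]): Finding[] {
  return findings
    .filter(f => !IGNORED_LABELS.has(f.label) && f.score > MIN_SCORE)
    .sort((a, b) => a.file.localeCompare(b.file) || a.line - b.line);
}

function evaluatePush(payloadJson: string, findings: Finding[]): { exitCode: number; report: string } {
  if (!isGitPush(payloadJson)) return { exitCode: 0, report: "" };
  const hits = blockingFindings(findings);
  if (hits.length === 0) return { exitCode: 0, report: "" };
  const rows = hits.map(f => `${f.file}:${f.line} ${f.label} (${f.score.toFixed(2)}) ${JSON.stringify(f.text)}`);
  return { exitCode: BLOCK, report: ["PII detected: push blocked.", ...rows].join("\n") };
}

// Constructed sample input: two real hits, one URL hit, one low-confidence hit.
const samplePayload = JSON.stringify({ tool_name: "Bash", tool_input: { command: "git push origin main" } });
const sampleFindings: Finding[] = [
  { file: "src/config.ts", line: 4, label: "secret", score: 1.0, text: "sk-proj-abc123xyz789secretkey" },
  { file: "src/config.ts", line: 2, label: "private_email", score: 1.0, text: "john.doe@company.com" },
  { file: "src/api.ts", line: 7, label: "private_url", score: 0.99, text: "https://api.example.com/v1" },
  { file: "README.md", line: 12, label: "private_person", score: 0.55, text: "Ada" },
];
console.log(evaluatePush(samplePayload, sampleFindings).report);
```

A real hook would write `report` to stderr and exit with `exitCode`.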
This note is a living document and will keep changing. It's not an article. It's a notebook page I'm letting you read over my shoulder. If you spot something I'm wrong about, or if you've worked through the same thing differently, reply to henrik@holenventures.com.