Testing Amazon Kiro's Spec-Driven AI Coding Approach

Snyk
05/25/2026
Transcript


It's their integrated development environment, IDE, built for spec driven development using AI coding tools. And in this video, you're going to see my reaction to trying out Kiro for the first time to see how it compares to other AI coding tools. Now in order to get access to Kiro, you've got to go to kiro.dev and you're going to have to join the waitlist. Right now it's in limited access, so you enter to join the waitlist and you'll get an email once you're selected for access. Once you're granted access, you're going to want to not click links in emails. Don't do that. It's good practice not to do that; just go to websites directly. You're going to scroll down to the bottom of this and go to Downloads. Click on Downloads, choose the operating system that you're going to be using Kiro on and run through the steps to install for that operating system. Once Kiro is installed, you're going to see this sign-in view that you have here. You're going to choose to sign in with Google, GitHub, AWS Builder ID, or your organization identity. I'm going to go with GitHub. There's going to be a code from your email that you're going to need to enter to get access after that. This is the view that you're going to see when you need to enter that access code that you'll receive from your email. I'm going to enter my code and validate it and then go from there. Once your code is validated, there are a couple of steps that you have options to choose from. We can import configuration from other IDEs that you might have installed on that same system. In this case, I'm going to skip that. I don't want to go that far just yet. I want to get the full firsthand experience of just Kiro, so I'm skipping that. Choose your theme, always go dark, and we're going to skip setting up the shell as well.
Right off the bat, keyboard shortcuts that I'm used to in VS Code, like zooming in and out, Ctrl plus, Ctrl minus I'm pressing, or Cmd plus or minus on macOS, allow me to make things larger, zoom in and zoom out, so that's great to see. First things first, Kiro, an agentic IDE that helps you do your best work. Sounds good to me. We can open up a project, clone a repository, or connect to something. What does that do? Remote destinations. Please install an SSH extension to list those. Okay, so we're not going to do that. I'm going to probably start with a project that's local, but first, let's get acquainted with the UI. It feels very similar to other IDEs, especially VS Code, which I have a strong background in using quite a bit. We have the Explorer view, Search view, Source Control view, Debug view, Extensions view, and then the Kiro view, which, we've got to open up a project to do that. There's accounts if you want to sign in with GitHub. Bonus credits. 14 days, I get 100 bonus credits for vibing. I could vibe to 100, and then I could spec to 100. Estimated usage resets on October 1st, okay, and then there's more vibing going on here. Zero use, 50 covered in the plan, and then you can upgrade. Upgrading that, at $20 a month, gives you 125. I don't know what these mean. We're going to find out. We're going to see what we can do here. Seems like a pretty generous free tier though, $200 a month, wow, so that's what this little icon is here, and then we have our usual settings, which again, very similar to VS Code. In fact, I'm guessing this is a fork of VS Code, like a lot of the other AI IDEs that are out there, Cursor, Windsurf, and the like. All right, let's open up a project. I have my repo, AI Code Security, that I've been using for all these video series around AI, and I created a Kiro September 2025 folder for it, and it immediately presented this prompt asking me if I trust the authors. I do. Not really. I mean, the authors are AI.
It's not me. Git repository is found in that. Sure, we'll do that. All right, so once we have a project open, and look at that, it's even using VS Code's settings.json, so it must be a fork of VS Code. Once we have that open, we can see this new chat session that's available via the sidebar here. We have the option to select Vibe, where we chat first, then build, explore ideas and iterate as you discover needs, or we can go the Spec route. We plan first, then build, create requirements and design before coding starts. Below that, it also tells you what that's great for. It's great for thinking through features in depth, projects needing upfront planning, and building features in a structured way, whereas with this vibing approach, you just want rapid exploration and testing of new ideas, building when requirements are unclear right now, and then just implementing a simple task, right? This is a really important distinguishing approach to any AI code generation tool, whether you're going to go vibing or you're going to go spec first. Specifically on spec, I want to call out that Microsoft and GitHub recently announced their new Spec Kit. It seems very timely that that's the direction things are going lately with AI code generation tools like this. We also have below that the chat window area where I can enter my prompt. I can choose different models, it looks like, but it's not giving me the option to choose anything other than Claude Sonnet 4 right now, maybe because autopilot's on? Nope. So we'll have to see about that. We can add context: add the code base, specific code, docs, terminal selections, a webpage, the current file and so forth, and then we can attach images if we wanted to as well. That's pretty cool. So with this, we are going to go with the spec first approach, and I'm going to give it the usual prompt that we have in this series of videos. Before we enter a prompt though, let's double check and see what autopilot does.
It seems that in this case, when you have it enabled, Kiro will make changes on your behalf versus you manually asking. It's going to ask for approval. I'm going to go that route, paste in my prompt and send it. I do like the cool little animation, this little ghost animation that they have in there. Branding is pretty cool. I'm a fan. The first thing we see generated from going this route with spec driven development is it creates a requirements.md file for us. And in there we see: this document outlines the requirements for the secure Node.js application. Requirement one, user story: I want to securely register and authenticate with the application so that only I can access my personal notes. Awesome. Some acceptance criteria. This is great to see. Second requirement is as a user. Okay. So it's going based on the user story approach. This is a very common practice in software engineering. We have user stories, the expectations of what a user can and cannot do and what the expected results are for that. So this is great to see. Skim through those. Sounds fantastic. What's the next step here? Do the requirements look good? If so, we can move on to the design. Yeah, let's do that. If you click that follow button that's right here while it's working on things, it will follow along with what actual file changes it's making. That's a nice feature to have there. All right. So we've finished the design phase. They've created this design markdown file and, it calls out, can we render this? Let's see. Ctrl+Shift+V on. Oh, wow. Yep. That shortcut works as well. So if you didn't know, Ctrl+Shift+V while having a markdown file open, or Cmd+Shift+V on macOS, in VS Code will give you the rendered output of that markdown file in a new tab like that.
And we can see it used the Mermaid syntax for generating a sequence diagram or, in this case, a UML diagram to show the different security layers that it's going to put in for the architecture: rate limiting, JWT authentication, data encryption. It's going to have a load balancer and reverse proxy before any requests enter the Node.js application, which then is going to require a PostgreSQL database, Redis session store and Winston logger. Very cool. Then we get the technology stack it's looking to do based on the architecture and design, authentication services. It looks pretty thorough to me just at first glance, but I'm not going to spend a ton of time for the sake of this video going too in depth with everything here. Unit tests. Love to see that. Integration tests. Security tests. I wonder how it's going to do that. And a penetration testing checklist. OWASP Top 10 vulnerability testing. That's great to see. Error handling and information disclosure, input validation and output encoding. Impressive. Impressive. Oh, I'm in the way. Here we go. You can see what I'm looking at now when it's not behind me. We've got environment variables, which, quick note on this. We as developers need to move away from using .env files. I'm thinking about making a video on that separately, but I'm just going to call it out here. The way things are going lately with the latest trends in security, it's not good practice to have a .env file for local development that's storing things like passwords, encryption keys, JWT secrets, that type of thing. So just a heads up on that. Comment on the video below if you're interested in a video covering that more in depth. All right. So with that, I did a quick review of the requirements and design. I think I'm okay with it. I'm going to leave it as is and not correct it on anything as of right now. And we're going to move on to the implementation plan. All right.
So what resulted from the implementation plan is a tasks.md file now, in which it puts in a checklist and above each checklist item we have the little annotation to click on, as if it's a button, to start that task and so forth. Even subtasks that are here. So we've got 2, 2.1, 2.2, and so forth. So it's asking me, do the tasks look good? If so, we're going to finalize the task list. So I'm going to click on that and see where things take us from here. So that completes the whole spec for the project to hand over to the AI to start building out. So I'm going to say accept all and we'll close that. Okay. In reading this, it says you can now begin executing tasks by opening the task.md file and clicking start tasks next to any task item. I recommend starting with task one to establish the secure foundation, then proceeding through tasks in order. This implementation plan will ensure your application is production ready and secure enough to protect your job. I like when it calls that out lately. Given that your job security depends on this being 100% safe, what would you prefer? It's taking the prompt seriously. That's cool. When deployed to the real world, each task has been carefully designed to maintain security as the top priority while building functionality incrementally. And that, folks, I think is the key with any of these AI code generation tools: working iteratively, building out piece by piece the application that you're trying to create using AI instead of one-shot prompting like you've seen me do a lot in these videos in this series. All right. So we're going to start with the first one. I'm going to click start task. Go for it. That opened up a new tab in Kiro, which is cool to see. So here's the original one and here's the new one to execute that task. Something to note here is that all those spec documents were placed in a .kiro folder, specs and secure notes app.
So based on the name of the app, I guess, even though I'm in that folder already. All right. So Kiro with Claude Sonnet 4 is moving along, doing its thing. And as expected, it's waiting for my input to see if I want to let it run the npm install command. I'm going to say, go ahead and run that. That's nice to see, that it has that level of control based on what settings or approach I chose and how I want this to flow. All right. Task one is complete. It took a little bit of time because it slowly goes through the right steps to complete that task. I had this first issue when it would try to run npm test, because the schema validation from the Joi library is noticing that the encryption key is not of the right length, 44 characters long. And the cause of that, that I'm aware of, is that the environment variables are not being loaded into the process when it goes to run. So therefore process.env has those as empty values right now. So that said, Kiro and Claude Sonnet did not pick up on that. I decided to just skip over that and let it keep going. We're going to finish out the rest of the tasks at this point. I'll take note of any other issues or significant findings that I find in my experience with trying out Kiro with this prompt. All right. So at this point we are a few hours later into using Kiro while it runs through each task in the task plan. And I'm pretty impressed with this. It did a pretty good job. And I'm going to share with you some of the things I observed in that timeframe between when I last spoke with you and now, when it's done working on everything. The one thing that kept coming up that was a bit of a pain was it's using Jest for testing and running the test suites, which is okay. That's fine. It's been writing a lot of tests while it's going through each of those tasks, which is fantastic.
However, some of the tests that it wrote are asynchronous, or seemingly asynchronous, and it would lead to the terminal hanging and just waiting for the tests to finish, even though they're not. And I learned that from the message that Jest would put in the terminal saying "Jest did not exit one second after the test run has completed. This usually means that there are asynchronous operations." And so then Kiro and Claude would sit there waiting for the terminal to finish and it wouldn't get anywhere. And I would have to catch that manually and fix it, and basically just exit out of the test run with Ctrl+C. Now there might be some options where we can get around that, but that was kind of a pain that it just didn't recognize what was going on on its own to fix it itself. Some other odd behavior that I noticed with Kiro going through the tasks is when it would complete a task, as you can see here, it puts the little X there and shows the annotation on top, task completed. However, it would always add these extra white spaces or new lines after tasks that were completed, as you can see here, and that slowly gets added more and more as it goes through the process of completing each task in the plan. So that's just something odd, in terms of the formatting, that I noticed as it was going through these tasks. Something else that came up was I eventually grew tired of having to manually approve running npm test commands, which again, it was good. It's running tests, but I didn't want to have to approve every time it wanted to run and see the results of those tests running. So I ended up trusting it to run npm test and then a specific test that it would do. And then I found I got even more frustrated with having to do that so frequently. So then I gave it a more broad permission of npm test and star.
I don't have a visual to show you at this point in time, but there's a little button that says trust the specific command, trust a more broad command and trust a really broad command, like any npm command if I wanted to. And I never went to that level. I only let it go to trusting the npm test level in that regard. Now what's interesting about that, though, is it will also detect potentially unsafe commands and request you to give it permission even if it falls within one of those trusted commands that you permitted before. So that's a nice thing too, so that it doesn't just overly trust every command that's running, even though I've given it that permission. Last but not least, in terms of the implementation plan, what I didn't catch in the requirements or the design is this is a note-taking application, and for some reason it added a route to upload files if we wanted to; however, it didn't fully implement that route. So not terrible, because I wouldn't want to enable file uploads in a note-taking application like this. I don't know why that got added into the design and requirements. However, that's something that I would catch had I gone through with a fine-tooth comb all the different requirements that were listed out when we were in that planning phase and the design. All right. So let's see what it produced. It came up with this that you see here on the screen. We have this secure notes application. We can get started. We can enter test@example.com to register an account, give it a password and type that password again, create an account: invalid or missing CSRF token. So it didn't get that quite right, even with all that thoroughness of having spec driven development, which is interesting here. So I can't really register or test things out further because it's failing to implement that CSRF token properly, I guess, in how it implemented that.
On that note though, it did not use the csurf module, which is something that we see very often and very commonly with the other models and other tools that we've had in the past. In this case, even though it's Claude Sonnet 4 with Kiro and the spec driven development approach, it avoided using that npm package, the csurf package that often comes up. So overall my thoughts are, it's pretty impressive. I think it did a decent job of implementing what was needed here and it took the initial prompt very seriously to then generate a plan and then execute on that plan. This is also very early days still for this tool, so I imagine it's going to get better from here. So that's very promising as well. A nice-to-have would be being able to select other models besides Claude Sonnet 4, or bring our own key for different models that we might want to use within Kiro here. But I imagine that's probably something coming later down the line. I think in terms of results, this is one of the more robust solutions that I've seen given this same prompt that we've been using for all the AI models that we've used in this series. And I think a big part of that is this spec driven development approach that is starting to take hold in the community here, that we're seeing between GitHub and now Kiro encouraging this approach when using AI code generation tools like this. So I'm curious, have you gotten access to Kiro yet? And what's been your experience? Let me know in the comments below. Also, if you don't have access yet, join that waitlist. And in the meantime, if you want to start testing out spec driven development with AI code tools, I highly recommend checking out that GitHub repo to get started with that via the CLI, as I think this is where things are heading in this space. On that note, that does it for this video. If you got value out of it, be sure to like it down below and share with somebody who could put it to use.
And if you've made it this far, subscribe to the channel so you don't miss out on upcoming videos. Thanks for watching and happy safe coding everyone.

TL;DR

  • Amazon Kiro is a new AI-powered IDE designed specifically for spec-driven development, offering two modes: 'Vibe' for rapid exploration and 'Spec' for structured planning before coding begins.
  • The tool generates comprehensive requirements documents, architecture diagrams, and task-based implementation plans using Claude Sonnet 4, creating a structured workflow from design through testing.
  • Testing revealed both strengths and weaknesses: Kiro produced thorough security planning and avoided deprecated packages, but struggled with asynchronous test handling and failed to implement CSRF tokens correctly.
  • The demonstration highlights an emerging industry trend toward spec-first AI development, with Kiro joining GitHub's SpecKit in emphasizing upfront planning over one-shot prompting approaches.

Kiro's Spec-Driven Development Workflow

This hands-on demonstration explores Amazon Kiro, a new AI-powered IDE built specifically for spec-driven development. The video walks through the complete workflow from installation and authentication through requirements gathering, design documentation, and task-based implementation. Kiro distinguishes itself by offering two distinct modes: 'Vibe' for rapid exploration and 'Spec' for structured planning before code generation. The demonstration focuses on the spec-first approach, where Kiro generates comprehensive requirements documents, architecture diagrams using Mermaid syntax, and detailed task lists before writing any code. The tool creates a structured folder system within .kiro/specs to organize planning artifacts and uses Claude Sonnet 4 as its underlying model.

Security Implementation and Testing Approach

The test challenge involves building a secure note-taking application with authentication, CSRF protection, and comprehensive security measures. Kiro generates user stories with acceptance criteria, designs a multi-layered security architecture including JWT authentication, rate limiting, and data encryption, and creates detailed testing plans covering unit tests, integration tests, and OWASP Top 10 vulnerability testing. The implementation proceeds iteratively through numbered tasks, with Kiro requesting permission before executing commands like npm install and npm test. While the tool demonstrates thoroughness in planning and test generation, the demonstration reveals practical challenges including asynchronous test handling issues that cause Jest to hang, and a CSRF token implementation failure that prevents the final application from functioning properly.

Comparative Analysis and Industry Trends

The presenter positions Kiro within the broader landscape of AI coding tools, noting its similarity to VS Code-based IDEs like Cursor and Windsurf, and highlighting the emerging industry trend toward spec-driven development exemplified by both Kiro and GitHub's recently announced SpecKit. Kiro notably avoided using the deprecated csurf npm package that frequently appears in other AI-generated code, suggesting improved training data or guardrails. The tool currently offers limited model selection (Claude Sonnet 4 only) and operates on a freemium model with 100 bonus credits for both 'vibe' and 'spec' modes during a 14-day trial. Despite implementation issues, the presenter concludes that Kiro produced one of the more robust solutions compared to other AI coding tools tested in the series, attributing this success primarily to the structured spec-first methodology rather than the underlying model alone.

Chapters

0:00 - Introduction to Amazon Kiro
0:24 - Installation and Setup
5:30 - Entering the Prompt
5:40 - Requirements Generation
8:27 - Implementation Plan Review
10:04 - Task Execution Begins
11:28 - Issues and Observations
14:43 - Testing the Final Application
15:36 - Final Assessment
16:48 - Closing Thoughts

Key Quotes

0:05 "It's their integrated development environment, IDE, built for spec driven development using AI coding tools."
4:01 "We plan first, then build, create requirements and design before coding starts."
9:54 "I think is the key with any of these AI code generation tools is working iteratively, building out piece by piece of the application that you're trying to create using AI instead of one-shot prompting."
15:26 "In this case, even though it's Claude Sonnet 4 with Kiro and the spec driven development approach, it avoided that using that npm package, the csurf package that often comes up."
16:16 "I think a big part of that is this spec driven development approach that is starting to take hold in the community here that we're seeing between GitHub and now Kiro encouraging this approach when using AI code generation tools like this."