# Lab 03: Vibe Coding with AI Assistants

**Interactive Walkthrough Notebook**

This notebook guides you through the "vibe coding" workflow - using AI assistants to help write code through natural conversation.

## What You'll Learn

1. The SPARK prompting framework
2. How to iterate with AI to build working code
3. Building a password strength analyzer step-by-step
4. Best practices for AI-assisted development

## Prerequisites

- Basic Python knowledge (Lab 01)
- Understanding of prompting (Lab 02)
- Access to an AI assistant (Claude, ChatGPT, or similar)

**Time:** 45-60 minutes

---

## Part 1: Understanding Vibe Coding

**Vibe coding** is an approach where you:

1. Describe what you want in plain English
2. Let AI generate code
3. Review, understand, and iterate
4. Learn from the generated code

### The Key Principle

> "AI accelerates coding, but doesn't replace understanding."

You must **always understand** the code before running it, especially in security contexts.

---

## Part 2: The SPARK Framework

For security-focused prompts, use **SPARK**:

| Letter | Meaning | Example |
|--------|---------|--------|
| **S** | Specific | "Check password length, not just 'validate password'" |
| **P** | Purpose | "This is for a security audit tool" |
| **A** | Approach | "Use regex for pattern matching" |
| **R** | Requirements | "Must run on Python 3.10+, no external deps" |
| **K** | Knowledge | "Reference NIST password guidelines" |

### Example: Bad vs Good Prompts

**Bad prompt:**
```
Write a password checker
```

**Good prompt (using SPARK):**
```
Write a Python function that checks password strength.

Purpose: Security training tool for demonstrating password policies

Requirements:
- Check length (12+ chars for strong)
- Check character variety (upper, lower, numbers, symbols)
- Detect common passwords from a list
- Return a score from 0-100
- No external dependencies beyond stdlib

Reference NIST SP 800-63B password guidelines.
```

---

## Part 3: Warm-Up Exercise

Let's start simple. We'll ask an AI to generate a basic function, then run it here.

### Step 1: Copy this prompt to your AI assistant

```
Write a Python function called `check_length` that:
- Takes a password string as input
- Returns a tuple of (score, feedback)
- Scoring: <8 chars = 0pts, 8-11 = 10pts, 12-15 = 20pts, 16+ = 30pts
- Feedback should explain why the score was given

Just the function, no main or imports needed.
```

### Step 2: Paste the AI's response below and run it

In [None]:
# Paste your AI-generated check_length function here
# Then run this cell

def check_length(password: str) -> tuple[int, str]:
    """Check password length and return score with feedback."""
    # YOUR AI-GENERATED CODE HERE
    pass

# Test it
test_passwords = ["short", "medium12", "longerpassword", "verylongpassword123!"]
for pwd in test_passwords:
    score, feedback = check_length(pwd)
    print(f"{pwd:25} -> Score: {score:2}, {feedback}")

### Reference Implementation

If you want to compare, here's one possible implementation:

In [None]:
def check_length_reference(password: str) -> tuple[int, str]:
    """Check password length and return score with feedback."""
    length = len(password)
    
    if length < 8:
        return (0, f"Too short ({length} chars). Need at least 8.")
    elif length < 12:
        return (10, f"Acceptable length ({length} chars). 12+ recommended.")
    elif length < 16:
        return (20, f"Good length ({length} chars).")
    else:
        return (30, f"Excellent length ({length} chars)!")

# Test reference
for pwd in ["short", "medium12", "longerpassword", "verylongpassword123!"]:
    score, feedback = check_length_reference(pwd)
    print(f"{pwd:25} -> Score: {score:2}, {feedback}")

---

## Part 4: Building the Password Analyzer

Now let's build a complete password strength analyzer using iterative vibe coding.

### Iteration 1: Character Variety Check

**Prompt to use:**
```
Write a Python function `check_character_variety` that:
- Takes a password string
- Returns (score, list of feedback strings)
- Awards points for:
  - Has lowercase: +5
  - Has uppercase: +10
  - Has numbers: +5
  - Has symbols (!@#$%^&* etc): +10
- Feedback should list what's present and missing
```

In [None]:
# Paste your AI-generated check_character_variety function here

def check_character_variety(password: str) -> tuple[int, list[str]]:
    """Check character variety and return score with feedback."""
    # YOUR AI-GENERATED CODE HERE
    pass

# Test it
test_cases = ["password", "Password", "Password1", "Password1!", "P@ssw0rd!"]
for pwd in test_cases:
    score, feedback = check_character_variety(pwd)
    print(f"{pwd:15} -> Score: {score:2}, Feedback: {feedback}")

### Iteration 2: Common Password Check

**Prompt to use:**
```
Write a Python function `check_common_passwords` that:
- Takes a password string
- Returns (penalty_score, feedback)
- penalty_score is NEGATIVE (0 to -50)
- Check against a list of common passwords (include at least 20)
- Also check with common letter substitutions (@ for a, 3 for e, etc)
- -50 points for exact match to common password
- -25 points for match after un-substituting leetspeak
- 0 points if not found

Include the common password list in the function.
```

In [None]:
# Paste your AI-generated check_common_passwords function here

def check_common_passwords(password: str) -> tuple[int, str]:
    """Check if password is common and return penalty with feedback."""
    # YOUR AI-GENERATED CODE HERE
    pass

# Test it
test_cases = ["password", "P@ssw0rd", "letmein", "MyUniqueP@ss123!", "qwerty"]
for pwd in test_cases:
    penalty, feedback = check_common_passwords(pwd)
    print(f"{pwd:20} -> Penalty: {penalty:3}, {feedback}")

### Iteration 3: Pattern Detection

**Prompt to use:**
```
Write a Python function `check_patterns` that:
- Takes a password string
- Returns (penalty_score, list of detected patterns)
- Detects these weak patterns:
  - Keyboard walks (qwerty, asdf, zxcv, 1234, etc): -10 each
  - Repeated characters (aaa, 111): -10
  - Sequential letters (abc, xyz): -10
  - Sequential numbers (123, 789): -10
- Maximum penalty of -30

Use case-insensitive matching.
```

In [None]:
# Paste your AI-generated check_patterns function here

def check_patterns(password: str) -> tuple[int, list[str]]:
    """Detect weak patterns and return penalty with list of issues."""
    # YOUR AI-GENERATED CODE HERE
    pass

# Test it
test_cases = ["qwertypass", "aaa111", "abcdef", "NoPatterns!", "Pass123word"]
for pwd in test_cases:
    penalty, patterns = check_patterns(pwd)
    print(f"{pwd:15} -> Penalty: {penalty:3}, Patterns: {patterns}")

### Iteration 4: Combine Everything

**Prompt to use:**
```
Write a Python function `analyze_password` that:
- Takes a password string
- Uses these helper functions (assume they exist):
  - check_length(password) -> (score, feedback)
  - check_character_variety(password) -> (score, feedback_list)
  - check_common_passwords(password) -> (penalty, feedback)
  - check_patterns(password) -> (penalty, pattern_list)
- Combines all scores (max 100, min 0)
- Returns a dict with:
  - 'score': final score 0-100
  - 'strength': label (Very Weak/Weak/Fair/Strong/Very Strong)
  - 'breakdown': dict of individual scores
  - 'feedback': list of all feedback items

Strength labels (based on max achievable score of 60):
- <15: Very Weak
- 15-24: Weak
- 25-39: Fair
- 40-54: Strong
- 55+: Very Strong
```

In [None]:
# Paste your AI-generated analyze_password function here
# Make sure the helper functions from above are defined first!

def analyze_password(password: str) -> dict:
    """Analyze password strength and return detailed results."""
    # YOUR AI-GENERATED CODE HERE
    pass

# Test it (requires all helper functions to be defined above)
# test_passwords = ["password", "Password1!", "X7#mK9$pL2@wQ", "correct-horse-battery-staple"]
# for pwd in test_passwords:
#     result = analyze_password(pwd)
#     print(f"\n{pwd}")
#     print(f"  Score: {result['score']} ({result['strength']})")
#     print(f"  Breakdown: {result['breakdown']}")

---

## Part 5: Complete Working Example

Here's a complete working password analyzer for reference. Compare it with what you built!

In [None]:
import string

# Common passwords list
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "admin", "letmein", "welcome",
    "monkey", "dragon", "master", "login", "abc123", "password1",
    "iloveyou", "sunshine", "princess", "football", "baseball",
    "shadow", "superman", "michael", "trustno1", "hunter"
}

# Keyboard patterns
KEYBOARD_PATTERNS = [
    "qwerty", "qwertyuiop", "asdf", "asdfgh", "zxcv", "zxcvbn",
    "1234", "12345", "123456", "1234567890", "0987654321"
]

# Leetspeak substitutions
SUBSTITUTIONS = {'@': 'a', '4': 'a', '3': 'e', '1': 'i', '0': 'o', '$': 's', '5': 's', '7': 't'}


def check_length_complete(password: str) -> tuple[int, str]:
    """Check password length."""
    length = len(password)
    if length < 8:
        return (0, f"Too short ({length} chars)")
    elif length < 12:
        return (10, f"Acceptable ({length} chars)")
    elif length < 16:
        return (20, f"Good ({length} chars)")
    else:
        return (30, f"Excellent ({length} chars)")


def check_variety_complete(password: str) -> tuple[int, list[str]]:
    """Check character variety."""
    score = 0
    feedback = []
    
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    
    if has_lower:
        score += 5
        feedback.append("Has lowercase")
    if has_upper:
        score += 10
        feedback.append("Has uppercase")
    if has_digit:
        score += 5
        feedback.append("Has numbers")
    if has_symbol:
        score += 10
        feedback.append("Has symbols")
    
    return (score, feedback)


def normalize_leetspeak(password: str) -> str:
    """Convert leetspeak to regular letters."""
    result = password.lower()
    for leet, normal in SUBSTITUTIONS.items():
        result = result.replace(leet, normal)
    return result


def check_common_complete(password: str) -> tuple[int, str]:
    """Check against common passwords."""
    pwd_lower = password.lower()
    
    if pwd_lower in COMMON_PASSWORDS:
        return (-50, "Exact match to common password!")
    
    normalized = normalize_leetspeak(password)
    if normalized in COMMON_PASSWORDS:
        return (-25, "Matches common password with substitutions")
    
    return (0, "Not a common password")


def check_patterns_complete(password: str) -> tuple[int, list[str]]:
    """Detect weak patterns."""
    pwd_lower = password.lower()
    penalty = 0
    patterns = []
    
    # Keyboard patterns
    for pattern in KEYBOARD_PATTERNS:
        if pattern in pwd_lower:
            penalty -= 10
            patterns.append(f"Keyboard: {pattern}")
            break
    
    # Repeated characters (3+)
    for i in range(len(password) - 2):
        if password[i] == password[i+1] == password[i+2]:
            penalty -= 10
            patterns.append("Repeated characters")
            break
    
    # Sequential letters/numbers
    sequences = ["abcdefghijklmnopqrstuvwxyz", "0123456789"]
    for seq in sequences:
        for i in range(len(seq) - 2):
            if seq[i:i+3] in pwd_lower:
                penalty -= 10
                patterns.append(f"Sequential: {seq[i:i+3]}")
                break
    
    return (max(penalty, -30), patterns)


def analyze_password_complete(password: str) -> dict:
    """Full password analysis."""
    length_score, length_fb = check_length_complete(password)
    variety_score, variety_fb = check_variety_complete(password)
    common_penalty, common_fb = check_common_complete(password)
    pattern_penalty, pattern_fb = check_patterns_complete(password)
    
    total = length_score + variety_score + common_penalty + pattern_penalty
    total = max(0, min(100, total))  # Clamp to 0-100
    
    # Determine strength label (max achievable is 60 points)
    if total < 15:
        strength = "Very Weak"
    elif total < 25:
        strength = "Weak"
    elif total < 40:
        strength = "Fair"
    elif total < 55:
        strength = "Strong"
    else:
        strength = "Very Strong"
    
    return {
        "score": total,
        "strength": strength,
        "breakdown": {
            "length": length_score,
            "variety": variety_score,
            "common_penalty": common_penalty,
            "pattern_penalty": pattern_penalty
        },
        "feedback": [length_fb] + variety_fb + [common_fb] + pattern_fb
    }

In [None]:
# Test the complete analyzer
test_passwords = [
    "password",           # Very Weak - common password
    "Password1",          # Weak - common pattern
    "P@ssw0rd!",          # Weak - common with substitutions
    "BlueSky#42",         # Fair - decent but short
    "X7#mK9$pL2@wQ",      # Strong - random, good variety
    "correct-horse-battery-staple"  # Very Strong - long passphrase
]

print("Password Strength Analysis")
print("=" * 60)

for pwd in test_passwords:
    result = analyze_password_complete(pwd)
    print(f"\nPassword: {pwd}")
    print(f"Score: {result['score']}/100 ({result['strength']})")
    print(f"Breakdown: {result['breakdown']}")
    print(f"Feedback: {', '.join(result['feedback'])}")

---

## Part 6: Your Challenge

Now it's your turn to practice vibe coding independently!

### Challenge: Build a URL Defanger

Security analysts often need to "defang" malicious URLs so they can be safely shared without being clickable.

**Requirements:**
- Function `defang_url(url)` that converts:
  - `http://` → `hxxp://`
  - `https://` → `hxxps://`
  - `.` in domain → `[.]`
- Function `refang_url(defanged)` that reverses the process
- Handle edge cases (no protocol, multiple dots, etc.)

**Example:**
```
https://malware.evil.com/payload → hxxps://malware[.]evil[.]com/payload
```

Use your AI assistant to help you build this!

In [None]:
# Your URL defanger implementation here
# Use vibe coding - prompt your AI assistant and paste the result!

def defang_url(url: str) -> str:
    """Defang a URL for safe sharing."""
    # YOUR CODE HERE
    pass

def refang_url(defanged: str) -> str:
    """Refang a defanged URL back to original."""
    # YOUR CODE HERE
    pass

# Test your implementation
test_urls = [
    "https://malware.evil.com/payload",
    "http://192.168.1.1/admin",
    "https://sub.domain.example.org/path?query=1"
]

for url in test_urls:
    defanged = defang_url(url)
    refanged = refang_url(defanged)
    print(f"Original:  {url}")
    print(f"Defanged:  {defanged}")
    print(f"Refanged:  {refanged}")
    print(f"Match: {url == refanged}")
    print()

---

## Part 7: Reflection

After completing this notebook, consider:

1. **What did the AI get right?** Where did generated code work immediately?

2. **What needed iteration?** What did you have to ask the AI to fix or improve?

3. **What did you learn?** Did you discover Python features or patterns you didn't know?

4. **What would you do differently?** How would you prompt differently next time?

### Key Takeaways

- **Iterate**: First outputs rarely perfect; refine through conversation
- **Understand**: Always read and understand generated code before running
- **Verify**: Test with edge cases the AI might not have considered
- **Learn**: Use AI-generated code as a learning opportunity

## Next Steps

- Try the full challenge in `starter/main.py`
- Compare your solution with `solution/main.py`
- Move on to Lab 09: CTF Fundamentals
- Start tackling the CTF challenges!