Norah Klintberg Sakal

Same prompt. Different teammate. My 5 cents on Opus 4.8​

I'm using Claude Code while creating my "How to deploy an AI agent" course.

Don't get me started. I know it's very meta to use AI while building a course about deploying AI apps, but here we are.

And after switching to Opus 4.8 today, I noticed a small thing that felt different.

Not "the model solved world peace" different.

More like "Did it just understand what I'm actually working on? 🧐"

My #1 rule:

Deploy the boring loop first. Add intelligence later.

Because if the simple loop doesn't work in production, the fancy version won't save you.

Your vibe-coded AI app does not need a complicated backend on day one.

🙅‍♀️ No RAG
🙅‍♀️ No tools
🙅‍♀️ No streaming
🙅‍♀️ No multi-agent orchestration

It needs one boring backend loop:

Getting to a live URL is the easy part now.

The harder question is whether you actually own what you built.

Can you move it?
Can you debug it?
Can you explain the stack to a client?
Can you protect your API keys?

If the answer is "No 🙂‍↔️" or "I'm not sure 🥹" → your AI app is still a hosted prototype.

Here are the 7 things you need to deploy your vibe-coded app and own the whole stack on AWS:

This is THE day​

Day 13: You build a secure backend trigger (mock response)

Today: We deploy the actual AI containers and make real phone calls.

Remember yesterday's response?

{
  "message": "Call trigger received! (Mock response - Fargate connection coming Day 14)"
}

Today, your phone will actually ring 📞🤖

Why you need a secure trigger​

Day 12: You build a protected frontend

Today: We build the secure backend that triggers calls

Here's the critical security issue:

Remember your ALB endpoint we built on Day 9 ↗?

https://ai-caller.yourdomain.com

If we add a /make-call endpoint directly to Fargate:

POST https://ai-caller.yourdomain.com/make-call
→ Publicly accessible
→ Anyone can trigger calls
→ Could rack up *huge* OpenAI/Twilio bills
→ Even with frontend auth, the endpoint is exposed

This is not acceptable.

Protect your app from unauthorized use​

Days 9-11: You built the infrastructure

Today: We build the protected frontend

Here's the critical security issue:

When you deploy your AI calling agent:

https://app.yourdomain.com
→ Publicly accessible
→ Anyone can use it
→ Could rack up huge OpenAI/Twilio bills

This is not acceptable.

What you need:

Make it secure​

Day 10: You got a custom domain

Today: We make it secure with HTTPS

Here's the situation:

Your app is accessible at:

http://ai-caller.yourdomain.com

Browser says: ⚠️ "Not secure":

The problem:
❌ Data transmitted in plain text
❌ Anyone can intercept traffic
❌ Users don't trust it
❌ Browser shows scary warnings
❌ Can't use modern web features (WebRTC, microphone access)

What you need:

No more default URLs​

Day 9: You built the front-yard house (ALB)

Today: We give it a real address

Here's the situation: Your ALB has a public endpoint:

fargate-alb-1234567890.us-east-1.elb.amazonaws.com

This works, but:
❌ Impossible to remember
❌ Looks unprofessional
❌ Hard to share
❌ Can't use for SSL certificate (Day 11)

What you want:

ai-caller.yourdomain.com

Clean. Professional. Memorable.

Solution: Route 53 + Custom Domain

Your network needs a front-yard house​

Day 8: You tested and validated your network

Today: We build the front door (Application Load Balancer)

Here's the setup:

Trust, but verify​

Days 3-7: You built the entire network infrastructure

Today: We prove it actually works

Here's the situation:

You've built:
✅ VPC with Internet Gateway
✅ Public and private subnets
✅ NAT Gateway
✅ Route Tables
✅ Security Groups

But you haven't actually tested any of it.

What if:

• NAT Gateway isn't running correctly?
• Route tables have the wrong associations?
• Secure Groups are blocking traffic?
• Something is misconfigured?

You'd fund out after deploying your containers (painful debugging)

Solution: Test first, deploy second.